Pass change/expiry problem

Richard van der Veen richardvanderveen at outlook.com
Wed Jun 3 09:02:43 CEST 2015


I'm sorry for the wrong format.
Below is my new attempt:
================================


(0) Received Access-Request Id 146 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234
(0)   User-Name = 'vdiuser001'
(0)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(0)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(0)   NAS-Port = 13
(0)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(0)   NAS-IP-Address = 10.70.1.1
(0)   NAS-Identifier = 'Cisco-WLC-5508'
(0)   Airespace-Wlan-Id = 9
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1300
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Private-Group-Id:0 = '212'
(0)   EAP-Message = 0x0202000f0176646975736572303031
(0)   Message-Authenticator = 0xaf7ffeb4c2d2854413f57effba1d7a06
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent code Response (2) ID 2 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_peap to process EAP data
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: Initiate
(0) eap_peap: Start returned 1
(0) eap: EAP session adding &reply:State = 0x1e1591df1e16880e
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 146 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(0)   EAP-Message = 0x010300061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x1e1591df1e16880e6da8d17effec1644
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 147 from 10.70.1.1:32770 to 10.10.10.3:1812 length 346
(1)   User-Name = 'vdiuser001'
(1)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(1)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(1)   NAS-Port = 13
(1)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(1)   NAS-IP-Address = 10.70.1.1
(1)   NAS-Identifier = 'Cisco-WLC-5508'
(1)   Airespace-Wlan-Id = 9
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1300
(1)   NAS-Port-Type = Wireless-802.11
(1)   Tunnel-Type:0 = VLAN
(1)   Tunnel-Medium-Type:0 = IEEE-802
(1)   Tunnel-Private-Group-Id:0 = '212'
(1)   EAP-Message = 0x0203006d198000000063160301005e0100005a0301556ea07cb3e1da5438e4a0fda201cbfcdfff42b72294b1d171d0c2e5bfb7324f000018c014c0130035002fc00ac00900380032000a00130005000401000019ff01000100000a0006000400170018000b0002010000230000
(1)   State = 0x1e1591df1e16880e6da8d17effec1644
(1)   Message-Authenticator = 0xff709617cbc210bed08b77be13d02f78
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent code Response (2) ID 3 length 109
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x1e1591df1e16880e
(1) eap: Finished EAP session with state 0x1e1591df1e16880e
(1) eap: Previous EAP request found for state 0x1e1591df1e16880e, released from the list
(1) eap: Peer sent method PEAP (25)
(1) eap: EAP PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: processing EAP-TLS
(1) eap_peap: TLS Length 99
(1) eap_peap: Length Included
(1) eap_peap: eaptls_verify returned 11
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< TLS 1.0 Handshake [length 005e], ClientHello
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap: eaptls_process returned 13
(1) eap_peap: FR_TLS_HANDLED
(1) eap: EAP session adding &reply:State = 0x1e1591df1f11880e
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 147 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(1)   EAP-Message = 0x010403ec19c000000a8c160301005902000055030186abd118bcdaa77ddb5869e5ddfbfe95dceb5754d78269df4bcdb7299564fe2d200820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x1e1591df1f11880e6da8d17effec1644
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 148 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(2)   User-Name = 'vdiuser001'
(2)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(2)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(2)   NAS-Port = 13
(2)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(2)   NAS-IP-Address = 10.70.1.1
(2)   NAS-Identifier = 'Cisco-WLC-5508'
(2)   Airespace-Wlan-Id = 9
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   Tunnel-Type:0 = VLAN
(2)   Tunnel-Medium-Type:0 = IEEE-802
(2)   Tunnel-Private-Group-Id:0 = '212'
(2)   EAP-Message = 0x020400061900
(2)   State = 0x1e1591df1f11880e6da8d17effec1644
(2)   Message-Authenticator = 0x776a06fa5dc2b42c73bb121fcca33bea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (!&User-Name) {
(2)       if (!&User-Name)  -> FALSE
(2)       if (&User-Name =~ / /) {
(2)       if (&User-Name =~ / /)  -> FALSE
(2)       if (&User-Name =~ /@.*@/ ) {
(2)       if (&User-Name =~ /@.*@/ )  -> FALSE
(2)       if (&User-Name =~ /\.\./ ) {
(2)       if (&User-Name =~ /\.\./ )  -> FALSE
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)       if (&User-Name =~ /\.$/)  {
(2)       if (&User-Name =~ /\.$/)   -> FALSE
(2)       if (&User-Name =~ /@\./)  {
(2)       if (&User-Name =~ /@\./)   -> FALSE
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent code Response (2) ID 4 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x1e1591df1f11880e
(2) eap: Finished EAP session with state 0x1e1591df1f11880e
(2) eap: Previous EAP request found for state 0x1e1591df1f11880e, released from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: Received TLS ACK
(2) eap_peap: Received TLS ACK
(2) eap_peap: ACK handshake fragment handler
(2) eap_peap: eaptls_verify returned 1
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0x1e1591df1c10880e
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 148 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(2)   EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x1e1591df1c10880e6da8d17effec1644
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 149 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(3)   User-Name = 'vdiuser001'
(3)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(3)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(3)   NAS-Port = 13
(3)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(3)   NAS-IP-Address = 10.70.1.1
(3)   NAS-Identifier = 'Cisco-WLC-5508'
(3)   Airespace-Wlan-Id = 9
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1300
(3)   NAS-Port-Type = Wireless-802.11
(3)   Tunnel-Type:0 = VLAN
(3)   Tunnel-Medium-Type:0 = IEEE-802
(3)   Tunnel-Private-Group-Id:0 = '212'
(3)   EAP-Message = 0x020500061900
(3)   State = 0x1e1591df1c10880e6da8d17effec1644
(3)   Message-Authenticator = 0x1feb9b7bb1e9f4d588005f8e4c1f441b
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (!&User-Name) {
(3)       if (!&User-Name)  -> FALSE
(3)       if (&User-Name =~ / /) {
(3)       if (&User-Name =~ / /)  -> FALSE
(3)       if (&User-Name =~ /@.*@/ ) {
(3)       if (&User-Name =~ /@.*@/ )  -> FALSE
(3)       if (&User-Name =~ /\.\./ ) {
(3)       if (&User-Name =~ /\.\./ )  -> FALSE
(3)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)       if (&User-Name =~ /\.$/)  {
(3)       if (&User-Name =~ /\.$/)   -> FALSE
(3)       if (&User-Name =~ /@\./)  {
(3)       if (&User-Name =~ /@\./)   -> FALSE
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent code Response (2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x1e1591df1c10880e
(3) eap: Finished EAP session with state 0x1e1591df1c10880e
(3) eap: Previous EAP request found for state 0x1e1591df1c10880e, released from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0x1e1591df1d13880e
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 149 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(3)   EAP-Message = 0x010602ce190020417574686f72697479820900eb4cce581239f262300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100c1a0
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x1e1591df1d13880e6da8d17effec1644
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 150 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381
(4)   User-Name = 'vdiuser001'
(4)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(4)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(4)   NAS-Port = 13
(4)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(4)   NAS-IP-Address = 10.70.1.1
(4)   NAS-Identifier = 'Cisco-WLC-5508'
(4)   Airespace-Wlan-Id = 9
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1300
(4)   NAS-Port-Type = Wireless-802.11
(4)   Tunnel-Type:0 = VLAN
(4)   Tunnel-Medium-Type:0 = IEEE-802
(4)   Tunnel-Private-Group-Id:0 = '212'
(4)   EAP-Message = 0x0206009019800000008616030100461000004241041c7db466f320cdd73375bd32ae121beb52414806d71da093e45be96f1368dbbf176affcce34fc191bd0a86203a369e1c98f1595c3ae6cedd722150c58f619c8314030100010116030100308e95f63a5f43e7d94cf3583b9fc1b9a041050278e6f62b
(4)   State = 0x1e1591df1d13880e6da8d17effec1644
(4)   Message-Authenticator = 0x454da7994b1a632987de592cee18ad93
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (!&User-Name) {
(4)       if (!&User-Name)  -> FALSE
(4)       if (&User-Name =~ / /) {
(4)       if (&User-Name =~ / /)  -> FALSE
(4)       if (&User-Name =~ /@.*@/ ) {
(4)       if (&User-Name =~ /@.*@/ )  -> FALSE
(4)       if (&User-Name =~ /\.\./ ) {
(4)       if (&User-Name =~ /\.\./ )  -> FALSE
(4)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)       if (&User-Name =~ /\.$/)  {
(4)       if (&User-Name =~ /\.$/)   -> FALSE
(4)       if (&User-Name =~ /@\./)  {
(4)       if (&User-Name =~ /@\./)   -> FALSE
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent code Response (2) ID 6 length 144
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x1e1591df1d13880e
(4) eap: Finished EAP session with state 0x1e1591df1d13880e
(4) eap: Previous EAP request found for state 0x1e1591df1d13880e, released from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: TLS Length 134
(4) eap_peap: Length Included
(4) eap_peap: eaptls_verify returned 11
(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
  TLS: adding session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 to cache
(4) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0x1e1591df1a12880e
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 150 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(4)   EAP-Message = 0x0107004119001403010001011603010030844ddc99d83876b1afa809097ddc158138ae61e5027df9156161e80fd4e6b5dc6dc0286f2d7f440f29064c5d5da6135f
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x1e1591df1a12880e6da8d17effec1644
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 151 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(5)   User-Name = 'vdiuser001'
(5)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(5)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(5)   NAS-Port = 13
(5)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(5)   NAS-IP-Address = 10.70.1.1
(5)   NAS-Identifier = 'Cisco-WLC-5508'
(5)   Airespace-Wlan-Id = 9
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1300
(5)   NAS-Port-Type = Wireless-802.11
(5)   Tunnel-Type:0 = VLAN
(5)   Tunnel-Medium-Type:0 = IEEE-802
(5)   Tunnel-Private-Group-Id:0 = '212'
(5)   EAP-Message = 0x020700061900
(5)   State = 0x1e1591df1a12880e6da8d17effec1644
(5)   Message-Authenticator = 0x6a9f9babb7fb5a0603e50e2292064d52
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (!&User-Name) {
(5)       if (!&User-Name)  -> FALSE
(5)       if (&User-Name =~ / /) {
(5)       if (&User-Name =~ / /)  -> FALSE
(5)       if (&User-Name =~ /@.*@/ ) {
(5)       if (&User-Name =~ /@.*@/ )  -> FALSE
(5)       if (&User-Name =~ /\.\./ ) {
(5)       if (&User-Name =~ /\.\./ )  -> FALSE
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)       if (&User-Name =~ /\.$/)  {
(5)       if (&User-Name =~ /\.$/)   -> FALSE
(5)       if (&User-Name =~ /@\./)  {
(5)       if (&User-Name =~ /@\./)   -> FALSE
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent code Response (2) ID 7 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x1e1591df1a12880e
(5) eap: Finished EAP session with state 0x1e1591df1a12880e
(5) eap: Previous EAP request found for state 0x1e1591df1a12880e, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: Received TLS ACK
(5) eap_peap: Received TLS ACK
(5) eap_peap: ACK handshake is finished
(5) eap_peap: eaptls_verify returned 3
(5) eap_peap: eaptls_process returned 3
(5) eap_peap: FR_TLS_SUCCESS
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: EAP session adding &reply:State = 0x1e1591df1b1d880e
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 151 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(5)   EAP-Message = 0x0108002b190017030100206db2be686f268ad99a2f0f2723b6e3d5710916296d814c355a0cd194caed8a7b
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x1e1591df1b1d880e6da8d17effec1644
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 152 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
(6)   User-Name = 'vdiuser001'
(6)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(6)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(6)   NAS-Port = 13
(6)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(6)   NAS-IP-Address = 10.70.1.1
(6)   NAS-Identifier = 'Cisco-WLC-5508'
(6)   Airespace-Wlan-Id = 9
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1300
(6)   NAS-Port-Type = Wireless-802.11
(6)   Tunnel-Type:0 = VLAN
(6)   Tunnel-Medium-Type:0 = IEEE-802
(6)   Tunnel-Private-Group-Id:0 = '212'
(6)   EAP-Message = 0x0208002b1900170301002041ab8b582edc5512fcc8ba26acc4c3cca929b11e6bb6dc324e964be4c8912361
(6)   State = 0x1e1591df1b1d880e6da8d17effec1644
(6)   Message-Authenticator = 0x32cd4ca4495354475cad0639e3657fcd
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (!&User-Name) {
(6)       if (!&User-Name)  -> FALSE
(6)       if (&User-Name =~ / /) {
(6)       if (&User-Name =~ / /)  -> FALSE
(6)       if (&User-Name =~ /@.*@/ ) {
(6)       if (&User-Name =~ /@.*@/ )  -> FALSE
(6)       if (&User-Name =~ /\.\./ ) {
(6)       if (&User-Name =~ /\.\./ )  -> FALSE
(6)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)       if (&User-Name =~ /\.$/)  {
(6)       if (&User-Name =~ /\.$/)   -> FALSE
(6)       if (&User-Name =~ /@\./)  {
(6)       if (&User-Name =~ /@\./)   -> FALSE
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent code Response (2) ID 8 length 43
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x1e1591df1b1d880e
(6) eap: Finished EAP session with state 0x1e1591df1b1d880e
(6) eap: Previous EAP request found for state 0x1e1591df1b1d880e, released from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: eaptls_verify returned 7
(6) eap_peap: Done initial handshake
(6) eap_peap: eaptls_process returned 7
(6) eap_peap: FR_TLS_OK
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - vdiuser001
(6) eap_peap: Got inner identity 'vdiuser001'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap: Setting User-Name to vdiuser001
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = 'vdiuser001'
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0208000f0176646975736572303031
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = 'vdiuser001'
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent code Response (2) ID 8 length 15
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = EAP
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent method Identity (1)
(6) eap: Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2: Issuing Challenge
(6) eap: EAP session adding &reply:State = 0x51a562e351ac7819
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x51a562e351ac78191732838bb1154cd3
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x51a562e351ac78191732838bb1154cd3
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x51a562e351ac78191732838bb1154cd3
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: EAP session adding &reply:State = 0x1e1591df181c880e
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 152 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(6)   EAP-Message = 0x0109004b19001703010040d8c3a0f01020d409085cc9f8485a9541e838b86586f7b38d0420e95191d98a03ccada0bcd4542632b89be702586bf861065d500e247a43742d868664491075b0
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x1e1591df181c880e6da8d17effec1644
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 153 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344
(7)   User-Name = 'vdiuser001'
(7)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(7)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(7)   NAS-Port = 13
(7)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(7)   NAS-IP-Address = 10.70.1.1
(7)   NAS-Identifier = 'Cisco-WLC-5508'
(7)   Airespace-Wlan-Id = 9
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1300
(7)   NAS-Port-Type = Wireless-802.11
(7)   Tunnel-Type:0 = VLAN
(7)   Tunnel-Medium-Type:0 = IEEE-802
(7)   Tunnel-Private-Group-Id:0 = '212'
(7)   EAP-Message = 0x0209006b190017030100609c5de592c2afd938ac3a0fce0efa7286bf5952d8522bc4d61d10ea044cbc77d5b722359da1b451d63d657087ab33ffe9af61f913b4a982210d2b12439685adb88228050d1c6c1f2ea1801b282badf8f1bba82ffbba04dec6096c1c7fd93f808a
(7)   State = 0x1e1591df181c880e6da8d17effec1644
(7)   Message-Authenticator = 0x6b59dbf369a713c307314fd6098370a7
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (!&User-Name) {
(7)       if (!&User-Name)  -> FALSE
(7)       if (&User-Name =~ / /) {
(7)       if (&User-Name =~ / /)  -> FALSE
(7)       if (&User-Name =~ /@.*@/ ) {
(7)       if (&User-Name =~ /@.*@/ )  -> FALSE
(7)       if (&User-Name =~ /\.\./ ) {
(7)       if (&User-Name =~ /\.\./ )  -> FALSE
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)       if (&User-Name =~ /\.$/)  {
(7)       if (&User-Name =~ /\.$/)   -> FALSE
(7)       if (&User-Name =~ /@\./)  {
(7)       if (&User-Name =~ /@\./)   -> FALSE
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent code Response (2) ID 9 length 107
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x51a562e351ac7819
(7) eap: Finished EAP session with state 0x1e1591df181c880e
(7) eap: Previous EAP request found for state 0x1e1591df181c880e, released from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP type MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031
(7) eap_peap: Setting User-Name to vdiuser001
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = 'vdiuser001'
(7) eap_peap:   State = 0x51a562e351ac78191732838bb1154cd3
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = 'vdiuser001'
(7)   State = 0x51a562e351ac78191732838bb1154cd3
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent code Response (2) ID 9 length 69
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql:    --> vdiuser001
(7) sql: SQL-User-Name set to 'vdiuser001'
rlm_sql (sql): Reserved connection (4)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(7)       [sql] = notfound
rlm_ldap (ldap): Reserved connection (4)
(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (sAMAccountName=vdiuser001)
(7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(7)       [ldap] = ok
(7)       if (control:Ldap-UserDn =~ /OU=EDU/) {
(7)       if (control:Ldap-UserDn =~ /OU=EDU/)  -> FALSE
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  -> TRUE
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  {
(7)         update control {
(7)           Simultaneous-Use := 3
(7)         } # update control = noop
(7)         update outer.session-state {
(7)           Tunnel-type = VLAN
(7)           Tunnel-medium-type = IEEE-802
(7)           Tunnel-Private-Group-Id = PRS-WIFI-Client
(7)         } # update outer.session-state = noop
(7)       } # elsif (control:Ldap-UserDn =~ /OU=PRS/)  = noop
(7)       ... skipping elsif for request 7: Preceding "if" was taken
(7)       ... skipping else for request 7: Preceding "if" was taken
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = EAP
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x51a562e351ac7819
(7) eap: Finished EAP session with state 0x51a562e351ac7819
(7) eap: Previous EAP request found for state 0x51a562e351ac7819, released from the list
(7) eap: Peer sent method MSCHAPv2 (26)
(7) eap: EAP MSCHAPv2 (26)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap:    --> --username=vdiuser001
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap:    --> --challenge=2f1b60fe24af9f0b
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap:    --> --nt-response=aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d
(7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'
(7) mschap: ERROR: Must change password (0xc0000224)
(7)     [mschap] = reject
(7)   } # Auth-Type MS-CHAP = reject
(7) MSCHAP-Error:       E=648 R=0 C=d713bb20e9d8bd4fc9a1715afa66110e V=3 M=Password Expired
(7) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=d713bb20e9d8bd4fc9a1715afa66110e
(7) ERROR: MSCHAP Failure
(7) eap: EAP session adding &reply:State = 0x51a562e350af7819
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x51a562e350af78191732838bb1154cd3
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x51a562e350af78191732838bb1154cd3
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x51a562e350af78191732838bb1154cd3
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0x1e1591df191f880e
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7)   Tunnel-Type = VLAN
(7)   Tunnel-Medium-Type = IEEE-802
(7)   Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(7) Sent Access-Challenge Id 153 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(7)   EAP-Message = 0x010a006b19001703010060cd702593105348aaa8c69e0e32f0bd973b1260f86941a98af0cabdeafe78417cbb6bb1ee2db3e90312b1b94031c5d2e93bcf353008dbb28e6bb0804faaa24f57eea2f4d5d5f25b20e1d9fa4975ad0224c1ac4d8369d6bf5b80d75dafbb14bd47
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x1e1591df191f880e6da8d17effec1644
(7) Finished request
Waking up in 4.8 seconds.
(0) <done>: Cleaning up request packet ID 146 with timestamp +10
(1) <done>: Cleaning up request packet ID 147 with timestamp +10
(2) <done>: Cleaning up request packet ID 148 with timestamp +10
(3) <done>: Cleaning up request packet ID 149 with timestamp +10
(4) <done>: Cleaning up request packet ID 150 with timestamp +10
(5) <done>: Cleaning up request packet ID 151 with timestamp +10
(6) <done>: Cleaning up request packet ID 152 with timestamp +10
(7) <done>: Cleaning up request packet ID 153 with timestamp +10
Ready to process requests
(8) Received Access-Request Id 154 from 10.70.1.1:32770 to 10.10.10.3:1812 length 860
(8)   User-Name = 'vdiuser001'
(8)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(8)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(8)   NAS-Port = 13
(8)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(8)   NAS-IP-Address = 10.70.1.1
(8)   NAS-Identifier = 'Cisco-WLC-5508'
(8)   Airespace-Wlan-Id = 9
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1300
(8)   NAS-Port-Type = Wireless-802.11
(8)   Tunnel-Type:0 = VLAN
(8)   Tunnel-Medium-Type:0 = IEEE-802
(8)   Tunnel-Private-Group-Id:0 = '212'
(8)   EAP-Message = 0x020a026b190017030102606d169c2fc8c7c02aff0aac1560032a55d594b95aac167509361487589d3cf9fd05e9659eb6c3460f00fde2f2f9eedc29c667fb993d6dd89f0d8611a4f8a8c5e10d264ebbdf6a762d112ed85d966e32389d8247d7a9054b5cdfbfc3ddad2020dbe2c4ad50c2d660b760fc702f
(8)   State = 0x1e1591df191f880e6da8d17effec1644
(8)   Message-Authenticator = 0xb7579687e39291cd7a3befbfdbb6b1d2
(8) session-state: Found cached attributes
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (!&User-Name) {
(8)       if (!&User-Name)  -> FALSE
(8)       if (&User-Name =~ / /) {
(8)       if (&User-Name =~ / /)  -> FALSE
(8)       if (&User-Name =~ /@.*@/ ) {
(8)       if (&User-Name =~ /@.*@/ )  -> FALSE
(8)       if (&User-Name =~ /\.\./ ) {
(8)       if (&User-Name =~ /\.\./ )  -> FALSE
(8)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)       if (&User-Name =~ /\.$/)  {
(8)       if (&User-Name =~ /\.$/)   -> FALSE
(8)       if (&User-Name =~ /@\./)  {
(8)       if (&User-Name =~ /@\./)   -> FALSE
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent code Response (2) ID 10 length 619
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x51a562e350af7819
(8) eap: Finished EAP session with state 0x1e1591df191f880e
(8) eap: Previous EAP request found for state 0x1e1591df191f880e, released from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_peap:   EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_peap: Setting User-Name to vdiuser001
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_peap:   EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = 'vdiuser001'
(8) eap_peap:   State = 0x51a562e350af78191732838bb1154cd3
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8)   EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = 'vdiuser001'
(8)   State = 0x51a562e350af78191732838bb1154cd3
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authorize {
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent code Response (2) ID 10 length 253
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql:    --> vdiuser001
(8) sql: SQL-User-Name set to 'vdiuser001'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(8)       [sql] = notfound
rlm_ldap (ldap): Reserved connection (4)
(8) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (sAMAccountName=vdiuser001)
(8) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(8)       [ldap] = ok
(8)       if (control:Ldap-UserDn =~ /OU=EDU/) {
(8)       if (control:Ldap-UserDn =~ /OU=EDU/)  -> FALSE
(8)       elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(8)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  -> TRUE
(8)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  {
(8)         update control {
(8)           Simultaneous-Use := 3
(8)         } # update control = noop
(8)         update outer.session-state {
(8)           Tunnel-type = VLAN
(8)           Tunnel-medium-type = IEEE-802
(8)           Tunnel-Private-Group-Id = PRS-WIFI-Client
(8)         } # update outer.session-state = noop
(8)       } # elsif (control:Ldap-UserDn =~ /OU=PRS/)  = noop
(8)       ... skipping elsif for request 8: Preceding "if" was taken
(8)       ... skipping else for request 8: Preceding "if" was taken
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = EAP
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x51a562e350af7819
(8) eap: Finished EAP session with state 0x51a562e350af7819
(8) eap: Previous EAP request found for state 0x51a562e350af7819, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: Password change packet received
(8) eap_mschapv2: Built change password packet
(8) eap_mschapv2:   EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_mschapv2:   EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_mschapv2:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_mschapv2:   User-Name = 'vdiuser001'
(8) eap_mschapv2:   State = 0x51a562e350af78191732838bb1154cd3
(8) eap_mschapv2:   EAP-Type = MSCHAPv2
(8) eap_mschapv2:   MS-CHAP-Challenge = 0xd713bb20e9d8bd4fc9a1715afa66110e
(8) eap_mschapv2:   MS-CHAP2-CPW = 0x070a5b9d8e0e4988d32d379033db88d2c9e51799dfdaef22c8439644435c36caa0db00000000000000004e2c4c5c9d3931cb3e9642030b60810041b3efe75b7751f30000
(8) eap_mschapv2:   MS-CHAP-NT-Enc-PW += 0x060a00014f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4a7f0
(8) eap_mschapv2:   MS-CHAP-NT-Enc-PW += 0x060a00021c1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c
(8) eap_mschapv2:   MS-CHAP-NT-Enc-PW += 0x060a00033045950315e9330c49bb6f570898a9590b21fcd14263167211617a51a091
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2:   Auth-Type MS-CHAP {
(8) mschap: MS-CHAPv2 password change request received
(8) mschap: ERROR: No valid NT-Password attribute found, can't change password
(8)     [mschap] = invalid
(8)   } # Auth-Type MS-CHAP = invalid
(8) ERROR: No MS-CHAP2-Success or MS-CHAP-Error was found
(8) eap: ERROR: Failed continuing EAP MSCHAPv2 (26) session. EAP sub-module failed
(8) eap: Failed in EAP select
(8)       [eap] = invalid
(8)     } # authenticate = invalid
(8)   Failed to authenticate the user
(8)   Using Post-Auth-Type Reject
(8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8)     Post-Auth-Type REJECT {
(8) sql: EXPAND .query
(8) sql:    --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND %{User-Name}
(8) sql:    --> vdiuser001
(8) sql: SQL-User-Name set to 'vdiuser001'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(8)       [sql] = ok
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> vdiuser001
(8) attr_filter.access_reject: Matched entry DEFAULT at line 18
(8)       [attr_filter.access_reject] = updated
(8)       update outer.session-state {
(8)         &Module-Failure-Message := &Module-Failure-Message -> mschap: No valid NT-Password attribute found, can't change password
(8)       } # update outer.session-state = noop
(8)     } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   EAP-Message = 0x040a0004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap:   EAP-Message = 0x040a0004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap:   EAP-Message = 0x040a0004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: EAP session adding &reply:State = 0x1e1591df161e880e
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(8)   Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'
(8) Sent Access-Challenge Id 154 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(8)   EAP-Message = 0x010b002b1900170301002086b7bbc516c5fe1abafad64e28b2b37a80cd2cbd98c57e21e3a301c17bf26117
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x1e1591df161e880e6da8d17effec1644
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 155 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
(9)   User-Name = 'vdiuser001'
(9)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(9)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(9)   NAS-Port = 13
(9)   Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(9)   NAS-IP-Address = 10.70.1.1
(9)   NAS-Identifier = 'Cisco-WLC-5508'
(9)   Airespace-Wlan-Id = 9
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1300
(9)   NAS-Port-Type = Wireless-802.11
(9)   Tunnel-Type:0 = VLAN
(9)   Tunnel-Medium-Type:0 = IEEE-802
(9)   Tunnel-Private-Group-Id:0 = '212'
(9)   EAP-Message = 0x020b002b19001703010020889a71d588eee79bc7bef5909fe945a2b6259669d2d02820ae8e09b9cca83ee4
(9)   State = 0x1e1591df161e880e6da8d17effec1644
(9)   Message-Authenticator = 0xe78aa54c51f9d4ebca980275b9fa8b8b
(9) session-state: Found cached attributes
(9)   Tunnel-Type = VLAN
(9)   Tunnel-Medium-Type = IEEE-802
(9)   Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(9)   Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (!&User-Name) {
(9)       if (!&User-Name)  -> FALSE
(9)       if (&User-Name =~ / /) {
(9)       if (&User-Name =~ / /)  -> FALSE
(9)       if (&User-Name =~ /@.*@/ ) {
(9)       if (&User-Name =~ /@.*@/ )  -> FALSE
(9)       if (&User-Name =~ /\.\./ ) {
(9)       if (&User-Name =~ /\.\./ )  -> FALSE
(9)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)       if (&User-Name =~ /\.$/)  {
(9)       if (&User-Name =~ /\.$/)   -> FALSE
(9)       if (&User-Name =~ /@\./)  {
(9)       if (&User-Name =~ /@\./)   -> FALSE
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent code Response (2) ID 11 length 43
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x1e1591df161e880e
(9) eap: Finished EAP session with state 0x1e1591df161e880e
(9) eap: Previous EAP request found for state 0x1e1591df161e880e, released from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap:   The users session was previously rejected: returning reject (again.)
(9) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap:   to find out the reason why the user was rejected
(9) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(9) eap_peap:   what went wrong, and how to fix the problem
  SSL: Removing session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 from the cache
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql:    --> vdiuser001
(9) sql: SQL-User-Name set to 'vdiuser001'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9)     [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> vdiuser001
(9) attr_filter.access_reject: Matched entry DEFAULT at line 18
(9)     [attr_filter.access_reject] = updated
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) <delay>: Sending delayed response
(9) <delay>: Sent Access-Reject Id 155 from 10.10.10.3:1812 to 10.70.1.1:32770 length 44
(9) <delay>:   EAP-Message = 0x040b0004
(9) <delay>:   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(8) <done>: Cleaning up request packet ID 154 with timestamp +22
(9) <delay>: Cleaning up request packet ID 155 with timestamp +22

----------------------------------------
> From: richardvanderveen at outlook.com
> To: freeradius-users at lists.freeradius.org
> Subject: Pass change/expiry problem
> Date: Wed, 3 Jun 2015 08:51:58 +0200
>
> Hello everybody,
> I'm new to FreeRADIUS and Linux and I've gotten to the point that I have successful authentication and VLAN assignment for my wireless users using 802.1x via NTLM authentication with FreeRADIUS 3.0.8 in my test setup.
> I am trying to get the pass change option to work using the mschapv2 module and I do get a pass change window on my Windows 8 test laptop.
> I see that the pass change packet is received but after that I get "No valid NT-Password attribute found, can't change password"
> I hope someone can give me some pointers in the right direction.
> Below is my pass change attempt
> ================================================
>
SSL Handshake PhaseIn SSL Accept mode(1) eap_peap: eaptls_process returned 13(1) eap_peap: FR_TLS_HANDLED(1) eap: EAP session adding &reply:State = 0x1e1591df1f11880e(1) [eap] = handled(1) } # authenticate = handled(1) Using Post-Auth-Type Challenge(1) Post-Auth-Type sub-section not found. Ignoring.(1) # Executing group from file /etc/raddb/sites-enabled/default(1) Sent Access-Challenge Id 147 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(1) EAP-Message = 0x010403ec19c000000a8c160301005902000055030186abd118bcdaa77ddb5869e5ddfbfe95dceb5754d78269df4bcdb7299564fe2d200820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de(1) Message-Authenticator = 0x00000000000000000000000000000000(1) State = 0x1e1591df1f11880e6da8d17effec1644(1) Finished requestWaking up in 4.9 seconds.(2) Received Access-Request Id 148 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(2) User-Name = 'vdiuser001'(2) Calling-Station-Id = '00-c0-a8-c6-d7-79'(2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(2) NAS-Port = 13(2) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(2) NAS-IP-Address = 10.70.1.1(2) NAS-Identifier = 'Cisco-WLC-5508'(2) Airespace-Wlan-Id = 9(2) Service-Type = Framed-User(2) Framed-MTU = 1300(2) NAS-Port-Type = Wireless-802.11(2) Tunnel-Type:0 = VLAN(2) Tunnel-Medium-Type:0 = IEEE-802(2) Tunnel-Private-Group-Id:0 = '212'(2) EAP-Message = 0x020400061900(2) State = 0x1e1591df1f11880e6da8d17effec1644(2) Message-Authenticator = 0x776a06fa5dc2b42c73bb121fcca33bea(2) session-state: No cached attributes(2) # Executing section authorize from file /etc/raddb/sites-enabled/default(2) authorize {(2) policy filter_username {(2) if (!&User-Name) {(2) if (!&User-Name) -> FALSE(2) if (&User-Name =~ / /) {(2) if (&User-Name =~ / /) -> FALSE(2) if (&User-Name =~ /@.*@/ ) {(2) if (&User-Name =~ /@.*@/ ) -> FALSE(2) if (&User-Name =~ /\.\./ ) {(2) if (&User-Name =~ /\.\./ ) -> FALSE(2) if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/)) {(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(2) if (&User-Name =~ /\.$/) {(2) if (&User-Name =~ /\.$/) -> FALSE(2) if (&User-Name =~ /@\./) {(2) if (&User-Name =~ /@\./) -> FALSE(2) } # policy filter_username = notfound(2) [preprocess] = ok(2) [chap] = noop(2) [mschap] = noop(2) [digest] = noop(2) suffix: Checking for suffix after "@"(2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(2) suffix: No such realm "NULL"(2) [suffix] = noop(2) eap: Peer sent code Response (2) ID 4 length 6(2) eap: Continuing tunnel setup(2) [eap] = ok(2) } # authorize = ok(2) Found Auth-Type = EAP(2) # Executing group from file /etc/raddb/sites-enabled/default(2) authenticate {(2) eap: Expiring EAP session with state 0x1e1591df1f11880e(2) eap: Finished EAP session with state 0x1e1591df1f11880e(2) eap: Previous EAP request found for state 0x1e1591df1f11880e, released from the list(2) eap: Peer sent method PEAP (25)(2) eap: EAP PEAP (25)(2) eap: Calling eap_peap to process EAP data(2) eap_peap: processing EAP-TLS(2) eap_peap: Received TLS ACK(2) eap_peap: Received TLS ACK(2) eap_peap: ACK handshake fragment handler(2) eap_peap: eaptls_verify returned 1(2) eap_peap: eaptls_process returned 13(2) eap_peap: FR_TLS_HANDLED(2) eap: EAP session adding &reply:State = 0x1e1591df1c10880e(2) [eap] = handled(2) } # authenticate = handled(2) Using Post-Auth-Type Challenge(2) Post-Auth-Type sub-section not found. 
Ignoring.(2) # Executing group from file /etc/raddb/sites-enabled/default(2) Sent Access-Challenge Id 148 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130(2) Message-Authenticator = 0x00000000000000000000000000000000(2) State = 0x1e1591df1c10880e6da8d17effec1644(2) Finished requestWaking up in 4.9 seconds.(3) Received Access-Request Id 149 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(3) User-Name = 'vdiuser001'(3) Calling-Station-Id = '00-c0-a8-c6-d7-79'(3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(3) NAS-Port = 13(3) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(3) NAS-IP-Address = 10.70.1.1(3) NAS-Identifier = 'Cisco-WLC-5508'(3) Airespace-Wlan-Id = 9(3) Service-Type = Framed-User(3) Framed-MTU = 1300(3) NAS-Port-Type = Wireless-802.11(3) Tunnel-Type:0 = VLAN(3) Tunnel-Medium-Type:0 = IEEE-802(3) Tunnel-Private-Group-Id:0 = '212'(3) EAP-Message = 0x020500061900(3) State = 0x1e1591df1c10880e6da8d17effec1644(3) Message-Authenticator = 0x1feb9b7bb1e9f4d588005f8e4c1f441b(3) session-state: No cached attributes(3) # Executing section authorize from file /etc/raddb/sites-enabled/default(3) authorize {(3) policy filter_username {(3) if (!&User-Name) {(3) if (!&User-Name) -> FALSE(3) if (&User-Name =~ / /) {(3) if (&User-Name =~ / /) -> FALSE(3) if (&User-Name =~ /@.*@/ ) {(3) if (&User-Name =~ /@.*@/ ) -> FALSE(3) if (&User-Name =~ /\.\./ ) {(3) if (&User-Name =~ /\.\./ ) -> FALSE(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(3) if (&User-Name =~ /\.$/) {(3) if (&User-Name =~ /\.$/) -> FALSE(3) if (&User-Name =~ /@\./) {(3) if (&User-Name =~ /@\./) -> FALSE(3) } # policy filter_username = notfound(3) 
[preprocess] = ok(3) [chap] = noop(3) [mschap] = noop(3) [digest] = noop(3) suffix: Checking for suffix after "@"(3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(3) suffix: No such realm "NULL"(3) [suffix] = noop(3) eap: Peer sent code Response (2) ID 5 length 6(3) eap: Continuing tunnel setup(3) [eap] = ok(3) } # authorize = ok(3) Found Auth-Type = EAP(3) # Executing group from file /etc/raddb/sites-enabled/default(3) authenticate {(3) eap: Expiring EAP session with state 0x1e1591df1c10880e(3) eap: Finished EAP session with state 0x1e1591df1c10880e(3) eap: Previous EAP request found for state 0x1e1591df1c10880e, released from the list(3) eap: Peer sent method PEAP (25)(3) eap: EAP PEAP (25)(3) eap: Calling eap_peap to process EAP data(3) eap_peap: processing EAP-TLS(3) eap_peap: Received TLS ACK(3) eap_peap: Received TLS ACK(3) eap_peap: ACK handshake fragment handler(3) eap_peap: eaptls_verify returned 1(3) eap_peap: eaptls_process returned 13(3) eap_peap: FR_TLS_HANDLED(3) eap: EAP session adding &reply:State = 0x1e1591df1d13880e(3) [eap] = handled(3) } # authenticate = handled(3) Using Post-Auth-Type Challenge(3) Post-Auth-Type sub-section not found. 
Ignoring.(3) # Executing group from file /etc/raddb/sites-enabled/default(3) Sent Access-Challenge Id 149 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(3) EAP-Message = 0x010602ce190020417574686f72697479820900eb4cce581239f262300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010505000382010100c1a0(3) Message-Authenticator = 0x00000000000000000000000000000000(3) State = 0x1e1591df1d13880e6da8d17effec1644(3) Finished requestWaking up in 4.9 seconds.(4) Received Access-Request Id 150 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381(4) User-Name = 'vdiuser001'(4) Calling-Station-Id = '00-c0-a8-c6-d7-79'(4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(4) NAS-Port = 13(4) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(4) NAS-IP-Address = 10.70.1.1(4) NAS-Identifier = 'Cisco-WLC-5508'(4) Airespace-Wlan-Id = 9(4) Service-Type = Framed-User(4) Framed-MTU = 1300(4) NAS-Port-Type = Wireless-802.11(4) Tunnel-Type:0 = VLAN(4) Tunnel-Medium-Type:0 = IEEE-802(4) Tunnel-Private-Group-Id:0 = '212'(4) EAP-Message = 0x0206009019800000008616030100461000004241041c7db466f320cdd73375bd32ae121beb52414806d71da093e45be96f1368dbbf176affcce34fc191bd0a86203a369e1c98f1595c3ae6cedd722150c58f619c8314030100010116030100308e95f63a5f43e7d94cf3583b9fc1b9a041050278e6f62b(4) State = 0x1e1591df1d13880e6da8d17effec1644(4) Message-Authenticator = 0x454da7994b1a632987de592cee18ad93(4) session-state: No cached attributes(4) # Executing section authorize from file /etc/raddb/sites-enabled/default(4) authorize {(4) policy filter_username {(4) if (!&User-Name) {(4) if (!&User-Name) -> FALSE(4) if (&User-Name =~ / /) {(4) if (&User-Name =~ / /) -> FALSE(4) if (&User-Name =~ /@.*@/ ) {(4) if (&User-Name =~ /@.*@/ ) -> FALSE(4) if (&User-Name =~ /\.\./ ) {(4) if (&User-Name =~ /\.\./ ) -> FALSE(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(4) if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(4) if (&User-Name =~ /\.$/) {(4) if (&User-Name =~ /\.$/) -> FALSE(4) if (&User-Name =~ /@\./) {(4) if (&User-Name =~ /@\./) -> FALSE(4) } # policy filter_username = notfound(4) [preprocess] = ok(4) [chap] = noop(4) [mschap] = noop(4) [digest] = noop(4) suffix: Checking for suffix after "@"(4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(4) suffix: No such realm "NULL"(4) [suffix] = noop(4) eap: Peer sent code Response (2) ID 6 length 144(4) eap: Continuing tunnel setup(4) [eap] = ok(4) } # authorize = ok(4) Found Auth-Type = EAP(4) # Executing group from file /etc/raddb/sites-enabled/default(4) authenticate {(4) eap: Expiring EAP session with state 0x1e1591df1d13880e(4) eap: Finished EAP session with state 0x1e1591df1d13880e(4) eap: Previous EAP request found for state 0x1e1591df1d13880e, released from the list(4) eap: Peer sent method PEAP (25)(4) eap: EAP PEAP (25)(4) eap: Calling eap_peap to process EAP data(4) eap_peap: processing EAP-TLS(4) eap_peap: TLS Length 134(4) eap_peap: Length Included(4) eap_peap: eaptls_verify returned 11(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange(4) eap_peap: TLS_accept: SSLv3 read client key exchange A(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001](4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished(4) eap_peap: TLS_accept: SSLv3 read finished A(4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001](4) eap_peap: TLS_accept: SSLv3 write change cipher spec A(4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished(4) eap_peap: TLS_accept: SSLv3 write finished A(4) eap_peap: TLS_accept: SSLv3 flush data TLS: adding session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 to cache(4) eap_peap: (other): SSL negotiation finished successfullySSL Connection Established(4) eap_peap: eaptls_process returned 13(4) eap_peap: FR_TLS_HANDLED(4) eap: EAP session adding &reply:State = 0x1e1591df1a12880e(4) [eap] = handled(4) } # 
authenticate = handled(4) Using Post-Auth-Type Challenge(4) Post-Auth-Type sub-section not found. Ignoring.(4) # Executing group from file /etc/raddb/sites-enabled/default(4) Sent Access-Challenge Id 150 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(4) EAP-Message = 0x0107004119001403010001011603010030844ddc99d83876b1afa809097ddc158138ae61e5027df9156161e80fd4e6b5dc6dc0286f2d7f440f29064c5d5da6135f(4) Message-Authenticator = 0x00000000000000000000000000000000(4) State = 0x1e1591df1a12880e6da8d17effec1644(4) Finished requestWaking up in 4.9 seconds.(5) Received Access-Request Id 151 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243(5) User-Name = 'vdiuser001'(5) Calling-Station-Id = '00-c0-a8-c6-d7-79'(5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(5) NAS-Port = 13(5) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(5) NAS-IP-Address = 10.70.1.1(5) NAS-Identifier = 'Cisco-WLC-5508'(5) Airespace-Wlan-Id = 9(5) Service-Type = Framed-User(5) Framed-MTU = 1300(5) NAS-Port-Type = Wireless-802.11(5) Tunnel-Type:0 = VLAN(5) Tunnel-Medium-Type:0 = IEEE-802(5) Tunnel-Private-Group-Id:0 = '212'(5) EAP-Message = 0x020700061900(5) State = 0x1e1591df1a12880e6da8d17effec1644(5) Message-Authenticator = 0x6a9f9babb7fb5a0603e50e2292064d52(5) session-state: No cached attributes(5) # Executing section authorize from file /etc/raddb/sites-enabled/default(5) authorize {(5) policy filter_username {(5) if (!&User-Name) {(5) if (!&User-Name) -> FALSE(5) if (&User-Name =~ / /) {(5) if (&User-Name =~ / /) -> FALSE(5) if (&User-Name =~ /@.*@/ ) {(5) if (&User-Name =~ /@.*@/ ) -> FALSE(5) if (&User-Name =~ /\.\./ ) {(5) if (&User-Name =~ /\.\./ ) -> FALSE(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(5) if (&User-Name =~ /\.$/) {(5) if (&User-Name =~ /\.$/) -> FALSE(5) if (&User-Name =~ /@\./) {(5) if (&User-Name =~ /@\./) -> FALSE(5) } # policy filter_username = notfound(5) [preprocess] = 
ok(5) [chap] = noop(5) [mschap] = noop(5) [digest] = noop(5) suffix: Checking for suffix after "@"(5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(5) suffix: No such realm "NULL"(5) [suffix] = noop(5) eap: Peer sent code Response (2) ID 7 length 6(5) eap: Continuing tunnel setup(5) [eap] = ok(5) } # authorize = ok(5) Found Auth-Type = EAP(5) # Executing group from file /etc/raddb/sites-enabled/default(5) authenticate {(5) eap: Expiring EAP session with state 0x1e1591df1a12880e(5) eap: Finished EAP session with state 0x1e1591df1a12880e(5) eap: Previous EAP request found for state 0x1e1591df1a12880e, released from the list(5) eap: Peer sent method PEAP (25)(5) eap: EAP PEAP (25)(5) eap: Calling eap_peap to process EAP data(5) eap_peap: processing EAP-TLS(5) eap_peap: Received TLS ACK(5) eap_peap: Received TLS ACK(5) eap_peap: ACK handshake is finished(5) eap_peap: eaptls_verify returned 3(5) eap_peap: eaptls_process returned 3(5) eap_peap: FR_TLS_SUCCESS(5) eap_peap: Session established. Decoding tunneled attributes(5) eap_peap: PEAP state TUNNEL ESTABLISHED(5) eap: EAP session adding &reply:State = 0x1e1591df1b1d880e(5) [eap] = handled(5) } # authenticate = handled(5) Using Post-Auth-Type Challenge(5) Post-Auth-Type sub-section not found. 
Ignoring.(5) # Executing group from file /etc/raddb/sites-enabled/default(5) Sent Access-Challenge Id 151 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(5) EAP-Message = 0x0108002b190017030100206db2be686f268ad99a2f0f2723b6e3d5710916296d814c355a0cd194caed8a7b(5) Message-Authenticator = 0x00000000000000000000000000000000(5) State = 0x1e1591df1b1d880e6da8d17effec1644(5) Finished requestWaking up in 4.9 seconds.(6) Received Access-Request Id 152 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280(6) User-Name = 'vdiuser001'(6) Calling-Station-Id = '00-c0-a8-c6-d7-79'(6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(6) NAS-Port = 13(6) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(6) NAS-IP-Address = 10.70.1.1(6) NAS-Identifier = 'Cisco-WLC-5508'(6) Airespace-Wlan-Id = 9(6) Service-Type = Framed-User(6) Framed-MTU = 1300(6) NAS-Port-Type = Wireless-802.11(6) Tunnel-Type:0 = VLAN(6) Tunnel-Medium-Type:0 = IEEE-802(6) Tunnel-Private-Group-Id:0 = '212'(6) EAP-Message = 0x0208002b1900170301002041ab8b582edc5512fcc8ba26acc4c3cca929b11e6bb6dc324e964be4c8912361(6) State = 0x1e1591df1b1d880e6da8d17effec1644(6) Message-Authenticator = 0x32cd4ca4495354475cad0639e3657fcd(6) session-state: No cached attributes(6) # Executing section authorize from file /etc/raddb/sites-enabled/default(6) authorize {(6) policy filter_username {(6) if (!&User-Name) {(6) if (!&User-Name) -> FALSE(6) if (&User-Name =~ / /) {(6) if (&User-Name =~ / /) -> FALSE(6) if (&User-Name =~ /@.*@/ ) {(6) if (&User-Name =~ /@.*@/ ) -> FALSE(6) if (&User-Name =~ /\.\./ ) {(6) if (&User-Name =~ /\.\./ ) -> FALSE(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(6) if (&User-Name =~ /\.$/) {(6) if (&User-Name =~ /\.$/) -> FALSE(6) if (&User-Name =~ /@\./) {(6) if (&User-Name =~ /@\./) -> FALSE(6) } # policy filter_username = notfound(6) [preprocess] = ok(6) [chap] = noop(6) [mschap] = noop(6) [digest] = noop(6) suffix: 
Checking for suffix after "@"(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) eap: Peer sent code Response (2) ID 8 length 43(6) eap: Continuing tunnel setup(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /etc/raddb/sites-enabled/default(6) authenticate {(6) eap: Expiring EAP session with state 0x1e1591df1b1d880e(6) eap: Finished EAP session with state 0x1e1591df1b1d880e(6) eap: Previous EAP request found for state 0x1e1591df1b1d880e, released from the list(6) eap: Peer sent method PEAP (25)(6) eap: EAP PEAP (25)(6) eap: Calling eap_peap to process EAP data(6) eap_peap: processing EAP-TLS(6) eap_peap: eaptls_verify returned 7(6) eap_peap: Done initial handshake(6) eap_peap: eaptls_process returned 7(6) eap_peap: FR_TLS_OK(6) eap_peap: Session established. Decoding tunneled attributes(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY(6) eap_peap: Identity - vdiuser001(6) eap_peap: Got inner identity 'vdiuser001'(6) eap_peap: Setting default EAP type for tunneled EAP session(6) eap_peap: Got tunneled request(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031(6) eap_peap: Setting User-Name to vdiuser001(6) eap_peap: Sending tunneled request to inner-tunnel(6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(6) eap_peap: User-Name = 'vdiuser001'(6) Virtual server inner-tunnel received request(6) EAP-Message = 0x0208000f0176646975736572303031(6) FreeRADIUS-Proxied-To = 127.0.0.1(6) User-Name = 'vdiuser001'(6) server inner-tunnel {(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel(6) authorize {(6) [chap] = noop(6) [mschap] = noop(6) suffix: Checking for suffix after "@"(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(6) suffix: No such realm "NULL"(6) [suffix] = noop(6) update control {(6) &Proxy-To-Realm := LOCAL(6) } # update control = 
noop(6) eap: Peer sent code Response (2) ID 8 length 15(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize(6) [eap] = ok(6) } # authorize = ok(6) Found Auth-Type = EAP(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(6) authenticate {(6) eap: Peer sent method Identity (1)(6) eap: Calling eap_mschapv2 to process EAP data(6) eap_mschapv2: Issuing Challenge(6) eap: EAP session adding &reply:State = 0x51a562e351ac7819(6) [eap] = handled(6) } # authenticate = handled(6) } # server inner-tunnel(6) Virtual server sending reply(6) EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled reply code 11(6) eap_peap: EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(6) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled reply RADIUS code 11(6) eap_peap: EAP-Message = 0x0109002a1a01090025103864b0660eb39e6c695de88ff893e0e6667265657261646975732d332e302e38(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(6) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(6) eap_peap: Got tunneled Access-Challenge(6) eap: EAP session adding &reply:State = 0x1e1591df181c880e(6) [eap] = handled(6) } # authenticate = handled(6) Using Post-Auth-Type Challenge(6) Post-Auth-Type sub-section not found. 
Ignoring.(6) # Executing group from file /etc/raddb/sites-enabled/default(6) Sent Access-Challenge Id 152 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0(6) EAP-Message = 0x0109004b19001703010040d8c3a0f01020d409085cc9f8485a9541e838b86586f7b38d0420e95191d98a03ccada0bcd4542632b89be702586bf861065d500e247a43742d868664491075b0(6) Message-Authenticator = 0x00000000000000000000000000000000(6) State = 0x1e1591df181c880e6da8d17effec1644(6) Finished requestWaking up in 4.9 seconds.(7) Received Access-Request Id 153 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344(7) User-Name = 'vdiuser001'(7) Calling-Station-Id = '00-c0-a8-c6-d7-79'(7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'(7) NAS-Port = 13(7) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'(7) NAS-IP-Address = 10.70.1.1(7) NAS-Identifier = 'Cisco-WLC-5508'(7) Airespace-Wlan-Id = 9(7) Service-Type = Framed-User(7) Framed-MTU = 1300(7) NAS-Port-Type = Wireless-802.11(7) Tunnel-Type:0 = VLAN(7) Tunnel-Medium-Type:0 = IEEE-802(7) Tunnel-Private-Group-Id:0 = '212'(7) EAP-Message = 0x0209006b190017030100609c5de592c2afd938ac3a0fce0efa7286bf5952d8522bc4d61d10ea044cbc77d5b722359da1b451d63d657087ab33ffe9af61f913b4a982210d2b12439685adb88228050d1c6c1f2ea1801b282badf8f1bba82ffbba04dec6096c1c7fd93f808a(7) State = 0x1e1591df181c880e6da8d17effec1644(7) Message-Authenticator = 0x6b59dbf369a713c307314fd6098370a7(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/raddb/sites-enabled/default(7) authorize {(7) policy filter_username {(7) if (!&User-Name) {(7) if (!&User-Name) -> FALSE(7) if (&User-Name =~ / /) {(7) if (&User-Name =~ / /) -> FALSE(7) if (&User-Name =~ /@.*@/ ) {(7) if (&User-Name =~ /@.*@/ ) -> FALSE(7) if (&User-Name =~ /\.\./ ) {(7) if (&User-Name =~ /\.\./ ) -> FALSE(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE(7) if (&User-Name =~ /\.$/) {(7) if (&User-Name =~ /\.$/) -> FALSE(7) if 
(&User-Name =~ /@\./) {(7) if (&User-Name =~ /@\./) -> FALSE(7) } # policy filter_username = notfound(7) [preprocess] = ok(7) [chap] = noop(7) [mschap] = noop(7) [digest] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) eap: Peer sent code Response (2) ID 9 length 107(7) eap: Continuing tunnel setup(7) [eap] = ok(7) } # authorize = ok(7) Found Auth-Type = EAP(7) # Executing group from file /etc/raddb/sites-enabled/default(7) authenticate {(7) eap: Expiring EAP session with state 0x51a562e351ac7819(7) eap: Finished EAP session with state 0x1e1591df181c880e(7) eap: Previous EAP request found for state 0x1e1591df181c880e, released from the list(7) eap: Peer sent method PEAP (25)(7) eap: EAP PEAP (25)(7) eap: Calling eap_peap to process EAP data(7) eap_peap: processing EAP-TLS(7) eap_peap: eaptls_verify returned 7(7) eap_peap: Done initial handshake(7) eap_peap: eaptls_process returned 7(7) eap_peap: FR_TLS_OK(7) eap_peap: Session established. 
Decoding tunneled attributes(7) eap_peap: PEAP state phase2(7) eap_peap: EAP type MSCHAPv2 (26)(7) eap_peap: Got tunneled request(7) eap_peap: EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) eap_peap: Setting User-Name to vdiuser001(7) eap_peap: Sending tunneled request to inner-tunnel(7) eap_peap: EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1(7) eap_peap: User-Name = 'vdiuser001'(7) eap_peap: State = 0x51a562e351ac78191732838bb1154cd3(7) Virtual server inner-tunnel received request(7) EAP-Message = 0x020900451a0209004031d2da32c556686cced64008c9cc9172bc0000000000000000aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d0076646975736572303031(7) FreeRADIUS-Proxied-To = 127.0.0.1(7) User-Name = 'vdiuser001'(7) State = 0x51a562e351ac78191732838bb1154cd3(7) server inner-tunnel {(7) session-state: No cached attributes(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel(7) authorize {(7) [chap] = noop(7) [mschap] = noop(7) suffix: Checking for suffix after "@"(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL(7) suffix: No such realm "NULL"(7) [suffix] = noop(7) update control {(7) &Proxy-To-Realm := LOCAL(7) } # update control = noop(7) eap: Peer sent code Response (2) ID 9 length 69(7) eap: No EAP Start, assuming it's an on-going EAP conversation(7) [eap] = updated(7) [files] = noop(7) sql: EXPAND %{User-Name}(7) sql: --> vdiuser001(7) sql: SQL-User-Name set to 'vdiuser001'rlm_sql (sql): Reserved connection (4)(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(7) sql: Executing select 
query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority(7) sql: User not found in any groupsrlm_sql (sql): Released connection (4)(7) [sql] = notfoundrlm_ldap (ldap): Reserved connection (4)(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(7) ldap: --> (sAMAccountName=vdiuser001)(7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"(7) ldap: Waiting for search result...(7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"(7) ldap: Processing user attributes(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read thepassword attribute(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)rlm_ldap (ldap): Released connection (4)(7) [ldap] = ok(7) if (control:Ldap-UserDn =~ /OU=EDU/) {(7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE(7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {(7) update control {(7) Simultaneous-Use := 3(7) } # update control = noop(7) update outer.session-state {(7) Tunnel-type = VLAN(7) Tunnel-medium-type = IEEE-802(7) Tunnel-Private-Group-Id = PRS-WIFI-Client(7) } # update outer.session-state = noop(7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop(7) ... skipping elsif for request 7: Preceding "if" was taken(7) ... 
skipping else for request 7: Preceding "if" was taken(7) [expiration] = noop(7) [logintime] = noop(7) [pap] = noop(7) } # authorize = updated(7) Found Auth-Type = EAP(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(7) authenticate {(7) eap: Expiring EAP session with state 0x51a562e351ac7819(7) eap: Finished EAP session with state 0x51a562e351ac7819(7) eap: Previous EAP request found for state 0x51a562e351ac7819, released from the list(7) eap: Peer sent method MSCHAPv2 (26)(7) eap: EAP MSCHAPv2 (26)(7) eap: Calling eap_mschapv2 to process EAP data(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel(7) eap_mschapv2: Auth-Type MS-CHAP {(7) mschap: Creating challenge hash with username: vdiuser001(7) mschap: Client is using MS-CHAPv2(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}(7) mschap: --> --username=vdiuser001(7) mschap: Creating challenge hash with username: vdiuser001(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}(7) mschap: --> --challenge=2f1b60fe24af9f0b(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}(7) mschap: --> --nt-response=aad43f4e34a84dddd4677581fb648551549e2a1dbbf9b45d(7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'(7) mschap: ERROR: Must change password (0xc0000224)(7) [mschap] = reject(7) } # Auth-Type MS-CHAP = reject(7) MSCHAP-Error: E=648 R=0 C=d713bb20e9d8bd4fc9a1715afa66110e V=3 M=Password Expired(7) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=d713bb20e9d8bd4fc9a1715afa66110e(7) ERROR: MSCHAP Failure(7) eap: EAP session adding &reply:State = 0x51a562e350af7819(7) [eap] = handled(7) } # authenticate = handled(7) } # server inner-tunnel(7) Virtual server sending reply(7) EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) Message-Authenticator = 0x00000000000000000000000000000000(7) State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: Got tunneled reply code 11(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: Got tunneled reply RADIUS code 11(7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3020433d643731336262323065396438626434666339613137313561666136363131306520563d33204d3d50617373776f72642045787069726564(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000(7) eap_peap: State = 0x51a562e350af78191732838bb1154cd3(7) eap_peap: 
Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0x1e1591df191f880e
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) Tunnel-Type = VLAN
(7) Tunnel-Medium-Type = IEEE-802
(7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(7) Sent Access-Challenge Id 153 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(7) EAP-Message = 0x010a006b19001703010060cd702593105348aaa8c69e0e32f0bd973b1260f86941a98af0cabdeafe78417cbb6bb1ee2db3e90312b1b94031c5d2e93bcf353008dbb28e6bb0804faaa24f57eea2f4d5d5f25b20e1d9fa4975ad0224c1ac4d8369d6bf5b80d75dafbb14bd47
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1e1591df191f880e6da8d17effec1644
(7) Finished request
Waking up in 4.8 seconds.
(0) <done>: Cleaning up request packet ID 146 with timestamp +10
(1) <done>: Cleaning up request packet ID 147 with timestamp +10
(2) <done>: Cleaning up request packet ID 148 with timestamp +10
(3) <done>: Cleaning up request packet ID 149 with timestamp +10
(4) <done>: Cleaning up request packet ID 150 with timestamp +10
(5) <done>: Cleaning up request packet ID 151 with timestamp +10
(6) <done>: Cleaning up request packet ID 152 with timestamp +10
(7) <done>: Cleaning up request packet ID 153 with timestamp +10
Ready to process requests
(8) Received Access-Request Id 154 from 10.70.1.1:32770 to 10.10.10.3:1812 length 860
(8) User-Name = 'vdiuser001'
(8) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(8) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(8) NAS-Port = 13
(8) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(8) NAS-IP-Address = 10.70.1.1
(8) NAS-Identifier = 'Cisco-WLC-5508'
(8) Airespace-Wlan-Id = 9
(8) Service-Type = Framed-User
(8) Framed-MTU = 1300
(8) NAS-Port-Type = Wireless-802.11
(8) Tunnel-Type:0 = VLAN
(8) Tunnel-Medium-Type:0 = IEEE-802
(8) Tunnel-Private-Group-Id:0 = '212'
(8) EAP-Message = 0x020a026b190017030102606d169c2fc8c7c02aff0aac1560032a55d594b95aac167509361487589d3cf9fd05e9659eb6c3460f00fde2f2f9eedc29c667fb993d6dd89f0d8611a4f8a8c5e10d264ebbdf6a762d112ed85d966e32389d8247d7a9054b5cdfbfc3ddad2020dbe2c4ad50c2d660b760fc702f
(8) State = 0x1e1591df191f880e6da8d17effec1644
(8) Message-Authenticator = 0xb7579687e39291cd7a3befbfdbb6b1d2
(8) session-state: Found cached attributes
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (!&User-Name) {
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent code Response (2) ID 10 length 619
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x51a562e350af7819
(8) eap: Finished EAP session with state 0x1e1591df191f880e
(8) eap: Previous EAP request found for state 0x1e1591df191f880e, released from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_peap: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_peap: Setting User-Name to vdiuser001
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_peap: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = 'vdiuser001'
(8) eap_peap: State = 0x51a562e350af78191732838bb1154cd3
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = 'vdiuser001'
(8) State = 0x51a562e350af78191732838bb1154cd3
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent code Response (2) ID 10 length 253
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> vdiuser001
(8) sql: SQL-User-Name set to 'vdiuser001'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(8) [sql] = notfound
rlm_ldap (ldap): Reserved connection (4)
(8) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (sAMAccountName=vdiuser001)
(8) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(8) [ldap] = ok
(8) if (control:Ldap-UserDn =~ /OU=EDU/) {
(8) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE
(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE
(8) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(8) update control {
(8) Simultaneous-Use := 3
(8) } # update control = noop
(8) update outer.session-state {
(8) Tunnel-type = VLAN
(8) Tunnel-medium-type = IEEE-802
(8) Tunnel-Private-Group-Id = PRS-WIFI-Client
(8) } # update outer.session-state = noop
(8) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop
(8) ... skipping elsif for request 8: Preceding "if" was taken
(8) ... skipping else for request 8: Preceding "if" was taken
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x51a562e350af7819
(8) eap: Finished EAP session with state 0x51a562e350af7819
(8) eap: Previous EAP request found for state 0x51a562e350af7819, released from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: Password change packet received
(8) eap_mschapv2: Built change password packet
(8) eap_mschapv2: EAP-Message = 0x020a024f1a070a024a4f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4
(8) eap_mschapv2: EAP-Message = 0x1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c10e851c5da6c2239
(8) eap_mschapv2: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_mschapv2: User-Name = 'vdiuser001'
(8) eap_mschapv2: State = 0x51a562e350af78191732838bb1154cd3
(8) eap_mschapv2: EAP-Type = MSCHAPv2
(8) eap_mschapv2: MS-CHAP-Challenge = 0xd713bb20e9d8bd4fc9a1715afa66110e
(8) eap_mschapv2: MS-CHAP2-CPW = 0x070a5b9d8e0e4988d32d379033db88d2c9e51799dfdaef22c8439644435c36caa0db00000000000000004e2c4c5c9d3931cb3e9642030b60810041b3efe75b7751f30000
(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00014f634797561c5fad5b88d345da27761ab5ecf7a9bc43719579932194330fa999b94f293f55fd38a933a1ec2ea10fed700b63cdcab19931f4ef1832efed4d11380e162fad51a9eaf0f6b5687ce4c306230171a4afb0af2574edb3b562b792b1078a5627174edcd4f5fa8cddf8e5c4a7f0
(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00021c1f62684ea38b93b87d5a3b483557a65f98c48df8863c45926e31c0b7e9ab5dfaf79a3a419c135f4d51af509198bba00c7c303e2c381d49d14801f423aea52a14aaa174decb6e8c23fdac27535fb2a80ae51039540e702f14ea045e9d6810f0e7455b2ab930714be234311d57bec90c
(8) eap_mschapv2: MS-CHAP-NT-Enc-PW += 0x060a00033045950315e9330c49bb6f570898a9590b21fcd14263167211617a51a091
(8) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: MS-CHAPv2 password change request received
(8) mschap: ERROR: No valid NT-Password attribute found, can't change password
(8) [mschap] = invalid
(8) } # Auth-Type MS-CHAP = invalid
(8) ERROR: No MS-CHAP2-Success or MS-CHAP-Error was found
(8) eap: ERROR: Failed continuing EAP MSCHAPv2 (26) session. EAP sub-module failed
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) Post-Auth-Type REJECT {
(8) sql: EXPAND .query
(8) sql: --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND %{User-Name}
(8) sql: --> vdiuser001
(8) sql: SQL-User-Name set to 'vdiuser001'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(8) [sql] = ok
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> vdiuser001
(8) attr_filter.access_reject: Matched entry DEFAULT at line 18
(8) [attr_filter.access_reject] = updated
(8) update outer.session-state {
(8) &Module-Failure-Message := &Module-Failure-Message -> mschap: No valid NT-Password attribute found, can't change password
(8) } # update outer.session-state = noop
(8) } # Post-Auth-Type REJECT = updated
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x040a0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply code 3
(8) eap_peap: EAP-Message = 0x040a0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Got tunneled reply RADIUS code 3
(8) eap_peap: EAP-Message = 0x040a0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Tunneled authentication was rejected
(8) eap_peap: FAILURE
(8) eap: EAP session adding &reply:State = 0x1e1591df161e880e
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(8) Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'
(8) Sent Access-Challenge Id 154 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(8) EAP-Message = 0x010b002b1900170301002086b7bbc516c5fe1abafad64e28b2b37a80cd2cbd98c57e21e3a301c17bf26117
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1e1591df161e880e6da8d17effec1644
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 155 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
(9) User-Name = 'vdiuser001'
(9) Calling-Station-Id = '00-c0-a8-c6-d7-79'
(9) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(9) NAS-Port = 13
(9) Cisco-AVPair = 'audit-session-id=0a46010100011de2556e9f83'
(9) NAS-IP-Address = 10.70.1.1
(9) NAS-Identifier = 'Cisco-WLC-5508'
(9) Airespace-Wlan-Id = 9
(9) Service-Type = Framed-User
(9) Framed-MTU = 1300
(9) NAS-Port-Type = Wireless-802.11
(9) Tunnel-Type:0 = VLAN
(9) Tunnel-Medium-Type:0 = IEEE-802
(9) Tunnel-Private-Group-Id:0 = '212'
(9) EAP-Message = 0x020b002b19001703010020889a71d588eee79bc7bef5909fe945a2b6259669d2d02820ae8e09b9cca83ee4
(9) State = 0x1e1591df161e880e6da8d17effec1644
(9) Message-Authenticator = 0xe78aa54c51f9d4ebca980275b9fa8b8b
(9) session-state: Found cached attributes
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(9) Module-Failure-Message := 'mschap: No valid NT-Password attribute found, can\'t change password'
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (!&User-Name) {
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent code Response (2) ID 11 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x1e1591df161e880e
(9) eap: Finished EAP session with state 0x1e1591df161e880e
(9) eap: Previous EAP request found for state 0x1e1591df161e880e, released from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv failure
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(9) eap_peap: to find out the reason why the user was rejected
(9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(9) eap_peap: what went wrong, and how to fix the problem
SSL: Removing session 0820f20d95f9ba8235db521076848da4d36f7481e161aada4b50a272181044c1 from the cache
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> vdiuser001
(9) sql: SQL-User-Name set to 'vdiuser001'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vdiuser001', '', 'Access-Reject', '2015-06-03 08:32:42')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> vdiuser001
(9) attr_filter.access_reject: Matched entry DEFAULT at line 18
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) <delay>: Sending delayed response
(9) <delay>: Sent Access-Reject Id 155 from 10.10.10.3:1812 to 10.70.1.1:32770 length 44
(9) <delay>: EAP-Message = 0x040b0004
(9) <delay>: Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(8) <done>: Cleaning up request packet ID 154 with timestamp +22
(9) <delay>: Cleaning up request packet ID 155 with timestamp +22