Pass change/expiry problem

Richard van der Veen richardvanderveen at outlook.com
Wed Jun 3 16:33:53 CEST 2015


Thank you Alan for your response,

After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate successfully with a different user that has no expired password.

(0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234
(0)   User-Name = 'vdiuser001'
(0)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(0)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(0)   NAS-Port = 13
(0)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(0)   NAS-IP-Address = 10.70.1.1
(0)   NAS-Identifier = 'Cisco-WLC-5508'
(0)   Airespace-Wlan-Id = 9
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1300
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Private-Group-Id:0 = '212'
(0)   EAP-Message = 0x0202000f0176646975736572303031
(0)   Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent code Response (2) ID 2 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_peap to process EAP data
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: Initiate
(0) eap_peap: Start returned 1
(0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(0)   EAP-Message = 0x010300061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xfcd853a7fcdb4aafb400e9d91b88b168
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378
(1)   User-Name = 'vdiuser001'
(1)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(1)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(1)   NAS-Port = 13
(1)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(1)   NAS-IP-Address = 10.70.1.1
(1)   NAS-Identifier = 'Cisco-WLC-5508'
(1)   Airespace-Wlan-Id = 9
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1300
(1)   NAS-Port-Type = Wireless-802.11
(1)   Tunnel-Type:0 = VLAN
(1)   Tunnel-Medium-Type:0 = IEEE-802
(1)   Tunnel-Private-Group-Id:0 = '212'
(1)   EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100
(1)   State = 0xfcd853a7fcdb4aafb400e9d91b88b168
(1)   Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent code Response (2) ID 3 length 141
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf
(1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf
(1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list
(1) eap: Peer sent method PEAP (25)
(1) eap: EAP PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: processing EAP-TLS
(1) eap_peap: TLS Length 131
(1) eap_peap: Length Included
(1) eap_peap: eaptls_verify returned 11
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello
  SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(1) eap_peap: eaptls_process returned 13
(1) eap_peap: FR_TLS_HANDLED
(1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(1)   EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xfcd853a7fddc4aafb400e9d91b88b168
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(2)   User-Name = 'vdiuser001'
(2)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(2)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(2)   NAS-Port = 13
(2)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(2)   NAS-IP-Address = 10.70.1.1
(2)   NAS-Identifier = 'Cisco-WLC-5508'
(2)   Airespace-Wlan-Id = 9
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   Tunnel-Type:0 = VLAN
(2)   Tunnel-Medium-Type:0 = IEEE-802
(2)   Tunnel-Private-Group-Id:0 = '212'
(2)   EAP-Message = 0x020400061900
(2)   State = 0xfcd853a7fddc4aafb400e9d91b88b168
(2)   Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (!&User-Name) {
(2)       if (!&User-Name)  -> FALSE
(2)       if (&User-Name =~ / /) {
(2)       if (&User-Name =~ / /)  -> FALSE
(2)       if (&User-Name =~ /@.*@/ ) {
(2)       if (&User-Name =~ /@.*@/ )  -> FALSE
(2)       if (&User-Name =~ /\.\./ ) {
(2)       if (&User-Name =~ /\.\./ )  -> FALSE
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)       if (&User-Name =~ /\.$/)  {
(2)       if (&User-Name =~ /\.$/)   -> FALSE
(2)       if (&User-Name =~ /@\./)  {
(2)       if (&User-Name =~ /@\./)   -> FALSE
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent code Response (2) ID 4 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf
(2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf
(2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: Received TLS ACK
(2) eap_peap: Received TLS ACK
(2) eap_peap: ACK handshake fragment handler
(2) eap_peap: eaptls_verify returned 1
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(2)   EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xfcd853a7fedd4aafb400e9d91b88b168
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(3)   User-Name = 'vdiuser001'
(3)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(3)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(3)   NAS-Port = 13
(3)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(3)   NAS-IP-Address = 10.70.1.1
(3)   NAS-Identifier = 'Cisco-WLC-5508'
(3)   Airespace-Wlan-Id = 9
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1300
(3)   NAS-Port-Type = Wireless-802.11
(3)   Tunnel-Type:0 = VLAN
(3)   Tunnel-Medium-Type:0 = IEEE-802
(3)   Tunnel-Private-Group-Id:0 = '212'
(3)   EAP-Message = 0x020500061900
(3)   State = 0xfcd853a7fedd4aafb400e9d91b88b168
(3)   Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (!&User-Name) {
(3)       if (!&User-Name)  -> FALSE
(3)       if (&User-Name =~ / /) {
(3)       if (&User-Name =~ / /)  -> FALSE
(3)       if (&User-Name =~ /@.*@/ ) {
(3)       if (&User-Name =~ /@.*@/ )  -> FALSE
(3)       if (&User-Name =~ /\.\./ ) {
(3)       if (&User-Name =~ /\.\./ )  -> FALSE
(3)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)       if (&User-Name =~ /\.$/)  {
(3)       if (&User-Name =~ /\.$/)   -> FALSE
(3)       if (&User-Name =~ /@\./)  {
(3)       if (&User-Name =~ /@\./)   -> FALSE
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent code Response (2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf
(3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf
(3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(3)   EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xfcd853a7ffde4aafb400e9d91b88b168
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381
(4)   User-Name = 'vdiuser001'
(4)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(4)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(4)   NAS-Port = 13
(4)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(4)   NAS-IP-Address = 10.70.1.1
(4)   NAS-Identifier = 'Cisco-WLC-5508'
(4)   Airespace-Wlan-Id = 9
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1300
(4)   NAS-Port-Type = Wireless-802.11
(4)   Tunnel-Type:0 = VLAN
(4)   Tunnel-Medium-Type:0 = IEEE-802
(4)   Tunnel-Private-Group-Id:0 = '212'
(4)   EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379
(4)   State = 0xfcd853a7ffde4aafb400e9d91b88b168
(4)   Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (!&User-Name) {
(4)       if (!&User-Name)  -> FALSE
(4)       if (&User-Name =~ / /) {
(4)       if (&User-Name =~ / /)  -> FALSE
(4)       if (&User-Name =~ /@.*@/ ) {
(4)       if (&User-Name =~ /@.*@/ )  -> FALSE
(4)       if (&User-Name =~ /\.\./ ) {
(4)       if (&User-Name =~ /\.\./ )  -> FALSE
(4)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)       if (&User-Name =~ /\.$/)  {
(4)       if (&User-Name =~ /\.$/)   -> FALSE
(4)       if (&User-Name =~ /@\./)  {
(4)       if (&User-Name =~ /@\./)   -> FALSE
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent code Response (2) ID 6 length 144
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf
(4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf
(4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: TLS Length 134
(4) eap_peap: Length Included
(4) eap_peap: eaptls_verify returned 11
(4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
  TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache
(4) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(4)   EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xfcd853a7f8df4aafb400e9d91b88b168
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
(5)   User-Name = 'vdiuser001'
(5)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(5)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(5)   NAS-Port = 13
(5)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(5)   NAS-IP-Address = 10.70.1.1
(5)   NAS-Identifier = 'Cisco-WLC-5508'
(5)   Airespace-Wlan-Id = 9
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1300
(5)   NAS-Port-Type = Wireless-802.11
(5)   Tunnel-Type:0 = VLAN
(5)   Tunnel-Medium-Type:0 = IEEE-802
(5)   Tunnel-Private-Group-Id:0 = '212'
(5)   EAP-Message = 0x020700061900
(5)   State = 0xfcd853a7f8df4aafb400e9d91b88b168
(5)   Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (!&User-Name) {
(5)       if (!&User-Name)  -> FALSE
(5)       if (&User-Name =~ / /) {
(5)       if (&User-Name =~ / /)  -> FALSE
(5)       if (&User-Name =~ /@.*@/ ) {
(5)       if (&User-Name =~ /@.*@/ )  -> FALSE
(5)       if (&User-Name =~ /\.\./ ) {
(5)       if (&User-Name =~ /\.\./ )  -> FALSE
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)       if (&User-Name =~ /\.$/)  {
(5)       if (&User-Name =~ /\.$/)   -> FALSE
(5)       if (&User-Name =~ /@\./)  {
(5)       if (&User-Name =~ /@\./)   -> FALSE
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent code Response (2) ID 7 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf
(5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf
(5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: Received TLS ACK
(5) eap_peap: Received TLS ACK
(5) eap_peap: ACK handshake is finished
(5) eap_peap: eaptls_verify returned 3
(5) eap_peap: eaptls_process returned 3
(5) eap_peap: FR_TLS_SUCCESS
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(5)   EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xfcd853a7f9d04aafb400e9d91b88b168
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
(6)   User-Name = 'vdiuser001'
(6)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(6)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(6)   NAS-Port = 13
(6)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(6)   NAS-IP-Address = 10.70.1.1
(6)   NAS-Identifier = 'Cisco-WLC-5508'
(6)   Airespace-Wlan-Id = 9
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1300
(6)   NAS-Port-Type = Wireless-802.11
(6)   Tunnel-Type:0 = VLAN
(6)   Tunnel-Medium-Type:0 = IEEE-802
(6)   Tunnel-Private-Group-Id:0 = '212'
(6)   EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138
(6)   State = 0xfcd853a7f9d04aafb400e9d91b88b168
(6)   Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (!&User-Name) {
(6)       if (!&User-Name)  -> FALSE
(6)       if (&User-Name =~ / /) {
(6)       if (&User-Name =~ / /)  -> FALSE
(6)       if (&User-Name =~ /@.*@/ ) {
(6)       if (&User-Name =~ /@.*@/ )  -> FALSE
(6)       if (&User-Name =~ /\.\./ ) {
(6)       if (&User-Name =~ /\.\./ )  -> FALSE
(6)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)       if (&User-Name =~ /\.$/)  {
(6)       if (&User-Name =~ /\.$/)   -> FALSE
(6)       if (&User-Name =~ /@\./)  {
(6)       if (&User-Name =~ /@\./)   -> FALSE
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent code Response (2) ID 8 length 43
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf
(6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf
(6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: eaptls_verify returned 7
(6) eap_peap: Done initial handshake
(6) eap_peap: eaptls_process returned 7
(6) eap_peap: FR_TLS_OK
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - vdiuser001
(6) eap_peap: Got inner identity 'vdiuser001'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap: Setting User-Name to vdiuser001
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0208000f0176646975736572303031
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = 'vdiuser001'
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0208000f0176646975736572303031
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = 'vdiuser001'
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent code Response (2) ID 8 length 15
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = EAP
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent method Identity (1)
(6) eap: Calling eap_mschapv2 to process EAP data
(6) eap_mschapv2: Issuing Challenge
(6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x6a2b492e6a22538fe503884f9d44e7ff
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(6)   EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xfcd853a7fad14aafb400e9d91b88b168
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344
(7)   User-Name = 'vdiuser001'
(7)   Calling-Station-Id = '00-c0-a8-c6-d7-79'
(7)   Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
(7)   NAS-Port = 13
(7)   Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
(7)   NAS-IP-Address = 10.70.1.1
(7)   NAS-Identifier = 'Cisco-WLC-5508'
(7)   Airespace-Wlan-Id = 9
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1300
(7)   NAS-Port-Type = Wireless-802.11
(7)   Tunnel-Type:0 = VLAN
(7)   Tunnel-Medium-Type:0 = IEEE-802
(7)   Tunnel-Private-Group-Id:0 = '212'
(7)   EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce
(7)   State = 0xfcd853a7fad14aafb400e9d91b88b168
(7)   Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (!&User-Name) {
(7)       if (!&User-Name)  -> FALSE
(7)       if (&User-Name =~ / /) {
(7)       if (&User-Name =~ / /)  -> FALSE
(7)       if (&User-Name =~ /@.*@/ ) {
(7)       if (&User-Name =~ /@.*@/ )  -> FALSE
(7)       if (&User-Name =~ /\.\./ ) {
(7)       if (&User-Name =~ /\.\./ )  -> FALSE
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)       if (&User-Name =~ /\.$/)  {
(7)       if (&User-Name =~ /\.$/)   -> FALSE
(7)       if (&User-Name =~ /@\./)  {
(7)       if (&User-Name =~ /@\./)   -> FALSE
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent code Response (2) ID 9 length 107
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
(7) eap: Finished EAP session with state 0xfcd853a7fad14aaf
(7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP type MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7) eap_peap: Setting User-Name to vdiuser001
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = 'vdiuser001'
(7) eap_peap:   State = 0x6a2b492e6a22538fe503884f9d44e7ff
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = 'vdiuser001'
(7)   State = 0x6a2b492e6a22538fe503884f9d44e7ff
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent code Response (2) ID 9 length 69
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql:    --> vdiuser001
(7) sql: SQL-User-Name set to 'vdiuser001'
rlm_sql (sql): Reserved connection (0)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Closing connection (1), from 1 unused connections
rlm_sql_mysql: Socket destructor called, closing socket
(7)       [sql] = notfound
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (sAMAccountName=vdiuser001)
(7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Closing connection (1), from 1 unused connections
(7)       [ldap] = ok
(7)       if (control:Ldap-UserDn =~ /OU=EDU/) {
(7)       if (control:Ldap-UserDn =~ /OU=EDU/)  -> FALSE
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/) {
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  -> TRUE
(7)       elsif (control:Ldap-UserDn =~ /OU=PRS/)  {
(7)         update control {
(7)           Simultaneous-Use := 3
(7)         } # update control = noop
(7)         update outer.session-state {
(7)           Tunnel-type = VLAN
(7)           Tunnel-medium-type = IEEE-802
(7)           Tunnel-Private-Group-Id = PRS-WIFI-Client
(7)         } # update outer.session-state = noop
(7)       } # elsif (control:Ldap-UserDn =~ /OU=PRS/)  = noop
(7)       ... skipping elsif for request 7: Preceding "if" was taken
(7)       ... skipping else for request 7: Preceding "if" was taken
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = EAP
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
(7) eap: Finished EAP session with state 0x6a2b492e6a22538f
(7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list
(7) eap: Peer sent method MSCHAPv2 (26)
(7) eap: EAP MSCHAPv2 (26)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2:   Auth-Type MS-CHAP {
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:

(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap:    --> --username=vdiuser001
(7) mschap: Creating challenge hash with username: vdiuser001
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap:    --> --challenge=9f432e6abc4ec74e
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap:    --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0
(7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'
(7) mschap: ERROR: Must change password (0xc0000224)
(7) mschap: Password has expired.  The user should retry authentication
(7)     [mschap] = reject
(7)   } # Auth-Type MS-CHAP = reject
(7) MSCHAP-Error:       E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired
(7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d
(7) ERROR: MSCHAP Failure
(7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x6a2b492e6b21538fe503884f9d44e7ff
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7)   Tunnel-Type = VLAN
(7)   Tunnel-Medium-Type = IEEE-802
(7)   Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
(7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
(7)   EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xfcd853a7fbd24aafb400e9d91b88b168
(7) Finished request

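The inner-tunnel reply in request (7) above carries the MS-CHAPv2 Failure in the clear (only the outer PEAP copy is TLS-wrapped), so it can be decoded offline. The Python below is an added example, not code from the original post or from FreeRADIUS: it decodes the EAP-Message hex copied from the "Virtual server sending reply" line, splits the RFC 2759 section 6 failure string into typed fields, and rebuilds the packet to confirm the encoding. The EAP-MSCHAPv2 opcodes come from draft-kamath-pppext-eap-mschapv2; the function names (`decode_eap_mschapv2`, `build_failure_packet`, `client_should_change_password`) are my own, not a FreeRADIUS API.

```python
"""Decode the EAP-MSCHAPv2 Failure FreeRADIUS sent in request (7).

Added example; not code from the post or from FreeRADIUS. Layout per
RFC 3748 (EAP header), draft-kamath-pppext-eap-mschapv2 (opcodes) and
RFC 2759 section 6 (Failure string "E=... R=... C=... V=... M=...").
"""
import re
import struct

EAP_REQUEST = 1
EAP_TYPE_MSCHAPV2 = 26
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS, OP_FAILURE, OP_CHANGE_PASSWORD = 1, 2, 3, 4, 7

# MS-CHAPv2 error codes (RFC 2759 section 6). ntlm_auth's NT status
# 0xc0000224 (STATUS_PASSWORD_MUST_CHANGE) was mapped to 648 in the log.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

FAILURE_RE = re.compile(
    r"^E=(?P<error>\d+) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32}) "
    r"V=(?P<version>\d+)(?: M=(?P<message>.*))?$"
)

# Copied verbatim from the inner-tunnel "Virtual server sending reply" line above.
LOG_EAP_MESSAGE = (
    "0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330"
    "383462373031366233356162343333363032306420563d33204d3d50617373776f72"
    "642045787069726564"
)


def parse_failure_string(text):
    """Split an RFC 2759 failure string into typed fields."""
    m = FAILURE_RE.match(text)
    if not m:
        raise ValueError(f"not an MS-CHAPv2 failure string: {text!r}")
    error = int(m["error"])
    return {
        "error": error,
        "error_name": MSCHAP_ERRORS.get(error, "UNKNOWN"),
        "retry_allowed": m["retry"] == "1",
        "new_challenge": bytes.fromhex(m["challenge"]),  # 16 bytes, used for Change-Password
        "version": int(m["version"]),
        "message": m["message"] or "",
    }


def decode_eap_mschapv2(hexstr):
    """Parse EAP header + EAP-MSCHAPv2 header; decode Failure and Challenge bodies."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 9:
        raise ValueError("too short for EAP + EAP-MSCHAPv2 headers")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", data[:5])
    if eap_len != len(data):
        raise ValueError(f"EAP length {eap_len} != {len(data)} bytes on the wire")
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"EAP type {eap_type} is not MSCHAPv2 (26)")
    opcode, ms_id, ms_len = struct.unpack("!BBH", data[5:9])
    if ms_len != eap_len - 5:
        raise ValueError(f"MS-Length {ms_len} inconsistent with EAP length {eap_len}")
    result = {"code": code, "id": eap_id, "opcode": opcode, "ms_id": ms_id}
    payload = data[9:]
    if opcode == OP_FAILURE:
        result.update(parse_failure_string(payload.decode("ascii")))
    elif opcode == OP_CHALLENGE:
        value_size = payload[0]
        result["challenge"] = payload[1:1 + value_size].hex()
        result["name"] = payload[1 + value_size:].decode("ascii", "replace")
    else:
        result["payload"] = payload.hex()
    return result


def build_failure_packet(eap_id, ms_id, error, retry, challenge, message, version=3):
    """Encode an EAP-Request/MSCHAPv2 Failure exactly as it appears in the log."""
    text = f"E={error} R={1 if retry else 0} C={challenge.hex()} V={version} M={message}"
    body = text.encode("ascii")
    ms = struct.pack("!BBH", OP_FAILURE, ms_id, 4 + len(body)) + body
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5 + len(ms), EAP_TYPE_MSCHAPV2) + ms


def client_should_change_password(decoded):
    """E=648 in a Failure is the signal for the peer to answer with a
    Change-Password (opcode 7) packet computed against the new challenge."""
    return decoded.get("opcode") == OP_FAILURE and decoded.get("error") == 648


def decode_log_packet():
    return decode_eap_mschapv2(LOG_EAP_MESSAGE)


if __name__ == "__main__":
    d = decode_log_packet()
    for k, v in d.items():
        print(f"{k:>14}: {v.hex() if isinstance(v, bytes) else v}")
    print("change-password expected:", client_should_change_password(d))
```

Decoding the log packet gives E=648 (ERROR_PASSWD_EXPIRED), R=1, V=3 and a fresh 16-byte challenge C, which is what a supplicant needs before it can send a Change-Password packet; the Access-Challenge at the end of request (7) is this same failure inside the PEAP TLS record, so that outer EAP-Message cannot be decoded from the log. Whether the client then shows a change-password dialog is the client's decision, not the server's.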
----------------------------------------
> From: richardvanderveen at outlook.com
> To: a.l.m.buxey at lboro.ac.uk
> Subject: RE: Pass change/expiry problem
> Date: Wed, 3 Jun 2015 15:34:45 +0200
>
> Thank you Alan for your response,
>
> After I changed to 3.0.9 I am not getting a pass change window on my laptop anymore... it just tells me that the username or password is incorrect. I still can authenticate successfully with a different user that has no expired password..
>
> (0) Received Access-Request Id 239 from 10.70.1.1:32770 to 10.10.10.3:1812 length 234
> (0) User-Name = 'vdiuser001'
> (0) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (0) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (0) NAS-Port = 13
> (0) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (0) NAS-IP-Address = 10.70.1.1
> (0) NAS-Identifier = 'Cisco-WLC-5508'
> (0) Airespace-Wlan-Id = 9
> (0) Service-Type = Framed-User
> (0) Framed-MTU = 1300
> (0) NAS-Port-Type = Wireless-802.11
> (0) Tunnel-Type:0 = VLAN
> (0) Tunnel-Medium-Type:0 = IEEE-802
> (0) Tunnel-Private-Group-Id:0 = '212'
> (0) EAP-Message = 0x0202000f0176646975736572303031
> (0) Message-Authenticator = 0x188f999c1ff661dbdf631889c89f601b
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (!&User-Name) {
> (0) if (!&User-Name) -> FALSE
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@.*@/ ) {
> (0) if (&User-Name =~ /@.*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent code Response (2) ID 2 length 15
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent method Identity (1)
> (0) eap: Calling eap_peap to process EAP data
> (0) eap_peap: Flushing SSL sessions (of #0)
> (0) eap_peap: Initiate
> (0) eap_peap: Start returned 1
> (0) eap: EAP session adding &reply:State = 0xfcd853a7fcdb4aaf
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Sent Access-Challenge Id 239 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (0) EAP-Message = 0x010300061920
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 240 from 10.70.1.1:32770 to 10.10.10.3:1812 length 378
> (1) User-Name = 'vdiuser001'
> (1) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (1) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (1) NAS-Port = 13
> (1) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (1) NAS-IP-Address = 10.70.1.1
> (1) NAS-Identifier = 'Cisco-WLC-5508'
> (1) Airespace-Wlan-Id = 9
> (1) Service-Type = Framed-User
> (1) Framed-MTU = 1300
> (1) NAS-Port-Type = Wireless-802.11
> (1) Tunnel-Type:0 = VLAN
> (1) Tunnel-Medium-Type:0 = IEEE-802
> (1) Tunnel-Private-Group-Id:0 = '212'
> (1) EAP-Message = 0x0203008d198000000083160301007e0100007a0301556f007139e2ef5fa810877430d9d30e669ea446efcc04237015dc29d6f6e88f20b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab270018c014c0130035002fc00ac00900380032000a00130005000401000019ff0100
> (1) State = 0xfcd853a7fcdb4aafb400e9d91b88b168
> (1) Message-Authenticator = 0xc71382cba8adc5f62dd1d52c1f94eabd
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (!&User-Name) {
> (1) if (!&User-Name) -> FALSE
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@.*@/ ) {
> (1) if (&User-Name =~ /@.*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent code Response (2) ID 3 length 141
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xfcd853a7fcdb4aaf
> (1) eap: Finished EAP session with state 0xfcd853a7fcdb4aaf
> (1) eap: Previous EAP request found for state 0xfcd853a7fcdb4aaf, released from the list
> (1) eap: Peer sent method PEAP (25)
> (1) eap: EAP PEAP (25)
> (1) eap: Calling eap_peap to process EAP data
> (1) eap_peap: processing EAP-TLS
> (1) eap_peap: TLS Length 131
> (1) eap_peap: Length Included
> (1) eap_peap: eaptls_verify returned 11
> (1) eap_peap: (other): before/accept initialization
> (1) eap_peap: TLS_accept: before/accept initialization
> (1) eap_peap: <<< TLS 1.0 Handshake [length 007e], ClientHello
> SSL: Client requested cached session b48510af5eef4cad8b2d52382a9b8c9d69d2f5b409db03c2f576067eea76ab27
> (1) eap_peap: TLS_accept: SSLv3 read client hello A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 0059], ServerHello
> (1) eap_peap: TLS_accept: SSLv3 write server hello A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 08d0], Certificate
> (1) eap_peap: TLS_accept: SSLv3 write certificate A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (1) eap_peap: TLS_accept: SSLv3 write key exchange A
> (1) eap_peap:>>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1) eap_peap: TLS_accept: SSLv3 write server done A
> (1) eap_peap: TLS_accept: SSLv3 flush data
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (1) eap_peap: eaptls_process returned 13
> (1) eap_peap: FR_TLS_HANDLED
> (1) eap: EAP session adding &reply:State = 0xfcd853a7fddc4aaf
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) Sent Access-Challenge Id 240 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (1) EAP-Message = 0x010403ec19c000000a8c1603010059020000550301e33481638ab50505fd243d5f28281a03744290725fad8dda8caa9a4759feff2d20e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9c01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0xfcd853a7fddc4aafb400e9d91b88b168
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 241 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (2) User-Name = 'vdiuser001'
> (2) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (2) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (2) NAS-Port = 13
> (2) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (2) NAS-IP-Address = 10.70.1.1
> (2) NAS-Identifier = 'Cisco-WLC-5508'
> (2) Airespace-Wlan-Id = 9
> (2) Service-Type = Framed-User
> (2) Framed-MTU = 1300
> (2) NAS-Port-Type = Wireless-802.11
> (2) Tunnel-Type:0 = VLAN
> (2) Tunnel-Medium-Type:0 = IEEE-802
> (2) Tunnel-Private-Group-Id:0 = '212'
> (2) EAP-Message = 0x020400061900
> (2) State = 0xfcd853a7fddc4aafb400e9d91b88b168
> (2) Message-Authenticator = 0x69d10acc80d82e3a9c5aac64c3728ec0
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (!&User-Name) {
> (2) if (!&User-Name) -> FALSE
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@.*@/ ) {
> (2) if (&User-Name =~ /@.*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent code Response (2) ID 4 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0xfcd853a7fddc4aaf
> (2) eap: Finished EAP session with state 0xfcd853a7fddc4aaf
> (2) eap: Previous EAP request found for state 0xfcd853a7fddc4aaf, released from the list
> (2) eap: Peer sent method PEAP (25)
> (2) eap: EAP PEAP (25)
> (2) eap: Calling eap_peap to process EAP data
> (2) eap_peap: processing EAP-TLS
> (2) eap_peap: Received TLS ACK
> (2) eap_peap: Received TLS ACK
> (2) eap_peap: ACK handshake fragment handler
> (2) eap_peap: eaptls_verify returned 1
> (2) eap_peap: eaptls_process returned 13
> (2) eap_peap: FR_TLS_HANDLED
> (2) eap: EAP session adding &reply:State = 0xfcd853a7fedd4aaf
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) Sent Access-Challenge Id 241 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (2) EAP-Message = 0x010503e8194087d363ae51e9fa919a6062082c2ab782a717d7fede947271bcbe38ea3b9d04ee4cef44da92b58dfea437ba6764fd97950d4f99cb8e1b38b721f29b087ce94f71868ec5554e72d8d3a6f9a11c4108d6c8a7945c60f03a9991d841074df483c1574367aee17dbd11aaab0004e5308204e130
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0xfcd853a7fedd4aafb400e9d91b88b168
> (2) Finished request
> Waking up in 4.9 seconds.
> (3) Received Access-Request Id 242 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (3) User-Name = 'vdiuser001'
> (3) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (3) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (3) NAS-Port = 13
> (3) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (3) NAS-IP-Address = 10.70.1.1
> (3) NAS-Identifier = 'Cisco-WLC-5508'
> (3) Airespace-Wlan-Id = 9
> (3) Service-Type = Framed-User
> (3) Framed-MTU = 1300
> (3) NAS-Port-Type = Wireless-802.11
> (3) Tunnel-Type:0 = VLAN
> (3) Tunnel-Medium-Type:0 = IEEE-802
> (3) Tunnel-Private-Group-Id:0 = '212'
> (3) EAP-Message = 0x020500061900
> (3) State = 0xfcd853a7fedd4aafb400e9d91b88b168
> (3) Message-Authenticator = 0x0adea1512f939350fd4ac3a6ab9f2460
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (!&User-Name) {
> (3) if (!&User-Name) -> FALSE
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@.*@/ ) {
> (3) if (&User-Name =~ /@.*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent code Response (2) ID 5 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0xfcd853a7fedd4aaf
> (3) eap: Finished EAP session with state 0xfcd853a7fedd4aaf
> (3) eap: Previous EAP request found for state 0xfcd853a7fedd4aaf, released from the list
> (3) eap: Peer sent method PEAP (25)
> (3) eap: EAP PEAP (25)
> (3) eap: Calling eap_peap to process EAP data
> (3) eap_peap: processing EAP-TLS
> (3) eap_peap: Received TLS ACK
> (3) eap_peap: Received TLS ACK
> (3) eap_peap: ACK handshake fragment handler
> (3) eap_peap: eaptls_verify returned 1
> (3) eap_peap: eaptls_process returned 13
> (3) eap_peap: FR_TLS_HANDLED
> (3) eap: EAP session adding &reply:State = 0xfcd853a7ffde4aaf
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) Sent Access-Challenge Id 242 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (3) EAP-Message = 0x010602ce190020417574686f72697479820900cf57e5d1f44e11e4300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101001a21
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0xfcd853a7ffde4aafb400e9d91b88b168
> (3) Finished request
> Waking up in 4.9 seconds.
> (4) Received Access-Request Id 243 from 10.70.1.1:32770 to 10.10.10.3:1812 length 381
> (4) User-Name = 'vdiuser001'
> (4) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (4) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (4) NAS-Port = 13
> (4) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (4) NAS-IP-Address = 10.70.1.1
> (4) NAS-Identifier = 'Cisco-WLC-5508'
> (4) Airespace-Wlan-Id = 9
> (4) Service-Type = Framed-User
> (4) Framed-MTU = 1300
> (4) NAS-Port-Type = Wireless-802.11
> (4) Tunnel-Type:0 = VLAN
> (4) Tunnel-Medium-Type:0 = IEEE-802
> (4) Tunnel-Private-Group-Id:0 = '212'
> (4) EAP-Message = 0x020600901980000000861603010046100000424104659013060486276c41b5734d0c4799ba9d6cb700dabbbc6bfa68a9b3b0c3b237b6f7ee8c9a194b8a20645279d3c7e05b5a7ee14383257f83eadf85aab1fc7d0d140301000101160301003042a06361b3cb896ea1b0476e10371b8eed883122419379
> (4) State = 0xfcd853a7ffde4aafb400e9d91b88b168
> (4) Message-Authenticator = 0x3674700353af1563ff78522ff0bf447d
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (!&User-Name) {
> (4) if (!&User-Name) -> FALSE
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@.*@/ ) {
> (4) if (&User-Name =~ /@.*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent code Response (2) ID 6 length 144
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xfcd853a7ffde4aaf
> (4) eap: Finished EAP session with state 0xfcd853a7ffde4aaf
> (4) eap: Previous EAP request found for state 0xfcd853a7ffde4aaf, released from the list
> (4) eap: Peer sent method PEAP (25)
> (4) eap: EAP PEAP (25)
> (4) eap: Calling eap_peap to process EAP data
> (4) eap_peap: processing EAP-TLS
> (4) eap_peap: TLS Length 134
> (4) eap_peap: Length Included
> (4) eap_peap: eaptls_verify returned 11
> (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (4) eap_peap: TLS_accept: SSLv3 read client key exchange A
> (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
> (4) eap_peap: TLS_accept: SSLv3 read finished A
> (4) eap_peap:>>> TLS 1.0 ChangeCipherSpec [length 0001]
> (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
> (4) eap_peap:>>> TLS 1.0 Handshake [length 0010], Finished
> (4) eap_peap: TLS_accept: SSLv3 write finished A
> (4) eap_peap: TLS_accept: SSLv3 flush data
> TLS: adding session e43d8045ba796d2e07fef583a7bcf15886ba3822b31a075eca43b74aab2086c9 to cache
> (4) eap_peap: (other): SSL negotiation finished successfully
> SSL Connection Established
> (4) eap_peap: eaptls_process returned 13
> (4) eap_peap: FR_TLS_HANDLED
> (4) eap: EAP session adding &reply:State = 0xfcd853a7f8df4aaf
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) Sent Access-Challenge Id 243 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (4) EAP-Message = 0x0107004119001403010001011603010030805396c196ecd0cfbcdf4262de648ff5c61404e719706e413e8c67f9169d03f6075a93a6402c6cb3df2681c909c13ca5
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0xfcd853a7f8df4aafb400e9d91b88b168
> (4) Finished request
> Waking up in 4.9 seconds.
> (5) Received Access-Request Id 244 from 10.70.1.1:32770 to 10.10.10.3:1812 length 243
> (5) User-Name = 'vdiuser001'
> (5) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (5) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (5) NAS-Port = 13
> (5) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (5) NAS-IP-Address = 10.70.1.1
> (5) NAS-Identifier = 'Cisco-WLC-5508'
> (5) Airespace-Wlan-Id = 9
> (5) Service-Type = Framed-User
> (5) Framed-MTU = 1300
> (5) NAS-Port-Type = Wireless-802.11
> (5) Tunnel-Type:0 = VLAN
> (5) Tunnel-Medium-Type:0 = IEEE-802
> (5) Tunnel-Private-Group-Id:0 = '212'
> (5) EAP-Message = 0x020700061900
> (5) State = 0xfcd853a7f8df4aafb400e9d91b88b168
> (5) Message-Authenticator = 0x75def782b74b9f6aaae4b726602f9eae
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (!&User-Name) {
> (5) if (!&User-Name) -> FALSE
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@.*@/ ) {
> (5) if (&User-Name =~ /@.*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent code Response (2) ID 7 length 6
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0xfcd853a7f8df4aaf
> (5) eap: Finished EAP session with state 0xfcd853a7f8df4aaf
> (5) eap: Previous EAP request found for state 0xfcd853a7f8df4aaf, released from the list
> (5) eap: Peer sent method PEAP (25)
> (5) eap: EAP PEAP (25)
> (5) eap: Calling eap_peap to process EAP data
> (5) eap_peap: processing EAP-TLS
> (5) eap_peap: Received TLS ACK
> (5) eap_peap: Received TLS ACK
> (5) eap_peap: ACK handshake is finished
> (5) eap_peap: eaptls_verify returned 3
> (5) eap_peap: eaptls_process returned 3
> (5) eap_peap: FR_TLS_SUCCESS
> (5) eap_peap: Session established. Decoding tunneled attributes
> (5) eap_peap: PEAP state TUNNEL ESTABLISHED
> (5) eap: EAP session adding &reply:State = 0xfcd853a7f9d04aaf
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) Sent Access-Challenge Id 244 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (5) EAP-Message = 0x0108002b19001703010020e9acf4878f2cf9c9c79de729087ad3e19b253b8c0e50b1c26443853c5c984637
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0xfcd853a7f9d04aafb400e9d91b88b168
> (5) Finished request
> Waking up in 4.9 seconds.
> (6) Received Access-Request Id 245 from 10.70.1.1:32770 to 10.10.10.3:1812 length 280
> (6) User-Name = 'vdiuser001'
> (6) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (6) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (6) NAS-Port = 13
> (6) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (6) NAS-IP-Address = 10.70.1.1
> (6) NAS-Identifier = 'Cisco-WLC-5508'
> (6) Airespace-Wlan-Id = 9
> (6) Service-Type = Framed-User
> (6) Framed-MTU = 1300
> (6) NAS-Port-Type = Wireless-802.11
> (6) Tunnel-Type:0 = VLAN
> (6) Tunnel-Medium-Type:0 = IEEE-802
> (6) Tunnel-Private-Group-Id:0 = '212'
> (6) EAP-Message = 0x0208002b190017030100204283191b2685faf2b92c873c8c3972380e81ab3a78cc797b6518e8af45963138
> (6) State = 0xfcd853a7f9d04aafb400e9d91b88b168
> (6) Message-Authenticator = 0x36d173beae56175a27434016ac0a82cb
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (!&User-Name) {
> (6) if (!&User-Name) -> FALSE
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@.*@/ ) {
> (6) if (&User-Name =~ /@.*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /@\./) {
> (6) if (&User-Name =~ /@\./) -> FALSE
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent code Response (2) ID 8 length 43
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0xfcd853a7f9d04aaf
> (6) eap: Finished EAP session with state 0xfcd853a7f9d04aaf
> (6) eap: Previous EAP request found for state 0xfcd853a7f9d04aaf, released from the list
> (6) eap: Peer sent method PEAP (25)
> (6) eap: EAP PEAP (25)
> (6) eap: Calling eap_peap to process EAP data
> (6) eap_peap: processing EAP-TLS
> (6) eap_peap: eaptls_verify returned 7
> (6) eap_peap: Done initial handshake
> (6) eap_peap: eaptls_process returned 7
> (6) eap_peap: FR_TLS_OK
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (6) eap_peap: Identity - vdiuser001
> (6) eap_peap: Got inner identity 'vdiuser001'
> (6) eap_peap: Setting default EAP type for tunneled EAP session
> (6) eap_peap: Got tunneled request
> (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
> (6) eap_peap: Setting User-Name to vdiuser001
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap: EAP-Message = 0x0208000f0176646975736572303031
> (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap: User-Name = 'vdiuser001'
> (6) Virtual server inner-tunnel received request
> (6) EAP-Message = 0x0208000f0176646975736572303031
> (6) FreeRADIUS-Proxied-To = 127.0.0.1
> (6) User-Name = 'vdiuser001'
> (6) server inner-tunnel {
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (6) authorize {
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) update control {
> (6) &Proxy-To-Realm := LOCAL
> (6) } # update control = noop
> (6) eap: Peer sent code Response (2) ID 8 length 15
> (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) authenticate {
> (6) eap: Peer sent method Identity (1)
> (6) eap: Calling eap_mschapv2 to process EAP data
> (6) eap_mschapv2: Issuing Challenge
> (6) eap: EAP session adding &reply:State = 0x6a2b492e6a22538f
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6) EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled reply code 11
> (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled reply RADIUS code 11
> (6) eap_peap: EAP-Message = 0x0109002a1a01090025107dea2c3598e93665587b4dba43189cfa667265657261646975732d332e302e39
> (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (6) eap_peap: Got tunneled Access-Challenge
> (6) eap: EAP session adding &reply:State = 0xfcd853a7fad14aaf
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) Sent Access-Challenge Id 245 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (6) EAP-Message = 0x0109004b190017030100406a3b46095fb10b93a11e13b5e74fc5eac154270b5a9ef8fdfb482c1dab2a759a4872e47dec1beaf306303e2a07d5e762b3381999cc96604175fe9c6adf84eab2
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0xfcd853a7fad14aafb400e9d91b88b168
> (6) Finished request
> Waking up in 4.9 seconds.
> (7) Received Access-Request Id 246 from 10.70.1.1:32770 to 10.10.10.3:1812 length 344
> (7) User-Name = 'vdiuser001'
> (7) Calling-Station-Id = '00-c0-a8-c6-d7-79'
> (7) Called-Station-Id = 'a0-cf-5b-ca-a7-c0:Test'
> (7) NAS-Port = 13
> (7) Cisco-AVPair = 'audit-session-id=0a46010100012114556eff78'
> (7) NAS-IP-Address = 10.70.1.1
> (7) NAS-Identifier = 'Cisco-WLC-5508'
> (7) Airespace-Wlan-Id = 9
> (7) Service-Type = Framed-User
> (7) Framed-MTU = 1300
> (7) NAS-Port-Type = Wireless-802.11
> (7) Tunnel-Type:0 = VLAN
> (7) Tunnel-Medium-Type:0 = IEEE-802
> (7) Tunnel-Private-Group-Id:0 = '212'
> (7) EAP-Message = 0x0209006b19001703010060e3ebfd336d1c0bb5d36d68ac263e5e6d7f80e8a1e28be6bc752c0d06555b63f06367b0ca1803b17f092d89c35ce418ecce8b1425853a3dd6ccd16a292e80e46a1ecc98ba53222a0c1cccc827075993197807413d5778b2712ce2ad3eae35d7ce
> (7) State = 0xfcd853a7fad14aafb400e9d91b88b168
> (7) Message-Authenticator = 0x4c9a2819e43b37c8eadf9473681308a2
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (!&User-Name) {
> (7) if (!&User-Name) -> FALSE
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@.*@/ ) {
> (7) if (&User-Name =~ /@.*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent code Response (2) ID 9 length 107
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
> (7) eap: Finished EAP session with state 0xfcd853a7fad14aaf
> (7) eap: Previous EAP request found for state 0xfcd853a7fad14aaf, released from the list
> (7) eap: Peer sent method PEAP (25)
> (7) eap: EAP PEAP (25)
> (7) eap: Calling eap_peap to process EAP data
> (7) eap_peap: processing EAP-TLS
> (7) eap_peap: eaptls_verify returned 7
> (7) eap_peap: Done initial handshake
> (7) eap_peap: eaptls_process returned 7
> (7) eap_peap: FR_TLS_OK
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state phase2
> (7) eap_peap: EAP type MSCHAPv2 (26)
> (7) eap_peap: Got tunneled request
> (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) eap_peap: Setting User-Name to vdiuser001
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap: EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap: User-Name = 'vdiuser001'
> (7) eap_peap: State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x020900451a0209004031f720f64e114a568afc3428e187fef2d20000000000000000bcae7bc9d2c22a1291791a130d422a537209282de03718a00076646975736572303031
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = 'vdiuser001'
> (7) State = 0x6a2b492e6a22538fe503884f9d44e7ff
> (7) server inner-tunnel {
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authorize {
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "vdiuser001", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent code Response (2) ID 9 length 69
> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
> (7) [eap] = updated
> (7) [files] = noop
> (7) sql: EXPAND %{User-Name}
> (7) sql: --> vdiuser001
> (7) sql: SQL-User-Name set to 'vdiuser001'
> rlm_sql (sql): Reserved connection (0)
> (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
> (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vdiuser001' ORDER BY id
> (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
> (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'vdiuser001' ORDER BY priority
> (7) sql: User not found in any groups
> rlm_sql (sql): Released connection (0)
> rlm_sql (sql): Closing connection (1), from 1 unused connections
> rlm_sql_mysql: Socket destructor called, closing socket
> (7) [sql] = notfound
> rlm_ldap (ldap): Reserved connection (0)
> (7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
> (7) ldap: --> (sAMAccountName=vdiuser001)
> (7) ldap: Performing search in "ou=_TerAA_Users,dc=teraa,dc=local" with filter "(sAMAccountName=vdiuser001)", scope "sub"
> (7) ldap: Waiting for search result...
> (7) ldap: User object found at DN "CN=VDIuser001,OU=VDI,OU=PRS,OU=_TerAA_Users,DC=teraa,DC=local"
> (7) ldap: Processing user attributes
> (7) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
> (7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> rlm_ldap (ldap): Closing connection (1), from 1 unused connections
> (7) [ldap] = ok
> (7) if (control:Ldap-UserDn =~ /OU=EDU/) {
> (7) if (control:Ldap-UserDn =~ /OU=EDU/) -> FALSE
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) -> TRUE
> (7) elsif (control:Ldap-UserDn =~ /OU=PRS/) {
> (7) update control {
> (7) Simultaneous-Use := 3
> (7) } # update control = noop
> (7) update outer.session-state {
> (7) Tunnel-type = VLAN
> (7) Tunnel-medium-type = IEEE-802
> (7) Tunnel-Private-Group-Id = PRS-WIFI-Client
> (7) } # update outer.session-state = noop
> (7) } # elsif (control:Ldap-UserDn =~ /OU=PRS/) = noop
> (7) ... skipping elsif for request 7: Preceding "if" was taken
> (7) ... skipping else for request 7: Preceding "if" was taken
> (7) [expiration] = noop
> (7) [logintime] = noop
> (7) [pap] = noop
> (7) } # authorize = updated
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x6a2b492e6a22538f
> (7) eap: Finished EAP session with state 0x6a2b492e6a22538f
> (7) eap: Previous EAP request found for state 0x6a2b492e6a22538f, released from the list
> (7) eap: Peer sent method MSCHAPv2 (26)
> (7) eap: EAP MSCHAPv2 (26)
> (7) eap: Calling eap_mschapv2 to process EAP data
> (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) eap_mschapv2: Auth-Type MS-CHAP {
> (7) mschap: Creating challenge hash with username: vdiuser001
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
>
> (7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (7) mschap: --> --username=vdiuser001
> (7) mschap: Creating challenge hash with username: vdiuser001
> (7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (7) mschap: --> --challenge=9f432e6abc4ec74e
> (7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (7) mschap: --> --nt-response=bcae7bc9d2c22a1291791a130d422a537209282de03718a0
> (7) mschap: ERROR: Program returned code (1) and output 'Must change password (0xc0000224)'
> (7) mschap: ERROR: Must change password (0xc0000224)
> (7) mschap: Password has expired. The user should retry authentication
> (7) [mschap] = reject
> (7) } # Auth-Type MS-CHAP = reject
> (7) MSCHAP-Error: E=648 R=1 C=00063b49e7c084b7016b35ab4336020d V=3 M=Password Expired
> (7) Found new challenge from MS-CHAP-Error: err=648 retry=1 challenge=00063b49e7c084b7016b35ab4336020d
> (7) ERROR: MSCHAP Failure
> (7) eap: EAP session adding &reply:State = 0x6a2b492e6b21538f
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap: EAP-Message = 0x010a004c1a04090047453d36343820523d3120433d303030363362343965376330383462373031366233356162343333363032306420563d33204d3d50617373776f72642045787069726564
> (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap: State = 0x6a2b492e6b21538fe503884f9d44e7ff
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: EAP session adding &reply:State = 0xfcd853a7fbd24aaf
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) session-state: Saving cached attributes
> (7) Tunnel-Type = VLAN
> (7) Tunnel-Medium-Type = IEEE-802
> (7) Tunnel-Private-Group-Id = 'PRS-WIFI-Client'
> (7) Sent Access-Challenge Id 246 from 10.10.10.3:1812 to 10.70.1.1:32770 length 0
> (7) EAP-Message = 0x010a006b19001703010060b3897a1c79b4063ee3eea85ec0eb5b1ffef302d6c90c1819ac828808598205d33c2dbad5a1af49ff0f8add5f0cb05a598bdae558b2e839b44204ac2b0fbc80437323b4f46871add958ea20f13a19e66bb6c2402389e445ba3305ffea4be0b16b
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xfcd853a7fbd24aafb400e9d91b88b168
> (7) Finished request
>
> ________________________________
>> Subject: Re: Pass change/expiry problem
>> From: A.L.M.Buxey at lboro.ac.uk
>> Date: Wed, 3 Jun 2015 08:20:33 +0100
>> To: freeradius-users at lists.freeradius.org;
>> richardvanderveen at outlook.com; freeradius-users at lists.freeradius.org
>>
>> I seem to recall a very recent change related to that feature. Can you
>> try the latest pre 3.0.9 release (get it via git)?
>>
>> alan
>
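To read the rejection in request (7) from the packet itself rather than the surrounding log text, here is an added Python example (not from this thread and not FreeRADIUS code) that decodes the tunneled EAP-MSCHAPv2 Failure Request shown as EAP-Message in the (7) reply; the error-code names are the ones listed in RFC 2759 section 6, and the parsing functions are my own naming.

```python
# Added example: decode the EAP-MSCHAPv2 Failure Request that the
# inner-tunnel sent back in request (7) above, so the E=/R=/C=/V=/M=
# fields can be checked without reading them off the debug output.
import re
import struct

# Failure codes from RFC 2759 section 6 (MS-CHAP-V2 Failure packet).
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=cccc...cccc V=vvvvvvvvvv M=<msg>" as defined in RFC 2759.
FAILURE_RE = re.compile(
    r"^E=(?P<err>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9a-fA-F]{32})"
    r" V=(?P<ver>\d+)(?: M=(?P<msg>.*))?$"
)

# EAP-Message taken verbatim from the (7) "Virtual server sending reply" above.
FAILURE_FROM_LOG = (
    "0x010a004c1a04090047453d36343820523d3120433d3030303633623439653763"
    "303834623730313662333561623433333630323064"
    "20563d33204d3d50617373776f72642045787069726564"
)


def parse_failure_message(text):
    """Parse the textual failure string; R=1 means the peer may retry."""
    m = FAILURE_RE.match(text)
    if not m:
        raise ValueError("not an MS-CHAPv2 failure message: %r" % text)
    err = int(m.group("err"))
    return {
        "error": err,
        "error_name": MSCHAPV2_ERRORS.get(err, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": bytes.fromhex(m.group("chal")),
        "version": int(m.group("ver")),
        "message": m.group("msg") or "",
    }


def decode_eap_mschapv2_failure(hexstr):
    """Decode an EAP Request (code 1) carrying EAP-MSCHAPv2 opcode 4 (Failure)."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, eap_id, eap_len = struct.unpack("!BBH", pkt[:4])
    if code != 1 or eap_len != len(pkt):
        raise ValueError("not a well-formed EAP Request")
    eap_type, opcode, ms_id, ms_len = struct.unpack("!BBBH", pkt[4:9])
    if eap_type != 26 or opcode != 4:
        raise ValueError("not an EAP-MSCHAPv2 Failure packet")
    # MS-Length covers opcode, MS-CHAPv2-ID, MS-Length and the message.
    if ms_len != eap_len - 5:
        raise ValueError("MS-Length does not match EAP length")
    info = parse_failure_message(pkt[9:].decode("ascii"))
    info.update({"eap_id": eap_id, "mschapv2_id": ms_id})
    return info
```

For the packet in the log this yields error 648 (ERROR_PASSWD_EXPIRED) with the retry flag set, which is what a supplicant needs in order to offer a password change instead of reporting a plain credential failure.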