Attribute NOT being returned in Access-Accept but is returned in Access-Challenge
Jake He
jake.he at gmail.com
Fri Jun 26 05:38:49 CEST 2015
Here is the debug output:
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 241 from 203.59.132.253:38386 to
172.17.0.68:1812 length 222
(0) Service-Type = Framed-User
(0) Framed-MTU = 1400
(0) User-Name = 'jake'
(0) NAS-Port-Id = 'wlan4'
(0) NAS-Port-Type = Wireless-802.11
(0) Acct-Session-Id = '82200019'
(0) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(0) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(0) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(0) EAP-Message = 0x02000009016a616b65
(0) Message-Authenticator = 0x0942bb06979bc2c6859785baa97efea0
(0) NAS-Identifier = 'MikroTik'
(0) NAS-IP-Address = 10.1.1.23
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "jake", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent code Response (2) ID 0 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent method Identity (1)
(0) eap: Calling eap_md5 to process EAP data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: EAP session adding &reply:State = 0x2ae8af442ae9ab52
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 241 from 172.17.0.68:1812 to
203.59.132.253:38386 length 0
(0) EAP-Message = 0x010100160410e9962633c394d82e8af727f23160824c
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x2ae8af442ae9ab526f505f86b4932430
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 242 from 203.59.132.253:44270 to
172.17.0.68:1812 length 237
(1) Service-Type = Framed-User
(1) Framed-MTU = 1400
(1) User-Name = 'jake'
(1) State = 0x2ae8af442ae9ab526f505f86b4932430
(1) NAS-Port-Id = 'wlan4'
(1) NAS-Port-Type = Wireless-802.11
(1) Acct-Session-Id = '82200019'
(1) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(1) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) EAP-Message = 0x020100060319
(1) Message-Authenticator = 0x23c1df8ed8c64f231b0e8b9a5c48c798
(1) NAS-Identifier = 'MikroTik'
(1) NAS-IP-Address = 10.1.1.23
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jake", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent code Response (2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) sql: EXPAND %{User-Name}
(1) sql: --> jake
(1) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'jake' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'jake' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Cleartext-Password := 'fheman123'
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'jake' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'jake' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake'
ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'jake' ORDER BY priority
(1) sql: User found in the group table
(1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Group "14kimberleyst": Conditional check items matched
(1) sql: Group "14kimberleyst": Merging assignment check items
(1) sql: Reset-Date := '13'
(1) sql: Total-Bytes := '999999999999999999'
(1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(1) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(1) sql: Group "14kimberleyst": Merging reply items
(1) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(1) [sql] = ok
(1) policy site-restriction {
(1) update request {
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SET @user = 'jake'; SET @nasmac =
'02-0C-42-B7-A9-5E:GRACE UPON GRACE'; SELECT COUNT(*) FROM (SELECT
radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON
radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND
`radusergroup`.`username` = @user UNION ALL SELECT
radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON
radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON
nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND
`radusergroup`.`username` = @user) as a
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SET @user = '%{User-Name}'; SET @nasmac =
'%{request:Called-Station-Id}'; SELECT COUNT(*) FROM (SELECT
radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON
radsitegroup.groupname=radusergroup.groupname WHERE nasshortname='ALL' AND
`radusergroup`.`username` = @user UNION ALL SELECT
radsitegroup.nasshortname FROM `radsitegroup` INNER JOIN `radusergroup` ON
radsitegroup.groupname=radusergroup.groupname INNER JOIN `nas` ON
nas.shortname=radsitegroup.nasshortname WHERE nas.nasidentifier=@nasmac AND
`radusergroup`.`username` = @user) as a}
(1) --> 1
(1) Site := 1
(1) } # update request = noop
(1) if ( Site == '0' ) {
(1) if ( Site == '0' ) -> FALSE
(1) } # policy site-restriction = noop
(1) policy data-restriction {
(1) if ((control:Total-Bytes)){
(1) if ((control:Total-Bytes)) -> TRUE
(1) if ((control:Total-Bytes)) {
(1) update control {
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SET @reset_date = '13'; SELECT
IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM `radacct` WHERE
UserName='jake' AND DATE(`acctstarttime`) BETWEEN (CASE WHEN @reset_date >
DAYOFMONTH(NOW()) THEN DATE( DATE_SUB( CONCAT( YEAR( NOW( ) ) , '-', MONTH(
NOW( ) ) , '-', @reset_date ) , INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR(
NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date )END) AND DATE(NOW());
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SET @reset_date = '%{control:Reset-Date}';
SELECT IFNULL((sum(acctinputoctets)+sum(acctoutputoctets)),0) FROM
`radacct` WHERE UserName='%{request:User-Name}' AND DATE(`acctstarttime`)
BETWEEN (CASE WHEN @reset_date > DAYOFMONTH(NOW()) THEN DATE( DATE_SUB(
CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) , '-', @reset_date ) ,
INTERVAL 1 MONTH ) ) ELSE CONCAT( YEAR( NOW( ) ) , '-', MONTH( NOW( ) ) ,
'-', @reset_date )END) AND DATE(NOW());}
(1) --> 154996
(1) Used-Bytes := 154996
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `email` FROM `users` WHERE
`username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `email` FROM `users` WHERE `username` =
'%{request:User-Name}'}
(1) --> zhex900 at gmail.com
(1) Email := zhex900 at gmail.com
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `sentmail` FROM `users` WHERE
`username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `sentmail` FROM `users` WHERE `username`
= '%{request:User-Name}'}
(1) --> 0
(1) Sent-Mail := 0
(1) EXPAND %{User-Name}
(1) --> jake
(1) SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(1) Executing select query: SELECT `mobile_suffix` FROM `users`
WHERE `username` = 'jake'
rlm_sql (sql): Released connection (4)
(1) EXPAND %{sql:SELECT `mobile_suffix` FROM `users` WHERE
`username` = '%{request:User-Name}'}
(1) --> 0433169153
(1) Mobile := 0433169153
(1) } # update control = noop
(1) sendmsg: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake'
(1) sendmsg: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address ->
'10.1.1.23'
(1) sendmsg: $RAD_REQUEST{'Service-Type'} = &request:Service-Type ->
'Framed-User'
(1) sendmsg: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1400'
(1) sendmsg: $RAD_REQUEST{'State'} = &request:State ->
'0x2ae8af442ae9ab526f505f86b4932430'
(1) sendmsg: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) sendmsg: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24'
(1) sendmsg: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier ->
'MikroTik'
(1) sendmsg: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type ->
'Wireless-802.11'
(1) sendmsg: $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id
-> '82200019'
(1) sendmsg: $RAD_REQUEST{'Acct-Multi-Session-Id'} =
&request:Acct-Multi-Session-Id ->
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) sendmsg: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp
-> 'Jun 26 2015 03:36:51 UTC'
(1) sendmsg: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message ->
'0x020100060319'
(1) sendmsg: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) sendmsg: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> 'wlan4'
(1) sendmsg: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK'
(1) sendmsg: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name ->
'jake'
(1) sendmsg: $RAD_REQUEST{'Site'} = &request:Site -> '1'
(1) sendmsg: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout ->
'10800'
(1) sendmsg: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) sendmsg: $RAD_CHECK{'Cleartext-Password'} =
&control:Cleartext-Password -> 'fheman123'
(1) sendmsg: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes ->
'999999999999999999'
(1) sendmsg: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) sendmsg: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13'
(1) sendmsg: $RAD_CHECK{'Email'} = &control:Email -> 'zhex900 at gmail.com'
(1) sendmsg: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) sendmsg: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153'
(1) sendmsg: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) sendmsg: $RAD_CONFIG{'Cleartext-Password'} =
&control:Cleartext-Password -> 'fheman123'
(1) sendmsg: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes ->
'999999999999999999'
(1) sendmsg: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes -> '154996'
(1) sendmsg: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13'
(1) sendmsg: $RAD_CONFIG{'Email'} = &control:Email -> 'zhex900 at gmail.com'
(1) sendmsg: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) sendmsg: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153'
(1) sendmsg: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(1) sendmsg: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} ->
'Jun 26 2015 03:36:51 UTC'
(1) sendmsg: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Framed-User'
(1) sendmsg: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24'
(1) sendmsg: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake'
(1) sendmsg: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK'
(1) sendmsg: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) sendmsg: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} ->
'Wireless-802.11'
(1) sendmsg: &request:Acct-Multi-Session-Id =
$RAD_REQUEST{'Acct-Multi-Session-Id'} ->
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) sendmsg: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} ->
'jake'
(1) sendmsg: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'}
-> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) sendmsg: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
'10.1.1.23'
(1) sendmsg: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'} ->
'82200019'
(1) sendmsg: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} -> 'wlan4'
(1) sendmsg: &request:Site = $RAD_REQUEST{'Site'} -> '1'
(1) sendmsg: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} ->
'0x020100060319'
(1) sendmsg: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} ->
'MikroTik'
(1) sendmsg: &request:State = $RAD_REQUEST{'State'} ->
'0x2ae8af442ae9ab526f505f86b4932430'
(1) sendmsg: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} ->
'10800'
(1) sendmsg: &control:Cleartext-Password = $RAD_CHECK{'Cleartext-Password'}
-> 'fheman123'
(1) sendmsg: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153'
(1) sendmsg: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13'
(1) sendmsg: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0'
(1) sendmsg: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} ->
'999999999999999999'
(1) sendmsg: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996'
(1) sendmsg: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP'
(1) sendmsg: &control:Email = $RAD_CHECK{'Email'} -> 'zhex900 at gmail.com'
(1) [sendmsg] = noop
(1) check_usage: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'jake'
(1) check_usage: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address
-> '10.1.1.23'
(1) check_usage: $RAD_REQUEST{'Service-Type'} = &request:Service-Type ->
'Framed-User'
(1) check_usage: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU ->
'1400'
(1) check_usage: $RAD_REQUEST{'State'} = &request:State ->
'0x2ae8af442ae9ab526f505f86b4932430'
(1) check_usage: $RAD_REQUEST{'Called-Station-Id'} =
&request:Called-Station-Id -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) check_usage: $RAD_REQUEST{'Calling-Station-Id'} =
&request:Calling-Station-Id -> 'F8-A9-D0-18-F2-24'
(1) check_usage: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier
-> 'MikroTik'
(1) check_usage: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type
-> 'Wireless-802.11'
(1) check_usage: $RAD_REQUEST{'Acct-Session-Id'} =
&request:Acct-Session-Id -> '82200019'
(1) check_usage: $RAD_REQUEST{'Acct-Multi-Session-Id'} =
&request:Acct-Multi-Session-Id ->
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) check_usage: $RAD_REQUEST{'Event-Timestamp'} =
&request:Event-Timestamp -> 'Jun 26 2015 03:36:51 UTC'
(1) check_usage: $RAD_REQUEST{'EAP-Message'} = &request:EAP-Message ->
'0x020100060319'
(1) check_usage: $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) check_usage: $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id ->
'wlan4'
(1) check_usage: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'NAK'
(1) check_usage: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name
-> 'jake'
(1) check_usage: $RAD_REQUEST{'Site'} = &request:Site -> '1'
(1) check_usage: $RAD_REPLY{'Session-Timeout'} = &reply:Session-Timeout
-> '10800'
(1) check_usage: $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) check_usage: $RAD_CHECK{'Cleartext-Password'} =
&control:Cleartext-Password -> 'fheman123'
(1) check_usage: $RAD_CHECK{'Total-Bytes'} = &control:Total-Bytes ->
'999999999999999999'
(1) check_usage: $RAD_CHECK{'Used-Bytes'} = &control:Used-Bytes ->
'154996'
(1) check_usage: $RAD_CHECK{'Reset-Date'} = &control:Reset-Date -> '13'
(1) check_usage: $RAD_CHECK{'Email'} = &control:Email -> '
zhex900 at gmail.com'
(1) check_usage: $RAD_CHECK{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) check_usage: $RAD_CHECK{'Mobile'} = &control:Mobile -> '0433169153'
(1) check_usage: $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'EAP'
(1) check_usage: $RAD_CONFIG{'Cleartext-Password'} =
&control:Cleartext-Password -> 'fheman123'
(1) check_usage: $RAD_CONFIG{'Total-Bytes'} = &control:Total-Bytes ->
'999999999999999999'
(1) check_usage: $RAD_CONFIG{'Used-Bytes'} = &control:Used-Bytes ->
'154996'
(1) check_usage: $RAD_CONFIG{'Reset-Date'} = &control:Reset-Date -> '13'
(1) check_usage: $RAD_CONFIG{'Email'} = &control:Email -> '
zhex900 at gmail.com'
(1) check_usage: $RAD_CONFIG{'Sent-Mail'} = &control:Sent-Mail -> '0'
(1) check_usage: $RAD_CONFIG{'Mobile'} = &control:Mobile -> '0433169153'
(1) check_usage: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1400'
(1) check_usage: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'}
-> 'Jun 26 2015 03:36:51 UTC'
(1) check_usage: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Framed-User'
(1) check_usage: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> 'F8-A9-D0-18-F2-24'
(1) check_usage: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'jake'
(1) check_usage: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'NAK'
(1) check_usage: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0x23c1df8ed8c64f231b0e8b9a5c48c798'
(1) check_usage: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} ->
'Wireless-802.11'
(1) check_usage: &request:Acct-Multi-Session-Id =
$RAD_REQUEST{'Acct-Multi-Session-Id'} ->
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(1) check_usage: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} ->
'jake'
(1) check_usage: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(1) check_usage: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'}
-> '10.1.1.23'
(1) check_usage: &request:Acct-Session-Id = $RAD_REQUEST{'Acct-Session-Id'}
-> '82200019'
(1) check_usage: &request:NAS-Port-Id = $RAD_REQUEST{'NAS-Port-Id'} ->
'wlan4'
(1) check_usage: &request:Site = $RAD_REQUEST{'Site'} -> '1'
(1) check_usage: &request:EAP-Message = $RAD_REQUEST{'EAP-Message'} ->
'0x020100060319'
(1) check_usage: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'}
-> 'MikroTik'
(1) check_usage: &request:State = $RAD_REQUEST{'State'} ->
'0x2ae8af442ae9ab526f505f86b4932430'
(1) check_usage: &reply:Mikrotik-Total-Limit-Gigawords =
$RAD_REPLY{'Mikrotik-Total-Limit-Gigawords'} -> '232830643'
(1) check_usage: &reply:Mikrotik-Total-Limit =
$RAD_REPLY{'Mikrotik-Total-Limit'} -> '2808193675'
(1) check_usage: &reply:Session-Timeout = $RAD_REPLY{'Session-Timeout'} ->
'10800'
(1) check_usage: &control:Cleartext-Password =
$RAD_CHECK{'Cleartext-Password'} -> 'fheman123'
(1) check_usage: &control:Avail-Bytes = $RAD_CHECK{'Avail-Bytes'} ->
'999999999999845003'
(1) check_usage: &control:Mobile = $RAD_CHECK{'Mobile'} -> '0433169153'
(1) check_usage: &control:Reset-Date = $RAD_CHECK{'Reset-Date'} -> '13'
(1) check_usage: &control:Sent-Mail = $RAD_CHECK{'Sent-Mail'} -> '0'
(1) check_usage: &control:Total-Bytes = $RAD_CHECK{'Total-Bytes'} ->
'999999999999999999'
(1) check_usage: &control:Used-Bytes = $RAD_CHECK{'Used-Bytes'} -> '154996'
(1) check_usage: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'EAP'
(1) check_usage: &control:Email = $RAD_CHECK{'Email'} -> 'zhex900 at gmail.com'
(1) [check_usage] = updated
(1) } # if ((control:Total-Bytes)) = updated
(1) } # policy data-restriction = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x2ae8af442ae9ab52
(1) eap: Finished EAP session with state 0x2ae8af442ae9ab52
(1) eap: Previous EAP request found for state 0x2ae8af442ae9ab52, released
from the list
(1) eap: Peer sent method NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling eap_peap to process EAP data
(1) eap_peap: Flushing SSL sessions (of #0)
(1) eap_peap: Initiate
(1) eap_peap: Start returned 1
(1) eap: EAP session adding &reply:State = 0x2ae8af442beab652
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 242 from 172.17.0.68:1812 to
203.59.132.253:44270 length 0
(1) Mikrotik-Total-Limit-Gigawords = 232830643
(1) Mikrotik-Total-Limit = 2808193675
(1) Session-Timeout = 10800
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x2ae8af442beab6526f505f86b4932430
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 243 from 203.59.132.253:52144 to
172.17.0.68:1812 length 427
(2) Service-Type = Framed-User
(2) Framed-MTU = 1400
(2) User-Name = 'jake'
(2) State = 0x2ae8af442beab6526f505f86b4932430
(2) NAS-Port-Id = 'wlan4'
(2) NAS-Port-Type = Wireless-802.11
(2) Acct-Session-Id = '82200019'
(2) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(2) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(2) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(2) EAP-Message =
0x020200c41980000000ba16030100b5010000b103016e692cd58137a32168d3f582da80112b10f99f0b740669a6ebb3372583558513000048c014c00a00390038c00fc0050035c013c00900330032c00ec004002fc011c007c00cc00200050004c012c00800160013c00dc003000a001500120009001400
(2) Message-Authenticator = 0xe1a2042b676d0a3bca307cb23bd11d3d
(2) NAS-Identifier = 'MikroTik'
(2) NAS-IP-Address = 10.1.1.23
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (!&User-Name) {
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ ) {
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "jake", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent code Response (2) ID 2 length 196
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x2ae8af442beab652
(2) eap: Finished EAP session with state 0x2ae8af442beab652
(2) eap: Previous EAP request found for state 0x2ae8af442beab652, released
from the list
(2) eap: Peer sent method PEAP (25)
(2) eap: EAP PEAP (25)
(2) eap: Calling eap_peap to process EAP data
(2) eap_peap: processing EAP-TLS
(2) eap_peap: TLS Length 186
(2) eap_peap: Length Included
(2) eap_peap: eaptls_verify returned 11
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< TLS 1.0 Handshake [length 00b5], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> TLS 1.0 Handshake [length 08d0], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
(2) eap_peap: eaptls_process returned 13
(2) eap_peap: FR_TLS_HANDLED
(2) eap: EAP session adding &reply:State = 0x2ae8af4428ebb652
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Sent Access-Challenge Id 243 from 172.17.0.68:1812 to
203.59.132.253:52144 length 0
(2) EAP-Message =
0x010303ec19c000000a8c1603010059020000550301d46c8d0a4b602b18e16f0c2eca4ab0b9923c8c75937b6be866c61bccebeff4f020f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bbc01400000dff01000100000b00040300010216030108d00b0008cc0008c90003de
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x2ae8af4428ebb6526f505f86b4932430
(2) Finished request
Waking up in 4.7 seconds.
(3) Received Access-Request Id 244 from 203.59.132.253:35924 to
172.17.0.68:1812 length 237
(3) Service-Type = Framed-User
(3) Framed-MTU = 1400
(3) User-Name = 'jake'
(3) State = 0x2ae8af4428ebb6526f505f86b4932430
(3) NAS-Port-Id = 'wlan4'
(3) NAS-Port-Type = Wireless-802.11
(3) Acct-Session-Id = '82200019'
(3) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(3) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(3) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(3) EAP-Message = 0x020300061900
(3) Message-Authenticator = 0xbcede2e1f511c39d7829a8d31d3056ca
(3) NAS-Identifier = 'MikroTik'
(3) NAS-IP-Address = 10.1.1.23
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (!&User-Name) {
(3) if (!&User-Name) -> FALSE
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@.*@/ ) {
(3) if (&User-Name =~ /@.*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "jake", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent code Response (2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x2ae8af4428ebb652
(3) eap: Finished EAP session with state 0x2ae8af4428ebb652
(3) eap: Previous EAP request found for state 0x2ae8af4428ebb652, released
from the list
(3) eap: Peer sent method PEAP (25)
(3) eap: EAP PEAP (25)
(3) eap: Calling eap_peap to process EAP data
(3) eap_peap: processing EAP-TLS
(3) eap_peap: Received TLS ACK
(3) eap_peap: Received TLS ACK
(3) eap_peap: ACK handshake fragment handler
(3) eap_peap: eaptls_verify returned 1
(3) eap_peap: eaptls_process returned 13
(3) eap_peap: FR_TLS_HANDLED
(3) eap: EAP session adding &reply:State = 0x2ae8af4429ecb652
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Sent Access-Challenge Id 244 from 172.17.0.68:1812 to
203.59.132.253:35924 length 0
(3) EAP-Message =
0x010403e8194070fc3072618327914b90833c80b17761d6b71ed327b33f801709abca73c4785893e2238950ca0494c79dceb74a47d2ae97f2cf40c1857e89d6543f5d275ca54082c2d8a4ec8109ca6d7161699efce7a8d33588e1f1403c619f4ebd02f166ab8a0d9b07ad442d0202e60004e5308204e130
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x2ae8af4429ecb6526f505f86b4932430
(3) Finished request
Waking up in 4.6 seconds.
(4) Received Access-Request Id 245 from 203.59.132.253:39524 to
172.17.0.68:1812 length 237
(4) Service-Type = Framed-User
(4) Framed-MTU = 1400
(4) User-Name = 'jake'
(4) State = 0x2ae8af4429ecb6526f505f86b4932430
(4) NAS-Port-Id = 'wlan4'
(4) NAS-Port-Type = Wireless-802.11
(4) Acct-Session-Id = '82200019'
(4) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(4) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(4) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(4) EAP-Message = 0x020400061900
(4) Message-Authenticator = 0x54aecaf6cd05e5bf1bce8ad82728077d
(4) NAS-Identifier = 'MikroTik'
(4) NAS-IP-Address = 10.1.1.23
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (!&User-Name) {
(4) if (!&User-Name) -> FALSE
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@.*@/ ) {
(4) if (&User-Name =~ /@.*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "jake", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent code Response (2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2ae8af4429ecb652
(4) eap: Finished EAP session with state 0x2ae8af4429ecb652
(4) eap: Previous EAP request found for state 0x2ae8af4429ecb652, released
from the list
(4) eap: Peer sent method PEAP (25)
(4) eap: EAP PEAP (25)
(4) eap: Calling eap_peap to process EAP data
(4) eap_peap: processing EAP-TLS
(4) eap_peap: Received TLS ACK
(4) eap_peap: Received TLS ACK
(4) eap_peap: ACK handshake fragment handler
(4) eap_peap: eaptls_verify returned 1
(4) eap_peap: eaptls_process returned 13
(4) eap_peap: FR_TLS_HANDLED
(4) eap: EAP session adding &reply:State = 0x2ae8af442eedb652
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Sent Access-Challenge Id 245 from 172.17.0.68:1812 to
203.59.132.253:39524 length 0
(4) EAP-Message =
0x010502ce190020417574686f72697479820900b019525dc1d9412e300c0603551d13040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101006f73
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x2ae8af442eedb6526f505f86b4932430
(4) Finished request
Waking up in 4.4 seconds.
(5) Received Access-Request Id 246 from 203.59.132.253:45440 to
172.17.0.68:1812 length 375
(5) Service-Type = Framed-User
(5) Framed-MTU = 1400
(5) User-Name = 'jake'
(5) State = 0x2ae8af442eedb6526f505f86b4932430
(5) NAS-Port-Id = 'wlan4'
(5) NAS-Port-Type = Wireless-802.11
(5) Acct-Session-Id = '82200019'
(5) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(5) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(5) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(5) EAP-Message =
0x020500901980000000861603010046100000424104bd66ff8372c1dc049759a9b955193ffa8e8e4da7348cc4e36500cb9b5198ba94ea171b8d06416f4894d5ff73e68fa74a8d6fd8563daec796148288a0a5ed0ebb1403010001011603010030bfe20542d15a4dfa96fecdb720ea6156305308632d1890
(5) Message-Authenticator = 0x7df94396891c33014810e3acbeafcbb1
(5) NAS-Identifier = 'MikroTik'
(5) NAS-IP-Address = 10.1.1.23
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (!&User-Name) {
(5) if (!&User-Name) -> FALSE
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@.*@/ ) {
(5) if (&User-Name =~ /@.*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "jake", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent code Response (2) ID 5 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x2ae8af442eedb652
(5) eap: Finished EAP session with state 0x2ae8af442eedb652
(5) eap: Previous EAP request found for state 0x2ae8af442eedb652, released
from the list
(5) eap: Peer sent method PEAP (25)
(5) eap: EAP PEAP (25)
(5) eap: Calling eap_peap to process EAP data
(5) eap_peap: processing EAP-TLS
(5) eap_peap: TLS Length 134
(5) eap_peap: Length Included
(5) eap_peap: eaptls_verify returned 11
(5) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
TLS: adding session
f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb to cache
(5) eap_peap: (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_peap: eaptls_process returned 13
(5) eap_peap: FR_TLS_HANDLED
(5) eap: EAP session adding &reply:State = 0x2ae8af442feeb652
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Sent Access-Challenge Id 246 from 172.17.0.68:1812 to
203.59.132.253:45440 length 0
(5) EAP-Message =
0x0106004119001403010001011603010030b50c5c6bcd7f1f0c3cdb9a9dd16fb6d24bfc64db51180644d3f3806f9a566ed700be78e43a68b107312669ee0fbe6d1f
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x2ae8af442feeb6526f505f86b4932430
(5) Finished request
Waking up in 4.3 seconds.
(6) Received Access-Request Id 247 from 203.59.132.253:39369 to
172.17.0.68:1812 length 237
(6) Service-Type = Framed-User
(6) Framed-MTU = 1400
(6) User-Name = 'jake'
(6) State = 0x2ae8af442feeb6526f505f86b4932430
(6) NAS-Port-Id = 'wlan4'
(6) NAS-Port-Type = Wireless-802.11
(6) Acct-Session-Id = '82200019'
(6) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(6) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(6) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(6) EAP-Message = 0x020600061900
(6) Message-Authenticator = 0xb6affee6faf6ee543b6ef9c9f52f74ec
(6) NAS-Identifier = 'MikroTik'
(6) NAS-IP-Address = 10.1.1.23
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (!&User-Name) {
(6) if (!&User-Name) -> FALSE
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@.*@/ ) {
(6) if (&User-Name =~ /@.*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jake", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent code Response (2) ID 6 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x2ae8af442feeb652
(6) eap: Finished EAP session with state 0x2ae8af442feeb652
(6) eap: Previous EAP request found for state 0x2ae8af442feeb652, released
from the list
(6) eap: Peer sent method PEAP (25)
(6) eap: EAP PEAP (25)
(6) eap: Calling eap_peap to process EAP data
(6) eap_peap: processing EAP-TLS
(6) eap_peap: Received TLS ACK
(6) eap_peap: Received TLS ACK
(6) eap_peap: ACK handshake is finished
(6) eap_peap: eaptls_verify returned 3
(6) eap_peap: eaptls_process returned 3
(6) eap_peap: FR_TLS_SUCCESS
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: EAP session adding &reply:State = 0x2ae8af442cefb652
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Sent Access-Challenge Id 247 from 172.17.0.68:1812 to
203.59.132.253:39369 length 0
(6) EAP-Message =
0x0107002b190017030100209db4b82b7785ec126910f4c56f3693646b7c87d993175dec544c881e17ff7e66
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x2ae8af442cefb6526f505f86b4932430
(6) Finished request
Waking up in 4.2 seconds.
(7) Received Access-Request Id 248 from 203.59.132.253:54163 to
172.17.0.68:1812 length 274
(7) Service-Type = Framed-User
(7) Framed-MTU = 1400
(7) User-Name = 'jake'
(7) State = 0x2ae8af442cefb6526f505f86b4932430
(7) NAS-Port-Id = 'wlan4'
(7) NAS-Port-Type = Wireless-802.11
(7) Acct-Session-Id = '82200019'
(7) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) EAP-Message =
0x0207002b190017030100208286978455a47dcaa043b6ee4493bf1162e7a1a6105b84d369f022c49c2db0b8
(7) Message-Authenticator = 0xb259288f94fab665a32a8e25909eabe9
(7) NAS-Identifier = 'MikroTik'
(7) NAS-IP-Address = 10.1.1.23
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (!&User-Name) {
(7) if (!&User-Name) -> FALSE
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@.*@/ ) {
(7) if (&User-Name =~ /@.*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jake", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent code Response (2) ID 7 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x2ae8af442cefb652
(7) eap: Finished EAP session with state 0x2ae8af442cefb652
(7) eap: Previous EAP request found for state 0x2ae8af442cefb652, released
from the list
(7) eap: Peer sent method PEAP (25)
(7) eap: EAP PEAP (25)
(7) eap: Calling eap_peap to process EAP data
(7) eap_peap: processing EAP-TLS
(7) eap_peap: eaptls_verify returned 7
(7) eap_peap: Done initial handshake
(7) eap_peap: eaptls_process returned 7
(7) eap_peap: FR_TLS_OK
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - jake
(7) eap_peap: Got inner identity 'jake'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x02070009016a616b65
(7) eap_peap: Setting User-Name to jake
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x02070009016a616b65
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = 'jake'
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Framed-MTU = 1400
(7) eap_peap: NAS-Port-Id = 'wlan4'
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Acct-Session-Id = '82200019'
(7) eap_peap: Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) eap_peap: NAS-Identifier = 'MikroTik'
(7) eap_peap: NAS-IP-Address = 10.1.1.23
(7) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x02070009016a616b65
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = 'jake'
(7) Service-Type = Framed-User
(7) Framed-MTU = 1400
(7) NAS-Port-Id = 'wlan4'
(7) NAS-Port-Type = Wireless-802.11
(7) Acct-Session-Id = '82200019'
(7) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(7) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(7) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(7) NAS-Identifier = 'MikroTik'
(7) NAS-IP-Address = 10.1.1.23
(7) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(7) server inner-tunnel {
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jake", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent code Response (2) ID 7 length 9
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent method Identity (1)
(7) eap: Calling eap_mschapv2 to process EAP data
(7) eap_mschapv2: Issuing Challenge
(7) eap: EAP session adding &reply:State = 0x22b0356022b82f2e
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x0108002a1a010800251014f3168a99ab99e591528dc482b16e2c667265657261646975732d332e302e38
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: EAP session adding &reply:State = 0x2ae8af442de0b652
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Sent Access-Challenge Id 248 from 172.17.0.68:1812 to
203.59.132.253:54163 length 0
(7) EAP-Message =
0x0108004b190017030100405d23e6bcb09cb6d20b68d9aaca1f83e4091ceff102e5083ddd35b9012b3d0e7188c3b1e155ea8f9bddc0ea1f850f357d2b8f6240e497819ecfd11cf2a7c0fbbb
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x2ae8af442de0b6526f505f86b4932430
(7) Finished request
Waking up in 4.1 seconds.
(8) Received Access-Request Id 249 from 203.59.132.253:36869 to
172.17.0.68:1812 length 322
(8) Service-Type = Framed-User
(8) Framed-MTU = 1400
(8) User-Name = 'jake'
(8) State = 0x2ae8af442de0b6526f505f86b4932430
(8) NAS-Port-Id = 'wlan4'
(8) NAS-Port-Type = Wireless-802.11
(8) Acct-Session-Id = '82200019'
(8) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) EAP-Message =
0x0208005b190017030100507a6c5910e9c1dc3a4adf8951c44d459517e50c2a6116265ff2d8924df35f0557e921ca3264d2be55f40dc688cb5fa91b6d9c14b1c9a895996ca03e1c224e31a2efb0740a6415f05685f77b4427b49f76
(8) Message-Authenticator = 0x1b7b410bbe118d5b2da8add5b4ac1a43
(8) NAS-Identifier = 'MikroTik'
(8) NAS-IP-Address = 10.1.1.23
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (!&User-Name) {
(8) if (!&User-Name) -> FALSE
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@.*@/ ) {
(8) if (&User-Name =~ /@.*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "jake", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent code Response (2) ID 8 length 91
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x22b0356022b82f2e
(8) eap: Finished EAP session with state 0x2ae8af442de0b652
(8) eap: Previous EAP request found for state 0x2ae8af442de0b652, released
from the list
(8) eap: Peer sent method PEAP (25)
(8) eap: EAP PEAP (25)
(8) eap: Calling eap_peap to process EAP data
(8) eap_peap: processing EAP-TLS
(8) eap_peap: eaptls_verify returned 7
(8) eap_peap: Done initial handshake
(8) eap_peap: eaptls_process returned 7
(8) eap_peap: FR_TLS_OK
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP type MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message =
0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) eap_peap: Setting User-Name to jake
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message =
0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = 'jake'
(8) eap_peap: State = 0x22b0356022b82f2e85a63bb65e619718
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Framed-MTU = 1400
(8) eap_peap: NAS-Port-Id = 'wlan4'
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Acct-Session-Id = '82200019'
(8) eap_peap: Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) eap_peap: NAS-Identifier = 'MikroTik'
(8) eap_peap: NAS-IP-Address = 10.1.1.23
(8) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(8) Virtual server inner-tunnel received request
(8) EAP-Message =
0x0208003f1a0208003a31fcc0fb5d30dd364f4a9edc06a2029b9d0000000000000000312629d61823e24eb9069392de30e57b93615a8ff11013d1006a616b65
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = 'jake'
(8) State = 0x22b0356022b82f2e85a63bb65e619718
(8) Service-Type = Framed-User
(8) Framed-MTU = 1400
(8) NAS-Port-Id = 'wlan4'
(8) NAS-Port-Type = Wireless-802.11
(8) Acct-Session-Id = '82200019'
(8) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(8) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(8) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(8) NAS-Identifier = 'MikroTik'
(8) NAS-IP-Address = 10.1.1.23
(8) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "jake", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent code Response (2) ID 8 length 63
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> jake
(8) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'jake' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'jake' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: Cleartext-Password := 'fheman123'
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'jake' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'jake' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake'
ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'jake' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Group "14kimberleyst": Conditional check items matched
(8) sql: Group "14kimberleyst": Merging assignment check items
(8) sql: Reset-Date := '13'
(8) sql: Total-Bytes := '999999999999999999'
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(8) sql: Group "14kimberleyst": Merging reply items
(8) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x22b0356022b82f2e
(8) eap: Finished EAP session with state 0x22b0356022b82f2e
(8) eap: Previous EAP request found for state 0x22b0356022b82f2e, released
from the list
(8) eap: Peer sent method MSCHAPv2 (26)
(8) eap: EAP MSCHAPv2 (26)
(8) eap: Calling eap_mschapv2 to process EAP data
(8) eap_mschapv2: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) eap_mschapv2: Auth-Type MS-CHAP {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: jake
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # Auth-Type MS-CHAP = ok
(8) MSCHAP Success
(8) eap: EAP session adding &reply:State = 0x22b0356023b92f2e
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Session-Timeout = 10800
(8) EAP-Message =
0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: Session-Timeout = 10800
(8) eap_peap: EAP-Message =
0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: Session-Timeout = 10800
(8) eap_peap: EAP-Message =
0x010900331a0308002e533d41333944323941353645323936313832444636323842413142393243463244353430393334463042
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: EAP session adding &reply:State = 0x2ae8af4422e1b652
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Sent Access-Challenge Id 249 from 172.17.0.68:1812 to
203.59.132.253:36869 length 0
(8) EAP-Message =
0x0109005b19001703010050ff2fa83e838510f3b311adc6a2de5dd4e3bf9e49ca7b67699dc84fd1c698570243feeaa1c808dee3846a38ffbdf223dee1afbe871ba2398fe4bc3653e21b24c6fcee8c9607bbe10fe7370c07f0b041f4
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x2ae8af4422e1b6526f505f86b4932430
(8) Finished request
Waking up in 4.0 seconds.
(9) Received Access-Request Id 250 from 203.59.132.253:51671 to
172.17.0.68:1812 length 274
(9) Service-Type = Framed-User
(9) Framed-MTU = 1400
(9) User-Name = 'jake'
(9) State = 0x2ae8af4422e1b6526f505f86b4932430
(9) NAS-Port-Id = 'wlan4'
(9) NAS-Port-Type = Wireless-802.11
(9) Acct-Session-Id = '82200019'
(9) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) EAP-Message =
0x0209002b19001703010020b385b35defe2309a0a1087757d0f1334ba0c847fa90fecacec7d8233ff986872
(9) Message-Authenticator = 0xd85c93784094e1af3cf813ae7c2212c5
(9) NAS-Identifier = 'MikroTik'
(9) NAS-IP-Address = 10.1.1.23
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (!&User-Name) {
(9) if (!&User-Name) -> FALSE
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@.*@/ ) {
(9) if (&User-Name =~ /@.*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "jake", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent code Response (2) ID 9 length 43
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x22b0356023b92f2e
(9) eap: Finished EAP session with state 0x2ae8af4422e1b652
(9) eap: Previous EAP request found for state 0x2ae8af4422e1b652, released
from the list
(9) eap: Peer sent method PEAP (25)
(9) eap: EAP PEAP (25)
(9) eap: Calling eap_peap to process EAP data
(9) eap_peap: processing EAP-TLS
(9) eap_peap: eaptls_verify returned 7
(9) eap_peap: Done initial handshake
(9) eap_peap: eaptls_process returned 7
(9) eap_peap: FR_TLS_OK
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP type MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to jake
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020900061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: State = 0x22b0356023b92f2e85a63bb65e619718
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Framed-MTU = 1400
(9) eap_peap: NAS-Port-Id = 'wlan4'
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Acct-Session-Id = '82200019'
(9) eap_peap: Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) eap_peap: Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) eap_peap: Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) eap_peap: NAS-Identifier = 'MikroTik'
(9) eap_peap: NAS-IP-Address = 10.1.1.23
(9) eap_peap: Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020900061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = 'jake'
(9) State = 0x22b0356023b92f2e85a63bb65e619718
(9) Service-Type = Framed-User
(9) Framed-MTU = 1400
(9) NAS-Port-Id = 'wlan4'
(9) NAS-Port-Type = Wireless-802.11
(9) Acct-Session-Id = '82200019'
(9) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(9) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(9) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(9) NAS-Identifier = 'MikroTik'
(9) NAS-IP-Address = 10.1.1.23
(9) Event-Timestamp = 'Jun 26 2015 03:36:52 UTC'
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(9) authorize {
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "jake", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent code Response (2) ID 9 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) sql: EXPAND %{User-Name}
(9) sql: --> jake
(9) sql: SQL-User-Name set to 'jake'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'jake' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'jake' ORDER BY id
(9) sql: User found in radcheck table
(9) sql: Conditional check items matched, merging assignment check items
(9) sql: Cleartext-Password := 'fheman123'
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'jake' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radreply WHERE username = 'jake' ORDER BY id
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'jake'
ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = 'jake' ORDER BY priority
(9) sql: User found in the group table
(9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id
(9) sql: --> SELECT id, groupname, attribute, Value, op FROM
radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Group "14kimberleyst": Conditional check items matched
(9) sql: Group "14kimberleyst": Merging assignment check items
(9) sql: Reset-Date := '13'
(9) sql: Total-Bytes := '999999999999999999'
(9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id
(9) sql: --> SELECT id, groupname, attribute, value, op FROM
radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '14kimberleyst' ORDER BY id
(9) sql: Group "14kimberleyst": Merging reply items
(9) sql: Session-Timeout := 10800
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x22b0356023b92f2e
(9) eap: Finished EAP session with state 0x22b0356023b92f2e
(9) eap: Previous EAP request found for state 0x22b0356023b92f2e, released
from the list
(9) eap: Peer sent method MSCHAPv2 (26)
(9) eap: EAP MSCHAPv2 (26)
(9) eap: Calling eap_mschapv2 to process EAP data
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
(9) post-auth {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> jake
(9) sql: SQL-User-Name set to 'jake'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) update {
(9) &outer.session-state:Session-Timeout += &reply:Session-Timeout
-> 10800
(9) &outer.session-state:MS-MPPE-Encryption-Policy +=
&reply:MS-MPPE-Encryption-Policy -> Encryption-Allowed
(9) &outer.session-state:MS-MPPE-Encryption-Types +=
&reply:MS-MPPE-Encryption-Types -> RC4-40or128-bit-Allowed
(9) &outer.session-state:MS-MPPE-Send-Key +=
&reply:MS-MPPE-Send-Key -> 0x89180aba877672b89e8af47487914f88
(9) &outer.session-state:MS-MPPE-Recv-Key +=
&reply:MS-MPPE-Recv-Key -> 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) &outer.session-state:EAP-Message += &reply:EAP-Message ->
0x03090004
(9) &outer.session-state:Message-Authenticator +=
&reply:Message-Authenticator -> 0x00000000000000000000000000000000
(9) &outer.session-state:User-Name += &reply:User-Name -> jake
(9) } # update = noop
(9) update outer.session-state {
(9) MS-MPPE-Encryption-Policy !* ANY
(9) MS-MPPE-Encryption-Types !* ANY
(9) MS-MPPE-Send-Key !* ANY
(9) MS-MPPE-Recv-Key !* ANY
(9) Message-Authenticator !* ANY
(9) EAP-Message !* ANY
(9) Proxy-State !* ANY
(9) } # update outer.session-state = noop
(9) } # post-auth = ok
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) Session-Timeout = 10800
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = 'jake'
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: Session-Timeout = 10800
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: Session-Timeout = 10800
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x89180aba877672b89e8af47487914f88
(9) eap_peap: MS-MPPE-Recv-Key = 0xeb1d86612d6cfa12c45d9dfa87f470d1
(9) eap_peap: EAP-Message = 0x03090004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = 'jake'
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap_peap: Saving tunneled attributes for later
(9) eap: EAP session adding &reply:State = 0x2ae8af4423e2b652
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) session-state: Saving cached attributes
(9) Session-Timeout += 10800
(9) User-Name += 'jake'
(9) Sent Access-Challenge Id 250 from 172.17.0.68:1812 to
203.59.132.253:51671 length 0
(9) EAP-Message =
0x010a002b190017030100209ffa89db62ad66cc4ddee6a4a1950f7ef37a98001a17f318cb0b6beb1492a1e0
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x2ae8af4423e2b6526f505f86b4932430
(9) Finished request
Waking up in 3.9 seconds.
(10) Received Access-Request Id 251 from 203.59.132.253:49242 to
172.17.0.68:1812 length 274
(10) Service-Type = Framed-User
(10) Framed-MTU = 1400
(10) User-Name = 'jake'
(10) State = 0x2ae8af4423e2b6526f505f86b4932430
(10) NAS-Port-Id = 'wlan4'
(10) NAS-Port-Type = Wireless-802.11
(10) Acct-Session-Id = '82200019'
(10) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(10) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(10) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(10) EAP-Message =
0x020a002b1900170301002026447f2d4d239efdc5f79e265525ede34826f132b7d0c5c8874169bacc4ac3a3
(10) Message-Authenticator = 0xa5e90887435c642376fc2a49a006da0b
(10) NAS-Identifier = 'MikroTik'
(10) NAS-IP-Address = 10.1.1.23
(10) session-state: Found cached attributes
(10) Session-Timeout += 10800
(10) User-Name += 'jake'
(10) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (!&User-Name) {
(10) if (!&User-Name) -> FALSE
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@.*@/ ) {
(10) if (&User-Name =~ /@.*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "jake", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent code Response (2) ID 10 length 43
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0x2ae8af4423e2b652
(10) eap: Finished EAP session with state 0x2ae8af4423e2b652
(10) eap: Previous EAP request found for state 0x2ae8af4423e2b652, released
from the list
(10) eap: Peer sent method PEAP (25)
(10) eap: EAP PEAP (25)
(10) eap: Calling eap_peap to process EAP data
(10) eap_peap: processing EAP-TLS
(10) eap_peap: eaptls_verify returned 7
(10) eap_peap: Done initial handshake
(10) eap_peap: eaptls_process returned 7
(10) eap_peap: FR_TLS_OK
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: Using saved attributes from the original Access-Accept
(10) eap_peap: Session-Timeout = 10800
(10) eap_peap: User-Name = 'jake'
(10) eap_peap: Saving session
f8318cccbe262c0e3e6529d8f49d6f94bb3d20480c225789496ecaf88b6d23bb vps
0x18cb740 in the cache
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(10) post-auth {
(10) update {
(10) &reply:Session-Timeout += &session-state:Session-Timeout -> 10800
(10) &reply:User-Name += &session-state:User-Name -> jake
(10) } # update = noop
(10) sql: EXPAND .query
(10) sql: --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(10) sql: EXPAND %{User-Name}
(10) sql: --> jake
(10) sql: SQL-User-Name set to 'jake'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(10) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'jake', '', 'Access-Accept', '2015-06-26 03:36:52')
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(10) [sql] = ok
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = ok
(10) Sent Access-Accept Id 251 from 172.17.0.68:1812 to 203.59.132.253:49242
length 0
(10) Session-Timeout = 10800
(10) User-Name = 'jake'
(10) MS-MPPE-Recv-Key =
0xe5deb546fc8f6e00acdf29b623d95704d2ed1020f037955b5200e47def068653
(10) MS-MPPE-Send-Key =
0x1c0c6d0296a173ab78c88bae351114f84de5cdc9386cbb1dc93bb9ff188d29ef
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) Session-Timeout += 10800
(10) User-Name += 'jake'
(10) Finished request
Waking up in 3.8 seconds.
(11) Received Accounting-Request Id 252 from 203.59.132.253:49829 to
172.17.0.68:1813 length 205
(11) Service-Type = Framed-User
(11) NAS-Port-Id = 'wlan4'
(11) NAS-Port-Type = Wireless-802.11
(11) User-Name = 'jake'
(11) Acct-Session-Id = '82200019'
(11) Acct-Multi-Session-Id =
'02-0C-42-B7-A9-5E-F8-A9-D0-18-F2-24-82-20-00-00-00-00-00-18'
(11) Calling-Station-Id = 'F8-A9-D0-18-F2-24'
(11) Called-Station-Id = '02-0C-42-B7-A9-5E:GRACE UPON GRACE'
(11) Acct-Authentic = RADIUS
(11) Acct-Status-Type = Start
(11) NAS-Identifier = 'MikroTik'
(11) Acct-Delay-Time = 0
(11) NAS-IP-Address = 10.1.1.23
(11) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(11) preacct {
(11) [preprocess] = ok
(11) policy acct_unique {
(11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) {
(11) EXPAND %{string:Class}
(11) -->
(11) if ("%{string:Class}" =~ /ai:([0-9a-f]{32})/i) -> FALSE
(11) else {
(11) update request {
(11) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11) --> fbad663f9e23f248b243af3297e4a26d
(11) &Acct-Unique-Session-Id := fbad663f9e23f248b243af3297e4a26d
(11) } # update request = noop
(11) } # else = noop
(11) } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "jake", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) [files] = noop
(11) } # preacct = ok
(11) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(11) accounting {
(11) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail: --> /var/log/freeradius/radacct/
203.59.132.253/detail-20150626
(11) detail:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/203.59.132.253/detail-20150626
(11) detail: EXPAND %t
(11) detail: --> Fri Jun 26 03:36:52 2015
(11) [detail] = ok
(11) [unix] = ok
(11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(11) sql: --> type.start.query
(11) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(11) sql: EXPAND %{User-Name}
(11) sql: --> jake
(11) sql: SQL-User-Name set to 'jake'
(11) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,acctstarttime,
acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}',
'%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}',
FROM_UNIXTIME(%{integer:Event-Timestamp}),
FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}',
'%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}',
'%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}')
(11) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid,
username, realm, nasipaddress, nasportid, nasporttype,acctstarttime,
acctupdatetime, acctstoptime, acctsessiontime, acctauthentic,
connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets,
calledstationid, callingstationid, acctterminatecause, servicetype,
framedprotocol, framedipaddress) VALUES ('82200019',
'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '',
'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812),
NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON
GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '')
(11) sql: Executing query: INSERT INTO radacct (acctsessionid,
acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype,
acctstarttime, acctupdatetime, acctstoptime, acctsessiontime,
acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets,
acctoutputoctets, calledstationid, callingstationid, acctterminatecause,
servicetype, framedprotocol, framedipaddress) VALUES ('82200019',
'fbad663f9e23f248b243af3297e4a26d', 'jake', '', '10.1.1.23', '',
'Wireless-802.11', FROM_UNIXTIME(1435289812), FROM_UNIXTIME(1435289812),
NULL, '0', 'RADIUS', '', '', '0', '0', '02-0C-42-B7-A9-5E:GRACE UPON
GRACE', 'F8-A9-D0-18-F2-24', '', 'Framed-User', '', '')
(11) sql: SQL query returned: success
(11) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(11) [sql] = ok
(11) [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response: --> jake
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 15
(11) [attr_filter.accounting_response] = updated
(11) } # accounting = updated
(11) Sent Accounting-Response Id 252 from 172.17.0.68:1813 to
203.59.132.253:49829 length 0
(11) Finished request
(11) <done>: Cleaning up request packet ID 252 with timestamp +10
Waking up in 3.7 seconds.
(0) <done>: Cleaning up request packet ID 241 with timestamp +9
Waking up in 0.1 seconds.
(1) <done>: Cleaning up request packet ID 242 with timestamp +9
Waking up in 0.1 seconds.
(2) <done>: Cleaning up request packet ID 243 with timestamp +9
Waking up in 0.1 seconds.
(3) <done>: Cleaning up request packet ID 244 with timestamp +9
Waking up in 0.1 seconds.
(4) <done>: Cleaning up request packet ID 245 with timestamp +9
Waking up in 0.1 seconds.
(5) <done>: Cleaning up request packet ID 246 with timestamp +9
Waking up in 0.1 seconds.
(6) <done>: Cleaning up request packet ID 247 with timestamp +10
(7) <done>: Cleaning up request packet ID 248 with timestamp +10
Waking up in 0.1 seconds.
(8) <done>: Cleaning up request packet ID 249 with timestamp +10
Waking up in 0.1 seconds.
(9) <done>: Cleaning up request packet ID 250 with timestamp +10
Waking up in 0.1 seconds.
(10) <done>: Cleaning up request packet ID 251 with timestamp +10
Ready to process requests
On 26 June 2015 at 11:33, Arran Cudbard-Bell <a.cudbardb at freeradius.org>
wrote:
>
>
> > On 25 Jun 2015, at 23:21, Jake He <jake.he at gmail.com> wrote:
> >
> > Hi,
> >
> > I have a problem where Attribute MT-Recv-Limit is returned in
> > Access-Challenge but not in Access-Accept.
> >
> > This is my setup. FR 3.0.8
> >
> > I have configured the following in the eap.conf file in the ttls section:
> >
> > copy_request_to_tunnel = yes
> > use_tunneled_reply = yes
> > virtual_server = "inner-tunnel"
> >
> > /etc/freeradius/sites-available/inner-tunnel. post-auth block, uncommented.
> >
> > update {
> > &outer.session-state: += &reply:
> > }
> >
> > update outer.session-state {
> >
> > MS-MPPE-Encryption-Policy !* ANY
> >
> > MS-MPPE-Encryption-Types !* ANY
> >
> > MS-MPPE-Send-Key !* ANY
> >
> > MS-MPPE-Recv-Key !* ANY
> >
> > Message-Authenticator !* ANY
> >
> > EAP-Message !* ANY
> >
> > Proxy-State !* ANY
> >
> > }
> >
> > I have a fixed radreply attribute Session-Timeout in the database. This is
> > sent in the Access-Accept.
> >
> > MT-Recv-Limit is sent by a perl script
> > <https://raw.githubusercontent.com/zhex900/radius-config/master/version.3/mods-config/perl/check_usage.pl>.
> > This script adds a new radreply $RAD_REPLY{'Mikrotik-Recv-Limit'}. This is called
> > in the site-available/default authorize block.
> > Mikrotik-Recv-Limit does appear in the Access-Challenge but not in the
> > Access-Accept.
> >
> > Any ideas?
>
> Not really, seeing as you've not provided the debug output...
>
> -Arran
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
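
An added example, not part of the original thread: a Python script that unwraps mail-wrapped FreeRADIUS debug output like the log above and lists the reply attributes that were sent in an Access-Challenge but are missing from the final Access-Accept, which is the symptom described in the question. The sample log and the Mikrotik-Recv-Limit value in it are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, wrapped the way the mail client wrapped the log above.
# The Mikrotik-Recv-Limit value is made up for illustration.
SAMPLE = """\
(9) Sent Access-Challenge Id 250 from 172.17.0.68:1812 to
203.59.132.253:51671 length 0
(9) EAP-Message =
0x010a002b
(9) Mikrotik-Recv-Limit = 1000000
(9) State = 0x2ae8af4423e2b652
(9) Finished request
Waking up in 3.9 seconds.
(10) Sent Access-Accept Id 251 from 172.17.0.68:1812 to 203.59.132.253:49242
length 0
(10) Session-Timeout = 10800
(10) User-Name = 'jake'
(10) EAP-Message = 0x030a0004
(10) Session-Timeout += 10800
(10) Finished request
"""

TAGGED = re.compile(r"^\(\d+\)\s")
SENT = re.compile(r"^\((\d+)\)\s+Sent (\S+) Id \d+ ")
ATTR = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+) = (.*)$")
# Attributes that carry the EAP exchange itself and differ on every round.
PER_ROUND = {"EAP-Message", "Message-Authenticator", "State"}

def unwrap(text):
    """Rejoin wrapped lines: a line without a '(N) ' tag continues the previous one."""
    out = []
    for line in text.splitlines():
        if out and line.strip() and not TAGGED.match(line):
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line)
    return out

def sent_packets(text):
    """Return [(request_no, packet_type, {attr: [values]})] for every reply sent."""
    packets, current = [], None
    for line in unwrap(text):
        sent = SENT.match(line)
        if sent:
            current = (int(sent.group(1)), sent.group(2), {})
            packets.append(current)
            continue
        attr = ATTR.match(line) if current else None
        if attr and int(attr.group(1)) == current[0]:
            current[2].setdefault(attr.group(2), []).append(attr.group(3))
        else:
            current = None  # first non "Name = value" line ends the packet dump
    return packets

def dropped_before_accept(text):
    """Attributes seen in any Access-Challenge but absent from the last Access-Accept."""
    packets = sent_packets(text)
    accepts = [p for p in packets if p[1] == "Access-Accept"]
    if not accepts:
        return None  # no Access-Accept in this log
    challenged = set()
    for _, ptype, attrs in packets:
        if ptype == "Access-Challenge":
            challenged |= set(attrs)
    return sorted(challenged - set(accepts[-1][2]) - PER_ROUND)

if __name__ == "__main__":
    print(dropped_before_accept(SAMPLE))
```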