MACSEC on Cisco 3750-X and FreeRADIUS 2.2.5

Krause, Kilian krause at tik.uni-stuttgart.de
Tue Mar 3 14:19:50 CET 2015


Hi Alan,

> after some more debugging I've found the reason of my PEAP failing with
> MACSEC: SoH!
> I've attached the log with and without SoH. Is this a buggy client
> behavior or is the FR misinterpreting the packet?
> 
> With regard to getting rid of use_tunneled_reply I don't get the
> Chargeable-User-Identity to show up in the last (Access-Accept) request.
> If you see anything I may have missed to get the attribute handed out
> there, please do point me to it.

Not sure why the attached logs have vanished, so here goes:

-(snip:PEAP with SoH)-
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/tls_log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui_log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/inner_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/asa_log
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/nksusers
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/soh
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 5
	cleanup_delay = 5
	max_requests = 2048
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = no
 	auth_goodpass = no
 }
 security {
 	max_attributes = 200
 	reject_delay = 1
 	status_server = yes
 	allow_vulnerable_openssl = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth+acct"
 	secret = "testing123"
 	response_window = 20
 	max_outstanding = 65536
 	require_message_authenticator = yes
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	num_answers_to_alive = 3
 	num_pings_to_alive = 3
 	revive_interval = 120
 	status_check_timeout = 4
 }
 realm LOCAL {
 }
 realm NULL {
 }
 realm unistuttgart.de {
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
radiusd: #### Loading Clients ####
 client ar30a-y1t-s5 {
 	ipaddr = 172.18.198.32
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
 client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
  	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
  	reply-message = "You are calling outside your allowed timespan  "
  	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
   	rsa_key_exchange = no
   	dh_key_exchange = yes
   	rsa_key_length = 4096
   	dh_key_length = 1024
   	verify_depth = 3
   	CA_path = "/etc/freeradius/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
   	certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
   	private_key_password = "..."
   	dh_file = "/etc/freeradius/certs/dh"
   	random_file = "/dev/urandom"
   	fragment_size = 1024
   	include_length = yes
   	check_crl = no
   	cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
   	make_cert_command = "/etc/freeradius/certs/bootstrap"
   	ecdh_curve = "prime256v1"
    cache {
    	enable = no
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = yes
   	soh_virtual_server = "soh-server"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_challenge {
  	attrsfile = "/etc/freeradius/attrs.access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_challenge
 Module: Linked to module rlm_always
 Module: Instantiating module "handled" from file /etc/freeradius/modules/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/huntgroups"
  	hints = "/etc/freeradius/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
  	usersfile = "/etc/freeradius/users"
  	acctusersfile = "/etc/freeradius/acct_users"
  	preproxy_usersfile = "/etc/freeradius/preproxy_users"
  	compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
  	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	perm = 384
  	callerid = yes
  }
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  	attrsfile = "/etc/freeradius/attrs.accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
  	attrsfile = "/etc/freeradius/attrs.access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Auth-Type = LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
  	use_mppe = no
  	require_encryption = yes
  	require_strong = yes
  	with_ntdomain_hack = yes
  	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  	allow_retry = yes
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
  	server = "server1"
  	port = 389
  	password = "..."
  	expect_password = yes
  	identity = "CN=..."
  	net_timeout = 1
  	timeout = 4
  	timelimit = 3
  	max_uses = 0
  	tls_mode = no
  	start_tls = no
  	tls_require_cert = "allow"
   tls {
   	start_tls = yes
   	cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt"
   	require_cert = "demand"
   }
  	basedn = "DC=rus,DC=uni-stuttgart,DC=de"
  	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  	base_filter = "(objectClass=inetOrgPerson)"
  	auto_header = no
  	access_attr = "msNPAllowDialin"
  	access_attr_used_for_allow = yes
  	chase_referrals = no
  	rebind = no
  	groupname_attribute = "cn"
  	groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))"
  	groupmembership_attribute = "memberOf"
  	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
  	ldap_debug = 0
  	ldap_connections_number = 20
  	compare_check_items = no
  	do_xlat = yes
  	edir_account_policy_check = no
  	set_auth_type = yes
   keepalive {
   	idle = 60
   	probes = 3
   	interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x822e40
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server soh-server { # from file /etc/freeradius/sites-enabled/soh
 modules {
 Module: Checking authorize {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
 	type = "auth"
 	ipaddr = *
 	port = 0
}
listen {
 	type = "acct"
 	ipaddr = *
 	port = 0
}
 ... adding new socket proxy address * port 35971
 ... adding new socket proxy address * port 34413
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=115, length=147
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021500090174657374
	Message-Authenticator = 0x928beab47c7c13d806d39e797867faeb
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 21 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 115 to 172.18.198.32 port 1645
	EAP-Message = 0x011600061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=116, length=288
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x0216008419001603010079010000750301e25a5a77e01eac5a9a77a6256c6668143107032bfcb2fb2ea76ca94ff3af5ee3000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013
	Message-Authenticator = 0xda56d8cc7c7ebc0962c23ee6dd512d27
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbcd4bdd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 22 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0724], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 116 to 172.18.198.32 port 1645
	EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699
	EAP-Message = 0x54c7cbd70c3c768b357aeec0b4d54d05e71e25c9dedee00f0e23f80f79f635b52fab67d815c996640860d8947f85c64718494043d1bd3adaee6c9750984893dce4e331603147d801ab19c368e52e5a0a06368b052079aad840c4dfb618c17a228248778bc50c490807f51602142587577763b7310cfb675be3e7330fcfe569d3ca5d9675007a375ccfa1b091e1e487685edc6abb48ac9857c8f63728e9b477a8e0a86921a3ace86662b026819c3d7ecac083008a379a946bb72afcf2dfbe2c141d4aa29468013b2ba5d8455e4f5468fb71590f8e416227516e1338644c48650a4aa6871458c117460867cd6633368082e3cf900efd4b93f8de531e3132
	EAP-Message = 0x44d81e791923d84c4f25bdedf54c0f29623af5db342df85b22b789140c76c651b901b59c2c45afce41e0d60ec28ecebc817ae5dd7933efbb102e0591f02c04228960a4772f3aadcfd99404161634b8d6b01466286c7b4a821bc24b837409ad2463e2f51e4080dbc9dbd3d0be72781a4bb0ad64b2e544b990578a3666850096bed5382b8b7126df3db285cbdccb456510f06df76af0ef0c30ffb358745042477dd6cfe5cae5aef6ac5c73db46ae84ae79acaa5ec0e3433803fb4d996ce74dd14a727a38e2c1f7afe625a27ada1fa35d5723afab17be5aecfa8beea1ecdb0cc417658552e73f423c4bbc7c829a70cf38e7ccbea5a5d475650203010001a3
	EAP-Message = 0x82026630820262304f060355
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbcc4add42446ffd395a7bb16f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=117, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021700061900
	Message-Authenticator = 0x0942be5e680f9361fd3b672fa8fd82f7
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbcc4add42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 23 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 117 to 172.18.198.32 port 1645
	EAP-Message = 0x011803fc19401d20044830463011060f2b0601040181ad21822c01010403033011060f2b0601040181ad21822c0201040301300f060d2b0601040181ad21822c010104300d060b2b0601040181ad21822c1e30090603551d1304023000300b0603551d0f0404030205e0301d0603551d250416301406082b0601050507030206082b06010505070301301d0603551d0e04160414480fe6922d6871e0a8e3a5fa1867f9fcec60263f301f0603551d23041830168014bdad275a2c37cf0d441f721aaab73799112e0204302a0603551d1104233021821f746573742d61757468312e7275732e756e692d7374757474676172742e646530818d0603551d1f
	EAP-Message = 0x4079ace979428146
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=118, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021800061900
	Message-Authenticator = 0xbaa29964fe01b08e0e85fcfe53dab543
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbcf45dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 24 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 118 to 172.18.198.32 port 1645
	EAP-Message = 0xb7aa544a240651e75ce75fa47205df2759c2bb78aa196b5b68dfd2d0867d03e6fead87cf9f7fa827047b1dc994e6f46634b3011806388d7bfe5f66efa2349ee22ecb9f97ede15f2369098445334b2906a23ef1b69daa63deb20ae01525a55871d9a3545decad567660a5267f403aad3a6c7f778d259208e75e92705873a975f2fc23879a4dc298fd2800ad0590d9d4707acef2308694088c08dd5327c7bb38a955b4c06f9d2b37b5488bd38b2bcb783bdb836121be70e03a33c37f606c6542b9ea73e26a210640a2d22c8b05a0109f3c5cdd60aa16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbce44dd42446ffd395a7bb16f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=119, length=296
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x0219008c190016030100461000004241045f59e48b26f3964c81c8cd86d7fb237e290d979b2954dcc7b40aab5c8e1c303bc64ac5e66edbddee9a4a98714fe901bfaf176a30374f377945a50e2483e775171403010001011603010030f136f69cef068f1336096133e8805d50fbc0a4052ab4a586a057ae8841e5ec728601a980526018c0bb8c2d1267e3f8d3
	Message-Authenticator = 0xe0a74f62073469b67b023d259b503e9b
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbce44dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 25 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 119 to 172.18.198.32 port 1645
	EAP-Message = 0x011a0041190014030100010116030100308f22dae63d39cc06a7c858ba9bc95a5f9a6357d71bdece3de33d6b90ba81a871e1f1f328e87d136072c9879d961b58fe
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbc947dd42446ffd395a7bb16f
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=120, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021a00061900
	Message-Authenticator = 0x4ff49831f3d3c18f8c3ae25c3c0e086f
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbc947dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 26 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 120 to 172.18.198.32 port 1645
	EAP-Message = 0x011b002b190017030100203a1fa1fede068be34b77a627bf79ece4331c84c8e680fa56f038be9292048d28
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbc846dd42446ffd395a7bb16f
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=121, length=236
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021b005019001703010020712017e92240dd4eda7e155e52c8d754751f33898f7004241ca7286a97ec9a5517030100209dd1894242f272d607b5c1ac058964babbc2f4a37e9bf9a83680d4dce24b2af2
	Message-Authenticator = 0x4f22c2d143aadbfcb3bdc1307fdece0a
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbc846dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 27 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Requesting SoH from client
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 121 to 172.18.198.32 port 1645
	EAP-Message = 0x011c003b19001703010030bac336433016e5b57fd6ad3f31c06a2047549f45033e9d4e05c8ebb1d622c1303d4d59f64e40e9fbf7a085acc4695f8b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=122, length=252
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021c006019001703010020c361d362beec75836d28cd66ff8c43a6f08455395b16ff14a33e92c1c177554e17030100309d1f880456359376450fc9bb764e62d54e9e93d25727a1f8ba4286857a40d1aaeadef04fa08e087ed2a643fef33ed5b7
	Message-Authenticator = 0x242e5e529d9ac60f54f1e9caa298e4ba
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbcb41dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 28 length 96
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type 254
[peap] SoH - extended eap vendor 00000000 is not Microsoft
[peap] Setting User-Name to test
[peap] Processing SoH request
	SoH-Supported = no
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
[peap] server soh-server {
# Executing section authorize from file /etc/freeradius/sites-enabled/soh
+group authorize {
++update config {
++} # update config = noop
+} # group authorize = noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
[peap] } # server soh-server
[peap] Got SoH reply
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x021c00090174657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x021c00090174657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 28 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d0368273d1e72fe5df8dd5da55aea6a
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x011d001e1a011d0019103bd5dadecf4690c3042c15623ed0e57774657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x3d0368273d1e72fe5df8dd5da55aea6a
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 122 to 172.18.198.32 port 1645
	EAP-Message = 0x011d003b190017030100309802783e3a59d9c56f0b6c3f9206057652857f95b6a456181d91239d2d99935d9b7c0edc627c554d32b9bf8e49c01f1f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbca40dd42446ffd395a7bb16f
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=123, length=300
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021d009019001703010020783d86a0a76b549704671f8283e5276a7ae8048a06ec558f0973758fd84ed733170301006031b1499ee0f76154f8d8f7bcf698a701d90df6bc7c98cfc56bcb3123b94e47d3b153cafde228820aa13dc36eee6cb12512e47b2566b66ffe244c1de2da30ac0faf9248f3cc169fc720fee22a3a6b222afad1daf180e5086688116ce93320780d
	Message-Authenticator = 0x2ea4d7f854cda09df102cb62d047dd0c
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbca40dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 29 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type 254
[peap] Got tunneled request
	EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x021d0046fe0000000000001a021d003a316e882ba02b15bc9aec09decfe03db1fb0000000000000000ad6990749d5255b204c8a2d90fe0e1496dc5ee88dc54bfc30074657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0x3d0368273d1e72fe5df8dd5da55aea6a
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 29 length 70
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Badly formatted EAP Message: Ignoring the packet
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 123 to 172.18.198.32 port 1645
	EAP-Message = 0x011e002b1900170301002078c06ddf27b6fd9a59447de45007d1fbd3dc0230ce8f8ccb1c56dafa1c877fa9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd5dc4fbc543dd42446ffd395a7bb16f
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=124, length=236
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x021e005019001703010020a04bd006cc78e6e1decf8d7867bbc35f8c6b7b6c0c3e1682d002a4dcd781ae2317030100200b7b6d3119ae30f4929cec62ddad8bf67110d9269dd26db2e377f6b663a1b3bd
	Message-Authenticator = 0x936c2d859e8b42e3502b038b1bb3aee4
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xcd5dc4fbc543dd42446ffd395a7bb16f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 30 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 124 to 172.18.198.32 port 1645
	EAP-Message = 0x041e0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
-(snip)-

-(snip:PEAP without SoH)-
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/tls_log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui_log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/inner_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/asa_log
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/nksusers
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/soh
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 5
	cleanup_delay = 5
	max_requests = 2048
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = no
 	auth_goodpass = no
 }
 security {
 	max_attributes = 200
 	reject_delay = 1
 	status_server = yes
 	allow_vulnerable_openssl = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth+acct"
 	secret = "testing123"
 	response_window = 20
 	max_outstanding = 65536
 	require_message_authenticator = yes
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	num_answers_to_alive = 3
 	num_pings_to_alive = 3
 	revive_interval = 120
 	status_check_timeout = 4
 }
 realm LOCAL {
 }
 realm NULL {
 }
 realm unistuttgart.de {
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
radiusd: #### Loading Clients ####
 client ar30a-y1t-s5 {
 	ipaddr = 172.18.198.32
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
 client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
  	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
  	reply-message = "You are calling outside your allowed timespan  "
  	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
   	rsa_key_exchange = no
   	dh_key_exchange = yes
   	rsa_key_length = 4096
   	dh_key_length = 1024
   	verify_depth = 3
   	CA_path = "/etc/freeradius/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
   	certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
   	private_key_password = "..."
   	dh_file = "/etc/freeradius/certs/dh"
   	random_file = "/dev/urandom"
   	fragment_size = 1024
   	include_length = yes
   	check_crl = no
   	cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
   	make_cert_command = "/etc/freeradius/certs/bootstrap"
   	ecdh_curve = "prime256v1"
    cache {
    	enable = no
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_challenge {
  	attrsfile = "/etc/freeradius/attrs.access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_challenge
 Module: Linked to module rlm_always
 Module: Instantiating module "handled" from file /etc/freeradius/modules/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/huntgroups"
  	hints = "/etc/freeradius/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
  	usersfile = "/etc/freeradius/users"
  	acctusersfile = "/etc/freeradius/acct_users"
  	preproxy_usersfile = "/etc/freeradius/preproxy_users"
  	compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
  	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	perm = 384
  	callerid = yes
  }
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  	attrsfile = "/etc/freeradius/attrs.accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
  	attrsfile = "/etc/freeradius/attrs.access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Auth-Type = LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
  	use_mppe = no
  	require_encryption = yes
  	require_strong = yes
  	with_ntdomain_hack = yes
  	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  	allow_retry = yes
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
  	server = "server1"
  	port = 389
  	password = "..."
  	expect_password = yes
  	identity = "CN=..."
  	net_timeout = 1
  	timeout = 4
  	timelimit = 3
  	max_uses = 0
  	tls_mode = no
  	start_tls = no
  	tls_require_cert = "allow"
   tls {
   	start_tls = yes
   	cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt"
   	require_cert = "demand"
   }
  	basedn = "DC=rus,DC=uni-stuttgart,DC=de"
  	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  	base_filter = "(objectClass=inetOrgPerson)"
  	auto_header = no
  	access_attr = "msNPAllowDialin"
  	access_attr_used_for_allow = yes
  	chase_referrals = no
  	rebind = no
  	groupname_attribute = "cn"
  	groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))"
  	groupmembership_attribute = "memberOf"
  	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
  	ldap_debug = 0
  	ldap_connections_number = 20
  	compare_check_items = no
  	do_xlat = yes
  	edir_account_policy_check = no
  	set_auth_type = yes
   keepalive {
   	idle = 60
   	probes = 3
   	interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x822f60
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
server soh-server { # from file /etc/freeradius/sites-enabled/soh
 modules {
 Module: Checking authorize {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
 	type = "auth"
 	ipaddr = *
 	port = 0
}
listen {
 	type = "acct"
 	ipaddr = *
 	port = 0
}
 ... adding new socket proxy address * port 60025
 ... adding new socket proxy address * port 33159
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=94, length=147
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020100090174657374
	Message-Authenticator = 0xcf8f61e19fda9dd8e3084485b0228b9c
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 94 to 172.18.198.32 port 1645
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x9b4d4a279b4f533796287c14f130a087
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=95, length=147
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020100090174657374
	Message-Authenticator = 0xafb0dd93be1f0cffaaaf221de4045dd7
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 95 to 172.18.198.32 port 1645
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=96, length=288
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x02020084190016030100790100007503017401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c637000036c014c00a003900380035c013c00900330032002fc011c00700050004c012c00800160013000a001500120009001400110008000300ff01000016000b000403000102000a000a00080019001800170013
	Message-Authenticator = 0xccfb81d4264d77ec23e7aaa52d55f66e
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0bb28acbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 132
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0079], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0724], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 96 to 172.18.198.32 port 1645
	EAP-Message = 0x612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a677f7fb699
	EAP-Message = 0x82026630820262304f060355
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=97, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020300061900
	Message-Authenticator = 0x2e9d9c56d3626bc077576f071ca511f9
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0ba29acbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 97 to 172.18.198.32 port 1645
	EAP-Message = 0x048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e692d73747574
	EAP-Message = 0x399aab8286647ada
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=98, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020400061900
	Message-Authenticator = 0x9f50561dcab7188f23d46bab5248d97a
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0b92eacbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 98 to 172.18.198.32 port 1645
	EAP-Message = 0xeedcdf04878099c6fef854ed9514a571f92599447d319dc68ffab977649eab30c785a1cf8ba584c035930da6a2d4cbd7f10a2e322b505dafd201ab975c6a1203e698af1685fb8f330fdfab1f5f2f3248d63fb2c7468af2f59dac1fc505c290b90ae948f0a862a29d9418c04e6bcc059246ebbe50fea5a8a1ed1975f788cf06044dad87e52436b4d35d04621b921caf486494623d8b4b5e1d5b02b8279b3703e60b5efcbaa489894bf2d3b6ef874749697b987bf15d31bf1fa246d0bc72d80555e956edf8d2ff7c4ac33691cbd2eebe60dccd7e3716030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0b82facbdb91ce7a2572b723f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=99, length=296
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x0205008c190016030100461000004241046a740362e0d616de772c72d41ee5ea386a53be3e206d45b0651521e238a8b7226cf8af3f85aed5878d8a72960291b2199aa1805bce5da3f035ead6f067de8f1b1403010001011603010030b21c85083a266af718d1e69d85719af3a916c5c840e3f17ffdfce8c1fa9c3e85644dd6a1886850ba2196ef6eb28c64c2
	Message-Authenticator = 0x2d33ae480ec38fdf618635dba1779b40
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0b82facbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 140
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 99 to 172.18.198.32 port 1645
	EAP-Message = 0x010600411900140301000101160301003090b81f39df590362caf2d99dfe9fe368235406a26c5c6eb4818d890c785e40361beb223f2639a968c9b7dd6d2ac51101
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=100, length=162
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020600061900
	Message-Authenticator = 0x16572769069b79c9ba629f078a6d1e6a
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0bf2cacbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 100 to 172.18.198.32 port 1645
	EAP-Message = 0x0107002b19001703010020b31358b537b7134e57360dcd37eae6c2d38196d58b611edec302fa3fec68d2df
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=101, length=236
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020700501900170301002018a664b19a325ea049be4c621e8049cfd4426244ca5c959a65a73588b34abb4b1703010020c37fbc749595c99a78ce484d6f1db9650b66645dcf7fb2f5840f5b61cb3748aa
	Message-Authenticator = 0xc8b6fc92af307b8e8ca068d23965cb51
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0be2dacbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x020700090174657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020700090174657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0efe69570ef6732709c3b87ea131e257
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0108001e1a010800191084ba62722c03c483a91352c175f1529a74657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0efe69570ef6732709c3b87ea131e257
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 101 to 172.18.198.32 port 1645
	EAP-Message = 0x0108003b190017030100306026b403c13a55239766d3fadfc4a98dbabf1fc11a639a64c85d2cf3560ec75a3531c2f5de861846995088eafdac1abf
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=102, length=284
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x0208008019001703010020b92988ae427d6241a55df5ecc6399406855790402a55c456b90c855c20f97fc71703010050ca8b6f23a8e3550b072d3ba37051e12f40abfc7dbce03d6457aadad81c4800de2b7bcca9efd6d3bd85f593263532176a1fc3b26084752dd271021a523cddd79456560c499314b05c79168d3d75aa47ef
	Message-Authenticator = 0x8affbffffe30400d59c4008936563b33
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0bd22acbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x0208003f1a0208003a31a48840d1a1de4d77d87cb99559c6573e000000000000000047cb2e79d82abd625e4009b419a149727c649c1481dc49130074657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0x0efe69570ef6732709c3b87ea131e257
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success 
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0efe69570ff7732709c3b87ea131e257
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010900331a0308002e533d45374337383938423944303331353531304534323842383635324336373830433431384230373645
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x0efe69570ff7732709c3b87ea131e257
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 102 to 172.18.198.32 port 1645
	EAP-Message = 0x0109005b190017030100505d1a5a1287bc8a2e9d94aaa3eb4e89db49e3afead1d6bfee2303378554aae9bc65c7678f104be1be2cb9831ff282efba9eaf6440be14992bcca1be885b15a0011675bb686dff0e79e1de15ab3f34db28
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=103, length=236
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x0209005019001703010020fdfdcbe62f4be282f11da86e1a120de98815b0fc7ba7dcedeba9ebffe2e228a01703010020abbbb9d0d4c938049351af3bfa3950a2c86dece773cb047c260cc7a469fc9b91
	Message-Authenticator = 0x5571d4907711c404122993abfe28206b
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0bc23acbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900061a03
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020900061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0x0efe69570ff7732709c3b87ea131e257
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	NAS-IP-Address = 172.18.198.32
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 103 to 172.18.198.32 port 1645
	EAP-Message = 0x010a002b1900170301002065bf7fda742db5bef2bc180d98a0cad8ae421ae976ff065e10e5a055b7036415
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xbb2ab5d0b320acbdb91ce7a2572b723f
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.18.198.32 port 1645, id=104, length=236
	User-Name = "test"
	Service-Type = Framed-User
	Framed-MTU = 1500
	Called-Station-Id = "3C-08-F6-48-9D-01"
	Calling-Station-Id = "00-15-17-51-6E-C8"
	EAP-Message = 0x020a005019001703010020fca0a033a16be8e163cf06002f5c82354dcf37a8585a45feb83579bfa09db8bf170301002069f53585cc685ef8d9f83e833001f3e53d5d655d46787c4d53d87c9cad1ab42c
	Message-Authenticator = 0x0d4dc553d712677f0b5cbc388facbff3
	NAS-Port-Type = Ethernet
	NAS-Port = 50101
	NAS-Port-Id = "GigabitEthernet1/0/1"
	State = 0xbb2ab5d0b320acbdb91ce7a2572b723f
	NAS-IP-Address = 172.18.198.32
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test] (from client ar30a-y1t-s5 port 50101 cli 00-15-17-51-6E-C8)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id)
? Evaluating (NAS-Port-Type == "Ethernet" ) -> TRUE
? Evaluating (reply:EAP-Session-Id) -> TRUE
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> TRUE
++if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) {
+++update reply {
	expand: %{reply:EAP-Session-Id} -> 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b
+++} # update reply = noop
++} # if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) = noop
+} # group post-auth = noop
Sending Access-Accept of id 104 to 172.18.198.32 port 1645
	MS-MPPE-Recv-Key = 0xacf9fb54eef637d542208e760604e0c0bd8d3d86ab97d6285a841fed54adbd60
	MS-MPPE-Send-Key = 0x186ffb2f33e99465cd5f3fb12e063993f2870c0ecea47fb36c822608ea2791fd
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
	EAP-Key-Name = 0x197401bf61c33a106003371a11bf11ef4d828d67f3f3aa766f637112fc8d05c63754f593aaca21a8214b1ea7b2d9bc7f421f1f749c48797ed4c804ed7831e1133b
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
-(snip)-

-(snip:CUI with use_tunneled)-
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/tls_log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui_log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/inner_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/asa_log
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/nksusers
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/soh
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 5
	cleanup_delay = 5
	max_requests = 2048
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = no
 	auth_goodpass = no
 }
 security {
 	max_attributes = 200
 	reject_delay = 1
 	status_server = yes
 	allow_vulnerable_openssl = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth+acct"
 	secret = "testing123"
 	response_window = 20
 	max_outstanding = 65536
 	require_message_authenticator = yes
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	num_answers_to_alive = 3
 	num_pings_to_alive = 3
 	revive_interval = 120
 	status_check_timeout = 4
 }
 realm LOCAL {
 }
 realm NULL {
 }
 realm unistuttgart.de {
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
radiusd: #### Loading Clients ####
 client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
 client test {
 	ipaddr = 127.0.0.2
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
  	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
  	reply-message = "You are calling outside your allowed timespan  "
  	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
   	rsa_key_exchange = no
   	dh_key_exchange = yes
   	rsa_key_length = 4096
   	dh_key_length = 1024
   	verify_depth = 3
   	CA_path = "/etc/freeradius/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
   	certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
   	private_key_password = "..."
   	dh_file = "/etc/freeradius/certs/dh"
   	random_file = "/dev/urandom"
   	fragment_size = 1024
   	include_length = yes
   	check_crl = no
   	cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
   	make_cert_command = "/etc/freeradius/certs/bootstrap"
   	ecdh_curve = "prime256v1"
    cache {
    	enable = no
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = yes
   	virtual_server = "inner-tunnel"
   	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = yes
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = yes
   	soh_virtual_server = "soh-server"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_challenge {
  	attrsfile = "/etc/freeradius/attrs.access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_challenge
 Module: Linked to module rlm_always
 Module: Instantiating module "handled" from file /etc/freeradius/modules/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/huntgroups"
  	hints = "/etc/freeradius/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Loading virtual module cui_authorize
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
  	usersfile = "/etc/freeradius/users"
  	acctusersfile = "/etc/freeradius/acct_users"
  	preproxy_usersfile = "/etc/freeradius/preproxy_users"
  	compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
  	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	perm = 384
  	callerid = yes
  }
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  	attrsfile = "/etc/freeradius/attrs.accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Loading virtual module cui_pre_proxy
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
  	attrsfile = "/etc/freeradius/attrs.access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Auth-Type = LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
  	use_mppe = no
  	require_encryption = yes
  	require_strong = yes
  	with_ntdomain_hack = yes
  	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  	allow_retry = yes
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
  	server = "server1"
  	port = 389
  	password = "..."
  	expect_password = yes
  	identity = "CN=..."
  	net_timeout = 1
  	timeout = 4
  	timelimit = 3
  	max_uses = 0
  	tls_mode = no
  	start_tls = no
  	tls_require_cert = "allow"
   tls {
   	start_tls = yes
   	cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt"
   	require_cert = "demand"
   }
  	basedn = "DC=rus,DC=uni-stuttgart,DC=de"
  	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  	base_filter = "(objectClass=inetOrgPerson)"
  	auto_header = no
  	access_attr = "msNPAllowDialin"
  	access_attr_used_for_allow = yes
  	chase_referrals = no
  	rebind = no
  	groupname_attribute = "cn"
  	groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))"
  	groupmembership_attribute = "memberOf"
  	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
  	ldap_debug = 0
  	ldap_connections_number = 20
  	compare_check_items = no
  	do_xlat = yes
  	edir_account_policy_check = no
  	set_auth_type = yes
   keepalive {
   	idle = 60
   	probes = 3
   	interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x822350
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Loading virtual module cui_postauth
 } # modules
} # server
server soh-server { # from file /etc/freeradius/sites-enabled/soh
 modules {
 Module: Checking authorize {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
 	type = "auth"
 	ipaddr = *
 	port = 0
}
listen {
 	type = "acct"
 	ipaddr = *
 	port = 0
}
 ... adding new socket proxy address * port 49737
 ... adding new socket proxy address * port 59974
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=0, length=116
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0200000e01616e6f6e796d6f7573
	Message-Authenticator = 0x595808a6df0d257c137a38998ee79867
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 127.0.0.2 port 48345
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb9327e829e357b5a5436a16c14
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=1, length=343
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020100df1980000000d516030100d0010000cc0301ca8a04aa540107592620c2160bb3f42a71ca744eae937a7f978658051d66c46400005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
	State = 0x327f9bb9327e829e357b5a5436a16c14
	Message-Authenticator = 0x75898035e58e5ebf1cf694cd4a1589c9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 223
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 213
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0724], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 127.0.0.2 port 48345
	EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a
	EAP-Message = 0x03010001a382026630820262
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb9337d829e357b5a5436a16c14
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=2, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020200061900
	State = 0x327f9bb9337d829e357b5a5436a16c14
	Message-Authenticator = 0x6888dcbbe8be13f63b3df1c04b6dfd6d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 127.0.0.2 port 48345
	EAP-Message = 0x0603551d1f048185308182303fa03da03b8639687474703a2f2f636470312e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c303fa03da03b8639687474703a2f2f636470322e7063612e64666e2e64652f756e692d7374757474676172742d63612f7075622f63726c2f636163726c2e63726c3081db06082b060105050701010481ce3081cb303306082b060105050730018627687474703a2f2f6f6373702e7063612e64666e2e64652f4f4353502d5365727665722f4f435350304906082b06010505073002863d687474703a2f2f636470312e7063612e64666e2e64652f756e69
	EAP-Message = 0x84da860e1539435eba8261268e4efc77518aa29fdd4a542e912b26be5e243d689b3673fd955b2a76a148c3580f16f3bfbe2883dc2aaff71e59b04ef813d11b251f7e9d510abb6569ac5a28f2d1d2749c2d38b164ec1fc1aff05725ddc6718a8d4e8f0a59accc3721eddcdf23b5f7baca4e635b544145c8578c5193775cac8c152e36408064160301024b0c00024703001741043350173df39886cda2ba626e72d0bb364421fba1ac14e9dc8415ce6fa0cb59cf6b70e8ad3fa5802c4383429ad5b0b766b4fe9518b419d2343cf6f8920b7a77110200076ed54647aa04e0eb8d4e7803d6f2f222476b9674e6568465e7ba8c0e34a6c4cef8499d99e98d23
	EAP-Message = 0x3203586c9cf439fa
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb9307c829e357b5a5436a16c14
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=3, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020300061900
	State = 0x327f9bb9307c829e357b5a5436a16c14
	Message-Authenticator = 0x1561f30102839d5ed3a896c12567b963
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 127.0.0.2 port 48345
	EAP-Message = 0x77b4a27e51ecbeeae358d881edac32a3ca3350aa6e00c8b3d085f68984e05a772e08567bffda2463aab7d6962f0333bcbddbf3730ac7855b3ef3363595e45375b294a3af25b05f71694aa716a0b9df5ccd64feede13eedbed6f32a34aeeb06536391bedb7ae65540ea7d90a9016f97b681e067462daa43cce69c9e9fbd9ff3c6f208f424f15b33278a2efedcb42724752bf2bf3e3429d9943a57c217ab6370aa22bac7b0b8a7b21f9a2582987adab826631552fe6d54fb8b5d0737c83a98292a154e82d4768c55698be87264db35b9dbd87410c67c96476c9616030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb9317b829e357b5a5436a16c14
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=4, length=264
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020400901980000000861603010046100000424104589f028d91f777f472a23572e0aba0709612be1b08b00c37382d019982a382afef0bc2bffbd08baacbfd4ee670c436f119fa9b0d7854205a5e6c14f221152d241403010001011603010030ff55a8bd146331235a47ee466bd285fa6b5a2cb812cbd6226938423e1394a38987a51e9a970d0d0b7e0e2080b1a32a3f
	State = 0x327f9bb9317b829e357b5a5436a16c14
	Message-Authenticator = 0xb6826a8549005cbb13d2a5d93e9ef5bf
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 127.0.0.2 port 48345
	EAP-Message = 0x010500411900140301000101160301003020c85b82b0cdd61ffd9d232b616ef15501eecdcdc9a2e638f53272c3b4c35fdd3706f7e2ff607d3f62c4ae312320e0f6
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb9367a829e357b5a5436a16c14
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=5, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020500061900
	State = 0x327f9bb9367a829e357b5a5436a16c14
	Message-Authenticator = 0x2a17af58815712ca7799486235a92194
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 127.0.0.2 port 48345
	EAP-Message = 0x0106002b19001703010020796f17cf42b173edbcd5c862efda9644b27249be5bd78eaa15d51a0d81b142b8
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb93779829e357b5a5436a16c14
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=6, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0206005019001703010020aaced0418f9e6417d8b95954962ddb186629d82d0d8e48beeb27c1e9e56a4a9b17030100201d39a2a010f2500aea7914b27e981cdc89444fe1c0119fa44c3478f9cfa16036
	State = 0x327f9bb93779829e357b5a5436a16c14
	Message-Authenticator = 0xdff535226abc38dcd6fbf58b691496b0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Requesting SoH from client
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 127.0.0.2 port 48345
	EAP-Message = 0x0107003b19001703010030385a62c266b4e84f5d7314abe491ed7337b994237ac4924d1b7a3711a67fe2cb2968fefa0a866d2fed02ec5419a88053
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb93478829e357b5a5436a16c14
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=7, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x02070050190017030100202b9d5178effeb43bf275a261b88440e9c8f7339b32c61ec34258e6e8d8d180bf1703010020c031353e552be39b85f17d864810468242c50424853dc6f49e5f80708ff9d5b8
	State = 0x327f9bb93478829e357b5a5436a16c14
	Message-Authenticator = 0x3aa4730e7f8cf83347b70b810447761d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type nak
[peap] SoH - client NAKed
[peap] Setting User-Name to test
[peap] Processing SoH request
	SoH-Supported = no
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
[peap] server soh-server {
# Executing section authorize from file /etc/freeradius/sites-enabled/soh
+group authorize {
++update config {
++} # update config = noop
+} # group authorize = noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
[peap] } # server soh-server
[peap] Got SoH reply
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x020700090174657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020700090174657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xf5f48388f5fc994d57120af492298399
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0108001e1a0108001910447ffc937bb419ef8d909103306fa47474657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xf5f48388f5fc994d57120af492298399
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 127.0.0.2 port 48345
	EAP-Message = 0x0108003b19001703010030cbd22509077e7f0738f486fe3b48f54b28395fdfcf38bfb08d7297a73ae86d66f6bcda9f0371005bd03911234fdd79c9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb93577829e357b5a5436a16c14
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=8, length=248
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0208008019001703010020d17355b4f52a17aab27bcd9516dbf9aaa53c31ae42a062c31d548933b5f5d5d7170301005068f143add5db659dc0eef2e44bdaa9431a341c1ef520812a57513effdab568fb7c2a4ce9094161b3ac8ef8e0f756b7f12c5c91feebf5d7bf03d81e2ac0996d1185420363e0be1530f79c0200d443f08a
	State = 0x327f9bb93577829e357b5a5436a16c14
	Message-Authenticator = 0x097a2b9db2824b1513e6c0d123798106
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x0208003f1a0208003a31fd9a39d29b1c1c3b1824248ba4b4376d0000000000000000ec5c20d426f710215334d3f7055202c3562c4c8bcd8b385c0074657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0xf5f48388f5fc994d57120af492298399
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success 
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xf5f48388f4fd994d57120af492298399
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010900331a0308002e533d31363833413530383845423132443942413842433430374539383245433845383541414344324631
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xf5f48388f4fd994d57120af492298399
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 127.0.0.2 port 48345
	EAP-Message = 0x0109005b19001703010050d2b789718fcffbb9b674b1b69efe450b340e44e565663a223cbe31748804495e229923ad790f976fcc3cf03ff97135ee6111f49775c0ab5e3e97e9a344194b5573465a1fd499760bfc84e31e06c28207
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb93a76829e357b5a5436a16c14
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=9, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0209005019001703010020143d851aff8ba8edda8f418f7cab68b6d96eaa43b450a21b5d72972d32ca01e0170301002041fbab48b6aefd1744b4b3b9b02f14fb3819ddd9ee38f967206781fb058864e7
	State = 0x327f9bb93a76829e357b5a5436a16c14
	Message-Authenticator = 0x8aba2461edf6d7465a8b18632ef4cdf9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900061a03
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020900061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0xf5f48388f4fd994d57120af492298399
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel)
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+group post-auth {
++policy cui_postauth {
+++? if (FreeRadius-Proxied-To == 127.0.0.1)
? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++if (FreeRadius-Proxied-To == 127.0.0.1) {
++++? if (outer.request:Chargeable-User-Identity)
? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE
++++? if (outer.request:Chargeable-User-Identity) -> TRUE
++++if (outer.request:Chargeable-User-Identity) {
+++++update reply {
	expand: test%{User-Name} -> testtest
	expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb
+++++} # update reply = noop
++++} # if (outer.request:Chargeable-User-Identity) = noop
+++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop
+++ ... skipping else for request 9: Preceding "if" was taken
++} # policy cui_postauth = noop
++update outer.reply {
	expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb
++} # update outer.reply = noop
+} # group post-auth = noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 9 to 127.0.0.2 port 48345
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
	EAP-Message = 0x010a002b190017030100205c705bc6233aadd22c12d903313e62e73d03df9b06bd6014b4f0035496d6503b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x327f9bb93b75829e357b5a5436a16c14
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 48345, id=10, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020a005019001703010020fefd838dfd4ce0af03b1937450f77bc5b42b6a51a2eb2b13d4c2b86ad4a9cd341703010020d9380f0721001bc78a4e0db195a850084989147c97ed73847723ca8c01dd6b8d
	State = 0x327f9bb93b75829e357b5a5436a16c14
	Message-Authenticator = 0xb2384825a42489e30bbe8e57aecbdc2d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id)
? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE
? Skipping (reply:EAP-Session-Id)
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE
+} # group post-auth = noop
Sending Access-Accept of id 10 to 127.0.0.2 port 48345
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
	MS-MPPE-Recv-Key = 0x2e4a9f0cd8626d474e58aad77fceec68cf3b758b43fd8822c565a5ac0634dc28
	MS-MPPE-Send-Key = 0x9d2033bd45afc4a0ab7c6b34877c6738236104e245e9006fb464d44ade3ac38c
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
-(snip)-

-(snip:CUI without use_tunneled)-
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Oct 28 2014 at 16:27:11
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/tls_log
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui_log
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/inner_log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/asa_log
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/nksusers
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/soh
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 5
	cleanup_delay = 5
	max_requests = 2048
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = yes
 	auth_badpass = no
 	auth_goodpass = no
 }
 security {
 	max_attributes = 200
 	reject_delay = 1
 	status_server = yes
 	allow_vulnerable_openssl = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth+acct"
 	secret = "testing123"
 	response_window = 20
 	max_outstanding = 65536
 	require_message_authenticator = yes
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	num_answers_to_alive = 3
 	num_pings_to_alive = 3
 	revive_interval = 120
 	status_check_timeout = 4
 }
 realm LOCAL {
 }
 realm NULL {
 }
 realm unistuttgart.de {
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
radiusd: #### Loading Clients ####
 client localhost {
 	ipaddr = 127.0.0.1
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
 client test {
 	ipaddr = 127.0.0.2
 	require_message_authenticator = no
 	secret = "..."
 	nastype = "other"
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
  expiration {
  	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
  logintime {
  	reply-message = "You are calling outside your allowed timespan  "
  	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server { # from file £Ýç?
 modules {
  Module: Creating Post-Auth-Type = REJECT
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
   	rsa_key_exchange = no
   	dh_key_exchange = yes
   	rsa_key_length = 4096
   	dh_key_length = 1024
   	verify_depth = 3
   	CA_path = "/etc/freeradius/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/test-auth1.rus.uni-stuttgart.de.key"
   	certificate_file = "/etc/ssl/certs/test-auth1.rus.uni-stuttgart.de.crt"
   	private_key_password = "..."
   	dh_file = "/etc/freeradius/certs/dh"
   	random_file = "/dev/urandom"
   	fragment_size = 1024
   	include_length = yes
   	check_crl = no
   	cipher_list = "HIGH:ALL:!ADH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
   	make_cert_command = "/etc/freeradius/certs/bootstrap"
   	ecdh_curve = "prime256v1"
    cache {
    	enable = no
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = yes
   	soh_virtual_server = "soh-server"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_challenge {
  	attrsfile = "/etc/freeradius/attrs.access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_challenge
 Module: Linked to module rlm_always
 Module: Instantiating module "handled" from file /etc/freeradius/modules/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/huntgroups"
  	hints = "/etc/freeradius/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
 Module: Loading virtual module cui_authorize
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
  	usersfile = "/etc/freeradius/users"
  	acctusersfile = "/etc/freeradius/acct_users"
  	preproxy_usersfile = "/etc/freeradius/preproxy_users"
  	compat = "no"
  }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
  acct_unique {
  	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	perm = 384
  	callerid = yes
  }
 Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.accounting_response {
  	attrsfile = "/etc/freeradius/attrs.accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.accounting_response
 Module: Checking session {...} for more modules to load
 Module: Checking pre-proxy {...} for more modules to load
 Module: Loading virtual module cui_pre_proxy
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
  attr_filter attr_filter.access_reject {
  	attrsfile = "/etc/freeradius/attrs.access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
reading pairlist file /etc/freeradius/attrs.access_reject
 } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
  Module: Creating Auth-Type = LDAP
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_mschap
 Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
  mschap {
  	use_mppe = no
  	require_encryption = yes
  	require_strong = yes
  	with_ntdomain_hack = yes
  	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-RUS} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
  	allow_retry = yes
  }
 Module: Linked to module rlm_ldap
 Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
  ldap {
  	server = "server1"
  	port = 389
  	password = "..."
  	expect_password = yes
  	identity = "CN=..."
  	net_timeout = 1
  	timeout = 4
  	timelimit = 3
  	max_uses = 0
  	tls_mode = no
  	start_tls = no
  	tls_require_cert = "allow"
   tls {
   	start_tls = yes
   	cacertfile = "/usr/share/ca-certificates/uni-stuttgart.de/chain-with-dtag.crt"
   	require_cert = "demand"
   }
  	basedn = "DC=rus,DC=uni-stuttgart,DC=de"
  	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
  	base_filter = "(objectClass=inetOrgPerson)"
  	auto_header = no
  	access_attr = "msNPAllowDialin"
  	access_attr_used_for_allow = yes
  	chase_referrals = no
  	rebind = no
  	groupname_attribute = "cn"
  	groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))"
  	groupmembership_attribute = "memberOf"
  	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
  	ldap_debug = 0
  	ldap_connections_number = 20
  	compare_check_items = no
  	do_xlat = yes
  	edir_account_policy_check = no
  	set_auth_type = yes
   keepalive {
   	idle = 60
   	probes = 3
   	interval = 3
   }
  }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x822350
 Module: Checking authorize {...} for more modules to load
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Loading virtual module cui_postauth
 } # modules
} # server
server soh-server { # from file /etc/freeradius/sites-enabled/soh
 modules {
 Module: Checking authorize {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
 	type = "auth"
 	ipaddr = *
 	port = 0
}
listen {
 	type = "acct"
 	ipaddr = *
 	port = 0
}
 ... adding new socket proxy address * port 53498
 ... adding new socket proxy address * port 35227
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=0, length=116
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0200000e01616e6f6e796d6f7573
	Message-Authenticator = 0xc1d8c1f9918fe9f74d3e7f0652520b47
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 127.0.0.2 port 46747
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29847a6bb36a3141a09bb27535f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=1, length=343
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020100df1980000000d516030100d0010000cc03014e5372569e41097f511647c09e8f8a82ae426474b808ce1b7353ae5af2e385b600005ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
	State = 0x47a7a29847a6bb36a3141a09bb27535f
	Message-Authenticator = 0xcd9e4c715d9cab478d82437f863bf8b2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 223
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 213
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00d0], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 003e], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0724], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 024b], ServerKeyExchange  
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 127.0.0.2 port 46747
	EAP-Message = 0x0901161763612d67303140756e692d7374757474676172742e6465301e170d3135303131363035313431395a170d3139303730393233353930305a308197310b3009060355040613024445311b301906035504081312426164656e2d577565727474656d626572673112301006035504071309537475747467617274311f301d060355040a1316556e6976657273697461657420537475747467617274310c300a060355040b13034e4b53312830260603550403131f746573742d61757468312e7275732e756e692d7374757474676172742e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100eddb28f383b67a
	EAP-Message = 0x03010001a382026630820262
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29846a5bb36a3141a09bb27535f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=2, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020200061900
	State = 0x47a7a29846a5bb36a3141a09bb27535f
	Message-Authenticator = 0xff7ec8eca5b28ca4c328ab0c59f3d41d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 127.0.0.2 port 46747
	EAP-Message = 0xb86c9bfedba48fc3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29845a4bb36a3141a09bb27535f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=3, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020300061900
	State = 0x47a7a29845a4bb36a3141a09bb27535f
	Message-Authenticator = 0xf178932508d31a8e7ee7dfa71734d78c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 127.0.0.2 port 46747
	EAP-Message = 0xd39cf8db89498fe9e450008d7c2878cb4af1b11760a30edaa8afeb4f361e8240a1a2f69a7d1faddd0ce9e5773774f6c4a08869fbb53c2dbca08fcad63ef5cfbe64dfb76705409a0db515962a719381e1e0a9526b9b6e30d95fd18674b3ea03c16cef14165c839e20a32d16a191916691c51510d120bfaccad741435a37c892f1724b1d4f63ce75b54485568540670567a8aa5a78675b23fd334d0095f64c02187c7653c797ed42ff581efc6f3144204fe74c8acc2c1a629a04851282285dc6acb0888ba747fa7a957f7a5d1277fd3c45229e15c10d5d5a3d5d16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29844a3bb36a3141a09bb27535f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=4, length=264
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020400901980000000861603010046100000424104a53cd65b9d4c9b62ba16fed564a7073a1d0940bc94df4f19bbc71f12dc25e4ab97dce539002a220a5b162f9ea6d731e9352c295fc6cc1dae070fee40e8716dbb140301000101160301003049714ea65b278e5ab8e12a1efc49b51c54a8bf71c73181f5d9ff7d4462eda3e94feecc34d12036061efd9523aea20cc2
	State = 0x47a7a29844a3bb36a3141a09bb27535f
	Message-Authenticator = 0x5d2cedfdfc76d9ddc3edefc72f5697db
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 127.0.0.2 port 46747
	EAP-Message = 0x0105004119001403010001011603010030ced84c9f8f7661ff4ba1aa6d2a12e97e81dd732a62986264024bcc2b3a59de6183284c44093187250018a1d60d2f668b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29843a2bb36a3141a09bb27535f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=5, length=126
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020500061900
	State = 0x47a7a29843a2bb36a3141a09bb27535f
	Message-Authenticator = 0x9390873444c6efd79f22cc756e0aca74
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 127.0.0.2 port 46747
	EAP-Message = 0x0106002b190017030100201ffd3457ccf3c8c3f7391b3b213ca493cb4f1d0fd56d65e1ae675eebc0bcd5e9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29842a1bb36a3141a09bb27535f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=6, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0206005019001703010020628e42e32a5eecb574db53436501efe8f62bfbf269019acf64874644c064a9131703010020993efe26ff0ae8e9b30d8aad412b28fb868621a64d7b73ac1678bce52eee6487
	State = 0x47a7a29842a1bb36a3141a09bb27535f
	Message-Authenticator = 0xee04c891296aec22b84cd3f09ddf0023
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - test
[peap] Got inner identity 'test'
[peap] Requesting SoH from client
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 127.0.0.2 port 46747
	EAP-Message = 0x0107003b1900170301003018479e6c86733c71a3964c56a1a4b70d68f87f73fe1eb759a4b5908edc0cc98a201d7064cb6c525efc5c9a8e1bc78fa0
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29841a0bb36a3141a09bb27535f
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=7, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x02070050190017030100209edbe10bbc7ebad0ac19675bdef35a9a57e54ab1cb9bb7c7075b9882b03c76db1703010020b1a41c440b3f247fb43bd456df9bf28b806df68a3e2ed76df2d514090c4b42e1
	State = 0x47a7a29841a0bb36a3141a09bb27535f
	Message-Authenticator = 0x734a84af43cdba5fcd136e6482be380f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR SOH RESPONSE
[peap] EAP type nak
[peap] SoH - client NAKed
[peap] Setting User-Name to test
[peap] Processing SoH request
	SoH-Supported = no
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
[peap] server soh-server {
# Executing section authorize from file /etc/freeradius/sites-enabled/soh
+group authorize {
++update config {
++} # update config = noop
+} # group authorize = noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
[peap] } # server soh-server
[peap] Got SoH reply
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x020700090174657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020700090174657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd7e55c2dd7ed46da256bf8042f7c4267
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x0108001e1a010800191004d013b4340898feb940894e75e41bca74657374
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd7e55c2dd7ed46da256bf8042f7c4267
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 127.0.0.2 port 46747
	EAP-Message = 0x0108003b190017030100308f813e433eda61a76b72a06a528cafe050a4dcf3846527db9c4ab9819ed216854cd7ed0d98c22c36ac54ef43939d5f62
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a29840afbb36a3141a09bb27535f
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=8, length=248
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x0208008019001703010020737188bad62e44d0d634a0741a3fbf2be5898be0c8d1282629e4e8f22d86221017030100504200e28c7bf4ae7994e38a2b2aa3c35bd802d5e05f9d5b665813bd20c49061371e980503f5ff25d059b51e111b751f45bda3d5fdafe87d20b1eb564a43d7b347a8f1627f7c6dcc3b48b1767e7f5aad85
	State = 0x47a7a29840afbb36a3141a09bb27535f
	Message-Authenticator = 0x4f0d7bce4c38e0e809eb09894f8bee27
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 128
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x0208003f1a0208003a31bf797748352ee9eba1ff4c7c721fd8820000000000000000a0bda344c23a528656263dc511689f77cc2809f6acdde5180074657374
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0xd7e55c2dd7ed46da256bf8042f7c4267
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: test
[mschap] Client is using MS-CHAPv2 for test, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success 
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd7e55c2dd6ec46da256bf8042f7c4267
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010900331a0308002e533d33323339443539333646393837454134384642353136344332344537373746303641434437454235
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xd7e55c2dd6ec46da256bf8042f7c4267
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 127.0.0.2 port 46747
	EAP-Message = 0x0109005b190017030100500353f8f7c812c78b8f0248ce22e1f9a232aa0d6d84a42b9491dc5999d119aa40d5ab5d4d4962193e84a824f754dfb25f6438a10795fb78b3b28982f271dfaf88d5bf982f2b74c3ed9db322fb2e113a02
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a2984faebb36a3141a09bb27535f
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=9, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x02090050190017030100202427cc3deb8133ce9e988163efd7fdfd95c7ca1abf8b5fc6cca6e6c6b7ada3e917030100201d6cf9ee3566285549d9fefcc44f4f96eaaf85451313e2db1871a7ad8379dced
	State = 0x47a7a2984faebb36a3141a09bb27535f
	Message-Authenticator = 0xb8d7d9b1340fba44b99222a17476f5b5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020900061a03
server  {
[peap] Setting User-Name to test
Sending tunneled request
	EAP-Message = 0x020900061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "test"
	State = 0xd7e55c2dd6ec46da256bf8042f7c4267
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	Chargeable-User-Identity = ""
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++update control {
++} # update control = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "test"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
++update control {
++} # update control = noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry test at line 61
++[files] = ok
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [test] (from client test port 0 cli 70-6F-6C-69-73-68 via TLS tunnel)
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+group post-auth {
++policy cui_postauth {
+++? if (FreeRadius-Proxied-To == 127.0.0.1)
? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> TRUE
+++if (FreeRadius-Proxied-To == 127.0.0.1) {
++++? if (outer.request:Chargeable-User-Identity)
? Evaluating (outer.request:Chargeable-User-Identity) -> TRUE
++++? if (outer.request:Chargeable-User-Identity) -> TRUE
++++if (outer.request:Chargeable-User-Identity) {
+++++update reply {
	expand: test%{User-Name} -> testtest
	expand: %{md5:test%{User-Name}} -> 05a671c66aefea124cc08b76ea6d30bb
+++++} # update reply = noop
++++} # if (outer.request:Chargeable-User-Identity) = noop
+++} # if (FreeRadius-Proxied-To == 127.0.0.1) = noop
+++ ... skipping else for request 9: Preceding "if" was taken
++} # policy cui_postauth = noop
++update outer.reply {
	expand: %{reply:Chargeable-User-Identity} -> 05a671c66aefea124cc08b76ea6d30bb
++} # update outer.reply = noop
+} # group post-auth = noop
} # server inner-tunnel
[peap] Got tunneled reply code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x03090004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test"
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 9 to 127.0.0.2 port 46747
	Chargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
	EAP-Message = 0x010a002b1900170301002062204f03a60637a99d252a241d7f3905e63d3285a853906eb95155fe9486e1ed
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x47a7a2984eadbb36a3141a09bb27535f
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.2 port 46747, id=10, length=200
	User-Name = "anonymous"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "70-6F-6C-69-73-68"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "check_radius"
	EAP-Message = 0x020a00501900170301002039fb116920fb3139a8cd97a0d24307ea4083e23dd0a74ed263ce72400080bbaf1703010020826cf4e6bd5e35794a7e151ed2810a457026d563b61c692ad5d4c2c5e891aceb
	State = 0x47a7a2984eadbb36a3141a09bb27535f
	Message-Authenticator = 0x5ea7b26d7593d52f3b153b0683089900
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++policy cui_authorize {
+++update request {
+++} # update request = noop
++} # policy cui_authorize = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "anonymous"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 80
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id)
? Evaluating (NAS-Port-Type == "Ethernet" ) -> FALSE
? Skipping (reply:EAP-Session-Id)
++? if (NAS-Port-Type == "Ethernet" && reply:EAP-Session-Id) -> FALSE
+} # group post-auth = noop
Sending Access-Accept of id 10 to 127.0.0.2 port 46747
	MS-MPPE-Recv-Key = 0x7c11a8f4ae35bf92ddb6df2e6606ea67079d67b55aa241a7dd0bc485077b884f
	MS-MPPE-Send-Key = 0x7713dc5356bb73cd722eeefa6dd73ff7e81d8db357d53d8b6ec84e1df4b574c9
	EAP-Message = 0x030a0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "anonymous"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +1
Cleaning up request 1 ID 1 with timestamp +1
Cleaning up request 2 ID 2 with timestamp +1
Cleaning up request 3 ID 3 with timestamp +1
Cleaning up request 4 ID 4 with timestamp +1
Cleaning up request 5 ID 5 with timestamp +1
Cleaning up request 6 ID 6 with timestamp +1
Cleaning up request 7 ID 7 with timestamp +1
Cleaning up request 8 ID 8 with timestamp +1
Cleaning up request 9 ID 9 with timestamp +1
Cleaning up request 10 ID 10 with timestamp +1
Ready to process requests.
-(snip)-

Best,
Kilian
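
Added example (not part of the original message and not FreeRADIUS code): a small Python check over FreeRADIUS 2.x debug output that lists which reply packets carry Chargeable-User-Identity, the question raised in this post. The function names are hypothetical, and SAMPLE is abridged from the log above.

```python
import re

# Header line printed in debug mode before each reply packet is dumped.
SEND_RE = re.compile(r"^Sending (?P<code>[\w-]+) of id (?P<id>\d+) to \S+ port \d+")
# Attribute lines of a packet dump are indented: "\tName = value".
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+) = (?P<value>.*)$")

def parse_replies(debug_text):
    """Return one dict per 'Sending <code> of id N' packet with its attributes."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m["code"], "id": int(m["id"]), "attrs": {}}
            replies.append(current)
            continue
        a = ATTR_RE.match(line) if current is not None else None
        if a:
            # A repeated attribute (e.g. split EAP-Message) keeps its last value.
            current["attrs"][a["name"]] = a["value"].strip('"')
        else:
            current = None  # any non-attribute line ends the packet dump
    return replies

def carriers(replies, attribute="Chargeable-User-Identity"):
    """(code, id) of every reply packet that carries `attribute`."""
    return [(r["code"], r["id"]) for r in replies if attribute in r["attrs"]]

def accepts_missing(replies, attribute="Chargeable-User-Identity"):
    """IDs of Access-Accept packets sent without `attribute`."""
    return [r["id"] for r in replies
            if r["code"] == "Access-Accept" and attribute not in r["attrs"]]

# Abridged from the log in this message; long hex attributes omitted.
SAMPLE = '''\
Sending Access-Challenge of id 9 to 127.0.0.2 port 46747
\tChargeable-User-Identity = "05a671c66aefea124cc08b76ea6d30bb"
\tState = 0x47a7a2984eadbb36a3141a09bb27535f
Finished request 9.
Login OK: [anonymous] (from client test port 0 cli 70-6F-6C-69-73-68)
Sending Access-Accept of id 10 to 127.0.0.2 port 46747
\tEAP-Message = 0x030a0004
\tUser-Name = "anonymous"
Finished request 10.
'''

if __name__ == "__main__":
    parsed = parse_replies(SAMPLE)
    print("carried in:", carriers(parsed), "missing from Accept ids:", accepts_missing(parsed))
```

On this log it reports the attribute in the Access-Challenge of id 9 only, and the Access-Accept of id 10 as lacking it.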


