Connection issues with Android Marshmallow
Tod A. Sandman
sandmant at rice.edu
Thu Oct 15 19:28:46 CEST 2015
Android users here who have upgraded to Marshmallow can no longer connect, even after I upgraded from freeradius-2.2.8 to freeradius-2.2.9. My server is RHEL6.4 with "OpenSSL 1.0.1e-fips 11 Feb 2013". We are using PEAP/EAP-MSCHAPv2.
From the radius server the connection seems to work fine. And our network guy says all looks fine from his view. For instance:
Oct 13 13:48:05 net3 radiusd[23302]: Login OK: [hm6] (from client wireless64a port 0 via TLS tunnel)
Oct 13 13:48:05 net3 radiusd[23302]: Login OK: [hm6] (from client wireless64a port 13 cli 14-1a-a3-93-54-21)
Time :2015-Oct-13, 13:48:05 CDT Severity :INFO Controller ID :10.64.76.100 Message :Client moved to associated state successfully.
But as a user described: No error message, it just hangs and times out. I'll get "Authenticating..." and "Scanning..." for a while then it will just say Disconnected.
I'm following https://code.google.com/p/android/issues/detail?id=188867 but am posting here in case ...
I've attached a radius debug session of the android connection (that is not working for a user) as well as one for a connection with the user's ipad, which is working for the same user. They look quite the same to me. I've also attached a few config files - let me know if more would be useful.
Thanks.
Tod Sandman
Sr. Systems Administrator
Middleware Development & Integration
Rice University
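
Added example, not part of the original post: a small Python decoder for the EAP-Message values printed in the attached debug output, run on values copied from that log, so that the packets of two sessions can be compared field by field. The function names are this example's own, and it handles only EAP packets carried in a single EAP-Message attribute.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# The client's ClientHello packet from the attached log, split by field.
CLIENT_HELLO = (
    "0x020300a819800000009e" "1603010099" "01000095" "0303"
    "99003f89ceb614e8779deaf18bf16ef575108a8f296a3b6987f73e7ef5a00c28"
    "00" "003c"
    "c02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c027"
    "00330067c007c011009d009c0035003d002f003c00050004000a00ff"
    "0100" "0030" "00170000"
    "000d001600140601060305010503040104030301030302010203"
    "000b00020100" "000a00080006001700180019"
)

# Lines copied from the attached debug output (one attribute per EAP packet).
PREFIX = "Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = "
SAMPLE_LOG = "\n".join(PREFIX + value for value in (
    "0x0201000801686d36",
    "0x010200060d20",
    "0x020200060319",
    "0x010300061920",
    CLIENT_HELLO,
))


def client_hello_versions(tls):
    """Return the record and ClientHello versions if tls starts with one."""
    # record: type(1) version(2) length(2); handshake: type(1) length(3) version(2)
    if len(tls) < 11 or tls[0] != 0x16 or tls[5] != 0x01:
        return {}
    record, hello = struct.unpack("!H", tls[1:3])[0], struct.unpack("!H", tls[9:11])[0]
    return {
        "record_version": TLS_VERSIONS.get(record, hex(record)),
        "client_hello_version": TLS_VERSIONS.get(hello, hex(hello)),
    }


def decode_eap(hexstr):
    """Decode one EAP packet given as a hex string with optional 0x prefix."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code not in (1, 2) or len(data) < 5:
        return info                      # Success/Failure carry no type field
    eap_type, body = data[4], data[5:]
    info["type"] = EAP_TYPES.get(eap_type, str(eap_type))
    if eap_type == 1:
        info["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 3:
        # Nak: the peer lists the EAP types it would accept instead.
        info["wants"] = [EAP_TYPES.get(t, str(t)) for t in body]
    elif eap_type in (13, 25) and body:
        flags, tls = body[0], body[1:]
        info["flags"] = [name for bit, name in
                         ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80:                 # L: 4-byte total TLS message length follows
            if len(tls) >= 4:
                info["tls_message_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if code == 2:                    # only the client sends a ClientHello
            info.update(client_hello_versions(tls))
    return info


def decode_log(text):
    """Decode every 'EAP-Message = 0x...' line found in debug output."""
    values = re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)\s*$", text, re.M)
    return [decode_eap(v) for v in values]


if __name__ == "__main__":
    for packet in decode_log(SAMPLE_LOG):
        print(packet)
```

Run against both attached sessions, the decoded fields (Nak request, Start flags, ClientHello version) can be diffed directly instead of comparing hex by eye.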
-------------- next part --------------
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=196, length=285
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x0201000801686d36
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xc56b144a4d423f22243806045d10c4a9
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 1 length 8
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP Identity
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type tls
Wed Oct 14 10:38:17 2015 : Debug: [tls] Requiring client certificate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Initiate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Start returned 1
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=196, length=0
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010200060d20
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd2bd5fe7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668982.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=197, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020200060319
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd2bd5fe7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xc91a03f12cddc0dff1efa1da4f2cad06
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 2 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP NAK
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP-NAK asked for EAP-Type/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type tls
Wed Oct 14 10:38:17 2015 : Debug: [tls] Initiate
Wed Oct 14 10:38:17 2015 : Debug: [tls] Start returned 1
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=197, length=0
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010300061920
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd3bc4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668983.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=200, length=463
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020300a819800000009e160301009901000095030399003f89ceb614e8779deaf18bf16ef575108a8f296a3b6987f73e7ef5a00c2800003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff0100003000170000000d001600140601060305010503040104030301030302010203000b00020100000a00080006001700180019
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd3bc4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x6b636a15a47267852eb5f1e66555b77d
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 3 length 168
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Length Included
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 11
Wed Oct 14 10:38:17 2015 : Debug: [peap] (other): before/accept initialization
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: before/accept initialization
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 read client hello A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write server hello A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write key exchange A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write server done A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=200, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x32a030a02e862c687474703a
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd0bb4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668986.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=203, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020400061900
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd0bb4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x11ee91de7b8e767c047be5d57bc04e2d
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 4 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=203, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010503fc19402f2f63726c2e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e63726c306f06082b0601050507010104633061303906082b06010505073002862d687474703a2f2f636572742e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e696e636f6d6d6f6e2e6f72673081ac0603551d110481a43081a1820f7261646975732e726963652e65647582186e65777261646975732d612e6e65742e726963652e65647582186e65777261646975732d622e6e65742e726963652e65647582157261646975732d612e6e
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0xe238aff57f856d0e
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd1ba4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668989.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=204, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020500061900
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd1ba4be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xb89ed1560360ceca46a5f123d4a29060
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 5 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=204, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010603fc194074049df62786c79b8fe7712a08f403024063247d40578f54e0547eb6134861f1dece0ebdb6fa4d98b2d90d8d79a6e0aacd0c919aa5dfab73bbca14785c4729a1cac5ba9fc7da60f7ffe77ff2d9daa12d0f4916a7d30092cf8a47d94df8d59566d374f98063004f4c84161fb3f5241fa14edee895d6b20b098b2c6bc75c2f8c63c999cb52b1627b7301627f636cd868a0ee6aa88d1f29f3d018acad0203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414484f5afa2f4a9a5ee050f36b7b55a5def5be345d300e0603551d0f0101ff0404030201
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0xca64ee826539459516ba41060098ba0c5661e4c6c68601cf66a9222902d63dcfc42a8d99defb09149e0ed1d5c6d781ddad24abac0705e21d68c370665fd300043a308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b3009060355040613
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x0253453114301206
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd6b94be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668990.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=205, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020600061900
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd6b94be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x0a6f66bdee6d622f214ead9c712c5483
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 6 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=205, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x0c7d10e0f13cd6eb
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd7b84be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668991.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=206, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020700061900
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd7b84be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xda646618af8946d718d40f1e65fc1c51
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 7 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=206, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010802a31900235117f28a47b4795ecfe8c241d8cb16a3fbb155ef7bc9fe89f4db168e1771802cbb8cc407db26e80f26a0d6f603d389871936a47ad44c832a1f434a0dce681e4776baedd455ff6ab46be0e18bd0fdc968d099cc7bf196177a0528bc3fb3421c5c7e0a6750ed98c25168379f2d6072df0e479af6b79986830f9df1d233c20646276bcdc8f76bc0646774db000102010095d70de564ac6321b6f2fa34a8f6f0f881a28278460a98729ee48fa262a9ff76ab6fd8848cadb811f5a88cd0516bb19c9dd1be35f0a0723231324e39ee74308f2d6f560558e2ca09c384f806c8734d88a31bcfe7a6e0ab051267772ba2504c865984645bad4b33
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x170c11a5694b7e11e6a965fc13ca2ff14f63a956fe5e63d9d5cc4c8e466a97afa8ed0a6000dce7b08a2a26c554a0f1c29b43cb79e36391138ce779f5d963eea55e15a9d40dd013508065d7c16439d753994353896fdfa07306b79f0b94ac90b73aaf0330f727d35a07b9157072a8b9afbebcfe218c70c1e045a9d4055304023b3ac96afdde3fc8d7abb202362c5922c736c7ea1b7e223caf630601010064fa03e822e949869f216967d54154e79350cbdd97b03baec66145e171347e7440efe4fe29c8ea3cb870eb3cd88dce15a6a33831e3e39e080be1f9c6ac4fd40fd7de1e9b18b36c25bce9826405cc779df170e3d9990845b83fc625cbf391f5c6
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0xe33e8fa52f7f0487095e0c9e7a8f72d25ae16df5a123349372db07aa3603f96aa8dd384d957bf99d28dc0b9de4ffd0f478faf8b89d1036c567a02d8562c1572ee7bbe117b7ebab5d7ba0a19294b83c3b85d684444410def483b6975ca3d3e5f9284961273ec26c6dd14462b2df7d787e413ccfd2abce7db78e67eac485a8c8b09faed036b20edcebe1179c15dd1622c00cb437ee43ba6d5aa911ff45625bb9c016030300040e000000
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd4b74be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8668992.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=225, length=625
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0xaebd84f2a507f3180f2a4f8a5e503fde2b95363debbb13b3140303000101160303002800000000000000003fa33a59a6eb8c323400781c7619aec325bc5284fb946ff309eeea8689967ca2
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd4b74be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xbdf4a4494cf41792229408a2738ddad6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 8 length 253
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Length Included
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 11
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 read client key exchange A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 read finished A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write change cipher spec A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 write finished A
Wed Oct 14 10:38:17 2015 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Oct 14 10:38:17 2015 : Debug: [peap] (other): SSL negotiation finished successfully
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=225, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x0109003919001403030001011603030028c0e818d89141685c9605de6806d749144022f7d80084d23e34d8159b1e814c240667437ed2e3fbe6
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd5b64be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669026.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=228, length=301
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020900061900
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd5b64be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xa9934d96f5b57462bb0b1574354a3b7e
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 9 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 10:38:17 2015 : Debug: [peap] ACK handshake is finished
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 3
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 3
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_SUCCESS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state TUNNEL ESTABLISHED
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=228, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010a00281900170303001dc0e818d89141685d75d7043b62873453b0c5841147101884fb408bee25
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbdab54be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669030.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=229, length=334
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020a00271900170303001c00000000000000012c03ad1a53ceeacb87e4e9937cd769fc8dc8284a
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbdab54be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x43702d53a1130c3122b86e3d13da6954
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 10 length 39
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state WAITING FOR INNER IDENTITY
Wed Oct 14 10:38:17 2015 : Debug: [peap] Identity - hm6
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got inner identity 'hm6'
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting default EAP type for tunneled EAP session.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 10 length 8
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669032: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP Identity
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=229, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010b003c19001703030031c0e818d89141685ed4756a4de2576f89af4ea3e1cd4457df7b2cb560c00f3b77469425c491748bcac703d3c88837dd9ac2
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbdbb44be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669032.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=231, length=388
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020b005d190017030300520000000000000002a97c835bae8374ab8d8bbfd91999adda230ae387595070be5defc2bc7c78c6c2867f3c5894838cb7ae576426364a1404bfcf0eec8ab3061275d3d9652f81d645d6140181a52d4d4e88b5
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbdbb44be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x3c44d9b222e5b9dcea129094c75d2680
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 11 length 93
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 11 length 62
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap3] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669034: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [mschapv2] # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: [mschapv2] +group MS-CHAP {
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Client is using MS-CHAPv2 for hm6, we need NT-Password
Wed Oct 14 10:38:17 2015 : Debug: [mschap] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{User-Name}}} -> --username=hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] No NT-Domain was found in the User-Name.
Wed Oct 14 10:38:17 2015 : Debug: [mschap] expand: --domain=%{mschap:NT-Domain:-ADRICE} -> --domain=
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 10:38:17 2015 : Debug: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c1b5930b981f7cb3
Wed Oct 14 10:38:17 2015 : Debug: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c5ff0b2ee1fc6f01d9bbad2d31f4c082811f86363ec9d645
Wed Oct 14 10:38:17 2015 : Debug: [mschap] Exec: program returned: 0
Wed Oct 14 10:38:17 2015 : Debug: [mschap] adding MS-CHAPv2 MPPE keys
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group MS-CHAP = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=231, length=0
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010c005219001703030047c0e818d89141685fe8d226ad69155044d09e7d795326f1242391d7e11fe25aed69840fb7d0fdd3557f6fadbff7f2735e2ab95a70948061a52d783352cf181dd1a66d5c394bc989
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd8b34be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669034.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=235, length=332
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020c00251900170303001a000000000000000373280432f973498aecaddcc6ca92bbba196f
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd8b34be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x5ee7a4da527d81a3902218a6bab37f9f
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 12 length 37
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[unix] = notfound
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update control {
Wed Oct 14 10:38:17 2015 : Debug: ++} # update control = noop
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 12 length 6
Wed Oct 14 10:38:17 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = updated
Wed Oct 14 10:38:17 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 10:38:17 2015 : Debug: ++[files] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] performing user authorization for hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for check items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] looking for reply items in directory...
Wed Oct 14 10:38:17 2015 : Debug: [ldap3] user hm6 authorized to use remote access
Wed Oct 14 10:38:17 2015 : Debug: +++[ldap3] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++ ... skipping elsif for request 8669041: Preceding "if" was taken
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 10:38:17 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 10:38:17 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 10:38:17 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++[perl] = updated
Wed Oct 14 10:38:17 2015 : Debug: ++update reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 10:38:17 2015 : Debug: ++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[expiration] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[logintime] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[pap] = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = updated
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 10:38:17 2015 : Debug: [eap] Freeing handler
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 10:38:17 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 10:38:17 2015 : Debug: +group post-auth {
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] expand: %t -> Wed Oct 14 10:38:17 2015
Wed Oct 14 10:38:17 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++update outer.reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: %{request:User-Name} -> hm6
Wed Oct 14 10:38:17 2015 : Debug: ++} # update outer.reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++? if (! reply:Cached-Session-Policy)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating !(reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (! reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (! reply:Cached-Session-Policy) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info} -> TPG=student,CI=student
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (! reply:Cached-Session-Policy) = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 10:38:17 2015 : Debug: [peap] Tunneled authentication was successful.
Wed Oct 14 10:38:17 2015 : Debug: [peap] SUCCESS
Wed Oct 14 10:38:17 2015 : Debug: [peap] Saving tunneled attributes for later
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = handled
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=235, length=0
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x010d002e19001703030023c0e818d8914168600522a03fe9268f7877bd85d4ec70f5a81c2f2e8c76993cab8b3c72
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd9b24be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669041.
Wed Oct 14 10:38:17 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=236, length=341
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 10:38:17 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 10:38:17 2015 : Debug: Calling-Station-Id = "14-1a-a3-93-54-21"
Wed Oct 14 10:38:17 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port = 13
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127ea43561e76e8"
Wed Oct 14 10:38:17 2015 : Debug: Acct-Session-Id = "561e76e8/14:1a:a3:93:54:21/10411163"
Wed Oct 14 10:38:17 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 10:38:17 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 10:38:17 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 10:38:17 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 10:38:17 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 10:38:17 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 10:38:17 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "355"
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x020d002e190017030300230000000000000004bba91b3a334d6a4076622f2294653030df6080f73dfbe7fbc28ded
Wed Oct 14 10:38:17 2015 : Debug: State = 0xd2bf52bbd9b24be7705f38cb236b93a9
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0xca71508c36a2309050ea8cb81f0b1095
Wed Oct 14 10:38:17 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authorize {
Wed Oct 14 10:38:17 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[chap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[mschap] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++[digest] = noop
Wed Oct 14 10:38:17 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 10:38:17 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 10:38:17 2015 : Debug: ++[suffix] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP packet type response id 13 length 46
Wed Oct 14 10:38:17 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authorize = ok
Wed Oct 14 10:38:17 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 10:38:17 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group authenticate {
Wed Oct 14 10:38:17 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 10:38:17 2015 : Debug: [eap] EAP/peap
Wed Oct 14 10:38:17 2015 : Debug: [eap] processing type peap
Wed Oct 14 10:38:17 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 10:38:17 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 10:38:17 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 10:38:17 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Peap state send tlv success
Wed Oct 14 10:38:17 2015 : Debug: [peap] Received EAP-TLV response.
Wed Oct 14 10:38:17 2015 : Debug: [peap] Success
Wed Oct 14 10:38:17 2015 : Debug: [peap] Using saved attributes from the original Access-Accept
Wed Oct 14 10:38:17 2015 : Debug: [peap] Saving response in the cache
Wed Oct 14 10:38:17 2015 : Debug: [eap] Freeing handler
Wed Oct 14 10:38:17 2015 : Debug: ++[eap] = ok
Wed Oct 14 10:38:17 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 10:38:17 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 10:38:17 2015 : Debug: +group post-auth {
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 10:38:17 2015 : Debug: [reply_log] expand: %t -> Wed Oct 14 10:38:17 2015
Wed Oct 14 10:38:17 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 10:38:17 2015 : Debug: ++[exec] = noop
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/)
Wed Oct 14 10:38:17 2015 : Debug: ? Evaluating (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 10:38:17 2015 : Debug: ++if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
Wed Oct 14 10:38:17 2015 : Debug: +++update reply {
Wed Oct 14 10:38:17 2015 : Debug: expand: %{1} -> student
Wed Oct 14 10:38:17 2015 : Debug: expand: %{2} -> student
Wed Oct 14 10:38:17 2015 : Debug: +++} # update reply = noop
Wed Oct 14 10:38:17 2015 : Debug: ++} # if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) = noop
Wed Oct 14 10:38:17 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 10:38:17 2015 : Debug: Sending Access-Accept packet to host 10.64.76.100 port 32770, id=236, length=0
Wed Oct 14 10:38:17 2015 : Debug: Connect-Info = "student"
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 10:38:17 2015 : Debug: Tunnel-Private-Group-Id:0 = "student"
Wed Oct 14 10:38:17 2015 : Debug: User-Name = "hm6"
Wed Oct 14 10:38:17 2015 : Debug: Cached-Session-Policy = "TPG=student,CI=student"
Wed Oct 14 10:38:17 2015 : Debug: MS-MPPE-Recv-Key = 0x44b548185372c8a886dcc1126f6223f71d6df51507c61a3ecc63d101fbb63151
Wed Oct 14 10:38:17 2015 : Debug: MS-MPPE-Send-Key = 0xfb088233dc414a36129de240105954054ef16417bfa5b5022ee01dde562c16e3
Wed Oct 14 10:38:17 2015 : Debug: EAP-MSK = 0x44b548185372c8a886dcc1126f6223f71d6df51507c61a3ecc63d101fbb63151fb088233dc414a36129de240105954054ef16417bfa5b5022ee01dde562c16e3
Wed Oct 14 10:38:17 2015 : Debug: EAP-EMSK = 0x54c09152b3e71253db345017c99e5c0141050fbfcf65edc514b76adbc471c9ad7f30272e7780368e5e6305e6071f031d72fe08ad43ebcf64e4e35b396e36de96
Wed Oct 14 10:38:17 2015 : Debug: EAP-Session-Id = 0x1999003f89ceb614e8779deaf18bf16ef575108a8f296a3b6987f73e7ef5a00c28561e76e95197ed406fd8149d26f490d27122bb9c77c5bab8154eeab3677a63a4
Wed Oct 14 10:38:17 2015 : Debug: EAP-Message = 0x030d0004
Wed Oct 14 10:38:17 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 10:38:17 2015 : Debug: Finished request 8669042.
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668982 ID 196 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668983 ID 197 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668986 ID 200 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668989 ID 203 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668990 ID 204 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668991 ID 205 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8668992 ID 206 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669026 ID 225 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669030 ID 228 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669032 ID 229 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669034 ID 231 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669041 ID 235 with timestamp +103464
Wed Oct 14 10:38:21 2015 : Debug: Cleaning up request 8669042 ID 236 with timestamp +103464
-------------- next part --------------
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=207, length=285
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x0201000801686d36
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xa29c55e08457085f2f34d996d5338aa0
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 1 length 8
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP Identity
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type tls
Wed Oct 14 11:06:35 2015 : Debug: [tls] Requiring client certificate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Initiate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Start returned 1
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=207, length=0
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010200060d20
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb73e2caa1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057415.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=209, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020200060319
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb73e2caa1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xc9cf5b1bc7fa1852acd956b6df896e82
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 2 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP NAK
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP-NAK asked for EAP-Type/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type tls
Wed Oct 14 11:06:35 2015 : Debug: [tls] Initiate
Wed Oct 14 11:06:35 2015 : Debug: [tls] Start returned 1
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=209, length=0
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010300061920
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb72e3dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057420.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=210, length=447
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x0203009819800000008e1603010089010000850301561e7d8ceb6b159381eb964528005513132c4b913cf9958ac64937c507e9774000004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb72e3dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x6496bde2f2c4fb94ed2a87f7fa69f30c
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 3 length 152
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Length Included
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 11
Wed Oct 14 11:06:35 2015 : Debug: [peap] (other): before/accept initialization
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: before/accept initialization
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 read client hello A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write server hello A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write key exchange A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write server done A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=210, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x32a030a02e862c687474703a
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb71e4dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057421.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=211, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020400061900
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb71e4dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xbe167059ca1392112fa2e7920c899151
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 4 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=211, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010503fc19402f2f63726c2e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e63726c306f06082b0601050507010104633061303906082b06010505073002862d687474703a2f2f636572742e696e636f6d6d6f6e2e6f72672f496e436f6d6d6f6e53657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e696e636f6d6d6f6e2e6f72673081ac0603551d110481a43081a1820f7261646975732e726963652e65647582186e65777261646975732d612e6e65742e726963652e65647582186e65777261646975732d622e6e65742e726963652e65647582157261646975732d612e6e
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0xe238aff57f856d0e
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb70e5dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057422.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=213, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020500061900
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb70e5dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x65b8bc2b9f221054fd434b23d071df41
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 5 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=213, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010603fc194074049df62786c79b8fe7712a08f403024063247d40578f54e0547eb6134861f1dece0ebdb6fa4d98b2d90d8d79a6e0aacd0c919aa5dfab73bbca14785c4729a1cac5ba9fc7da60f7ffe77ff2d9daa12d0f4916a7d30092cf8a47d94df8d59566d374f98063004f4c84161fb3f5241fa14edee895d6b20b098b2c6bc75c2f8c63c999cb52b1627b7301627f636cd868a0ee6aa88d1f29f3d018acad0203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414484f5afa2f4a9a5ee050f36b7b55a5def5be345d300e0603551d0f0101ff0404030201
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x0253453114301206
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb77e6dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057425.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=216, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020600061900
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb77e6dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xf5dd9a6b00f45e88a716beb498941a1d
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 6 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=216, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x0c7d10e0f13cd6eb
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb76e7dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057429.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=218, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020700061900
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb76e7dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x9b176e9332770f69134f7b7ed457ee15
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 7 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake fragment handler
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 1
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=218, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x4fd534b7852fcfd2ebb32b1339ad958705aec660590775119d368d39c688431f54104a5f41ed4224993f16b55467117386436b4dcb0856877d3e0065556b1507177b838947d27a555e0233ba7924d6d067f31113959dcaf97f23a621f1135054aa48aac08a7f4836c430300dd44aff813611bfa2a2543a10a57449cf52163ca3605aabc986a9c12e2950c834a4034b9d79532426f43e5a5a2cb63550e13416030100040e000000
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb75e8dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057431.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=242, length=633
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x0208015019800000014616030101061000010201003ce2e6ab8ba7bbcf40053c71323c7ad52028a669d8b35e005ffa84f08697d90cb999af9f4dd0f52de9545c9a2886232c3e41dce36eeb03d805afc68aaac576489303220338bd04c2f9d399fd368580eb69bd4d52fc3df96af24a051e6053cf1aab0509f03d998fe9f1b43babde319ebeb84edb7c02653882b3d30738064bafbc7bd295f50f2acd573653b6c5565b8f63b967ba8668934c2719357ba3759420228be55c5ae4ecaf4480b8bb1a4546a6e2007a5807a7c5c3bcc35f6257c0c15d2c7fe9c88b9c665464e2d6c515bdbe9dc62b0bc3b780df70e1b85197626cb55980bbefe8ccbf5bdd03
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0xff6ab6dd6c81aa7bfc67790725b45516722c18425a87887d1403010001011603010030e8711af27bcdabc15db30c320998bc420c326daf5df8f5acb78bcfc6ad7d068f51f42965f89795ca55b7505dcdcb5e23
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb75e8dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xe914b0a35421cf2417c0780f57544a19
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 8 length 253
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Length Included
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 11
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 read client key exchange A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 read finished A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write change cipher spec A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 write finished A
Wed Oct 14 11:06:35 2015 : Debug: [peap] TLS_accept: SSLv3 flush data
Wed Oct 14 11:06:35 2015 : Debug: [peap] (other): SSL negotiation finished successfully
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 13
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_HANDLED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=242, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x01090041190014030100010116030100307662a63f3c56e363ae0ba6c6cfc3bb228e30c9e53bdc89b160377579730b189dde7a410bace015576b769ffe1e6cfc5f
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb74e9dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057460.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=245, length=301
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020900061900
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb74e9dea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0xd34aeac8bcbf7eed7fac47d00972a9e6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 9 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received TLS ACK
Wed Oct 14 11:06:35 2015 : Debug: [peap] ACK handshake is finished
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 3
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 3
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_SUCCESS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state TUNNEL ESTABLISHED
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=245, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010a002b19001703010020ec9929c081653f2d761ea9fc99c531ac00f25f54024307c0b3d44ee320cabaed
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb7beadea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057464.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=246, length=338
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020a002b19001703010020ce55956ebf5b9b20c665c479712bd7520e8ea1beaf28d20983bab2da85fcc0a7
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb7beadea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x54e5615d85a4b330ce7437c0a33767b9
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 10 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state WAITING FOR INNER IDENTITY
Wed Oct 14 11:06:35 2015 : Debug: [peap] Identity - hm6
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got inner identity 'hm6'
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting default EAP type for tunneled EAP session.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 10 length 8
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057465: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP Identity
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=246, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010b003b1900170301003049d8728f2df8f7cc708214c08c1945ca8c14a7c6b8fdef8d35742122d5e14ca7e0464ddd319c24f09bf1e81b33d4fd0b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb7aebdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057465.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=248, length=386
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020b005b19001703010050e914c55f667f3fc177ef910567dd74dd7c6b3be9c954a26b8c82a1d982237052a2ab687f9baaf73cd44d1adde1bf238e0f41bc8c8d7d6b49c95a5eb168c61d45ee229da0613c2d77e08cff12f05fe0a1
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb7aebdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x4bec218eb833a573f94413c2d44f68cc
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 11 length 91
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 11 length 62
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap2] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap2] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057467: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [mschapv2] # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: [mschapv2] +group MS-CHAP {
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Client is using MS-CHAPv2 for hm6, we need NT-Password
Wed Oct 14 11:06:35 2015 : Debug: [mschap] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{mschap:User-Name}:-%{User-Name}}} -> --username=hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] No NT-Domain was found in the User-Name.
Wed Oct 14 11:06:35 2015 : Debug: [mschap] expand: --domain=%{mschap:NT-Domain:-ADRICE} -> --domain=
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Creating challenge hash with username: hm6
Wed Oct 14 11:06:35 2015 : Debug: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c6b6be6394fb80be
Wed Oct 14 11:06:35 2015 : Debug: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=c93bab6136a2420593d3dd328dbda3d5bf887ce07b3887bb
Wed Oct 14 11:06:35 2015 : Debug: [mschap] Exec: program returned: 0
Wed Oct 14 11:06:35 2015 : Debug: [mschap] adding MS-CHAPv2 MPPE keys
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group MS-CHAP = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: [peap] Got tunneled Access-Challenge
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=248, length=0
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010c005b190017030100500e527fefe8b2ef735b397f33660e0a46f0587eb4809f047fe575068e013b42bbcf7f18c2a2fe1c440d3380e4babf39811441fd5814761722b160bc0cd5851dcd1d8df9d87063c9d0ba38fc1f2ed2592d
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb79ecdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057467.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=255, length=338
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020c002b19001703010020ef40d3f6b32d3c0667bfbe62768fb20209c755b908c286191a3d9ec491646db5
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb79ecdea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x6ed39cb5049e3132b5ebdf02704a4102
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 12 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state phase2
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAP type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [peap] Setting User-Name to hm6
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = notfound
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update control {
Wed Oct 14 11:06:35 2015 : Debug: ++} # update control = noop
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 12 length 6
Wed Oct 14 11:06:35 2015 : Debug: [eap] No EAP Start, assuming it's an on-going EAP conversation
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = updated
Wed Oct 14 11:06:35 2015 : Debug: [files] users: Matched entry DEFAULT at line 92
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (control:Auth-Type == Kerberos) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++load-balance redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: ++redundant-load-balance group redundant_ldap {
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] performing user authorization for hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] expand: %{Stripped-User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=hm6)
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] expand: dc=rice,dc=edu -> dc=rice,dc=edu
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] checking if remote access for hm6 is allowed by riceClass
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] looking for check items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] looking for reply items in directory...
Wed Oct 14 11:06:35 2015 : Debug: [ldap1] user hm6 authorized to use remote access
Wed Oct 14 11:06:35 2015 : Debug: +++[ldap1] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++} # redundant-load-balance group redundant_ldap = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Connect-Info =~ /[a-z]* student/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Connect-Info =~ /[a-z]* student/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Connect-Info =~ /[a-z]* student/) = noop
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++ ... skipping elsif for request 9057483: Preceding "if" was taken
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff"))
Wed Oct 14 11:06:35 2015 : Debug: (Attribute Hint was not found)
Wed Oct 14 11:06:35 2015 : Debug: ?? Evaluating (Hint == "JOINstudent" ) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ?? Skipping (reply:Connect-Info == "staff")
Wed Oct 14 11:06:35 2015 : Debug: ++? if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++[perl] = updated
Wed Oct 14 11:06:35 2015 : Debug: ++update reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: %{reply:Tunnel-Private-Group-Id} -> student
Wed Oct 14 11:06:35 2015 : Debug: ++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[expiration] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[logintime] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[pap] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = updated
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type mschapv2
Wed Oct 14 11:06:35 2015 : Debug: [eap] Freeing handler
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/inner-tunnel
Wed Oct 14 11:06:35 2015 : Debug: +group post-auth {
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++update outer.reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: %{request:User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++} # update outer.reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++? if (! reply:Cached-Session-Policy)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating !(reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (! reply:Cached-Session-Policy) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (! reply:Cached-Session-Policy) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info} -> TPG=student,CI=student
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (! reply:Cached-Session-Policy) = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 11:06:35 2015 : Debug: [peap] Tunneled authentication was successful.
Wed Oct 14 11:06:35 2015 : Debug: [peap] SUCCESS
Wed Oct 14 11:06:35 2015 : Debug: [peap] Saving tunneled attributes for later
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = handled
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = handled
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Challenge packet to host 10.64.76.100 port 32770, id=255, length=0
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x010d002b19001703010020d68d7d314369e1b1dc19347c66be477be80485fabcfcc62f6e6e489eea754605
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb78eddea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057483.
Wed Oct 14 11:06:35 2015 : Debug: Received Access-Request packet from host 10.64.76.100 port 32770, id=0, length=338
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Chargeable-User-Identity = ""
Wed Oct 14 11:06:35 2015 : Debug: Location-Capable = Civix-Location
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "00-23-eb-2e-3d-f0:Rice Owls"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "mDNS=true"
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Service-Type = Framed-User
Wed Oct 14 11:06:35 2015 : Debug: Framed-MTU = 1300
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "345"
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x020d002b190017030100207fe9dd32300c88353767ed4bffbab3e279fa3258403e2f50d7e8a4a286124c91
Wed Oct 14 11:06:35 2015 : Debug: State = 0x73e0c7cb78eddea1ed6477b7b8d8584b
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x7f3735fa881fa91fe2550706f3825d88
Wed Oct 14 11:06:35 2015 : Debug: # Executing section authorize from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authorize {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[chap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[mschap] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++[digest] = noop
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Authentication realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm =~ /wlan.*gppnetwork\.org/) -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com")
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (Realm == "WiFi.sktelecom.com") -> FALSE
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP packet type response id 13 length 43
Wed Oct 14 11:06:35 2015 : Debug: [eap] Continuing tunnel setup.
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authorize = ok
Wed Oct 14 11:06:35 2015 : Debug: Found Auth-Type = EAP
Wed Oct 14 11:06:35 2015 : Debug: # Executing group from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group authenticate {
Wed Oct 14 11:06:35 2015 : Debug: [eap] Request found, released from the list
Wed Oct 14 11:06:35 2015 : Debug: [eap] EAP/peap
Wed Oct 14 11:06:35 2015 : Debug: [eap] processing type peap
Wed Oct 14 11:06:35 2015 : Debug: [peap] processing EAP-TLS
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_verify returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] Done initial handshake
Wed Oct 14 11:06:35 2015 : Debug: [peap] eaptls_process returned 7
Wed Oct 14 11:06:35 2015 : Debug: [peap] EAPTLS_OK
Wed Oct 14 11:06:35 2015 : Debug: [peap] Session established. Decoding tunneled attributes.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Peap state send tlv success
Wed Oct 14 11:06:35 2015 : Debug: [peap] Received EAP-TLV response.
Wed Oct 14 11:06:35 2015 : Debug: [peap] Success
Wed Oct 14 11:06:35 2015 : Debug: [peap] Using saved attributes from the original Access-Accept
Wed Oct 14 11:06:35 2015 : Debug: [peap] Saving response in the cache
Wed Oct 14 11:06:35 2015 : Debug: [eap] Freeing handler
Wed Oct 14 11:06:35 2015 : Debug: ++[eap] = ok
Wed Oct 14 11:06:35 2015 : Debug: +} # group authenticate = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section post-auth from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group post-auth {
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] /var/opt/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/reply-detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [reply_log] expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[reply_log] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[exec] = noop
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/)
Wed Oct 14 11:06:35 2015 : Debug: ? Evaluating (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++? if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) -> TRUE
Wed Oct 14 11:06:35 2015 : Debug: ++if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
Wed Oct 14 11:06:35 2015 : Debug: +++update reply {
Wed Oct 14 11:06:35 2015 : Debug: expand: %{1} -> student
Wed Oct 14 11:06:35 2015 : Debug: expand: %{2} -> student
Wed Oct 14 11:06:35 2015 : Debug: +++} # update reply = noop
Wed Oct 14 11:06:35 2015 : Debug: ++} # if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group post-auth = ok
Wed Oct 14 11:06:35 2015 : Debug: Sending Access-Accept packet to host 10.64.76.100 port 32770, id=0, length=0
Wed Oct 14 11:06:35 2015 : Debug: Connect-Info = "student"
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "student"
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: Cached-Session-Policy = "TPG=student,CI=student"
Wed Oct 14 11:06:35 2015 : Debug: MS-MPPE-Recv-Key = 0xd6fc61507727f965242767e2951fa31390772d22397eda27f20ad3eda77f17f0
Wed Oct 14 11:06:35 2015 : Debug: MS-MPPE-Send-Key = 0x0a3aeaa6bd45ca7c59120616d94d8bbbde1a3bd3584aa1c747317378d29f2abc
Wed Oct 14 11:06:35 2015 : Debug: EAP-MSK = 0xd6fc61507727f965242767e2951fa31390772d22397eda27f20ad3eda77f17f00a3aeaa6bd45ca7c59120616d94d8bbbde1a3bd3584aa1c747317378d29f2abc
Wed Oct 14 11:06:35 2015 : Debug: EAP-EMSK = 0xc871c16e062585ab146537669c11f929e0dc78daf334f1796eddebe6052822f0093f71095873686c05bb1612d3d76aa1cbbde9ddd33be02e428862a6e80ef16f
Wed Oct 14 11:06:35 2015 : Debug: EAP-Session-Id = 0x19561e7d8ceb6b159381eb964528005513132c4b913cf9958ac64937c507e97740561e7d8be4a39e0ba6cd482c0f70ec79000e3385cfbfb6217470e77130ee8d1e
Wed Oct 14 11:06:35 2015 : Debug: EAP-Message = 0x030d0004
Wed Oct 14 11:06:35 2015 : Debug: Message-Authenticator = 0x00000000000000000000000000000000
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057486.
Wed Oct 14 11:06:35 2015 : Debug: Received Accounting-Request packet from host 10.64.76.100 port 32770, id=131, length=281
Wed Oct 14 11:06:35 2015 : Debug: User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port = 13
Wed Oct 14 11:06:35 2015 : Debug: NAS-IP-Address = 10.64.76.100
Wed Oct 14 11:06:35 2015 : Debug: Framed-IP-Address = 10.116.79.74
Wed Oct 14 11:06:35 2015 : Debug: NAS-Identifier = "WiSM2-HA1-1"
Wed Oct 14 11:06:35 2015 : Debug: Airespace-Wlan-Id = 1
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428"
Wed Oct 14 11:06:35 2015 : Debug: NAS-Port-Type = Wireless-802.11
Wed Oct 14 11:06:35 2015 : Debug: Cisco-AVPair = "audit-session-id=0a404c640127a12a561e621e"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Authentic = RADIUS
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Type:0 = VLAN
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Medium-Type:0 = IEEE-802
Wed Oct 14 11:06:35 2015 : Debug: Tunnel-Private-Group-Id:0 = "343"
Wed Oct 14 11:06:35 2015 : Debug: Event-Timestamp = "Oct 14 2015 11:06:35 CDT"
Wed Oct 14 11:06:35 2015 : Debug: Acct-Status-Type = Interim-Update
Wed Oct 14 11:06:35 2015 : Debug: Acct-Input-Octets = 4472429
Wed Oct 14 11:06:35 2015 : Debug: Acct-Input-Gigawords = 0
Wed Oct 14 11:06:35 2015 : Debug: Acct-Output-Octets = 4299801
Wed Oct 14 11:06:35 2015 : Debug: Acct-Output-Gigawords = 0
Wed Oct 14 11:06:35 2015 : Debug: Acct-Input-Packets = 52431
Wed Oct 14 11:06:35 2015 : Debug: Acct-Output-Packets = 34784
Wed Oct 14 11:06:35 2015 : Debug: Acct-Session-Time = 7014
Wed Oct 14 11:06:35 2015 : Debug: Acct-Delay-Time = 0
Wed Oct 14 11:06:35 2015 : Debug: Calling-Station-Id = "14-99-e2-bf-24-70"
Wed Oct 14 11:06:35 2015 : Debug: Called-Station-Id = "6c-20-56-2c-20-80"
Wed Oct 14 11:06:35 2015 : Debug: # Executing section preacct from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group preacct {
Wed Oct 14 11:06:35 2015 : Debug: ++[preprocess] = ok
Wed Oct 14 11:06:35 2015 : Debug: [acct_unique] Hashing 'NAS-Port = 13,NAS-Identifier = "WiSM2-HA1-1",NAS-IP-Address = 10.64.76.100,Acct-Session-Id = "561e621e/14:99:e2:bf:24:70/10398428",User-Name = "hm6"'
Wed Oct 14 11:06:35 2015 : Debug: [acct_unique] Acct-Unique-Session-ID = "d8afff7ef8dc3708".
Wed Oct 14 11:06:35 2015 : Debug: ++[acct_unique] = ok
Wed Oct 14 11:06:35 2015 : Debug: [suffix] No '@' in User-Name = "hm6", looking up realm NULL
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Found realm "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Stripped-User-Name = "hm6"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Adding Realm = "NULL"
Wed Oct 14 11:06:35 2015 : Debug: [suffix] Accounting realm is LOCAL.
Wed Oct 14 11:06:35 2015 : Debug: ++[suffix] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[files] = noop
Wed Oct 14 11:06:35 2015 : Debug: +} # group preacct = ok
Wed Oct 14 11:06:35 2015 : Debug: # Executing section accounting from file /etc/opt/freeradius/sites-enabled/default
Wed Oct 14 11:06:35 2015 : Debug: +group accounting {
Wed Oct 14 11:06:35 2015 : Debug: [detail] expand: /var/opt/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/opt/freeradius/radacct/10.64.76.100/detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [detail] /var/opt/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/opt/freeradius/radacct/10.64.76.100/detail-20151014
Wed Oct 14 11:06:35 2015 : Debug: [detail] expand: %t -> Wed Oct 14 11:06:35 2015
Wed Oct 14 11:06:35 2015 : Debug: ++[detail] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[unix] = noop
Wed Oct 14 11:06:35 2015 : Debug: [radutmp] expand: /var/opt/freeradius/radutmp -> /var/opt/freeradius/radutmp
Wed Oct 14 11:06:35 2015 : Debug: [radutmp] expand: %{User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++[radutmp] = ok
Wed Oct 14 11:06:35 2015 : Debug: ++[exec] = noop
Wed Oct 14 11:06:35 2015 : Debug: [attr_filter.accounting_response] expand: %{User-Name} -> hm6
Wed Oct 14 11:06:35 2015 : Debug: ++[attr_filter.accounting_response] = updated
Wed Oct 14 11:06:35 2015 : Debug: +} # group accounting = updated
Wed Oct 14 11:06:35 2015 : Debug: Sending Accounting-Response packet to host 10.64.76.100 port 32770, id=131, length=0
Wed Oct 14 11:06:35 2015 : Debug: Finished request 9057490.
Wed Oct 14 11:06:36 2015 : Debug: Cleaning up request 9057490 ID 131 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057415 ID 207 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057420 ID 209 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057421 ID 210 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057422 ID 211 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057425 ID 213 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057429 ID 216 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057431 ID 218 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057460 ID 242 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057464 ID 245 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057465 ID 246 with timestamp +105162
Wed Oct 14 11:06:37 2015 : Debug: Cleaning up request 9057467 ID 248 with timestamp +105162
Wed Oct 14 11:06:38 2015 : Debug: Cleaning up request 9057483 ID 255 with timestamp +105162
Wed Oct 14 11:06:38 2015 : Debug: Cleaning up request 9057486 ID 0 with timestamp +105162
-------------- next part --------------
# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: 81a565ed4e970318914f4c7798215a04d9ca8c15 $
##
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".
######################################################################
#
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that "man" page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#
prefix = /usr/site/freeradius
exec_prefix = ${prefix}
sysconfdir = /etc/opt/freeradius
localstatedir = /var/opt/freeradius
sbindir = ${exec_prefix}/sbin
logdir = /var/opt/freeradius
raddbdir = /etc/opt/freeradius
radacctdir = ${logdir}/radacct
#
# name of the running server. See also the "-n" command-line option.
name = radiusd
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}
#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# You can also try setting the LD_LIBRARY_PATH environment variable
# in a script which starts the server.
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = ${exec_prefix}/lib
# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/${name}.pid
# chroot: directory where the server does "chroot".
#
# The chroot is done very early in the process of starting the server.
# After the chroot has been performed it switches to the "user" listed
# below (which MUST be specified). If "group" is specified, it switches
# to that group, too. Any other groups listed for the specified "user"
# in "/etc/group" are also added as part of this process.
#
# The current working directory (chdir / cd) is left *outside* of the
# chroot until all of the modules have been initialized. This allows
# the "raddb" directory to be left outside of the chroot. Once the
# modules have been initialized, it does a "chdir" to ${logdir}. This
# means that it should be impossible to break out of the chroot.
#
# If you are worried about security issues related to this use of chdir,
# then simply ensure that the "raddb" directory is inside of the chroot,
# and be sure to do "cd raddb" BEFORE starting the server.
#
# If the server is statically linked, then the only files that have
# to exist in the chroot are ${run_dir} and ${logdir}. If you do the
# "cd raddb" as discussed above, then the "raddb" directory has to be
# inside of the chroot directory, too.
#
#chroot = /path/to/chroot/directory
# user/group: The name (or #number) of the user/group to run radiusd as.
#
# If these are commented out, the server will run as the user/group
# that started it. In order to change to a different user/group, you
# MUST be root (or have root privileges) to start the server.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'radius'.
#
# NOTE that some kernels refuse to setgid(group) when the value of
# (unsigned)group is above 60000; don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in daemon mode, it may be
# that the debugging mode server is running as a user that can read the
# shadow info, and the user listed below can not.
#
# The server will also try to use "initgroups" to read /etc/groups.
# It will join all groups where "user" is a member. This can allow
# for some finer-grained access controls.
#
user = radius
group = radius
# panic_action: Command to execute if the server dies unexpectedly.
#
# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT.
# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS.
# AN INTERACTIVE ACTION MEANS THE SERVER WILL NOT RESTART.
#
# The panic action is a command which will be executed if the server
# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS,
# SIGABRT or SIGFPE.
#
# This can be used to start an interactive debugging session so
# that information regarding the current state of the server can
# be acquired.
#
# The following string substitutions are available:
# - %e The currently executing program e.g. /sbin/radiusd
# - %p The PID of the currently executing program e.g. 12345
#
# Standard ${} substitutions are also allowed.
#
# An example panic action for opening an interactive session in GDB would be:
#
#panic_action = "gdb %e %p"
#
# Again, don't use that on a production system.
#
# An example panic action for opening an automated session in GDB would be:
#
#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p > ${logdir}/gdb-%e-%p.log 2>&1"
#
# That command can be used on a production system.
#
# max_request_time: The maximum time (in seconds) to handle a request.
#
# Requests which take more time than this to process may be killed, and
# a REJECT message is returned.
#
# WARNING: If you notice that requests take a long time to be handled,
# then this MAY INDICATE a bug in the server, in one of the modules
# used to handle a request, OR in your local configuration.
#
# This problem is most often seen when using an SQL database. If it takes
# more than a second or two to receive an answer from the SQL database,
# then it probably means that you haven't indexed the database. See your
# SQL server documentation for more information.
#
# Useful range of values: 5 to 120
#
max_request_time = 30
# cleanup_delay: The time to wait (in seconds) before cleaning up
# a reply which was sent to the NAS.
#
# The RADIUS request is normally cached internally for a short period
# of time, after the reply is sent to the NAS. The reply packet may be
# lost in the network, and the NAS will not see it. The NAS will then
# re-send the request, and the server will respond quickly with the
# cached reply.
#
# If this value is set too low, then duplicate requests from the NAS
# MAY NOT be detected, and will instead be handled as separate requests.
#
# If this value is set too high, then the server will cache too many
# requests, and some new requests may get blocked. (See 'max_requests'.)
#
# Useful range of values: 2 to 10
#
cleanup_delay = 5
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by the number of clients.
# e.g. With 4 clients, this number should be 1024.
#
# If this number is too low, then when the server becomes busy,
# it will not respond to any new requests, until the 'cleanup_delay'
# time has passed, and it has removed the old requests.
#
# If this number is set too high, then the server will use a bit more
# memory for no real benefit.
#
# If you aren't sure what it should be set to, it's better to set it
# too high than too low. Setting it to 1000 per client is probably
# the highest it should be.
#
# Useful range of values: 256 to infinity
#
max_requests = 10240
# listen: Make the server listen on a particular IP address, and send
# replies out from that address. This directive is most useful for
# hosts with multiple IP addresses on one interface.
#
# If you want the server to listen on additional addresses, or on
# additional ports, you can use multiple "listen" sections.
#
# Each section makes the server listen for only one type of packet,
# therefore authentication and accounting have to be configured in
# different sections.
#
# The server ignores all "listen" sections if you are using '-i' and '-p'
# on the command line.
#
listen {
# Type of packets to listen for.
# Allowed values are:
# auth listen for authentication packets
# acct listen for accounting packets
# proxy IP to use for sending proxied packets
# detail Read from the detail file. For examples, see
# raddb/sites-available/copy-acct-to-home-server
# status listen for Status-Server packets. For examples,
# see raddb/sites-available/status
# coa listen for CoA-Request and Disconnect-Request
# packets. For examples, see the file
# raddb/sites-available/coa
#
type = auth
# Note: "type = proxy" lets you control the source IP used for
# proxying packets, with some limitations:
#
# * A proxy listener CANNOT be used in a virtual server section.
# * You should probably set "port = 0".
# * Any "clients" configuration will be ignored.
#
# See also proxy.conf, and the "src_ipaddr" configuration entry
# in the sample "home_server" section. When you specify the
# source IP address for packets sent to a home server, the
# proxy listeners are automatically created.
# IP address on which to listen.
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
# wildcard (*)
ipaddr = 10.137.93.19
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
# Port on which to listen.
# Allowed values are:
# integer port number (1812)
# 0 means "use /etc/services for the proper port"
port = 0
# Some systems support binding to an interface, in addition
# to the IP address. This feature isn't strictly necessary,
# but for sites with many IP addresses on one interface,
# it's useful to say "listen on all addresses for eth0".
#
# If your system does not support this feature, you will
# get an error if you try to use it.
#
# interface = eth0
# Per-socket lists of clients. This is a very useful feature.
#
# The name here is a reference to a section elsewhere in
# radiusd.conf, or clients.conf. Having the name as
# a reference allows multiple sockets to use the same
# set of clients.
#
# If this configuration is used, then the global list of clients
# is IGNORED for this "listen" section. Take care configuring
# this feature, to ensure you don't accidentally disable a
# client you need.
#
# See clients.conf for the configuration of "per_socket_clients".
#
# clients = per_socket_clients
}
# This second "listen" section is for listening on the accounting
# port, too.
#
listen {
ipaddr = 10.137.93.19
# ipv6addr = ::
port = 0
type = acct
# interface = eth0
# clients = per_socket_clients
}
# hostname_lookups: Log the names of clients or just their IP addresses
# e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
# The default is 'off' because it would be overall better for the net
# if people had to knowingly turn this feature on, since enabling it
# means that each client request will result in AT LEAST one lookup
# request to the nameserver. Enabling hostname_lookups will also
# mean that your server may stop randomly for 30 seconds from time
# to time, if the DNS requests take too long.
#
# Turning hostname lookups off also means that the server won't block
# for 30 seconds, if it sees an IP address which has no name associated
# with it.
#
# allowed values: {no, yes}
#
hostname_lookups = no
# Core dumps are a bad thing. This should only be set to 'yes'
# if you're debugging a problem with the server.
#
# allowed values: {no, yes}
#
allow_core_dumps = no
# Regular expressions
#
# These items are set at configure time. If they're set to "yes",
# then setting them to "no" turns off regular expression support.
#
# If they're set to "no" at configure time, then setting them to "yes"
# WILL NOT WORK. It will give you an error.
#
regular_expressions = yes
extended_expressions = yes
#
# Logging section. The various "log_*" configuration items
# will eventually be moved here.
#
log {
#
# Destination for log messages. This can be one of:
#
# files - log to "file", as defined below.
# syslog - to syslog (see also the "syslog_facility", below).
# stdout - standard output
# stderr - standard error.
#
# The command-line option "-X" over-rides this option, and forces
# logging to go to stdout.
#
destination = syslog
#
# The logging messages for the server are appended to the
# tail of this file if destination == "files"
#
# If the server is running in debugging mode, this file is
# NOT used.
#
file = ${logdir}/radius.log
#
# If this configuration parameter is set, then log messages for
# a *request* go to this file, rather than to radius.log.
#
# i.e. This is a log file per request, once the server has accepted
# the request as being from a valid client. Messages that are
# not associated with a request still go to radius.log.
#
# Not all log messages in the server core have been updated to use
# this new internal API. As a result, some messages will still
# go to radius.log. Please submit patches to fix this behavior.
#
# The file name is expanded dynamically. You should ONLY use
# server-side attributes for the filename (e.g. things you control).
# Using this feature MAY also slow down the server substantially,
# especially if you do things like SQL calls as part of the
# expansion of the filename.
#
# The name of the log file should use attributes that don't change
# over the lifetime of a request, such as User-Name,
# Virtual-Server or Packet-Src-IP-Address. Otherwise, the log
# messages will be distributed over multiple files.
#
# Logging can be enabled for an individual request by a special
# dynamic expansion macro: %{debug: 1}, where the debug level
# for this request is set to '1' (or 2, 3, etc.). e.g.
#
# ...
# update control {
# Tmp-String-0 = "%{debug:1}"
# }
# ...
#
# The attribute that the value is assigned to is unimportant,
# and should be a "throw-away" attribute with no side effects.
#
#requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log
#
# Which syslog facility to use, if ${destination} == "syslog"
#
# The exact values permitted here are OS-dependent. You probably
# don't want to change this.
#
syslog_facility = local6
# Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
stripped_names = no
# Log authentication requests to the log file.
#
# allowed values: {no, yes}
#
auth = yes
# Log passwords with the authentication requests.
# auth_badpass - logs password if it's rejected
# auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
#
auth_badpass = no
auth_goodpass = no
# Log additional text at the end of the "Login OK" messages.
# for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
# configurations above have to be set to "yes".
#
# The strings below are dynamically expanded, which means that
# you can put anything you want in them. However, note that
# this expansion can be slow, and can negatively impact server
# performance.
#
# msg_goodpass = ""
# msg_badpass = ""
}
# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad
# SECURITY CONFIGURATION
#
# There may be multiple methods of attacking the server. This
# section holds the configuration items which minimize the impact
# of those attacks
#
security {
#
# max_attributes: The maximum number of attributes
# permitted in a RADIUS packet. Packets which have MORE
# than this number of attributes in them will be dropped.
#
# If this number is set too low, then no RADIUS packets
# will be accepted.
#
# If this number is set too high, then an attacker may be
# able to send a small number of packets which will cause
# the server to use all available memory on the machine.
#
# Setting this number to 0 means "allow any number of attributes"
max_attributes = 200
#
# reject_delay: When sending an Access-Reject, it can be
# delayed for a few seconds. This may help slow down a DoS
# attack. It also helps to slow down people trying to brute-force
# crack a user's password.
#
# Setting this number to 0 means "send rejects immediately"
#
# If this number is set higher than 'cleanup_delay', then the
# rejects will be sent at 'cleanup_delay' time, when the request
# is deleted from the internal cache of requests.
#
# Useful ranges: 1 to 5
reject_delay = 1
#
# status_server: Whether or not the server will respond
# to Status-Server requests.
#
# When sent a Status-Server message, the server responds with
# an Access-Accept or Accounting-Response packet.
#
# This is mainly useful for administrators who want to "ping"
# the server, without adding test users, or creating fake
# accounting packets.
#
# It's also useful when a NAS marks a RADIUS server "dead".
# The NAS can periodically "ping" the server with a Status-Server
# packet. If the server responds, it must be alive, and the
# NAS can start using it for real requests.
#
# See also raddb/sites-available/status
#
status_server = yes
#
# allow_vulnerable_openssl: Allow the server to start with
# versions of OpenSSL known to have critical vulnerabilities.
#
# This check is based on the version number reported by libssl
# and may not reflect patches applied to libssl by
# distribution maintainers.
#
allow_vulnerable_openssl = no
}
# PROXY CONFIGURATION
#
# proxy_requests: Turns proxying of RADIUS requests on or off.
#
# The server has proxying turned on by default. If your system is NOT
# set up to proxy requests to another server, then you can turn proxying
# off here. This will save a small amount of resources on the server.
#
# If you have proxying turned off, and your configuration files say
# to proxy a request, then an error message will be logged.
#
# To disable proxying, change the "yes" to "no", and comment the
# $INCLUDE line.
#
# allowed values: {no, yes}
#
proxy_requests = yes
$INCLUDE proxy.conf
# CLIENTS CONFIGURATION
#
# Client configuration is defined in "clients.conf".
#
# The 'clients.conf' file contains all of the information from the old
# 'clients' and 'naslist' configuration files. We recommend that you
# do NOT use 'clients' or 'naslist', although they are still
# supported.
#
# Anything listed in 'clients.conf' will take precedence over the
# information from the old-style configuration files.
#
$INCLUDE clients.conf
# THREAD POOL CONFIGURATION
#
# The thread pool is a long-lived group of threads which
# take turns (round-robin) handling any incoming requests.
#
# You probably want to have a few spare threads around,
# so that high-load situations can be handled immediately. If you
# don't have any spare threads, then the request handling will
# be delayed while a new thread is created, and added to the pool.
#
# You probably don't want too many spare threads around,
# otherwise they'll be sitting there taking up resources, and
# not doing anything productive.
#
# The numbers given below should be adequate for most situations.
#
thread pool {
# Number of servers to start initially --- should be a reasonable
# ballpark figure.
start_servers = 16
# Limit on the total number of servers running.
#
# If this limit is ever reached, clients will be LOCKED OUT, so it
# should NOT BE SET TOO LOW. It is intended mainly as a brake to
# keep a runaway server from taking the system with it as it spirals
# down...
#
# You may find that the server is regularly reaching the
# 'max_servers' number of threads, and that increasing
# 'max_servers' doesn't seem to make much difference.
#
# If this is the case, then the problem is MOST LIKELY that
# your back-end databases are taking too long to respond, and
# are preventing the server from responding in a timely manner.
#
# The solution is NOT to keep increasing the 'max_servers'
# value, but instead to fix the underlying cause of the
# problem: slow database, or 'hostname_lookups=yes'.
#
# For more information, see 'max_request_time', above.
#
max_servers = 64
# Server-pool size regulation. Rather than making you guess
# how many servers you need, FreeRADIUS dynamically adapts to
# the load it sees, that is, it tries to maintain enough
# servers to handle the current load, plus a few spare
# servers to handle transient load spikes.
#
# It does this by periodically checking how many servers are
# waiting for a request. If there are fewer than
# min_spare_servers, it creates a new spare. If there are
# more than max_spare_servers, some of the spares die off.
# The default values are probably OK for most sites.
#
min_spare_servers = 3
max_spare_servers = 10
# When the server receives a packet, it places it onto an
# internal queue, where the worker threads (configured above)
# pick it up for processing. The maximum size of that queue
# is given here.
#
# When the queue is full, any new packets will be silently
# discarded.
#
# The most common cause of the queue being full is that the
# server is dependent on a slow database, and it has received
# a large "spike" of traffic. When that happens, there is
# very little you can do other than make sure the server
# receives less traffic, or make sure that the database can
# handle the load.
#
# max_queue_size = 65536
# There may be memory leaks or resource allocation problems with
# the server. If so, set this value to 300 or so, so that the
# resources will be cleaned up periodically.
#
# This should only be necessary if there are serious bugs in the
# server which have not yet been fixed.
#
# '0' is a special value meaning 'infinity', or 'the servers never
# exit'
max_requests_per_server = 0
}
# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
#
# Each module has a configuration as follows:
#
# name [ instance ] {
# config_item = value
# ...
# }
#
# The 'name' is used to load the 'rlm_name' library
# which implements the functionality of the module.
#
# The 'instance' is optional. To have two different instances
# of a module, it first must be referred to by 'name'.
# The different copies of the module are then created by
# inventing two 'instance' names, e.g. 'instance1' and 'instance2'
#
# The instance names can then be used in later configuration
# INSTEAD of the original 'name'. See the 'radutmp' configuration
# for an example.
#
#
# As of 2.0.5, most of the module configurations are in a
# sub-directory. Files matching the regex /[a-zA-Z0-9_.]+/
# are loaded. The modules are initialized ONLY if they are
# referenced in a processing section, such as authorize,
# authenticate, accounting, pre/post-proxy, etc.
#
$INCLUDE ${confdir}/modules/
# Extensible Authentication Protocol
#
# For all EAP related authentications.
# Now in another file, because it is very large.
#
$INCLUDE eap.conf
# Include another file that has the SQL-related configuration.
# This is another file only because it tends to be big.
#
# $INCLUDE sql.conf
#
# This module is an SQL enabled version of the counter module.
#
# Rather than maintaining separate (GDBM) databases of
# accounting info for each counter, this module uses the data
# stored in the radacct table by the sql modules. This
# module NEVER does any database INSERTs or UPDATEs. It is
# totally dependent on the SQL module to process Accounting
# packets.
#
# $INCLUDE sql/mysql/counter.conf
#
# IP addresses managed in an SQL table.
#
# $INCLUDE sqlippool.conf
}
# Instantiation
#
# This section orders the loading of the modules. Modules
# listed here will get loaded BEFORE the later sections like
# authorize, authenticate, etc. get examined.
#
# This section is not strictly needed. When a section like
# authorize refers to a module, it's automatically loaded and
# initialized. However, some modules may not be listed in any
# of the following sections, so they can be listed here.
#
# Also, listing modules here ensures that you have control over
# the order in which they are initialized. If one module needs
# something defined by another module, you can list them in order
# here, and ensure that the configuration will be OK.
#
instantiate {
#
# Allows the execution of external scripts.
# The entire command line (and output) must fit into 253 bytes.
#
# e.g. Framed-Pool = `%{exec:/bin/echo foo}`
exec
#
# The expression module doesn't do authorization,
# authentication, or accounting. It only does dynamic
# translation, of the form:
#
# Session-Timeout = `%{expr:2 + 3}`
#
# This module needs to be instantiated, but CANNOT be
# listed in any other section. See 'doc/rlm_expr' for
# more information.
#
# rlm_expr is also responsible for registering many
# other xlat functions such as md5, sha1 and lc.
#
# We do not recommend removing its listing here.
expr
#
# We add the counter module here so that it registers
# the check-name attribute before any module which sets
# it
# daily
expiration
logintime
# subsections here can be thought of as "virtual" modules.
#
# e.g. If you have two redundant SQL servers, and you want to
# use them in the authorize and accounting sections, you could
# place a "redundant" block in each section, containing the
# exact same text. Or, you could uncomment the following
# lines, and list "redundant_sql" in the authorize and
# accounting sections.
#
#redundant redundant_sql {
# sql1
# sql2
#}
}
######################################################################
#
# Policies that can be applied in multiple places are listed
# globally. That way, they can be defined once, and referred
# to multiple times.
#
######################################################################
$INCLUDE policy.conf
######################################################################
#
# Load virtual servers.
#
# This next $INCLUDE line loads files in the directory that
# match the regular expression: /[a-zA-Z0-9_.]+/
#
# It allows you to define new virtual servers simply by placing
# a file into the raddb/sites-enabled/ directory.
#
$INCLUDE sites-enabled/
######################################################################
#
# All of the other configuration sections like "authorize {}",
# "authenticate {}", "accounting {}", have been moved to
# the file:
#
# raddb/sites-available/default
#
# This is the "default" virtual server that has the same
# configuration as in version 1.0.x and 1.1.x. The default
# installation enables this virtual server. You should
# edit it to create policies for your local site.
#
# For more documentation on virtual servers, see:
#
# raddb/sites-available/README
#
######################################################################
-------------- next part --------------
######################################################################
#
# As of 2.0.0, FreeRADIUS supports virtual hosts using the
# "server" section, and configuration directives.
#
# Virtual hosts should be put into the "sites-available"
# directory. Soft links should be created in the "sites-enabled"
# directory to these files. This is done in a normal installation.
#
# If you are using 802.1X (EAP) authentication, please see also
# the "inner-tunnel" virtual server. You will likely have to edit
# that, too, for authentication to work.
#
# $Id: 099f7f05a679af0d5577e39671ee8ad1e5abf407 $
#
######################################################################
#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble. See also "man unlang", which documents the format
# of this file.
#
# This configuration is designed to work in the widest possible
# set of circumstances, with the widest possible number of
# authentication methods. This means that in general, you should
# need to make very few changes to this file.
#
# The best way to configure the server for your local system
# is to CAREFULLY edit this file. Most attempts to make large
# edits to this file will BREAK THE SERVER. Any edits should
# be small, and tested by running the server with "radiusd -X".
# Once the edits have been verified to work, save a copy of these
# configuration files somewhere. (e.g. as a "tar" file). Then,
# make more edits, and test, as above.
#
# There are many "commented out" references to modules such
# as ldap, sql, etc. These references serve as place-holders.
# If you need the functionality of that module, then configure
# it in radiusd.conf, and un-comment the references to it in
# this file. In most cases, those small changes will result
# in the server being able to connect to the DB, and to
# authenticate users.
#
######################################################################
#
# In 1.x, the "authorize", etc. sections were global in
# radiusd.conf. As of 2.0, they SHOULD be in a server section.
#
# The server section with no virtual server name is the "default"
# section. It is used when no server name is specified.
#
# We don't indent the rest of this file, because doing so
# would make it harder to read.
#
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# Any changes made here should also be made to the "inner-tunnel"
# virtual server.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
#
# Security settings. Take a User-Name, and do some simple
# checks on it, for spaces and other invalid characters. If
# it looks like the user is trying to play games, reject it.
#
# This should probably be enabled by default.
#
# See policy.conf for the definition of the filter_username policy.
#
# filter_username
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
preprocess
#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
## 09/16/2013 sandmant: EduRoam requires logging the inner ID.
## 09/26/2013 sandmant: hopefully not! Too much logging!
# auth_log
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest
#
# The WiMAX specification says that the Calling-Station-Id
# is 6 octets of the MAC. This definition conflicts with
# RFC 3580, and all common RADIUS practices. Un-commenting
# the "wimax" module here means that it will fix the
# Calling-Station-Id attribute to the normal format as
# specified in RFC 3580 Section 3.21
# wimax
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
suffix
## Bogus account login attempts are annoying when trying to debug
## the EduRoam proxy; reject them instead of proxying them over.
if (Realm =~ /wlan.*gppnetwork\.org/) {
reject
}
if (Realm == "WiFi.sktelecom.com") {
reject
}
# ntdomain
#
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
# authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# As of 2.0, the EAP module returns "ok" in the authorize stage
# for TTLS and PEAP. In 1.x, it never returned "ok" here, so
# this change is compatible with older configurations.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module in radiusd.conf.
#
unix
#
# Read the 'users' file
files
## For Kerberos, we must strip off @rice.edu if present.
if (control:Auth-Type == Kerberos) {
update request {
User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
}
}
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'smbpasswd' module.
# smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
expiration
logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
#
# If "status_server = yes", then Status-Server messages are passed
# through the following section, and ONLY the following section.
# This permits you to do DB queries, for example. If the modules
# listed here return "fail", then NO response is sent.
#
# Autz-Type Status-Server {
#
# }
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reasons to set the Auth-Type attribute by hand
# are to either forcibly reject the user (Auth-Type := Reject),
# or to forcibly accept the user (Auth-Type := Accept).
#
# Note that Auth-Type := Accept will NOT work with EAP.
#
# Please do not put "unlang" configurations into the "authenticate"
# section. Put them in the "post-auth" section instead. That's what
# the post-auth section is for.
#
authenticate {
Auth-Type Kerberos {
krb5
}
Auth-Type MOTP {
otpverify
}
Auth-Type NTLM {
ntlm_auth
}
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authorize' section.
digest
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the user's password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# For normal "crypt" authentication, the "pap" module should
# be used instead of the "unix" module. The "unix" module should
# be used for authentication ONLY for compatibility with legacy
# FreeRADIUS configurations.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
#
# Allow EAP authentication.
eap
#
# The older configurations sent a number of attributes in
# Access-Challenge packets, which wasn't strictly correct.
# If you want to filter out these attributes, uncomment
# the following lines.
#
# Auth-Type eap {
# eap {
# handled = 1
# }
# if (handled && (Response-Packet-Type == Access-Challenge)) {
# attr_filter.access_challenge.post-auth
# handled # override the "updated" code from attr_filter
# }
# }
}
#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
preprocess
#
# Session start times are *implied* in RADIUS.
# The NAS never sends a "start time". Instead, it sends
# a start packet, *possibly* with an Acct-Delay-Time.
# The server is supposed to conclude that the start time
# was "Acct-Delay-Time" seconds in the past.
#
# The code below creates an explicit start time, which can
# then be used in other modules.
#
# The start time is: NOW - delay - session_length
#
# update request {
# FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
# }
#
# Ensure that we have a semi-unique identifier for every
# request, and many NAS boxes are broken.
acct_unique
#
# Look for IPASS-style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
#
# Accounting requests are generally proxied to the same
# home server as authentication requests.
# IPASS
suffix
# ntdomain
#
# Read the 'acct_users' file
files
}
#
# Accounting. Log the accounting data.
#
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
# daily
# Update the wtmp file
#
# If you don't use "radlast", you can delete this line.
unix
#
# For Simultaneous-Use tracking.
#
# Due to packet losses in the network, the data here
# may be incorrect. There is little we can do about it.
radutmp
# sradutmp
# Return an address to the IP Pool when we see a stop record.
# main_pool
#
# Log traffic to an SQL database.
#
# See "Accounting queries" in sql.conf
# sql
#
# If you receive stop packets with zero session length,
# they will NOT be logged in the database. The SQL module
# will print a message (only in debugging mode), and will
# return "noop".
#
# You can ignore these packets by uncommenting the following
# three lines. Otherwise, the server will not respond to the
# accounting request, and the NAS will retransmit.
#
# if (noop) {
# ok
# }
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
# Cisco VoIP specific bulk accounting
# pgsql-voip
# For Exec-Program and Exec-Program-Wait
exec
# Filter attributes from the accounting response.
attr_filter.accounting_response
#
# See "Autz-Type Status-Server" for how this works.
#
# Acct-Type Status-Server {
#
# }
}
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Get an address from the IP Pool.
# main_pool
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
# For Exec-Program and Exec-Program-Wait
exec
#
# Calculate the various WiMAX keys. In order for this to work,
# you will need to define the WiMAX NAI, usually via
#
# update request {
# WiMAX-MN-NAI = "%{User-Name}"
# }
#
# If you want various keys to be calculated, you will need to
# update the reply with "template" values. The module will see
# this, and replace the template values with the correct ones
# taken from the cryptographic calculations. e.g.
#
# update reply {
# WiMAX-FA-RK-Key = 0x00
# WiMAX-MSK = "%{EAP-MSK}"
# }
#
# You may want to delete the MS-MPPE-*-Keys from the reply,
# as some WiMAX clients behave badly when those attributes
# are included. See "raddb/modules/wimax", configuration
# entry "delete_mppe_keys" for more information.
#
# wimax
# If there is a client certificate (EAP-TLS, sometimes PEAP
# and TTLS), then some attributes are filled out after the
# certificate verification has been performed. These fields
# MAY be available during the authentication, or they may be
# available only in the "post-auth" section.
#
# The first set of attributes contains information about the
# issuing certificate which is being used. The second
# contains information about the client certificate (if
# available).
#
# update reply {
# Reply-Message += "%{TLS-Cert-Serial}"
# Reply-Message += "%{TLS-Cert-Expiration}"
# Reply-Message += "%{TLS-Cert-Subject}"
# Reply-Message += "%{TLS-Cert-Issuer}"
# Reply-Message += "%{TLS-Cert-Common-Name}"
# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
# Reply-Message += "%{TLS-Client-Cert-Serial}"
# Reply-Message += "%{TLS-Client-Cert-Expiration}"
# Reply-Message += "%{TLS-Client-Cert-Subject}"
# Reply-Message += "%{TLS-Client-Cert-Issuer}"
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"
# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
# MacSEC requires the use of EAP-Key-Name. However, we don't
# want to send it for all EAP sessions. Therefore, the EAP
# modules put required data into the EAP-Session-Id attribute.
# This attribute is never put into a request or reply packet.
#
# Uncomment the next few lines to copy the required data into
# the EAP-Key-Name attribute
# if (reply:EAP-Session-Id) {
# update reply {
# EAP-Key-Name := "%{reply:EAP-Session-Id}"
# }
# }
# If the WiMAX module did its work, you may want to do more
# things here, like delete the MS-MPPE-*-Key attributes.
#
# if (updated) {
# update reply {
# MS-MPPE-Recv-Key !* 0x00
# MS-MPPE-Send-Key !* 0x00
# }
# }
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
# sql
# Insert EAP-Failure message if the request was
# rejected by policy instead of because of an
# authentication failure
eap
attr_filter.access_reject
}
if (reply:Cached-Session-Policy =~ /TPG=(.+),CI=(.+)/) {
update reply {
Tunnel-Private-Group-Id = "%{1}"
Connect-Info = "%{2}"
}
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }
}
-------------- next part --------------
# -*- text -*-
######################################################################
#
# This is a virtual server that handles *only* inner tunnel
# requests for EAP-TTLS and PEAP types.
#
# $Id: bb0b93bc9cc9ade4e78725ea113d6f228937fef7 $
#
######################################################################
server inner-tunnel {
#
# This next section is here to allow testing of the "inner-tunnel"
# authentication methods, independently from the "default" server.
# It is listening on "localhost", so that it can only be used from
# the same machine.
#
# $ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If it works, you have configured the inner tunnel correctly. To check
# if PEAP will work, use:
#
# $ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
# If that works, PEAP should work. If that command doesn't work, then
#
# FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
# Do NOT do any PEAP tests. It won't help. Instead, concentrate
# on fixing the inner tunnel configuration. DO NOTHING ELSE.
#
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
# Authorization. First preprocess (hints and huntgroups files),
# then realms, and finally look in the "users" file.
#
# The order of the realm modules will determine the order that
# we try to find a matching realm.
#
# Make *sure* that 'preprocess' comes before any realm if you
# need to setup hints for the remote radius server
authorize {
preprocess
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow directly, see the
# passwd module, above.
#
unix
#
# Look for IPASS style 'realm/', and if not found, look for
# '@realm', and decide whether or not to proxy, based on
# that.
# IPASS
#
# If you are using multiple kinds of realms, you probably
# want to set "ignore_null = yes" for all of them.
# Otherwise, when the first style of realm doesn't match,
# the other styles won't be checked.
#
# Note that proxying the inner tunnel authentication means
# that the user MAY use one identity in the outer session
# (e.g. "anonymous"), and a different one here
# (e.g. "user@example.com"). The inner session will then be
# proxied elsewhere for authentication. If you are not
# careful, this means that the user can cause you to forward
# the authentication to another RADIUS server, and have the
# accounting logs *not* sent to the other server. This makes
# it difficult to bill people for their network activity.
#
suffix
# ntdomain
#
# The "suffix" module takes care of stripping the domain
# (e.g. "@example.com") from the User-Name attribute, and the
# next few lines ensure that the request is not proxied.
#
# If you want the inner tunnel request to be proxied, delete
# the next few lines.
#
update control {
Proxy-To-Realm := LOCAL
}
#
# This module takes care of EAP-MSCHAPv2 authentication.
#
# It also sets the EAP-Type attribute in the request
# attribute list to the EAP type from the packet.
#
# The example below uses module failover to avoid querying all
# of the following modules if the EAP module returns "ok".
# Therefore, your LDAP and/or SQL servers will not be queried
# for the many packets that go back and forth to set up TTLS
# or PEAP. The load on those servers will therefore be reduced.
#
eap {
ok = return
}
#
# Read the 'users' file
files
## For Kerberos, we must strip off @rice.edu if present.
if (control:Auth-Type == Kerberos) {
update request {
User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
}
}
#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
# sql
#
# If you are using /etc/smbpasswd, and are also doing
# mschap authentication, then un-comment this line, and
# configure the 'etc_smbpasswd' module, above.
# etc_smbpasswd
#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
# ldap
redundant-load-balance redundant_ldap {
ldap1
ldap2
ldap3
#ldap4
#directory
}
## Tweak the Class and Connect-Info attributes a bit:
if (reply:Connect-Info =~ /[a-z]* student/) {
update reply {
Connect-Info := "student"
}
}
elsif (reply:Connect-Info == "faculty") {
update reply {
Connect-Info := "staff"
}
}
elsif (reply:Connect-Info =~ /emeritus/) {
update reply {
Connect-Info := "staff"
}
}
elsif (reply:Connect-Info =~ /guest_/) {
update reply {
Connect-Info := "guest"
}
}
if ((Hint == "JOINstudent" ) && (reply:Connect-Info == "staff")) {
update reply {
Connect-Info := "student"
}
if (control:Auth-Type == Kerberos) {
update request {
User-Name := "%{%{Stripped-User-Name}:-%{User-Name}}"
}
}
}
perl
update reply {
Tunnel-Private-Group-Id := "%{reply:Tunnel-Private-Group-Id}"
}
#
# Enforce daily limits on time spent logged in.
# daily
#
# Use the checkval module
# checkval
expiration
logintime
#
# If no other module has claimed responsibility for
# authentication, then try to use PAP. This allows the
# other modules listed above to add a "known good" password
# to the request, and to do nothing else. The PAP module
# will then see that password, and use it to do PAP
# authentication.
#
# This module should be listed last, so that the other modules
# get a chance to set Auth-Type for themselves.
#
pap
}
# Authentication.
#
#
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
# attribute 'Auth-Type := FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#
# In general, you SHOULD NOT set the Auth-Type attribute. The server
# will figure it out on its own, and will do the right thing. The
# most common side effect of erroneously setting the Auth-Type
# attribute is that one authentication method will work, but the
# others will not.
#
# The common reason to set the Auth-Type attribute by hand
# is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}
#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}
#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}
#
# Pluggable Authentication Modules.
# pam
#
# See 'man getpwent' for information on how the 'unix'
# module checks the user's password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
unix
# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.
# Auth-Type LDAP {
# ldap
# }
Auth-Type Kerberos {
krb5
}
Auth-Type MOTP {
otpverify
}
Auth-Type NTLM {
ntlm_auth
}
#
# Allow EAP authentication.
eap
}
######################################################################
#
# There are no accounting requests inside of EAP-TTLS or PEAP
# tunnels.
#
######################################################################
# Session database, used for checking Simultaneous-Use. Either the radutmp
# or rlm_sql module can handle this.
# The rlm_sql module is *much* faster
session {
radutmp
#
# See "Simultaneous Use Checking Queries" in sql.conf
# sql
}
# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
# Note that we do NOT assign IP addresses here.
# If you try to assign IP addresses for EAP authentication types,
# it WILL NOT WORK. You MUST use DHCP.
#
# If you want to have a log of authentication replies,
# un-comment the following line, and the 'detail reply_log'
# section, above.
reply_log
#
# After authenticating the user, do another SQL query.
#
# See "Authentication Logging Queries" in sql.conf
# sql
#
# Instead of sending the query to the SQL server,
# write it into a log file.
#
# sql_log
#
# Un-comment the following if you have set
# 'edir_account_policy_check = yes' in the ldap module sub-section of
# the 'modules' section.
#
# ldap
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
#
# Add the ldap module name (or instance) if you have set
# 'edir_account_policy_check = yes' in the ldap module configuration
#
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
# sql
attr_filter.access_reject
}
#
# The example policy below updates the outer tunnel reply
# (usually Access-Accept) with the User-Name from the inner
# tunnel User-Name. Since this section is processed in the
# context of the inner tunnel, "request" here means "inner
# tunnel request", and "outer.reply" means "outer tunnel
# reply attributes".
#
# This example is most useful when the outer session contains
# a User-Name of "anonymous@....", or a MAC address. If it
# is enabled, the NAS SHOULD use the inner tunnel User-Name
# in subsequent accounting packets. This makes it easier to
# track user sessions, as they will all be based on the real
# name, and not on "anonymous".
#
# The problem with doing this is that it ALSO exposes the
# real user name to any intermediate proxies. People use
# "anonymous" identifiers outside of the tunnel for a very
# good reason: it gives them more privacy. Setting the reply
# to contain the real user name removes ALL privacy from
# their session.
#
# If you want privacy to remain, see the
# Chargeable-User-Identity attribute from RFC 4372. In order
# to use that attribute, you will have to allocate a
# per-session identifier for the user, and store it in a
# long-term database (e.g. SQL). You should also use that
# attribute INSTEAD of the configuration below.
#
update outer.reply {
User-Name = "%{request:User-Name}"
}
if (! reply:Cached-Session-Policy) {
## If I update the outer.reply instead of reply here, ttls_pap works, but PEAP
## does not: in outer tunnel get: Attribute reply:Cached-Session-Policy was not found
update reply {
Cached-Session-Policy := "TPG=%{reply:Tunnel-Private-Group-Id},CI=%{reply:Connect-Info}"
}
}
}
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide to
# cancel the proxy.
#
# Only a few modules currently have this method.
#
pre-proxy {
# attr_rewrite
# Uncomment the following line if you want to change attributes
# as defined in the preproxy_users file.
# files
# Uncomment the following line if you want to filter requests
# sent to remote servers based on the rules defined in the
# 'attrs.pre-proxy' file.
# attr_filter.pre-proxy
# If you want to have a log of packets proxied to a home
# server, un-comment the following line, and the
# 'detail pre_proxy_log' section, above.
# pre_proxy_log
}
#
# When the server receives a reply to a request it proxied
# to a home server, the request may be massaged here, in the
# post-proxy stage.
#
post-proxy {
# If you want to have a log of replies from a home server,
# un-comment the following line, and the 'detail post_proxy_log'
# section, above.
# post_proxy_log
# attr_rewrite
# Uncomment the following line if you want to filter replies from
# remote proxies based on the rules defined in the 'attrs' file.
# attr_filter.post-proxy
#
# If you are proxying LEAP, you MUST configure the EAP
# module, and you MUST list it here, in the post-proxy
# stage.
#
# You MUST also use the 'nostrip' option in the 'realm'
# configuration. Otherwise, the User-Name attribute
# in the proxied request will not match the user name
# hidden inside of the EAP packet, and the end server will
# reject the EAP request.
#
eap
#
# If the server tries to proxy a request and fails, then the
# request is processed through the modules in this section.
#
# The main use of this section is to permit robust proxying
# of accounting packets. The server can be configured to
# proxy accounting packets as part of normal processing.
# Then, if the home server goes down, accounting packets can
# be logged to a local "detail" file, for processing with
# radrelay. When the home server comes back up, radrelay
# will read the detail file, and send the packets to the
# home server.
#
# With this configuration, the server always responds to
# Accounting-Requests from the NAS, but only writes
# accounting packets to disk if the home server is down.
#
# Post-Proxy-Type Fail {
# detail
# }
}
} # inner-tunnel server block
-------------- next part --------------
# -*- text -*-
##
## eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
## $Id: ac93fd22252126325c474cb59ac013a57644d12e $
#######################################################################
#
# Whatever you do, do NOT set 'Auth-Type := EAP'. The server
# is smart enough to figure this out on its own. The most
# common side effect of setting 'Auth-Type := EAP' is that the
# users then cannot use ANY other authentication method.
#
# EAP types NOT listed here may be supported via the "eap2" module.
# See experimental.conf for documentation.
#
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify which EAP
# type they will be using, so it MUST be set here.
#
# For now, only one default EAP type may be used at a time.
#
# If the EAP-Type attribute is set by another module,
# then that EAP type takes precedence over the
# default type configured here.
#
default_eap_type = tls
# A list is maintained to correlate EAP-Response
# packets with EAP-Request packets. After a
# configurable length of time, entries in the list
# expire, and are deleted.
#
timer_expire = 120
# There are many EAP types, but the server has support
# for only a limited subset. If the server receives
# a request for an EAP type it does not support, then
# it normally rejects the request. By setting this
# configuration to "yes", you can tell the server to
# instead keep processing the request. Another module
# MUST then be configured to proxy the request to
# another RADIUS server which supports that EAP type.
#
# If another module is NOT configured to handle the
# request, then the request will still end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a bug. When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no
#
# Help prevent DoS attacks by limiting the number of
# sessions that the server is tracking. For simplicity,
# this is taken from the "max_requests" directive in
# radiusd.conf.
max_sessions = ${max_requests}
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5 authentication
# for wireless connections. It is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform its authentication.
#
# As a result, LEAP *requires* access to the plain-text
# User-Password, or the NT-Password attributes.
# 'System' authentication is impossible with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges" the user with
# text, and the response from the user is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session is a bad idea,
# the user's password will go over the wire in plain-text,
# for anyone to see.
#
gtc {
# The default challenge, which many clients
# ignore..
#challenge = "Password: "
# The plain-text response which comes back
# is put into a User-Password attribute,
# and passed to another module for
# authentication. This allows the EAP-GTC
# response to be checked against plain-text,
# or crypt'd passwords.
#
# If you say "Local" instead of "PAP", then
# the module will look for a User-Password
# configured for the request, and do the
# authentication itself.
#
auth_type = PAP
}
## EAP-TLS
#
# See raddb/certs/README for additional comments
# on certificates.
#
# If OpenSSL was not found at the time the server was
# built, the "tls", "ttls", and "peap" sections will
# be ignored.
#
# Otherwise, when the server first starts in debugging
# mode, test certificates will be created. See the
# "make_cert_command" below for details, and the README
# file in raddb/certs
#
# These test certificates SHOULD NOT be used in a normal
# deployment. They are created only to make it easier
# to install the server, and to perform some simple
# tests with EAP-TLS, TTLS, or PEAP.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
# Note that you should NOT use a globally known CA here!
# e.g. using a Verisign cert as a "known CA" means that
# ANYONE who has a certificate signed by them can
# authenticate via EAP-TLS! This is likely not what you want.
tls {
#
# These are used to simplify later configurations.
#
certdir = ${confdir}/certs
cadir = ${confdir}/certs
# private_key_password = whatever
private_key_file = ${certdir}/radius_rice_edu.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/radius_rice_edu.crt
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
CA_file = ${cadir}/radius_rice_edu_ca.crt
#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh
#
# If your system doesn't have /dev/urandom,
# you will need to create this file, and
# periodically change its contents.
#
# For security reasons, FreeRADIUS doesn't
# write to files in its configuration
# directory.
#
# random_file = ${certdir}/random
#
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
#
# fragment_size = 1024
# include_length is a flag which is
# by default set to yes. If set to
# yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# include_length = yes
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
# 3) uncomment the lines below.
# 4) Restart radiusd
# check_crl = yes
# Check if intermediate CAs have been revoked.
# check_all_crl = yes
CA_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# be checked against the DN of the issuer in
# the client certificate. If the values do not
# match, the certificate verification will fail,
# rejecting the user.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-Issuer attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
#
# If check_cert_cn is set, the value will
# be xlat'ed and checked against the CN
# in the client certificate. If the values
# do not match, the certificate verification
# will fail rejecting the user.
#
# This check is done only if the previous
# "check_cert_issuer" is not set, or if
# the check succeeds.
#
# In 2.1.10 and later, this check can be done
# more generally by checking the value of the
# TLS-Client-Cert-CN attribute. This check
# can be done via any mechanism you choose.
#
# check_cert_cn = %{User-Name}
#
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".
cipher_list = "DEFAULT"
#
# As part of checking a client certificate, the EAP-TLS
# sets some attributes such as TLS-Client-Cert-CN. This
# virtual server has access to these attributes, and can
# be used to accept or reject the request.
#
# virtual_server = check-eap-tls
# This command creates the initial "snake oil"
# certificates when the server is run as root,
# and via "radiusd -X".
#
# As of 2.1.11, it *also* checks the server
# certificate for validity, including expiration.
# This means that radiusd will refuse to start
# when the certificate has expired. The alternative
# is to have the 802.1X clients refuse to connect
# when they discover the certificate has expired.
#
# Debugging client issues is hard, so it's better
# for the server to print out an error message,
# and refuse to start.
#
make_cert_command = "${certdir}/bootstrap"
#
# Elliptical cryptography configuration
#
# Only for OpenSSL >= 0.9.8.f
#
ecdh_curve = "prime256v1"
#
# Session resumption / fast reauthentication
# cache.
#
# The cache contains the following information:
#
# session Id - unique identifier, managed by SSL
# User-Name - from the Access-Accept
# Stripped-User-Name - from the Access-Request
# Cached-Session-Policy - from the Access-Accept
#
# The "Cached-Session-Policy" is the name of a
# policy which should be applied to the cached
# session. This policy can be used to assign
# VLANs, IP addresses, etc. It serves as a useful
# way to re-apply the policy from the original
# Access-Accept to the subsequent Access-Accept
# for the cached session.
#
# On session resumption, these attributes are
# copied from the cache, and placed into the
# reply list.
#
# You probably also want "use_tunneled_reply = yes"
# when using fast session resumption.
#
cache {
#
# Enable it. The default is "no".
# Deleting the entire "cache" subsection
# Also disables caching.
#
# You can disallow resumption for a
# particular user by adding the following
# attribute to the control item list:
#
# Allow-Session-Resumption = No
#
# If "enable = no" below, you CANNOT
# enable resumption for just one user
# by setting the above attribute to "yes".
#
enable = yes
#
# Lifetime of the cached entries, in hours.
# The sessions will be deleted after this
# time.
#
lifetime = 24 # hours
#
# The maximum number of entries in the
# cache. Set to "0" for "infinite".
#
# This could be set to the number of users
# who are logged in... which can be a LOT.
#
max_entries = 20000
}
#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
#
verify {
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
#
# The ${..CA_path} text is a reference to
# the CA_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
}
#
# OCSP Configuration
# Certificates can be verified against an OCSP
# Responder. This makes it possible to immediately
# revoke certificates without the distribution of
# new Certificate Revocation Lists (CRLs).
#
ocsp {
#
# Enable it. The default is "no".
# Deleting the entire "ocsp" subsection
# Also disables ocsp checking
#
enable = no
#
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
# "override_cert_url = yes".
#
override_cert_url = yes
#
# If the OCSP Responder address is not
# extracted from the certificate, the
# URL can be defined here.
#
# Limitation: Currently the HTTP
# Request is not sending the "Host: "
# information to the web-server. This
# can be a problem if the OCSP
# Responder is running as a vhost.
#
url = "http://127.0.0.1/ocsp/"
#
# If the OCSP Responder can not cope with nonce
# in the request, then it can be disabled here.
#
# For security reasons, disabling this option
# is not recommended as nonce protects against
# replay attacks.
#
# Note that Microsoft AD Certificate Services OCSP
# Responder does not enable nonce by default. It is
# more secure to enable nonce on the responder than
# to disable it in the query here.
# See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
#
# use_nonce = yes
#
# Number of seconds before giving up waiting
# for OCSP response. 0 uses system default.
#
# timeout = 0
#
# Normally an error in querying the OCSP
# responder (no response from server, server did
# not understand the request, etc) will result in
# a validation failure.
#
# To treat these errors as 'soft' failures and
# still accept the certificate, enable this
# option.
#
# Warning: this may enable clients with revoked
# certificates to connect if the OCSP responder
# is not available. Use with caution.
#
# softfail = no
}
}
# The TTLS module implements the EAP-TTLS protocol,
# which can be described as EAP inside of Diameter,
# inside of TLS, inside of EAP, inside of RADIUS...
#
# Surprisingly, it works quite well.
#
# The TTLS module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-TTLS does not
# require a client certificate.
#
# You can make TTLS require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
ttls {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# TTLS tunnel, we recommend using EAP-MD5.
# If the request does not contain an EAP
# conversation, then this configuration entry
# is ignored.
default_eap_type = md5
# The tunneled authentication request does
# not usually contain useful attributes
# like 'Calling-Station-Id', etc. These
# attributes are outside of the tunnel,
# and normally unavailable to the tunneled
# authentication request.
#
# By setting this configuration entry to
# 'yes', any attribute which is NOT in the
# tunneled authentication request, but
# which IS available outside of the tunnel,
# is copied to the tunneled request.
#
# allowed values: {no, yes}
copy_request_to_tunnel = no
# The reply attributes sent to the NAS are
# usually based on the name of the user
# 'outside' of the tunnel (usually
# 'anonymous'). If you want to send the
# reply attributes based on the user name
# inside of the tunnel, then set this
# configuration entry to 'yes', and the reply
# to the NAS will be taken from the reply to
# the tunneled request.
#
# allowed values: {no, yes}
use_tunneled_reply = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This has the same meaning as the
# same field in the "tls" module, above.
# The default value here is "yes".
# include_length = yes
}
##################################################
#
# !!!!! WARNINGS for Windows compatibility !!!!!
#
##################################################
#
# If you see the server send an Access-Challenge,
# and the client never sends another Access-Request,
# then
#
# STOP!
#
# The server certificate has to have special OID's
# in it, or else the Microsoft clients will silently
# fail. See the "scripts/xpextensions" file for
# details, and the following page:
#
# http://support.microsoft.com/kb/814394/en-us
#
# For additional Windows XP SP2 issues, see:
#
# http://support.microsoft.com/kb/885453/en-us
#
#
# If it still doesn't work, and you're using Samba,
# you may be encountering a Samba bug. See:
#
# https://bugzilla.samba.org/show_bug.cgi?id=6563
#
# Note that we do not necessarily agree with their
# explanation... but the fix does appear to work.
#
##################################################
#
# The tunneled EAP session needs a default EAP type
# which is separate from the one for the non-tunneled
# EAP module. Inside of the TLS/PEAP tunnel, we
# recommend using EAP-MS-CHAPv2.
#
# The PEAP module needs the TLS module to be installed
# and configured, in order to use the TLS tunnel
# inside of the EAP packet. You will still need to
# configure the TLS module, even if you do not want
# to deploy EAP-TLS in your network. Users will not
# be able to request EAP-TLS, as it requires them to
# have a client certificate. EAP-PEAP does not
# require a client certificate.
#
#
# You can make PEAP require a client cert by setting
#
# EAP-TLS-Require-Client-Cert = Yes
#
# in the control items for a request.
#
peap {
# The tunneled EAP session needs a default
# EAP type which is separate from the one for
# the non-tunneled EAP module. Inside of the
# PEAP tunnel, we recommend using MS-CHAPv2,
# as that is the default type supported by
# Windows clients.
default_eap_type = mschapv2
# The PEAP module also has these configuration
# items, which are the same as for TTLS.
copy_request_to_tunnel = no
use_tunneled_reply = yes
# When the tunneled session is proxied, the
# home server may not understand EAP-MSCHAP-V2.
# Set this entry to "no" to proxy the tunneled
# EAP-MSCHAP-V2 as normal MSCHAPv2.
# proxy_tunneled_request_as_eap = yes
#
# The inner tunneled request can be sent
# through a virtual server constructed
# specifically for this purpose.
#
# If this entry is commented out, the inner
# tunneled request will be sent through
# the virtual server that processed the
# outer requests.
#
virtual_server = "inner-tunnel"
# This option enables support for MS-SoH
# see doc/SoH.txt for more info.
# It is disabled by default.
#
# soh = yes
#
# The SoH reply will be turned into a request which
# can be sent to a specific virtual server:
#
# soh_virtual_server = "soh-server"
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2 sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module to work,
# the main 'mschap' module MUST ALSO be configured.
#
# This module is the *Microsoft* implementation of MS-CHAPv2
# in EAP. There is another (incompatible) implementation
# of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
# currently support.
#
mschapv2 {
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.
#
# send_error = no
}
}
-------------- next part --------------
######################################################################
#
# Make file to be installed in /etc/raddb/certs to enable
# the easy creation of certificates.
#
# See the README file in this directory for more information.
#
# $Id: 6c3dccc174bf0f995bb7930711ee81d22088ca70 $
#
######################################################################
DH_KEY_SIZE = 2048
#
# Set the passwords
#
-include passwords.mk
######################################################################
#
# Make the necessary files, but not client certificates.
#
######################################################################
.PHONY: all
all: index.txt serial dh random server ca
.PHONY: client
client: client.pem
.PHONY: ca
ca: ca.der
.PHONY: server
server: server.pem server.vrfy
passwords.mk: server.cnf ca.cnf client.cnf
	@echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@
	@echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@
	@echo "CA_DEFAULT_DAYS = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@
######################################################################
#
# Diffie-Hellman parameters
#
######################################################################
dh:
	openssl gendh -out dh -2 $(DH_KEY_SIZE)
######################################################################
#
# Create a new self-signed CA certificate
#
######################################################################
ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
ca.der: ca.pem
	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
######################################################################
#
# Create a new server certificate, signed by the above CA.
#
######################################################################
server.csr server.key: server.cnf
	openssl req -new -out server.csr -keyout server.key -config ./server.cnf
server.crt: server.csr ca.key ca.pem
	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
server.p12: server.crt
	openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
server.pem: server.p12
	openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
.PHONY: server.vrfy
server.vrfy: ca.pem
	openssl verify -CAfile ca.pem server.pem
######################################################################
#
# Create a new client certificate, signed by the above CA
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf
client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem
######################################################################
#
# Miscellaneous rules.
#
######################################################################
index.txt:
	@touch index.txt
serial:
	@echo '01' > serial
random:
	@if [ -c /dev/urandom ] ; then \
		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
	else \
		date > ./random; \
	fi
print:
	openssl x509 -text -in server.crt
printca:
	openssl x509 -text -in ca.pem
clean:
	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
#
# Make a target that people won't run too often.
#
destroycerts:
	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
		serial* random *\.0 *\.1
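Added example (not part of the original post and not FreeRADIUS code): the attached eap.conf is mostly comments, so this Python script parses only the active settings and flags the OCSP weakenings that the file's own comments warn about. The section path eap.tls.ocsp, the function names and the sample text are assumptions made for the example; the defaults are taken from the commented-out values shown in the file.

```python
import re

# Constructed sample in eap.conf syntax (not the poster's file): OCSP switched
# on with the two weakening options that the comments above warn about.
SAMPLE = '''
eap {
    tls {
        ocsp {
            enable = yes
            override_cert_url = yes
            url = "http://127.0.0.1/ocsp/"
            use_nonce = no     # responder cannot do nonces
            # softfail = no    <- commented out, so this line is inactive
            softfail = yes
        }
    }
}
'''

def parse(text):
    """Return {dotted.section.key: value} for active (uncommented) settings."""
    settings, stack = {}, []
    for raw in text.splitlines():
        # Keep everything before the first '#' that is outside double quotes.
        line = re.match(r'(?:[^"#]|"[^"]*")*', raw).group(0).strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value.strip('"')
    return settings

def audit_ocsp(settings, prefix="eap.tls.ocsp"):
    """List OCSP weaknesses; defaults are the commented-out values shown above."""
    def get(key, default):
        return settings.get(prefix + "." + key, default)
    if get("enable", "no") != "yes":
        return ["enable is not 'yes': certificates are not checked against OCSP"]
    findings = []
    if get("use_nonce", "yes") != "yes":
        findings.append("use_nonce is off: OCSP responses can be replayed")
    if get("softfail", "no") == "yes":
        findings.append("softfail is on: responder errors still accept the certificate")
    if get("override_cert_url", "no") == "yes" and not get("url", ""):
        findings.append("override_cert_url = yes but no url is set")
    return findings

if __name__ == "__main__":
    for finding in audit_ocsp(parse(SAMPLE)):
        print("WARN:", finding)
```

Run against a file with "enable = no", as in the attachment above, it reports only that OCSP checking is off.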