PEAP-MSCHAPv2: Cannot recover attributes from TLS Session Cache
Wussler, Doug
doug.wussler at fsu.edu
Thu Aug 4 21:59:47 CEST 2016
I have been working on this for a couple of weeks, scouring the doc and mail list.
I have experimented with so many different configurations I feel like I'm now chasing my tail.
I clearly lack the understanding of how these attributes are shuttled between the inner
and outer tunnels as well as from TLS session cache to session-state cache.
First thing to know, I have PEAP-MSCHAPv2 working just fine, for a couple of years now.
I have upgraded to v3.0.11, rebuilt the configs and got everything working just great again.
But now I am trying to add TLS Session Cache, which looks like an under-appreciated and very
cool capability.
In my inner-tunnel post-auth I successfully do this:
# Submit attributes to TLS Session Cache from inner post-auth
update reply {
    &User-Name := "%{reply:User-Name}"
    &Cached-Session-Policy += "%{reply:Service-Type}"
    &Cached-Session-Policy += "%{reply:Tunnel-Medium-Type}"
    &Cached-Session-Policy += "%{reply:Tunnel-Type}"
    &Cached-Session-Policy += "%{reply:My-Local-employeeStatus}"
    &Cached-Session-Policy += "%{reply:Tunnel-Private-Group-ID}"
}
In the following packet exchange I see this:
(9) eap_peap: caching User-Name := "dw10j"
(9) eap_peap: caching Stripped-User-Name = "dw10j"
(9) eap_peap: caching Cached-Session-Policy += "Framed-User"
(9) eap_peap: caching Cached-Session-Policy += "IEEE-802"
(9) eap_peap: caching Cached-Session-Policy += "VLAN"
(9) eap_peap: caching Cached-Session-Policy += "Active"
(9) eap_peap: caching Cached-Session-Policy += "employee3a"
and an Access-Accept is sent in reply (9).
If I now roam to a nearby access point, the TLS Session is resumed and we
see this:
(12) eap_peap: Adding cached attributes from session
d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143
(12) eap_peap: reply:User-Name := "dw10j"
(12) eap_peap: reply:Stripped-User-Name = "dw10j"
(12) eap_peap: reply:Cached-Session-Policy += "Framed-User"
(12) eap_peap: reply:Cached-Session-Policy += "IEEE-802"
(12) eap_peap: reply:Cached-Session-Policy += "VLAN"
(12) eap_peap: reply:Cached-Session-Policy += "Active"
(12) eap_peap: reply:Cached-Session-Policy += "employee3a"
(12) eap_peap: [eaptls process] = success
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state TUNNEL ESTABLISHED
(12) eap_peap: Skipping Phase2 because of session resumption
(12) eap_peap: SUCCESS
But post-auth does not get called at this point so I am unclear on how to restore these to
session-state (if that's what I'm supposed to do).
And in the following packet exchange, where I receive an Access-Accept but with
empty attributes, we see this:
(13) session-state: No cached attributes
An abridged log follows and I would be happy to provide full debug log if that
is desired. But hopefully I am overlooking one of those obvious things that
will make me feel foolish.
Alternatively, if you are using TLS Session Cache and have a full and detailed
example, I would appreciate it if you could share that with me.
Doug Wussler
850.645.4201
Application Developer/Designer Core Network Team
Information Technology Services
RK Shaw Building
644 W. Call Street
Tallahassee, FL 32304
Server was built with:
accounting : yes
authentication : yes
ascend-binary-attributes : yes
coa : yes
control-socket : yes
detail : yes
dhcp : yes
dynamic-clients : yes
osfc2 : no
proxy : yes
regex-pcre : yes
regex-posix : no
regex-posix-extended : no
session-management : yes
stats : yes
tcp : yes
threads : yes
tls : yes
unlang : yes
vmps : yes
developer : no
Server core libs:
freeradius-server : 3.0.11
talloc : 2.0.*
ssl : 1.0.2h release
pcre : 8.32 2012-11-30
Endianness:
little
Compilation flags:
cppflags : -isystem /usr/local/include/openssl/
cflags : -I/downloads/freeradius-server-3.0.11
-I/downloads/freeradius-server-3.0.11/src -include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h
-include /downloads/freeradius-server-3.0.11/src/freeradius-devel/build.h
-include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/features.h
-include
/downloads/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h
-fno-strict-aliasing -Werror -g -O2 -Wall -std=c99 -D_GNU_SOURCE
-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG
-DIS_MODULE=1
ldflags : -L/usr/local/lib64 -Wl,-rpath,/usr/local/lib64
libs : -lcrypto -lssl -ltalloc -lpcre -lcap -lnsl -lresolv -ldl
-lpthread -lreadline
.....
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
Debugger not attached
# Creating Auth-Type = LDAP
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = FSU-PAP
# Creating Auth-Type = EAP
# Creating Autz-Type = Status-Server
# Loaded module rlm_eap
# Loading module "fsu-eap" from file
/usr/local/etc/raddb/mods-enabled/fsu-eap
eap fsu-eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
# Instantiating module "fsu-eap" from file
/usr/local/etc/raddb/mods-enabled/fsu-eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh_2048.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "HIGH +SHA !aNULL !eNULL !LOW !3DES !SSLv2 !MD5 !EXP
!DSS !PSK !SRP !CAMELLIA"
ecdh_curve = "prime256v1"
disable_tlsv1_2 = no
cache {
enable = yes
lifetime = 4
max_entries = 8000
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "fsu-peap-inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "Auth0_eap_mschapv2"
}
...
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server fsu-peap-1814 { # from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server fsu-peap-1814
server fsu-peap-inner-tunnel { # from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-auth {...}
} # server fsu-peap-inner-tunnel
listen {
type = "auth"
ipv4addr = *
port = 1814
}
listen {
type = "acct"
ipv4addr = *
port = 1815
}
Listening on auth address * port 1814 bound to server fsu-peap-1814
Listening on acct address * port 1815 bound to server fsu-peap-1814
...
Ready to process requests
(0) Received Access-Request Id 34 from 128.186.255.238:42749 to
128.186.255.220:1814 length 217
(0) User-Name = "dw10j"
(0) NAS-IP-Address = 128.186.255.200
(0) NAS-Port = 0
(0) NAS-Identifier = "128.186.255.238"
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = "B8E856A8659B"
(0) Called-Station-Id = "001A1E0083D8"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x0201000a01647731306a
(0) Aruba-Essid-Name = "FSUCorex"
(0) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu"
(0) Aruba-AP-Group = "Shaw"
(0) Aruba-Device-Type = "iPhone"
(0) Message-Authenticator = 0x30af9933cb00e5d441604b11b36b0f0a
(0) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) authorize {
(0) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(0) EXPAND %{request:User-Name}
(0) --> dw10j
(0) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(0) EXPAND %{request:User-Name}
(0) --> dw10j
(0) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(0) [ntdomain] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(0) suffix: Found realm "NULL"
(0) suffix: Adding Stripped-User-Name = "dw10j"
(0) suffix: Adding Realm = "NULL"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10
(0) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(0) [fsu-eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = fsu-eap
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) Auth-Type fsu-eap {
(0) fsu-eap: Peer sent packet with method EAP Identity (1)
(0) fsu-eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(0) fsu-eap: EAP session adding &reply:State = 0x860fee2e860df726
(0) [fsu-eap] = handled
(0) } # Auth-Type fsu-eap = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(0) Sent Access-Challenge Id 34 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(0) EAP-Message = 0x010200061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x860fee2e860df726c6e8c1b1cbfeb884
(0) Finished request
Waking up in 1.9 seconds.
...
Waking up in 1.8 seconds.
(8) Received Access-Request Id 42 from 128.186.255.238:42749 to
128.186.255.220:1814 length 268
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0x84bad54285b3cfdb
(8) fsu-eap: Finished EAP session with state 0x84bad54285b3cfdb
(8) fsu-eap: Previous EAP request found for state 0x84bad54285b3cfdb,
released from the list
(8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) fsu-eap: Calling submodule eap_mschapv2 to process data
(8) fsu-eap: Sending EAP Success (code 3) ID 9 length 4
(8) fsu-eap: Freeing handler
(8) [fsu-eap] = ok
(8) } # Auth-Type fsu-eap = ok
(8) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) post-auth {
(8) update {
(8) &outer.session-state:User-Name += &reply:User-Name[*] ->
'dw10j'
(8) &outer.session-state:Service-Type += &reply:Service-Type[*] ->
Framed-User
(8) &outer.session-state:Tunnel-Medium-Type +=
&reply:Tunnel-Medium-Type[*] -> IEEE-802
(8) &outer.session-state:Tunnel-Type += &reply:Tunnel-Type[*] ->
VLAN
(8) &outer.session-state:My-Local-employeeStatus +=
&reply:My-Local-employeeStatus[*] -> 'Active'
(8) &outer.session-state:Tunnel-Private-Group-Id +=
&reply:Tunnel-Private-Group-Id[*] -> 'employee3a'
(8) &outer.session-state:My-Local-ntPassword +=
&reply:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062'
(8) &outer.session-state:MS-MPPE-Encryption-Policy +=
&reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed
(8) &outer.session-state:MS-MPPE-Encryption-Types +=
&reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed
(8) &outer.session-state:MS-MPPE-Send-Key +=
&reply:MS-MPPE-Send-Key[*] -> 0xf2f40d2c99a86338ec77abd87f6bc004
(8) &outer.session-state:MS-MPPE-Recv-Key +=
&reply:MS-MPPE-Recv-Key[*] -> 0xd0c82e1f94537f44e3290ed225405e8c
(8) &outer.session-state:EAP-Message += &reply:EAP-Message[*] ->
0x03090004
(8) &outer.session-state:Message-Authenticator +=
&reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(8) } # update = noop
(8) update outer.session-state {
(8) MS-MPPE-Encryption-Policy !* ANY
(8) MS-MPPE-Encryption-Types !* ANY
(8) MS-MPPE-Send-Key !* ANY
(8) MS-MPPE-Recv-Key !* ANY
(8) Message-Authenticator !* ANY
(8) EAP-Message !* ANY
(8) Proxy-State !* ANY
(8) } # update outer.session-state = noop
(8) update reply {
(8) EXPAND %{reply:User-Name}
(8) --> dw10j
(8) &User-Name := dw10j
(8) EXPAND %{reply:Service-Type}
(8) --> Framed-User
(8) &Cached-Session-Policy += Framed-User
(8) EXPAND %{reply:Tunnel-Medium-Type}
(8) --> IEEE-802
(8) &Cached-Session-Policy += IEEE-802
(8) EXPAND %{reply:Tunnel-Type}
(8) --> VLAN
(8) &Cached-Session-Policy += VLAN
(8) EXPAND %{reply:My-Local-employeeStatus}
(8) --> Active
(8) &Cached-Session-Policy += Active
(8) EXPAND %{reply:Tunnel-Private-Group-ID}
(8) --> employee3a
(8) &Cached-Session-Policy += employee3a
(8) } # update reply = noop
(8) if ( reply:My-Local-fsuEduWINStatus ) {
(8) if ( reply:My-Local-fsuEduWINStatus ) -> FALSE
(8) } # post-auth = noop
(8) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(8) -->
(8) Login OK: [dw10j] (from client CamL8 port 0 via TLS tunnel)
(8) } # server fsu-peap-inner-tunnel
(8) Virtual server sending reply
(8) User-Name := "dw10j"
(8) Service-Type = Framed-User
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Type = VLAN
(8) My-Local-employeeStatus = "Active"
(8) Tunnel-Private-Group-Id = "employee3a"
(8) My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) EAP-Message = 0x03090004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) Cached-Session-Policy += "Framed-User"
(8) Cached-Session-Policy += "IEEE-802"
(8) Cached-Session-Policy += "VLAN"
(8) Cached-Session-Policy += "Active"
(8) Cached-Session-Policy += "employee3a"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: User-Name := "dw10j"
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Cached-Session-Policy += "Framed-User"
(8) eap_peap: Cached-Session-Policy += "IEEE-802"
(8) eap_peap: Cached-Session-Policy += "VLAN"
(8) eap_peap: Cached-Session-Policy += "Active"
(8) eap_peap: Cached-Session-Policy += "employee3a"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: User-Name := "dw10j"
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: My-Local-employeeStatus = "Active"
(8) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(8) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xf2f40d2c99a86338ec77abd87f6bc004
(8) eap_peap: MS-MPPE-Recv-Key = 0xd0c82e1f94537f44e3290ed225405e8c
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: Cached-Session-Policy += "Framed-User"
(8) eap_peap: Cached-Session-Policy += "IEEE-802"
(8) eap_peap: Cached-Session-Policy += "VLAN"
(8) eap_peap: Cached-Session-Policy += "Active"
(8) eap_peap: Cached-Session-Policy += "employee3a"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) fsu-eap: Sending EAP Request (code 1) ID 10 length 43
(8) fsu-eap: EAP session adding &reply:State = 0x860fee2e8e05f726
(8) [fsu-eap] = handled
(8) } # Auth-Type fsu-eap = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(8) session-state: Saving cached attributes
(8) User-Name += "dw10j"
(8) Service-Type += Framed-User
(8) Tunnel-Medium-Type += IEEE-802
(8) Tunnel-Type += VLAN
(8) My-Local-employeeStatus += "Active"
(8) Tunnel-Private-Group-Id += "employee3a"
(8) My-Local-ntPassword += "ACC1E2ED4455527965628BF7A008B062"
(8) Sent Access-Challenge Id 42 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(8) EAP-Message =
0x010a002b19001703010020fcb7e3cf0b673c79ef41a11a56c8da40ab1ca7cfc3a07914a18
31032d774a6dd
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884
(8) Finished request
Waking up in 1.8 seconds.
(9) Received Access-Request Id 43 from 128.186.255.238:42749 to
128.186.255.220:1814 length 268
(9) User-Name = "dw10j"
(9) NAS-IP-Address = 128.186.255.200
(9) NAS-Port = 0
(9) NAS-Identifier = "128.186.255.238"
(9) NAS-Port-Type = Wireless-802.11
(9) Calling-Station-Id = "B8E856A8659B"
(9) Called-Station-Id = "001A1E0083D8"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1100
(9) EAP-Message =
0x020a002b1900170301002086df2a56026c1d4d64621307316b04234d9a15d5fdab11424c3
edfb9f41f5e7c
(9) State = 0x860fee2e8e05f726c6e8c1b1cbfeb884
(9) Aruba-Essid-Name = "FSUCorex"
(9) Aruba-Location-Id = "wg-a105-132-rm.rsb.wireless.fsu.edu"
(9) Aruba-AP-Group = "Shaw"
(9) Aruba-Device-Type = "iPhone"
(9) Message-Authenticator = 0x6329c315d037919dc588d0b2ead70f15
(9) Restoring &session-state
(9) &session-state:User-Name += "dw10j"
(9) &session-state:Service-Type += Framed-User
(9) &session-state:Tunnel-Medium-Type += IEEE-802
(9) &session-state:Tunnel-Type += VLAN
(9) &session-state:My-Local-employeeStatus += "Active"
(9) &session-state:Tunnel-Private-Group-Id += "employee3a"
(9) &session-state:My-Local-ntPassword +=
"ACC1E2ED4455527965628BF7A008B062"
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) authorize {
(9) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(9) EXPAND %{request:User-Name}
(9) --> dw10j
(9) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(9) EXPAND %{request:User-Name}
(9) --> dw10j
(9) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(9) [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "dw10j"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 43
(9) fsu-eap: Continuing tunnel setup
(9) [fsu-eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0x860fee2e8e05f726
(9) fsu-eap: Finished EAP session with state 0x860fee2e8e05f726
(9) fsu-eap: Previous EAP request found for state 0x860fee2e8e05f726,
released from the list
(9) fsu-eap: Peer sent packet with method EAP PEAP (25)
(9) fsu-eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap: User-Name := "dw10j"
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Tunnel-Medium-Type = IEEE-802
(9) eap_peap: Tunnel-Type = VLAN
(9) eap_peap: My-Local-employeeStatus = "Active"
(9) eap_peap: Tunnel-Private-Group-Id = "employee3a"
(9) eap_peap: My-Local-ntPassword = "ACC1E2ED4455527965628BF7A008B062"
(9) eap_peap: Cached-Session-Policy += "Framed-User"
(9) eap_peap: Cached-Session-Policy += "IEEE-802"
(9) eap_peap: Cached-Session-Policy += "VLAN"
(9) eap_peap: Cached-Session-Policy += "Active"
(9) eap_peap: Cached-Session-Policy += "employee3a"
(9) eap_peap: caching User-Name := "dw10j"
(9) eap_peap: caching Stripped-User-Name = "dw10j"
(9) eap_peap: caching Cached-Session-Policy += "Framed-User"
(9) eap_peap: caching Cached-Session-Policy += "IEEE-802"
(9) eap_peap: caching Cached-Session-Policy += "VLAN"
(9) eap_peap: caching Cached-Session-Policy += "Active"
(9) eap_peap: caching Cached-Session-Policy += "employee3a"
(9) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(9) fsu-eap: Sending EAP Success (code 3) ID 10 length 4
(9) fsu-eap: Freeing handler
(9) [fsu-eap] = ok
(9) } # Auth-Type fsu-eap = ok
(9) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(9) post-auth {
(9) if ( session-state: ) {
(9) if ( session-state: ) -> TRUE
(9) if ( session-state: ) {
(9) update {
(9) &reply::User-Name += &session-state:User-Name[*] -> 'dw10j'
(9) &reply::Service-Type += &session-state:Service-Type[*] ->
Framed-User
(9) &reply::Tunnel-Medium-Type +=
&session-state:Tunnel-Medium-Type[*] -> IEEE-802
(9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN
(9) &reply::My-Local-employeeStatus +=
&session-state:My-Local-employeeStatus[*] -> 'Active'
(9) &reply::Tunnel-Private-Group-Id +=
&session-state:Tunnel-Private-Group-Id[*] -> 'employee3a'
(9) &reply::My-Local-ntPassword +=
&session-state:My-Local-ntPassword[*] -> 'ACC1E2ED4455527965628BF7A008B062'
(9) } # update = noop
(9) } # if ( session-state: ) = noop
(9) ... skipping else for request 9: Preceding "if" was taken
(9) } # post-auth = noop
(9) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(9) --> FSUCorex wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone
(9) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B) FSUCorex
wg-a105-132-rm.rsb.wireless.fsu.edu Shaw iPhone
(9) Sent Access-Accept Id 43 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(9) User-Name := "dw10j"
(9) Service-Type = Framed-User
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Type = VLAN
(9) Tunnel-Private-Group-Id = "employee3a"
(9) MS-MPPE-Recv-Key =
0xa5f4fcb1629a45eac5bd6b0f3679985c288a81021062c7a903807ebfb65d2d9f
(9) MS-MPPE-Send-Key =
0xee4e988ac836c3cd0df97edf5aa006c77b98328e12e93f325f36c1ef3957f500
(9) EAP-Message = 0x030a0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name += "dw10j"
(9) Service-Type += Framed-User
(9) Tunnel-Medium-Type += IEEE-802
(9) Tunnel-Type += VLAN
(9) Tunnel-Private-Group-Id += "employee3a"
(9) Finished request
Waking up in 1.8 seconds.
(0) Cleaning up request packet ID 34 with timestamp +18
(1) Cleaning up request packet ID 35 with timestamp +18
(2) Cleaning up request packet ID 36 with timestamp +18
(3) Cleaning up request packet ID 37 with timestamp +19
(4) Cleaning up request packet ID 38 with timestamp +19
(5) Cleaning up request packet ID 39 with timestamp +19
(6) Cleaning up request packet ID 40 with timestamp +19
(7) Cleaning up request packet ID 41 with timestamp +19
(8) Cleaning up request packet ID 42 with timestamp +19
(9) Cleaning up request packet ID 43 with timestamp +19
Ready to process requests
(10) Received Access-Request Id 44 from 128.186.255.238:42749 to
128.186.255.220:1814 length 218
(10) User-Name = "dw10j"
(10) NAS-IP-Address = 128.186.255.200
(10) NAS-Port = 0
(10) NAS-Identifier = "128.186.255.238"
(10) NAS-Port-Type = Wireless-802.11
(10) Calling-Station-Id = "B8E856A8659B"
(10) Called-Station-Id = "001A1E0083D8"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1100
(10) EAP-Message = 0x0201000a01647731306a
(10) Aruba-Essid-Name = "FSUCorex"
(10) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(10) Aruba-AP-Group = "Shaw"
(10) Aruba-Device-Type = "iPhone"
(10) Message-Authenticator = 0xf08aac88e0af79de1be8bebee816ab7f
(10) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) authorize {
(10) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(10) EXPAND %{request:User-Name}
(10) --> dw10j
(10) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(10) EXPAND %{request:User-Name}
(10) --> dw10j
(10) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(10) [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(10) suffix: Found realm "NULL"
(10) suffix: Adding Stripped-User-Name = "dw10j"
(10) suffix: Adding Realm = "NULL"
(10) suffix: Authentication realm is LOCAL
(10) [suffix] = ok
(10) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 10
(10) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit
the rest of authorize
(10) [fsu-eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = fsu-eap
(10) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) Auth-Type fsu-eap {
(10) fsu-eap: Peer sent packet with method EAP Identity (1)
(10) fsu-eap: Calling submodule eap_peap to process data
(10) eap_peap: Initiating new EAP-TLS session
(10) eap_peap: [eaptls start] = request
(10) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(10) fsu-eap: EAP session adding &reply:State = 0xc30d1631c30f0f80
(10) [fsu-eap] = handled
(10) } # Auth-Type fsu-eap = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(10) Sent Access-Challenge Id 44 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(10) EAP-Message = 0x010200061920
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xc30d1631c30f0f80b3424d0b1e3d666b
(10) Finished request
Waking up in 1.9 seconds.
(11) Received Access-Request Id 45 from 128.186.255.238:42749 to
128.186.255.220:1814 length 389
(11) User-Name = "dw10j"
(11) NAS-IP-Address = 128.186.255.200
(11) NAS-Port = 0
(11) NAS-Identifier = "128.186.255.238"
(11) NAS-Port-Type = Wireless-802.11
(11) Calling-Station-Id = "B8E856A8659B"
(11) Called-Station-Id = "001A1E0083D8"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1100
(11) EAP-Message =
0x020200a3198000000099160301009401000090030157a39502c59a38ab42d28fa5c8b5861
fdcbe1af0ccc1e17f9675b4a1ef41e00020d312f4c83df5f5b153ebd94b01549795be582dcb
fe421e961aa038b062699143002800ffc024c023c00ac009c008c028c027c014c013c012003
d003c0035002f00
(11) State = 0xc30d1631c30f0f80b3424d0b1e3d666b
(11) Aruba-Essid-Name = "FSUCorex"
(11) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(11) Aruba-AP-Group = "Shaw"
(11) Aruba-Device-Type = "iPhone"
(11) Message-Authenticator = 0x4d3755f8101bb6b8f55764f42c817b4f
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) authorize {
(11) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(11) EXPAND %{request:User-Name}
(11) --> dw10j
(11) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(11) EXPAND %{request:User-Name}
(11) --> dw10j
(11) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(11) ntdomain: Checking for prefix before "\"
(11) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(11) [ntdomain] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(11) suffix: Found realm "NULL"
(11) suffix: Adding Stripped-User-Name = "dw10j"
(11) suffix: Adding Realm = "NULL"
(11) suffix: Authentication realm is LOCAL
(11) [suffix] = ok
(11) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 163
(11) fsu-eap: Continuing tunnel setup
(11) [fsu-eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = fsu-eap
(11) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) Auth-Type fsu-eap {
(11) fsu-eap: Expiring EAP session with state 0xc30d1631c30f0f80
(11) fsu-eap: Finished EAP session with state 0xc30d1631c30f0f80
(11) fsu-eap: Previous EAP request found for state 0xc30d1631c30f0f80,
released from the list
(11) fsu-eap: Peer sent packet with method EAP PEAP (25)
(11) fsu-eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(11) eap_peap: Got complete TLS record (153 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: (other): before/accept initialization
(11) eap_peap: TLS_accept: before/accept initialization
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(11) eap_peap: TLS_accept: SSLv3 read client hello A
(11) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(11) eap_peap: TLS_accept: SSLv3 write server hello A
(11) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(11) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(11) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(11) eap_peap: TLS_accept: SSLv3 write finished A
(11) eap_peap: TLS_accept: SSLv3 flush data
(11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(11) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(11) eap_peap: In SSL Handshake Phase
(11) eap_peap: In SSL Accept mode
(11) eap_peap: [eaptls process] = handled
(11) fsu-eap: Sending EAP Request (code 1) ID 3 length 159
(11) fsu-eap: EAP session adding &reply:State = 0xc30d1631c20e0f80
(11) [fsu-eap] = handled
(11) } # Auth-Type fsu-eap = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(11) Sent Access-Challenge Id 45 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(11) EAP-Message =
0x0103009f1900160301005902000055030129bbd8008ef3e12c96959f1bcddc130398122f5
f2b02f6b72aaaff3583113a4820d312f4c83df5f5b153ebd94b01549795be582dcbfe421e96
1aa038b062699143c01400000dff01000100000b00040300010214030100010116030100307
238d01320b761c4
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xc30d1631c20e0f80b3424d0b1e3d666b
(11) Finished request
Waking up in 1.9 seconds.
(12) Received Access-Request Id 46 from 128.186.255.238:42749 to
128.186.255.220:1814 length 295
(12) User-Name = "dw10j"
(12) NAS-IP-Address = 128.186.255.200
(12) NAS-Port = 0
(12) NAS-Identifier = "128.186.255.238"
(12) NAS-Port-Type = Wireless-802.11
(12) Calling-Station-Id = "B8E856A8659B"
(12) Called-Station-Id = "001A1E0083D8"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1100
(12) EAP-Message =
0x0203004519800000003b140301000101160301003078e68035b28baddc37a4ae1ad3fcbac
78d41648d3e1b500df0e77a08857d914def1313c303457658d9ddfbe32b37eca9
(12) State = 0xc30d1631c20e0f80b3424d0b1e3d666b
(12) Aruba-Essid-Name = "FSUCorex"
(12) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(12) Aruba-AP-Group = "Shaw"
(12) Aruba-Device-Type = "iPhone"
(12) Message-Authenticator = 0xd9f5fa6fcd2d1e9ca612adc0a40aafae
(12) session-state: No cached attributes
(12) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) authorize {
(12) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(12) EXPAND %{request:User-Name}
(12) --> dw10j
(12) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(12) EXPAND %{request:User-Name}
(12) --> dw10j
(12) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(12) [ntdomain] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(12) suffix: Found realm "NULL"
(12) suffix: Adding Stripped-User-Name = "dw10j"
(12) suffix: Adding Realm = "NULL"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 69
(12) fsu-eap: Continuing tunnel setup
(12) [fsu-eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = fsu-eap
(12) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) Auth-Type fsu-eap {
(12) fsu-eap: Expiring EAP session with state 0xc30d1631c20e0f80
(12) fsu-eap: Finished EAP session with state 0xc30d1631c20e0f80
(12) fsu-eap: Previous EAP request found for state 0xc30d1631c20e0f80,
released from the list
(12) fsu-eap: Peer sent packet with method EAP PEAP (25)
(12) fsu-eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(12) eap_peap: Got complete TLS record (59 bytes)
(12) eap_peap: [eaptls verify] = length included
(12) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(12) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(12) eap_peap: TLS_accept: SSLv3 read finished A
(12) eap_peap: (other): SSL negotiation finished successfully
(12) eap_peap: SSL Connection Established
(12) eap_peap: SSL Application Data
(12) eap_peap: Adding cached attributes from session
d312f4c83df5f5b153ebd94b01549795be582dcbfe421e961aa038b062699143
(12) eap_peap: reply:User-Name := "dw10j"
(12) eap_peap: reply:Stripped-User-Name = "dw10j"
(12) eap_peap: reply:Cached-Session-Policy += "Framed-User"
(12) eap_peap: reply:Cached-Session-Policy += "IEEE-802"
(12) eap_peap: reply:Cached-Session-Policy += "VLAN"
(12) eap_peap: reply:Cached-Session-Policy += "Active"
(12) eap_peap: reply:Cached-Session-Policy += "employee3a"
(12) eap_peap: [eaptls process] = success
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state TUNNEL ESTABLISHED
(12) eap_peap: Skipping Phase2 because of session resumption
(12) eap_peap: SUCCESS
(12) fsu-eap: Sending EAP Request (code 1) ID 4 length 43
(12) fsu-eap: EAP session adding &reply:State = 0xc30d1631c1090f80
(12) [fsu-eap] = handled
(12) } # Auth-Type fsu-eap = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(12) Sent Access-Challenge Id 46 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(12) User-Name := "dw10j"
(12) EAP-Message =
0x0104002b19001703010020cbea953c76c41ac5cfe03c22a45b0f054910572036b7e27adae
89ef58f4ae2fc
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xc30d1631c1090f80b3424d0b1e3d666b
(12) Finished request
Waking up in 1.9 seconds.
(13) Received Access-Request Id 47 from 128.186.255.238:42749 to
128.186.255.220:1814 length 269
(13) User-Name = "dw10j"
(13) NAS-IP-Address = 128.186.255.200
(13) NAS-Port = 0
(13) NAS-Identifier = "128.186.255.238"
(13) NAS-Port-Type = Wireless-802.11
(13) Calling-Station-Id = "B8E856A8659B"
(13) Called-Station-Id = "001A1E0083D8"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1100
(13) EAP-Message =
0x0204002b19001703010020a351cf90095e7f532aa2a78ecca7a5846b67b9da57246ba6392
7838b473545ed
(13) State = 0xc30d1631c1090f80b3424d0b1e3d666b
(13) Aruba-Essid-Name = "FSUCorex"
(13) Aruba-Location-Id = "wg-a105-136-hrm.rsb.wireless.fsu.edu"
(13) Aruba-AP-Group = "Shaw"
(13) Aruba-Device-Type = "iPhone"
(13) Message-Authenticator = 0x26247fed677e752473789854799c9ac0
(13) session-state: No cached attributes
(13) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) authorize {
(13) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) {
(13) EXPAND %{request:User-Name}
(13) --> dw10j
(13) if (( "%{request:User-Name}" =~ /^host\//i ) && (
"%{request:User-Name}" !~ /^host\/COB-/i )) -> FALSE
(13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) {
(13) EXPAND %{request:User-Name}
(13) --> dw10j
(13) if (( "%{request:User-Name}" =~ /^.*\\/ ) && (
"%{request:User-Name}" !~ /^med\\/i )) -> FALSE
(13) ntdomain: Checking for prefix before "\"
(13) ntdomain: No '\' in User-Name = "dw10j", skipping NULL due to config.
(13) [ntdomain] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "dw10j", looking up realm NULL
(13) suffix: Found realm "NULL"
(13) suffix: Adding Stripped-User-Name = "dw10j"
(13) suffix: Adding Realm = "NULL"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 43
(13) fsu-eap: Continuing tunnel setup
(13) [fsu-eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = fsu-eap
(13) # Executing group from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) Auth-Type fsu-eap {
(13) fsu-eap: Expiring EAP session with state 0xc30d1631c1090f80
(13) fsu-eap: Finished EAP session with state 0xc30d1631c1090f80
(13) fsu-eap: Previous EAP request found for state 0xc30d1631c1090f80,
released from the list
(13) fsu-eap: Peer sent packet with method EAP PEAP (25)
(13) fsu-eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: [eaptls verify] = ok
(13) eap_peap: Done initial handshake
(13) eap_peap: [eaptls process] = ok
(13) eap_peap: Session established. Decoding tunneled attributes
(13) eap_peap: PEAP state send tlv success
(13) eap_peap: Received EAP-TLV response
(13) eap_peap: Success
(13) eap_peap: No saved attributes in the original Access-Accept
(13) fsu-eap: Sending EAP Success (code 3) ID 4 length 4
(13) fsu-eap: Freeing handler
(13) [fsu-eap] = ok
(13) } # Auth-Type fsu-eap = ok
(13) # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/fsu-peap-1814
(13) post-auth {
(13) if ( session-state: ) {
(13) if ( session-state: ) -> FALSE
(13) else {
(13) update reply {
(13) EXPAND %{reply:User-Name}
(13) -->
(13) &User-Name :=
(13) &Reply-Message += "This is from outer-post-auth"
(13) EXPAND %{reply:Cached-Session-Policy[0]}
(13) -->
(13) &Service-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[1]}
(13) -->
(13) &Tunnel-Medium-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[2]}
(13) -->
(13) &Tunnel-Type := 0
(13) EXPAND %{reply:Cached-Session-Policy[3]}
(13) -->
(13) &My-Local-employeeStatus :=
(13) EXPAND %{reply:Cached-Session-Policy[4]}
(13) -->
(13) &Tunnel-Private-Group-ID :=
(13) } # update reply = noop
(13) } # else = noop
(13) } # post-auth = noop
(13) EXPAND %{Aruba-Essid-Name} %{Aruba-Location-Id} %{Aruba-AP-Group}
%{Aruba-Device-Type} %{reply:My-Local-fsuEduWINStatus}
(13) --> FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone
(13) Login OK: [dw10j] (from client CamL8 port 0 cli B8E856A8659B)
FSUCorex wg-a105-136-hrm.rsb.wireless.fsu.edu Shaw iPhone
(13) Sent Access-Accept Id 47 from 128.186.255.220:1814 to
128.186.255.238:42749 length 0
(13) MS-MPPE-Recv-Key =
0xd4642af1af234bbe423648b840dd1159c886031d2b8a3815366c6f99cc8328ab
(13) MS-MPPE-Send-Key =
0x92ae704edf421546f722959cde45b4adc7098784763b3c331a164a5170a823a5
(13) EAP-Message = 0x03040004
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) User-Name := ""
(13) Reply-Message += "This is from outer-post-auth"
(13) Service-Type := 0
(13) Tunnel-Medium-Type := 0
(13) Tunnel-Type := 0
(13) Tunnel-Private-Group-Id := ""
(13) Finished request
Waking up in 1.9 seconds.
(10) Cleaning up request packet ID 44 with timestamp +45
(11) Cleaning up request packet ID 45 with timestamp +45
(12) Cleaning up request packet ID 46 with timestamp +45
(13) Cleaning up request packet ID 47 with timestamp +45
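The failure visible in requests (12) and (13) above, as an added example that is not part of the original post: a Python script that scans `radiusd -X` output and reports any Access-Accept whose `%{reply:...}` expansions came back empty although cached attributes had been restored in an earlier request. The function names are hypothetical, and the embedded sample is abridged from the debug output in this post.

```python
import re

# Sample abridged from the debug output in this post (requests 12 and 13).
SAMPLE = """\
(12) eap_peap: Adding cached attributes from session
(12) eap_peap: reply:User-Name := "dw10j"
(12) eap_peap: reply:Cached-Session-Policy += "employee3a"
(12) Sent Access-Challenge Id 46 from 128.186.255.220:1814 to
(13) EXPAND %{reply:User-Name}
(13) -->
(13) EXPAND %{reply:Cached-Session-Policy[0]}
(13) -->
(13) EXPAND %{Aruba-Essid-Name}
(13) --> FSUCorex
(13) Sent Access-Accept Id 47 from 128.186.255.220:1814 to
"""

LINE = re.compile(r"^\((\d+)\)\s*(.*)$")
RESTORED = re.compile(r'^eap_peap: reply:([\w-]+) (?::=|\+=|=) "')
EXPAND = re.compile(r"^EXPAND (%\{reply:[^}]+\})$")
SENT = re.compile(r"^Sent (Access-\w+)")

def analyze(log_text):
    """Per request: cache-restored attributes, empty reply expansions, packet sent."""
    reqs, pending = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no request number
        num, msg = int(m.group(1)), m.group(2)
        r = reqs.setdefault(num, {"restored": [], "empty": [], "sent": None})
        if (x := RESTORED.match(msg)):
            r["restored"].append(x.group(1))
        elif (x := EXPAND.match(msg)):
            pending = x.group(1)
        elif msg.startswith("-->"):
            if pending and not msg[3:].strip():
                r["empty"].append(pending)
            pending = None
        elif (x := SENT.match(msg)):
            r["sent"] = x.group(1)
    return reqs

def lost_on_accept(reqs):
    """Access-Accepts with empty reply expansions after an earlier cache restore."""
    restored_in = [n for n, r in reqs.items() if r["restored"]]
    return {n: r["empty"] for n, r in reqs.items()
            if r["sent"] == "Access-Accept" and r["empty"] and not r["restored"]
            and any(p < n for p in restored_in)}
```

Run `lost_on_accept(analyze(text))` over a saved debug log; a non-empty result names the request whose Access-Accept went out without the cached policy attributes.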