Freeradius and Unifi Vlan
Gabriel Ozaki
gabriel.ozaki at kemi.com.br
Fri Nov 11 13:06:51 CET 2016
Thanks Brian and Alan
I enable the update blocks and works on the first time, but on second too,
but in the thirt connection the reply VLAN is not present
Process:
Connect to wifi(works with vlan)
disconnect and reconnect(Sometimes works)
disconnect and reconnect again(don't work)
And looking in the radpostauth table i see some accept-accept replys with
login without password :O
+----+----------+----------+---------------+---------------------+
| id | username | pass | reply | authdate |
+----+----------+----------+---------------+---------------------+
| 1 | kemi2 | 1q2w3e4r | Access-Reject | 2016-11-10 12:04:35 |
| 2 | kemi | 1q2w3e4r | Access-Accept | 2016-11-10 12:06:00 |
| 3 | kemi2 | 1q2w3e4r | Access-Reject | 2016-11-10 15:26:27 |
| 4 | kemi2 | 1q2w3e4r | Access-Reject | 2016-11-10 15:27:52 |
| 5 | kemi2 | 1q2w3e4r | Access-Reject | 2016-11-10 15:28:04 |
| 6 | kemi2 | 1q2w3e4r | Access-Accept | 2016-11-10 15:28:58 |
| 7 | kemi2 | | Access-Accept | 2016-11-10 15:37:49 |
| 8 | kemi2 | | Access-Accept | 2016-11-10 15:37:49 |
| 9 | kemi2 | 1q2w3e4r | Access-Accept | 2016-11-10 15:49:14 |
| 10 | kemi2 | 1q2w3e4 | Access-Reject | 2016-11-10 15:49:18 |
| 11 | kemi2 | 1q2w3e4r | Access-Accept | 2016-11-10 15:49:25 |
| 12 | kemi2 | | Access-Accept | 2016-11-10 15:49:54 |
| 13 | kemi2 | | Access-Accept | 2016-11-10 15:49:54 |
| 14 | kemi2 | | Access-Reject | 2016-11-10 16:10:44 |
...
| 54 | kemi2 | | Access-Accept | 2016-11-11 09:45:48 |
| 55 | kemi2 | | Access-Accept | 2016-11-11 09:45:56 |
+----+----------+----------+---------------+---------------------+
There is any flowchart of freeradius 3 to help me understand how the login
proccess? if i understand the log is something like:
client send wireless request -> eap decode, send to sql(via inner-tunnel?)
-> sql validate, if fails try other options(ex:users file), then send back
to eap(via inner-tunnel?) -> eap send reply to client
2016-11-11 9:23 GMT-02:00 Alan Buxey <A.L.M.Buxey at lboro.ac.uk>:
> and on 3.0.12 etc you dont use that option, read the inner-tunnel and
> enable:
>
> #
> # Instead of "use_tunneled_reply", uncomment the
> # next two "update" blocks.
> #
> # update {
> # &outer.session-state: += &reply:
> # }
>
> #
> # These attributes are for the inner session only.
> # They MUST NOT be sent in the outer reply.
> #
> # If you uncomment the previous block and leave
> # this one commented out, WiFi WILL NOT WORK,
> # because the client will get two MS-MPPE-keys
> #
> # update outer.session-state {
> # MS-MPPE-Encryption-Policy !* ANY
> # MS-MPPE-Encryption-Types !* ANY
> # MS-MPPE-Send-Key !* ANY
> # MS-MPPE-Recv-Key !* ANY
> # Message-Authenticator !* ANY
> # EAP-Message !* ANY
> # Proxy-State !* ANY
> # }
-------------- next part --------------
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/date
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 192.168.3.0/24
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_detail
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_sql
# Loading module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
sql {
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "root"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-Group}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = (%{%{integer:Event-Timestamp}:-strftime('%%s', 'now')} - strftime('%%s', acctstarttime)), acctterminatecause = '%{Acct-Terminate-Cause}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= %{integer:Event-Timestamp}"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = %{%{integer:Event-Timestamp}:-date('now')}, acctinterval = 0, framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0} WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
instantiate {
}
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
ca_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/usr/local/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "sql" from file /usr/local/etc/raddb/mods-enabled/sql
rlm_sql_mysql: libmysql version: 5.5.53
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server inner-tunnel
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 49975
Listening on proxy address :: port 53635
Ready to process requests
(0) Received Access-Request Id 125 from 192.168.3.190:41615 to 192.168.3.1:1812 length 156
(0) User-Name = "kemi2"
(0) NAS-Identifier = "802aa8907353"
(0) NAS-Port = 0
(0) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(0) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) EAP-Message = 0x0264000a016b656d6932
(0) Message-Authenticator = 0x551b25d8c886a6613c21301ab68859a8
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 100 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 101 length 22
(0) eap: EAP session adding &reply:State = 0x4f4966564f2c62db
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 125 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(0) EAP-Message = 0x0165001604109e4ff055da9c5d053c1cd25e461fa73a
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x4f4966564f2c62db9b244d60b14c09d5
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 126 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(1) User-Name = "kemi2"
(1) NAS-Identifier = "802aa8907353"
(1) NAS-Port = 0
(1) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(1) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) EAP-Message = 0x026500060315
(1) State = 0x4f4966564f2c62db9b244d60b14c09d5
(1) Message-Authenticator = 0x9fe3b6d96ca0ab1e621391cd8fa63216
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 101 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) sql: EXPAND %{User-Name}
(1) sql: --> kemi2
(1) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (0)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(1) sql: User found in radcheck table
(1) sql: Conditional check items matched, merging assignment check items
(1) sql: Cleartext-Password := "1q2w3e4r"
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(1) sql: User found in radreply table, merging reply items
(1) sql: Tunnel-Type := VLAN
(1) sql: Tunnel-Medium-Type := IEEE-802
(1) sql: Tunnel-Private-Group-Id := "5"
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
(1) [sql] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x4f4966564f2c62db
(1) eap: Finished EAP session with state 0x4f4966564f2c62db
(1) eap: Previous EAP request found for state 0x4f4966564f2c62db, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new EAP-TLS session
(1) eap_ttls: Flushing SSL sessions (of #0)
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 102 length 6
(1) eap: EAP session adding &reply:State = 0x4f4966564e2f73db
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 126 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(1) Tunnel-Type = VLAN
(1) Tunnel-Medium-Type = IEEE-802
(1) Tunnel-Private-Group-Id = "5"
(1) EAP-Message = 0x016600061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x4f4966564e2f73db9b244d60b14c09d5
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 127 from 192.168.3.190:41615 to 192.168.3.1:1812 length 363
(2) User-Name = "kemi2"
(2) NAS-Identifier = "802aa8907353"
(2) NAS-Port = 0
(2) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(2) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) EAP-Message = 0x026600c7150016030100bc010000b80301522840b01601790707a03962cf63ef82fb3154ef55e50d6dc280feda4f0a723600004ac014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc00200050004c012c00800160013c0
(2) State = 0x4f4966564e2f73db9b244d60b14c09d5
(2) Message-Authenticator = 0x8f368602331c9001e9e68207b0481a44
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 102 length 199
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x4f4966564e2f73db
(2) eap: Finished EAP session with state 0x4f4966564e2f73db
(2) eap: Previous EAP request found for state 0x4f4966564e2f73db, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before/accept initialization
(2) eap_ttls: TLS_accept: before/accept initialization
(2) eap_ttls: <<< recv TLS 1.0 Handshake [length 00bc], ClientHello
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: >>> send TLS 1.0 Handshake [length 005e], ServerHello
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: TLS_accept: unknown state
(2) eap_ttls: TLS_accept: Need to read more data: unknown state
(2) eap_ttls: TLS_accept: Need to read more data: unknown state
(2) eap_ttls: In SSL Handshake Phase
(2) eap_ttls: In SSL Accept mode
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 103 length 1004
(2) eap: EAP session adding &reply:State = 0x4f4966564d2e73db
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 127 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(2) EAP-Message = 0x016703ec15c000000a94160301005e0200005a03016d75dbf5e162c31cee8780b3494d716b0082a0a80ce1e850a6c0158903eb9a5d20b06b45e38a8a9841539c5ec70b1009e2b5e32153262a1c3c2072ff220a28b7eac014000012ff01000100000b000403000102000f00010116030108d30b0008cf00
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x4f4966564d2e73db9b244d60b14c09d5
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 128 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(3) User-Name = "kemi2"
(3) NAS-Identifier = "802aa8907353"
(3) NAS-Port = 0
(3) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(3) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) EAP-Message = 0x026700061500
(3) State = 0x4f4966564d2e73db9b244d60b14c09d5
(3) Message-Authenticator = 0x00102a3b3bac49a88ccb456c7acb178a
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 103 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x4f4966564d2e73db
(3) eap: Finished EAP session with state 0x4f4966564d2e73db
(3) eap: Previous EAP request found for state 0x4f4966564d2e73db, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 104 length 1004
(3) eap: EAP session adding &reply:State = 0x4f4966564c2173db
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 128 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(3) EAP-Message = 0x016803ec15c000000a944d57088e7a6c8d2858c0a5605a600bd0789ec2972b54e36d010ed759aeaba472a8a530aa337e1005769e8da0b61a9fd7bd397edebd33167c3bdda45d554e47856038f7a0997abf62456272ee5f2498dec6ce756feea02069c35f642c452009e1d902bb02465651b62287e8c438
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x4f4966564c2173db9b244d60b14c09d5
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 129 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(4) User-Name = "kemi2"
(4) NAS-Identifier = "802aa8907353"
(4) NAS-Port = 0
(4) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(4) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) EAP-Message = 0x026800061500
(4) State = 0x4f4966564c2173db9b244d60b14c09d5
(4) Message-Authenticator = 0x8c4046390a9c732d33c94d6e426ed00b
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 104 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x4f4966564c2173db
(4) eap: Finished EAP session with state 0x4f4966564c2173db
(4) eap: Previous EAP request found for state 0x4f4966564c2173db, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 105 length 730
(4) eap: EAP session adding &reply:State = 0x4f4966564b2073db
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 129 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(4) EAP-Message = 0x016902da158000000a94696361746520417574686f72697479820900cc5356c9329d1494300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x4f4966564b2073db9b244d60b14c09d5
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 130 from 192.168.3.190:41615 to 192.168.3.1:1812 length 304
(5) User-Name = "kemi2"
(5) NAS-Identifier = "802aa8907353"
(5) NAS-Port = 0
(5) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(5) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) EAP-Message = 0x0269008c1500160301004610000042410431bea9f56f1dffc9afd166b59b7f2f2db2a46a17886c14468f7b4ecc0693b926d3c41a1f83998784dbf3c532d26ae3e03170fc37d4e950f60e82fc46edacb7991403010001011603010030da6ad5d9d43e15457a329dfcf9a83939968bf391d942d4d2e5ef20
(5) State = 0x4f4966564b2073db9b244d60b14c09d5
(5) Message-Authenticator = 0x6d0bf3a3fe00b5d0fbe74a672e76fe41
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 105 length 140
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x4f4966564b2073db
(5) eap: Finished EAP session with state 0x4f4966564b2073db
(5) eap: Previous EAP request found for state 0x4f4966564b2073db, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_ttls: <<< recv TLS 1.0 Handshake [length 0010], Finished
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: >>> send TLS 1.0 Handshake [length 0010], Finished
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: TLS_accept: unknown state
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: SSL Connection Established
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 106 length 69
(5) eap: EAP session adding &reply:State = 0x4f4966564a2373db
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 130 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(5) EAP-Message = 0x016a004515800000003b1403010001011603010030b88e1441d5d6f7a18262b68bf6907c15930a012973611b25b0fac7471336d9de80405e82321efcecc44368463a419946
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x4f4966564a2373db9b244d60b14c09d5
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 131 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(6) User-Name = "kemi2"
(6) NAS-Identifier = "802aa8907353"
(6) NAS-Port = 0
(6) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(6) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) EAP-Message = 0x026a006015001703010020f9d08dc5582f92d7a7b210be0d72ef2ba00b543946d3a3b3e47cc1ac12e9367b1703010030cc524166a53d7ceae20049dda9213a826355880d484aeb3af555fafc569100637a175fb8430fbc90a4cf2bc68051bf4d
(6) State = 0x4f4966564a2373db9b244d60b14c09d5
(6) Message-Authenticator = 0xe16e5b4b005d956a97c36d7fa75584be
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 106 length 96
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x4f4966564a2373db
(6) eap: Finished EAP session with state 0x4f4966564a2373db
(6) eap: Previous EAP request found for state 0x4f4966564a2373db, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: EAP-Message = 0x0200000a016b656d6932
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Got tunneled identity of kemi2
(6) eap_ttls: Setting default EAP type for tunneled EAP session
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0200000a016b656d6932
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "kemi2"
(6) NAS-Identifier = "802aa8907353"
(6) NAS-Port = 0
(6) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(6) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) Event-Timestamp = "Nov 11 2016 09:45:37 BRST"
(6) NAS-IP-Address = 192.168.3.190
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 0 length 10
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_md5 to process data
(6) eap_md5: Issuing MD5 Challenge
(6) eap: Sending EAP Request (code 1) ID 1 length 22
(6) eap: EAP session adding &reply:State = 0x38adf99038acfdd8
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x010100160410e1ef4adc5aa360cfd0545c0a8d3ce099
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x38adf99038acfdd8b6f9d59935252ce9
(6) eap_ttls: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 107 length 79
(6) eap: EAP session adding &reply:State = 0x4f496656492273db
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 131 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(6) EAP-Message = 0x016b004f15800000004517030100401e50d950c2c3f04299f51bde8a83b30d53f4f735ec97eed9ca184dc1643482c585711db72a1105fcedb6f91611f202951f6870eba3796867761b2c66b4817acc
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x4f496656492273db9b244d60b14c09d5
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 132 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(7) User-Name = "kemi2"
(7) NAS-Identifier = "802aa8907353"
(7) NAS-Port = 0
(7) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(7) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) EAP-Message = 0x026b0060150017030100209076acd072ef861cac1ed72a3c84b9bf9a6865a745da464cb0139c95f0fff5641703010030577d5c3fef8f6fafaff6be6bc5c2552e609a5958163ccad11e4c0642f6782dc524e9ea120d7f94d1cde86b914fa10a7a
(7) State = 0x4f496656492273db9b244d60b14c09d5
(7) Message-Authenticator = 0x2e8140249b8b7bd00c42a359495e82be
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 107 length 96
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x38adf99038acfdd8
(7) eap: Finished EAP session with state 0x4f496656492273db
(7) eap: Previous EAP request found for state 0x4f496656492273db, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: Continuing EAP-TLS
(7) eap_ttls: [eaptls verify] = ok
(7) eap_ttls: Done initial handshake
(7) eap_ttls: [eaptls process] = ok
(7) eap_ttls: Session established. Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls: EAP-Message = 0x02010006031a
(7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x02010006031a
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "kemi2"
(7) State = 0x38adf99038acfdd8b6f9d59935252ce9
(7) NAS-Identifier = "802aa8907353"
(7) NAS-Port = 0
(7) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(7) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) Event-Timestamp = "Nov 11 2016 09:45:37 BRST"
(7) NAS-IP-Address = 192.168.3.190
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql: --> kemi2
(7) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql: Cleartext-Password := "1q2w3e4r"
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(7) sql: User found in radreply table, merging reply items
(7) sql: Tunnel-Type := VLAN
(7) sql: Tunnel-Medium-Type := IEEE-802
(7) sql: Tunnel-Private-Group-Id := "5"
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(7) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
(7) [sql] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x38adf99038acfdd8
(7) eap: Finished EAP session with state 0x38adf99038acfdd8
(7) eap: Previous EAP request found for state 0x38adf99038acfdd8, released from the list
(7) eap: Peer sent packet with method EAP NAK (3)
(7) eap: Found mutually acceptable type MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 2 length 43
(7) eap: EAP session adding &reply:State = 0x38adf99039afe3d8
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Tunnel-Type = VLAN
(7) Tunnel-Medium-Type = IEEE-802
(7) Tunnel-Private-Group-Id = "5"
(7) EAP-Message = 0x0102002b1a010200261022ea131b68e7798b43958f1c6d87dbf9667265657261646975732d332e302e3132
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x38adf99039afe3d8b6f9d59935252ce9
(7) eap_ttls: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 108 length 95
(7) eap: EAP session adding &reply:State = 0x4f496656482573db
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 132 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(7) EAP-Message = 0x016c005f1580000000551703010050d5e519a953e72864f98ba464f66aa1654707ed04d522da8581ff4763f403a4dd9e2c9db7d2b6a55aeea8a5aa28437a1c6650fc0a0a161bf6e3a46d6736a8878aaa4ac19bb457c7a9bc9d7a1078835f6f
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x4f496656482573db9b244d60b14c09d5
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 133 from 192.168.3.190:41615 to 192.168.3.1:1812 length 308
(8) User-Name = "kemi2"
(8) NAS-Identifier = "802aa8907353"
(8) NAS-Port = 0
(8) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(8) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) EAP-Message = 0x026c0090150017030100207856933e6c839cdd9daa977711fbae91806fe9f4119594b5a11effbb5c4e6b93170301006019b59a707c14cf2463ae3fc3efc094a6ad8d5631347add92efeb31032fe20c41fb0a0f4079a4deda15a9431113072dd9ac97232a6ae551bbcb5f5d0621a601c8f200415ff10fa3
(8) State = 0x4f496656482573db9b244d60b14c09d5
(8) Message-Authenticator = 0x0ac33c79e45c15b0ba518cbc2b98c086
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 108 length 144
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x38adf99039afe3d8
(8) eap: Finished EAP session with state 0x4f496656482573db
(8) eap: Previous EAP request found for state 0x4f496656482573db, released from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: Continuing EAP-TLS
(8) eap_ttls: [eaptls verify] = ok
(8) eap_ttls: Done initial handshake
(8) eap_ttls: [eaptls process] = ok
(8) eap_ttls: Session established. Proceeding to decode tunneled attributes
(8) eap_ttls: Got tunneled request
(8) eap_ttls: EAP-Message = 0x020200401a0202003b319b5928208f2c5ceb245f6b654d6ea4e20000000000000000cb334eed02d63ca077e6c022b1d390fd6a971711c91b4b25006b656d6932
(8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_ttls: Sending tunneled request
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020200401a0202003b319b5928208f2c5ceb245f6b654d6ea4e20000000000000000cb334eed02d63ca077e6c022b1d390fd6a971711c91b4b25006b656d6932
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "kemi2"
(8) State = 0x38adf99039afe3d8b6f9d59935252ce9
(8) NAS-Identifier = "802aa8907353"
(8) NAS-Port = 0
(8) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(8) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) Event-Timestamp = "Nov 11 2016 09:45:37 BRST"
(8) NAS-IP-Address = 192.168.3.190
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 64
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> kemi2
(8) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (2)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: Cleartext-Password := "1q2w3e4r"
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(8) sql: User found in radreply table, merging reply items
(8) sql: Tunnel-Type := VLAN
(8) sql: Tunnel-Medium-Type := IEEE-802
(8) sql: Tunnel-Private-Group-Id := "5"
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (2)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x38adf99039afe3d8
(8) eap: Finished EAP session with state 0x38adf99039afe3d8
(8) eap: Previous EAP request found for state 0x38adf99039afe3d8, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: kemi2
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # authenticate = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 3 length 51
(8) eap: EAP session adding &reply:State = 0x38adf9903aaee3d8
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "5"
(8) EAP-Message = 0x010300331a0302002e533d39433330313442304537463241383938393933333439323333463537363941313232383646463139
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x38adf9903aaee3d8b6f9d59935252ce9
(8) eap_ttls: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 109 length 111
(8) eap: EAP session adding &reply:State = 0x4f496656472473db
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 133 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(8) EAP-Message = 0x016d006f15800000006517030100605c1dc1e3a8ce9e83918c5656d21ae90443fbd0194c2c8c2b29e0b7938973feb03dfb81467b951d80fcbe0372f3cb83ac8edb5ea9c204f5f102a111488eff917fa86a00331584104434f5e580f524ecc4707534fd1ed193217dae3d4e81ffe490
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x4f496656472473db9b244d60b14c09d5
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 134 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(9) User-Name = "kemi2"
(9) NAS-Identifier = "802aa8907353"
(9) NAS-Port = 0
(9) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(9) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 0Mbps 802.11b"
(9) EAP-Message = 0x026d0060150017030100204c0df9cb3016bbf3d1ad42d7bff8a590fed743db427848e8054d9f4a8a3630c61703010030b67031ca61625c3f199e51c8fdad3ea0e3ea31945a8b774b0d665ba0a54f3d9cec4a4bc17c2e695ba32aec0256d39f56
(9) State = 0x4f496656472473db9b244d60b14c09d5
(9) Message-Authenticator = 0xcb7f3515edb2ed13d5bfe4a0962b8ff2
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 109 length 96
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x38adf9903aaee3d8
(9) eap: Finished EAP session with state 0x4f496656472473db
(9) eap: Previous EAP request found for state 0x4f496656472473db, released from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: Continuing EAP-TLS
(9) eap_ttls: [eaptls verify] = ok
(9) eap_ttls: Done initial handshake
(9) eap_ttls: [eaptls process] = ok
(9) eap_ttls: Session established. Proceeding to decode tunneled attributes
(9) eap_ttls: Got tunneled request
(9) eap_ttls: EAP-Message = 0x020300061a03
(9) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_ttls: Sending tunneled request
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020300061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "kemi2"
(9) State = 0x38adf9903aaee3d8b6f9d59935252ce9
(9) NAS-Identifier = "802aa8907353"
(9) NAS-Port = 0
(9) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(9) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 0Mbps 802.11b"
(9) Event-Timestamp = "Nov 11 2016 09:45:37 BRST"
(9) NAS-IP-Address = 192.168.3.190
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) sql: EXPAND %{User-Name}
(9) sql: --> kemi2
(9) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (3)
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(9) sql: User found in radcheck table
(9) sql: Conditional check items matched, merging assignment check items
(9) sql: Cleartext-Password := "1q2w3e4r"
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(9) sql: User found in radreply table, merging reply items
(9) sql: Tunnel-Type := VLAN
(9) sql: Tunnel-Medium-Type := IEEE-802
(9) sql: Tunnel-Private-Group-Id := "5"
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(9) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(9) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
(9) [sql] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x38adf9903aaee3d8
(9) eap: Finished EAP session with state 0x38adf9903aaee3d8
(9) eap: Previous EAP request found for state 0x38adf9903aaee3d8, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 3 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) post-auth {
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> kemi2
(9) sql: SQL-User-Name set to 'kemi2'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:37')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:37')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) update {
(9) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(9) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(9) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '5'
(9) &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Required
(9) &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> 4
(9) &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0x3c68a506eff28bfd53df11291b518342
(9) &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0xf2a59965661017a414aaac36ce7f5cf0
(9) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03030004
(9) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(9) &outer.session-state::User-Name += &reply:User-Name[*] -> 'kemi2'
(9) } # update = noop
(9) update outer.session-state {
(9) MS-MPPE-Encryption-Policy !* ANY
(9) MS-MPPE-Encryption-Types !* ANY
(9) MS-MPPE-Send-Key !* ANY
(9) MS-MPPE-Recv-Key !* ANY
(9) Message-Authenticator !* ANY
(9) EAP-Message !* ANY
(9) Proxy-State !* ANY
(9) } # update outer.session-state = noop
(9) } # post-auth = ok
(9) Login OK: [kemi2/<via Auth-Type = eap>] (from client private-network-1 port 0 cli F8-2F-A8-F5-12-97 via TLS tunnel)
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = "5"
(9) MS-MPPE-Encryption-Policy = Encryption-Required
(9) MS-MPPE-Encryption-Types = 4
(9) MS-MPPE-Send-Key = 0x3c68a506eff28bfd53df11291b518342
(9) MS-MPPE-Recv-Key = 0xf2a59965661017a414aaac36ce7f5cf0
(9) EAP-Message = 0x03030004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "kemi2"
(9) eap_ttls: Got tunneled Access-Accept
(9) eap_ttls: caching User-Name = "kemi2"
(9) eap_ttls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(9) eap: Sending EAP Success (code 3) ID 109 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN
(9) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802
(9) &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> '5'
(9) &reply::User-Name += &session-state:User-Name[*] -> 'kemi2'
(9) } # update = noop
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(9) sql: EXPAND %{User-Name}
(9) sql: --> kemi2
(9) sql: SQL-User-Name set to 'kemi2'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:37')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:37')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(9) [sql] = ok
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = ok
(9) Login OK: [kemi2/<via Auth-Type = eap>] (from client private-network-1 port 0 cli F8-2F-A8-F5-12-97)
(9) Sent Access-Accept Id 134 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(9) Tunnel-Type = VLAN
(9) Tunnel-Medium-Type = IEEE-802
(9) Tunnel-Private-Group-Id = "5"
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "kemi2"
(9) MS-MPPE-Recv-Key = 0x7599b8ba8fff9c0b56c61c426c7436f711bf7496255a68a5926d7ca8f922a96e
(9) MS-MPPE-Send-Key = 0x0236c4fa627b6918e0c9c0288667e94ea9a34d30a7da36f3060f6c3b6c4c45a9
(9) EAP-Message = 0x036d0004
(9) Tunnel-Type += VLAN
(9) Tunnel-Medium-Type += IEEE-802
(9) Tunnel-Private-Group-Id += "5"
(9) User-Name += "kemi2"
(9) Finished request
Waking up in 4.8 seconds.
(10) Received Accounting-Request Id 135 from 192.168.3.190:47157 to 192.168.3.1:1813 length 151
(10) Acct-Session-Id = "58258DE7-0000000C"
(10) Acct-Status-Type = Start
(10) Acct-Authentic = RADIUS
(10) User-Name = "kemi2"
(10) NAS-Identifier = "802aa8907353"
(10) NAS-Port = 0
(10) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(10) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(10) NAS-Port-Type = Wireless-802.11
(10) Connect-Info = "CONNECT 0Mbps 802.11b"
(10) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(10) preacct {
(10) [preprocess] = ok
(10) policy acct_unique {
(10) update request {
(10) Tmp-String-9 := "ai:"
(10) } # update request = noop
(10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(10) EXPAND %{hex:&Class}
(10) -->
(10) EXPAND ^%{hex:&Tmp-String-9}
(10) --> ^61693a
(10) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(10) else {
(10) update request {
(10) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(10) --> b999f42c87c638b62266c59b3ab6c37f
(10) &Acct-Unique-Session-Id := b999f42c87c638b62266c59b3ab6c37f
(10) } # update request = noop
(10) } # else = noop
(10) } # policy acct_unique = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) [files] = noop
(10) } # preacct = ok
(10) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(10) accounting {
(10) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(10) detail: --> /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(10) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(10) detail: EXPAND %t
(10) detail: --> Fri Nov 11 09:45:37 2016
(10) [detail] = ok
(10) [unix] = ok
(10) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(10) sql: --> type.start.query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(10) sql: EXPAND %{User-Name}
(10) sql: --> kemi2
(10) sql: SQL-User-Name set to 'kemi2'
(10) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(10) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000C', 'b999f42c87c638b62266c59b3ab6c37f', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864737, 1478864737, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(10) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000C', 'b999f42c87c638b62266c59b3ab6c37f', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864737, 1478864737, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(10) [sql] = ok
(10) [exec] = noop
(10) attr_filter.accounting_response: EXPAND %{User-Name}
(10) attr_filter.accounting_response: --> kemi2
(10) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(10) [attr_filter.accounting_response] = updated
(10) } # accounting = updated
(10) Sent Accounting-Response Id 135 from 192.168.3.1:1813 to 192.168.3.190:47157 length 0
(10) Finished request
(10) Cleaning up request packet ID 135 with timestamp +17
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 125 with timestamp +17
(1) Cleaning up request packet ID 126 with timestamp +17
(2) Cleaning up request packet ID 127 with timestamp +17
(3) Cleaning up request packet ID 128 with timestamp +17
(4) Cleaning up request packet ID 129 with timestamp +17
(5) Cleaning up request packet ID 130 with timestamp +17
(6) Cleaning up request packet ID 131 with timestamp +17
(7) Cleaning up request packet ID 132 with timestamp +17
(8) Cleaning up request packet ID 133 with timestamp +17
(9) Cleaning up request packet ID 134 with timestamp +17
Ready to process requests
(11) Received Accounting-Request Id 136 from 192.168.3.190:47157 to 192.168.3.1:1813 length 193
(11) Acct-Session-Id = "58258DE7-0000000C"
(11) Acct-Status-Type = Stop
(11) Acct-Authentic = RADIUS
(11) User-Name = "kemi2"
(11) NAS-Identifier = "802aa8907353"
(11) NAS-Port = 0
(11) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(11) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(11) NAS-Port-Type = Wireless-802.11
(11) Connect-Info = "CONNECT 0Mbps 802.11b"
(11) Acct-Session-Time = 6
(11) Acct-Input-Packets = 48
(11) Acct-Output-Packets = 40
(11) Acct-Input-Octets = 7359
(11) Acct-Output-Octets = 8793
(11) Event-Timestamp = "Nov 11 2016 09:45:45 BRST"
(11) Acct-Terminate-Cause = User-Request
(11) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(11) preacct {
(11) [preprocess] = ok
(11) policy acct_unique {
(11) update request {
(11) Tmp-String-9 := "ai:"
(11) } # update request = noop
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11) EXPAND %{hex:&Class}
(11) -->
(11) EXPAND ^%{hex:&Tmp-String-9}
(11) --> ^61693a
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(11) else {
(11) update request {
(11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11) --> b999f42c87c638b62266c59b3ab6c37f
(11) &Acct-Unique-Session-Id := b999f42c87c638b62266c59b3ab6c37f
(11) } # update request = noop
(11) } # else = noop
(11) } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) [files] = noop
(11) } # preacct = ok
(11) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(11) accounting {
(11) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail: --> /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(11) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(11) detail: EXPAND %t
(11) detail: --> Fri Nov 11 09:45:44 2016
(11) [detail] = ok
(11) [unix] = ok
(11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(11) sql: --> type.stop.query
(11) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(11) sql: EXPAND %{User-Name}
(11) sql: --> kemi2
(11) sql: SQL-User-Name set to 'kemi2'
(11) sql: EXPAND UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(11) sql: --> UPDATE radacct SET acctstoptime = 1478864745, acctsessiontime = 6, acctinputoctets = 0 << 32 | 7359, acctoutputoctets = 0 << 32 | 8793, acctterminatecause = 'User-Request', connectinfo_stop = 'CONNECT 0Mbps 802.11b' WHERE AcctUniqueId = 'b999f42c87c638b62266c59b3ab6c37f'
(11) sql: Executing query: UPDATE radacct SET acctstoptime = 1478864745, acctsessiontime = 6, acctinputoctets = 0 << 32 | 7359, acctoutputoctets = 0 << 32 | 8793, acctterminatecause = 'User-Request', connectinfo_stop = 'CONNECT 0Mbps 802.11b' WHERE AcctUniqueId = 'b999f42c87c638b62266c59b3ab6c37f'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 1
(11) sql: SQL query returned: success
(11) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
(11) [sql] = ok
(11) [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response: --> kemi2
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11) [attr_filter.accounting_response] = updated
(11) } # accounting = updated
(11) Sent Accounting-Response Id 136 from 192.168.3.1:1813 to 192.168.3.190:47157 length 0
(11) Finished request
(11) Cleaning up request packet ID 136 with timestamp +24
Ready to process requests
(12) Received Access-Request Id 137 from 192.168.3.190:41615 to 192.168.3.1:1812 length 156
(12) User-Name = "kemi2"
(12) NAS-Identifier = "802aa8907353"
(12) NAS-Port = 0
(12) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(12) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(12) Framed-MTU = 1400
(12) NAS-Port-Type = Wireless-802.11
(12) Connect-Info = "CONNECT 0Mbps 802.11b"
(12) EAP-Message = 0x02c5000a016b656d6932
(12) Message-Authenticator = 0xf21a7ad6d91552fc26134d4b52f95123
(12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 197 length 10
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_md5 to process data
(12) eap_md5: Issuing MD5 Challenge
(12) eap: Sending EAP Request (code 1) ID 198 length 22
(12) eap: EAP session adding &reply:State = 0x2c74ef782cb2ebf8
(12) [eap] = handled
(12) } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12) Sent Access-Challenge Id 137 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(12) EAP-Message = 0x01c600160410dcda2d0b51dfd9d51534a7e952968d9e
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x2c74ef782cb2ebf8c3c1b6629de18c5a
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 138 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(13) User-Name = "kemi2"
(13) NAS-Identifier = "802aa8907353"
(13) NAS-Port = 0
(13) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(13) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(13) Framed-MTU = 1400
(13) NAS-Port-Type = Wireless-802.11
(13) Connect-Info = "CONNECT 0Mbps 802.11b"
(13) EAP-Message = 0x02c600060315
(13) State = 0x2c74ef782cb2ebf8c3c1b6629de18c5a
(13) Message-Authenticator = 0xdaeb6ced88ac59b4fd3e295253fadb24
(13) session-state: No cached attributes
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 198 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) [files] = noop
(13) sql: EXPAND %{User-Name}
(13) sql: --> kemi2
(13) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (2)
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(13) sql: User found in radcheck table
(13) sql: Conditional check items matched, merging assignment check items
(13) sql: Cleartext-Password := "1q2w3e4r"
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(13) sql: User found in radreply table, merging reply items
(13) sql: Tunnel-Type := VLAN
(13) sql: Tunnel-Medium-Type := IEEE-802
(13) sql: Tunnel-Private-Group-Id := "5"
(13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(13) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(13) sql: User not found in any groups
rlm_sql (sql): Released connection (2)
rlm_sql (sql): Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
(13) [sql] = ok
(13) [expiration] = noop
(13) [logintime] = noop
(13) pap: WARNING: Auth-Type already set. Not setting to PAP
(13) [pap] = noop
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0x2c74ef782cb2ebf8
(13) eap: Finished EAP session with state 0x2c74ef782cb2ebf8
(13) eap: Previous EAP request found for state 0x2c74ef782cb2ebf8, released from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type TTLS (21)
(13) eap: Calling submodule eap_ttls to process data
(13) eap_ttls: Initiating new EAP-TLS session
(13) eap_ttls: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 199 length 6
(13) eap: EAP session adding &reply:State = 0x2c74ef782db3faf8
(13) [eap] = handled
(13) } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13) Sent Access-Challenge Id 138 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(13) Tunnel-Type = VLAN
(13) Tunnel-Medium-Type = IEEE-802
(13) Tunnel-Private-Group-Id = "5"
(13) EAP-Message = 0x01c700061520
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x2c74ef782db3faf8c3c1b6629de18c5a
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 139 from 192.168.3.190:41615 to 192.168.3.1:1812 length 363
(14) User-Name = "kemi2"
(14) NAS-Identifier = "802aa8907353"
(14) NAS-Port = 0
(14) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(14) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(14) Framed-MTU = 1400
(14) NAS-Port-Type = Wireless-802.11
(14) Connect-Info = "CONNECT 0Mbps 802.11b"
(14) EAP-Message = 0x02c700c7150016030100bc010000b80301473417eb7bd5bbb98c652f5dde89f77a721fb6bd2b7f3a6f09efe3ed9b8500bf00004ac014c00a0039003800880087c00fc00500350084c013c00900330032009a009900450044c00ec004002f00960041c011c007c00cc00200050004c012c00800160013c0
(14) State = 0x2c74ef782db3faf8c3c1b6629de18c5a
(14) Message-Authenticator = 0xdc136e929fa0ffdb7459e0ecb12f2bf6
(14) session-state: No cached attributes
(14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 199 length 199
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0x2c74ef782db3faf8
(14) eap: Finished EAP session with state 0x2c74ef782db3faf8
(14) eap: Previous EAP request found for state 0x2c74ef782db3faf8, released from the list
(14) eap: Peer sent packet with method EAP TTLS (21)
(14) eap: Calling submodule eap_ttls to process data
(14) eap_ttls: Authenticate
(14) eap_ttls: Continuing EAP-TLS
(14) eap_ttls: [eaptls verify] = ok
(14) eap_ttls: Done initial handshake
(14) eap_ttls: (other): before/accept initialization
(14) eap_ttls: TLS_accept: before/accept initialization
(14) eap_ttls: <<< recv TLS 1.0 Handshake [length 00bc], ClientHello
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: >>> send TLS 1.0 Handshake [length 005e], ServerHello
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: TLS_accept: unknown state
(14) eap_ttls: TLS_accept: Need to read more data: unknown state
(14) eap_ttls: TLS_accept: Need to read more data: unknown state
(14) eap_ttls: In SSL Handshake Phase
(14) eap_ttls: In SSL Accept mode
(14) eap_ttls: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 200 length 1004
(14) eap: EAP session adding &reply:State = 0x2c74ef782ebcfaf8
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 139 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(14) EAP-Message = 0x01c803ec15c000000a94160301005e0200005a0301c14130efa45d86f7882e9209369b5bf7dad9a1ee4cce4575b870498a5d410a5c20c4b9d08c4e7df7023cdd73405f38be9c53ed140c5db1080a6f57ad34c26c0aa4c014000012ff01000100000b000403000102000f00010116030108d30b0008cf00
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x2c74ef782ebcfaf8c3c1b6629de18c5a
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 140 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(15) User-Name = "kemi2"
(15) NAS-Identifier = "802aa8907353"
(15) NAS-Port = 0
(15) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(15) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(15) Framed-MTU = 1400
(15) NAS-Port-Type = Wireless-802.11
(15) Connect-Info = "CONNECT 0Mbps 802.11b"
(15) EAP-Message = 0x02c800061500
(15) State = 0x2c74ef782ebcfaf8c3c1b6629de18c5a
(15) Message-Authenticator = 0xcb2cb7bc1e2e074f9f9f25ad240fdcdb
(15) session-state: No cached attributes
(15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 200 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15) authenticate {
(15) eap: Expiring EAP session with state 0x2c74ef782ebcfaf8
(15) eap: Finished EAP session with state 0x2c74ef782ebcfaf8
(15) eap: Previous EAP request found for state 0x2c74ef782ebcfaf8, released from the list
(15) eap: Peer sent packet with method EAP TTLS (21)
(15) eap: Calling submodule eap_ttls to process data
(15) eap_ttls: Authenticate
(15) eap_ttls: Continuing EAP-TLS
(15) eap_ttls: Peer ACKed our handshake fragment
(15) eap_ttls: [eaptls verify] = request
(15) eap_ttls: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 201 length 1004
(15) eap: EAP session adding &reply:State = 0x2c74ef782fbdfaf8
(15) [eap] = handled
(15) } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15) Sent Access-Challenge Id 140 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(15) EAP-Message = 0x01c903ec15c000000a944d57088e7a6c8d2858c0a5605a600bd0789ec2972b54e36d010ed759aeaba472a8a530aa337e1005769e8da0b61a9fd7bd397edebd33167c3bdda45d554e47856038f7a0997abf62456272ee5f2498dec6ce756feea02069c35f642c452009e1d902bb02465651b62287e8c438
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x2c74ef782fbdfaf8c3c1b6629de18c5a
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 141 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(16) User-Name = "kemi2"
(16) NAS-Identifier = "802aa8907353"
(16) NAS-Port = 0
(16) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(16) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(16) Framed-MTU = 1400
(16) NAS-Port-Type = Wireless-802.11
(16) Connect-Info = "CONNECT 0Mbps 802.11b"
(16) EAP-Message = 0x02c900061500
(16) State = 0x2c74ef782fbdfaf8c3c1b6629de18c5a
(16) Message-Authenticator = 0x15d29ccc3b5beac872971b3df55a3ea3
(16) session-state: No cached attributes
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 201 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16) authenticate {
(16) eap: Expiring EAP session with state 0x2c74ef782fbdfaf8
(16) eap: Finished EAP session with state 0x2c74ef782fbdfaf8
(16) eap: Previous EAP request found for state 0x2c74ef782fbdfaf8, released from the list
(16) eap: Peer sent packet with method EAP TTLS (21)
(16) eap: Calling submodule eap_ttls to process data
(16) eap_ttls: Authenticate
(16) eap_ttls: Continuing EAP-TLS
(16) eap_ttls: Peer ACKed our handshake fragment
(16) eap_ttls: [eaptls verify] = request
(16) eap_ttls: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 202 length 730
(16) eap: EAP session adding &reply:State = 0x2c74ef7828befaf8
(16) [eap] = handled
(16) } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16) Sent Access-Challenge Id 141 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(16) EAP-Message = 0x01ca02da158000000a94696361746520417574686f72697479820900cc5356c9329d1494300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x2c74ef7828befaf8c3c1b6629de18c5a
(16) Finished request
Waking up in 4.9 seconds.
(17) Received Access-Request Id 142 from 192.168.3.190:41615 to 192.168.3.1:1812 length 304
(17) User-Name = "kemi2"
(17) NAS-Identifier = "802aa8907353"
(17) NAS-Port = 0
(17) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(17) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(17) Framed-MTU = 1400
(17) NAS-Port-Type = Wireless-802.11
(17) Connect-Info = "CONNECT 0Mbps 802.11b"
(17) EAP-Message = 0x02ca008c15001603010046100000424104814297ea0f4c491e6ba6491db4f3b4f72b4e6856df9f97b90ca779f5bfb4025b635826adf387ef7edc2b165e494b6007189ad7e284264919fd89a153b30220e91403010001011603010030a127fde86fbf398652461aac681d2951510442613d78e09f586060
(17) State = 0x2c74ef7828befaf8c3c1b6629de18c5a
(17) Message-Authenticator = 0x173d177fcdf76d0b12062487d6483ded
(17) session-state: No cached attributes
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 202 length 140
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17) authenticate {
(17) eap: Expiring EAP session with state 0x2c74ef7828befaf8
(17) eap: Finished EAP session with state 0x2c74ef7828befaf8
(17) eap: Previous EAP request found for state 0x2c74ef7828befaf8, released from the list
(17) eap: Peer sent packet with method EAP TTLS (21)
(17) eap: Calling submodule eap_ttls to process data
(17) eap_ttls: Authenticate
(17) eap_ttls: Continuing EAP-TLS
(17) eap_ttls: [eaptls verify] = ok
(17) eap_ttls: Done initial handshake
(17) eap_ttls: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(17) eap_ttls: <<< recv TLS 1.0 Handshake [length 0010], Finished
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: >>> send TLS 1.0 Handshake [length 0010], Finished
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: TLS_accept: unknown state
(17) eap_ttls: (other): SSL negotiation finished successfully
(17) eap_ttls: SSL Connection Established
(17) eap_ttls: [eaptls process] = handled
(17) eap: Sending EAP Request (code 1) ID 203 length 69
(17) eap: EAP session adding &reply:State = 0x2c74ef7829bffaf8
(17) [eap] = handled
(17) } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17) Sent Access-Challenge Id 142 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(17) EAP-Message = 0x01cb004515800000003b14030100010116030100308798d76f9a4b494f73a240f22b17758eec9021e8dfba4c0294b8859ff9b54845c216d0b3d9636be4bf4f3bba1ec51947
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x2c74ef7829bffaf8c3c1b6629de18c5a
(17) Finished request
Waking up in 4.9 seconds.
(18) Received Access-Request Id 143 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(18) User-Name = "kemi2"
(18) NAS-Identifier = "802aa8907353"
(18) NAS-Port = 0
(18) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(18) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(18) Framed-MTU = 1400
(18) NAS-Port-Type = Wireless-802.11
(18) Connect-Info = "CONNECT 0Mbps 802.11b"
(18) EAP-Message = 0x02cb0060150017030100204504f794c59538e03ced13cd47710fae7261370b1aa556156a12d6f5c43bb0ac17030100305e8518c127dd5ebf61151b5e9ef86b6f9c3f73547c51896865d48390ba69aaa61d3123cb3c7682dd446f0d36b0c08e61
(18) State = 0x2c74ef7829bffaf8c3c1b6629de18c5a
(18) Message-Authenticator = 0x391fbe1e8f20775844512f80e8ef9278
(18) session-state: No cached attributes
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 203 length 96
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18) authenticate {
(18) eap: Expiring EAP session with state 0x2c74ef7829bffaf8
(18) eap: Finished EAP session with state 0x2c74ef7829bffaf8
(18) eap: Previous EAP request found for state 0x2c74ef7829bffaf8, released from the list
(18) eap: Peer sent packet with method EAP TTLS (21)
(18) eap: Calling submodule eap_ttls to process data
(18) eap_ttls: Authenticate
(18) eap_ttls: Continuing EAP-TLS
(18) eap_ttls: [eaptls verify] = ok
(18) eap_ttls: Done initial handshake
(18) eap_ttls: [eaptls process] = ok
(18) eap_ttls: Session established. Proceeding to decode tunneled attributes
(18) eap_ttls: Got tunneled request
(18) eap_ttls: EAP-Message = 0x0200000a016b656d6932
(18) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_ttls: Got tunneled identity of kemi2
(18) eap_ttls: Setting default EAP type for tunneled EAP session
(18) eap_ttls: Sending tunneled request
(18) Virtual server inner-tunnel received request
(18) EAP-Message = 0x0200000a016b656d6932
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "kemi2"
(18) NAS-Identifier = "802aa8907353"
(18) NAS-Port = 0
(18) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(18) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(18) Framed-MTU = 1400
(18) NAS-Port-Type = Wireless-802.11
(18) Connect-Info = "CONNECT 0Mbps 802.11b"
(18) Event-Timestamp = "Nov 11 2016 09:45:48 BRST"
(18) NAS-IP-Address = 192.168.3.190
(18) WARNING: Outer and inner identities are the same. User privacy is compromised.
(18) server inner-tunnel {
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [chap] = noop
(18) [mschap] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) update control {
(18) &Proxy-To-Realm := LOCAL
(18) } # update control = noop
(18) eap: Peer sent EAP Response (code 2) ID 0 length 10
(18) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) authenticate {
(18) eap: Peer sent packet with method EAP Identity (1)
(18) eap: Calling submodule eap_md5 to process data
(18) eap_md5: Issuing MD5 Challenge
(18) eap: Sending EAP Request (code 1) ID 1 length 22
(18) eap: EAP session adding &reply:State = 0x2e3b0b4f2e3a0f47
(18) [eap] = handled
(18) } # authenticate = handled
(18) } # server inner-tunnel
(18) Virtual server sending reply
(18) EAP-Message = 0x010100160410a5a0ab7d92a6b93b8f7f1e26edf406d0
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x2e3b0b4f2e3a0f47ef4738bb329cb3c2
(18) eap_ttls: Got tunneled Access-Challenge
(18) eap: Sending EAP Request (code 1) ID 204 length 79
(18) eap: EAP session adding &reply:State = 0x2c74ef782ab8faf8
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 143 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(18) EAP-Message = 0x01cc004f1580000000451703010040c261e047a2b5c3d2e86575d464f2cea5842853da5065c3ddb19dead37c4258c6e8a96aee86ab6d77a1a8d3601104f10db4c273f1c7ae9ca28a13c57e7d842787
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x2c74ef782ab8faf8c3c1b6629de18c5a
(18) Finished request
Waking up in 4.9 seconds.
(19) Received Access-Request Id 144 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(19) User-Name = "kemi2"
(19) NAS-Identifier = "802aa8907353"
(19) NAS-Port = 0
(19) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(19) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(19) Framed-MTU = 1400
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 0Mbps 802.11b"
(19) EAP-Message = 0x02cc0060150017030100200e5a5425fa65d55f0a1dfcd6d5a60e8eecd23672a464de01a0f073c3531fa771170301003053d37f96e802c39ef24507ef9587e2a182feba7b3d3f0a6c5c8e9d36d514c5b5484f341dc349143aa1bf168b0961988d
(19) State = 0x2c74ef782ab8faf8c3c1b6629de18c5a
(19) Message-Authenticator = 0x0305645476fd797b8601544f73a6d3c7
(19) session-state: No cached attributes
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 204 length 96
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0x2e3b0b4f2e3a0f47
(19) eap: Finished EAP session with state 0x2c74ef782ab8faf8
(19) eap: Previous EAP request found for state 0x2c74ef782ab8faf8, released from the list
(19) eap: Peer sent packet with method EAP TTLS (21)
(19) eap: Calling submodule eap_ttls to process data
(19) eap_ttls: Authenticate
(19) eap_ttls: Continuing EAP-TLS
(19) eap_ttls: [eaptls verify] = ok
(19) eap_ttls: Done initial handshake
(19) eap_ttls: [eaptls process] = ok
(19) eap_ttls: Session established. Proceeding to decode tunneled attributes
(19) eap_ttls: Got tunneled request
(19) eap_ttls: EAP-Message = 0x02010006031a
(19) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_ttls: Sending tunneled request
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x02010006031a
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "kemi2"
(19) State = 0x2e3b0b4f2e3a0f47ef4738bb329cb3c2
(19) NAS-Identifier = "802aa8907353"
(19) NAS-Port = 0
(19) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(19) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(19) Framed-MTU = 1400
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 0Mbps 802.11b"
(19) Event-Timestamp = "Nov 11 2016 09:45:48 BRST"
(19) NAS-IP-Address = 192.168.3.190
(19) WARNING: Outer and inner identities are the same. User privacy is compromised.
(19) server inner-tunnel {
(19) session-state: No cached attributes
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 1 length 6
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) [files] = noop
(19) sql: EXPAND %{User-Name}
(19) sql: --> kemi2
(19) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (3)
(19) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(19) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(19) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(19) sql: User found in radcheck table
(19) sql: Conditional check items matched, merging assignment check items
(19) sql: Cleartext-Password := "1q2w3e4r"
(19) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(19) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(19) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(19) sql: User found in radreply table, merging reply items
(19) sql: Tunnel-Type := VLAN
(19) sql: Tunnel-Medium-Type := IEEE-802
(19) sql: Tunnel-Private-Group-Id := "5"
(19) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(19) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(19) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(19) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
(19) [sql] = ok
(19) [expiration] = noop
(19) [logintime] = noop
(19) pap: WARNING: Auth-Type already set. Not setting to PAP
(19) [pap] = noop
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Expiring EAP session with state 0x2e3b0b4f2e3a0f47
(19) eap: Finished EAP session with state 0x2e3b0b4f2e3a0f47
(19) eap: Previous EAP request found for state 0x2e3b0b4f2e3a0f47, released from the list
(19) eap: Peer sent packet with method EAP NAK (3)
(19) eap: Found mutually acceptable type MSCHAPv2 (26)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: Issuing Challenge
(19) eap: Sending EAP Request (code 1) ID 2 length 43
(19) eap: EAP session adding &reply:State = 0x2e3b0b4f2f391147
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) Tunnel-Type = VLAN
(19) Tunnel-Medium-Type = IEEE-802
(19) Tunnel-Private-Group-Id = "5"
(19) EAP-Message = 0x0102002b1a01020026109b4c82d84f0296fc2f0d92b539f31d66667265657261646975732d332e302e3132
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x2e3b0b4f2f391147ef4738bb329cb3c2
(19) eap_ttls: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 205 length 95
(19) eap: EAP session adding &reply:State = 0x2c74ef782bb9faf8
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 144 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(19) EAP-Message = 0x01cd005f1580000000551703010050b3f668b1b62f0b987d1243daaaebff372f78cfc37d2360babb608726c6791fdfd9e2e7e73573584741dd88ae2508349fadef1f11c0347ba1121641bcbeb0eadfb64e57f2ed2ac97456ef4317186de2c7
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x2c74ef782bb9faf8c3c1b6629de18c5a
(19) Finished request
Waking up in 4.8 seconds.
(20) Received Access-Request Id 145 from 192.168.3.190:41615 to 192.168.3.1:1812 length 308
(20) User-Name = "kemi2"
(20) NAS-Identifier = "802aa8907353"
(20) NAS-Port = 0
(20) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(20) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(20) Framed-MTU = 1400
(20) NAS-Port-Type = Wireless-802.11
(20) Connect-Info = "CONNECT 0Mbps 802.11b"
(20) EAP-Message = 0x02cd0090150017030100202a9be3d8983e0b74d482e4b7da23d39e5fd4d6d1b504a2227eed8f1d42b187da1703010060de9db812f5df8bf140eb60cb8160c125064226736de28ef59b9f985722ed6e3a0d526d4b432151da9d077c294407c117b86f53a899e13ccb3decbea0927ad34b3a7a8ba8ab80e3
(20) State = 0x2c74ef782bb9faf8c3c1b6629de18c5a
(20) Message-Authenticator = 0x465b60d9564ed9b4223fd8c75907cba2
(20) session-state: No cached attributes
(20) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 205 length 144
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0x2e3b0b4f2f391147
(20) eap: Finished EAP session with state 0x2c74ef782bb9faf8
(20) eap: Previous EAP request found for state 0x2c74ef782bb9faf8, released from the list
(20) eap: Peer sent packet with method EAP TTLS (21)
(20) eap: Calling submodule eap_ttls to process data
(20) eap_ttls: Authenticate
(20) eap_ttls: Continuing EAP-TLS
(20) eap_ttls: [eaptls verify] = ok
(20) eap_ttls: Done initial handshake
(20) eap_ttls: [eaptls process] = ok
(20) eap_ttls: Session established. Proceeding to decode tunneled attributes
(20) eap_ttls: Got tunneled request
(20) eap_ttls: EAP-Message = 0x020200401a0202003b3106da263db71bdcb26c678457ce45c3fc0000000000000000d0194188b4bac79044f6f181df70af8218d930540a1a01d2006b656d6932
(20) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_ttls: Sending tunneled request
(20) Virtual server inner-tunnel received request
(20) EAP-Message = 0x020200401a0202003b3106da263db71bdcb26c678457ce45c3fc0000000000000000d0194188b4bac79044f6f181df70af8218d930540a1a01d2006b656d6932
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "kemi2"
(20) State = 0x2e3b0b4f2f391147ef4738bb329cb3c2
(20) NAS-Identifier = "802aa8907353"
(20) NAS-Port = 0
(20) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(20) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(20) Framed-MTU = 1400
(20) NAS-Port-Type = Wireless-802.11
(20) Connect-Info = "CONNECT 0Mbps 802.11b"
(20) Event-Timestamp = "Nov 11 2016 09:45:48 BRST"
(20) NAS-IP-Address = 192.168.3.190
(20) WARNING: Outer and inner identities are the same. User privacy is compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 2 length 64
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) [files] = noop
(20) sql: EXPAND %{User-Name}
(20) sql: --> kemi2
(20) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (4)
(20) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(20) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(20) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(20) sql: User found in radcheck table
(20) sql: Conditional check items matched, merging assignment check items
(20) sql: Cleartext-Password := "1q2w3e4r"
(20) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(20) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(20) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(20) sql: User found in radreply table, merging reply items
(20) sql: Tunnel-Type := VLAN
(20) sql: Tunnel-Medium-Type := IEEE-802
(20) sql: Tunnel-Private-Group-Id := "5"
(20) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(20) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(20) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(20) sql: User not found in any groups
rlm_sql (sql): Released connection (4)
(20) [sql] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x2e3b0b4f2f391147
(20) eap: Finished EAP session with state 0x2e3b0b4f2f391147
(20) eap: Previous EAP request found for state 0x2e3b0b4f2f391147, released from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) eap_mschapv2: authenticate {
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Found Cleartext-Password, hashing to create LM-Password
(20) mschap: Creating challenge hash with username: kemi2
(20) mschap: Client is using MS-CHAPv2
(20) mschap: Adding MS-CHAPv2 MPPE keys
(20) [mschap] = ok
(20) } # authenticate = ok
(20) MSCHAP Success
(20) eap: Sending EAP Request (code 1) ID 3 length 51
(20) eap: EAP session adding &reply:State = 0x2e3b0b4f2c381147
(20) [eap] = handled
(20) } # authenticate = handled
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) Tunnel-Type = VLAN
(20) Tunnel-Medium-Type = IEEE-802
(20) Tunnel-Private-Group-Id = "5"
(20) EAP-Message = 0x010300331a0302002e533d45344430453546443945423945413135323239423038363530443730333541323243423636393035
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x2e3b0b4f2c381147ef4738bb329cb3c2
(20) eap_ttls: Got tunneled Access-Challenge
(20) eap: Sending EAP Request (code 1) ID 206 length 111
(20) eap: EAP session adding &reply:State = 0x2c74ef7824bafaf8
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20) Sent Access-Challenge Id 145 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(20) EAP-Message = 0x01ce006f158000000065170301006072f9feae450638a406b199e29763ff68eeaf352be2a1d2e2e72d95e47af329cc53e83c5ae5b0620df47c6eefc5aeed22da64bc589c38e31cd34b0420e1cd589100ada5b1a1e69ffd8684b1c6624447432fe98c3dab40e930ea3baa04d253a48d
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x2c74ef7824bafaf8c3c1b6629de18c5a
(20) Finished request
Waking up in 4.8 seconds.
(21) Received Access-Request Id 146 from 192.168.3.190:41615 to 192.168.3.1:1812 length 260
(21) User-Name = "kemi2"
(21) NAS-Identifier = "802aa8907353"
(21) NAS-Port = 0
(21) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(21) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(21) Framed-MTU = 1400
(21) NAS-Port-Type = Wireless-802.11
(21) Connect-Info = "CONNECT 0Mbps 802.11b"
(21) EAP-Message = 0x02ce0060150017030100206e87b652f66c53a556908b8bd16b06b56da968038718298b8ae898f377cb7d361703010030fa073c93e97c1e555d6c81e56bdb47049ee48b9b93e253c8d3a96008b29ab4ce0076db5c5db8fedacb6cc34d695d8992
(21) State = 0x2c74ef7824bafaf8c3c1b6629de18c5a
(21) Message-Authenticator = 0x7e21ac6526d18e5052cb4ea0e12f373a
(21) session-state: No cached attributes
(21) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 206 length 96
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0x2e3b0b4f2c381147
(21) eap: Finished EAP session with state 0x2c74ef7824bafaf8
(21) eap: Previous EAP request found for state 0x2c74ef7824bafaf8, released from the list
(21) eap: Peer sent packet with method EAP TTLS (21)
(21) eap: Calling submodule eap_ttls to process data
(21) eap_ttls: Authenticate
(21) eap_ttls: Continuing EAP-TLS
(21) eap_ttls: [eaptls verify] = ok
(21) eap_ttls: Done initial handshake
(21) eap_ttls: [eaptls process] = ok
(21) eap_ttls: Session established. Proceeding to decode tunneled attributes
(21) eap_ttls: Got tunneled request
(21) eap_ttls: EAP-Message = 0x020300061a03
(21) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(21) eap_ttls: Sending tunneled request
(21) Virtual server inner-tunnel received request
(21) EAP-Message = 0x020300061a03
(21) FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "kemi2"
(21) State = 0x2e3b0b4f2c381147ef4738bb329cb3c2
(21) NAS-Identifier = "802aa8907353"
(21) NAS-Port = 0
(21) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(21) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(21) Framed-MTU = 1400
(21) NAS-Port-Type = Wireless-802.11
(21) Connect-Info = "CONNECT 0Mbps 802.11b"
(21) Event-Timestamp = "Nov 11 2016 09:45:48 BRST"
(21) NAS-IP-Address = 192.168.3.190
(21) WARNING: Outer and inner identities are the same. User privacy is compromised.
(21) server inner-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [chap] = noop
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 3 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) [files] = noop
(21) sql: EXPAND %{User-Name}
(21) sql: --> kemi2
(21) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (0)
(21) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(21) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(21) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(21) sql: User found in radcheck table
(21) sql: Conditional check items matched, merging assignment check items
(21) sql: Cleartext-Password := "1q2w3e4r"
(21) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(21) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(21) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(21) sql: User found in radreply table, merging reply items
(21) sql: Tunnel-Type := VLAN
(21) sql: Tunnel-Medium-Type := IEEE-802
(21) sql: Tunnel-Private-Group-Id := "5"
(21) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(21) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(21) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(21) sql: User not found in any groups
rlm_sql (sql): Released connection (0)
(21) [sql] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) pap: WARNING: Auth-Type already set. Not setting to PAP
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x2e3b0b4f2c381147
(21) eap: Finished EAP session with state 0x2e3b0b4f2c381147
(21) eap: Previous EAP request found for state 0x2e3b0b4f2c381147, released from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap: Sending EAP Success (code 3) ID 3 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(21) post-auth {
(21) sql: EXPAND .query
(21) sql: --> .query
(21) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(21) sql: EXPAND %{User-Name}
(21) sql: --> kemi2
(21) sql: SQL-User-Name set to 'kemi2'
(21) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(21) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:48')
(21) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:48')
(21) sql: SQL query returned: success
(21) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(21) [sql] = ok
(21) update {
(21) &outer.session-state::Tunnel-Type += &reply:Tunnel-Type[*] -> VLAN
(21) &outer.session-state::Tunnel-Medium-Type += &reply:Tunnel-Medium-Type[*] -> IEEE-802
(21) &outer.session-state::Tunnel-Private-Group-Id += &reply:Tunnel-Private-Group-Id[*] -> '5'
(21) &outer.session-state::MS-MPPE-Encryption-Policy += &reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Required
(21) &outer.session-state::MS-MPPE-Encryption-Types += &reply:MS-MPPE-Encryption-Types[*] -> 4
(21) &outer.session-state::MS-MPPE-Send-Key += &reply:MS-MPPE-Send-Key[*] -> 0xbb31efacda0760266cc3ba3d7a835735
(21) &outer.session-state::MS-MPPE-Recv-Key += &reply:MS-MPPE-Recv-Key[*] -> 0xe787005b71110e9e53e2f9cd4bff5060
(21) &outer.session-state::EAP-Message += &reply:EAP-Message[*] -> 0x03030004
(21) &outer.session-state::Message-Authenticator += &reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(21) &outer.session-state::User-Name += &reply:User-Name[*] -> 'kemi2'
(21) } # update = noop
(21) update outer.session-state {
(21) MS-MPPE-Encryption-Policy !* ANY
(21) MS-MPPE-Encryption-Types !* ANY
(21) MS-MPPE-Send-Key !* ANY
(21) MS-MPPE-Recv-Key !* ANY
(21) Message-Authenticator !* ANY
(21) EAP-Message !* ANY
(21) Proxy-State !* ANY
(21) } # update outer.session-state = noop
(21) } # post-auth = ok
(21) Login OK: [kemi2/<via Auth-Type = eap>] (from client private-network-1 port 0 cli F8-2F-A8-F5-12-97 via TLS tunnel)
(21) } # server inner-tunnel
(21) Virtual server sending reply
(21) Tunnel-Type = VLAN
(21) Tunnel-Medium-Type = IEEE-802
(21) Tunnel-Private-Group-Id = "5"
(21) MS-MPPE-Encryption-Policy = Encryption-Required
(21) MS-MPPE-Encryption-Types = 4
(21) MS-MPPE-Send-Key = 0xbb31efacda0760266cc3ba3d7a835735
(21) MS-MPPE-Recv-Key = 0xe787005b71110e9e53e2f9cd4bff5060
(21) EAP-Message = 0x03030004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "kemi2"
(21) eap_ttls: Got tunneled Access-Accept
(21) eap_ttls: caching User-Name = "kemi2"
(21) eap_ttls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
(21) eap: Sending EAP Success (code 3) ID 206 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(21) post-auth {
(21) update {
(21) &reply::Tunnel-Type += &session-state:Tunnel-Type[*] -> VLAN
(21) &reply::Tunnel-Medium-Type += &session-state:Tunnel-Medium-Type[*] -> IEEE-802
(21) &reply::Tunnel-Private-Group-Id += &session-state:Tunnel-Private-Group-Id[*] -> '5'
(21) &reply::User-Name += &session-state:User-Name[*] -> 'kemi2'
(21) } # update = noop
(21) sql: EXPAND .query
(21) sql: --> .query
(21) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(21) sql: EXPAND %{User-Name}
(21) sql: --> kemi2
(21) sql: SQL-User-Name set to 'kemi2'
(21) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(21) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:48')
(21) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:48')
(21) sql: SQL query returned: success
(21) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(21) [sql] = ok
(21) [exec] = noop
(21) policy remove_reply_message_if_eap {
(21) if (&reply:EAP-Message && &reply:Reply-Message) {
(21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(21) else {
(21) [noop] = noop
(21) } # else = noop
(21) } # policy remove_reply_message_if_eap = noop
(21) } # post-auth = ok
(21) Login OK: [kemi2/<via Auth-Type = eap>] (from client private-network-1 port 0 cli F8-2F-A8-F5-12-97)
(21) Sent Access-Accept Id 146 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(21) Tunnel-Type = VLAN
(21) Tunnel-Medium-Type = IEEE-802
(21) Tunnel-Private-Group-Id = "5"
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "kemi2"
(21) MS-MPPE-Recv-Key = 0xf8337cf6b099de571ef03ec45ed1e305b62bb33d435c87b31c7dfd7ad7f7adf7
(21) MS-MPPE-Send-Key = 0x40c668cbc79a247b437575087b2dbb23513d9d0575e6b459b30eb5957fcb7182
(21) EAP-Message = 0x03ce0004
(21) Tunnel-Type += VLAN
(21) Tunnel-Medium-Type += IEEE-802
(21) Tunnel-Private-Group-Id += "5"
(21) User-Name += "kemi2"
(21) Finished request
Waking up in 4.7 seconds.
(22) Received Accounting-Request Id 147 from 192.168.3.190:47157 to 192.168.3.1:1813 length 151
(22) Acct-Session-Id = "58258DE7-0000000D"
(22) Acct-Status-Type = Start
(22) Acct-Authentic = RADIUS
(22) User-Name = "kemi2"
(22) NAS-Identifier = "802aa8907353"
(22) NAS-Port = 0
(22) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(22) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(22) NAS-Port-Type = Wireless-802.11
(22) Connect-Info = "CONNECT 0Mbps 802.11b"
(22) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(22) preacct {
(22) [preprocess] = ok
(22) policy acct_unique {
(22) update request {
(22) Tmp-String-9 := "ai:"
(22) } # update request = noop
(22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(22) EXPAND %{hex:&Class}
(22) -->
(22) EXPAND ^%{hex:&Tmp-String-9}
(22) --> ^61693a
(22) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(22) else {
(22) update request {
(22) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(22) --> f124b2466dd83e26dae74c3fffb49656
(22) &Acct-Unique-Session-Id := f124b2466dd83e26dae74c3fffb49656
(22) } # update request = noop
(22) } # else = noop
(22) } # policy acct_unique = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) [files] = noop
(22) } # preacct = ok
(22) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(22) accounting {
(22) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(22) detail: --> /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(22) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(22) detail: EXPAND %t
(22) detail: --> Fri Nov 11 09:45:48 2016
(22) [detail] = ok
(22) [unix] = ok
(22) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(22) sql: --> type.start.query
(22) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (6)
(22) sql: EXPAND %{User-Name}
(22) sql: --> kemi2
(22) sql: SQL-User-Name set to 'kemi2'
(22) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(22) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000D', 'f124b2466dd83e26dae74c3fffb49656', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864748, 1478864748, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(22) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000D', 'f124b2466dd83e26dae74c3fffb49656', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864748, 1478864748, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(22) sql: SQL query returned: success
(22) sql: 1 record(s) updated
rlm_sql (sql): Released connection (6)
(22) [sql] = ok
(22) [exec] = noop
(22) attr_filter.accounting_response: EXPAND %{User-Name}
(22) attr_filter.accounting_response: --> kemi2
(22) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(22) [attr_filter.accounting_response] = updated
(22) } # accounting = updated
(22) Sent Accounting-Response Id 147 from 192.168.3.1:1813 to 192.168.3.190:47157 length 0
(22) Finished request
(22) Cleaning up request packet ID 147 with timestamp +28
Waking up in 4.7 seconds.
(12) Cleaning up request packet ID 137 with timestamp +28
(13) Cleaning up request packet ID 138 with timestamp +28
(14) Cleaning up request packet ID 139 with timestamp +28
(15) Cleaning up request packet ID 140 with timestamp +28
(16) Cleaning up request packet ID 141 with timestamp +28
(17) Cleaning up request packet ID 142 with timestamp +28
(18) Cleaning up request packet ID 143 with timestamp +28
(19) Cleaning up request packet ID 144 with timestamp +28
(20) Cleaning up request packet ID 145 with timestamp +28
Waking up in 0.1 seconds.
(21) Cleaning up request packet ID 146 with timestamp +28
Ready to process requests
(23) Received Accounting-Request Id 148 from 192.168.3.190:47157 to 192.168.3.1:1813 length 193
(23) Acct-Session-Id = "58258DE7-0000000D"
(23) Acct-Status-Type = Stop
(23) Acct-Authentic = RADIUS
(23) User-Name = "kemi2"
(23) NAS-Identifier = "802aa8907353"
(23) NAS-Port = 0
(23) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(23) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(23) NAS-Port-Type = Wireless-802.11
(23) Connect-Info = "CONNECT 0Mbps 802.11b"
(23) Acct-Session-Time = 5
(23) Acct-Input-Packets = 42
(23) Acct-Output-Packets = 42
(23) Acct-Input-Octets = 7755
(23) Acct-Output-Octets = 8608
(23) Event-Timestamp = "Nov 11 2016 09:45:55 BRST"
(23) Acct-Terminate-Cause = User-Request
(23) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(23) preacct {
(23) [preprocess] = ok
(23) policy acct_unique {
(23) update request {
(23) Tmp-String-9 := "ai:"
(23) } # update request = noop
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(23) EXPAND %{hex:&Class}
(23) -->
(23) EXPAND ^%{hex:&Tmp-String-9}
(23) --> ^61693a
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(23) else {
(23) update request {
(23) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(23) --> f124b2466dd83e26dae74c3fffb49656
(23) &Acct-Unique-Session-Id := f124b2466dd83e26dae74c3fffb49656
(23) } # update request = noop
(23) } # else = noop
(23) } # policy acct_unique = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) [files] = noop
(23) } # preacct = ok
(23) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(23) accounting {
(23) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(23) detail: --> /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(23) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(23) detail: EXPAND %t
(23) detail: --> Fri Nov 11 09:45:53 2016
(23) [detail] = ok
(23) [unix] = ok
(23) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(23) sql: --> type.stop.query
(23) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(23) sql: EXPAND %{User-Name}
(23) sql: --> kemi2
(23) sql: SQL-User-Name set to 'kemi2'
(23) sql: EXPAND UPDATE radacct SET acctstoptime = %{%{integer:Event-Timestamp}:-date('now')}, acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = %{%{Acct-Input-Gigawords}:-0} << 32 | %{%{Acct-Input-Octets}:-0}, acctoutputoctets = %{%{Acct-Output-Gigawords}:-0} << 32 | %{%{Acct-Output-Octets}:-0}, acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(23) sql: --> UPDATE radacct SET acctstoptime = 1478864755, acctsessiontime = 5, acctinputoctets = 0 << 32 | 7755, acctoutputoctets = 0 << 32 | 8608, acctterminatecause = 'User-Request', connectinfo_stop = 'CONNECT 0Mbps 802.11b' WHERE AcctUniqueId = 'f124b2466dd83e26dae74c3fffb49656'
(23) sql: Executing query: UPDATE radacct SET acctstoptime = 1478864755, acctsessiontime = 5, acctinputoctets = 0 << 32 | 7755, acctoutputoctets = 0 << 32 | 8608, acctterminatecause = 'User-Request', connectinfo_stop = 'CONNECT 0Mbps 802.11b' WHERE AcctUniqueId = 'f124b2466dd83e26dae74c3fffb49656'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 1
(23) sql: SQL query returned: success
(23) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (8), 1 of 24 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
(23) [sql] = ok
(23) [exec] = noop
(23) attr_filter.accounting_response: EXPAND %{User-Name}
(23) attr_filter.accounting_response: --> kemi2
(23) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(23) [attr_filter.accounting_response] = updated
(23) } # accounting = updated
(23) Sent Accounting-Response Id 148 from 192.168.3.1:1813 to 192.168.3.190:47157 length 0
(23) Finished request
(23) Cleaning up request packet ID 148 with timestamp +33
Ready to process requests
(24) Received Access-Request Id 149 from 192.168.3.190:41615 to 192.168.3.1:1812 length 156
(24) User-Name = "kemi2"
(24) NAS-Identifier = "802aa8907353"
(24) NAS-Port = 0
(24) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(24) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(24) Framed-MTU = 1400
(24) NAS-Port-Type = Wireless-802.11
(24) Connect-Info = "CONNECT 0Mbps 802.11b"
(24) EAP-Message = 0x02aa000a016b656d6932
(24) Message-Authenticator = 0x66394c8e91d2c1bb1e898b43c9a295d1
(24) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(24) authorize {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = notfound
(24) } # policy filter_username = notfound
(24) [preprocess] = ok
(24) [chap] = noop
(24) [mschap] = noop
(24) [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(24) suffix: No such realm "NULL"
(24) [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 170 length 10
(24) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(24) authenticate {
(24) eap: Peer sent packet with method EAP Identity (1)
(24) eap: Calling submodule eap_md5 to process data
(24) eap_md5: Issuing MD5 Challenge
(24) eap: Sending EAP Request (code 1) ID 171 length 22
(24) eap: EAP session adding &reply:State = 0x0eefde160e44da57
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(24) Sent Access-Challenge Id 149 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(24) EAP-Message = 0x01ab001604109a6fbc464392ada216f251e669923951
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x0eefde160e44da57a415225e3e56aad4
(24) Finished request
Waking up in 4.9 seconds.
(25) Received Access-Request Id 150 from 192.168.3.190:41615 to 192.168.3.1:1812 length 170
(25) User-Name = "kemi2"
(25) NAS-Identifier = "802aa8907353"
(25) NAS-Port = 0
(25) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(25) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(25) Framed-MTU = 1400
(25) NAS-Port-Type = Wireless-802.11
(25) Connect-Info = "CONNECT 0Mbps 802.11b"
(25) EAP-Message = 0x02ab00060315
(25) State = 0x0eefde160e44da57a415225e3e56aad4
(25) Message-Authenticator = 0xfca89b1fbab00b3d6559b531a7f6a2ec
(25) session-state: No cached attributes
(25) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(25) authorize {
(25) policy filter_username {
(25) if (&User-Name) {
(25) if (&User-Name) -> TRUE
(25) if (&User-Name) {
(25) if (&User-Name =~ / /) {
(25) if (&User-Name =~ / /) -> FALSE
(25) if (&User-Name =~ /@[^@]*@/ ) {
(25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(25) if (&User-Name =~ /\.\./ ) {
(25) if (&User-Name =~ /\.\./ ) -> FALSE
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(25) if (&User-Name =~ /\.$/) {
(25) if (&User-Name =~ /\.$/) -> FALSE
(25) if (&User-Name =~ /@\./) {
(25) if (&User-Name =~ /@\./) -> FALSE
(25) } # if (&User-Name) = notfound
(25) } # policy filter_username = notfound
(25) [preprocess] = ok
(25) [chap] = noop
(25) [mschap] = noop
(25) [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(25) suffix: No such realm "NULL"
(25) [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 171 length 6
(25) eap: No EAP Start, assuming it's an on-going EAP conversation
(25) [eap] = updated
(25) [files] = noop
(25) sql: EXPAND %{User-Name}
(25) sql: --> kemi2
(25) sql: SQL-User-Name set to 'kemi2'
rlm_sql (sql): Reserved connection (7)
(25) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(25) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(25) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'kemi2' ORDER BY id
(25) sql: User found in radcheck table
(25) sql: Conditional check items matched, merging assignment check items
(25) sql: Cleartext-Password := "1q2w3e4r"
(25) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(25) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(25) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'kemi2' ORDER BY id
(25) sql: User found in radreply table, merging reply items
(25) sql: Tunnel-Type := VLAN
(25) sql: Tunnel-Medium-Type := IEEE-802
(25) sql: Tunnel-Private-Group-Id := "5"
(25) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(25) sql: --> SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(25) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'kemi2' ORDER BY priority
(25) sql: User not found in any groups
rlm_sql (sql): Released connection (7)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.53-0+deb8u1, protocol version 10
(25) [sql] = ok
(25) [expiration] = noop
(25) [logintime] = noop
(25) pap: WARNING: Auth-Type already set. Not setting to PAP
(25) [pap] = noop
(25) } # authorize = updated
(25) Found Auth-Type = eap
(25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0x0eefde160e44da57
(25) eap: Finished EAP session with state 0x0eefde160e44da57
(25) eap: Previous EAP request found for state 0x0eefde160e44da57, released from the list
(25) eap: Peer sent packet with method EAP NAK (3)
(25) eap: Found mutually acceptable type TTLS (21)
(25) eap: Calling submodule eap_ttls to process data
(25) eap_ttls: Initiating new EAP-TLS session
(25) eap_ttls: [eaptls start] = request
(25) eap: Sending EAP Request (code 1) ID 172 length 6
(25) eap: EAP session adding &reply:State = 0x0eefde160f43cb57
(25) [eap] = handled
(25) } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found. Ignoring.
(25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 150 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(25) Tunnel-Type = VLAN
(25) Tunnel-Medium-Type = IEEE-802
(25) Tunnel-Private-Group-Id = "5"
(25) EAP-Message = 0x01ac00061520
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0x0eefde160f43cb57a415225e3e56aad4
(25) Finished request
Waking up in 4.9 seconds.
(26) Received Access-Request Id 151 from 192.168.3.190:41615 to 192.168.3.1:1812 length 395
(26) User-Name = "kemi2"
(26) NAS-Identifier = "802aa8907353"
(26) NAS-Port = 0
(26) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(26) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(26) Framed-MTU = 1400
(26) NAS-Port-Type = Wireless-802.11
(26) Connect-Info = "CONNECT 0Mbps 802.11b"
(26) EAP-Message = 0x02ac00e7150016030100dc010000d8030173a2dcebf90ef5bf0db24a3bc3195725de2e000e58dc7494bfdace7a3b86efbc20c4b9d08c4e7df7023cdd73405f38be9c53ed140c5db1080a6f57ad34c26c0aa4004ac014c00a0039003800880087c00fc00500350084c013c00900330032009a0099004500
(26) State = 0x0eefde160f43cb57a415225e3e56aad4
(26) Message-Authenticator = 0x5fcbd98707e482baaefa167ee7101e69
(26) session-state: No cached attributes
(26) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(26) authorize {
(26) policy filter_username {
(26) if (&User-Name) {
(26) if (&User-Name) -> TRUE
(26) if (&User-Name) {
(26) if (&User-Name =~ / /) {
(26) if (&User-Name =~ / /) -> FALSE
(26) if (&User-Name =~ /@[^@]*@/ ) {
(26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(26) if (&User-Name =~ /\.\./ ) {
(26) if (&User-Name =~ /\.\./ ) -> FALSE
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(26) if (&User-Name =~ /\.$/) {
(26) if (&User-Name =~ /\.$/) -> FALSE
(26) if (&User-Name =~ /@\./) {
(26) if (&User-Name =~ /@\./) -> FALSE
(26) } # if (&User-Name) = notfound
(26) } # policy filter_username = notfound
(26) [preprocess] = ok
(26) [chap] = noop
(26) [mschap] = noop
(26) [digest] = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(26) suffix: No such realm "NULL"
(26) [suffix] = noop
(26) eap: Peer sent EAP Response (code 2) ID 172 length 231
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0x0eefde160f43cb57
(26) eap: Finished EAP session with state 0x0eefde160f43cb57
(26) eap: Previous EAP request found for state 0x0eefde160f43cb57, released from the list
(26) eap: Peer sent packet with method EAP TTLS (21)
(26) eap: Calling submodule eap_ttls to process data
(26) eap_ttls: Authenticate
(26) eap_ttls: Continuing EAP-TLS
(26) eap_ttls: [eaptls verify] = ok
(26) eap_ttls: Done initial handshake
(26) eap_ttls: (other): before/accept initialization
(26) eap_ttls: TLS_accept: before/accept initialization
(26) eap_ttls: <<< recv TLS 1.0 Handshake [length 00dc], ClientHello
(26) eap_ttls: TLS_accept: unknown state
(26) eap_ttls: >>> send TLS 1.0 Handshake [length 005e], ServerHello
(26) eap_ttls: TLS_accept: unknown state
(26) eap_ttls: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(26) eap_ttls: TLS_accept: unknown state
(26) eap_ttls: >>> send TLS 1.0 Handshake [length 0010], Finished
(26) eap_ttls: TLS_accept: unknown state
(26) eap_ttls: TLS_accept: unknown state
(26) eap_ttls: TLS_accept: Need to read more data: unknown state
(26) eap_ttls: TLS_accept: Need to read more data: unknown state
(26) eap_ttls: In SSL Handshake Phase
(26) eap_ttls: In SSL Accept mode
(26) eap_ttls: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 173 length 168
(26) eap: EAP session adding &reply:State = 0x0eefde160c42cb57
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found. Ignoring.
(26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 151 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(26) EAP-Message = 0x01ad00a815800000009e160301005e0200005a0301c09046ab7148dec9c3ecc390b446f4fc6e6f6b8c7875f87f0dedbc25c1156e7120c4b9d08c4e7df7023cdd73405f38be9c53ed140c5db1080a6f57ad34c26c0aa4c014000012ff01000100000b000403000102000f00010114030100010116030100
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0x0eefde160c42cb57a415225e3e56aad4
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 152 from 192.168.3.190:41615 to 192.168.3.1:1812 length 229
(27) User-Name = "kemi2"
(27) NAS-Identifier = "802aa8907353"
(27) NAS-Port = 0
(27) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(27) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(27) Framed-MTU = 1400
(27) NAS-Port-Type = Wireless-802.11
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) EAP-Message = 0x02ad004115001403010001011603010030892f9330d1ff6be70d557f95c508904035e538574e295e11717b269ef9d1d98330163be256dbc9fead8b996c9060128f
(27) State = 0x0eefde160c42cb57a415225e3e56aad4
(27) Message-Authenticator = 0x44fe1535ecd133583c7908b988d8639b
(27) session-state: No cached attributes
(27) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /@\./) {
(27) if (&User-Name =~ /@\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 173 length 65
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0x0eefde160c42cb57
(27) eap: Finished EAP session with state 0x0eefde160c42cb57
(27) eap: Previous EAP request found for state 0x0eefde160c42cb57, released from the list
(27) eap: Peer sent packet with method EAP TTLS (21)
(27) eap: Calling submodule eap_ttls to process data
(27) eap_ttls: Authenticate
(27) eap_ttls: Continuing EAP-TLS
(27) eap_ttls: [eaptls verify] = ok
(27) eap_ttls: Done initial handshake
(27) eap_ttls: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(27) eap_ttls: <<< recv TLS 1.0 Handshake [length 0010], Finished
(27) eap_ttls: TLS_accept: unknown state
(27) eap_ttls: (other): SSL negotiation finished successfully
(27) eap_ttls: SSL Connection Established
(27) eap_ttls: SSL Application Data
(27) eap_ttls: Adding cached attributes from session c4b9d08c4e7df7023cdd73405f38be9c53ed140c5db1080a6f57ad34c26c0aa4
(27) eap_ttls: reply:User-Name = "kemi2"
(27) eap_ttls: [eaptls process] = success
(27) eap_ttls: Skipping Phase2 due to session resumption
(27) eap: Sending EAP Success (code 3) ID 173 length 4
(27) eap: Freeing handler
(27) [eap] = ok
(27) } # authenticate = ok
(27) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(27) post-auth {
(27) update {
(27) No attributes updated
(27) } # update = noop
(27) sql: EXPAND .query
(27) sql: --> .query
(27) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(27) sql: EXPAND %{User-Name}
(27) sql: --> kemi2
(27) sql: SQL-User-Name set to 'kemi2'
(27) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(27) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:56')
(27) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'kemi2', '', 'Access-Accept', '2016-11-11 09:45:56')
(27) sql: SQL query returned: success
(27) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(27) [sql] = ok
(27) [exec] = noop
(27) policy remove_reply_message_if_eap {
(27) if (&reply:EAP-Message && &reply:Reply-Message) {
(27) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(27) else {
(27) [noop] = noop
(27) } # else = noop
(27) } # policy remove_reply_message_if_eap = noop
(27) } # post-auth = ok
(27) Login OK: [kemi2/<via Auth-Type = eap>] (from client private-network-1 port 0 cli F8-2F-A8-F5-12-97)
(27) Sent Access-Accept Id 152 from 192.168.3.1:1812 to 192.168.3.190:41615 length 0
(27) User-Name = "kemi2"
(27) MS-MPPE-Recv-Key = 0x539e935d86cb7f91c3280bf05df7213688f5a10d4635b535dd25408acfe4117b
(27) MS-MPPE-Send-Key = 0xb12d5651cbdbe9626ec9e58edaca32685a56900010fde7ebd25c10023919e8aa
(27) EAP-Message = 0x03ad0004
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Accounting-Request Id 153 from 192.168.3.190:47157 to 192.168.3.1:1813 length 151
(28) Acct-Session-Id = "58258DE7-0000000E"
(28) Acct-Status-Type = Start
(28) Acct-Authentic = RADIUS
(28) User-Name = "kemi2"
(28) NAS-Identifier = "802aa8907353"
(28) NAS-Port = 0
(28) Called-Station-Id = "80-2A-A8-91-73-53:TESTE"
(28) Calling-Station-Id = "F8-2F-A8-F5-12-97"
(28) NAS-Port-Type = Wireless-802.11
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
(28) preacct {
(28) [preprocess] = ok
(28) policy acct_unique {
(28) update request {
(28) Tmp-String-9 := "ai:"
(28) } # update request = noop
(28) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(28) EXPAND %{hex:&Class}
(28) -->
(28) EXPAND ^%{hex:&Tmp-String-9}
(28) --> ^61693a
(28) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(28) else {
(28) update request {
(28) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(28) --> 3e64ef86d9931cd40a4dcceffd3e22a9
(28) &Acct-Unique-Session-Id := 3e64ef86d9931cd40a4dcceffd3e22a9
(28) } # update request = noop
(28) } # else = noop
(28) } # policy acct_unique = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "kemi2", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) [files] = noop
(28) } # preacct = ok
(28) # Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
(28) accounting {
(28) detail: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(28) detail: --> /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(28) detail: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.3.190/detail-20161111
(28) detail: EXPAND %t
(28) detail: --> Fri Nov 11 09:45:56 2016
(28) [detail] = ok
(28) [unix] = ok
(28) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(28) sql: --> type.start.query
(28) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(28) sql: EXPAND %{User-Name}
(28) sql: --> kemi2
(28) sql: SQL-User-Name set to 'kemi2'
(28) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', %{%{integer:Event-Timestamp}:-date('now')}, %{%{integer:Event-Timestamp}:-date('now')}, NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(28) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000E', '3e64ef86d9931cd40a4dcceffd3e22a9', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864756, 1478864756, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(28) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('58258DE7-0000000E', '3e64ef86d9931cd40a4dcceffd3e22a9', 'kemi2', '', '192.168.3.190', '0', 'Wireless-802.11', 1478864756, 1478864756, NULL, '0', 'RADIUS', 'CONNECT 0Mbps 802.11b', '', '0', '0', '80-2A-A8-91-73-53:TESTE', 'F8-2F-A8-F5-12-97', '', '', '', '')
(28) sql: SQL query returned: success
(28) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(28) [sql] = ok
(28) [exec] = noop
(28) attr_filter.accounting_response: EXPAND %{User-Name}
(28) attr_filter.accounting_response: --> kemi2
(28) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(28) [attr_filter.accounting_response] = updated
(28) } # accounting = updated
(28) Sent Accounting-Response Id 153 from 192.168.3.1:1813 to 192.168.3.190:47157 length 0
(28) Finished request
(28) Cleaning up request packet ID 153 with timestamp +36
Waking up in 4.8 seconds.
More information about the Freeradius-Users
mailing list