FreeRadius 3.0.13 - Using SSID to check AD groups
Pierre de Jong
pierredejong at gmail.com
Wed Apr 5 16:27:03 CEST 2017
As promised, I send you an radiusd -X output. complete.
I see that straight at the beginning, policy rewrite_called_station_id is
done.
--> EXPAND %{Called-Station-SSID}
(0) --> TSSID1
even with that, as I said, I cannot use that "%{Called-Station-SSID}
anywhere else than in "post-auth"...
Is that normal?
Do you see "horror" in those logs ? :-D
Thanks for reading, and thanks for your return.
(0) Received Access-Request Id 194 from 192.168.30.206:42291 to
192.168.30.66:1812 length 151
(0) User-Name = "u2"
(0) NAS-Identifier = "44d9e7023ad1"
(0) NAS-Port = 0
(0) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(0) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) EAP-Message = 0x02e20007017532
(0) Message-Authenticator = 0x6df4581814e8c5685f1821d6d50c6180
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy rewrite_called_station_id {
(0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(0) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(0) update request {
(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 46-D9-E7-03-3A-D1
(0) &Called-Station-Id := 46-D9-E7-03-3A-D1
(0) } # update request = noop
(0) if ("%{8}") {
(0) EXPAND %{8}
(0) --> TSSID1
(0) if ("%{8}") -> TRUE
(0) if ("%{8}") {
(0) update request {
(0) EXPAND %{8}
(0) --> TSSID1
(0) &Called-Station-SSID := TSSID1
(0) EXPAND %{Called-Station-SSID}
(0) --> TSSID1
(0) &My-Called-Station-SSID := TSSID1
(0) } # update request = noop
(0) } # if ("%{8}") = noop
(0) [updated] = updated
(0) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_called_station_id = updated
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "u2", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 226 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 227 length 6
(0) eap: EAP session adding &reply:State = 0x26e3acd92600b50e
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 194 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(0) EAP-Message = 0x01e300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x26e3acd92600b50e9de8616e7140b5da
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 195 from 192.168.30.206:42291 to
192.168.30.66:1812 length 330
(1) User-Name = "u2"
(1) NAS-Identifier = "44d9e7023ad1"
(1) NAS-Port = 0
(1) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(1) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) EAP-Message =
0x02e300a819800000009e1603010099010000950303b275ec6ca03d6c07079f0f5fd77bc702c544c56e69b4c7a9e3d595de38d5cd6200003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000
(1) State = 0x26e3acd92600b50e9de8616e7140b5da
(1) Message-Authenticator = 0xf99f35009091fa6c60abe4f208c2805d
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy rewrite_called_station_id {
(1) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(1) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(1) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 46-D9-E7-03-3A-D1
(1) &Called-Station-Id := 46-D9-E7-03-3A-D1
(1) } # update request = noop
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) --> TSSID1
(1) if ("%{8}") -> TRUE
(1) if ("%{8}") {
(1) update request {
(1) EXPAND %{8}
(1) --> TSSID1
(1) &Called-Station-SSID := TSSID1
(1) EXPAND %{Called-Station-SSID}
(1) --> TSSID1
(1) &My-Called-Station-SSID := TSSID1
(1) } # update request = noop
(1) } # if ("%{8}") = noop
(1) [updated] = updated
(1) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_called_station_id = updated
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "u2", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 227 length 168
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x26e3acd92600b50e
(1) eap: Finished EAP session with state 0x26e3acd92600b50e
(1) eap: Previous EAP request found for state 0x26e3acd92600b50e, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 158 bytes
(1) eap_peap: Got complete TLS record (158 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2 [length 0099]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 0059]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 08d3]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 228 length 1004
(1) eap: EAP session adding &reply:State = 0x26e3acd92707b50e
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 195 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(1) EAP-Message =
0x01e403ec19c000000a911603030059020000550303a1388d44dabe97aee61c3b20a7ab8fc1aec4ad52dee38fe3c7b26167a0dbc1bc201e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896cc03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x26e3acd92707b50e9de8616e7140b5da
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 196 from 192.168.30.206:42291 to
192.168.30.66:1812 length 168
(2) User-Name = "u2"
(2) NAS-Identifier = "44d9e7023ad1"
(2) NAS-Port = 0
(2) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(2) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11b"
(2) EAP-Message = 0x02e400061900
(2) State = 0x26e3acd92707b50e9de8616e7140b5da
(2) Message-Authenticator = 0x8a1d94e2d52ec81230dc52382337ebde
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) policy rewrite_called_station_id {
(2) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(2) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(2) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> 46-D9-E7-03-3A-D1
(2) &Called-Station-Id := 46-D9-E7-03-3A-D1
(2) } # update request = noop
(2) if ("%{8}") {
(2) EXPAND %{8}
(2) --> TSSID1
(2) if ("%{8}") -> TRUE
(2) if ("%{8}") {
(2) update request {
(2) EXPAND %{8}
(2) --> TSSID1
(2) &Called-Station-SSID := TSSID1
(2) EXPAND %{Called-Station-SSID}
(2) --> TSSID1
(2) &My-Called-Station-SSID := TSSID1
(2) } # update request = noop
(2) } # if ("%{8}") = noop
(2) [updated] = updated
(2) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_called_station_id = updated
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "u2", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 228 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x26e3acd92707b50e
(2) eap: Finished EAP session with state 0x26e3acd92707b50e
(2) eap: Previous EAP request found for state 0x26e3acd92707b50e, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 229 length 1000
(2) eap: EAP session adding &reply:State = 0x26e3acd92406b50e
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 196 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(2) EAP-Message =
0x01e503e81940ca12fabb7964d6cb47ff4dbc736cca7b619482c69523520dbb422565f5fe26b0a27fa749595187b23ae6cdf379898cc96d5538f5a0203165548e1402a0716da7e63fe3d1a6f4f4d80e6dadca36b1d34815cb792b0d55ff2aa0a05d77b2ecefd55cbb7d356e7fb6ce430004e8308204e430
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x26e3acd92406b50e9de8616e7140b5da
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 197 from 192.168.30.206:42291 to
192.168.30.66:1812 length 168
(3) User-Name = "u2"
(3) NAS-Identifier = "44d9e7023ad1"
(3) NAS-Port = 0
(3) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(3) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11b"
(3) EAP-Message = 0x02e500061900
(3) State = 0x26e3acd92406b50e9de8616e7140b5da
(3) Message-Authenticator = 0x69984560004ba33d4af83118efaf52e9
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) policy rewrite_called_station_id {
(3) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(3) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(3) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> 46-D9-E7-03-3A-D1
(3) &Called-Station-Id := 46-D9-E7-03-3A-D1
(3) } # update request = noop
(3) if ("%{8}") {
(3) EXPAND %{8}
(3) --> TSSID1
(3) if ("%{8}") -> TRUE
(3) if ("%{8}") {
(3) update request {
(3) EXPAND %{8}
(3) --> TSSID1
(3) &Called-Station-SSID := TSSID1
(3) EXPAND %{Called-Station-SSID}
(3) --> TSSID1
(3) &My-Called-Station-SSID := TSSID1
(3) } # update request = noop
(3) } # if ("%{8}") = noop
(3) [updated] = updated
(3) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_called_station_id = updated
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "u2", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 229 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x26e3acd92406b50e
(3) eap: Finished EAP session with state 0x26e3acd92406b50e
(3) eap: Previous EAP request found for state 0x26e3acd92406b50e, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 230 length 723
(3) eap: EAP session adding &reply:State = 0x26e3acd92505b50e
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 197 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(3) EAP-Message =
0x01e602d3190020417574686f72697479820900f93d1298efaa0149300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x26e3acd92505b50e9de8616e7140b5da
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 198 from 192.168.30.206:42291 to
192.168.30.66:1812 length 298
(4) User-Name = "u2"
(4) NAS-Identifier = "44d9e7023ad1"
(4) NAS-Port = 0
(4) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(4) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11b"
(4) EAP-Message =
0x02e6008819800000007e1603030046100000424104041b7c41a3bd64a8a8a136b69913d4abc758ff6523448fa1ee5da8cba6d7fb812d9d38c80e1f33e0bb86f396168fdf04b86ad694122d1860aa66672d05e3acc61403030001011603030028000000000000000030d814976854b1841781e86747494b
(4) State = 0x26e3acd92505b50e9de8616e7140b5da
(4) Message-Authenticator = 0x71361b97fa00595f1c1e7e1b49674c86
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) policy rewrite_called_station_id {
(4) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(4) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(4) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> 46-D9-E7-03-3A-D1
(4) &Called-Station-Id := 46-D9-E7-03-3A-D1
(4) } # update request = noop
(4) if ("%{8}") {
(4) EXPAND %{8}
(4) --> TSSID1
(4) if ("%{8}") -> TRUE
(4) if ("%{8}") {
(4) update request {
(4) EXPAND %{8}
(4) --> TSSID1
(4) &Called-Station-SSID := TSSID1
(4) EXPAND %{Called-Station-SSID}
(4) --> TSSID1
(4) &My-Called-Station-SSID := TSSID1
(4) } # update request = noop
(4) } # if ("%{8}") = noop
(4) [updated] = updated
(4) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_called_station_id = updated
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "u2", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 230 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x26e3acd92505b50e
(4) eap: Finished EAP session with state 0x26e3acd92505b50e
(4) eap: Previous EAP request found for state 0x26e3acd92505b50e, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: <<< recv TLS 1.2 [length 0001]
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 231 length 57
(4) eap: EAP session adding &reply:State = 0x26e3acd92204b50e
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 198 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(4) EAP-Message =
0x01e7003919001403030001011603030028afdc310d6ec3ecf82929a0132b49427d16fa26597f15966113b9002b91d656814059fce9e456ede0
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x26e3acd92204b50e9de8616e7140b5da
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 199 from 192.168.30.206:42291 to
192.168.30.66:1812 length 168
(5) User-Name = "u2"
(5) NAS-Identifier = "44d9e7023ad1"
(5) NAS-Port = 0
(5) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(5) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11b"
(5) EAP-Message = 0x02e700061900
(5) State = 0x26e3acd92204b50e9de8616e7140b5da
(5) Message-Authenticator = 0x4f8ea83811fddc3ef626018a5a3028fd
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) policy rewrite_called_station_id {
(5) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(5) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(5) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> 46-D9-E7-03-3A-D1
(5) &Called-Station-Id := 46-D9-E7-03-3A-D1
(5) } # update request = noop
(5) if ("%{8}") {
(5) EXPAND %{8}
(5) --> TSSID1
(5) if ("%{8}") -> TRUE
(5) if ("%{8}") {
(5) update request {
(5) EXPAND %{8}
(5) --> TSSID1
(5) &Called-Station-SSID := TSSID1
(5) EXPAND %{Called-Station-SSID}
(5) --> TSSID1
(5) &My-Called-Station-SSID := TSSID1
(5) } # update request = noop
(5) } # if ("%{8}") = noop
(5) [updated] = updated
(5) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_called_station_id = updated
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "u2", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 231 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x26e3acd92204b50e
(5) eap: Finished EAP session with state 0x26e3acd92204b50e
(5) eap: Previous EAP request found for state 0x26e3acd92204b50e, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 232 length 40
(5) eap: EAP session adding &reply:State = 0x26e3acd9230bb50e
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 199 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(5) EAP-Message =
0x01e800281900170303001dafdc310d6ec3ecf911d9a53ca339359c7b7e5d1d31e2740ac7b3cc1fc8
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x26e3acd9230bb50e9de8616e7140b5da
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 200 from 192.168.30.206:42291 to
192.168.30.66:1812 length 200
(6) User-Name = "u2"
(6) NAS-Identifier = "44d9e7023ad1"
(6) NAS-Port = 0
(6) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(6) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11b"
(6) EAP-Message =
0x02e800261900170303001b0000000000000001a7d595fb1c1358287b3a2de65b1505c2800a8c
(6) State = 0x26e3acd9230bb50e9de8616e7140b5da
(6) Message-Authenticator = 0xfd38b6b4bced113086272427b1e47ec5
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) policy rewrite_called_station_id {
(6) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(6) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(6) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 46-D9-E7-03-3A-D1
(6) &Called-Station-Id := 46-D9-E7-03-3A-D1
(6) } # update request = noop
(6) if ("%{8}") {
(6) EXPAND %{8}
(6) --> TSSID1
(6) if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) update request {
(6) EXPAND %{8}
(6) --> TSSID1
(6) &Called-Station-SSID := TSSID1
(6) EXPAND %{Called-Station-SSID}
(6) --> TSSID1
(6) &My-Called-Station-SSID := TSSID1
(6) } # update request = noop
(6) } # if ("%{8}") = noop
(6) [updated] = updated
(6) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "u2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 232 length 38
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x26e3acd9230bb50e
(6) eap: Finished EAP session with state 0x26e3acd9230bb50e
(6) eap: Previous EAP request found for state 0x26e3acd9230bb50e, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - u2
(6) eap_peap: Got inner identity 'u2'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x02e80007017532
(6) eap_peap: Setting User-Name to u2
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x02e80007017532
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "u2"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x02e80007017532
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "u2"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "u2", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 232 length 7
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 233 length 43
(6) eap: EAP session adding &reply:State = 0xe964d6a3e98dccf7
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xe964d6a3e98dccf7d9a7bb91d2128446
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x01e9002b1a01e9002610da269c8e35bd6e35d1e82df925280719667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 233 length 74
(6) eap: EAP session adding &reply:State = 0x26e3acd9200ab50e
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 200 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(6) EAP-Message =
0x01e9004a1900170303003fafdc310d6ec3ecfa6ad7b9bd7b5b3d632836005d9b48d843c30661e85ac54e7f84b5c8cd2cc6e05b9a0707af2f27b0a300ddb2b161bcf37c279ed789d753df
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x26e3acd9200ab50e9de8616e7140b5da
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 201 from 192.168.30.206:42291 to
192.168.30.66:1812 length 254
(7) User-Name = "u2"
(7) NAS-Identifier = "44d9e7023ad1"
(7) NAS-Port = 0
(7) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(7) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11b"
(7) EAP-Message =
0x02e9005c1900170303005100000000000000029d8c08242bcc95810a5b03538963ca587b615f552ddeec106afa23ac3a8d27adb88db9eeb117c104ece273d2b6fc96fdb2389f69a80ee3f417d1d98781ad9b31d22375b85325728ba4
(7) State = 0x26e3acd9200ab50e9de8616e7140b5da
(7) Message-Authenticator = 0xb5acd68497179836600f3c0e5e91bffa
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) policy rewrite_called_station_id {
(7) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(7) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(7) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(7) update request {
(7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> 46-D9-E7-03-3A-D1
(7) &Called-Station-Id := 46-D9-E7-03-3A-D1
(7) } # update request = noop
(7) if ("%{8}") {
(7) EXPAND %{8}
(7) --> TSSID1
(7) if ("%{8}") -> TRUE
(7) if ("%{8}") {
(7) update request {
(7) EXPAND %{8}
(7) --> TSSID1
(7) &Called-Station-SSID := TSSID1
(7) EXPAND %{Called-Station-SSID}
(7) --> TSSID1
(7) &My-Called-Station-SSID := TSSID1
(7) } # update request = noop
(7) } # if ("%{8}") = noop
(7) [updated] = updated
(7) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_called_station_id = updated
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "u2", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 233 length 92
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7
(7) eap: Finished EAP session with state 0x26e3acd9200ab50e
(7) eap: Previous EAP request found for state 0x26e3acd9200ab50e, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532
(7) eap_peap: Setting User-Name to u2
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "u2"
(7) eap_peap: State = 0xe964d6a3e98dccf7d9a7bb91d2128446
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x02e9003d1a02e90038314f450d7d3778496ac408ec5ae22c5cf800000000000000007e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b007532
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "u2"
(7) State = 0xe964d6a3e98dccf7d9a7bb91d2128446
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "u2", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 233 length 61
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (samaccountname=u2)
(7) ldap: Performing search in "dc=mt,dc=priv" with filter
"(samaccountname=u2)", scope "sub"
(7) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://mt.priv/CN=Configuration,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(7) ldap: User object found at DN "CN=User2
last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (0)
Need 6 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots
used
rlm_ldap (ldap): Connecting to ldap://192.168.30.64:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0xe964d6a3e98dccf7
(7) eap: Finished EAP session with state 0xe964d6a3e98dccf7
(7) eap: Previous EAP request found for state 0xe964d6a3e98dccf7, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Creating challenge hash with username: u2
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-mt.priv}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap: --> --username=u2
(7) mschap: ERROR: No NT-Domain was found in the User-Name
(7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-mt.priv}
(7) mschap: --> --domain=mt.priv
(7) mschap: Creating challenge hash with username: u2
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap: --> --challenge=fec47cb1e1e89ea6
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap: -->
--nt-response=7e8efaecb1519f66b99fda6c16258fac43cd7d2ab37ae22b
(7) mschap: Program returned code (0) and output 'NT_KEY:
9B2636A6B6FEB8B39BA0972EB1B4126F'
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 234 length 51
(7) eap: EAP session adding &reply:State = 0xe964d6a3e88eccf7
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message =
0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xe964d6a3e88eccf7d9a7bb91d2128446
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message =
0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message =
0x01ea00331a03e9002e533d32324130423439373042463632383037453537374235344635323145393844463546344141383736
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 234 length 82
(7) eap: EAP session adding &reply:State = 0x26e3acd92109b50e
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 201 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(7) EAP-Message =
0x01ea005219001703030047afdc310d6ec3ecfb9e6c30da4240048c4f730e520ea1adb199993e22a9af5b7974473effa782835f7aa711cfada821e84f3a1cabf0393f522379e3e9223b7418611722b9db7623
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x26e3acd92109b50e9de8616e7140b5da
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 202 from 192.168.30.206:42291 to
192.168.30.66:1812 length 199
(8) User-Name = "u2"
(8) NAS-Identifier = "44d9e7023ad1"
(8) NAS-Port = 0
(8) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(8) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 0Mbps 802.11b"
(8) EAP-Message =
0x02ea00251900170303001a0000000000000003d92e7f5e0e434d437cc57a596fcb7e4d3177
(8) State = 0x26e3acd92109b50e9de8616e7140b5da
(8) Message-Authenticator = 0x87b4b40497cd83d6c2bc7ff399ebbc67
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) policy rewrite_called_station_id {
(8) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(8) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(8) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(8) update request {
(8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> 46-D9-E7-03-3A-D1
(8) &Called-Station-Id := 46-D9-E7-03-3A-D1
(8) } # update request = noop
(8) if ("%{8}") {
(8) EXPAND %{8}
(8) --> TSSID1
(8) if ("%{8}") -> TRUE
(8) if ("%{8}") {
(8) update request {
(8) EXPAND %{8}
(8) --> TSSID1
(8) &Called-Station-SSID := TSSID1
(8) EXPAND %{Called-Station-SSID}
(8) --> TSSID1
(8) &My-Called-Station-SSID := TSSID1
(8) } # update request = noop
(8) } # if ("%{8}") = noop
(8) [updated] = updated
(8) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy rewrite_called_station_id = updated
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "u2", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 234 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7
(8) eap: Finished EAP session with state 0x26e3acd92109b50e
(8) eap: Previous EAP request found for state 0x26e3acd92109b50e, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x02ea00061a03
(8) eap_peap: Setting User-Name to u2
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x02ea00061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "u2"
(8) eap_peap: State = 0xe964d6a3e88eccf7d9a7bb91d2128446
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x02ea00061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "u2"
(8) State = 0xe964d6a3e88eccf7d9a7bb91d2128446
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "u2", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 234 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (samaccountname=u2)
(8) ldap: Performing search in "dc=mt,dc=priv" with filter
"(samaccountname=u2)", scope "sub"
(8) ldap: Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://mt.priv/CN=Configuration,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(8) ldap: User object found at DN "CN=User2
last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Deleting connection (1)
(8) [ldap] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0xe964d6a3e88eccf7
(8) eap: Finished EAP session with state 0xe964d6a3e88eccf7
(8) eap: Previous EAP request found for state 0xe964d6a3e88eccf7, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 234 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/freeradius/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) EXPAND GOODPASS
(8) --> GOODPASS
(8) Login OK: [u2/<via Auth-Type = eap>] (from client vLan-Tech port 0
via TLS tunnel) GOODPASS
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7
(8) MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc
(8) EAP-Message = 0x03ea0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "u2"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7
(8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc
(8) eap_peap: EAP-Message = 0x03ea0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "u2"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x5a63cb9a1d9e080f1d59d075194aaef7
(8) eap_peap: MS-MPPE-Recv-Key = 0x351a8649c506ccb5556cc2e2a6ad00dc
(8) eap_peap: EAP-Message = 0x03ea0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "u2"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 235 length 46
(8) eap: EAP session adding &reply:State = 0x26e3acd92e08b50e
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 202 from 192.168.30.66:1812 to
192.168.30.206:42291 length 0
(8) EAP-Message =
0x01eb002e19001703030023afdc310d6ec3ecfc229ddfb0d67089decdf03a173fe43279508cff8728033097145447
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x26e3acd92e08b50e9de8616e7140b5da
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 203 from 192.168.30.206:42291 to
192.168.30.66:1812 length 208
(9) User-Name = "u2"
(9) NAS-Identifier = "44d9e7023ad1"
(9) NAS-Port = 0
(9) Called-Station-Id = "46-D9-E7-03-3A-D1:TSSID1"
(9) Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 0Mbps 802.11b"
(9) EAP-Message =
0x02eb002e190017030300230000000000000004bbad0c85fff213c85c3df86106c8a96db5e13ddd612c77dee32bd2
(9) State = 0x26e3acd92e08b50e9de8616e7140b5da
(9) Message-Authenticator = 0x8d03cc4904839e96543fb59eb8936d63
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) policy rewrite_called_station_id {
(9) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(9) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
-> TRUE
(9) if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
{
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> 46-D9-E7-03-3A-D1
(9) &Called-Station-Id := 46-D9-E7-03-3A-D1
(9) } # update request = noop
(9) if ("%{8}") {
(9) EXPAND %{8}
(9) --> TSSID1
(9) if ("%{8}") -> TRUE
(9) if ("%{8}") {
(9) update request {
(9) EXPAND %{8}
(9) --> TSSID1
(9) &Called-Station-SSID := TSSID1
(9) EXPAND %{Called-Station-SSID}
(9) --> TSSID1
(9) &My-Called-Station-SSID := TSSID1
(9) } # update request = noop
(9) } # if ("%{8}") = noop
(9) [updated] = updated
(9) } # if (&Called-Station-Id && (&Called-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))
= updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_called_station_id = updated
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "u2", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 235 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x26e3acd92e08b50e
(9) eap: Finished EAP session with state 0x26e3acd92e08b50e
(9) eap: Previous EAP request found for state 0x26e3acd92e08b50e, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: No information to cache: session caching will be disabled for
session 1e612a6685965633b12ff0d4fcb41a265c0e72dbded7812586c0e3347a5b896c
(9) eap: Sending EAP Success (code 3) ID 235 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(9) post-auth {
(9) if (NAS-Port-Type == Wireless-802.11) {
(9) if (NAS-Port-Type == Wireless-802.11) -> TRUE
(9) if (NAS-Port-Type == Wireless-802.11) {
(9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") {
(9) EXPAND grp-ssid-%{Called-Station-SSID}
(9) --> grp-ssid-TSSID1
(9) Searching for user in group "grp-ssid-TSSID1"
rlm_ldap (ldap): Reserved connection (2)
(9) EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9) --> (samaccountname=u2)
(9) Performing search in "dc=mt,dc=priv" with filter
"(samaccountname=u2)", scope "sub"
(9) Waiting for search result...
rlm_ldap (ldap): Rebinding to URL
ldap://ForestDnsZones.mt.priv/DC=ForestDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://DomainDnsZones.mt.priv/DC=DomainDnsZones,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Rebinding to URL
ldap://mt.priv/CN=Configuration,DC=mt,DC=priv
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Bind successful
(9) User object found at DN "CN=User2
last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv"
(9) Checking user object's memberOf attributes
(9) Waiting for bind result...
(9) Bind successful
(9) Performing unfiltered search in "CN=User2
last,OU=MT-Users,OU=MT-Objects,DC=mt,DC=priv", scope "base"
(9) Waiting for search result...
(9) Processing memberOf value
"CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN
(9) Resolving group DN
"CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name
(9) Performing unfiltered search in
"CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base"
(9) Waiting for search result...
(9) Group DN
"CN=grp-ssid-TSSID2,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to
name "grp-ssid-TSSID2"
(9) Processing memberOf value
"CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN
(9) Resolving group DN
"CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group
name
(9) Performing unfiltered search in
"CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope
"base"
(9) Waiting for search result...
(9) Group DN
"CN=GRP-SEC-ALL-USERS,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" resolves to
name "GRP-SEC-ALL-USERS"
(9) Processing memberOf value
"CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN
(9) Resolving group DN
"CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to group name
(9) Performing unfiltered search in
"CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope "base"
(9) Waiting for search result...
(9) Group DN "CN=Profs,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv"
resolves to name "Profs"
(9) Processing memberOf value
"CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" as a DN
(9) Resolving group DN
"CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv" to
group name
(9) Performing unfiltered search in
"CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv", scope
"base"
(9) Waiting for search result...
(9) Group DN
"CN=Mt-Folder-Redirection,OU=MT-Groups,OU=MT-Objects,DC=mt,DC=priv"
resolves to name "Mt-Folder-Redirection"
rlm_ldap (ldap): Deleting connection (2)
(9) User is not a member of "grp-ssid-TSSID1"
(9) if (&LDAP-Group[*] == "grp-ssid-%{Called-Station-SSID}") -> FALSE
(9) else {
(9) update reply {
(9) EXPAND Hello %{User-Name}: Vous n'avez pas accès
(9) --> Hello u2: Vous n'avez pas accès
(9) Reply-Message = Hello u2: Vous n'avez pas accès
(9) } # update reply = noop
(9) [reject] = reject
(9) } # else = reject
(9) } # if (NAS-Port-Type == Wireless-802.11) = reject
(9) } # post-auth = reject
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> u2
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) update reply {
(9) &Reply-Message !* ANY
(9) } # update reply = noop
(9) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop
(9) ... skipping else: Preceding "if" was taken
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) EXPAND BADPASS
(9) --> BADPASS
(9) Rejected in post-auth: [u2/<via Auth-Type = eap>] (from client
vLan-Tech port 0 cli C0-EE-FB-4B-FA-10) BADPASS
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 203 from 192.168.30.66:1812 to
192.168.30.206:42291 length 44
(9) EAP-Message = 0x03eb0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 194 with timestamp +36
(1) Cleaning up request packet ID 195 with timestamp +36
(2) Cleaning up request packet ID 196 with timestamp +36
(3) Cleaning up request packet ID 197 with timestamp +36
(4) Cleaning up request packet ID 198 with timestamp +36
(5) Cleaning up request packet ID 199 with timestamp +36
(6) Cleaning up request packet ID 200 with timestamp +36
(7) Cleaning up request packet ID 201 with timestamp +36
(8) Cleaning up request packet ID 202 with timestamp +36
(9) Cleaning up request packet ID 203 with timestamp +36
Ready to process requests
Pierre de Jong
-.-.-.-.-.-.-.-.-.-.-
2017-04-04 14:38 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
> On Apr 4, 2017, at 7:47 AM, Pierre de Jong <pierredejong at gmail.com> wrote:
> >
> >>
> >> UNABLE to use "%{Called-Station-SSID}" (nor %Called-Station-SSID)
> >>
> > What do you mean by "unable to use"?
> >
> > I mean that when i try to "show" the %{Called-Station-SSID} ..... like,
> in
> > a message, we do a" ## %{user} - %{Called-Station-SSID} ## --> it
> returns:
> > ## username - ##
> >
> > That is what I mean.
>
> Then at the Called-Station-Id isn't available at that point.
>
> > I will send and radiusd -X output soon...
> >
> > But YES, in the radiusd -X, I can see that Called-Station-SSID is set to
> a
> > "RIGHT" value.... but we do not seem to be able to use it "anywhere".
>
> I doubt that very much.
>
> Put that check at the start of the "authorize" section, in the default
> virtual server. You *will* see it.
>
> My guess is that you're trying to expand it in the "inner-tunnel"
> virtual server, where it's not available. There are solutions for that.
>
> Again, as always... a *careful* reading of the debug output will show
> this. The server tells you what attributes are received, and what
> attributes are sent to the inner-tunnel virtual server.
>
> Alan DeKok.
>
>
More information about the Freeradius-Users
mailing list