FW: EAP authentication with Windows 10
Rob Rutledge
robertrutledge2005 at charter.net
Sun Apr 23 19:09:33 CEST 2017
Hi All,
I finally got radiusd to start again after configuring new certificates. I had to go into the mods-enabled/eap file and set the private_key_password to what I configured in server.cnf.
Now I am back to where I was when it quit working again. I am asked to verify the certificate, but it still does not connect even though I put in the credentials manually before accepting the certificate. Here is my debug output now (sorry it is so long).
Any other comments would be appreciated. Thanks.
Ready to process requests
(0) Received Access-Request Id 240 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(0) User-Name = "Robby"
(0) Framed-MTU = 1400
(0) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(0) Calling-Station-Id = "c8f7.334c.b878"
(0) Cisco-AVPair = "ssid=BigBang_2"
(0) Service-Type = Login-User
(0) Cisco-AVPair = "service-type=Login"
(0) Message-Authenticator = 0x3336cd6797c32cf5e83b7ff873de87a7
(0) EAP-Message = 0x0202000a01526f626279
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port = 670
(0) NAS-Port-Id = "670"
(0) NAS-IP-Address = 10.160.134.40
(0) NAS-Identifier = "txweahomxp-ap1142001"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 10
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 3 length 22
(0) eap: EAP session adding &reply:State = 0x2ffc95c62fff91a4
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 240 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(0) EAP-Message = 0x010300160410312c2f97bdd01f98348ecfb7a82c8966
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x2ffc95c62fff91a46ff41499fc9cc211
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 241 from 10.160.134.40:1645 to 10.160.134.60:1812 length 221
(1) User-Name = "Robby"
(1) Framed-MTU = 1400
(1) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(1) Calling-Station-Id = "c8f7.334c.b878"
(1) Cisco-AVPair = "ssid=BigBang_2"
(1) Service-Type = Login-User
(1) Cisco-AVPair = "service-type=Login"
(1) Message-Authenticator = 0xb8bf910d1e8325d3157961a70ee1bebc
(1) EAP-Message = 0x020300090319152b11
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port = 670
(1) NAS-Port-Id = "670"
(1) State = 0x2ffc95c62fff91a46ff41499fc9cc211
(1) NAS-IP-Address = 10.160.134.40
(1) NAS-Identifier = "txweahomxp-ap1142001"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 9
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry Robby at line 26
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x2ffc95c62fff91a4
(1) eap: Finished EAP session with state 0x2ffc95c62fff91a4
(1) eap: Previous EAP request found for state 0x2ffc95c62fff91a4, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: Flushing SSL sessions (of #0)
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0x2ffc95c62ef88ca4
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 241 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(1) EAP-Message = 0x010400061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x2ffc95c62ef88ca46ff41499fc9cc211
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 242 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(2) User-Name = "Robby"
(2) Framed-MTU = 1400
(2) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(2) Calling-Station-Id = "c8f7.334c.b878"
(2) Cisco-AVPair = "ssid=BigBang_2"
(2) Service-Type = Login-User
(2) Cisco-AVPair = "service-type=Login"
(2) Message-Authenticator = 0x708881782e1053beacca68b75f6a7775
(2) EAP-Message = 0x020400d21980000000c816030300c3010000bf030358fcdb55ad6e4862b6c68aff23d1222da3fa1cae8bce37bdda920ab80b270dd5c8deedfd4b7dbbcb7061d85a1786ec0a8a88f8994968ba65aec67003cc02cc02bc030c24c023c028c027c00ac009c014c013003900
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port = 670
(2) NAS-Port-Id = "670"
(2) State = 0x2ffc95c62ef88ca46ff41499fc9cc211
(2) NAS-IP-Address = 10.160.134.40
(2) NAS-Identifier = "txweahomxp-ap1142001"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 210
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x2ffc95c62ef88ca4
(2) eap: Finished EAP session with state 0x2ffc95c62ef88ca4
(2) eap: Previous EAP request found for state 0x2ffc95c62ef88ca4, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(2) eap_peap: Got complete TLS record (200 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.2 [length 00c3]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.2 [length 0059]
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.2 [length 094f]
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 5 length 1004
(2) eap: EAP session adding &reply:State = 0x2ffc95c62df98ca4
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 242 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(2) EAP-Message = 0x010503ec19c000000b0d160303005902000055030331a3343747c9c5fb9ba5d113102ce57942dc0f11de0bf99782520ce97646f5106783d63d8f87f5e868404fdcfeb374819fab6df87cad4271731edc03000000dff01000000102160303094f0b00094b00094800040f
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x2ffc95c62df98ca46ff41499fc9cc211
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 243 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(3) User-Name = "Robby"
(3) Framed-MTU = 1400
(3) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(3) Calling-Station-Id = "c8f7.334c.b878"
(3) Cisco-AVPair = "ssid=BigBang_2"
(3) Service-Type = Login-User
(3) Cisco-AVPair = "service-type=Login"
(3) Message-Authenticator = 0x55938501273bff309d443a0fa80de3fe
(3) EAP-Message = 0x020500061900
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port = 670
(3) NAS-Port-Id = "670"
(3) State = 0x2ffc95c62df98ca46ff41499fc9cc211
(3) NAS-IP-Address = 10.160.134.40
(3) NAS-Identifier = "txweahomxp-ap1142001"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x2ffc95c62df98ca4
(3) eap: Finished EAP session with state 0x2ffc95c62df98ca4
(3) eap: Previous EAP request found for state 0x2ffc95c62df98ca4, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 6 length 1000
(3) eap: EAP session adding &reply:State = 0x2ffc95c62cfa8ca4
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 243 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(3) EAP-Message = 0x010603e81940e767d3d95ba791c609604734de65f20761255945382f6caeddf488a7b22286eac5feb00b15e7f9a2e4d0247e1e6f0b6cbf3f240f9a08b4ec3119d5ad6dfce704325c36c113bbd63616056fb615fc26a7f0a8d2a9ee58dea9e13bc001f156be9694fb518a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x2ffc95c62cfa8ca46ff41499fc9cc211
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 244 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(4) User-Name = "Robby"
(4) Framed-MTU = 1400
(4) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(4) Calling-Station-Id = "c8f7.334c.b878"
(4) Cisco-AVPair = "ssid=BigBang_2"
(4) Service-Type = Login-User
(4) Cisco-AVPair = "service-type=Login"
(4) Message-Authenticator = 0xacec6641abdcdb9315b14db1bec37dc2
(4) EAP-Message = 0x020600061900
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port = 670
(4) NAS-Port-Id = "670"
(4) State = 0x2ffc95c62cfa8ca46ff41499fc9cc211
(4) NAS-IP-Address = 10.160.134.40
(4) NAS-Identifier = "txweahomxp-ap1142001"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 6 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x2ffc95c62cfa8ca4
(4) eap: Finished EAP session with state 0x2ffc95c62cfa8ca4
(4) eap: Previous EAP request found for state 0x2ffc95c62cfa8ca4, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 7 length 847
(4) eap: EAP session adding &reply:State = 0x2ffc95c62bfb8ca4
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 244 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(4) EAP-Message = 0x0107034f19000c0b57656174686572666f726431183016060355040a0c0f6d617273696e6e6f7312d302b06092a864886f70d010901161e726f626572747275746c656467653230303540636861727465722e6e6574312e30c256d617273696e6e6f766174696f6e7320
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x2ffc95c62bfb8ca46ff41499fc9cc211
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 245 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(5) User-Name = "Robby"
(5) Framed-MTU = 1400
(5) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(5) Calling-Station-Id = "c8f7.334c.b878"
(5) Cisco-AVPair = "ssid=BigBang_2"
(5) Service-Type = Login-User
(5) Cisco-AVPair = "service-type=Login"
(5) Message-Authenticator = 0xbb99cae7213575cea5c83c2734adb099
(5) EAP-Message = 0x0207008819800000007e16030300461000004241044bd42b8dab13062b00477e1df0490fe577003bfaceb1f32e0ace2e6ea8577ba1890e1169d164c955d4323745f16e99562054430495640f637241403030001011603030000000e26388809d83b0df2294f9622c31c5
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 670
(5) NAS-Port-Id = "670"
(5) State = 0x2ffc95c62bfb8ca46ff41499fc9cc211
(5) NAS-IP-Address = 10.160.134.40
(5) NAS-Identifier = "txweahomxp-ap1142001"
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 7 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x2ffc95c62bfb8ca4
(5) eap: Finished EAP session with state 0x2ffc95c62bfb8ca4
(5) eap: Previous EAP request found for state 0x2ffc95c62bfb8ca4, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: TLS_accept: SSLv3 read certificate verify A
(5) eap_peap: <<< recv TLS 1.2 [length 0001]
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 8 length 57
(5) eap: EAP session adding &reply:State = 0x2ffc95c62af48ca4
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 245 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(5) EAP-Message = 0x01080039190014030300010116030300282c9c2abcfa7fcdde28dae3b730bf17ee43b1476761858029b57dc77804cf638b304
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x2ffc95c62af48ca46ff41499fc9cc211
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 246 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(6) User-Name = "Robby"
(6) Framed-MTU = 1400
(6) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(6) Calling-Station-Id = "c8f7.334c.b878"
(6) Cisco-AVPair = "ssid=BigBang_2"
(6) Service-Type = Login-User
(6) Cisco-AVPair = "service-type=Login"
(6) Message-Authenticator = 0x3c37aeb6040251598fda97a3b3d710b5
(6) EAP-Message = 0x020800061900
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 670
(6) NAS-Port-Id = "670"
(6) State = 0x2ffc95c62af48ca46ff41499fc9cc211
(6) NAS-IP-Address = 10.160.134.40
(6) NAS-Identifier = "txweahomxp-ap1142001"
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 8 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x2ffc95c62af48ca4
(6) eap: Finished EAP session with state 0x2ffc95c62af48ca4
(6) eap: Previous EAP request found for state 0x2ffc95c62af48ca4, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 9 length 40
(6) eap: EAP session adding &reply:State = 0x2ffc95c629f58ca4
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 246 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(6) EAP-Message = 0x010900281900170303001d2c9c2abcfa7fcddfc8d64ed3d43396c4c10c3e130c551cc24344539
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x2ffc95c629f58ca46ff41499fc9cc211
(6) Finished request
Waking up in 2.5 seconds.
(7) Received Access-Request Id 247 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(7) User-Name = "Robby"
(7) Framed-MTU = 1400
(7) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(7) Calling-Station-Id = "c8f7.334c.b878"
(7) Cisco-AVPair = "ssid=BigBang_2"
(7) Service-Type = Login-User
(7) Cisco-AVPair = "service-type=Login"
(7) Message-Authenticator = 0x7284cd769f42a127b66ae370763a8ee2
(7) EAP-Message = 0x020900291900170303001e0000000000000001345a5a554715a8668681478e018f9cfaea152e9
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Port = 670
(7) NAS-Port-Id = "670"
(7) State = 0x2ffc95c629f58ca46ff41499fc9cc211
(7) NAS-IP-Address = 10.160.134.40
(7) NAS-Identifier = "txweahomxp-ap1142001"
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 9 length 41
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x2ffc95c629f58ca4
(7) eap: Finished EAP session with state 0x2ffc95c629f58ca4
(7) eap: Previous EAP request found for state 0x2ffc95c629f58ca4, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - Robby
(7) eap_peap: Got inner identity 'Robby'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0209000a01526f626279
(7) eap_peap: Setting User-Name to Robby
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0209000a01526f626279
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "Robby"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0209000a01526f626279
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "Robby"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 9 length 10
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 10 length 43
(7) eap: EAP session adding &reply:State = 0x9d6b43a39d6159a9
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x010a002b1a010a00261085c5433fa0b0545f7be0039772bd9088667265657261646975732d332
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x9d6b43a39d6159a92ac5e70b6aa44524
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x010a002b1a010a00261085c5433fa0b0545f7be0039772bd90886672656572616462e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x9d6b43a39d6159a92ac5e70b6aa44524
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x010a002b1a010a00261085c5433fa0b0545f7be0039772bd90886672656572616462e3132
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x9d6b43a39d6159a92ac5e70b6aa44524
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 10 length 74
(7) eap: EAP session adding &reply:State = 0x2ffc95c628f68ca4
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 247 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(7) EAP-Message = 0x010a004a1900170303003f2c9c2abcfa7fcde0fded872c4799e46c58573376369feabf8b7f268957056d141ca7c1ff175cd91d02ff06e652f41781876a372fd38b7bfdb
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x2ffc95c628f68ca46ff41499fc9cc211
(7) Finished request
Waking up in 2.5 seconds.
(8) Received Access-Request Id 248 from 10.160.134.40:1645 to 10.160.134.60:1812 length 307
(8) User-Name = "Robby"
(8) Framed-MTU = 1400
(8) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(8) Calling-Station-Id = "c8f7.334c.b878"
(8) Cisco-AVPair = "ssid=BigBang_2"
(8) Service-Type = Login-User
(8) Cisco-AVPair = "service-type=Login"
(8) Message-Authenticator = 0x97c754fdf23e6047a5062384be7eee34
(8) EAP-Message = 0x020a005f190017030300540000000000000002aee2dbd0750a9879a30a4b8b98529af198728ec65363c40afae155e77323aa765e97ad992faf2a0c56ebe75e89b5f1513ea7a12b4000a5804e5ed9f40127f9cdecf4f6ccfc
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Port = 670
(8) NAS-Port-Id = "670"
(8) State = 0x2ffc95c628f68ca46ff41499fc9cc211
(8) NAS-IP-Address = 10.160.134.40
(8) NAS-Identifier = "txweahomxp-ap1142001"
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 10 length 95
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x9d6b43a39d6159a9
(8) eap: Finished EAP session with state 0x2ffc95c628f68ca4
(8) eap: Previous EAP request found for state 0x2ffc95c628f68ca4, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020a00401a020a003b319586be4863bea980ff4114cb17552162000000000000000ee945d46d9499c735713604b2bf11ae5aab000526f626279
(8) eap_peap: Setting User-Name to Robby
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020a00401a020a003b319586be4863bea980ff4114cb17552162000000000000000ee945d46d9499c735713604b2bf11ae5aab000526f626279
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "Robby"
(8) eap_peap: State = 0x9d6b43a39d6159a92ac5e70b6aa44524
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020a00401a020a003b319586be4863bea980ff4114cb175521620000000000000000c42df7be6499c735713604b2bf11ae5aab000526f626279
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "Robby"
(8) State = 0x9d6b43a39d6159a92ac5e70b6aa44524
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 10 length 64
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry Robby at line 26
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x9d6b43a39d6159a9
(8) eap: Finished EAP session with state 0x9d6b43a39d6159a9
(8) eap: Previous EAP request found for state 0x9d6b43a39d6159a9, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: Robby
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # authenticate = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 11 length 51
(8) eap: EAP session adding &reply:State = 0x9d6b43a39c6059a9
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x010b00331a030a002e533d3330413432383241363534373242414446383632453832333330423414342313943
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x9d6b43a39c6059a92ac5e70b6aa44524
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x010b00331a030a002e533d3330413432383241363534373242414446383632453834532413339414342313943
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x9d6b43a39c6059a92ac5e70b6aa44524
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x010b00331a030a002e533d3330413432383241363534373242414446383632453834532413339414342313943
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x9d6b43a39c6059a92ac5e70b6aa44524
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 11 length 82
(8) eap: EAP session adding &reply:State = 0x2ffc95c627f78ca4
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 248 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(8) EAP-Message = 0x010b0052190017030300472c9c2abcfa7fcde19abf3666397047384a088b907177749fee4fa01a4961461a5e00b10904aa4a3d063c9b41b0386458b22eaf13700eaa26258ade9dc69dcebc0
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x2ffc95c627f78ca46ff41499fc9cc211
(8) Finished request
Waking up in 2.5 seconds.
(9) Received Access-Request Id 249 from 10.160.134.40:1645 to 10.160.134.60:1812 length 249
(9) User-Name = "Robby"
(9) Framed-MTU = 1400
(9) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(9) Calling-Station-Id = "c8f7.334c.b878"
(9) Cisco-AVPair = "ssid=BigBang_2"
(9) Service-Type = Login-User
(9) Cisco-AVPair = "service-type=Login"
(9) Message-Authenticator = 0xfb34a84bfed06dc28b20976a84b5980a
(9) EAP-Message = 0x020b00251900170303001a00000000000000031c4d5a19032cab793909611e2b6d1f21bd29
(9) NAS-Port-Type = Wireless-802.11
(9) NAS-Port = 670
(9) NAS-Port-Id = "670"
(9) State = 0x2ffc95c627f78ca46ff41499fc9cc211
(9) NAS-IP-Address = 10.160.134.40
(9) NAS-Identifier = "txweahomxp-ap1142001"
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 11 length 37
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9d6b43a39c6059a9
(9) eap: Finished EAP session with state 0x2ffc95c627f78ca4
(9) eap: Previous EAP request found for state 0x2ffc95c627f78ca4, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x020b00061a03
(9) eap_peap: Setting User-Name to Robby
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x020b00061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "Robby"
(9) eap_peap: State = 0x9d6b43a39c6059a92ac5e70b6aa44524
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x020b00061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "Robby"
(9) State = 0x9d6b43a39c6059a92ac5e70b6aa44524
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 11 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry Robby at line 26
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x9d6b43a39c6059a9
(9) eap: Finished EAP session with state 0x9d6b43a39c6059a9
(9) eap: Previous EAP request found for state 0x9d6b43a39c6059a9, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 11 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) post-auth { ... } # empty sub-section is ignored
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0x6f93481db880dbbc32d1458020ae5e78
(9) MS-MPPE-Recv-Key = 0x3bd2f0c30cd1c1f6207982967a503506
(9) EAP-Message = 0x030b0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "Robby"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x6f93481db880dbbc32d1458020ae5e78
(9) eap_peap: MS-MPPE-Recv-Key = 0x3bd2f0c30cd1c1f6207982967a503506
(9) eap_peap: EAP-Message = 0x030b0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "Robby"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0x6f93481db880dbbc32d1458020ae5e78
(9) eap_peap: MS-MPPE-Recv-Key = 0x3bd2f0c30cd1c1f6207982967a503506
(9) eap_peap: EAP-Message = 0x030b0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "Robby"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 12 length 46
(9) eap: EAP session adding &reply:State = 0x2ffc95c626f08ca4
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) Sent Access-Challenge Id 249 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(9) EAP-Message = 0x010c002e190017030300232c9c2abcfa7fcde26cdc33365a0c4b926b59f9cc61015989a85bdd9d8
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x2ffc95c626f08ca46ff41499fc9cc211
(9) Finished request
Waking up in 2.5 seconds.
(10) Received Access-Request Id 250 from 10.160.134.40:1645 to 10.160.134.60:1812 length 258
(10) User-Name = "Robby"
(10) Framed-MTU = 1400
(10) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(10) Calling-Station-Id = "c8f7.334c.b878"
(10) Cisco-AVPair = "ssid=BigBang_2"
(10) Service-Type = Login-User
(10) Cisco-AVPair = "service-type=Login"
(10) Message-Authenticator = 0xbddce953bb0661dae28c65000a5156bf
(10) EAP-Message = 0x020c002e19001703030023000000000000000445f1a160592d3bb9f754102f275d92a02f3c32a47
(10) NAS-Port-Type = Wireless-802.11
(10) NAS-Port = 670
(10) NAS-Port-Id = "670"
(10) State = 0x2ffc95c626f08ca46ff41499fc9cc211
(10) NAS-IP-Address = 10.160.134.40
(10) NAS-Identifier = "txweahomxp-ap1142001"
(10) session-state: No cached attributes
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 12 length 46
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0x2ffc95c626f08ca4
(10) eap: Finished EAP session with state 0x2ffc95c626f08ca4
(10) eap: Previous EAP request found for state 0x2ffc95c626f08ca4, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: No information to cache: session caching will be disabled for session ce97646f51067868404fdcfeb374819fab6df87cad4271731ed
(10) eap: Sending EAP Success (code 3) ID 12 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = noop
(10) Sent Access-Accept Id 250 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(10) MS-MPPE-Recv-Key = 0xffc4f2898f45c13eea803a93d6ecef0f2ffc19089f68e5133fdf9028e9f62569
(10) MS-MPPE-Send-Key = 0x65418fac1156b62ec5883ac420a8dd1f8ea5959722bf78c09936eafa6d0f3547
(10) EAP-Message = 0x030c0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "Robby"
(10) Finished request
Waking up in 2.5 seconds.
(0) Cleaning up request packet ID 240 with timestamp +32
(1) Cleaning up request packet ID 241 with timestamp +32
(2) Cleaning up request packet ID 242 with timestamp +32
(3) Cleaning up request packet ID 243 with timestamp +32
(4) Cleaning up request packet ID 244 with timestamp +32
(5) Cleaning up request packet ID 245 with timestamp +32
Waking up in 2.3 seconds.
(11) Received Access-Request Id 251 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(11) User-Name = "Robby"
(11) Framed-MTU = 1400
(11) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(11) Calling-Station-Id = "c8f7.334c.b878"
(11) Cisco-AVPair = "ssid=BigBang_2"
(11) Service-Type = Login-User
(11) Cisco-AVPair = "service-type=Login"
(11) Message-Authenticator = 0x44936eecf334632aa86cdf5c324c9fb7
(11) EAP-Message = 0x0201000a01526f626279
(11) NAS-Port-Type = Wireless-802.11
(11) NAS-Port = 671
(11) NAS-Port-Id = "671"
(11) NAS-IP-Address = 10.160.134.40
(11) NAS-Identifier = "txweahomxp-ap1142001"
(11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 10
(11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Peer sent packet with method EAP Identity (1)
(11) eap: Calling submodule eap_md5 to process data
(11) eap_md5: Issuing MD5 Challenge
(11) eap: Sending EAP Request (code 1) ID 2 length 22
(11) eap: EAP session adding &reply:State = 0xf0ec24b8f0ee202b
(11) [eap] = handled
(11) } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11) Sent Access-Challenge Id 251 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(11) EAP-Message = 0x010200160410448c2a3ed99f4a6e4bef9e9e50ab8a79
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0xf0ec24b8f0ee202b0870a2ceef44252b
(11) Finished request
Waking up in 1.6 seconds.
(12) Received Access-Request Id 252 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(12) User-Name = "Robby"
(12) Framed-MTU = 1400
(12) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(12) Calling-Station-Id = "c8f7.334c.b878"
(12) Cisco-AVPair = "ssid=BigBang_2"
(12) Service-Type = Login-User
(12) Cisco-AVPair = "service-type=Login"
(12) Message-Authenticator = 0x5956148001622f607807e0cb4645fd12
(12) EAP-Message = 0x020200060319
(12) NAS-Port-Type = Wireless-802.11
(12) NAS-Port = 671
(12) NAS-Port-Id = "671"
(12) State = 0xf0ec24b8f0ee202b0870a2ceef44252b
(12) NAS-IP-Address = 10.160.134.40
(12) NAS-Identifier = "txweahomxp-ap1142001"
(12) session-state: No cached attributes
(12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 2 length 6
(12) eap: No EAP Start, assuming it's an on-going EAP conversation
(12) [eap] = updated
(12) files: users: Matched entry Robby at line 26
(12) [files] = ok
(12) [expiration] = noop
(12) [logintime] = noop
(12) pap: WARNING: Auth-Type already set. Not setting to PAP
(12) [pap] = noop
(12) } # authorize = updated
(12) Found Auth-Type = eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap: Expiring EAP session with state 0xf0ec24b8f0ee202b
(12) eap: Finished EAP session with state 0xf0ec24b8f0ee202b
(12) eap: Previous EAP request found for state 0xf0ec24b8f0ee202b, released from the list
(12) eap: Peer sent packet with method EAP NAK (3)
(12) eap: Found mutually acceptable type PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Initiating new EAP-TLS session
(12) eap_peap: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 3 length 6
(12) eap: EAP session adding &reply:State = 0xf0ec24b8f1ef3d2b
(12) [eap] = handled
(12) } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12) Sent Access-Challenge Id 252 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(12) EAP-Message = 0x010300061920
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xf0ec24b8f1ef3d2b0870a2ceef44252b
(12) Finished request
Waking up in 1.6 seconds.
(13) Received Access-Request Id 253 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(13) User-Name = "Robby"
(13) Framed-MTU = 1400
(13) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(13) Calling-Station-Id = "c8f7.334c.b878"
(13) Cisco-AVPair = "ssid=BigBang_2"
(13) Service-Type = Login-User
(13) Cisco-AVPair = "service-type=Login"
(13) Message-Authenticator = 0x4c4254f6ccc2f0b9094f6968268075bc
(13) EAP-Message = 0x020300d21980000000c816030300c3010000bf030358fcdb5b3bc312bfc5d2072999759aa9899c43fa21fa366629520ce97646f5106783d63d8f87f5e868404fdcfeb374819fab6df87cad4271731ed003cc02cc02bc030024c023c028c027c00ac009c014c013003900
(13) NAS-Port-Type = Wireless-802.11
(13) NAS-Port = 671
(13) NAS-Port-Id = "671"
(13) State = 0xf0ec24b8f1ef3d2b0870a2ceef44252b
(13) NAS-IP-Address = 10.160.134.40
(13) NAS-Identifier = "txweahomxp-ap1142001"
(13) session-state: No cached attributes
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 3 length 210
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xf0ec24b8f1ef3d2b
(13) eap: Finished EAP session with state 0xf0ec24b8f1ef3d2b
(13) eap: Previous EAP request found for state 0xf0ec24b8f1ef3d2b, released from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(13) eap_peap: Got complete TLS record (200 bytes)
(13) eap_peap: [eaptls verify] = length included
(13) eap_peap: (other): before/accept initialization
(13) eap_peap: TLS_accept: before/accept initialization
(13) eap_peap: <<< recv TLS 1.2 [length 00c3]
(13) eap_peap: TLS_accept: SSLv3 read client hello A
(13) eap_peap: >>> send TLS 1.2 [length 0059]
(13) eap_peap: TLS_accept: SSLv3 write server hello A
(13) eap_peap: >>> send TLS 1.2 [length 094f]
(13) eap_peap: TLS_accept: SSLv3 write certificate A
(13) eap_peap: >>> send TLS 1.2 [length 014d]
(13) eap_peap: TLS_accept: SSLv3 write key exchange A
(13) eap_peap: >>> send TLS 1.2 [length 0004]
(13) eap_peap: TLS_accept: SSLv3 write server done A
(13) eap_peap: TLS_accept: SSLv3 flush data
(13) eap_peap: TLS_accept: SSLv3 read client certificate A
(13) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(13) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(13) eap_peap: In SSL Handshake Phase
(13) eap_peap: In SSL Accept mode
(13) eap_peap: [eaptls process] = handled
(13) eap: Sending EAP Request (code 1) ID 4 length 1004
(13) eap: EAP session adding &reply:State = 0xf0ec24b8f2e83d2b
(13) [eap] = handled
(13) } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13) Sent Access-Challenge Id 253 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(13) EAP-Message = 0x010403ec19c000000b0d160303005902000055030373b06e19fa174121a9bc2ad9057c5f489185a16e316537211f420c800c07eab8b5c5c2898fcf33e1c4fcf02d941331b2cd9af9ebc3b25472b455ac03000000dff01003000102160303094f0b00094b00094800040f
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xf0ec24b8f2e83d2b0870a2ceef44252b
(13) Finished request
Waking up in 1.6 seconds.
(14) Received Access-Request Id 254 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(14) User-Name = "Robby"
(14) Framed-MTU = 1400
(14) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(14) Calling-Station-Id = "c8f7.334c.b878"
(14) Cisco-AVPair = "ssid=BigBang_2"
(14) Service-Type = Login-User
(14) Cisco-AVPair = "service-type=Login"
(14) Message-Authenticator = 0x7955cefe5d9bb482c1f55e68f443b4b4
(14) EAP-Message = 0x020400061900
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 671
(14) NAS-Port-Id = "671"
(14) State = 0xf0ec24b8f2e83d2b0870a2ceef44252b
(14) NAS-IP-Address = 10.160.134.40
(14) NAS-Identifier = "txweahomxp-ap1142001"
(14) session-state: No cached attributes
(14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 4 length 6
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0xf0ec24b8f2e83d2b
(14) eap: Finished EAP session with state 0xf0ec24b8f2e83d2b
(14) eap: Previous EAP request found for state 0xf0ec24b8f2e83d2b, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer ACKed our handshake fragment
(14) eap_peap: [eaptls verify] = request
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 5 length 1000
(14) eap: EAP session adding &reply:State = 0xf0ec24b8f3e93d2b
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 254 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(14) EAP-Message = 0x010503e81940e767d3d95ba791c609604734de65f20761255945382f6caeddf488a7b22286ea65feb00b15e7f9a2e4d0247e1e6f0b6cbf3f240f9a08b4ec3119d5ad6dfce704325c36c113bbd63616056fb615fc26a7f0abd2a9ee58dea9e13bc001f156be9694fb518a
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xf0ec24b8f3e93d2b0870a2ceef44252b
(14) Finished request
Waking up in 1.5 seconds.
(15) Received Access-Request Id 255 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(15) User-Name = "Robby"
(15) Framed-MTU = 1400
(15) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(15) Calling-Station-Id = "c8f7.334c.b878"
(15) Cisco-AVPair = "ssid=BigBang_2"
(15) Service-Type = Login-User
(15) Cisco-AVPair = "service-type=Login"
(15) Message-Authenticator = 0x980bbb641310986df2e5f7452574b1c9
(15) EAP-Message = 0x020500061900
(15) NAS-Port-Type = Wireless-802.11
(15) NAS-Port = 671
(15) NAS-Port-Id = "671"
(15) State = 0xf0ec24b8f3e93d2b0870a2ceef44252b
(15) NAS-IP-Address = 10.160.134.40
(15) NAS-Identifier = "txweahomxp-ap1142001"
(15) session-state: No cached attributes
(15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 5 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15) authenticate {
(15) eap: Expiring EAP session with state 0xf0ec24b8f3e93d2b
(15) eap: Finished EAP session with state 0xf0ec24b8f3e93d2b
(15) eap: Previous EAP request found for state 0xf0ec24b8f3e93d2b, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 6 length 847
(15) eap: EAP session adding &reply:State = 0xf0ec24b8f4ea3d2b
(15) [eap] = handled
(15) } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15) Sent Access-Challenge Id 255 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(15) EAP-Message = 0x0106034f19000c0b57656174686572666f726431183016060355040a0c0f6d617273696e6e6f3312d302b06092a864886f70d010901161e726f626572747275746c656467653230303540636861727465722e6e6574312e30c256d617273696e6e6f766174696f6e7320
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xf0ec24b8f4ea3d2b0870a2ceef44252b
(15) Finished request
Waking up in 1.5 seconds.
(16) Received Access-Request Id 0 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(16) User-Name = "Robby"
(16) Framed-MTU = 1400
(16) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(16) Calling-Station-Id = "c8f7.334c.b878"
(16) Cisco-AVPair = "ssid=BigBang_2"
(16) Service-Type = Login-User
(16) Cisco-AVPair = "service-type=Login"
(16) Message-Authenticator = 0xf6aef84dca805a32033df80ef30fc0c6
(16) EAP-Message = 0x0206008819800000007e160303004610000042410478e116722c850530756596e423ca7ad22d8068595fff203873fda26fc60bb3a438fad3db8977c3f9d81261392715d6dec120a9aea1aa478e9bb14030300010116030300000003a3b7ad9befa8fced693760bef3eb5
(16) NAS-Port-Type = Wireless-802.11
(16) NAS-Port = 671
(16) NAS-Port-Id = "671"
(16) State = 0xf0ec24b8f4ea3d2b0870a2ceef44252b
(16) NAS-IP-Address = 10.160.134.40
(16) NAS-Identifier = "txweahomxp-ap1142001"
(16) session-state: No cached attributes
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 6 length 136
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16) authenticate {
(16) eap: Expiring EAP session with state 0xf0ec24b8f4ea3d2b
(16) eap: Finished EAP session with state 0xf0ec24b8f4ea3d2b
(16) eap: Previous EAP request found for state 0xf0ec24b8f4ea3d2b, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(16) eap_peap: Got complete TLS record (126 bytes)
(16) eap_peap: [eaptls verify] = length included
(16) eap_peap: <<< recv TLS 1.2 [length 0046]
(16) eap_peap: TLS_accept: SSLv3 read client key exchange A
(16) eap_peap: TLS_accept: SSLv3 read certificate verify A
(16) eap_peap: <<< recv TLS 1.2 [length 0001]
(16) eap_peap: <<< recv TLS 1.2 [length 0010]
(16) eap_peap: TLS_accept: SSLv3 read finished A
(16) eap_peap: >>> send TLS 1.2 [length 0001]
(16) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(16) eap_peap: >>> send TLS 1.2 [length 0010]
(16) eap_peap: TLS_accept: SSLv3 write finished A
(16) eap_peap: TLS_accept: SSLv3 flush data
(16) eap_peap: (other): SSL negotiation finished successfully
(16) eap_peap: SSL Connection Established
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 7 length 57
(16) eap: EAP session adding &reply:State = 0xf0ec24b8f5eb3d2b
(16) [eap] = handled
(16) } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16) Sent Access-Challenge Id 0 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(16) EAP-Message = 0x01070039190014030300010116030300287b8137385b4d16eba7560e9b18c2f936681b540489e69a14485920bc28dbf841a8d
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xf0ec24b8f5eb3d2b0870a2ceef44252b
(16) Finished request
Waking up in 1.5 seconds.
(17) Received Access-Request Id 1 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(17) User-Name = "Robby"
(17) Framed-MTU = 1400
(17) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(17) Calling-Station-Id = "c8f7.334c.b878"
(17) Cisco-AVPair = "ssid=BigBang_2"
(17) Service-Type = Login-User
(17) Cisco-AVPair = "service-type=Login"
(17) Message-Authenticator = 0x3145335bc58c32ff859a204bb759ad73
(17) EAP-Message = 0x020700061900
(17) NAS-Port-Type = Wireless-802.11
(17) NAS-Port = 671
(17) NAS-Port-Id = "671"
(17) State = 0xf0ec24b8f5eb3d2b0870a2ceef44252b
(17) NAS-IP-Address = 10.160.134.40
(17) NAS-Identifier = "txweahomxp-ap1142001"
(17) session-state: No cached attributes
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 7 length 6
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17) authenticate {
(17) eap: Expiring EAP session with state 0xf0ec24b8f5eb3d2b
(17) eap: Finished EAP session with state 0xf0ec24b8f5eb3d2b
(17) eap: Previous EAP request found for state 0xf0ec24b8f5eb3d2b, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(17) eap_peap: [eaptls verify] = success
(17) eap_peap: [eaptls process] = success
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state TUNNEL ESTABLISHED
(17) eap: Sending EAP Request (code 1) ID 8 length 40
(17) eap: EAP session adding &reply:State = 0xf0ec24b8f6e43d2b
(17) [eap] = handled
(17) } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17) Sent Access-Challenge Id 1 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(17) EAP-Message = 0x010800281900170303001d7b8137385b4d16ec8bc265745f194e1dd508ef77d9be988367c40b
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xf0ec24b8f6e43d2b0870a2ceef44252b
(17) Finished request
Waking up in 1.5 seconds.
(18) Received Access-Request Id 2 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(18) User-Name = "Robby"
(18) Framed-MTU = 1400
(18) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(18) Calling-Station-Id = "c8f7.334c.b878"
(18) Cisco-AVPair = "ssid=BigBang_2"
(18) Service-Type = Login-User
(18) Cisco-AVPair = "service-type=Login"
(18) Message-Authenticator = 0x0a1daa6e9045414ae0d3ea3ed5649d95
(18) EAP-Message = 0x020800291900170303001e00000000000000011af1798118c8a0060e4de2a92ab66996cfd03e
(18) NAS-Port-Type = Wireless-802.11
(18) NAS-Port = 671
(18) NAS-Port-Id = "671"
(18) State = 0xf0ec24b8f6e43d2b0870a2ceef44252b
(18) NAS-IP-Address = 10.160.134.40
(18) NAS-Identifier = "txweahomxp-ap1142001"
(18) session-state: No cached attributes
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 8 length 41
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18) authenticate {
(18) eap: Expiring EAP session with state 0xf0ec24b8f6e43d2b
(18) eap: Finished EAP session with state 0xf0ec24b8f6e43d2b
(18) eap: Previous EAP request found for state 0xf0ec24b8f6e43d2b, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: [eaptls verify] = ok
(18) eap_peap: Done initial handshake
(18) eap_peap: [eaptls process] = ok
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(18) eap_peap: Identity - Robby
(18) eap_peap: Got inner identity 'Robby'
(18) eap_peap: Setting default EAP type for tunneled EAP session
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x0208000a01526f626279
(18) eap_peap: Setting User-Name to Robby
(18) eap_peap: Sending tunneled request to inner-tunnel
(18) eap_peap: EAP-Message = 0x0208000a01526f626279
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "Robby"
(18) Virtual server inner-tunnel received request
(18) EAP-Message = 0x0208000a01526f626279
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "Robby"
(18) WARNING: Outer and inner identities are the same. User privacy is compromised.
(18) server inner-tunnel {
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [chap] = noop
(18) [mschap] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) update control {
(18) &Proxy-To-Realm := LOCAL
(18) } # update control = noop
(18) eap: Peer sent EAP Response (code 2) ID 8 length 10
(18) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) authenticate {
(18) eap: Peer sent packet with method EAP Identity (1)
(18) eap: Calling submodule eap_mschapv2 to process data
(18) eap_mschapv2: Issuing Challenge
(18) eap: Sending EAP Request (code 1) ID 9 length 43
(18) eap: EAP session adding &reply:State = 0x888dee818884f403
(18) [eap] = handled
(18) } # authenticate = handled
(18) } # server inner-tunnel
(18) Virtual server sending reply
(18) EAP-Message = 0x0109002b1a01090026101f279445140849806ba9cb002d3d19f3667265657261646975732d33
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x888dee818884f403de8ce3946afb520a
(18) eap_peap: Got tunneled reply code 11
(18) eap_peap: EAP-Message = 0x0109002b1a01090026101f279445140849806ba9cb002d3d19f36672656572616402e3132
(18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(18) eap_peap: State = 0x888dee818884f403de8ce3946afb520a
(18) eap_peap: Got tunneled reply RADIUS code 11
(18) eap_peap: EAP-Message = 0x0109002b1a01090026101f279445140849806ba9cb002d3d19f36672656572616402e3132
(18) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(18) eap_peap: State = 0x888dee818884f403de8ce3946afb520a
(18) eap_peap: Got tunneled Access-Challenge
(18) eap: Sending EAP Request (code 1) ID 9 length 74
(18) eap: EAP session adding &reply:State = 0xf0ec24b8f7e53d2b
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 2 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(18) EAP-Message = 0x0109004a1900170303003f7b8137385b4d16ed1ac6fdb0c631913990a07002951ab1973902b087dc2d7c34c731da3daee268c3b0f1e050e10ca61ea02edd5c456da924e
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xf0ec24b8f7e53d2b0870a2ceef44252b
(18) Finished request
Waking up in 1.5 seconds.
(19) Received Access-Request Id 3 from 10.160.134.40:1645 to 10.160.134.60:1812 length 307
(19) User-Name = "Robby"
(19) Framed-MTU = 1400
(19) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(19) Calling-Station-Id = "c8f7.334c.b878"
(19) Cisco-AVPair = "ssid=BigBang_2"
(19) Service-Type = Login-User
(19) Cisco-AVPair = "service-type=Login"
(19) Message-Authenticator = 0x78ebf8d7849ee65546511edfad6649a3
(19) EAP-Message = 0x0209005f190017030300540000000000000002abd28a000377b1659d154929a68788cafba4636bacaf38b24ea3601048fbeebd813d1db21a6beea134dbb498515d27d44bd5e2ddf06a407b9e96540e2326b1b9e232d6767
(19) NAS-Port-Type = Wireless-802.11
(19) NAS-Port = 671
(19) NAS-Port-Id = "671"
(19) State = 0xf0ec24b8f7e53d2b0870a2ceef44252b
(19) NAS-IP-Address = 10.160.134.40
(19) NAS-Identifier = "txweahomxp-ap1142001"
(19) session-state: No cached attributes
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 9 length 95
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0x888dee818884f403
(19) eap: Finished EAP session with state 0xf0ec24b8f7e53d2b
(19) eap: Previous EAP request found for state 0xf0ec24b8f7e53d2b, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state phase2
(19) eap_peap: EAP method MSCHAPv2 (26)
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020900401a0209003b31d636ce8eaaa7d9ae36a718c33d1d51d90000000000000082de9f8a8790d3d6181905ec39b7c2803abe300526f626279
(19) eap_peap: Setting User-Name to Robby
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x020900401a0209003b31d636ce8eaaa7d9ae36a718c33d1d51d90000000000000082de9f8a8790d3d6181905ec39b7c2803abe300526f626279
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "Robby"
(19) eap_peap: State = 0x888dee818884f403de8ce3946afb520a
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x020900401a0209003b31d636ce8eaaa7d9ae36a718c33d1d51d90000000000000000e3fbad4d90d3d6181905ec39b7c2803abe300526f626279
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "Robby"
(19) State = 0x888dee818884f403de8ce3946afb520a
(19) WARNING: Outer and inner identities are the same. User privacy is compromised.
(19) server inner-tunnel {
(19) session-state: No cached attributes
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 9 length 64
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) files: users: Matched entry Robby at line 26
(19) [files] = ok
(19) [expiration] = noop
(19) [logintime] = noop
(19) pap: WARNING: Auth-Type already set. Not setting to PAP
(19) [pap] = noop
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Expiring EAP session with state 0x888dee818884f403
(19) eap: Finished EAP session with state 0x888dee818884f403
(19) eap: Previous EAP request found for state 0x888dee818884f403, released from the list
(19) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(19) eap_mschapv2: authenticate {
(19) mschap: Found Cleartext-Password, hashing to create NT-Password
(19) mschap: Found Cleartext-Password, hashing to create LM-Password
(19) mschap: Creating challenge hash with username: Robby
(19) mschap: Client is using MS-CHAPv2
(19) mschap: Adding MS-CHAPv2 MPPE keys
(19) [mschap] = ok
(19) } # authenticate = ok
(19) MSCHAP Success
(19) eap: Sending EAP Request (code 1) ID 10 length 51
(19) eap: EAP session adding &reply:State = 0x888dee818987f403
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message = 0x010a00331a0309002e533d3135433243423535343039444236443446453545413832323741372434631384632
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x888dee818987f403de8ce3946afb520a
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message = 0x010a00331a0309002e533d3135433243423535343039444236443446453545413853145423832434631384632
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0x888dee818987f403de8ce3946afb520a
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message = 0x010a00331a0309002e533d3135433243423535343039444236443446453545413853145423832434631384632
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0x888dee818987f403de8ce3946afb520a
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 10 length 82
(19) eap: EAP session adding &reply:State = 0xf0ec24b8f8e63d2b
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 3 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(19) EAP-Message = 0x010a0052190017030300477b8137385b4d16ee94f2ebd53642add1967d50651f179adaefb025e14a354aefe662ad9d4689c2cc8f5d550ee5f6e767611ef43acc54ff82978fe05f42c060b5a
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xf0ec24b8f8e63d2b0870a2ceef44252b
(19) Finished request
Waking up in 1.5 seconds.
(20) Received Access-Request Id 4 from 10.160.134.40:1645 to 10.160.134.60:1812 length 249
(20) User-Name = "Robby"
(20) Framed-MTU = 1400
(20) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(20) Calling-Station-Id = "c8f7.334c.b878"
(20) Cisco-AVPair = "ssid=BigBang_2"
(20) Service-Type = Login-User
(20) Cisco-AVPair = "service-type=Login"
(20) Message-Authenticator = 0xff41a796cf1be6407ee36185dab5758d
(20) EAP-Message = 0x020a00251900170303001a00000000000000035a1b98ae0077c59d5d878d513c26f45cdbf0
(20) NAS-Port-Type = Wireless-802.11
(20) NAS-Port = 671
(20) NAS-Port-Id = "671"
(20) State = 0xf0ec24b8f8e63d2b0870a2ceef44252b
(20) NAS-IP-Address = 10.160.134.40
(20) NAS-Identifier = "txweahomxp-ap1142001"
(20) session-state: No cached attributes
(20) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 10 length 37
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0x888dee818987f403
(20) eap: Finished EAP session with state 0xf0ec24b8f8e63d2b
(20) eap: Previous EAP request found for state 0xf0ec24b8f8e63d2b, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message = 0x020a00061a03
(20) eap_peap: Setting User-Name to Robby
(20) eap_peap: Sending tunneled request to inner-tunnel
(20) eap_peap: EAP-Message = 0x020a00061a03
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "Robby"
(20) eap_peap: State = 0x888dee818987f403de8ce3946afb520a
(20) Virtual server inner-tunnel received request
(20) EAP-Message = 0x020a00061a03
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "Robby"
(20) State = 0x888dee818987f403de8ce3946afb520a
(20) WARNING: Outer and inner identities are the same. User privacy is compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 10 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) files: users: Matched entry Robby at line 26
(20) [files] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x888dee818987f403
(20) eap: Finished EAP session with state 0x888dee818987f403
(20) eap: Previous EAP request found for state 0x888dee818987f403, released from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap: Sending EAP Success (code 3) ID 10 length 4
(20) eap: Freeing handler
(20) [eap] = ok
(20) } # authenticate = ok
(20) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(20) post-auth { ... } # empty sub-section is ignored
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) MS-MPPE-Encryption-Policy = Encryption-Allowed
(20) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(20) MS-MPPE-Send-Key = 0x33892edd9104a0f150db2bdf88a30ec8
(20) MS-MPPE-Recv-Key = 0xcb148e037879595f7690ccf51932b018
(20) EAP-Message = 0x030a0004
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) User-Name = "Robby"
(20) eap_peap: Got tunneled reply code 2
(20) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(20) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(20) eap_peap: MS-MPPE-Send-Key = 0x33892edd9104a0f150db2bdf88a30ec8
(20) eap_peap: MS-MPPE-Recv-Key = 0xcb148e037879595f7690ccf51932b018
(20) eap_peap: EAP-Message = 0x030a0004
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: User-Name = "Robby"
(20) eap_peap: Got tunneled reply RADIUS code 2
(20) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(20) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(20) eap_peap: MS-MPPE-Send-Key = 0x33892edd9104a0f150db2bdf88a30ec8
(20) eap_peap: MS-MPPE-Recv-Key = 0xcb148e037879595f7690ccf51932b018
(20) eap_peap: EAP-Message = 0x030a0004
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: User-Name = "Robby"
(20) eap_peap: Tunneled authentication was successful
(20) eap_peap: SUCCESS
(20) eap: Sending EAP Request (code 1) ID 11 length 46
(20) eap: EAP session adding &reply:State = 0xf0ec24b8f9e73d2b
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20) Sent Access-Challenge Id 4 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(20) EAP-Message = 0x010b002e190017030300237b8137385b4d16ef1bf3ecb68e2fce6536d8f4db7904d5da4ebd218a7
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xf0ec24b8f9e73d2b0870a2ceef44252b
(20) Finished request
Waking up in 1.5 seconds.
(21) Received Access-Request Id 5 from 10.160.134.40:1645 to 10.160.134.60:1812 length 258
(21) User-Name = "Robby"
(21) Framed-MTU = 1400
(21) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(21) Calling-Station-Id = "c8f7.334c.b878"
(21) Cisco-AVPair = "ssid=BigBang_2"
(21) Service-Type = Login-User
(21) Cisco-AVPair = "service-type=Login"
(21) Message-Authenticator = 0x8e13eccca18073d4953850b2d50d26c3
(21) EAP-Message = 0x020b002e190017030300230000000000000004be1592d038439ecafc6088d7d6514e9090cc8e0fa
(21) NAS-Port-Type = Wireless-802.11
(21) NAS-Port = 671
(21) NAS-Port-Id = "671"
(21) State = 0xf0ec24b8f9e73d2b0870a2ceef44252b
(21) NAS-IP-Address = 10.160.134.40
(21) NAS-Identifier = "txweahomxp-ap1142001"
(21) session-state: No cached attributes
(21) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 11 length 46
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0xf0ec24b8f9e73d2b
(21) eap: Finished EAP session with state 0xf0ec24b8f9e73d2b
(21) eap: Previous EAP request found for state 0xf0ec24b8f9e73d2b, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: [eaptls verify] = ok
(21) eap_peap: Done initial handshake
(21) eap_peap: [eaptls process] = ok
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state send tlv success
(21) eap_peap: Received EAP-TLV response
(21) eap_peap: Success
(21) eap_peap: No information to cache: session caching will be disabled for session c800c07eab8b5cc4fcf02d941331b2cd9af9ebc3b25472b455a
(21) eap: Sending EAP Success (code 3) ID 11 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(21) post-auth {
(21) update {
(21) No attributes updated
(21) } # update = noop
(21) [exec] = noop
(21) policy remove_reply_message_if_eap {
(21) if (&reply:EAP-Message && &reply:Reply-Message) {
(21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(21) else {
(21) [noop] = noop
(21) } # else = noop
(21) } # policy remove_reply_message_if_eap = noop
(21) } # post-auth = noop
(21) Sent Access-Accept Id 5 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(21) MS-MPPE-Recv-Key = 0x3792dfb421aa537aa7199f5f0a35e46344cf2cc32990716f72646b58eac47626
(21) MS-MPPE-Send-Key = 0x5f3fcc9c6b35a1ce14b9be0f02012fca1319aff17d3c00a6017d3c8dc53930e5
(21) EAP-Message = 0x030b0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "Robby"
(21) Finished request
Waking up in 1.5 seconds.
(6) Cleaning up request packet ID 246 with timestamp +35
(7) Cleaning up request packet ID 247 with timestamp +35
(8) Cleaning up request packet ID 248 with timestamp +35
(9) Cleaning up request packet ID 249 with timestamp +35
(10) Cleaning up request packet ID 250 with timestamp +35
Waking up in 3.3 seconds.
(22) Received Access-Request Id 6 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(22) User-Name = "Robby"
(22) Framed-MTU = 1400
(22) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(22) Calling-Station-Id = "c8f7.334c.b878"
(22) Cisco-AVPair = "ssid=BigBang_2"
(22) Service-Type = Login-User
(22) Cisco-AVPair = "service-type=Login"
(22) Message-Authenticator = 0x3378f2522ce49075015f3d21e6c6c709
(22) EAP-Message = 0x0201000a01526f626279
(22) NAS-Port-Type = Wireless-802.11
(22) NAS-Port = 672
(22) NAS-Port-Id = "672"
(22) NAS-IP-Address = 10.160.134.40
(22) NAS-Identifier = "txweahomxp-ap1142001"
(22) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 1 length 10
(22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(22) authenticate {
(22) eap: Peer sent packet with method EAP Identity (1)
(22) eap: Calling submodule eap_md5 to process data
(22) eap_md5: Issuing MD5 Challenge
(22) eap: Sending EAP Request (code 1) ID 2 length 22
(22) eap: EAP session adding &reply:State = 0x7e7556c97e77521e
(22) [eap] = handled
(22) } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(22) Sent Access-Challenge Id 6 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(22) EAP-Message = 0x0102001604109f67d7b4a0320b67c047ee8a9bad5be7
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x7e7556c97e77521ed9094abe3616539c
(22) Finished request
Waking up in 1.5 seconds.
(23) Received Access-Request Id 7 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(23) User-Name = "Robby"
(23) Framed-MTU = 1400
(23) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(23) Calling-Station-Id = "c8f7.334c.b878"
(23) Cisco-AVPair = "ssid=BigBang_2"
(23) Service-Type = Login-User
(23) Cisco-AVPair = "service-type=Login"
(23) Message-Authenticator = 0xd364eb2ed010f8cf800e5c85c325b310
(23) EAP-Message = 0x020200060319
(23) NAS-Port-Type = Wireless-802.11
(23) NAS-Port = 672
(23) NAS-Port-Id = "672"
(23) State = 0x7e7556c97e77521ed9094abe3616539c
(23) NAS-IP-Address = 10.160.134.40
(23) NAS-Identifier = "txweahomxp-ap1142001"
(23) session-state: No cached attributes
(23) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(23) authorize {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = notfound
(23) } # policy filter_username = notfound
(23) [preprocess] = ok
(23) [chap] = noop
(23) [mschap] = noop
(23) [digest] = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) eap: Peer sent EAP Response (code 2) ID 2 length 6
(23) eap: No EAP Start, assuming it's an on-going EAP conversation
(23) [eap] = updated
(23) files: users: Matched entry Robby at line 26
(23) [files] = ok
(23) [expiration] = noop
(23) [logintime] = noop
(23) pap: WARNING: Auth-Type already set. Not setting to PAP
(23) [pap] = noop
(23) } # authorize = updated
(23) Found Auth-Type = eap
(23) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(23) authenticate {
(23) eap: Expiring EAP session with state 0x7e7556c97e77521e
(23) eap: Finished EAP session with state 0x7e7556c97e77521e
(23) eap: Previous EAP request found for state 0x7e7556c97e77521e, released from the list
(23) eap: Peer sent packet with method EAP NAK (3)
(23) eap: Found mutually acceptable type PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Initiating new EAP-TLS session
(23) eap_peap: [eaptls start] = request
(23) eap: Sending EAP Request (code 1) ID 3 length 6
(23) eap: EAP session adding &reply:State = 0x7e7556c97f764f1e
(23) [eap] = handled
(23) } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(23) Sent Access-Challenge Id 7 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(23) EAP-Message = 0x010300061920
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x7e7556c97f764f1ed9094abe3616539c
(23) Finished request
Waking up in 1.5 seconds.
(24) Received Access-Request Id 8 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(24) User-Name = "Robby"
(24) Framed-MTU = 1400
(24) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(24) Calling-Station-Id = "c8f7.334c.b878"
(24) Cisco-AVPair = "ssid=BigBang_2"
(24) Service-Type = Login-User
(24) Cisco-AVPair = "service-type=Login"
(24) Message-Authenticator = 0xd92bf69cf91b0a11281fa08b8b088b21
(24) EAP-Message = 0x020300d21980000000c816030300c3010000bf030358fcdb5e6e0f1b71e06fc811644f494e1cf63cbcd2bb50dde7820c800c07eab8b5c5c2898fcf33e1c4fcf02d941331b2cd9af9ebc3b25472b455a003cc02cc02bc030024c023c028c027c00ac009c014c013003900
(24) NAS-Port-Type = Wireless-802.11
(24) NAS-Port = 672
(24) NAS-Port-Id = "672"
(24) State = 0x7e7556c97f764f1ed9094abe3616539c
(24) NAS-IP-Address = 10.160.134.40
(24) NAS-Identifier = "txweahomxp-ap1142001"
(24) session-state: No cached attributes
(24) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(24) authorize {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = notfound
(24) } # policy filter_username = notfound
(24) [preprocess] = ok
(24) [chap] = noop
(24) [mschap] = noop
(24) [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(24) suffix: No such realm "NULL"
(24) [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 3 length 210
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(24) authenticate {
(24) eap: Expiring EAP session with state 0x7e7556c97f764f1e
(24) eap: Finished EAP session with state 0x7e7556c97f764f1e
(24) eap: Previous EAP request found for state 0x7e7556c97f764f1e, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(24) eap_peap: Got complete TLS record (200 bytes)
(24) eap_peap: [eaptls verify] = length included
(24) eap_peap: (other): before/accept initialization
(24) eap_peap: TLS_accept: before/accept initialization
(24) eap_peap: <<< recv TLS 1.2 [length 00c3]
(24) eap_peap: TLS_accept: SSLv3 read client hello A
(24) eap_peap: >>> send TLS 1.2 [length 0059]
(24) eap_peap: TLS_accept: SSLv3 write server hello A
(24) eap_peap: >>> send TLS 1.2 [length 094f]
(24) eap_peap: TLS_accept: SSLv3 write certificate A
(24) eap_peap: >>> send TLS 1.2 [length 014d]
(24) eap_peap: TLS_accept: SSLv3 write key exchange A
(24) eap_peap: >>> send TLS 1.2 [length 0004]
(24) eap_peap: TLS_accept: SSLv3 write server done A
(24) eap_peap: TLS_accept: SSLv3 flush data
(24) eap_peap: TLS_accept: SSLv3 read client certificate A
(24) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(24) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(24) eap_peap: In SSL Handshake Phase
(24) eap_peap: In SSL Accept mode
(24) eap_peap: [eaptls process] = handled
(24) eap: Sending EAP Request (code 1) ID 4 length 1004
(24) eap: EAP session adding &reply:State = 0x7e7556c97c714f1e
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(24) Sent Access-Challenge Id 8 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(24) EAP-Message = 0x010403ec19c000000b0d1603030059020000550303585629d871bfce3af5b22772bf483d7374e4327627cf716d0932060595f432d3bd17a07049ceffc9399873ece66001b0e8d5ce052209ab864e496c03000000dff01003000102160303094f0b00094b00094800040f
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x7e7556c97c714f1ed9094abe3616539c
(24) Finished request
Waking up in 1.5 seconds.
(25) Received Access-Request Id 9 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(25) User-Name = "Robby"
(25) Framed-MTU = 1400
(25) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(25) Calling-Station-Id = "c8f7.334c.b878"
(25) Cisco-AVPair = "ssid=BigBang_2"
(25) Service-Type = Login-User
(25) Cisco-AVPair = "service-type=Login"
(25) Message-Authenticator = 0x11bffcebe52cb48410ef1aeda5060144
(25) EAP-Message = 0x020400061900
(25) NAS-Port-Type = Wireless-802.11
(25) NAS-Port = 672
(25) NAS-Port-Id = "672"
(25) State = 0x7e7556c97c714f1ed9094abe3616539c
(25) NAS-IP-Address = 10.160.134.40
(25) NAS-Identifier = "txweahomxp-ap1142001"
(25) session-state: No cached attributes
(25) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(25) authorize {
(25) policy filter_username {
(25) if (&User-Name) {
(25) if (&User-Name) -> TRUE
(25) if (&User-Name) {
(25) if (&User-Name =~ / /) {
(25) if (&User-Name =~ / /) -> FALSE
(25) if (&User-Name =~ /@[^@]*@/ ) {
(25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(25) if (&User-Name =~ /\.\./ ) {
(25) if (&User-Name =~ /\.\./ ) -> FALSE
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(25) if (&User-Name =~ /\.$/) {
(25) if (&User-Name =~ /\.$/) -> FALSE
(25) if (&User-Name =~ /@\./) {
(25) if (&User-Name =~ /@\./) -> FALSE
(25) } # if (&User-Name) = notfound
(25) } # policy filter_username = notfound
(25) [preprocess] = ok
(25) [chap] = noop
(25) [mschap] = noop
(25) [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(25) suffix: No such realm "NULL"
(25) [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 4 length 6
(25) eap: Continuing tunnel setup
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0x7e7556c97c714f1e
(25) eap: Finished EAP session with state 0x7e7556c97c714f1e
(25) eap: Previous EAP request found for state 0x7e7556c97c714f1e, released from the list
(25) eap: Peer sent packet with method EAP PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Continuing EAP-TLS
(25) eap_peap: Peer ACKed our handshake fragment
(25) eap_peap: [eaptls verify] = request
(25) eap_peap: [eaptls process] = handled
(25) eap: Sending EAP Request (code 1) ID 5 length 1000
(25) eap: EAP session adding &reply:State = 0x7e7556c97d704f1e
(25) [eap] = handled
(25) } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found. Ignoring.
(25) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 9 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(25) EAP-Message = 0x010503e81940e767d3d95ba791c609604734de65f20761255945382f6caeddf488a7b22286ea65feb00b15e7f9a2e4d0247e1e6f0b6cbf3f240f9a08b4ec3119d5ad6dfce704325c36c113bbd63616056fb615fc26a7f0abd2a9ee58dea9e13bc001f156be9694fb518a
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) State = 0x7e7556c97d704f1ed9094abe3616539c
(25) Finished request
Waking up in 1.5 seconds.
(26) Received Access-Request Id 10 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(26) User-Name = "Robby"
(26) Framed-MTU = 1400
(26) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(26) Calling-Station-Id = "c8f7.334c.b878"
(26) Cisco-AVPair = "ssid=BigBang_2"
(26) Service-Type = Login-User
(26) Cisco-AVPair = "service-type=Login"
(26) Message-Authenticator = 0x765e526ec561f01539ce299e0903dd24
(26) EAP-Message = 0x020500061900
(26) NAS-Port-Type = Wireless-802.11
(26) NAS-Port = 672
(26) NAS-Port-Id = "672"
(26) State = 0x7e7556c97d704f1ed9094abe3616539c
(26) NAS-IP-Address = 10.160.134.40
(26) NAS-Identifier = "txweahomxp-ap1142001"
(26) session-state: No cached attributes
(26) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(26) authorize {
(26) policy filter_username {
(26) if (&User-Name) {
(26) if (&User-Name) -> TRUE
(26) if (&User-Name) {
(26) if (&User-Name =~ / /) {
(26) if (&User-Name =~ / /) -> FALSE
(26) if (&User-Name =~ /@[^@]*@/ ) {
(26) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(26) if (&User-Name =~ /\.\./ ) {
(26) if (&User-Name =~ /\.\./ ) -> FALSE
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(26) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(26) if (&User-Name =~ /\.$/) {
(26) if (&User-Name =~ /\.$/) -> FALSE
(26) if (&User-Name =~ /@\./) {
(26) if (&User-Name =~ /@\./) -> FALSE
(26) } # if (&User-Name) = notfound
(26) } # policy filter_username = notfound
(26) [preprocess] = ok
(26) [chap] = noop
(26) [mschap] = noop
(26) [digest] = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(26) suffix: No such realm "NULL"
(26) [suffix] = noop
(26) eap: Peer sent EAP Response (code 2) ID 5 length 6
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0x7e7556c97d704f1e
(26) eap: Finished EAP session with state 0x7e7556c97d704f1e
(26) eap: Previous EAP request found for state 0x7e7556c97d704f1e, released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer ACKed our handshake fragment
(26) eap_peap: [eaptls verify] = request
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 6 length 847
(26) eap: EAP session adding &reply:State = 0x7e7556c97a734f1e
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found. Ignoring.
(26) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 10 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(26) EAP-Message = 0x0106034f19000c0b57656174686572666f726431183016060355040a0c0f6d617273696e6e6f3312d302b06092a864886f70d010901161e726f626572747275746c656467653230303540636861727465722e6e6574312e30c256d617273696e6e6f766174696f6e7320
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0x7e7556c97a734f1ed9094abe3616539c
(26) Finished request
Waking up in 1.5 seconds.
(27) Received Access-Request Id 11 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(27) User-Name = "Robby"
(27) Framed-MTU = 1400
(27) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(27) Calling-Station-Id = "c8f7.334c.b878"
(27) Cisco-AVPair = "ssid=BigBang_2"
(27) Service-Type = Login-User
(27) Cisco-AVPair = "service-type=Login"
(27) Message-Authenticator = 0xa28cebff9340d0e3c20f1789f83967c2
(27) EAP-Message = 0x0206008819800000007e1603030046100000424104678e3983472e9df3c2129f6263273574e6dcf699d8711bae49adec7c547cb94ea19e08c4805d118cdf183bed0b0f02956be4fabe3b0c0814f971403030001011603030000000212b5444f94292ebbc5473e4b90e82
(27) NAS-Port-Type = Wireless-802.11
(27) NAS-Port = 672
(27) NAS-Port-Id = "672"
(27) State = 0x7e7556c97a734f1ed9094abe3616539c
(27) NAS-IP-Address = 10.160.134.40
(27) NAS-Identifier = "txweahomxp-ap1142001"
(27) session-state: No cached attributes
(27) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /@\./) {
(27) if (&User-Name =~ /@\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 6 length 136
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0x7e7556c97a734f1e
(27) eap: Finished EAP session with state 0x7e7556c97a734f1e
(27) eap: Previous EAP request found for state 0x7e7556c97a734f1e, released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(27) eap_peap: Got complete TLS record (126 bytes)
(27) eap_peap: [eaptls verify] = length included
(27) eap_peap: <<< recv TLS 1.2 [length 0046]
(27) eap_peap: TLS_accept: SSLv3 read client key exchange A
(27) eap_peap: TLS_accept: SSLv3 read certificate verify A
(27) eap_peap: <<< recv TLS 1.2 [length 0001]
(27) eap_peap: <<< recv TLS 1.2 [length 0010]
(27) eap_peap: TLS_accept: SSLv3 read finished A
(27) eap_peap: >>> send TLS 1.2 [length 0001]
(27) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(27) eap_peap: >>> send TLS 1.2 [length 0010]
(27) eap_peap: TLS_accept: SSLv3 write finished A
(27) eap_peap: TLS_accept: SSLv3 flush data
(27) eap_peap: (other): SSL negotiation finished successfully
(27) eap_peap: SSL Connection Established
(27) eap_peap: [eaptls process] = handled
(27) eap: Sending EAP Request (code 1) ID 7 length 57
(27) eap: EAP session adding &reply:State = 0x7e7556c97b724f1e
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) Post-Auth-Type sub-section not found. Ignoring.
(27) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(27) Sent Access-Challenge Id 11 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(27) EAP-Message = 0x0107003919001403030001011603030028b791d4d9c5c514f3285aab2c530795155e894e59c22a883eaa009cc047a7e6bc18b
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0x7e7556c97b724f1ed9094abe3616539c
(27) Finished request
Waking up in 1.5 seconds.
(28) Received Access-Request Id 12 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(28) User-Name = "Robby"
(28) Framed-MTU = 1400
(28) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(28) Calling-Station-Id = "c8f7.334c.b878"
(28) Cisco-AVPair = "ssid=BigBang_2"
(28) Service-Type = Login-User
(28) Cisco-AVPair = "service-type=Login"
(28) Message-Authenticator = 0x1740bfaa4ee0f934b103035dd0fb53f1
(28) EAP-Message = 0x020700061900
(28) NAS-Port-Type = Wireless-802.11
(28) NAS-Port = 672
(28) NAS-Port-Id = "672"
(28) State = 0x7e7556c97b724f1ed9094abe3616539c
(28) NAS-IP-Address = 10.160.134.40
(28) NAS-Identifier = "txweahomxp-ap1142001"
(28) session-state: No cached attributes
(28) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /@\./) {
(28) if (&User-Name =~ /@\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 7 length 6
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0x7e7556c97b724f1e
(28) eap: Finished EAP session with state 0x7e7556c97b724f1e
(28) eap: Previous EAP request found for state 0x7e7556c97b724f1e, released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(28) eap_peap: [eaptls verify] = success
(28) eap_peap: [eaptls process] = success
(28) eap_peap: Session established. Decoding tunneled attributes
(28) eap_peap: PEAP state TUNNEL ESTABLISHED
(28) eap: Sending EAP Request (code 1) ID 8 length 40
(28) eap: EAP session adding &reply:State = 0x7e7556c9787d4f1e
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) Post-Auth-Type sub-section not found. Ignoring.
(28) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(28) Sent Access-Challenge Id 12 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(28) EAP-Message = 0x010800281900170303001db791d4d9c5c514f4a0883b40639f02bdfbe8bbfed78408c0efc01b
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0x7e7556c9787d4f1ed9094abe3616539c
(28) Finished request
Waking up in 1.5 seconds.
(29) Received Access-Request Id 13 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(29) User-Name = "Robby"
(29) Framed-MTU = 1400
(29) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(29) Calling-Station-Id = "c8f7.334c.b878"
(29) Cisco-AVPair = "ssid=BigBang_2"
(29) Service-Type = Login-User
(29) Cisco-AVPair = "service-type=Login"
(29) Message-Authenticator = 0xb8f23492e95708832d8e66af727de4b4
(29) EAP-Message = 0x020800291900170303001e00000000000000018347ca2d5d93ac863ab387c6b54a0481a75e96
(29) NAS-Port-Type = Wireless-802.11
(29) NAS-Port = 672
(29) NAS-Port-Id = "672"
(29) State = 0x7e7556c9787d4f1ed9094abe3616539c
(29) NAS-IP-Address = 10.160.134.40
(29) NAS-Identifier = "txweahomxp-ap1142001"
(29) session-state: No cached attributes
(29) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /@\./) {
(29) if (&User-Name =~ /@\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 8 length 41
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0x7e7556c9787d4f1e
(29) eap: Finished EAP session with state 0x7e7556c9787d4f1e
(29) eap: Previous EAP request found for state 0x7e7556c9787d4f1e, released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: [eaptls verify] = ok
(29) eap_peap: Done initial handshake
(29) eap_peap: [eaptls process] = ok
(29) eap_peap: Session established. Decoding tunneled attributes
(29) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(29) eap_peap: Identity - Robby
(29) eap_peap: Got inner identity 'Robby'
(29) eap_peap: Setting default EAP type for tunneled EAP session
(29) eap_peap: Got tunneled request
(29) eap_peap: EAP-Message = 0x0208000a01526f626279
(29) eap_peap: Setting User-Name to Robby
(29) eap_peap: Sending tunneled request to inner-tunnel
(29) eap_peap: EAP-Message = 0x0208000a01526f626279
(29) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(29) eap_peap: User-Name = "Robby"
(29) Virtual server inner-tunnel received request
(29) EAP-Message = 0x0208000a01526f626279
(29) FreeRADIUS-Proxied-To = 127.0.0.1
(29) User-Name = "Robby"
(29) WARNING: Outer and inner identities are the same. User privacy is compromised.
(29) server inner-tunnel {
(29) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /@\./) {
(29) if (&User-Name =~ /@\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [chap] = noop
(29) [mschap] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) update control {
(29) &Proxy-To-Realm := LOCAL
(29) } # update control = noop
(29) eap: Peer sent EAP Response (code 2) ID 8 length 10
(29) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(29) authenticate {
(29) eap: Peer sent packet with method EAP Identity (1)
(29) eap: Calling submodule eap_mschapv2 to process data
(29) eap_mschapv2: Issuing Challenge
(29) eap: Sending EAP Request (code 1) ID 9 length 43
(29) eap: EAP session adding &reply:State = 0xef066c49ef0f764a
(29) [eap] = handled
(29) } # authenticate = handled
(29) } # server inner-tunnel
(29) Virtual server sending reply
(29) EAP-Message = 0x0109002b1a01090026105e43ec0dd3c1feb86e3e16daf106428a667265657261646975732d33
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0xef066c49ef0f764a127b9c7c6f65f995
(29) eap_peap: Got tunneled reply code 11
(29) eap_peap: EAP-Message = 0x0109002b1a01090026105e43ec0dd3c1feb86e3e16daf106428a6672656572616402e3132
(29) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(29) eap_peap: State = 0xef066c49ef0f764a127b9c7c6f65f995
(29) eap_peap: Got tunneled reply RADIUS code 11
(29) eap_peap: EAP-Message = 0x0109002b1a01090026105e43ec0dd3c1feb86e3e16daf106428a6672656572616402e3132
(29) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(29) eap_peap: State = 0xef066c49ef0f764a127b9c7c6f65f995
(29) eap_peap: Got tunneled Access-Challenge
(29) eap: Sending EAP Request (code 1) ID 9 length 74
(29) eap: EAP session adding &reply:State = 0x7e7556c9797c4f1e
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) Post-Auth-Type sub-section not found. Ignoring.
(29) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(29) Sent Access-Challenge Id 13 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(29) EAP-Message = 0x0109004a1900170303003fb791d4d9c5c514f596f3ac84618a7f35aad73e6936cf854131af1e4063d825cc53f21a615fb76bb1a3124e465b51c585f5c1314d044373831
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0x7e7556c9797c4f1ed9094abe3616539c
(29) Finished request
Waking up in 1.5 seconds.
(30) Received Access-Request Id 14 from 10.160.134.40:1645 to 10.160.134.60:1812 length 307
(30) User-Name = "Robby"
(30) Framed-MTU = 1400
(30) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(30) Calling-Station-Id = "c8f7.334c.b878"
(30) Cisco-AVPair = "ssid=BigBang_2"
(30) Service-Type = Login-User
(30) Cisco-AVPair = "service-type=Login"
(30) Message-Authenticator = 0x1c59650d3bc8b39e030ec31dbfee0f1f
(30) EAP-Message = 0x0209005f1900170303005400000000000000020fe8c49104307a2dc5a1a8910a03984ebe6447fd95fe48e9e7b27a0903dcd6fd11a505d4171cdb9617248af2f60e3fecefb3e9fa5fd913045f58946a955cb80ba0e039f10
(30) NAS-Port-Type = Wireless-802.11
(30) NAS-Port = 672
(30) NAS-Port-Id = "672"
(30) State = 0x7e7556c9797c4f1ed9094abe3616539c
(30) NAS-IP-Address = 10.160.134.40
(30) NAS-Identifier = "txweahomxp-ap1142001"
(30) session-state: No cached attributes
(30) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 9 length 95
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0xef066c49ef0f764a
(30) eap: Finished EAP session with state 0x7e7556c9797c4f1e
(30) eap: Previous EAP request found for state 0x7e7556c9797c4f1e, released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: [eaptls verify] = ok
(30) eap_peap: Done initial handshake
(30) eap_peap: [eaptls process] = ok
(30) eap_peap: Session established. Decoding tunneled attributes
(30) eap_peap: PEAP state phase2
(30) eap_peap: EAP method MSCHAPv2 (26)
(30) eap_peap: Got tunneled request
(30) eap_peap: EAP-Message = 0x020900401a0209003b31cbbb4001216060ee543cf8ec5c22fea800000000000000cf233042a5e441791bab6a38aa1b4b5aa4a0800526f626279
(30) eap_peap: Setting User-Name to Robby
(30) eap_peap: Sending tunneled request to inner-tunnel
(30) eap_peap: EAP-Message = 0x020900401a0209003b31cbbb4001216060ee543cf8ec5c22fea800000000000000cf233042a5e441791bab6a38aa1b4b5aa4a0800526f626279
(30) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(30) eap_peap: User-Name = "Robby"
(30) eap_peap: State = 0xef066c49ef0f764a127b9c7c6f65f995
(30) Virtual server inner-tunnel received request
(30) EAP-Message = 0x020900401a0209003b31cbbb4001216060ee543cf8ec5c22fea8000000000000000060adbb98e441791bab6a38aa1b4b5aa4a0800526f626279
(30) FreeRADIUS-Proxied-To = 127.0.0.1
(30) User-Name = "Robby"
(30) State = 0xef066c49ef0f764a127b9c7c6f65f995
(30) WARNING: Outer and inner identities are the same. User privacy is compromised.
(30) server inner-tunnel {
(30) session-state: No cached attributes
(30) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [chap] = noop
(30) [mschap] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) update control {
(30) &Proxy-To-Realm := LOCAL
(30) } # update control = noop
(30) eap: Peer sent EAP Response (code 2) ID 9 length 64
(30) eap: No EAP Start, assuming it's an on-going EAP conversation
(30) [eap] = updated
(30) files: users: Matched entry Robby at line 26
(30) [files] = ok
(30) [expiration] = noop
(30) [logintime] = noop
(30) pap: WARNING: Auth-Type already set. Not setting to PAP
(30) [pap] = noop
(30) } # authorize = updated
(30) Found Auth-Type = eap
(30) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(30) authenticate {
(30) eap: Expiring EAP session with state 0xef066c49ef0f764a
(30) eap: Finished EAP session with state 0xef066c49ef0f764a
(30) eap: Previous EAP request found for state 0xef066c49ef0f764a, released from the list
(30) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(30) eap: Calling submodule eap_mschapv2 to process data
(30) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(30) eap_mschapv2: authenticate {
(30) mschap: Found Cleartext-Password, hashing to create NT-Password
(30) mschap: Found Cleartext-Password, hashing to create LM-Password
(30) mschap: Creating challenge hash with username: Robby
(30) mschap: Client is using MS-CHAPv2
(30) mschap: Adding MS-CHAPv2 MPPE keys
(30) [mschap] = ok
(30) } # authenticate = ok
(30) MSCHAP Success
(30) eap: Sending EAP Request (code 1) ID 10 length 51
(30) eap: EAP session adding &reply:State = 0xef066c49ee0c764a
(30) [eap] = handled
(30) } # authenticate = handled
(30) } # server inner-tunnel
(30) Virtual server sending reply
(30) EAP-Message = 0x010a00331a0309002e533d3246313345433233334432333231453033344144374536464631396343132443738
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0xef066c49ee0c764a127b9c7c6f65f995
(30) eap_peap: Got tunneled reply code 11
(30) eap_peap: EAP-Message = 0x010a00331a0309002e533d3246313345433233334432333231453033344144374513041333036343132443738
(30) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(30) eap_peap: State = 0xef066c49ee0c764a127b9c7c6f65f995
(30) eap_peap: Got tunneled reply RADIUS code 11
(30) eap_peap: EAP-Message = 0x010a00331a0309002e533d3246313345433233334432333231453033344144374513041333036343132443738
(30) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(30) eap_peap: State = 0xef066c49ee0c764a127b9c7c6f65f995
(30) eap_peap: Got tunneled Access-Challenge
(30) eap: Sending EAP Request (code 1) ID 10 length 82
(30) eap: EAP session adding &reply:State = 0x7e7556c9767f4f1e
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) Post-Auth-Type sub-section not found. Ignoring.
(30) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(30) Sent Access-Challenge Id 14 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(30) EAP-Message = 0x010a005219001703030047b791d4d9c5c514f6933023114c664fe5d241caf5134a6bc307a2cca6cd3d4e8af37a6670654e23ab4704324f3eca6202f0f83390ca7ecd287aa0232a73d635439
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0x7e7556c9767f4f1ed9094abe3616539c
(30) Finished request
Waking up in 1.5 seconds.
(31) Received Access-Request Id 15 from 10.160.134.40:1645 to 10.160.134.60:1812 length 249
(31) User-Name = "Robby"
(31) Framed-MTU = 1400
(31) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(31) Calling-Station-Id = "c8f7.334c.b878"
(31) Cisco-AVPair = "ssid=BigBang_2"
(31) Service-Type = Login-User
(31) Cisco-AVPair = "service-type=Login"
(31) Message-Authenticator = 0xef5a09fe78860acc971b2bc429c8bbab
(31) EAP-Message = 0x020a00251900170303001a0000000000000003c656216cd151a59415036d5ec8b16a7e1161
(31) NAS-Port-Type = Wireless-802.11
(31) NAS-Port = 672
(31) NAS-Port-Id = "672"
(31) State = 0x7e7556c9767f4f1ed9094abe3616539c
(31) NAS-IP-Address = 10.160.134.40
(31) NAS-Identifier = "txweahomxp-ap1142001"
(31) session-state: No cached attributes
(31) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /@\./) {
(31) if (&User-Name =~ /@\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 10 length 37
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0xef066c49ee0c764a
(31) eap: Finished EAP session with state 0x7e7556c9767f4f1e
(31) eap: Previous EAP request found for state 0x7e7556c9767f4f1e, released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: [eaptls verify] = ok
(31) eap_peap: Done initial handshake
(31) eap_peap: [eaptls process] = ok
(31) eap_peap: Session established. Decoding tunneled attributes
(31) eap_peap: PEAP state phase2
(31) eap_peap: EAP method MSCHAPv2 (26)
(31) eap_peap: Got tunneled request
(31) eap_peap: EAP-Message = 0x020a00061a03
(31) eap_peap: Setting User-Name to Robby
(31) eap_peap: Sending tunneled request to inner-tunnel
(31) eap_peap: EAP-Message = 0x020a00061a03
(31) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(31) eap_peap: User-Name = "Robby"
(31) eap_peap: State = 0xef066c49ee0c764a127b9c7c6f65f995
(31) Virtual server inner-tunnel received request
(31) EAP-Message = 0x020a00061a03
(31) FreeRADIUS-Proxied-To = 127.0.0.1
(31) User-Name = "Robby"
(31) State = 0xef066c49ee0c764a127b9c7c6f65f995
(31) WARNING: Outer and inner identities are the same. User privacy is compromised.
(31) server inner-tunnel {
(31) session-state: No cached attributes
(31) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /@\./) {
(31) if (&User-Name =~ /@\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [chap] = noop
(31) [mschap] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) update control {
(31) &Proxy-To-Realm := LOCAL
(31) } # update control = noop
(31) eap: Peer sent EAP Response (code 2) ID 10 length 6
(31) eap: No EAP Start, assuming it's an on-going EAP conversation
(31) [eap] = updated
(31) files: users: Matched entry Robby at line 26
(31) [files] = ok
(31) [expiration] = noop
(31) [logintime] = noop
(31) pap: WARNING: Auth-Type already set. Not setting to PAP
(31) [pap] = noop
(31) } # authorize = updated
(31) Found Auth-Type = eap
(31) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(31) authenticate {
(31) eap: Expiring EAP session with state 0xef066c49ee0c764a
(31) eap: Finished EAP session with state 0xef066c49ee0c764a
(31) eap: Previous EAP request found for state 0xef066c49ee0c764a, released from the list
(31) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(31) eap: Calling submodule eap_mschapv2 to process data
(31) eap: Sending EAP Success (code 3) ID 10 length 4
(31) eap: Freeing handler
(31) [eap] = ok
(31) } # authenticate = ok
(31) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(31) post-auth { ... } # empty sub-section is ignored
(31) } # server inner-tunnel
(31) Virtual server sending reply
(31) MS-MPPE-Encryption-Policy = Encryption-Allowed
(31) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(31) MS-MPPE-Send-Key = 0x41175535364a0e40b45ea12716edd49f
(31) MS-MPPE-Recv-Key = 0x7143e8206bac2138c1e18159b52fc28d
(31) EAP-Message = 0x030a0004
(31) Message-Authenticator = 0x00000000000000000000000000000000
(31) User-Name = "Robby"
(31) eap_peap: Got tunneled reply code 2
(31) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(31) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(31) eap_peap: MS-MPPE-Send-Key = 0x41175535364a0e40b45ea12716edd49f
(31) eap_peap: MS-MPPE-Recv-Key = 0x7143e8206bac2138c1e18159b52fc28d
(31) eap_peap: EAP-Message = 0x030a0004
(31) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(31) eap_peap: User-Name = "Robby"
(31) eap_peap: Got tunneled reply RADIUS code 2
(31) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(31) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(31) eap_peap: MS-MPPE-Send-Key = 0x41175535364a0e40b45ea12716edd49f
(31) eap_peap: MS-MPPE-Recv-Key = 0x7143e8206bac2138c1e18159b52fc28d
(31) eap_peap: EAP-Message = 0x030a0004
(31) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(31) eap_peap: User-Name = "Robby"
(31) eap_peap: Tunneled authentication was successful
(31) eap_peap: SUCCESS
(31) eap: Sending EAP Request (code 1) ID 11 length 46
(31) eap: EAP session adding &reply:State = 0x7e7556c9777e4f1e
(31) [eap] = handled
(31) } # authenticate = handled
(31) Using Post-Auth-Type Challenge
(31) Post-Auth-Type sub-section not found. Ignoring.
(31) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(31) Sent Access-Challenge Id 15 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(31) EAP-Message = 0x010b002e19001703030023b791d4d9c5c514f75894f47819f90ba1da4ff0f4472c8f59a001ab18b
(31) Message-Authenticator = 0x00000000000000000000000000000000
(31) State = 0x7e7556c9777e4f1ed9094abe3616539c
(31) Finished request
Waking up in 1.5 seconds.
(32) Received Access-Request Id 16 from 10.160.134.40:1645 to 10.160.134.60:1812 length 258
(32) User-Name = "Robby"
(32) Framed-MTU = 1400
(32) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(32) Calling-Station-Id = "c8f7.334c.b878"
(32) Cisco-AVPair = "ssid=BigBang_2"
(32) Service-Type = Login-User
(32) Cisco-AVPair = "service-type=Login"
(32) Message-Authenticator = 0xe2616e88bd1c55b893867db659abac9e
(32) EAP-Message = 0x020b002e190017030300230000000000000004caab2801051eaa1df308be4845d6e0215a7a00620
(32) NAS-Port-Type = Wireless-802.11
(32) NAS-Port = 672
(32) NAS-Port-Id = "672"
(32) State = 0x7e7556c9777e4f1ed9094abe3616539c
(32) NAS-IP-Address = 10.160.134.40
(32) NAS-Identifier = "txweahomxp-ap1142001"
(32) session-state: No cached attributes
(32) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(32) authorize {
(32) policy filter_username {
(32) if (&User-Name) {
(32) if (&User-Name) -> TRUE
(32) if (&User-Name) {
(32) if (&User-Name =~ / /) {
(32) if (&User-Name =~ / /) -> FALSE
(32) if (&User-Name =~ /@[^@]*@/ ) {
(32) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(32) if (&User-Name =~ /\.\./ ) {
(32) if (&User-Name =~ /\.\./ ) -> FALSE
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(32) if (&User-Name =~ /\.$/) {
(32) if (&User-Name =~ /\.$/) -> FALSE
(32) if (&User-Name =~ /@\./) {
(32) if (&User-Name =~ /@\./) -> FALSE
(32) } # if (&User-Name) = notfound
(32) } # policy filter_username = notfound
(32) [preprocess] = ok
(32) [chap] = noop
(32) [mschap] = noop
(32) [digest] = noop
(32) suffix: Checking for suffix after "@"
(32) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(32) suffix: No such realm "NULL"
(32) [suffix] = noop
(32) eap: Peer sent EAP Response (code 2) ID 11 length 46
(32) eap: Continuing tunnel setup
(32) [eap] = ok
(32) } # authorize = ok
(32) Found Auth-Type = eap
(32) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(32) authenticate {
(32) eap: Expiring EAP session with state 0x7e7556c9777e4f1e
(32) eap: Finished EAP session with state 0x7e7556c9777e4f1e
(32) eap: Previous EAP request found for state 0x7e7556c9777e4f1e, released from the list
(32) eap: Peer sent packet with method EAP PEAP (25)
(32) eap: Calling submodule eap_peap to process data
(32) eap_peap: Continuing EAP-TLS
(32) eap_peap: [eaptls verify] = ok
(32) eap_peap: Done initial handshake
(32) eap_peap: [eaptls process] = ok
(32) eap_peap: Session established. Decoding tunneled attributes
(32) eap_peap: PEAP state send tlv success
(32) eap_peap: Received EAP-TLV response
(32) eap_peap: Success
(32) eap_peap: No information to cache: session caching will be disabled for session 60595f432d3bd1399873ece66001b0e8d5ce052209ab864e496
(32) eap: Sending EAP Success (code 3) ID 11 length 4
(32) eap: Freeing handler
(32) [eap] = ok
(32) } # authenticate = ok
(32) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(32) post-auth {
(32) update {
(32) No attributes updated
(32) } # update = noop
(32) [exec] = noop
(32) policy remove_reply_message_if_eap {
(32) if (&reply:EAP-Message && &reply:Reply-Message) {
(32) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(32) else {
(32) [noop] = noop
(32) } # else = noop
(32) } # policy remove_reply_message_if_eap = noop
(32) } # post-auth = noop
(32) Sent Access-Accept Id 16 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(32) MS-MPPE-Recv-Key = 0x0f9fae971f1985164e2eeff7e536acd09c31fe66cfc3732f25b13e2046d6c288
(32) MS-MPPE-Send-Key = 0x21a52ca97358d2154eecc9a7c034bff85515ca6a510e1af4344edd374a6bc38c
(32) EAP-Message = 0x030b0004
(32) Message-Authenticator = 0x00000000000000000000000000000000
(32) User-Name = "Robby"
(32) Finished request
Waking up in 1.5 seconds.
(11) Cleaning up request packet ID 251 with timestamp +38
(12) Cleaning up request packet ID 252 with timestamp +38
(13) Cleaning up request packet ID 253 with timestamp +38
(14) Cleaning up request packet ID 254 with timestamp +38
(15) Cleaning up request packet ID 255 with timestamp +38
(16) Cleaning up request packet ID 0 with timestamp +38
(17) Cleaning up request packet ID 1 with timestamp +38
(18) Cleaning up request packet ID 2 with timestamp +38
(19) Cleaning up request packet ID 3 with timestamp +38
(20) Cleaning up request packet ID 4 with timestamp +38
(21) Cleaning up request packet ID 5 with timestamp +38
Waking up in 3.3 seconds.
(33) Received Access-Request Id 17 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(33) User-Name = "Robby"
(33) Framed-MTU = 1400
(33) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(33) Calling-Station-Id = "c8f7.334c.b878"
(33) Cisco-AVPair = "ssid=BigBang_2"
(33) Service-Type = Login-User
(33) Cisco-AVPair = "service-type=Login"
(33) Message-Authenticator = 0x661e2fda590e1e8b2e4e63b0da2cb94a
(33) EAP-Message = 0x0201000a01526f626279
(33) NAS-Port-Type = Wireless-802.11
(33) NAS-Port = 673
(33) NAS-Port-Id = "673"
(33) NAS-IP-Address = 10.160.134.40
(33) NAS-Identifier = "txweahomxp-ap1142001"
(33) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(33) authorize {
(33) policy filter_username {
(33) if (&User-Name) {
(33) if (&User-Name) -> TRUE
(33) if (&User-Name) {
(33) if (&User-Name =~ / /) {
(33) if (&User-Name =~ / /) -> FALSE
(33) if (&User-Name =~ /@[^@]*@/ ) {
(33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(33) if (&User-Name =~ /\.\./ ) {
(33) if (&User-Name =~ /\.\./ ) -> FALSE
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(33) if (&User-Name =~ /\.$/) {
(33) if (&User-Name =~ /\.$/) -> FALSE
(33) if (&User-Name =~ /@\./) {
(33) if (&User-Name =~ /@\./) -> FALSE
(33) } # if (&User-Name) = notfound
(33) } # policy filter_username = notfound
(33) [preprocess] = ok
(33) [chap] = noop
(33) [mschap] = noop
(33) [digest] = noop
(33) suffix: Checking for suffix after "@"
(33) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(33) suffix: No such realm "NULL"
(33) [suffix] = noop
(33) eap: Peer sent EAP Response (code 2) ID 1 length 10
(33) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(33) [eap] = ok
(33) } # authorize = ok
(33) Found Auth-Type = eap
(33) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(33) authenticate {
(33) eap: Peer sent packet with method EAP Identity (1)
(33) eap: Calling submodule eap_md5 to process data
(33) eap_md5: Issuing MD5 Challenge
(33) eap: Sending EAP Request (code 1) ID 2 length 22
(33) eap: EAP session adding &reply:State = 0x784cb630784eb2df
(33) [eap] = handled
(33) } # authenticate = handled
(33) Using Post-Auth-Type Challenge
(33) Post-Auth-Type sub-section not found. Ignoring.
(33) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(33) Sent Access-Challenge Id 17 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(33) EAP-Message = 0x0102001604108e8fd233e0ab088b1015da5b2db680ce
(33) Message-Authenticator = 0x00000000000000000000000000000000
(33) State = 0x784cb630784eb2dfedbea19fe2f5fda7
(33) Finished request
Waking up in 1.5 seconds.
(34) Received Access-Request Id 18 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(34) User-Name = "Robby"
(34) Framed-MTU = 1400
(34) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(34) Calling-Station-Id = "c8f7.334c.b878"
(34) Cisco-AVPair = "ssid=BigBang_2"
(34) Service-Type = Login-User
(34) Cisco-AVPair = "service-type=Login"
(34) Message-Authenticator = 0x4ee5b25c765b02fab91f728eb1d397f8
(34) EAP-Message = 0x020200060319
(34) NAS-Port-Type = Wireless-802.11
(34) NAS-Port = 673
(34) NAS-Port-Id = "673"
(34) State = 0x784cb630784eb2dfedbea19fe2f5fda7
(34) NAS-IP-Address = 10.160.134.40
(34) NAS-Identifier = "txweahomxp-ap1142001"
(34) session-state: No cached attributes
(34) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(34) authorize {
(34) policy filter_username {
(34) if (&User-Name) {
(34) if (&User-Name) -> TRUE
(34) if (&User-Name) {
(34) if (&User-Name =~ / /) {
(34) if (&User-Name =~ / /) -> FALSE
(34) if (&User-Name =~ /@[^@]*@/ ) {
(34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(34) if (&User-Name =~ /\.\./ ) {
(34) if (&User-Name =~ /\.\./ ) -> FALSE
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(34) if (&User-Name =~ /\.$/) {
(34) if (&User-Name =~ /\.$/) -> FALSE
(34) if (&User-Name =~ /@\./) {
(34) if (&User-Name =~ /@\./) -> FALSE
(34) } # if (&User-Name) = notfound
(34) } # policy filter_username = notfound
(34) [preprocess] = ok
(34) [chap] = noop
(34) [mschap] = noop
(34) [digest] = noop
(34) suffix: Checking for suffix after "@"
(34) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(34) suffix: No such realm "NULL"
(34) [suffix] = noop
(34) eap: Peer sent EAP Response (code 2) ID 2 length 6
(34) eap: No EAP Start, assuming it's an on-going EAP conversation
(34) [eap] = updated
(34) files: users: Matched entry Robby at line 26
(34) [files] = ok
(34) [expiration] = noop
(34) [logintime] = noop
(34) pap: WARNING: Auth-Type already set. Not setting to PAP
(34) [pap] = noop
(34) } # authorize = updated
(34) Found Auth-Type = eap
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) authenticate {
(34) eap: Expiring EAP session with state 0x784cb630784eb2df
(34) eap: Finished EAP session with state 0x784cb630784eb2df
(34) eap: Previous EAP request found for state 0x784cb630784eb2df, released from the list
(34) eap: Peer sent packet with method EAP NAK (3)
(34) eap: Found mutually acceptable type PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Initiating new EAP-TLS session
(34) eap_peap: [eaptls start] = request
(34) eap: Sending EAP Request (code 1) ID 3 length 6
(34) eap: EAP session adding &reply:State = 0x784cb630794fafdf
(34) [eap] = handled
(34) } # authenticate = handled
(34) Using Post-Auth-Type Challenge
(34) Post-Auth-Type sub-section not found. Ignoring.
(34) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(34) Sent Access-Challenge Id 18 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(34) EAP-Message = 0x010300061920
(34) Message-Authenticator = 0x00000000000000000000000000000000
(34) State = 0x784cb630794fafdfedbea19fe2f5fda7
(34) Finished request
Waking up in 1.5 seconds.
(35) Received Access-Request Id 19 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(35) User-Name = "Robby"
(35) Framed-MTU = 1400
(35) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(35) Calling-Station-Id = "c8f7.334c.b878"
(35) Cisco-AVPair = "ssid=BigBang_2"
(35) Service-Type = Login-User
(35) Cisco-AVPair = "service-type=Login"
(35) Message-Authenticator = 0x4d540dff1b6b597a311a34d2c81ae041
(35) EAP-Message = 0x020300d21980000000c816030300c3010000bf030358fcdb62f5f11f89c92ae8cb0cc3df5d0a773f105f7086d08532060595f432d3bd17a07049ceffc9399873ece66001b0e8d5ce052209ab864e496003cc02cc02bc030024c023c028c027c00ac009c014c013003900
(35) NAS-Port-Type = Wireless-802.11
(35) NAS-Port = 673
(35) NAS-Port-Id = "673"
(35) State = 0x784cb630794fafdfedbea19fe2f5fda7
(35) NAS-IP-Address = 10.160.134.40
(35) NAS-Identifier = "txweahomxp-ap1142001"
(35) session-state: No cached attributes
(35) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(35) authorize {
(35) policy filter_username {
(35) if (&User-Name) {
(35) if (&User-Name) -> TRUE
(35) if (&User-Name) {
(35) if (&User-Name =~ / /) {
(35) if (&User-Name =~ / /) -> FALSE
(35) if (&User-Name =~ /@[^@]*@/ ) {
(35) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(35) if (&User-Name =~ /\.\./ ) {
(35) if (&User-Name =~ /\.\./ ) -> FALSE
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(35) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(35) if (&User-Name =~ /\.$/) {
(35) if (&User-Name =~ /\.$/) -> FALSE
(35) if (&User-Name =~ /@\./) {
(35) if (&User-Name =~ /@\./) -> FALSE
(35) } # if (&User-Name) = notfound
(35) } # policy filter_username = notfound
(35) [preprocess] = ok
(35) [chap] = noop
(35) [mschap] = noop
(35) [digest] = noop
(35) suffix: Checking for suffix after "@"
(35) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(35) suffix: No such realm "NULL"
(35) [suffix] = noop
(35) eap: Peer sent EAP Response (code 2) ID 3 length 210
(35) eap: Continuing tunnel setup
(35) [eap] = ok
(35) } # authorize = ok
(35) Found Auth-Type = eap
(35) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(35) authenticate {
(35) eap: Expiring EAP session with state 0x784cb630794fafdf
(35) eap: Finished EAP session with state 0x784cb630794fafdf
(35) eap: Previous EAP request found for state 0x784cb630794fafdf, released from the list
(35) eap: Peer sent packet with method EAP PEAP (25)
(35) eap: Calling submodule eap_peap to process data
(35) eap_peap: Continuing EAP-TLS
(35) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(35) eap_peap: Got complete TLS record (200 bytes)
(35) eap_peap: [eaptls verify] = length included
(35) eap_peap: (other): before/accept initialization
(35) eap_peap: TLS_accept: before/accept initialization
(35) eap_peap: <<< recv TLS 1.2 [length 00c3]
(35) eap_peap: TLS_accept: SSLv3 read client hello A
(35) eap_peap: >>> send TLS 1.2 [length 0059]
(35) eap_peap: TLS_accept: SSLv3 write server hello A
(35) eap_peap: >>> send TLS 1.2 [length 094f]
(35) eap_peap: TLS_accept: SSLv3 write certificate A
(35) eap_peap: >>> send TLS 1.2 [length 014d]
(35) eap_peap: TLS_accept: SSLv3 write key exchange A
(35) eap_peap: >>> send TLS 1.2 [length 0004]
(35) eap_peap: TLS_accept: SSLv3 write server done A
(35) eap_peap: TLS_accept: SSLv3 flush data
(35) eap_peap: TLS_accept: SSLv3 read client certificate A
(35) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(35) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(35) eap_peap: In SSL Handshake Phase
(35) eap_peap: In SSL Accept mode
(35) eap_peap: [eaptls process] = handled
(35) eap: Sending EAP Request (code 1) ID 4 length 1004
(35) eap: EAP session adding &reply:State = 0x784cb6307a48afdf
(35) [eap] = handled
(35) } # authenticate = handled
(35) Using Post-Auth-Type Challenge
(35) Post-Auth-Type sub-section not found. Ignoring.
(35) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(35) Sent Access-Challenge Id 19 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(35) EAP-Message = 0x010403ec19c000000b0d16030300590200005503030cd0ee5cbdd55dec8612e947c4f20c55539dabdfeb56ee76ff5203737ac8b460bb3c448e5e060272f41511d51e43eec57a9cd4c594b7efd7d2477c03000000dff01003000102160303094f0b00094b00094800040f
(35) Message-Authenticator = 0x00000000000000000000000000000000
(35) State = 0x784cb6307a48afdfedbea19fe2f5fda7
(35) Finished request
Waking up in 1.5 seconds.
(36) Received Access-Request Id 20 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(36) User-Name = "Robby"
(36) Framed-MTU = 1400
(36) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(36) Calling-Station-Id = "c8f7.334c.b878"
(36) Cisco-AVPair = "ssid=BigBang_2"
(36) Service-Type = Login-User
(36) Cisco-AVPair = "service-type=Login"
(36) Message-Authenticator = 0x7618798eadfb53224a0df4fd9a73f2c3
(36) EAP-Message = 0x020400061900
(36) NAS-Port-Type = Wireless-802.11
(36) NAS-Port = 673
(36) NAS-Port-Id = "673"
(36) State = 0x784cb6307a48afdfedbea19fe2f5fda7
(36) NAS-IP-Address = 10.160.134.40
(36) NAS-Identifier = "txweahomxp-ap1142001"
(36) session-state: No cached attributes
(36) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(36) authorize {
(36) policy filter_username {
(36) if (&User-Name) {
(36) if (&User-Name) -> TRUE
(36) if (&User-Name) {
(36) if (&User-Name =~ / /) {
(36) if (&User-Name =~ / /) -> FALSE
(36) if (&User-Name =~ /@[^@]*@/ ) {
(36) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(36) if (&User-Name =~ /\.\./ ) {
(36) if (&User-Name =~ /\.\./ ) -> FALSE
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(36) if (&User-Name =~ /\.$/) {
(36) if (&User-Name =~ /\.$/) -> FALSE
(36) if (&User-Name =~ /@\./) {
(36) if (&User-Name =~ /@\./) -> FALSE
(36) } # if (&User-Name) = notfound
(36) } # policy filter_username = notfound
(36) [preprocess] = ok
(36) [chap] = noop
(36) [mschap] = noop
(36) [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(36) suffix: No such realm "NULL"
(36) [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 4 length 6
(36) eap: Continuing tunnel setup
(36) [eap] = ok
(36) } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(36) authenticate {
(36) eap: Expiring EAP session with state 0x784cb6307a48afdf
(36) eap: Finished EAP session with state 0x784cb6307a48afdf
(36) eap: Previous EAP request found for state 0x784cb6307a48afdf, released from the list
(36) eap: Peer sent packet with method EAP PEAP (25)
(36) eap: Calling submodule eap_peap to process data
(36) eap_peap: Continuing EAP-TLS
(36) eap_peap: Peer ACKed our handshake fragment
(36) eap_peap: [eaptls verify] = request
(36) eap_peap: [eaptls process] = handled
(36) eap: Sending EAP Request (code 1) ID 5 length 1000
(36) eap: EAP session adding &reply:State = 0x784cb6307b49afdf
(36) [eap] = handled
(36) } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) Post-Auth-Type sub-section not found. Ignoring.
(36) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(36) Sent Access-Challenge Id 20 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(36) EAP-Message = 0x010503e81940e767d3d95ba791c609604734de65f20761255945382f6caeddf488a7b22286ea65feb00b15e7f9a2e4d0247e1e6f0b6cbf3f240f9a08b4ec3119d5ad6dfce704325c36c113bbd63616056fb615fc26a7f0abd2a9ee58dea9e13bc001f156be9694fb518a
(36) Message-Authenticator = 0x00000000000000000000000000000000
(36) State = 0x784cb6307b49afdfedbea19fe2f5fda7
(36) Finished request
Waking up in 1.5 seconds.
(37) Received Access-Request Id 21 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(37) User-Name = "Robby"
(37) Framed-MTU = 1400
(37) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(37) Calling-Station-Id = "c8f7.334c.b878"
(37) Cisco-AVPair = "ssid=BigBang_2"
(37) Service-Type = Login-User
(37) Cisco-AVPair = "service-type=Login"
(37) Message-Authenticator = 0xd17e183e5ee089259c9ed6d22caec660
(37) EAP-Message = 0x020500061900
(37) NAS-Port-Type = Wireless-802.11
(37) NAS-Port = 673
(37) NAS-Port-Id = "673"
(37) State = 0x784cb6307b49afdfedbea19fe2f5fda7
(37) NAS-IP-Address = 10.160.134.40
(37) NAS-Identifier = "txweahomxp-ap1142001"
(37) session-state: No cached attributes
(37) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(37) authorize {
(37) policy filter_username {
(37) if (&User-Name) {
(37) if (&User-Name) -> TRUE
(37) if (&User-Name) {
(37) if (&User-Name =~ / /) {
(37) if (&User-Name =~ / /) -> FALSE
(37) if (&User-Name =~ /@[^@]*@/ ) {
(37) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(37) if (&User-Name =~ /\.\./ ) {
(37) if (&User-Name =~ /\.\./ ) -> FALSE
(37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(37) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(37) if (&User-Name =~ /\.$/) {
(37) if (&User-Name =~ /\.$/) -> FALSE
(37) if (&User-Name =~ /@\./) {
(37) if (&User-Name =~ /@\./) -> FALSE
(37) } # if (&User-Name) = notfound
(37) } # policy filter_username = notfound
(37) [preprocess] = ok
(37) [chap] = noop
(37) [mschap] = noop
(37) [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(37) suffix: No such realm "NULL"
(37) [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 5 length 6
(37) eap: Continuing tunnel setup
(37) [eap] = ok
(37) } # authorize = ok
(37) Found Auth-Type = eap
(37) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(37) authenticate {
(37) eap: Expiring EAP session with state 0x784cb6307b49afdf
(37) eap: Finished EAP session with state 0x784cb6307b49afdf
(37) eap: Previous EAP request found for state 0x784cb6307b49afdf, released from the list
(37) eap: Peer sent packet with method EAP PEAP (25)
(37) eap: Calling submodule eap_peap to process data
(37) eap_peap: Continuing EAP-TLS
(37) eap_peap: Peer ACKed our handshake fragment
(37) eap_peap: [eaptls verify] = request
(37) eap_peap: [eaptls process] = handled
(37) eap: Sending EAP Request (code 1) ID 6 length 847
(37) eap: EAP session adding &reply:State = 0x784cb6307c4aafdf
(37) [eap] = handled
(37) } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) Post-Auth-Type sub-section not found. Ignoring.
(37) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(37) Sent Access-Challenge Id 21 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(37) EAP-Message = 0x0106034f19000c0b57656174686572666f726431183016060355040a0c0f6d617273696e6e6f3312d302b06092a864886f70d010901161e726f626572747275746c656467653230303540636861727465722e6e6574312e30c256d617273696e6e6f766174696f6e7320
(37) Message-Authenticator = 0x00000000000000000000000000000000
(37) State = 0x784cb6307c4aafdfedbea19fe2f5fda7
(37) Finished request
Waking up in 1.5 seconds.
(38) Received Access-Request Id 22 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(38) User-Name = "Robby"
(38) Framed-MTU = 1400
(38) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(38) Calling-Station-Id = "c8f7.334c.b878"
(38) Cisco-AVPair = "ssid=BigBang_2"
(38) Service-Type = Login-User
(38) Cisco-AVPair = "service-type=Login"
(38) Message-Authenticator = 0x3d8630fe56d0f8b042a276b8f70d054e
(38) EAP-Message = 0x0206008819800000007e1603030046100000424104935d3fb902fc8c140d066ac2d8b04ab3c9363938483b8ccdc472e51344bdc050aa91901493b1d2806958649d056e9ccae381088c050a83be4fe1403030001011603030000000e6e9cfde9790d6676c342eb69ca22a
(38) NAS-Port-Type = Wireless-802.11
(38) NAS-Port = 673
(38) NAS-Port-Id = "673"
(38) State = 0x784cb6307c4aafdfedbea19fe2f5fda7
(38) NAS-IP-Address = 10.160.134.40
(38) NAS-Identifier = "txweahomxp-ap1142001"
(38) session-state: No cached attributes
(38) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(38) authorize {
(38) policy filter_username {
(38) if (&User-Name) {
(38) if (&User-Name) -> TRUE
(38) if (&User-Name) {
(38) if (&User-Name =~ / /) {
(38) if (&User-Name =~ / /) -> FALSE
(38) if (&User-Name =~ /@[^@]*@/ ) {
(38) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(38) if (&User-Name =~ /\.\./ ) {
(38) if (&User-Name =~ /\.\./ ) -> FALSE
(38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(38) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(38) if (&User-Name =~ /\.$/) {
(38) if (&User-Name =~ /\.$/) -> FALSE
(38) if (&User-Name =~ /@\./) {
(38) if (&User-Name =~ /@\./) -> FALSE
(38) } # if (&User-Name) = notfound
(38) } # policy filter_username = notfound
(38) [preprocess] = ok
(38) [chap] = noop
(38) [mschap] = noop
(38) [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(38) suffix: No such realm "NULL"
(38) [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 6 length 136
(38) eap: Continuing tunnel setup
(38) [eap] = ok
(38) } # authorize = ok
(38) Found Auth-Type = eap
(38) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(38) authenticate {
(38) eap: Expiring EAP session with state 0x784cb6307c4aafdf
(38) eap: Finished EAP session with state 0x784cb6307c4aafdf
(38) eap: Previous EAP request found for state 0x784cb6307c4aafdf, released from the list
(38) eap: Peer sent packet with method EAP PEAP (25)
(38) eap: Calling submodule eap_peap to process data
(38) eap_peap: Continuing EAP-TLS
(38) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(38) eap_peap: Got complete TLS record (126 bytes)
(38) eap_peap: [eaptls verify] = length included
(38) eap_peap: <<< recv TLS 1.2 [length 0046]
(38) eap_peap: TLS_accept: SSLv3 read client key exchange A
(38) eap_peap: TLS_accept: SSLv3 read certificate verify A
(38) eap_peap: <<< recv TLS 1.2 [length 0001]
(38) eap_peap: <<< recv TLS 1.2 [length 0010]
(38) eap_peap: TLS_accept: SSLv3 read finished A
(38) eap_peap: >>> send TLS 1.2 [length 0001]
(38) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(38) eap_peap: >>> send TLS 1.2 [length 0010]
(38) eap_peap: TLS_accept: SSLv3 write finished A
(38) eap_peap: TLS_accept: SSLv3 flush data
(38) eap_peap: (other): SSL negotiation finished successfully
(38) eap_peap: SSL Connection Established
(38) eap_peap: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 7 length 57
(38) eap: EAP session adding &reply:State = 0x784cb6307d4bafdf
(38) [eap] = handled
(38) } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) Post-Auth-Type sub-section not found. Ignoring.
(38) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(38) Sent Access-Challenge Id 22 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(38) EAP-Message = 0x0107003919001403030001011603030028772914d3821ee35a65cc0cc9ebcbba8ca16d7fa790b3d6fb310d51b9df6818d4e79
(38) Message-Authenticator = 0x00000000000000000000000000000000
(38) State = 0x784cb6307d4bafdfedbea19fe2f5fda7
(38) Finished request
Waking up in 1.5 seconds.
(39) Received Access-Request Id 23 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(39) User-Name = "Robby"
(39) Framed-MTU = 1400
(39) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(39) Calling-Station-Id = "c8f7.334c.b878"
(39) Cisco-AVPair = "ssid=BigBang_2"
(39) Service-Type = Login-User
(39) Cisco-AVPair = "service-type=Login"
(39) Message-Authenticator = 0xda75f6ed61871149da3f03d00d9d3b35
(39) EAP-Message = 0x020700061900
(39) NAS-Port-Type = Wireless-802.11
(39) NAS-Port = 673
(39) NAS-Port-Id = "673"
(39) State = 0x784cb6307d4bafdfedbea19fe2f5fda7
(39) NAS-IP-Address = 10.160.134.40
(39) NAS-Identifier = "txweahomxp-ap1142001"
(39) session-state: No cached attributes
(39) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(39) authorize {
(39) policy filter_username {
(39) if (&User-Name) {
(39) if (&User-Name) -> TRUE
(39) if (&User-Name) {
(39) if (&User-Name =~ / /) {
(39) if (&User-Name =~ / /) -> FALSE
(39) if (&User-Name =~ /@[^@]*@/ ) {
(39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(39) if (&User-Name =~ /\.\./ ) {
(39) if (&User-Name =~ /\.\./ ) -> FALSE
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(39) if (&User-Name =~ /\.$/) {
(39) if (&User-Name =~ /\.$/) -> FALSE
(39) if (&User-Name =~ /@\./) {
(39) if (&User-Name =~ /@\./) -> FALSE
(39) } # if (&User-Name) = notfound
(39) } # policy filter_username = notfound
(39) [preprocess] = ok
(39) [chap] = noop
(39) [mschap] = noop
(39) [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(39) suffix: No such realm "NULL"
(39) [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 7 length 6
(39) eap: Continuing tunnel setup
(39) [eap] = ok
(39) } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(39) authenticate {
(39) eap: Expiring EAP session with state 0x784cb6307d4bafdf
(39) eap: Finished EAP session with state 0x784cb6307d4bafdf
(39) eap: Previous EAP request found for state 0x784cb6307d4bafdf, released from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(39) eap_peap: [eaptls verify] = success
(39) eap_peap: [eaptls process] = success
(39) eap_peap: Session established. Decoding tunneled attributes
(39) eap_peap: PEAP state TUNNEL ESTABLISHED
(39) eap: Sending EAP Request (code 1) ID 8 length 40
(39) eap: EAP session adding &reply:State = 0x784cb6307e44afdf
(39) [eap] = handled
(39) } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) Post-Auth-Type sub-section not found. Ignoring.
(39) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(39) Sent Access-Challenge Id 23 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(39) EAP-Message = 0x010800281900170303001d772914d3821ee35ba7e2a451106a8df72aef8a19e99fe8dcde4a0d
(39) Message-Authenticator = 0x00000000000000000000000000000000
(39) State = 0x784cb6307e44afdfedbea19fe2f5fda7
(39) Finished request
Waking up in 1.5 seconds.
(40) Received Access-Request Id 24 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(40) User-Name = "Robby"
(40) Framed-MTU = 1400
(40) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(40) Calling-Station-Id = "c8f7.334c.b878"
(40) Cisco-AVPair = "ssid=BigBang_2"
(40) Service-Type = Login-User
(40) Cisco-AVPair = "service-type=Login"
(40) Message-Authenticator = 0xc555fd8f3f35b07671f068ea9325087f
(40) EAP-Message = 0x020800291900170303001e0000000000000001081bcfb053e97eb79c7166caa58c7e78002d72
(40) NAS-Port-Type = Wireless-802.11
(40) NAS-Port = 673
(40) NAS-Port-Id = "673"
(40) State = 0x784cb6307e44afdfedbea19fe2f5fda7
(40) NAS-IP-Address = 10.160.134.40
(40) NAS-Identifier = "txweahomxp-ap1142001"
(40) session-state: No cached attributes
(40) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /@\./) {
(40) if (&User-Name =~ /@\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [preprocess] = ok
(40) [chap] = noop
(40) [mschap] = noop
(40) [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 41
(40) eap: Continuing tunnel setup
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(40) authenticate {
(40) eap: Expiring EAP session with state 0x784cb6307e44afdf
(40) eap: Finished EAP session with state 0x784cb6307e44afdf
(40) eap: Previous EAP request found for state 0x784cb6307e44afdf, released from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: [eaptls verify] = ok
(40) eap_peap: Done initial handshake
(40) eap_peap: [eaptls process] = ok
(40) eap_peap: Session established. Decoding tunneled attributes
(40) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(40) eap_peap: Identity - Robby
(40) eap_peap: Got inner identity 'Robby'
(40) eap_peap: Setting default EAP type for tunneled EAP session
(40) eap_peap: Got tunneled request
(40) eap_peap: EAP-Message = 0x0208000a01526f626279
(40) eap_peap: Setting User-Name to Robby
(40) eap_peap: Sending tunneled request to inner-tunnel
(40) eap_peap: EAP-Message = 0x0208000a01526f626279
(40) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(40) eap_peap: User-Name = "Robby"
(40) Virtual server inner-tunnel received request
(40) EAP-Message = 0x0208000a01526f626279
(40) FreeRADIUS-Proxied-To = 127.0.0.1
(40) User-Name = "Robby"
(40) WARNING: Outer and inner identities are the same. User privacy is compromised.
(40) server inner-tunnel {
(40) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(40) authorize {
(40) policy filter_username {
(40) if (&User-Name) {
(40) if (&User-Name) -> TRUE
(40) if (&User-Name) {
(40) if (&User-Name =~ / /) {
(40) if (&User-Name =~ / /) -> FALSE
(40) if (&User-Name =~ /@[^@]*@/ ) {
(40) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(40) if (&User-Name =~ /\.\./ ) {
(40) if (&User-Name =~ /\.\./ ) -> FALSE
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(40) if (&User-Name =~ /\.$/) {
(40) if (&User-Name =~ /\.$/) -> FALSE
(40) if (&User-Name =~ /@\./) {
(40) if (&User-Name =~ /@\./) -> FALSE
(40) } # if (&User-Name) = notfound
(40) } # policy filter_username = notfound
(40) [chap] = noop
(40) [mschap] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(40) suffix: No such realm "NULL"
(40) [suffix] = noop
(40) update control {
(40) &Proxy-To-Realm := LOCAL
(40) } # update control = noop
(40) eap: Peer sent EAP Response (code 2) ID 8 length 10
(40) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(40) [eap] = ok
(40) } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(40) authenticate {
(40) eap: Peer sent packet with method EAP Identity (1)
(40) eap: Calling submodule eap_mschapv2 to process data
(40) eap_mschapv2: Issuing Challenge
(40) eap: Sending EAP Request (code 1) ID 9 length 43
(40) eap: EAP session adding &reply:State = 0xa834e518a83dffc2
(40) [eap] = handled
(40) } # authenticate = handled
(40) } # server inner-tunnel
(40) Virtual server sending reply
(40) EAP-Message = 0x0109002b1a01090026107b5e0474adebbf86aa440889695825bb667265657261646975732d33
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0xa834e518a83dffc2687a39598b9e7510
(40) eap_peap: Got tunneled reply code 11
(40) eap_peap: EAP-Message = 0x0109002b1a01090026107b5e0474adebbf86aa440889695825bb6672656572616402e3132
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: State = 0xa834e518a83dffc2687a39598b9e7510
(40) eap_peap: Got tunneled reply RADIUS code 11
(40) eap_peap: EAP-Message = 0x0109002b1a01090026107b5e0474adebbf86aa440889695825bb6672656572616402e3132
(40) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(40) eap_peap: State = 0xa834e518a83dffc2687a39598b9e7510
(40) eap_peap: Got tunneled Access-Challenge
(40) eap: Sending EAP Request (code 1) ID 9 length 74
(40) eap: EAP session adding &reply:State = 0x784cb6307f45afdf
(40) [eap] = handled
(40) } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) Post-Auth-Type sub-section not found. Ignoring.
(40) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(40) Sent Access-Challenge Id 24 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(40) EAP-Message = 0x0109004a1900170303003f772914d3821ee35cd03a1c1a517b58fcdf7fd37961fdc6215c4e71d898d99b6889c259eb0eca183b78e48fbabf468929c33bb5d64bfeb71c3
(40) Message-Authenticator = 0x00000000000000000000000000000000
(40) State = 0x784cb6307f45afdfedbea19fe2f5fda7
(40) Finished request
Waking up in 1.5 seconds.
(41) Received Access-Request Id 25 from 10.160.134.40:1645 to 10.160.134.60:1812 length 307
(41) User-Name = "Robby"
(41) Framed-MTU = 1400
(41) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(41) Calling-Station-Id = "c8f7.334c.b878"
(41) Cisco-AVPair = "ssid=BigBang_2"
(41) Service-Type = Login-User
(41) Cisco-AVPair = "service-type=Login"
(41) Message-Authenticator = 0x68b274d42f39ed9fe9f2f25824c8a94d
(41) EAP-Message = 0x0209005f19001703030054000000000000000210b39292554b52daf15fbda9a92afeb9fbdb484e17f7756b60d35958bfaccc5aea964c7c2991c0af215883142982297ad264a458a04c5ef4eacfba51dcb23cc883dd6722a
(41) NAS-Port-Type = Wireless-802.11
(41) NAS-Port = 673
(41) NAS-Port-Id = "673"
(41) State = 0x784cb6307f45afdfedbea19fe2f5fda7
(41) NAS-IP-Address = 10.160.134.40
(41) NAS-Identifier = "txweahomxp-ap1142001"
(41) session-state: No cached attributes
(41) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /@\./) {
(41) if (&User-Name =~ /@\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [preprocess] = ok
(41) [chap] = noop
(41) [mschap] = noop
(41) [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 9 length 95
(41) eap: Continuing tunnel setup
(41) [eap] = ok
(41) } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(41) authenticate {
(41) eap: Expiring EAP session with state 0xa834e518a83dffc2
(41) eap: Finished EAP session with state 0x784cb6307f45afdf
(41) eap: Previous EAP request found for state 0x784cb6307f45afdf, released from the list
(41) eap: Peer sent packet with method EAP PEAP (25)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Continuing EAP-TLS
(41) eap_peap: [eaptls verify] = ok
(41) eap_peap: Done initial handshake
(41) eap_peap: [eaptls process] = ok
(41) eap_peap: Session established. Decoding tunneled attributes
(41) eap_peap: PEAP state phase2
(41) eap_peap: EAP method MSCHAPv2 (26)
(41) eap_peap: Got tunneled request
(41) eap_peap: EAP-Message = 0x020900401a0209003b3131c230004845bdd4d08318ad06b43e0f00000000000000492eb02848eb25a4f9f92c1d5ffbd7574ea5700526f626279
(41) eap_peap: Setting User-Name to Robby
(41) eap_peap: Sending tunneled request to inner-tunnel
(41) eap_peap: EAP-Message = 0x020900401a0209003b3131c230004845bdd4d08318ad06b43e0f00000000000000492eb02848eb25a4f9f92c1d5ffbd7574ea5700526f626279
(41) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(41) eap_peap: User-Name = "Robby"
(41) eap_peap: State = 0xa834e518a83dffc2687a39598b9e7510
(41) Virtual server inner-tunnel received request
(41) EAP-Message = 0x020900401a0209003b3131c230004845bdd4d08318ad06b43e0f0000000000000000edb9e99deb25a4f9f92c1d5ffbd7574ea5700526f626279
(41) FreeRADIUS-Proxied-To = 127.0.0.1
(41) User-Name = "Robby"
(41) State = 0xa834e518a83dffc2687a39598b9e7510
(41) WARNING: Outer and inner identities are the same. User privacy is compromised.
(41) server inner-tunnel {
(41) session-state: No cached attributes
(41) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(41) authorize {
(41) policy filter_username {
(41) if (&User-Name) {
(41) if (&User-Name) -> TRUE
(41) if (&User-Name) {
(41) if (&User-Name =~ / /) {
(41) if (&User-Name =~ / /) -> FALSE
(41) if (&User-Name =~ /@[^@]*@/ ) {
(41) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(41) if (&User-Name =~ /\.\./ ) {
(41) if (&User-Name =~ /\.\./ ) -> FALSE
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(41) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(41) if (&User-Name =~ /\.$/) {
(41) if (&User-Name =~ /\.$/) -> FALSE
(41) if (&User-Name =~ /@\./) {
(41) if (&User-Name =~ /@\./) -> FALSE
(41) } # if (&User-Name) = notfound
(41) } # policy filter_username = notfound
(41) [chap] = noop
(41) [mschap] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(41) suffix: No such realm "NULL"
(41) [suffix] = noop
(41) update control {
(41) &Proxy-To-Realm := LOCAL
(41) } # update control = noop
(41) eap: Peer sent EAP Response (code 2) ID 9 length 64
(41) eap: No EAP Start, assuming it's an on-going EAP conversation
(41) [eap] = updated
(41) files: users: Matched entry Robby at line 26
(41) [files] = ok
(41) [expiration] = noop
(41) [logintime] = noop
(41) pap: WARNING: Auth-Type already set. Not setting to PAP
(41) [pap] = noop
(41) } # authorize = updated
(41) Found Auth-Type = eap
(41) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(41) authenticate {
(41) eap: Expiring EAP session with state 0xa834e518a83dffc2
(41) eap: Finished EAP session with state 0xa834e518a83dffc2
(41) eap: Previous EAP request found for state 0xa834e518a83dffc2, released from the list
(41) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(41) eap: Calling submodule eap_mschapv2 to process data
(41) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(41) eap_mschapv2: authenticate {
(41) mschap: Found Cleartext-Password, hashing to create NT-Password
(41) mschap: Found Cleartext-Password, hashing to create LM-Password
(41) mschap: Creating challenge hash with username: Robby
(41) mschap: Client is using MS-CHAPv2
(41) mschap: Adding MS-CHAPv2 MPPE keys
(41) [mschap] = ok
(41) } # authenticate = ok
(41) MSCHAP Success
(41) eap: Sending EAP Request (code 1) ID 10 length 51
(41) eap: EAP session adding &reply:State = 0xa834e518a93effc2
(41) [eap] = handled
(41) } # authenticate = handled
(41) } # server inner-tunnel
(41) Virtual server sending reply
(41) EAP-Message = 0x010a00331a0309002e533d3633453042434644443243364234424335454632343044393530342453343394638
(41) Message-Authenticator = 0x00000000000000000000000000000000
(41) State = 0xa834e518a93effc2687a39598b9e7510
(41) eap_peap: Got tunneled reply code 11
(41) eap_peap: EAP-Message = 0x010a00331a0309002e533d3633453042434644443243364234424335454632343053132383042453343394638
(41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap: State = 0xa834e518a93effc2687a39598b9e7510
(41) eap_peap: Got tunneled reply RADIUS code 11
(41) eap_peap: EAP-Message = 0x010a00331a0309002e533d3633453042434644443243364234424335454632343053132383042453343394638
(41) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(41) eap_peap: State = 0xa834e518a93effc2687a39598b9e7510
(41) eap_peap: Got tunneled Access-Challenge
(41) eap: Sending EAP Request (code 1) ID 10 length 82
(41) eap: EAP session adding &reply:State = 0x784cb6307046afdf
(41) [eap] = handled
(41) } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) Post-Auth-Type sub-section not found. Ignoring.
(41) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(41) Sent Access-Challenge Id 25 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(41) EAP-Message = 0x010a005219001703030047772914d3821ee35d7079e0d338fc2479da14989d82f45d01bc6a269c5bda9c8e10f8f68d7a7ea9998f34c06acf7f93d738b9f6605fd21dce5d5a858d7e031df6f
(41) Message-Authenticator = 0x00000000000000000000000000000000
(41) State = 0x784cb6307046afdfedbea19fe2f5fda7
(41) Finished request
Waking up in 1.5 seconds.
(42) Received Access-Request Id 26 from 10.160.134.40:1645 to 10.160.134.60:1812 length 249
(42) User-Name = "Robby"
(42) Framed-MTU = 1400
(42) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(42) Calling-Station-Id = "c8f7.334c.b878"
(42) Cisco-AVPair = "ssid=BigBang_2"
(42) Service-Type = Login-User
(42) Cisco-AVPair = "service-type=Login"
(42) Message-Authenticator = 0x3d5c5262acc0230426b07e0200114d2c
(42) EAP-Message = 0x020a00251900170303001a00000000000000032f17478eed41f6eee41097e5d552a88bbeae
(42) NAS-Port-Type = Wireless-802.11
(42) NAS-Port = 673
(42) NAS-Port-Id = "673"
(42) State = 0x784cb6307046afdfedbea19fe2f5fda7
(42) NAS-IP-Address = 10.160.134.40
(42) NAS-Identifier = "txweahomxp-ap1142001"
(42) session-state: No cached attributes
(42) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(42) authorize {
(42) policy filter_username {
(42) if (&User-Name) {
(42) if (&User-Name) -> TRUE
(42) if (&User-Name) {
(42) if (&User-Name =~ / /) {
(42) if (&User-Name =~ / /) -> FALSE
(42) if (&User-Name =~ /@[^@]*@/ ) {
(42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(42) if (&User-Name =~ /\.\./ ) {
(42) if (&User-Name =~ /\.\./ ) -> FALSE
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(42) if (&User-Name =~ /\.$/) {
(42) if (&User-Name =~ /\.$/) -> FALSE
(42) if (&User-Name =~ /@\./) {
(42) if (&User-Name =~ /@\./) -> FALSE
(42) } # if (&User-Name) = notfound
(42) } # policy filter_username = notfound
(42) [preprocess] = ok
(42) [chap] = noop
(42) [mschap] = noop
(42) [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(42) suffix: No such realm "NULL"
(42) [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 10 length 37
(42) eap: Continuing tunnel setup
(42) [eap] = ok
(42) } # authorize = ok
(42) Found Auth-Type = eap
(42) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(42) authenticate {
(42) eap: Expiring EAP session with state 0xa834e518a93effc2
(42) eap: Finished EAP session with state 0x784cb6307046afdf
(42) eap: Previous EAP request found for state 0x784cb6307046afdf, released from the list
(42) eap: Peer sent packet with method EAP PEAP (25)
(42) eap: Calling submodule eap_peap to process data
(42) eap_peap: Continuing EAP-TLS
(42) eap_peap: [eaptls verify] = ok
(42) eap_peap: Done initial handshake
(42) eap_peap: [eaptls process] = ok
(42) eap_peap: Session established. Decoding tunneled attributes
(42) eap_peap: PEAP state phase2
(42) eap_peap: EAP method MSCHAPv2 (26)
(42) eap_peap: Got tunneled request
(42) eap_peap: EAP-Message = 0x020a00061a03
(42) eap_peap: Setting User-Name to Robby
(42) eap_peap: Sending tunneled request to inner-tunnel
(42) eap_peap: EAP-Message = 0x020a00061a03
(42) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(42) eap_peap: User-Name = "Robby"
(42) eap_peap: State = 0xa834e518a93effc2687a39598b9e7510
(42) Virtual server inner-tunnel received request
(42) EAP-Message = 0x020a00061a03
(42) FreeRADIUS-Proxied-To = 127.0.0.1
(42) User-Name = "Robby"
(42) State = 0xa834e518a93effc2687a39598b9e7510
(42) WARNING: Outer and inner identities are the same. User privacy is compromised.
(42) server inner-tunnel {
(42) session-state: No cached attributes
(42) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(42) authorize {
(42) policy filter_username {
(42) if (&User-Name) {
(42) if (&User-Name) -> TRUE
(42) if (&User-Name) {
(42) if (&User-Name =~ / /) {
(42) if (&User-Name =~ / /) -> FALSE
(42) if (&User-Name =~ /@[^@]*@/ ) {
(42) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(42) if (&User-Name =~ /\.\./ ) {
(42) if (&User-Name =~ /\.\./ ) -> FALSE
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(42) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(42) if (&User-Name =~ /\.$/) {
(42) if (&User-Name =~ /\.$/) -> FALSE
(42) if (&User-Name =~ /@\./) {
(42) if (&User-Name =~ /@\./) -> FALSE
(42) } # if (&User-Name) = notfound
(42) } # policy filter_username = notfound
(42) [chap] = noop
(42) [mschap] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(42) suffix: No such realm "NULL"
(42) [suffix] = noop
(42) update control {
(42) &Proxy-To-Realm := LOCAL
(42) } # update control = noop
(42) eap: Peer sent EAP Response (code 2) ID 10 length 6
(42) eap: No EAP Start, assuming it's an on-going EAP conversation
(42) [eap] = updated
(42) files: users: Matched entry Robby at line 26
(42) [files] = ok
(42) [expiration] = noop
(42) [logintime] = noop
(42) pap: WARNING: Auth-Type already set. Not setting to PAP
(42) [pap] = noop
(42) } # authorize = updated
(42) Found Auth-Type = eap
(42) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(42) authenticate {
(42) eap: Expiring EAP session with state 0xa834e518a93effc2
(42) eap: Finished EAP session with state 0xa834e518a93effc2
(42) eap: Previous EAP request found for state 0xa834e518a93effc2, released from the list
(42) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(42) eap: Calling submodule eap_mschapv2 to process data
(42) eap: Sending EAP Success (code 3) ID 10 length 4
(42) eap: Freeing handler
(42) [eap] = ok
(42) } # authenticate = ok
(42) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(42) post-auth { ... } # empty sub-section is ignored
(42) } # server inner-tunnel
(42) Virtual server sending reply
(42) MS-MPPE-Encryption-Policy = Encryption-Allowed
(42) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(42) MS-MPPE-Send-Key = 0x8280d01c37a3da30ff7cd3ef48269c00
(42) MS-MPPE-Recv-Key = 0x355f9b8b6ccbad970120ee352d27eeac
(42) EAP-Message = 0x030a0004
(42) Message-Authenticator = 0x00000000000000000000000000000000
(42) User-Name = "Robby"
(42) eap_peap: Got tunneled reply code 2
(42) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(42) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(42) eap_peap: MS-MPPE-Send-Key = 0x8280d01c37a3da30ff7cd3ef48269c00
(42) eap_peap: MS-MPPE-Recv-Key = 0x355f9b8b6ccbad970120ee352d27eeac
(42) eap_peap: EAP-Message = 0x030a0004
(42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap: User-Name = "Robby"
(42) eap_peap: Got tunneled reply RADIUS code 2
(42) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(42) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(42) eap_peap: MS-MPPE-Send-Key = 0x8280d01c37a3da30ff7cd3ef48269c00
(42) eap_peap: MS-MPPE-Recv-Key = 0x355f9b8b6ccbad970120ee352d27eeac
(42) eap_peap: EAP-Message = 0x030a0004
(42) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(42) eap_peap: User-Name = "Robby"
(42) eap_peap: Tunneled authentication was successful
(42) eap_peap: SUCCESS
(42) eap: Sending EAP Request (code 1) ID 11 length 46
(42) eap: EAP session adding &reply:State = 0x784cb6307147afdf
(42) [eap] = handled
(42) } # authenticate = handled
(42) Using Post-Auth-Type Challenge
(42) Post-Auth-Type sub-section not found. Ignoring.
(42) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(42) Sent Access-Challenge Id 26 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(42) EAP-Message = 0x010b002e19001703030023772914d3821ee35e47449c5618df2ceedf275040d5209509c9967b34f
(42) Message-Authenticator = 0x00000000000000000000000000000000
(42) State = 0x784cb6307147afdfedbea19fe2f5fda7
(42) Finished request
Waking up in 1.5 seconds.
(43) Received Access-Request Id 27 from 10.160.134.40:1645 to 10.160.134.60:1812 length 258
(43) User-Name = "Robby"
(43) Framed-MTU = 1400
(43) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(43) Calling-Station-Id = "c8f7.334c.b878"
(43) Cisco-AVPair = "ssid=BigBang_2"
(43) Service-Type = Login-User
(43) Cisco-AVPair = "service-type=Login"
(43) Message-Authenticator = 0x8482615dcad5283661e1b61a261fb7b3
(43) EAP-Message = 0x020b002e1900170303002300000000000000043374b73be95c63c5253d67962ca3822cbf1a4ac8a
(43) NAS-Port-Type = Wireless-802.11
(43) NAS-Port = 673
(43) NAS-Port-Id = "673"
(43) State = 0x784cb6307147afdfedbea19fe2f5fda7
(43) NAS-IP-Address = 10.160.134.40
(43) NAS-Identifier = "txweahomxp-ap1142001"
(43) session-state: No cached attributes
(43) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(43) authorize {
(43) policy filter_username {
(43) if (&User-Name) {
(43) if (&User-Name) -> TRUE
(43) if (&User-Name) {
(43) if (&User-Name =~ / /) {
(43) if (&User-Name =~ / /) -> FALSE
(43) if (&User-Name =~ /@[^@]*@/ ) {
(43) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(43) if (&User-Name =~ /\.\./ ) {
(43) if (&User-Name =~ /\.\./ ) -> FALSE
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(43) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(43) if (&User-Name =~ /\.$/) {
(43) if (&User-Name =~ /\.$/) -> FALSE
(43) if (&User-Name =~ /@\./) {
(43) if (&User-Name =~ /@\./) -> FALSE
(43) } # if (&User-Name) = notfound
(43) } # policy filter_username = notfound
(43) [preprocess] = ok
(43) [chap] = noop
(43) [mschap] = noop
(43) [digest] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(43) suffix: No such realm "NULL"
(43) [suffix] = noop
(43) eap: Peer sent EAP Response (code 2) ID 11 length 46
(43) eap: Continuing tunnel setup
(43) [eap] = ok
(43) } # authorize = ok
(43) Found Auth-Type = eap
(43) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(43) authenticate {
(43) eap: Expiring EAP session with state 0x784cb6307147afdf
(43) eap: Finished EAP session with state 0x784cb6307147afdf
(43) eap: Previous EAP request found for state 0x784cb6307147afdf, released from the list
(43) eap: Peer sent packet with method EAP PEAP (25)
(43) eap: Calling submodule eap_peap to process data
(43) eap_peap: Continuing EAP-TLS
(43) eap_peap: [eaptls verify] = ok
(43) eap_peap: Done initial handshake
(43) eap_peap: [eaptls process] = ok
(43) eap_peap: Session established. Decoding tunneled attributes
(43) eap_peap: PEAP state send tlv success
(43) eap_peap: Received EAP-TLV response
(43) eap_peap: Success
(43) eap_peap: No information to cache: session caching will be disabled for session 3737ac8b460bb3f41511d51e43eec57a9cd4c594b7efd7d2477
(43) eap: Sending EAP Success (code 3) ID 11 length 4
(43) eap: Freeing handler
(43) [eap] = ok
(43) } # authenticate = ok
(43) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(43) post-auth {
(43) update {
(43) No attributes updated
(43) } # update = noop
(43) [exec] = noop
(43) policy remove_reply_message_if_eap {
(43) if (&reply:EAP-Message && &reply:Reply-Message) {
(43) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(43) else {
(43) [noop] = noop
(43) } # else = noop
(43) } # policy remove_reply_message_if_eap = noop
(43) } # post-auth = noop
(43) Sent Access-Accept Id 27 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(43) MS-MPPE-Recv-Key = 0x8ba727d4a7d475bd0c535d6a54a2d4d211fbaefcaf8b31d1ada65060aa514f26
(43) MS-MPPE-Send-Key = 0x088808b252a771da3e54a565e99c5009221ca87825fde2fb1fa9a26a40d16e0a
(43) EAP-Message = 0x030b0004
(43) Message-Authenticator = 0x00000000000000000000000000000000
(43) User-Name = "Robby"
(43) Finished request
Waking up in 1.5 seconds.
(22) Cleaning up request packet ID 6 with timestamp +42
(23) Cleaning up request packet ID 7 with timestamp +42
(24) Cleaning up request packet ID 8 with timestamp +42
(25) Cleaning up request packet ID 9 with timestamp +42
(26) Cleaning up request packet ID 10 with timestamp +42
(27) Cleaning up request packet ID 11 with timestamp +42
(28) Cleaning up request packet ID 12 with timestamp +42
(29) Cleaning up request packet ID 13 with timestamp +42
(30) Cleaning up request packet ID 14 with timestamp +42
(31) Cleaning up request packet ID 15 with timestamp +42
(32) Cleaning up request packet ID 16 with timestamp +42
Waking up in 3.3 seconds.
(44) Received Access-Request Id 28 from 10.160.134.40:1645 to 10.160.134.60:1812 length 204
(44) User-Name = "Robby"
(44) Framed-MTU = 1400
(44) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(44) Calling-Station-Id = "c8f7.334c.b878"
(44) Cisco-AVPair = "ssid=BigBang_2"
(44) Service-Type = Login-User
(44) Cisco-AVPair = "service-type=Login"
(44) Message-Authenticator = 0x223e72cb51053b753e8cc8b143bc7b21
(44) EAP-Message = 0x0201000a01526f626279
(44) NAS-Port-Type = Wireless-802.11
(44) NAS-Port = 674
(44) NAS-Port-Id = "674"
(44) NAS-IP-Address = 10.160.134.40
(44) NAS-Identifier = "txweahomxp-ap1142001"
(44) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(44) authorize {
(44) policy filter_username {
(44) if (&User-Name) {
(44) if (&User-Name) -> TRUE
(44) if (&User-Name) {
(44) if (&User-Name =~ / /) {
(44) if (&User-Name =~ / /) -> FALSE
(44) if (&User-Name =~ /@[^@]*@/ ) {
(44) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(44) if (&User-Name =~ /\.\./ ) {
(44) if (&User-Name =~ /\.\./ ) -> FALSE
(44) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(44) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(44) if (&User-Name =~ /\.$/) {
(44) if (&User-Name =~ /\.$/) -> FALSE
(44) if (&User-Name =~ /@\./) {
(44) if (&User-Name =~ /@\./) -> FALSE
(44) } # if (&User-Name) = notfound
(44) } # policy filter_username = notfound
(44) [preprocess] = ok
(44) [chap] = noop
(44) [mschap] = noop
(44) [digest] = noop
(44) suffix: Checking for suffix after "@"
(44) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(44) suffix: No such realm "NULL"
(44) [suffix] = noop
(44) eap: Peer sent EAP Response (code 2) ID 1 length 10
(44) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(44) [eap] = ok
(44) } # authorize = ok
(44) Found Auth-Type = eap
(44) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(44) authenticate {
(44) eap: Peer sent packet with method EAP Identity (1)
(44) eap: Calling submodule eap_md5 to process data
(44) eap_md5: Issuing MD5 Challenge
(44) eap: Sending EAP Request (code 1) ID 2 length 22
(44) eap: EAP session adding &reply:State = 0x8afbe2b38af9e614
(44) [eap] = handled
(44) } # authenticate = handled
(44) Using Post-Auth-Type Challenge
(44) Post-Auth-Type sub-section not found. Ignoring.
(44) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(44) Sent Access-Challenge Id 28 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(44) EAP-Message = 0x01020016041074d607da5998ff18915929630739343d
(44) Message-Authenticator = 0x00000000000000000000000000000000
(44) State = 0x8afbe2b38af9e614782141186e7dc7a4
(44) Finished request
Waking up in 1.5 seconds.
(45) Received Access-Request Id 29 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(45) User-Name = "Robby"
(45) Framed-MTU = 1400
(45) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(45) Calling-Station-Id = "c8f7.334c.b878"
(45) Cisco-AVPair = "ssid=BigBang_2"
(45) Service-Type = Login-User
(45) Cisco-AVPair = "service-type=Login"
(45) Message-Authenticator = 0xc17f3ee502a2d413111ca559f5ad6a3d
(45) EAP-Message = 0x020200060319
(45) NAS-Port-Type = Wireless-802.11
(45) NAS-Port = 674
(45) NAS-Port-Id = "674"
(45) State = 0x8afbe2b38af9e614782141186e7dc7a4
(45) NAS-IP-Address = 10.160.134.40
(45) NAS-Identifier = "txweahomxp-ap1142001"
(45) session-state: No cached attributes
(45) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(45) authorize {
(45) policy filter_username {
(45) if (&User-Name) {
(45) if (&User-Name) -> TRUE
(45) if (&User-Name) {
(45) if (&User-Name =~ / /) {
(45) if (&User-Name =~ / /) -> FALSE
(45) if (&User-Name =~ /@[^@]*@/ ) {
(45) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(45) if (&User-Name =~ /\.\./ ) {
(45) if (&User-Name =~ /\.\./ ) -> FALSE
(45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(45) if (&User-Name =~ /\.$/) {
(45) if (&User-Name =~ /\.$/) -> FALSE
(45) if (&User-Name =~ /@\./) {
(45) if (&User-Name =~ /@\./) -> FALSE
(45) } # if (&User-Name) = notfound
(45) } # policy filter_username = notfound
(45) [preprocess] = ok
(45) [chap] = noop
(45) [mschap] = noop
(45) [digest] = noop
(45) suffix: Checking for suffix after "@"
(45) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(45) suffix: No such realm "NULL"
(45) [suffix] = noop
(45) eap: Peer sent EAP Response (code 2) ID 2 length 6
(45) eap: No EAP Start, assuming it's an on-going EAP conversation
(45) [eap] = updated
(45) files: users: Matched entry Robby at line 26
(45) [files] = ok
(45) [expiration] = noop
(45) [logintime] = noop
(45) pap: WARNING: Auth-Type already set. Not setting to PAP
(45) [pap] = noop
(45) } # authorize = updated
(45) Found Auth-Type = eap
(45) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(45) authenticate {
(45) eap: Expiring EAP session with state 0x8afbe2b38af9e614
(45) eap: Finished EAP session with state 0x8afbe2b38af9e614
(45) eap: Previous EAP request found for state 0x8afbe2b38af9e614, released from the list
(45) eap: Peer sent packet with method EAP NAK (3)
(45) eap: Found mutually acceptable type PEAP (25)
(45) eap: Calling submodule eap_peap to process data
(45) eap_peap: Initiating new EAP-TLS session
(45) eap_peap: [eaptls start] = request
(45) eap: Sending EAP Request (code 1) ID 3 length 6
(45) eap: EAP session adding &reply:State = 0x8afbe2b38bf8fb14
(45) [eap] = handled
(45) } # authenticate = handled
(45) Using Post-Auth-Type Challenge
(45) Post-Auth-Type sub-section not found. Ignoring.
(45) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(45) Sent Access-Challenge Id 29 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(45) EAP-Message = 0x010300061920
(45) Message-Authenticator = 0x00000000000000000000000000000000
(45) State = 0x8afbe2b38bf8fb14782141186e7dc7a4
(45) Finished request
Waking up in 1.5 seconds.
(46) Received Access-Request Id 30 from 10.160.134.40:1645 to 10.160.134.60:1812 length 422
(46) User-Name = "Robby"
(46) Framed-MTU = 1400
(46) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(46) Calling-Station-Id = "c8f7.334c.b878"
(46) Cisco-AVPair = "ssid=BigBang_2"
(46) Service-Type = Login-User
(46) Cisco-AVPair = "service-type=Login"
(46) Message-Authenticator = 0x310fd123b8cb501541a20bdcae790850
(46) EAP-Message = 0x020300d21980000000c816030300c3010000bf030358fcdb653c4b370b6be6049670ba92034b1db785c8be5df220d203737ac8b460bb3c448e5e060272f41511d51e43eec57a9cd4c594b7efd7d2477003cc02cc02bc030024c023c028c027c00ac009c014c013003900
(46) NAS-Port-Type = Wireless-802.11
(46) NAS-Port = 674
(46) NAS-Port-Id = "674"
(46) State = 0x8afbe2b38bf8fb14782141186e7dc7a4
(46) NAS-IP-Address = 10.160.134.40
(46) NAS-Identifier = "txweahomxp-ap1142001"
(46) session-state: No cached attributes
(46) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(46) authorize {
(46) policy filter_username {
(46) if (&User-Name) {
(46) if (&User-Name) -> TRUE
(46) if (&User-Name) {
(46) if (&User-Name =~ / /) {
(46) if (&User-Name =~ / /) -> FALSE
(46) if (&User-Name =~ /@[^@]*@/ ) {
(46) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(46) if (&User-Name =~ /\.\./ ) {
(46) if (&User-Name =~ /\.\./ ) -> FALSE
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(46) if (&User-Name =~ /\.$/) {
(46) if (&User-Name =~ /\.$/) -> FALSE
(46) if (&User-Name =~ /@\./) {
(46) if (&User-Name =~ /@\./) -> FALSE
(46) } # if (&User-Name) = notfound
(46) } # policy filter_username = notfound
(46) [preprocess] = ok
(46) [chap] = noop
(46) [mschap] = noop
(46) [digest] = noop
(46) suffix: Checking for suffix after "@"
(46) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(46) suffix: No such realm "NULL"
(46) [suffix] = noop
(46) eap: Peer sent EAP Response (code 2) ID 3 length 210
(46) eap: Continuing tunnel setup
(46) [eap] = ok
(46) } # authorize = ok
(46) Found Auth-Type = eap
(46) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(46) authenticate {
(46) eap: Expiring EAP session with state 0x8afbe2b38bf8fb14
(46) eap: Finished EAP session with state 0x8afbe2b38bf8fb14
(46) eap: Previous EAP request found for state 0x8afbe2b38bf8fb14, released from the list
(46) eap: Peer sent packet with method EAP PEAP (25)
(46) eap: Calling submodule eap_peap to process data
(46) eap_peap: Continuing EAP-TLS
(46) eap_peap: Peer indicated complete TLS record size will be 200 bytes
(46) eap_peap: Got complete TLS record (200 bytes)
(46) eap_peap: [eaptls verify] = length included
(46) eap_peap: (other): before/accept initialization
(46) eap_peap: TLS_accept: before/accept initialization
(46) eap_peap: <<< recv TLS 1.2 [length 00c3]
(46) eap_peap: TLS_accept: SSLv3 read client hello A
(46) eap_peap: >>> send TLS 1.2 [length 0059]
(46) eap_peap: TLS_accept: SSLv3 write server hello A
(46) eap_peap: >>> send TLS 1.2 [length 094f]
(46) eap_peap: TLS_accept: SSLv3 write certificate A
(46) eap_peap: >>> send TLS 1.2 [length 014d]
(46) eap_peap: TLS_accept: SSLv3 write key exchange A
(46) eap_peap: >>> send TLS 1.2 [length 0004]
(46) eap_peap: TLS_accept: SSLv3 write server done A
(46) eap_peap: TLS_accept: SSLv3 flush data
(46) eap_peap: TLS_accept: SSLv3 read client certificate A
(46) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(46) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(46) eap_peap: In SSL Handshake Phase
(46) eap_peap: In SSL Accept mode
(46) eap_peap: [eaptls process] = handled
(46) eap: Sending EAP Request (code 1) ID 4 length 1004
(46) eap: EAP session adding &reply:State = 0x8afbe2b388fffb14
(46) [eap] = handled
(46) } # authenticate = handled
(46) Using Post-Auth-Type Challenge
(46) Post-Auth-Type sub-section not found. Ignoring.
(46) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(46) Sent Access-Challenge Id 30 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(46) EAP-Message = 0x010403ec19c000000b0d1603030059020000550303df4a67f67be403b1377b5555ff96335a3868f3d8ed21d67e9b820709ffbc4d92873576b2ca521eb8d1a6444e9ef69420a9ae18f2b0185596be5cec03000000dff01003000102160303094f0b00094b00094800040f
(46) Message-Authenticator = 0x00000000000000000000000000000000
(46) State = 0x8afbe2b388fffb14782141186e7dc7a4
(46) Finished request
Waking up in 1.5 seconds.
(47) Received Access-Request Id 31 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(47) User-Name = "Robby"
(47) Framed-MTU = 1400
(47) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(47) Calling-Station-Id = "c8f7.334c.b878"
(47) Cisco-AVPair = "ssid=BigBang_2"
(47) Service-Type = Login-User
(47) Cisco-AVPair = "service-type=Login"
(47) Message-Authenticator = 0xabd59546e03b9b9505f8b9094585c2cb
(47) EAP-Message = 0x020400061900
(47) NAS-Port-Type = Wireless-802.11
(47) NAS-Port = 674
(47) NAS-Port-Id = "674"
(47) State = 0x8afbe2b388fffb14782141186e7dc7a4
(47) NAS-IP-Address = 10.160.134.40
(47) NAS-Identifier = "txweahomxp-ap1142001"
(47) session-state: No cached attributes
(47) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(47) authorize {
(47) policy filter_username {
(47) if (&User-Name) {
(47) if (&User-Name) -> TRUE
(47) if (&User-Name) {
(47) if (&User-Name =~ / /) {
(47) if (&User-Name =~ / /) -> FALSE
(47) if (&User-Name =~ /@[^@]*@/ ) {
(47) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(47) if (&User-Name =~ /\.\./ ) {
(47) if (&User-Name =~ /\.\./ ) -> FALSE
(47) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(47) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(47) if (&User-Name =~ /\.$/) {
(47) if (&User-Name =~ /\.$/) -> FALSE
(47) if (&User-Name =~ /@\./) {
(47) if (&User-Name =~ /@\./) -> FALSE
(47) } # if (&User-Name) = notfound
(47) } # policy filter_username = notfound
(47) [preprocess] = ok
(47) [chap] = noop
(47) [mschap] = noop
(47) [digest] = noop
(47) suffix: Checking for suffix after "@"
(47) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(47) suffix: No such realm "NULL"
(47) [suffix] = noop
(47) eap: Peer sent EAP Response (code 2) ID 4 length 6
(47) eap: Continuing tunnel setup
(47) [eap] = ok
(47) } # authorize = ok
(47) Found Auth-Type = eap
(47) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(47) authenticate {
(47) eap: Expiring EAP session with state 0x8afbe2b388fffb14
(47) eap: Finished EAP session with state 0x8afbe2b388fffb14
(47) eap: Previous EAP request found for state 0x8afbe2b388fffb14, released from the list
(47) eap: Peer sent packet with method EAP PEAP (25)
(47) eap: Calling submodule eap_peap to process data
(47) eap_peap: Continuing EAP-TLS
(47) eap_peap: Peer ACKed our handshake fragment
(47) eap_peap: [eaptls verify] = request
(47) eap_peap: [eaptls process] = handled
(47) eap: Sending EAP Request (code 1) ID 5 length 1000
(47) eap: EAP session adding &reply:State = 0x8afbe2b389fefb14
(47) [eap] = handled
(47) } # authenticate = handled
(47) Using Post-Auth-Type Challenge
(47) Post-Auth-Type sub-section not found. Ignoring.
(47) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(47) Sent Access-Challenge Id 31 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(47) EAP-Message = 0x010503e81940e767d3d95ba791c609604734de65f20761255945382f6caeddf488a7b22286ea65feb00b15e7f9a2e4d0247e1e6f0b6cbf3f240f9a08b4ec3119d5ad6dfce704325c36c113bbd63616056fb615fc26a7f0abd2a9ee58dea9e13bc001f156be9694fb518a
(47) Message-Authenticator = 0x00000000000000000000000000000000
(47) State = 0x8afbe2b389fefb14782141186e7dc7a4
(47) Finished request
Waking up in 1.5 seconds.
(48) Received Access-Request Id 32 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(48) User-Name = "Robby"
(48) Framed-MTU = 1400
(48) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(48) Calling-Station-Id = "c8f7.334c.b878"
(48) Cisco-AVPair = "ssid=BigBang_2"
(48) Service-Type = Login-User
(48) Cisco-AVPair = "service-type=Login"
(48) Message-Authenticator = 0xf8a820bf79090d919ed479411cfbb6e4
(48) EAP-Message = 0x020500061900
(48) NAS-Port-Type = Wireless-802.11
(48) NAS-Port = 674
(48) NAS-Port-Id = "674"
(48) State = 0x8afbe2b389fefb14782141186e7dc7a4
(48) NAS-IP-Address = 10.160.134.40
(48) NAS-Identifier = "txweahomxp-ap1142001"
(48) session-state: No cached attributes
(48) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(48) authorize {
(48) policy filter_username {
(48) if (&User-Name) {
(48) if (&User-Name) -> TRUE
(48) if (&User-Name) {
(48) if (&User-Name =~ / /) {
(48) if (&User-Name =~ / /) -> FALSE
(48) if (&User-Name =~ /@[^@]*@/ ) {
(48) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(48) if (&User-Name =~ /\.\./ ) {
(48) if (&User-Name =~ /\.\./ ) -> FALSE
(48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(48) if (&User-Name =~ /\.$/) {
(48) if (&User-Name =~ /\.$/) -> FALSE
(48) if (&User-Name =~ /@\./) {
(48) if (&User-Name =~ /@\./) -> FALSE
(48) } # if (&User-Name) = notfound
(48) } # policy filter_username = notfound
(48) [preprocess] = ok
(48) [chap] = noop
(48) [mschap] = noop
(48) [digest] = noop
(48) suffix: Checking for suffix after "@"
(48) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(48) suffix: No such realm "NULL"
(48) [suffix] = noop
(48) eap: Peer sent EAP Response (code 2) ID 5 length 6
(48) eap: Continuing tunnel setup
(48) [eap] = ok
(48) } # authorize = ok
(48) Found Auth-Type = eap
(48) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(48) authenticate {
(48) eap: Expiring EAP session with state 0x8afbe2b389fefb14
(48) eap: Finished EAP session with state 0x8afbe2b389fefb14
(48) eap: Previous EAP request found for state 0x8afbe2b389fefb14, released from the list
(48) eap: Peer sent packet with method EAP PEAP (25)
(48) eap: Calling submodule eap_peap to process data
(48) eap_peap: Continuing EAP-TLS
(48) eap_peap: Peer ACKed our handshake fragment
(48) eap_peap: [eaptls verify] = request
(48) eap_peap: [eaptls process] = handled
(48) eap: Sending EAP Request (code 1) ID 6 length 847
(48) eap: EAP session adding &reply:State = 0x8afbe2b38efdfb14
(48) [eap] = handled
(48) } # authenticate = handled
(48) Using Post-Auth-Type Challenge
(48) Post-Auth-Type sub-section not found. Ignoring.
(48) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(48) Sent Access-Challenge Id 32 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(48) EAP-Message = 0x0106034f19000c0b57656174686572666f726431183016060355040a0c0f6d617273696e6e6f3312d302b06092a864886f70d010901161e726f626572747275746c656467653230303540636861727465722e6e6574312e30c256d617273696e6e6f766174696f6e7320
(48) Message-Authenticator = 0x00000000000000000000000000000000
(48) State = 0x8afbe2b38efdfb14782141186e7dc7a4
(48) Finished request
Waking up in 1.5 seconds.
(49) Received Access-Request Id 33 from 10.160.134.40:1645 to 10.160.134.60:1812 length 348
(49) User-Name = "Robby"
(49) Framed-MTU = 1400
(49) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(49) Calling-Station-Id = "c8f7.334c.b878"
(49) Cisco-AVPair = "ssid=BigBang_2"
(49) Service-Type = Login-User
(49) Cisco-AVPair = "service-type=Login"
(49) Message-Authenticator = 0x8af86105c7e244c053e0a0a45a387cc2
(49) EAP-Message = 0x0206008819800000007e1603030046100000424104536b4313e457b9984a71d5f8f415e58d32861a4c37fe855a07ecec4fa034098fd9e016a7c7133b9264c013e529a2c4a32480816c6eb5b3e22d514030300010116030300000005f3b04026002d8f5368d8a46900f7d
(49) NAS-Port-Type = Wireless-802.11
(49) NAS-Port = 674
(49) NAS-Port-Id = "674"
(49) State = 0x8afbe2b38efdfb14782141186e7dc7a4
(49) NAS-IP-Address = 10.160.134.40
(49) NAS-Identifier = "txweahomxp-ap1142001"
(49) session-state: No cached attributes
(49) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(49) authorize {
(49) policy filter_username {
(49) if (&User-Name) {
(49) if (&User-Name) -> TRUE
(49) if (&User-Name) {
(49) if (&User-Name =~ / /) {
(49) if (&User-Name =~ / /) -> FALSE
(49) if (&User-Name =~ /@[^@]*@/ ) {
(49) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49) if (&User-Name =~ /\.\./ ) {
(49) if (&User-Name =~ /\.\./ ) -> FALSE
(49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49) if (&User-Name =~ /\.$/) {
(49) if (&User-Name =~ /\.$/) -> FALSE
(49) if (&User-Name =~ /@\./) {
(49) if (&User-Name =~ /@\./) -> FALSE
(49) } # if (&User-Name) = notfound
(49) } # policy filter_username = notfound
(49) [preprocess] = ok
(49) [chap] = noop
(49) [mschap] = noop
(49) [digest] = noop
(49) suffix: Checking for suffix after "@"
(49) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(49) suffix: No such realm "NULL"
(49) [suffix] = noop
(49) eap: Peer sent EAP Response (code 2) ID 6 length 136
(49) eap: Continuing tunnel setup
(49) [eap] = ok
(49) } # authorize = ok
(49) Found Auth-Type = eap
(49) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(49) authenticate {
(49) eap: Expiring EAP session with state 0x8afbe2b38efdfb14
(49) eap: Finished EAP session with state 0x8afbe2b38efdfb14
(49) eap: Previous EAP request found for state 0x8afbe2b38efdfb14, released from the list
(49) eap: Peer sent packet with method EAP PEAP (25)
(49) eap: Calling submodule eap_peap to process data
(49) eap_peap: Continuing EAP-TLS
(49) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(49) eap_peap: Got complete TLS record (126 bytes)
(49) eap_peap: [eaptls verify] = length included
(49) eap_peap: <<< recv TLS 1.2 [length 0046]
(49) eap_peap: TLS_accept: SSLv3 read client key exchange A
(49) eap_peap: TLS_accept: SSLv3 read certificate verify A
(49) eap_peap: <<< recv TLS 1.2 [length 0001]
(49) eap_peap: <<< recv TLS 1.2 [length 0010]
(49) eap_peap: TLS_accept: SSLv3 read finished A
(49) eap_peap: >>> send TLS 1.2 [length 0001]
(49) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(49) eap_peap: >>> send TLS 1.2 [length 0010]
(49) eap_peap: TLS_accept: SSLv3 write finished A
(49) eap_peap: TLS_accept: SSLv3 flush data
(49) eap_peap: (other): SSL negotiation finished successfully
(49) eap_peap: SSL Connection Established
(49) eap_peap: [eaptls process] = handled
(49) eap: Sending EAP Request (code 1) ID 7 length 57
(49) eap: EAP session adding &reply:State = 0x8afbe2b38ffcfb14
(49) [eap] = handled
(49) } # authenticate = handled
(49) Using Post-Auth-Type Challenge
(49) Post-Auth-Type sub-section not found. Ignoring.
(49) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(49) Sent Access-Challenge Id 33 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(49) EAP-Message = 0x010700391900140303000101160303002882e900312dd4036ab7a9b9ec5776ad37bd90419b736cb5518955878547bd492eb53
(49) Message-Authenticator = 0x00000000000000000000000000000000
(49) State = 0x8afbe2b38ffcfb14782141186e7dc7a4
(49) Finished request
Waking up in 1.5 seconds.
(50) Received Access-Request Id 34 from 10.160.134.40:1645 to 10.160.134.60:1812 length 218
(50) User-Name = "Robby"
(50) Framed-MTU = 1400
(50) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(50) Calling-Station-Id = "c8f7.334c.b878"
(50) Cisco-AVPair = "ssid=BigBang_2"
(50) Service-Type = Login-User
(50) Cisco-AVPair = "service-type=Login"
(50) Message-Authenticator = 0xa17757462726e62b0e86047c432c073c
(50) EAP-Message = 0x020700061900
(50) NAS-Port-Type = Wireless-802.11
(50) NAS-Port = 674
(50) NAS-Port-Id = "674"
(50) State = 0x8afbe2b38ffcfb14782141186e7dc7a4
(50) NAS-IP-Address = 10.160.134.40
(50) NAS-Identifier = "txweahomxp-ap1142001"
(50) session-state: No cached attributes
(50) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(50) authorize {
(50) policy filter_username {
(50) if (&User-Name) {
(50) if (&User-Name) -> TRUE
(50) if (&User-Name) {
(50) if (&User-Name =~ / /) {
(50) if (&User-Name =~ / /) -> FALSE
(50) if (&User-Name =~ /@[^@]*@/ ) {
(50) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(50) if (&User-Name =~ /\.\./ ) {
(50) if (&User-Name =~ /\.\./ ) -> FALSE
(50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(50) if (&User-Name =~ /\.$/) {
(50) if (&User-Name =~ /\.$/) -> FALSE
(50) if (&User-Name =~ /@\./) {
(50) if (&User-Name =~ /@\./) -> FALSE
(50) } # if (&User-Name) = notfound
(50) } # policy filter_username = notfound
(50) [preprocess] = ok
(50) [chap] = noop
(50) [mschap] = noop
(50) [digest] = noop
(50) suffix: Checking for suffix after "@"
(50) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(50) suffix: No such realm "NULL"
(50) [suffix] = noop
(50) eap: Peer sent EAP Response (code 2) ID 7 length 6
(50) eap: Continuing tunnel setup
(50) [eap] = ok
(50) } # authorize = ok
(50) Found Auth-Type = eap
(50) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(50) authenticate {
(50) eap: Expiring EAP session with state 0x8afbe2b38ffcfb14
(50) eap: Finished EAP session with state 0x8afbe2b38ffcfb14
(50) eap: Previous EAP request found for state 0x8afbe2b38ffcfb14, released from the list
(50) eap: Peer sent packet with method EAP PEAP (25)
(50) eap: Calling submodule eap_peap to process data
(50) eap_peap: Continuing EAP-TLS
(50) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(50) eap_peap: [eaptls verify] = success
(50) eap_peap: [eaptls process] = success
(50) eap_peap: Session established. Decoding tunneled attributes
(50) eap_peap: PEAP state TUNNEL ESTABLISHED
(50) eap: Sending EAP Request (code 1) ID 8 length 40
(50) eap: EAP session adding &reply:State = 0x8afbe2b38cf3fb14
(50) [eap] = handled
(50) } # authenticate = handled
(50) Using Post-Auth-Type Challenge
(50) Post-Auth-Type sub-section not found. Ignoring.
(50) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(50) Sent Access-Challenge Id 34 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(50) EAP-Message = 0x010800281900170303001d82e900312dd4036b0b903e844e9aea7c62bf3bfce43058fcdafbce
(50) Message-Authenticator = 0x00000000000000000000000000000000
(50) State = 0x8afbe2b38cf3fb14782141186e7dc7a4
(50) Finished request
Waking up in 1.5 seconds.
(51) Received Access-Request Id 35 from 10.160.134.40:1645 to 10.160.134.60:1812 length 253
(51) User-Name = "Robby"
(51) Framed-MTU = 1400
(51) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(51) Calling-Station-Id = "c8f7.334c.b878"
(51) Cisco-AVPair = "ssid=BigBang_2"
(51) Service-Type = Login-User
(51) Cisco-AVPair = "service-type=Login"
(51) Message-Authenticator = 0xc21a980aecd848c6476c448805caa836
(51) EAP-Message = 0x020800291900170303001e0000000000000001b203f9cc17c4eae658a0908c745b397185a319
(51) NAS-Port-Type = Wireless-802.11
(51) NAS-Port = 674
(51) NAS-Port-Id = "674"
(51) State = 0x8afbe2b38cf3fb14782141186e7dc7a4
(51) NAS-IP-Address = 10.160.134.40
(51) NAS-Identifier = "txweahomxp-ap1142001"
(51) session-state: No cached attributes
(51) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(51) authorize {
(51) policy filter_username {
(51) if (&User-Name) {
(51) if (&User-Name) -> TRUE
(51) if (&User-Name) {
(51) if (&User-Name =~ / /) {
(51) if (&User-Name =~ / /) -> FALSE
(51) if (&User-Name =~ /@[^@]*@/ ) {
(51) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(51) if (&User-Name =~ /\.\./ ) {
(51) if (&User-Name =~ /\.\./ ) -> FALSE
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(51) if (&User-Name =~ /\.$/) {
(51) if (&User-Name =~ /\.$/) -> FALSE
(51) if (&User-Name =~ /@\./) {
(51) if (&User-Name =~ /@\./) -> FALSE
(51) } # if (&User-Name) = notfound
(51) } # policy filter_username = notfound
(51) [preprocess] = ok
(51) [chap] = noop
(51) [mschap] = noop
(51) [digest] = noop
(51) suffix: Checking for suffix after "@"
(51) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(51) suffix: No such realm "NULL"
(51) [suffix] = noop
(51) eap: Peer sent EAP Response (code 2) ID 8 length 41
(51) eap: Continuing tunnel setup
(51) [eap] = ok
(51) } # authorize = ok
(51) Found Auth-Type = eap
(51) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(51) authenticate {
(51) eap: Expiring EAP session with state 0x8afbe2b38cf3fb14
(51) eap: Finished EAP session with state 0x8afbe2b38cf3fb14
(51) eap: Previous EAP request found for state 0x8afbe2b38cf3fb14, released from the list
(51) eap: Peer sent packet with method EAP PEAP (25)
(51) eap: Calling submodule eap_peap to process data
(51) eap_peap: Continuing EAP-TLS
(51) eap_peap: [eaptls verify] = ok
(51) eap_peap: Done initial handshake
(51) eap_peap: [eaptls process] = ok
(51) eap_peap: Session established. Decoding tunneled attributes
(51) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(51) eap_peap: Identity - Robby
(51) eap_peap: Got inner identity 'Robby'
(51) eap_peap: Setting default EAP type for tunneled EAP session
(51) eap_peap: Got tunneled request
(51) eap_peap: EAP-Message = 0x0208000a01526f626279
(51) eap_peap: Setting User-Name to Robby
(51) eap_peap: Sending tunneled request to inner-tunnel
(51) eap_peap: EAP-Message = 0x0208000a01526f626279
(51) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(51) eap_peap: User-Name = "Robby"
(51) Virtual server inner-tunnel received request
(51) EAP-Message = 0x0208000a01526f626279
(51) FreeRADIUS-Proxied-To = 127.0.0.1
(51) User-Name = "Robby"
(51) WARNING: Outer and inner identities are the same. User privacy is compromised.
(51) server inner-tunnel {
(51) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(51) authorize {
(51) policy filter_username {
(51) if (&User-Name) {
(51) if (&User-Name) -> TRUE
(51) if (&User-Name) {
(51) if (&User-Name =~ / /) {
(51) if (&User-Name =~ / /) -> FALSE
(51) if (&User-Name =~ /@[^@]*@/ ) {
(51) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(51) if (&User-Name =~ /\.\./ ) {
(51) if (&User-Name =~ /\.\./ ) -> FALSE
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(51) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(51) if (&User-Name =~ /\.$/) {
(51) if (&User-Name =~ /\.$/) -> FALSE
(51) if (&User-Name =~ /@\./) {
(51) if (&User-Name =~ /@\./) -> FALSE
(51) } # if (&User-Name) = notfound
(51) } # policy filter_username = notfound
(51) [chap] = noop
(51) [mschap] = noop
(51) suffix: Checking for suffix after "@"
(51) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(51) suffix: No such realm "NULL"
(51) [suffix] = noop
(51) update control {
(51) &Proxy-To-Realm := LOCAL
(51) } # update control = noop
(51) eap: Peer sent EAP Response (code 2) ID 8 length 10
(51) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(51) [eap] = ok
(51) } # authorize = ok
(51) Found Auth-Type = eap
(51) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(51) authenticate {
(51) eap: Peer sent packet with method EAP Identity (1)
(51) eap: Calling submodule eap_mschapv2 to process data
(51) eap_mschapv2: Issuing Challenge
(51) eap: Sending EAP Request (code 1) ID 9 length 43
(51) eap: EAP session adding &reply:State = 0x80fba18f80f2bbc7
(51) [eap] = handled
(51) } # authenticate = handled
(51) } # server inner-tunnel
(51) Virtual server sending reply
(51) EAP-Message = 0x0109002b1a01090026104cb6a8e16449119b4720387ce6d0ee3f667265657261646975732d33
(51) Message-Authenticator = 0x00000000000000000000000000000000
(51) State = 0x80fba18f80f2bbc7a42e6c0c98b253ab
(51) eap_peap: Got tunneled reply code 11
(51) eap_peap: EAP-Message = 0x0109002b1a01090026104cb6a8e16449119b4720387ce6d0ee3f6672656572616402e3132
(51) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(51) eap_peap: State = 0x80fba18f80f2bbc7a42e6c0c98b253ab
(51) eap_peap: Got tunneled reply RADIUS code 11
(51) eap_peap: EAP-Message = 0x0109002b1a01090026104cb6a8e16449119b4720387ce6d0ee3f6672656572616402e3132
(51) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(51) eap_peap: State = 0x80fba18f80f2bbc7a42e6c0c98b253ab
(51) eap_peap: Got tunneled Access-Challenge
(51) eap: Sending EAP Request (code 1) ID 9 length 74
(51) eap: EAP session adding &reply:State = 0x8afbe2b38df2fb14
(51) [eap] = handled
(51) } # authenticate = handled
(51) Using Post-Auth-Type Challenge
(51) Post-Auth-Type sub-section not found. Ignoring.
(51) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(51) Sent Access-Challenge Id 35 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(51) EAP-Message = 0x0109004a1900170303003f82e900312dd4036cba4da674512ad5997a9dfc6c680f14d6ceb70882b6df4701db3024200e67bc8f72fce4da453a2e848f99f2146189516cb
(51) Message-Authenticator = 0x00000000000000000000000000000000
(51) State = 0x8afbe2b38df2fb14782141186e7dc7a4
(51) Finished request
Waking up in 1.5 seconds.
(52) Received Access-Request Id 36 from 10.160.134.40:1645 to 10.160.134.60:1812 length 307
(52) User-Name = "Robby"
(52) Framed-MTU = 1400
(52) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(52) Calling-Station-Id = "c8f7.334c.b878"
(52) Cisco-AVPair = "ssid=BigBang_2"
(52) Service-Type = Login-User
(52) Cisco-AVPair = "service-type=Login"
(52) Message-Authenticator = 0x28d4d5c393a6930d0cc45226d26ba434
(52) EAP-Message = 0x0209005f1900170303005400000000000000021093386bc58bf2b60f38bed7b93033b7b03e4c07e33a0ca3580453ade3925464fa19ce415be02ca334cd87cbcf7837e2be6f0e8c6a0ecf5313294df1c1ac29270a235edd3
(52) NAS-Port-Type = Wireless-802.11
(52) NAS-Port = 674
(52) NAS-Port-Id = "674"
(52) State = 0x8afbe2b38df2fb14782141186e7dc7a4
(52) NAS-IP-Address = 10.160.134.40
(52) NAS-Identifier = "txweahomxp-ap1142001"
(52) session-state: No cached attributes
(52) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(52) authorize {
(52) policy filter_username {
(52) if (&User-Name) {
(52) if (&User-Name) -> TRUE
(52) if (&User-Name) {
(52) if (&User-Name =~ / /) {
(52) if (&User-Name =~ / /) -> FALSE
(52) if (&User-Name =~ /@[^@]*@/ ) {
(52) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(52) if (&User-Name =~ /\.\./ ) {
(52) if (&User-Name =~ /\.\./ ) -> FALSE
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(52) if (&User-Name =~ /\.$/) {
(52) if (&User-Name =~ /\.$/) -> FALSE
(52) if (&User-Name =~ /@\./) {
(52) if (&User-Name =~ /@\./) -> FALSE
(52) } # if (&User-Name) = notfound
(52) } # policy filter_username = notfound
(52) [preprocess] = ok
(52) [chap] = noop
(52) [mschap] = noop
(52) [digest] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(52) suffix: No such realm "NULL"
(52) [suffix] = noop
(52) eap: Peer sent EAP Response (code 2) ID 9 length 95
(52) eap: Continuing tunnel setup
(52) [eap] = ok
(52) } # authorize = ok
(52) Found Auth-Type = eap
(52) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(52) authenticate {
(52) eap: Expiring EAP session with state 0x80fba18f80f2bbc7
(52) eap: Finished EAP session with state 0x8afbe2b38df2fb14
(52) eap: Previous EAP request found for state 0x8afbe2b38df2fb14, released from the list
(52) eap: Peer sent packet with method EAP PEAP (25)
(52) eap: Calling submodule eap_peap to process data
(52) eap_peap: Continuing EAP-TLS
(52) eap_peap: [eaptls verify] = ok
(52) eap_peap: Done initial handshake
(52) eap_peap: [eaptls process] = ok
(52) eap_peap: Session established. Decoding tunneled attributes
(52) eap_peap: PEAP state phase2
(52) eap_peap: EAP method MSCHAPv2 (26)
(52) eap_peap: Got tunneled request
(52) eap_peap: EAP-Message = 0x020900401a0209003b3169c10ce06f6ad662af0d9abf87a1aaab00000000000000974725e1d82f11e472f8b2f7370cd5ca9b27b00526f626279
(52) eap_peap: Setting User-Name to Robby
(52) eap_peap: Sending tunneled request to inner-tunnel
(52) eap_peap: EAP-Message = 0x020900401a0209003b3169c10ce06f6ad662af0d9abf87a1aaab00000000000000974725e1d82f11e472f8b2f7370cd5ca9b27b00526f626279
(52) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(52) eap_peap: User-Name = "Robby"
(52) eap_peap: State = 0x80fba18f80f2bbc7a42e6c0c98b253ab
(52) Virtual server inner-tunnel received request
(52) EAP-Message = 0x020900401a0209003b3169c10ce06f6ad662af0d9abf87a1aaab00000000000000009149b35e2f11e472f8b2f7370cd5ca9b27b00526f626279
(52) FreeRADIUS-Proxied-To = 127.0.0.1
(52) User-Name = "Robby"
(52) State = 0x80fba18f80f2bbc7a42e6c0c98b253ab
(52) WARNING: Outer and inner identities are the same. User privacy is compromised.
(52) server inner-tunnel {
(52) session-state: No cached attributes
(52) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(52) authorize {
(52) policy filter_username {
(52) if (&User-Name) {
(52) if (&User-Name) -> TRUE
(52) if (&User-Name) {
(52) if (&User-Name =~ / /) {
(52) if (&User-Name =~ / /) -> FALSE
(52) if (&User-Name =~ /@[^@]*@/ ) {
(52) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(52) if (&User-Name =~ /\.\./ ) {
(52) if (&User-Name =~ /\.\./ ) -> FALSE
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(52) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(52) if (&User-Name =~ /\.$/) {
(52) if (&User-Name =~ /\.$/) -> FALSE
(52) if (&User-Name =~ /@\./) {
(52) if (&User-Name =~ /@\./) -> FALSE
(52) } # if (&User-Name) = notfound
(52) } # policy filter_username = notfound
(52) [chap] = noop
(52) [mschap] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(52) suffix: No such realm "NULL"
(52) [suffix] = noop
(52) update control {
(52) &Proxy-To-Realm := LOCAL
(52) } # update control = noop
(52) eap: Peer sent EAP Response (code 2) ID 9 length 64
(52) eap: No EAP Start, assuming it's an on-going EAP conversation
(52) [eap] = updated
(52) files: users: Matched entry Robby at line 26
(52) [files] = ok
(52) [expiration] = noop
(52) [logintime] = noop
(52) pap: WARNING: Auth-Type already set. Not setting to PAP
(52) [pap] = noop
(52) } # authorize = updated
(52) Found Auth-Type = eap
(52) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(52) authenticate {
(52) eap: Expiring EAP session with state 0x80fba18f80f2bbc7
(52) eap: Finished EAP session with state 0x80fba18f80f2bbc7
(52) eap: Previous EAP request found for state 0x80fba18f80f2bbc7, released from the list
(52) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(52) eap: Calling submodule eap_mschapv2 to process data
(52) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(52) eap_mschapv2: authenticate {
(52) mschap: Found Cleartext-Password, hashing to create NT-Password
(52) mschap: Found Cleartext-Password, hashing to create LM-Password
(52) mschap: Creating challenge hash with username: Robby
(52) mschap: Client is using MS-CHAPv2
(52) mschap: Adding MS-CHAPv2 MPPE keys
(52) [mschap] = ok
(52) } # authenticate = ok
(52) MSCHAP Success
(52) eap: Sending EAP Request (code 1) ID 10 length 51
(52) eap: EAP session adding &reply:State = 0x80fba18f81f1bbc7
(52) [eap] = handled
(52) } # authenticate = handled
(52) } # server inner-tunnel
(52) Virtual server sending reply
(52) EAP-Message = 0x010a00331a0309002e533d3945373732313138333542373637443334444632343834364639312343038313244
(52) Message-Authenticator = 0x00000000000000000000000000000000
(52) State = 0x80fba18f81f1bbc7a42e6c0c98b253ab
(52) eap_peap: Got tunneled reply code 11
(52) eap_peap: EAP-Message = 0x010a00331a0309002e533d3945373732313138333542373637443334444632343894438384232343038313244
(52) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(52) eap_peap: State = 0x80fba18f81f1bbc7a42e6c0c98b253ab
(52) eap_peap: Got tunneled reply RADIUS code 11
(52) eap_peap: EAP-Message = 0x010a00331a0309002e533d3945373732313138333542373637443334444632343894438384232343038313244
(52) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(52) eap_peap: State = 0x80fba18f81f1bbc7a42e6c0c98b253ab
(52) eap_peap: Got tunneled Access-Challenge
(52) eap: Sending EAP Request (code 1) ID 10 length 82
(52) eap: EAP session adding &reply:State = 0x8afbe2b382f1fb14
(52) [eap] = handled
(52) } # authenticate = handled
(52) Using Post-Auth-Type Challenge
(52) Post-Auth-Type sub-section not found. Ignoring.
(52) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(52) Sent Access-Challenge Id 36 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(52) EAP-Message = 0x010a00521900170303004782e900312dd4036dde9f67f257b9f750875abdd6e466998e6402ead4ce463edc55b5f3194ed50850088eb4b54c1522c8332feafa38291bc86644330ad4c735ba3
(52) Message-Authenticator = 0x00000000000000000000000000000000
(52) State = 0x8afbe2b382f1fb14782141186e7dc7a4
(52) Finished request
Waking up in 1.5 seconds.
(53) Received Access-Request Id 37 from 10.160.134.40:1645 to 10.160.134.60:1812 length 249
(53) User-Name = "Robby"
(53) Framed-MTU = 1400
(53) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(53) Calling-Station-Id = "c8f7.334c.b878"
(53) Cisco-AVPair = "ssid=BigBang_2"
(53) Service-Type = Login-User
(53) Cisco-AVPair = "service-type=Login"
(53) Message-Authenticator = 0x528a6f8e677d8f213714cd59512e5bb4
(53) EAP-Message = 0x020a00251900170303001a0000000000000003b506228b5a8d77a9c9413ac3a27731bb5c0d
(53) NAS-Port-Type = Wireless-802.11
(53) NAS-Port = 674
(53) NAS-Port-Id = "674"
(53) State = 0x8afbe2b382f1fb14782141186e7dc7a4
(53) NAS-IP-Address = 10.160.134.40
(53) NAS-Identifier = "txweahomxp-ap1142001"
(53) session-state: No cached attributes
(53) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(53) authorize {
(53) policy filter_username {
(53) if (&User-Name) {
(53) if (&User-Name) -> TRUE
(53) if (&User-Name) {
(53) if (&User-Name =~ / /) {
(53) if (&User-Name =~ / /) -> FALSE
(53) if (&User-Name =~ /@[^@]*@/ ) {
(53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(53) if (&User-Name =~ /\.\./ ) {
(53) if (&User-Name =~ /\.\./ ) -> FALSE
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(53) if (&User-Name =~ /\.$/) {
(53) if (&User-Name =~ /\.$/) -> FALSE
(53) if (&User-Name =~ /@\./) {
(53) if (&User-Name =~ /@\./) -> FALSE
(53) } # if (&User-Name) = notfound
(53) } # policy filter_username = notfound
(53) [preprocess] = ok
(53) [chap] = noop
(53) [mschap] = noop
(53) [digest] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(53) suffix: No such realm "NULL"
(53) [suffix] = noop
(53) eap: Peer sent EAP Response (code 2) ID 10 length 37
(53) eap: Continuing tunnel setup
(53) [eap] = ok
(53) } # authorize = ok
(53) Found Auth-Type = eap
(53) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(53) authenticate {
(53) eap: Expiring EAP session with state 0x80fba18f81f1bbc7
(53) eap: Finished EAP session with state 0x8afbe2b382f1fb14
(53) eap: Previous EAP request found for state 0x8afbe2b382f1fb14, released from the list
(53) eap: Peer sent packet with method EAP PEAP (25)
(53) eap: Calling submodule eap_peap to process data
(53) eap_peap: Continuing EAP-TLS
(53) eap_peap: [eaptls verify] = ok
(53) eap_peap: Done initial handshake
(53) eap_peap: [eaptls process] = ok
(53) eap_peap: Session established. Decoding tunneled attributes
(53) eap_peap: PEAP state phase2
(53) eap_peap: EAP method MSCHAPv2 (26)
(53) eap_peap: Got tunneled request
(53) eap_peap: EAP-Message = 0x020a00061a03
(53) eap_peap: Setting User-Name to Robby
(53) eap_peap: Sending tunneled request to inner-tunnel
(53) eap_peap: EAP-Message = 0x020a00061a03
(53) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(53) eap_peap: User-Name = "Robby"
(53) eap_peap: State = 0x80fba18f81f1bbc7a42e6c0c98b253ab
(53) Virtual server inner-tunnel received request
(53) EAP-Message = 0x020a00061a03
(53) FreeRADIUS-Proxied-To = 127.0.0.1
(53) User-Name = "Robby"
(53) State = 0x80fba18f81f1bbc7a42e6c0c98b253ab
(53) WARNING: Outer and inner identities are the same. User privacy is compromised.
(53) server inner-tunnel {
(53) session-state: No cached attributes
(53) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(53) authorize {
(53) policy filter_username {
(53) if (&User-Name) {
(53) if (&User-Name) -> TRUE
(53) if (&User-Name) {
(53) if (&User-Name =~ / /) {
(53) if (&User-Name =~ / /) -> FALSE
(53) if (&User-Name =~ /@[^@]*@/ ) {
(53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(53) if (&User-Name =~ /\.\./ ) {
(53) if (&User-Name =~ /\.\./ ) -> FALSE
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(53) if (&User-Name =~ /\.$/) {
(53) if (&User-Name =~ /\.$/) -> FALSE
(53) if (&User-Name =~ /@\./) {
(53) if (&User-Name =~ /@\./) -> FALSE
(53) } # if (&User-Name) = notfound
(53) } # policy filter_username = notfound
(53) [chap] = noop
(53) [mschap] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(53) suffix: No such realm "NULL"
(53) [suffix] = noop
(53) update control {
(53) &Proxy-To-Realm := LOCAL
(53) } # update control = noop
(53) eap: Peer sent EAP Response (code 2) ID 10 length 6
(53) eap: No EAP Start, assuming it's an on-going EAP conversation
(53) [eap] = updated
(53) files: users: Matched entry Robby at line 26
(53) [files] = ok
(53) [expiration] = noop
(53) [logintime] = noop
(53) pap: WARNING: Auth-Type already set. Not setting to PAP
(53) [pap] = noop
(53) } # authorize = updated
(53) Found Auth-Type = eap
(53) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(53) authenticate {
(53) eap: Expiring EAP session with state 0x80fba18f81f1bbc7
(53) eap: Finished EAP session with state 0x80fba18f81f1bbc7
(53) eap: Previous EAP request found for state 0x80fba18f81f1bbc7, released from the list
(53) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(53) eap: Calling submodule eap_mschapv2 to process data
(53) eap: Sending EAP Success (code 3) ID 10 length 4
(53) eap: Freeing handler
(53) [eap] = ok
(53) } # authenticate = ok
(53) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(53) post-auth { ... } # empty sub-section is ignored
(53) } # server inner-tunnel
(53) Virtual server sending reply
(53) MS-MPPE-Encryption-Policy = Encryption-Allowed
(53) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(53) MS-MPPE-Send-Key = 0x5adc17de03a0c14b6244dfc97ecea32d
(53) MS-MPPE-Recv-Key = 0x0d158d23f251dc24109fe284b8ccf5d1
(53) EAP-Message = 0x030a0004
(53) Message-Authenticator = 0x00000000000000000000000000000000
(53) User-Name = "Robby"
(53) eap_peap: Got tunneled reply code 2
(53) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(53) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(53) eap_peap: MS-MPPE-Send-Key = 0x5adc17de03a0c14b6244dfc97ecea32d
(53) eap_peap: MS-MPPE-Recv-Key = 0x0d158d23f251dc24109fe284b8ccf5d1
(53) eap_peap: EAP-Message = 0x030a0004
(53) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(53) eap_peap: User-Name = "Robby"
(53) eap_peap: Got tunneled reply RADIUS code 2
(53) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(53) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(53) eap_peap: MS-MPPE-Send-Key = 0x5adc17de03a0c14b6244dfc97ecea32d
(53) eap_peap: MS-MPPE-Recv-Key = 0x0d158d23f251dc24109fe284b8ccf5d1
(53) eap_peap: EAP-Message = 0x030a0004
(53) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(53) eap_peap: User-Name = "Robby"
(53) eap_peap: Tunneled authentication was successful
(53) eap_peap: SUCCESS
(53) eap: Sending EAP Request (code 1) ID 11 length 46
(53) eap: EAP session adding &reply:State = 0x8afbe2b383f0fb14
(53) [eap] = handled
(53) } # authenticate = handled
(53) Using Post-Auth-Type Challenge
(53) Post-Auth-Type sub-section not found. Ignoring.
(53) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(53) Sent Access-Challenge Id 37 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(53) EAP-Message = 0x010b002e1900170303002382e900312dd4036e23a203d69f8b6ec7d266e5d8abdcb637d27722fa2
(53) Message-Authenticator = 0x00000000000000000000000000000000
(53) State = 0x8afbe2b383f0fb14782141186e7dc7a4
(53) Finished request
Waking up in 1.4 seconds.
(54) Received Access-Request Id 38 from 10.160.134.40:1645 to 10.160.134.60:1812 length 258
(54) User-Name = "Robby"
(54) Framed-MTU = 1400
(54) Called-Station-Id = "0026.cba5.c330:BigBang_2"
(54) Calling-Station-Id = "c8f7.334c.b878"
(54) Cisco-AVPair = "ssid=BigBang_2"
(54) Service-Type = Login-User
(54) Cisco-AVPair = "service-type=Login"
(54) Message-Authenticator = 0x1e55ec6f12007936403104a21e999a92
(54) EAP-Message = 0x020b002e1900170303002300000000000000049df95b06d372214cc955dfc797c9807e59a44116f
(54) NAS-Port-Type = Wireless-802.11
(54) NAS-Port = 674
(54) NAS-Port-Id = "674"
(54) State = 0x8afbe2b383f0fb14782141186e7dc7a4
(54) NAS-IP-Address = 10.160.134.40
(54) NAS-Identifier = "txweahomxp-ap1142001"
(54) session-state: No cached attributes
(54) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(54) authorize {
(54) policy filter_username {
(54) if (&User-Name) {
(54) if (&User-Name) -> TRUE
(54) if (&User-Name) {
(54) if (&User-Name =~ / /) {
(54) if (&User-Name =~ / /) -> FALSE
(54) if (&User-Name =~ /@[^@]*@/ ) {
(54) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(54) if (&User-Name =~ /\.\./ ) {
(54) if (&User-Name =~ /\.\./ ) -> FALSE
(54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(54) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(54) if (&User-Name =~ /\.$/) {
(54) if (&User-Name =~ /\.$/) -> FALSE
(54) if (&User-Name =~ /@\./) {
(54) if (&User-Name =~ /@\./) -> FALSE
(54) } # if (&User-Name) = notfound
(54) } # policy filter_username = notfound
(54) [preprocess] = ok
(54) [chap] = noop
(54) [mschap] = noop
(54) [digest] = noop
(54) suffix: Checking for suffix after "@"
(54) suffix: No '@' in User-Name = "Robby", looking up realm NULL
(54) suffix: No such realm "NULL"
(54) [suffix] = noop
(54) eap: Peer sent EAP Response (code 2) ID 11 length 46
(54) eap: Continuing tunnel setup
(54) [eap] = ok
(54) } # authorize = ok
(54) Found Auth-Type = eap
(54) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(54) authenticate {
(54) eap: Expiring EAP session with state 0x8afbe2b383f0fb14
(54) eap: Finished EAP session with state 0x8afbe2b383f0fb14
(54) eap: Previous EAP request found for state 0x8afbe2b383f0fb14, released from the list
(54) eap: Peer sent packet with method EAP PEAP (25)
(54) eap: Calling submodule eap_peap to process data
(54) eap_peap: Continuing EAP-TLS
(54) eap_peap: [eaptls verify] = ok
(54) eap_peap: Done initial handshake
(54) eap_peap: [eaptls process] = ok
(54) eap_peap: Session established. Decoding tunneled attributes
(54) eap_peap: PEAP state send tlv success
(54) eap_peap: Received EAP-TLV response
(54) eap_peap: Success
(54) eap_peap: No information to cache: session caching will be disabled for session 709ffbc4d92873d1a6444e9ef69420a9ae18f2b0185596be5ce
(54) eap: Sending EAP Success (code 3) ID 11 length 4
(54) eap: Freeing handler
(54) [eap] = ok
(54) } # authenticate = ok
(54) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(54) post-auth {
(54) update {
(54) No attributes updated
(54) } # update = noop
(54) [exec] = noop
(54) policy remove_reply_message_if_eap {
(54) if (&reply:EAP-Message && &reply:Reply-Message) {
(54) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(54) else {
(54) [noop] = noop
(54) } # else = noop
(54) } # policy remove_reply_message_if_eap = noop
(54) } # post-auth = noop
(54) Sent Access-Accept Id 38 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
(54) MS-MPPE-Recv-Key = 0x5260b6c51f635fb4174138e9566fe96b6ea41a940185eab1a0c3273a41c073dc
(54) MS-MPPE-Send-Key = 0x8c87966153c2d3fed5c33f6e375744234c76bad59c542dd87b767a2d9614ba93
(54) EAP-Message = 0x030b0004
(54) Message-Authenticator = 0x00000000000000000000000000000000
(54) User-Name = "Robby"
(54) Finished request
Waking up in 1.4 seconds.
(33) Cleaning up request packet ID 17 with timestamp +45
(34) Cleaning up request packet ID 18 with timestamp +45
(35) Cleaning up request packet ID 19 with timestamp +45
(36) Cleaning up request packet ID 20 with timestamp +45
(37) Cleaning up request packet ID 21 with timestamp +45
(38) Cleaning up request packet ID 22 with timestamp +45
(39) Cleaning up request packet ID 23 with timestamp +45
(40) Cleaning up request packet ID 24 with timestamp +45
(41) Cleaning up request packet ID 25 with timestamp +45
(42) Cleaning up request packet ID 26 with timestamp +45
(43) Cleaning up request packet ID 27 with timestamp +45
Waking up in 3.3 seconds.
(44) Cleaning up request packet ID 28 with timestamp +48
(45) Cleaning up request packet ID 29 with timestamp +48
(46) Cleaning up request packet ID 30 with timestamp +48
(47) Cleaning up request packet ID 31 with timestamp +48
(48) Cleaning up request packet ID 32 with timestamp +48
(49) Cleaning up request packet ID 33 with timestamp +48
(50) Cleaning up request packet ID 34 with timestamp +48
(51) Cleaning up request packet ID 35 with timestamp +48
(52) Cleaning up request packet ID 36 with timestamp +48
(53) Cleaning up request packet ID 37 with timestamp +49
(54) Cleaning up request packet ID 38 with timestamp +49
Ready to process requests
Rob Rutledge, CCNP CCDP
-----Original Message-----
From: Rob Rutledge [mailto:robertrutledge2005 at charter.net]
Sent: Saturday, April 22, 2017 6:19 PM
To: 'FreeRadius users mailing list' <freeradius-users at lists.freeradius.org>
Cc: robertrutledge2005 at charter.net
Subject: RE: FW: EAP authentication with Windows 10
Thanks for the quick response.
The way I updated the certificates was to save the original directory to a certs_bak directory. Then I followed the instructions in the README file to delete all the .pems, .ders, etc., etc. Something strange happened when I tried the make on the server.pem certificate and I got some error messages that it couldn't be written to the database although the certificate was created. When I tried to start radiusd in debug mode after that, radiusd would not start, complaining that it could not read the server.pem certificate. I then moved all the original certificates back into the certs/ directory and then I could get radiusd to start again. I assumed this put me back at the same setup I had before.
Other than that nothing changed on the Windows 10 laptop other than Windows updates maybe?? I don't know of anything else.
As a side note, when I first set this up the ca.der would not install on the laptop, advising it was not a valid security certificate. I was able to tftp the ca.pem certificate to my laptop and then install that from certmgr.
That's when I finally got it to work. That certificate is still in my certificate store although it is expired now. When I did create the new certificates the new ca.der certificate did install in my certificate store this time, so I thought voilà, it will work. No such luck. Anyway, both certificates are still installed in my certificate store.
I will try manually configuring the SSID on my laptop and uncheck the CA cert validation.
Thanks.
Rob Rutledge, CCNP CCDP
-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+robertrutledge2005=charter.net at lists.freeradius.org]
On Behalf Of Matthew Newton
Sent: Saturday, April 22, 2017 3:52 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FW: EAP authentication with Windows 10
On 22 April 2017 21:26:04 BST, Rob Rutledge <robertrutledge2005 at charter.net>
wrote:
>I have had Freeradius up and running successfully since February. I
>set up a Windows 10 wireless client to authenticate to it along with an
>iPhone 6.
That's good.
>For some reason the Windows 10 client quit working last week. (The
>iPhone is still working fine although I see in the debugs it is using
>TLS1.0)
I would have preferred to be back at exactly the same setup you had then, and look at the debug log, rather than change some stuff which now means you might have more broken things. But that's probably not possible now...
The real question should be - what changed that stopped it working?
> I
>assumed it was a problem with the certificates expiring, but creating
>new ones has not helped. Therefore I went back to the originals. I
>was not able to get the client.p12 certificate installed so instead I
>use WPAV2 and I did not specify the username/password in my AP.
>Therefore the authentication process would let me enter the
>username/password combination and then have me accept the certificate
>which I only had to configure once.
>Then it stopped working and I cannot even get past the
>username/password combination now.
>(5) eap_peap: ERROR: TLS Alert read:fatal:access denied
Looks like it might be Windows not trusting the server CA. Is the CA cert installed correctly in Windows?
If it authenticates with CA cert verification disabled, then this is certainly the problem. But don't do that in normal operation as it's not secure.
--
Matthew
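
Added example (not part of the thread and not FreeRADIUS code): a small Python triage of `radiusd -X` output that groups lines by request number and flags requests where the server read a fatal TLS alert from the client, the symptom Matthew ties to the supplicant not trusting the server CA. The sample log is constructed around the alert and Access-Accept lines quoted in the thread; the function names and the Access-Reject line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `radiusd -X` output. The TLS alert line and the
# Access-Accept line appear in the thread; the other lines are filled in.
SAMPLE_LOG = """\
(5) Received Access-Request Id 245 from 10.160.134.40:1645 to 10.160.134.60:1812 length 250
(5) User-Name = "Robby"
(5) eap_peap: ERROR: TLS Alert read:fatal:access denied
(5) Sent Access-Reject Id 245 from 10.160.134.60:1812 to 10.160.134.40:1645 length 44
(54) User-Name = "Robby"
(54) eap_peap: Success
(54) Sent Access-Accept Id 38 from 10.160.134.60:1812 to 10.160.134.40:1645 length 0
Waking up in 1.4 seconds.
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")            # "(N) rest of line"
ALERT = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+)$")
SENT = re.compile(r"^Sent (Access-\w+) Id \d+")
USER = re.compile(r'^User-Name = "([^"]*)"')


def triage(log_text):
    """Group debug lines by request number; collect user, TLS alerts, final reply."""
    reqs = defaultdict(lambda: {"user": None, "alerts": [], "result": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # server-level line, no request number
        num, body = int(m.group(1)), m.group(2)
        r = reqs[num]
        if r["user"] is None and (u := USER.match(body)):
            r["user"] = u.group(1)
        elif (a := ALERT.search(body)):
            r["alerts"].append(a.groups())            # (direction, level, description)
        elif (s := SENT.match(body)):
            r["result"] = s.group(1)
    return dict(reqs)


def client_rejections(reqs):
    """Requests where the supplicant aborted TLS: 'read' = alert received by the server."""
    return sorted(n for n, r in reqs.items()
                  if any(d == "read" and lvl == "fatal" for d, lvl, _ in r["alerts"]))


if __name__ == "__main__":
    for n in client_rejections(triage(SAMPLE_LOG)):
        print(f"request ({n}): client sent fatal TLS alert; check the CA trust on the client")
```

A `write` direction in the same log line would instead mean the server sent the alert, which points at the server side of the handshake rather than the client's trust store.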