vlan assignment

Zenon Matuszyk zenon.matuszyk at networkers.pl
Fri Aug 25 11:02:45 CEST 2017


Hi,

Debug below


I have a problem with VLAN assignment by group. If a user is in the group wi-fi, they should get an IP on VLAN 200; if they are in another group, they should get an IP on VLAN 216. I attach a file with freeradius -X output. Users and groups are in SAMBA4. When I log in to Wi-Fi, I always get an IP on VLAN 216. I use login at mydomain.pl to connect to Wi-Fi.

In file users I add:

DEFAULT LDAP-Group == "wi-fi"
        Reply-Message="XXXX HIT: wi-fi",
        Tunnel-Private-Group-Id := 200,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,


freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:25:15
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/default.orig
main {
	user = "freerad"
	group = "freerad"
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
  log {
  	stripped_names = no
  	auth = no
  	auth_badpass = no
  	auth_goodpass = no
  }
  security {
  	max_attributes = 200
  	reject_delay = 1
  	status_server = yes
  	allow_vulnerable_openssl = no
  }
}
radiusd: #### Loading Realms and Home Servers ####
  proxy server {
  	retry_delay = 5
  	retry_count = 3
  	default_fallback = no
  	dead_time = 120
  	wake_all_if_all_dead = no
  }
  home_server radius14x.xxx.x.40 {
  	ipaddr = 14x.xxx.x.40
  	port = 1812
  	type = "auth"
  	secret = "xxxxxxxx"
  	response_window = 20
  	max_outstanding = 65536
  	require_message_authenticator = yes
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_interval = 30
  	num_answers_to_alive = 3
  	num_pings_to_alive = 3
  	revive_interval = 300
  	status_check_timeout = 4
  }
  home_server radius14x.xxx.x.66 {
  	ipaddr = 14x.xxx.x.66
  	port = 1812
  	type = "auth"
  	secret = "Cxxxxxx"
  	response_window = 20
  	max_outstanding = 65536
  	require_message_authenticator = yes
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_interval = 30
  	num_answers_to_alive = 3
  	num_pings_to_alive = 3
  	revive_interval = 300
  	status_check_timeout = 4
  }
  home_server localhost {
  	ipaddr = 127.0.0.1
  	port = 1812
  	type = "auth"
  	secret = "testing123"
  	response_window = 20
  	no_response_fail = no
  	max_outstanding = 65536
  	require_message_authenticator = yes
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_interval = 30
  	num_answers_to_alive = 3
  	num_pings_to_alive = 3
  	revive_interval = 120
  	status_check_timeout = 4
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  realm NULL {
  }
  realm LOCAL {
  }
  realm mydomain.pl {
	authhost = LOCAL
	accthost = LOCAL
  }
  realm DEFAULT {
	nostrip
  }
radiusd: #### Loading Clients ####
  client localhost {
  	ipaddr = 127.0.0.1
  	netmask = 32
  	require_message_authenticator = no
  	secret = "testing123"
  	shortname = "localhost"
  	nastype = "other"
  }
  client 10.xxx.xxx.xxx {
  	ipaddr = 10.xx.xxx.xxx
  	netmask = 32
  	require_message_authenticator = no
  	secret = "vxxxxxxx"
  	nastype = "cisco"
  }
  client 14x.xxx.x.xx {
  	require_message_authenticator = no
  	secret = "Cxxxxxx"
  	nastype = "other"
  }
  client 14x.xxx.xx.xxx {
  	require_message_authenticator = no
  	secret = "Cxxxxx"
  	nastype = "other"
  }
radiusd: #### Instantiating modules ####
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
   exec {
   	wait = no
   	input_pairs = "request"
   	shell_escape = yes
   	timeout = 10
   }
  Module: Linked to module rlm_expr
  Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
  Module: Linked to module rlm_expiration
  Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
   expiration {
   	reply-message = "Password Has Expired  "
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
   logintime {
   	reply-message = "You are calling outside your allowed timespan  "
   	minimum-timeout = 60
   }
  }
radiusd: #### Loading Virtual Servers ####
server { # from file ?
  modules {
   Module: Creating Auth-Type = digest
   Module: Creating Auth-Type = LDAP
   Module: Creating Post-Auth-Type = REJECT
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pap
  Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
   pap {
   	encryption_scheme = "auto"
   	auto_header = no
   }
  Module: Linked to module rlm_chap
  Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
  Module: Linked to module rlm_mschap
  Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
   mschap {
   	use_mppe = no
   	require_encryption = no
   	require_strong = no
   	with_ntdomain_hack = no
   	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
   	allow_retry = yes
   }
  Module: Linked to module rlm_digest
  Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
  Module: Linked to module rlm_ldap
  Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
   ldap {
   	server = "ldap1.xxxxxxxxxxx"
   	port = 389
   	password = "xxxxxxx"
   	expect_password = yes
   	identity = "cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local"
   	net_timeout = 1
   	timeout = 4
   	timelimit = 3
   	max_uses = 0
   	tls_mode = no
   	start_tls = no
   	tls_require_cert = "allow"
    tls {
    	start_tls = no
    	require_cert = "allow"
    }
   	basedn = "dc=xxx,dc=xxx,dc=local"
   	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
   	base_filter = "(objectclass=radiusprofile)"
   	auto_header = no
   	access_attr_used_for_allow = yes
   	chase_referrals = yes
   	rebind = yes
   	groupname_attribute = "cn"
   	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
   	groupmembership_attribute = "memberOf"
   	dictionary_mapping = "/etc/freeradius/ldap.attrmap"
   	ldap_debug = 0
   	ldap_connections_number = 5
   	compare_check_items = no
   	do_xlat = yes
   	edir_account_policy_check = no
   	set_auth_type = yes
    keepalive {
    	idle = 60
    	probes = 3
    	interval = 3
    }
   }
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x2172c00
  Module: Linked to module rlm_eap
  Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
   eap {
   	default_eap_type = "md5"
   	timer_expire = 60
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 1024
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
    	challenge = "Password: "
    	auth_type = "PAP"
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
    	rsa_key_exchange = no
    	dh_key_exchange = yes
    	rsa_key_length = 512
    	dh_key_length = 512
    	verify_depth = 0
    	CA_path = "/etc/freeradius/certs"
    	pem_file_type = yes
    	private_key_file = "/etc/freeradius/certs/server.key"
    	certificate_file = "/etc/freeradius/certs/server.pem"
    	CA_file = "/etc/freeradius/certs/ca.pem"
    	private_key_password = "si7lkweflefkoi"
    	dh_file = "/etc/freeradius/certs/dh"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	check_crl = no
    	cipher_list = "DEFAULT"
    	make_cert_command = "/etc/freeradius/certs/bootstrap"
    	ecdh_curve = "prime256v1"
     cache {
     	enable = no
     	lifetime = 24
     	max_entries = 255
     }
     verify {
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
    ttls {
    	default_eap_type = "md5"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	virtual_server = "inner-tunnel"
    	include_length = yes
    }
  Module: Linked to sub-module rlm_eap_peap
  Module: Instantiating eap-peap
    peap {
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "inner-tunnel"
    	soh = no
    }
  Module: Linked to sub-module rlm_eap_mschapv2
  Module: Instantiating eap-mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    }
  Module: Checking authorize {...} for more modules to load
  Module: Linked to module rlm_preprocess
  Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
   preprocess {
   	huntgroups = "/etc/freeradius/huntgroups"
   	hints = "/etc/freeradius/hints"
   	with_ascend_hack = no
   	ascend_channels_per_line = 23
   	with_ntdomain_hack = no
   	with_specialix_jetstream_hack = no
   	with_cisco_vsa_hack = no
   	with_alvarion_vsa_hack = no
   }
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
  Module: Linked to module rlm_realm
  Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
   realm suffix {
   	format = "suffix"
   	delimiter = "@"
   	ignore_default = no
   	ignore_null = no
   }
  Module: Linked to module rlm_files
  Module: Instantiating module "files" from file /etc/freeradius/modules/files
   files {
   	usersfile = "/etc/freeradius/users"
   	acctusersfile = "/etc/freeradius/acct_users"
   	preproxy_usersfile = "/etc/freeradius/preproxy_users"
   	compat = "no"
   }
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
  Module: Checking preacct {...} for more modules to load
  Module: Linked to module rlm_acct_unique
  Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
   acct_unique {
   	key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
   }
  Module: Checking accounting {...} for more modules to load
  Module: Linked to module rlm_detail
  Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
   detail {
   	detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
   	header = "%t"
   	detailperm = 384
   	dirperm = 493
   	locking = no
   	log_packet_header = no
   }
  Module: Linked to module rlm_unix
  Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
   unix {
   	radwtmp = "/var/log/freeradius/radwtmp"
   }
  Module: Linked to module rlm_attr_filter
  Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
   attr_filter attr_filter.accounting_response {
   	attrsfile = "/etc/freeradius/attrs.accounting_response"
   	key = "%{User-Name}"
   	relaxed = no
   }
reading pairlist file /etc/freeradius/attrs.accounting_response
  Module: Checking session {...} for more modules to load
  Module: Linked to module rlm_radutmp
  Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
   radutmp {
   	filename = "/var/log/freeradius/radutmp"
   	username = "%{User-Name}"
   	case_sensitive = yes
   	check_with_nas = yes
   	perm = 384
   	callerid = yes
   }
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
   attr_filter attr_filter.access_reject {
   	attrsfile = "/etc/freeradius/attrs.access_reject"
   	key = "%{User-Name}"
   	relaxed = no
   }
reading pairlist file /etc/freeradius/attrs.access_reject
  } # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
  Module: Checking session {...} for more modules to load
  Module: Checking post-proxy {...} for more modules to load
  Module: Checking post-auth {...} for more modules to load
  } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
}
listen {
  	type = "acct"
  	ipaddr = *
  	port = 0
}
listen {
   	type = "auth"
   	ipaddr = 127.0.0.1
   	port = 18120
}
  ... adding new socket proxy address * port 43178
  ... adding new socket proxy address * port 41263
  ... adding new socket proxy address * port 39874
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=81, length=291
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:eduroam"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "eduroam"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x02020019017a6d617475737a796b40696a702e70616e2e706c
	Message-Authenticator = 0xfec018116a180d4d864c9f139585d5da
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "xxx.pan.pl" for User-Name = "zmatuszyk at xxx.pan.pl"
[suffix] Found realm "xxx.pan.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
   [ldap] Entering ldap_groupcmp()
[files] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] 	expand: %{Stripped-User-Name} -> zmatuszyk
[files] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to ldap1.mydomain.local:389, authentication 0
   [ldap] bind as cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local/rad--xxx--02 to ldap1.mydomain.local:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] ldap_release_conn: Release Id: 0
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=eduroam)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
   [ldap] performing search in CN=eduroam,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
   [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 11
++[files] = ok
[ldap] performing user authorization for zmatuszyk
[ldap] 	expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 81 to 10.24.100.41 port 32773
	Reply-Message = "XXXX HIT: wi-fi"
	EAP-Message = 0x010300160410b04415eae4f0496023757b62a9129028
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=82, length=290
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020300060319
	State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd
	Message-Authenticator = 0x7846d5ea8b4236193a892abe92bbbe07
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
   [ldap] Entering ldap_groupcmp()
[files] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] 	expand: %{Stripped-User-Name} -> zmatuszyk
[files] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] ldap_release_conn: Release Id: 0
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
   [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] Entering ldap_groupcmp()
[files] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] 	expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
   [ldap] object not found
   [ldap] ldap_release_conn: Release Id: 0
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
   [ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
   [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 11
++[files] = ok
[ldap] performing user authorization for zmatuszyk
[ldap] 	expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 82 to 10.24.100.41 port 32773
	Reply-Message = "XXXX HIT: wi-fi"
	EAP-Message = 0x010400061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=83, length=397
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x0204007119800000006716030100620100005e0301599d761e186b3ad71bc1d662fd93d93ce1aae50e891e7afbb65d8eec636f2af100001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
	State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x588bfa32eeab12189b35da5d3ac1e404
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 113
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 103
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0062], ClientHello
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 08a6], Certificate
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 83 to 10.24.100.41 port 32773
	EAP-Message = 0xaf5192d4e9d1c6301ce43d01
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=84, length=290
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020500061900
	State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x6b9e5fe560487a1d133a50f9f8522760
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 84 to 10.24.100.41 port 32773
	EAP-Message = 0x83fda3300d06092a864886f70d01010505003077310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b696531263024060355040a0c1d496e737479747574204a657a796b6120506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c14726f6f7463612e696a702e70616e2e6c6f63616c301e170d3137303832313130343434315a170d3337303831363130343434315a308188310b300906035504061302504c3114301206035504080c0b4d616c6f706f6c736b6965310f300d06035504070c064b72616b6f7731263024060355040a0c1d496e737479747574204a657a796b6120
	EAP-Message = 0x0382010100a7ba01
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=85, length=290
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020600061900
	State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd
	Message-Authenticator = 0xd86ea26576af50657802f55266ec0d29
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 85 to 10.24.100.41 port 32773
	EAP-Message = 0x0107025c19004d16d1c7a4c127b06c3974533a055af202e7fe05f13dc5f78bf50eb852b25913965c85f981b45b174003af43ddbb5d8754406a26645dd06a9d4ce4b1622de1b4cec8a3d91f973b6332ba5fd78ff18e6feb1b87e664ee981c68523c4d9517a9c8f97abbefd1d76ba66dbeee1fe4e8d4420f6606ff280119897d3026e466910f5ebb892ce764e60fc8d7e4eb2f1609348a405b6e92133d1f4a6f612f4a6eee9c1c04677bcf3e574dc88d64e8972be7d01a080968f189d9258bca3419feff11a7409ae6471a32eab899837f79f8c8116f27ecf63daf802cd7b0df1b3a767d46bb4a40f07b0ead84f31ba36292b6df736e38d9b2f25e2e1483
	EAP-Message = 0xdf99f9e6ee6bdb7e85bfc054ade219758d9ea980090c3ba4ac092f54b63698d1a367c3440c26973240a13acab7d5aade92ef8aed0151254763f94fe7500b14a26e048c7b908cd42ec9cdf009ebaaf19e07a744b0a4d0629d0916030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=86, length=428
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x02070090198000000086160301004610000042410441d4e9da4f0dee00258330e7eefe26437faf3977c86bc6bcda3f9ae4a38dbc9fb97559b0d16d481add56d34dc07eb79b0d94b57f87e8e2eb1b7fa7bd199c5f7b14030100010116030100303462633e66f7c5a81bd94bbfa5a129c0eb6389859ce33c5219d80a4440f5fe25568da27a97a234bcf06f1d18b9dc3c5d
	State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd
	Message-Authenticator = 0xdb6f802835872c23130041fc4007ac52
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
   TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 86 to 10.24.100.41 port 32773
	EAP-Message = 0x01080041190014030100010116030100305bf3edc257025b940387d79d9c795ae0343d8cc5394b7f07b731f51b3de87d29fa187a2c8cab69927ee6e532cdbf7935
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=87, length=290
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020800061900
	State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x9e81fefac2ae2908717fef6b4932bb38
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 87 to 10.24.100.41 port 32773
	EAP-Message = 0x0109002b1900170301002077f01fd17d3f22ade23d7192c53d1b88a27b9b2ffd8f55337be8bd4d38a42968
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=88, length=343
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x0209003b19001703010030578da54b82482dfe9cfd000bfc23dcce4d8e1bca2eef46f681216a29d8c2c311152fae08d97aa2225fc0d47b8a1a3ef7
	State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x9f5437d3e3d6aac993010c1ce5f1b29c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - zmatuszyk at mydomain.pl
[peap] Got inner identity 'zmatuszyk at mydomain.pl'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
	EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c
server  {
[peap] Setting User-Name to zmatuszyk at mydomain.pl
Sending tunneled request
	EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] 	expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa04d94bba0478e21869b454cf59410b2
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa04d94bba0478e21869b454cf59410b2
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 88 to 10.24.100.41 port 32773
	EAP-Message = 0x010a004b1900170301004034bb429d07c6d6099ca3460f19f8e3b57922184a863f462430677150b9f81d8b2657a2a06a00fb03e5708c4b89f2b3fa91a26e3ef432f933c1afae4a1846a69b
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=89, length=391
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020a006b190017030100606e38a934794212cf6a918b10fcc5607d7bdc487faa8d2b75bee77b0dba7dff21eff091d59e0ce5b4eace425fe7679182b8c9a3cdcdd97b78542bfd2021517af23a835314a873fa4899d4094adf06ca1ebb6d4439b1a73b610b83fe181a355223
	State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x3cfff3760e60e4d6d060697d4f9e7c55
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c
server  {
[peap] Setting User-Name to zmatuszyk at mydomain.pl
Sending tunneled request
	EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "zmatuszyk at mydomain.pl"
	State = 0xa04d94bba0478e21869b454cf59410b2
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] 	expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: zmatuszyk at mydomain.pl
[mschap] Client is using MS-CHAPv2 for zmatuszyk at mydomain.pl, we need NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] 	expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=zmatuszyk
[mschap] Creating challenge hash with username: zmatuszyk at mydomain.pl
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=014e29ddb376815b
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b349595743a15b250c5196ae0a8b999906041d39f5b6e39f
Exec output: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8
Exec plaintext: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8
[mschap] Exec: program returned: 0
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa04d94bba1468e21869b454cf59410b2
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa04d94bba1468e21869b454cf59410b2
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 89 to 10.24.100.41 port 32773
	EAP-Message = 0x010b005b1900170301005053f6ddaa68148f5c294833d49ba96ddc9f05676626dc587b248f4eccf1b21a3e666688ce5b46358bbc5539b5c419a0583c7efcf24d0e5f586a46f2142db1edec536b302e5b4d9148cc9b3ddd8f250bbf
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=90, length=327
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020b002b1900170301002012cb0cf8ac5719f1b57d2c2346df5c1987fc4cdcbd934bf36cd287f84b738340
	State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x1b0fb418df527a97d3986e4a40acfec9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x020b00061a03
server  {
[peap] Setting User-Name to zmatuszyk at mydomain.pl
Sending tunneled request
	EAP-Message = 0x020b00061a03
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = "zmatuszyk at mydomain.pl"
	State = 0xa04d94bba1468e21869b454cf59410b2
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] 	expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] 	expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
   [ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
   WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "zmatuszyk"
[peap] Got tunneled reply RADIUS code 2
	EAP-Message = 0x030b0004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "zmatuszyk"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 90 to 10.24.100.41 port 32773
	EAP-Message = 0x010c002b190017030100200d545dc56da8a11537b3736476c057d46722da9da13ac68c59701a572f68bc77
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=91, length=327
	User-Name = "zmatuszyk at mydomain.pl"
	Chargeable-User-Identity = ""
	Location-Capable = Civix-Location
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
	NAS-Port = 13
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-IP-Address = 10.24.100.41
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	EAP-Message = 0x020c002b1900170301002027762168802a383047205d36d9061db6c143af20fa4230f13373e378a0990659
	State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd
	Message-Authenticator = 0x5f9ba3b7bf1a0baba21da915e0511b49
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
	User-Name = "zmatuszyk"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[ldap] = noop
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 91 to 10.24.100.41 port 32773
	User-Name = "zmatuszyk"
	MS-MPPE-Recv-Key = 0x00fad5b684fa871101e3f02fad3de6103205c5bb4a356047fa51b1325eeb471b
	MS-MPPE-Send-Key = 0x3b67a98e0c9eb2a082c0353d8cc09532580e90ecc9b752cb4a626a4b779b04cb
	EAP-Message = 0x030c0004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Accounting-Request packet from host 10.24.100.41 port 32773, id=36, length=306
	User-Name = "zmatuszyk"
	NAS-Port = 13
	NAS-IP-Address = 10.24.100.41
	Framed-IP-Address = 10.24.216.185
	Framed-IPv6-Prefix = fe80::/64
	NAS-Identifier = "wi-fi"
	Airespace-Wlan-Id = 3
	Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
	NAS-Port-Type = Wireless-802.11
	Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
	Acct-Authentic = RADIUS
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "216"
	Event-Timestamp = "Aug 23 2017 14:33:27 CEST"
	Acct-Status-Type = Interim-Update
	Acct-Input-Octets = 40891
	Acct-Input-Gigawords = 0
	Acct-Output-Octets = 6787
	Acct-Output-Gigawords = 0
	Acct-Input-Packets = 212
	Acct-Output-Packets = 50
	Acct-Session-Time = 823
	Acct-Delay-Time = 0
	Calling-Station-Id = "08-ed-b9-92-1e-85"
	Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 13,NAS-Identifier = "wi-fi",NAS-IP-Address = 10.24.100.41,Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138",User-Name = "zmatuszyk"'
[acct_unique] Acct-Unique-Session-ID = "e8bd33a710179400".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "zmatuszyk", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "NULL"
[suffix] Accounting realm is LOCAL.
++[suffix] = ok
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+group accounting {
[detail] 	expand: %{Packet-Src-IP-Address} -> 10.24.100.41
[detail] 	expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.24.100.41/detail-20170823
[detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.24.100.41/detail-20170823
[detail] 	expand: %t -> Wed Aug 23 14:33:27 2017
++[detail] = ok
++[unix] = noop
++[exec] = noop
[attr_filter.accounting_response] 	expand: %{User-Name} -> zmatuszyk
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 36 to 10.24.100.41 port 32773
Finished request 11.
Cleaning up request 11 ID 36 with timestamp +23
Going to the next request
Waking up in 4.7 seconds.

On 24.08.2017 at 22:31, Alan DeKok wrote:
> On Aug 24, 2017, at 3:38 PM, Zenon Matuszyk <zenon.matuszyk at networkers.pl> wrote:
>> I have a problem with vlan assignment on the group. If user is in group wi-fi should get ip with vlan 200 if it is in another group should get ip with vlan 216. I attach file with freeradius -X. Users and group are in SAMBA4. If I login to wifi I get always ip on vlan 216. I use login at mydomain.pl to connect wifi.
>>
>> I tried to add it in users but this is ignored
>    What does that mean?
>
>> root at LDAP1 /etc/freeradius # cat users
>    We always ask for the debug output, because that's what we need.
>
>> DEFAULT LDAP-Group != "wi-fi", Auth-Type:=Reject
>>          Reply-Message="You are not allowed to connnect"
>> DEFAULT Realm == Null
>>          Auth-Type := Reject
>    If you run the server in debug mode and read the output, it will tell you that this entry is wrong.  The "Auth-Type" belongs on the first line of the "users" file entry.
>
>> Please help
>    Following the documentation helps.
>
>    Alan DeKok.

-- 
Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk at networkers.pl
www: http://www.networkers.pl
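
An added example, not part of the original post or of FreeRADIUS: a small Python parser for `freeradius -X` (version 2 format) output that lists the modules run in a given section and flags any Access-Accept sent without Tunnel-Private-Group-Id, as the Access-Accept of id 91 in the debug output above is. The function names are hypothetical and the sample is abridged from that debug output.

```python
import re

# Abridged from the debug output in this post (same line format).
SAMPLE = """\
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[eap] = updated
++[ldap] = ok
+} # group authorize = updated
Sending Access-Accept of id 91 to 10.24.100.41 port 32773
\tUser-Name = "zmatuszyk"
\tEAP-Message = 0x030c0004
"""

FILE = re.compile(r"^# Executing .* from file (\S+)")
GROUP = re.compile(r"^\+group (\S+) \{")
MODULE = re.compile(r"^\++\[([^\]]+)\] = (\w+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+)")
ATTR = re.compile(r"^\s+([\w-]+)(?::\d+)? = (.*)$")

def parse_debug(text):
    """Return (sections, replies) found in FreeRADIUS v2 debug output."""
    sections, replies, server, attrs = [], [], None, None
    for line in text.splitlines():
        if m := ATTR.match(line):
            if attrs is not None:          # keep only attributes of sent packets
                attrs[m[1]] = m[2].strip('"')
            continue
        attrs = None                       # any other line ends an attribute list
        if m := FILE.match(line):
            server = m[1].rsplit("/", 1)[-1]
        elif m := GROUP.match(line):
            sections.append((server, m[1], []))
        elif (m := MODULE.match(line)) and sections:
            sections[-1][2].append(m[1])
        elif m := SEND.match(line):
            attrs = {}
            replies.append((m[1], int(m[2]), attrs))
    return sections, replies

def accepts_without_vlan(text):
    """IDs of Access-Accept packets that carry no Tunnel-Private-Group-Id."""
    return [pid for kind, pid, a in parse_debug(text)[1]
            if kind == "Access-Accept" and "Tunnel-Private-Group-Id" not in a]

def modules_in(text, server, section):
    """Modules that returned a result in `section` of virtual server `server`."""
    return [m for srv, sec, mods in parse_debug(text)[0]
            if (srv, sec) == (server, section) for m in mods]
```

Run over a full capture, `modules_in(log, "inner-tunnel", "authorize")` shows whether the `files` module, which reads the `users` file, was executed in the section where the group check is expected to match.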



