vlan assignment
Zenon Matuszyk
zenon.matuszyk at networkers.pl
Fri Aug 25 11:02:45 CEST 2017
Hi,

Debug below.

I have a problem with VLAN assignment by group. If the user is in the group wi-fi they should get an IP on VLAN 200; if they are in another group they should get an IP on VLAN 216. I attach the output of freeradius -X. Users and groups are in Samba 4. If I log in to Wi-Fi I always get an IP on VLAN 216. I use login at mydomain.pl to connect to Wi-Fi.

In the users file I added:
# reply items are indented under the check line; the last one has no trailing comma
DEFAULT LDAP-Group == "wi-fi"
        Reply-Message = "XXXX HIT: wi-fi",
        Tunnel-Private-Group-Id := 200,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802
freeradius: FreeRADIUS Version 2.2.5, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:25:15
Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/radrelay
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/dhcp_sqlippool
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/cache
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/default.orig
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
allow_vulnerable_openssl = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server radius14x.xxx.x.40 {
ipaddr = 14x.xxx.x.40
port = 1812
type = "auth"
secret = "xxxxxxxx"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server radius14x.xxx.x.66 {
ipaddr = 14x.xxx.x.66
port = 1812
type = "auth"
secret = "Cxxxxxx"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
no_response_fail = no
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
realm NULL {
}
realm LOCAL {
}
realm mydomain.pl {
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
nostrip
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
netmask = 32
require_message_authenticator = no
secret = "testing123"
shortname = "localhost"
nastype = "other"
}
client 10.xxx.xxx.xxx {
ipaddr = 10.xx.xxx.xxx
netmask = 32
require_message_authenticator = no
secret = "vxxxxxxx"
nastype = "cisco"
}
client 14x.xxx.x.xx {
require_message_authenticator = no
secret = "Cxxxxxx"
nastype = "other"
}
client 14x.xxx.xx.xxx {
require_message_authenticator = no
secret = "Cxxxxx"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server { # from file ?
modules {
Module: Creating Auth-Type = digest
Module: Creating Auth-Type = LDAP
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = no
require_encryption = no
require_strong = no
with_ntdomain_hack = no
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
allow_retry = yes
}
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Linked to module rlm_ldap
Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
ldap {
server = "ldap1.xxxxxxxxxxx"
port = 389
password = "xxxxxxx"
expect_password = yes
identity = "cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local"
net_timeout = 1
timeout = 4
timelimit = 3
max_uses = 0
tls_mode = no
start_tls = no
tls_require_cert = "allow"
tls {
start_tls = no
require_cert = "allow"
}
basedn = "dc=xxx,dc=xxx,dc=local"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
chase_referrals = yes
rebind = yes
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = "memberOf"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 0
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
keepalive {
idle = 60
probes = 3
interval = 3
}
}
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
conns: 0x2172c00
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 1024
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "si7lkweflefkoi"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /etc/freeradius/huntgroups
reading pairlist file /etc/freeradius/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
reading pairlist file /etc/freeradius/users
reading pairlist file /etc/freeradius/acct_users
reading pairlist file /etc/freeradius/preproxy_users
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /etc/freeradius/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
... adding new socket proxy address * port 43178
... adding new socket proxy address * port 41263
... adding new socket proxy address * port 39874
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=81, length=291
User-Name = "zmatuszyk at mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:eduroam"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "eduroam"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x02020019017a6d617475737a796b40696a702e70616e2e706c
Message-Authenticator = 0xfec018116a180d4d864c9f139585d5da
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "xxx.pan.pl" for User-Name = "zmatuszyk at xxx.pan.pl"
[suffix] Found realm "xxx.pan.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 2 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] Entering ldap_groupcmp()
[files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] expand: %{Stripped-User-Name} -> zmatuszyk
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldap1.mydomain.local:389, authentication 0
[ldap] bind as cn=freeradius,ou=services,dc=xxx,dc=pan,dc=local/rad--xxx--02 to ldap1.mydomain.local:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=eduroam)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=eduroam,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 11
++[files] = ok
[ldap] performing user authorization for zmatuszyk
[ldap] expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 81 to 10.24.100.41 port 32773
Reply-Message = "XXXX HIT: wi-fi"
EAP-Message = 0x010300160410b04415eae4f0496023757b62a9129028
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=82, length=290
User-Name = "zmatuszyk at mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020300060319
State = 0xe11c2bc5e11f2fea6e5ad9dc9448f6dd
Message-Authenticator = 0x7846d5ea8b4236193a892abe92bbbe07
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] Entering ldap_groupcmp()
[files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] expand: %{Stripped-User-Name} -> zmatuszyk
[files] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
[ldap] ldap_release_conn: Release Id: 0
[ldap] Entering ldap_groupcmp()
[files] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (&(cn=wi-fi)(|(&(objectClass=GroupOfNames)(member=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dZenon Matuszyk\2cCN\3dUsers\2cDC\3dxxx\2cDC\3dpan\2cDC\3dlocal))))
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Zenon Matuszyk,CN=Users,DC=xxx,DC=pan,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=wi-fi,CN=Users,DC=xxx,DC=pan,DC=local, with filter (cn=wi-fi)
rlm_ldap::ldap_groupcmp: User found in group wi-fi
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 11
++[files] = ok
[ldap] performing user authorization for zmatuszyk
[ldap] expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 82 to 10.24.100.41 port 32773
Reply-Message = "XXXX HIT: wi-fi"
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=83, length=397
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x0204007119800000006716030100620100005e0301599d761e186b3ad71bc1d662fd93d93ce1aae50e891e7afbb65d8eec636f2af100001cc014c013003900330035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
State = 0xe11c2bc5e01832ea6e5ad9dc9448f6dd
Message-Authenticator = 0x588bfa32eeab12189b35da5d3ac1e404
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 4 length 113
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 103
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0062], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 08a6], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 83 to 10.24.100.41 port 32773
EAP-Message = ...
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0x53534c2047656e657261746564204365727469666963617465301d0603551d0e041604143b1a3710cdf72a3288cc76cc3d5ad3e9b2384503301f0603551d23041830168014c1d62dd5cd9967b990856c18acc7f2e64f40a29c304106082b0601050507010104353033303106082b060105050730028625687474703a2f2f6b302e696a702e70616e2e6c6f63616c2f63612f7375626361312e63727430360603551d1f042f302d302ba029a0278625687474703a2f2f6b312e696a702e70616e2e6c6f63616c2f63612f7375626361312e63726c300d06092a864886f70d0101050500038201010062dae87f130c1ab3ef0acf5bd31aed2b4f524b4a84
EAP-Message = 0xaf5192d4e9d1c6301ce43d01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=84, length=290
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020500061900
State = 0xe11c2bc5e31932ea6e5ad9dc9448f6dd
Message-Authenticator = 0x6b9e5fe560487a1d133a50f9f8522760
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 84 to 10.24.100.41 port 32773
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0x506f6c736b6965676f2050414e310b3009060355040b0c024954311d301b06035504030c147375626361312e696a702e70616e2e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100cec338083565b45728e1f8176ba4daabda4ea88555201f503e3977492e85b49759cd232e7934acd16194ca3889d6975a29f68017427738b2fe57db0951e879afb9f5eae6a75a8d8b96cc12acb9686227322a555ec7e298b77b139874e9c0935d52117991a27281644f351bbacf3f804a1da86f26e784a507ec21e3aacfaf5e686fc01e570397f2dcc5822edd7c0b59f20dc48c408453ba7e9ea170a72c175ca352818c
EAP-Message = ...
EAP-Message = 0x0382010100a7ba01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=85, length=290
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020600061900
State = 0xe11c2bc5e21a32ea6e5ad9dc9448f6dd
Message-Authenticator = 0xd86ea26576af50657802f55266ec0d29
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 85 to 10.24.100.41 port 32773
EAP-Message = ...
EAP-Message = ...
EAP-Message = 0xdf99f9e6ee6bdb7e85bfc054ade219758d9ea980090c3ba4ac092f54b63698d1a367c3440c26973240a13acab7d5aade92ef8aed0151254763f94fe7500b14a26e048c7b908cd42ec9cdf009ebaaf19e07a744b0a4d0629d0916030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=86, length=428
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x02070090198000000086160301004610000042410441d4e9da4f0dee00258330e7eefe26437faf3977c86bc6bcda3f9ae4a38dbc9fb97559b0d16d481add56d34dc07eb79b0d94b57f87e8e2eb1b7fa7bd199c5f7b14030100010116030100303462633e66f7c5a81bd94bbfa5a129c0eb6389859ce33c5219d80a4440f5fe25568da27a97a234bcf06f1d18b9dc3c5d
State = 0xe11c2bc5e51b32ea6e5ad9dc9448f6dd
Message-Authenticator = 0xdb6f802835872c23130041fc4007ac52
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 86 to 10.24.100.41 port 32773
EAP-Message = 0x01080041190014030100010116030100305bf3edc257025b940387d79d9c795ae0343d8cc5394b7f07b731f51b3de87d29fa187a2c8cab69927ee6e532cdbf7935
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=87, length=290
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020800061900
State = 0xe11c2bc5e41432ea6e5ad9dc9448f6dd
Message-Authenticator = 0x9e81fefac2ae2908717fef6b4932bb38
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 8 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 87 to 10.24.100.41 port 32773
EAP-Message = 0x0109002b1900170301002077f01fd17d3f22ade23d7192c53d1b88a27b9b2ffd8f55337be8bd4d38a42968
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=88, length=343
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x0209003b19001703010030578da54b82482dfe9cfd000bfc23dcce4d8e1bca2eef46f681216a29d8c2c311152fae08d97aa2225fc0d47b8a1a3ef7
State = 0xe11c2bc5e71532ea6e5ad9dc9448f6dd
Message-Authenticator = 0x9f5437d3e3d6aac993010c1ce5f1b29c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 59
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - zmatuszyk@mydomain.pl
[peap] Got inner identity 'zmatuszyk@mydomain.pl'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c
server {
[peap] Setting User-Name to zmatuszyk@mydomain.pl
Sending tunneled request
EAP-Message = 0x02090019017a6d617475737a796b40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 9 length 25
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa04d94bba0478e21869b454cf59410b2
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a002e1a010a002910a51fcc532a18ba94e33e5859fda0807b7a6d617475737a796b40696a702e70616e2e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa04d94bba0478e21869b454cf59410b2
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 88 to 10.24.100.41 port 32773
EAP-Message = 0x010a004b1900170301004034bb429d07c6d6099ca3460f19f8e3b57922184a863f462430677150b9f81d8b2657a2a06a00fb03e5708c4b89f2b3fa91a26e3ef432f933c1afae4a1846a69b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd
Finished request 7.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=89, length=391
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020a006b190017030100606e38a934794212cf6a918b10fcc5607d7bdc487faa8d2b75bee77b0dba7dff21eff091d59e0ce5b4eace425fe7679182b8c9a3cdcdd97b78542bfd2021517af23a835314a873fa4899d4094adf06ca1ebb6d4439b1a73b610b83fe181a355223
State = 0xe11c2bc5e61632ea6e5ad9dc9448f6dd
Message-Authenticator = 0x3cfff3760e60e4d6d060697d4f9e7c55
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c
server {
[peap] Setting User-Name to zmatuszyk@mydomain.pl
Sending tunneled request
EAP-Message = 0x020a004f1a020a004a31d4ce15bfa36520a198e503dd32dae5ac0000000000000000b349595743a15b250c5196ae0a8b999906041d39f5b6e39f007a6d617475737a796b40696a702e70616e2e706c
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "zmatuszyk@mydomain.pl"
State = 0xa04d94bba0478e21869b454cf59410b2
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 10 length 79
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: zmatuszyk@mydomain.pl
[mschap] Client is using MS-CHAPv2 for zmatuszyk@mydomain.pl, we need NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=zmatuszyk
[mschap] Creating challenge hash with username: zmatuszyk@mydomain.pl
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=014e29ddb376815b
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=b349595743a15b250c5196ae0a8b999906041d39f5b6e39f
Exec output: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8
Exec plaintext: NT_KEY: 9D8185FBD8D2FC1E80FD215E29B3A6F8
[mschap] Exec: program returned: 0
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa04d94bba1468e21869b454cf59410b2
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010b00331a030a002e533d42443237464535383534333036334537454446394545374538463544323938373339323131454441
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa04d94bba1468e21869b454cf59410b2
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 89 to 10.24.100.41 port 32773
EAP-Message = 0x010b005b1900170301005053f6ddaa68148f5c294833d49ba96ddc9f05676626dc587b248f4eccf1b21a3e666688ce5b46358bbc5539b5c419a0583c7efcf24d0e5f586a46f2142db1edec536b302e5b4d9148cc9b3ddd8f250bbf
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=90, length=327
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020b002b1900170301002012cb0cf8ac5719f1b57d2c2346df5c1987fc4cdcbd934bf36cd287f84b738340
State = 0xe11c2bc5e91732ea6e5ad9dc9448f6dd
Message-Authenticator = 0x1b0fb418df527a97d3986e4a40acfec9
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020b00061a03
server {
[peap] Setting User-Name to zmatuszyk@mydomain.pl
Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "zmatuszyk@mydomain.pl"
State = 0xa04d94bba1468e21869b454cf59410b2
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk@mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[ldap] performing user authorization for zmatuszyk
[ldap] expand: %{Stripped-User-Name} -> zmatuszyk
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=zmatuszyk)
[ldap] expand: dc=xxx,dc=pan,dc=local -> dc=xxx,dc=pan,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=xxx,dc=pan,dc=local, with filter (sAMAccountName=zmatuszyk)
[ldap] rebind to URL ldap://mydomain.local/CN=Configuration,DC=xxx,DC=pan,DC=local
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "zmatuszyk"
[peap] Got tunneled reply RADIUS code 2
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "zmatuszyk"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 90 to 10.24.100.41 port 32773
EAP-Message = 0x010c002b190017030100200d545dc56da8a11537b3736476c057d46722da9da13ac68c59701a572f68bc77
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=91, length=327
User-Name = "zmatuszyk@mydomain.pl"
Chargeable-User-Identity = ""
Location-Capable = Civix-Location
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-IP-Address = 10.24.100.41
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
EAP-Message = 0x020c002b1900170301002027762168802a383047205d36d9061db6c143af20fa4230f13373e378a0990659
State = 0xe11c2bc5e81032ea6e5ad9dc9448f6dd
Message-Authenticator = 0x5f9ba3b7bf1a0baba21da915e0511b49
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "mydomain.pl" for User-Name = "zmatuszyk at mydomain.pl"
[suffix] Found realm "mydomain.pl"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "mydomain.pl"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 12 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
User-Name = "zmatuszyk"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[ldap] = noop
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 91 to 10.24.100.41 port 32773
User-Name = "zmatuszyk"
MS-MPPE-Recv-Key = 0x00fad5b684fa871101e3f02fad3de6103205c5bb4a356047fa51b1325eeb471b
MS-MPPE-Send-Key = 0x3b67a98e0c9eb2a082c0353d8cc09532580e90ecc9b752cb4a626a4b779b04cb
EAP-Message = 0x030c0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Accounting-Request packet from host 10.24.100.41 port 32773, id=36, length=306
User-Name = "zmatuszyk"
NAS-Port = 13
NAS-IP-Address = 10.24.100.41
Framed-IP-Address = 10.24.216.185
Framed-IPv6-Prefix = fe80::/64
NAS-Identifier = "wi-fi"
Airespace-Wlan-Id = 3
Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138"
NAS-Port-Type = Wireless-802.11
Cisco-AVPair = "audit-session-id=0a18642900002534599d72da"
Acct-Authentic = RADIUS
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "216"
Event-Timestamp = "Aug 23 2017 14:33:27 CEST"
Acct-Status-Type = Interim-Update
Acct-Input-Octets = 40891
Acct-Input-Gigawords = 0
Acct-Output-Octets = 6787
Acct-Output-Gigawords = 0
Acct-Input-Packets = 212
Acct-Output-Packets = 50
Acct-Session-Time = 823
Acct-Delay-Time = 0
Calling-Station-Id = "08-ed-b9-92-1e-85"
Called-Station-Id = "7c-0e-ce-ea-b7-20:wi-fi"
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 13,NAS-Identifier = "wi-fi",NAS-IP-Address = 10.24.100.41,Acct-Session-Id = "599d72da/08:ed:b9:92:1e:85/138",User-Name = "zmatuszyk"'
[acct_unique] Acct-Unique-Session-ID = "e8bd33a710179400".
++[acct_unique] = ok
[suffix] No '@' in User-Name = "zmatuszyk", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "zmatuszyk"
[suffix] Adding Realm = "NULL"
[suffix] Accounting realm is LOCAL.
++[suffix] = ok
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+group accounting {
[detail] expand: %{Packet-Src-IP-Address} -> 10.24.100.41
[detail] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.24.100.41/detail-20170823
[detail] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.24.100.41/detail-20170823
[detail] expand: %t -> Wed Aug 23 14:33:27 2017
++[detail] = ok
++[unix] = noop
++[exec] = noop
[attr_filter.accounting_response] expand: %{User-Name} -> zmatuszyk
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
+} # group accounting = updated
Sending Accounting-Response of id 36 to 10.24.100.41 port 32773
Finished request 11.
Cleaning up request 11 ID 36 with timestamp +23
Going to the next request
Waking up in 4.7 seconds.
On 24.08.2017 at 22:31, Alan DeKok wrote:
> On Aug 24, 2017, at 3:38 PM, Zenon Matuszyk <zenon.matuszyk at networkers.pl> wrote:
>> I have a problem with VLAN assignment by group. If the user is in group wi-fi, they should get an IP on VLAN 200; if in another group, they should get an IP on VLAN 216. I attach the file with freeradius -X. Users and groups are in SAMBA4. If I log in to wifi I always get an IP on VLAN 216. I use login at mydomain.pl to connect to wifi.
>>
>> I tried adding it in users but this is ignored
> What does that mean?
>
>> root at LDAP1 /etc/freeradius # cat users
> We always ask for the debug output, because that's what we need.
>
>> DEFAULT LDAP-Group != "wi-fi", Auth-Type:=Reject
>> Reply-Message="You are not allowed to connnect"
>> DEFAULT Realm == Null
>> Auth-Type := Reject
> If you run the server in debug mode and read the output, it will tell you that this entry is wrong. The "Auth-Type" belongs on the first line of the "users" file entry.
>
>> Please help
> Following the documentation helps.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Z poważaniem / Yours sincerely
Zenon Matuszyk
mobile: 00 48 797 004 938
e-mail: zenon.matuszyk at networkers.pl
www: http://www.networkers.pl
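The debug above is long, and the one thing that matters for the VLAN question is whether the three tunnel attributes ever appear in a reply: neither the inner-tunnel reply ("[peap] Got tunneled reply code 2", which carries only User-Name) nor the outer Access-Accept of id 91 contains Tunnel-Type, Tunnel-Medium-Type or Tunnel-Private-Group-Id, while the Access-Request from the WLC does (the "216" it reports is the controller's own interface VLAN, not a server decision). The script below is an added example, not code from this thread or from the FreeRADIUS project: it groups the attribute dumps in 2.x "-X" output into packets and gives a one-line verdict per Access-Accept. The sample log is constructed and shortened from the debug in this thread; the "fixed" variants are constructed too. The hint about use_tunneled_reply refers to the real option in the peap section of eap.conf in FreeRADIUS 2.x, which the thread itself does not mention.

```python
"""
Check FreeRADIUS 2.x `freeradius -X` output for dynamic-VLAN reply attributes.

Added example for this thread, not FreeRADIUS project code. It groups the attribute
dumps that follow "rad_recv:", "Sending ..." and "[peap] Got tunneled reply" lines
into packets, then checks whether each Access-Accept (inner-tunnel and outer) carries
Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attributes a NAS needs for dynamic VLAN assignment (RFC 3580).
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

RECV_RE = re.compile(r"^rad_recv: (?P<code>[\w-]+) packet from host \S+ port \d+, id=(?P<id>\d+)")
SEND_RE = re.compile(r"^Sending (?P<code>[\w-]+) of id (?P<id>\d+) to ")
TUNNEL_RE = re.compile(r"^\[peap\] Got tunneled reply (?:RADIUS )?code (?P<code>\d+)")
# 'Tunnel-Private-Group-Id:0 = "216"': the ":0" is the RFC 2868 tag, not part of the name.
ATTR_RE = re.compile(r'^\s*(?P<name>[A-Za-z][\w-]*)(?::\d+)?\s*=\s*(?P<value>.*?)\s*$')


@dataclass
class Packet:
    where: str                  # "outer" = on the wire, "inner" = reply of the inner-tunnel server
    direction: str              # "recv" or "send"
    code: str                   # e.g. "Access-Accept"
    pkt_id: Optional[int]       # RADIUS id; None for the tunneled reply
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_packets(lines: List[str]) -> List[Packet]:
    """Split debug output into packets; an attribute dump ends at the first non-attribute line."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for line in lines:
        if m := RECV_RE.match(line):
            current = Packet("outer", "recv", m["code"], int(m["id"]))
        elif m := SEND_RE.match(line):
            current = Packet("outer", "send", m["code"], int(m["id"]))
        elif m := TUNNEL_RE.match(line):
            code = int(m["code"])
            current = Packet("inner", "send", RADIUS_CODES.get(code, f"code-{code}"), None)
        elif current is not None and (m := ATTR_RE.match(line)):
            current.attrs[m["name"]] = m["value"].strip('"')
            continue
        else:
            current = None          # any other debug line ends the dump
            continue
        packets.append(current)
    return packets


def vlan_report(packets: List[Packet]) -> List[dict]:
    """One entry per Access-Accept: where it was seen, the VLAN it names, which attributes are missing."""
    return [
        {"where": p.where, "id": p.pkt_id,
         "vlan": p.attrs.get("Tunnel-Private-Group-Id"),
         "missing": [a for a in VLAN_ATTRS if a not in p.attrs]}
        for p in packets if p.direction == "send" and p.code == "Access-Accept"
    ]


def diagnose(report: List[dict]) -> str:
    """Reduce the report to the one-line verdict a practitioner wants."""
    inner = [r for r in report if r["where"] == "inner"]
    outer = [r for r in report if r["where"] == "outer"]
    if not outer:
        return "no Access-Accept sent to the NAS"
    if all(not r["missing"] for r in outer):
        return f"ok: Access-Accept carries VLAN {outer[-1]['vlan']}"
    if inner and all(not r["missing"] for r in inner):
        # The inner-tunnel server added them but they never reached the outer reply;
        # in 2.x that is governed by use_tunneled_reply in the peap section of eap.conf.
        return "inner reply has VLAN attributes but the Access-Accept does not: check use_tunneled_reply"
    return "no VLAN attributes in either reply: the users/ldap entry never added them"


# Constructed sample, shortened from the debug in this thread. The Access-Request's
# Tunnel-Private-Group-Id is what the WLC reports (its interface VLAN), not a server decision.
SAMPLE_THREAD = """\
rad_recv: Access-Request packet from host 10.24.100.41 port 32773, id=91, length=327
    User-Name = "zmatuszyk at mydomain.pl"
    NAS-Identifier = "wi-fi"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "216"
    EAP-Message = 0x020c002b19
# Executing section authorize from file /etc/freeradius/sites-enabled/default
[peap] Got tunneled reply code 2
    EAP-Message = 0x030b0004
    User-Name = "zmatuszyk"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 91 to 10.24.100.41 port 32773
    User-Name = "zmatuszyk"
    EAP-Message = 0x030c0004
Finished request 10.
"""

# Constructed variants: the group entry matched and VLAN 200 was added to both replies,
# or to the inner reply only (the attributes were not copied to the outer Access-Accept).
_VLAN_200 = '    Tunnel-Type:1 = VLAN\n    Tunnel-Medium-Type:1 = IEEE-802\n    Tunnel-Private-Group-Id:1 = "200"\n'
_ANCHOR = '    User-Name = "zmatuszyk"\n'
SAMPLE_FIXED = SAMPLE_THREAD.replace(_ANCHOR, _ANCHOR + _VLAN_200)
SAMPLE_INNER_ONLY = SAMPLE_THREAD.replace(_ANCHOR, _ANCHOR + _VLAN_200, 1)

if __name__ == "__main__":
    for name, text in (("thread", SAMPLE_THREAD), ("inner only", SAMPLE_INNER_ONLY), ("fixed", SAMPLE_FIXED)):
        print(f"{name:>10}: {diagnose(vlan_report(parse_packets(text.splitlines())))}")
```

Run it against a full "-X" capture with `parse_packets(open("debug.txt").read().splitlines())`; the request-side tunnel attributes are parsed but deliberately left out of the verdict, so the WLC's "216" cannot be mistaken for something the server decided.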