Authorized MAC users stopped authenticating

R.Geller rg1 at robertgeller.net
Thu Dec 28 15:53:55 CET 2017


Hi Users.

I've been running 3.0.13 for a while now.  I set it up to support cert
authentication, as well as authorized MACs.  I didn't deploy any clients
using certs, only set up with user/pass and authorized MACs.

Sometime last week, users couldn't authenticate.  I see errors in debug
stating there are 2 auth types. I can see the MAC auth is working, but users
are failing to authenticate because of EAP failure.  At this point, I want
to be able to use both MAC / user+pass auth, and if in the future we decide
to deploy certs, then allow that too.  If we need to disable EAP or certs
to get this working, that is an option too.  Not sure why it stopped
working out of the blue.  The RADIUS server hasn't been touched since the
initial working config.

Any ideas?


(0) Received Access-Request Id 168 from 10.2.1.53:41523 to 10.2.2.35:1812
length 218
(0)   User-Name = "rbadani"
(0)   NAS-Identifier = "pakedge"
(0)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 0
(0)   Calling-Station-Id = "34-F3-9A-86-59-57"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "196EB9DAB87DC1A9"
(0)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x02e1000c0172626164616e69
(0)   Message-Authenticator = 0xa0ce8c9f4fc59786614b51de2a9d2ec5
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 34-F3-9A-86-59-57
(0)           &Calling-Station-Id := 34-F3-9A-86-59-57
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_calling_station_id = updated
(0) authorized_macs: EXPAND %{Calling-Station-ID}
(0) authorized_macs:    --> 34-F3-9A-86-59-57
(0) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(0)     [authorized_macs] = ok
(0)     if (!ok) {
(0)     if (!ok)  -> FALSE
(0)     else {
(0)       update control {
(0)         Auth-Type := Accept
(0)       } # update control = noop
(0)     } # else = noop
(0) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(0) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Dec 27 16:56:02 2017
(0)     [auth_log] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 225 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = Accept
(0) Found Auth-Type = eap
(0) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 226 length 22
(0) eap: EAP session adding &reply:State = 0x6b29e7526bcbe320
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 168 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(0)   EAP-Message = 0x01e200160410f2c51c0a8574f54c59f1fb4f5448daec
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x6b29e7526bcbe32030426126b755182c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 169 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(1)   User-Name = "rbadani"
(1)   NAS-Identifier = "pakedge"
(1)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 0
(1)   Calling-Station-Id = "34-F3-9A-86-59-57"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "196EB9DAB87DC1A9"
(1)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02e200060319
(1)   State = 0x6b29e7526bcbe32030426126b755182c
(1)   Message-Authenticator = 0x832b06e0af58a82af454cf2ffc708452
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     policy rewrite_calling_station_id {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> 34-F3-9A-86-59-57
(1)           &Calling-Station-Id := 34-F3-9A-86-59-57
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_calling_station_id = updated
(1) authorized_macs: EXPAND %{Calling-Station-ID}
(1) authorized_macs:    --> 34-F3-9A-86-59-57
(1) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(1)     [authorized_macs] = ok
(1)     if (!ok) {
(1)     if (!ok)  -> FALSE
(1)     else {
(1)       update control {
(1)         Auth-Type := Accept
(1)       } # update control = noop
(1)     } # else = noop
(1) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(1) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(1) auth_log: EXPAND %t
(1) auth_log:    --> Wed Dec 27 16:56:02 2017
(1)     [auth_log] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 226 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) files: users: Matched entry rbadani at line 8
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: Auth-Type already set.  Not setting to PAP
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = Accept
(1) Found Auth-Type = eap
(1) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x6b29e7526bcbe320
(1) eap: Finished EAP session with state 0x6b29e7526bcbe320
(1) eap: Previous EAP request found for state 0x6b29e7526bcbe320, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 227 length 6
(1) eap: EAP session adding &reply:State = 0x6b29e7526acafe20
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 169 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(1)   EAP-Message = 0x01e300061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x6b29e7526acafe2030426126b755182c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 170 from 10.2.1.53:41523 to 10.2.2.35:1812
length 394
(2)   User-Name = "rbadani"
(2)   NAS-Identifier = "pakedge"
(2)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   NAS-Port = 0
(2)   Calling-Station-Id = "34-F3-9A-86-59-57"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "196EB9DAB87DC1A9"
(2)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message =
0x02e300aa1980000000a0160303009b0100009703035a444122e1641f29196378fe1c9196ff77cac7424e30263c29b46a54f4bc39a500002ec02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0005000401000040000500050100000000000a0008
(2)   State = 0x6b29e7526acafe2030426126b755182c
(2)   Message-Authenticator = 0xe0f5b4a26689126da9c07570236cee15
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     policy rewrite_calling_station_id {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> 34-F3-9A-86-59-57
(2)           &Calling-Station-Id := 34-F3-9A-86-59-57
(2)         } # update request = noop
(2)         [updated] = updated
(2)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_calling_station_id = updated
(2) authorized_macs: EXPAND %{Calling-Station-ID}
(2) authorized_macs:    --> 34-F3-9A-86-59-57
(2) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(2)     [authorized_macs] = ok
(2)     if (!ok) {
(2)     if (!ok)  -> FALSE
(2)     else {
(2)       update control {
(2)         Auth-Type := Accept
(2)       } # update control = noop
(2)     } # else = noop
(2) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(2) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(2) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(2) auth_log: EXPAND %t
(2) auth_log:    --> Wed Dec 27 16:56:02 2017
(2)     [auth_log] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 227 length 170
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = Accept
(2) Found Auth-Type = eap
(2) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x6b29e7526acafe20
(2) eap: Finished EAP session with state 0x6b29e7526acafe20
(2) eap: Previous EAP request found for state 0x6b29e7526acafe20, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 160 bytes
(2) eap_peap: Got complete TLS record (160 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.2  [length 009b]
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.2  [length 0039]
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.2  [length 0867]
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.2  [length 014d]
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.2  [length 0004]
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key
exchange A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 228 length 1004
(2) eap: EAP session adding &reply:State = 0x6b29e75269cdfe20
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 170 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(2)   EAP-Message =
0x01e403ec19c000000a0516030300390200003503036ebcda08da00855d6c3903df56f6204584a3ed5ce1f6ec53737cfbbcc0aed45300c03000000dff01000100000b00040300010216030308670b0008630008600003b8308203b43082029ca003020102020103300d06092a864886f70d01010b050030
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x6b29e75269cdfe2030426126b755182c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 171 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(3)   User-Name = "rbadani"
(3)   NAS-Identifier = "pakedge"
(3)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   NAS-Port = 0
(3)   Calling-Station-Id = "34-F3-9A-86-59-57"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "196EB9DAB87DC1A9"
(3)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x02e400061900
(3)   State = 0x6b29e75269cdfe2030426126b755182c
(3)   Message-Authenticator = 0x32ce0d06029a65d0b7bde17bbedd6a2d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     policy rewrite_calling_station_id {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> 34-F3-9A-86-59-57
(3)           &Calling-Station-Id := 34-F3-9A-86-59-57
(3)         } # update request = noop
(3)         [updated] = updated
(3)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_calling_station_id = updated
(3) authorized_macs: EXPAND %{Calling-Station-ID}
(3) authorized_macs:    --> 34-F3-9A-86-59-57
(3) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(3)     [authorized_macs] = ok
(3)     if (!ok) {
(3)     if (!ok)  -> FALSE
(3)     else {
(3)       update control {
(3)         Auth-Type := Accept
(3)       } # update control = noop
(3)     } # else = noop
(3) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(3) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(3) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(3) auth_log: EXPAND %t
(3) auth_log:    --> Wed Dec 27 16:56:02 2017
(3)     [auth_log] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 228 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = Accept
(3) Found Auth-Type = eap
(3) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x6b29e75269cdfe20
(3) eap: Finished EAP session with state 0x6b29e75269cdfe20
(3) eap: Previous EAP request found for state 0x6b29e75269cdfe20, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 229 length 1000
(3) eap: EAP session adding &reply:State = 0x6b29e75268ccfe20
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 171 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(3)   EAP-Message =
0x01e503e8194071011954c4fbd3ea40e221db1dc5d77725bc6912e81c7f2ade46e59bab56d3bd12d1210004a23082049e30820386a003020102020900fb9eca29e490e9c3300d06092a864886f70d01010b0500307d310b3009060355040613025553310b300906035504080c024341310b300906035504
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x6b29e75268ccfe2030426126b755182c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 172 from 10.2.1.53:41523 to 10.2.2.35:1812
length 230
(4)   User-Name = "rbadani"
(4)   NAS-Identifier = "pakedge"
(4)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   NAS-Port = 0
(4)   Calling-Station-Id = "34-F3-9A-86-59-57"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "196EB9DAB87DC1A9"
(4)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x02e500061900
(4)   State = 0x6b29e75268ccfe2030426126b755182c
(4)   Message-Authenticator = 0x7739a6384734a45ec44ace0b45406285
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     policy rewrite_calling_station_id {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4)         update request {
(4)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4)              --> 34-F3-9A-86-59-57
(4)           &Calling-Station-Id := 34-F3-9A-86-59-57
(4)         } # update request = noop
(4)         [updated] = updated
(4)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy rewrite_calling_station_id = updated
(4) authorized_macs: EXPAND %{Calling-Station-ID}
(4) authorized_macs:    --> 34-F3-9A-86-59-57
(4) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(4)     [authorized_macs] = ok
(4)     if (!ok) {
(4)     if (!ok)  -> FALSE
(4)     else {
(4)       update control {
(4)         Auth-Type := Accept
(4)       } # update control = noop
(4)     } # else = noop
(4) auth_log: EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(4) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(4) auth_log:
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(4) auth_log: EXPAND %t
(4) auth_log:    --> Wed Dec 27 16:56:02 2017
(4)     [auth_log] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 229 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = Accept
(4) Found Auth-Type = eap
(4) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x6b29e75268ccfe20
(4) eap: Finished EAP session with state 0x6b29e75268ccfe20
(4) eap: Previous EAP request found for state 0x6b29e75268ccfe20, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 230 length 583
(4) eap: EAP session adding &reply:State = 0x6b29e7526fcffe20
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 172 from 10.2.2.35:1812 to 10.2.1.53:41523
length 0
(4)   EAP-Message =
0x01e60247190073f384abcce0dc6bd99d41c7308a2ec286779db1ac2b4a9fa101913c9eff54715a9f99e2d2e6d6216d873cbac8894daa5fb56c68bf9bac69bbe516b2b8b0e0f187ffaca6abb8a1065d90af0d81b75ed06b75ef6c624c8e41b5f461944111a9bdbe4004178fdf81b1220f11bd3db9bc26a9
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x6b29e7526fcffe2030426126b755182c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 173 from 10.2.1.53:41523 to 10.2.2.35:1812
length 360
(5)   User-Name = "rbadani"
(5)   NAS-Identifier = "pakedge"
(5)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   NAS-Port = 0
(5)   Calling-Station-Id = "34-F3-9A-86-59-57"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "196EB9DAB87DC1A9"
(5)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message =
0x02e6008819800000007e1603030046100000424104d33c0ca6bed2496ed0ad157f243201b932ed73853b41b8def5f71764e3a434e98d15d1477fc921b14b1737929024dd22964795dc547dfad5ba1f6eaa05df358e140303000101160303002800000000000000005130785f81b63c506013130a51fa52
(5)   State = 0x6b29e7526fcffe2030426126b755182c
(5)   Message-Authenticator = 0x542305e6de3e64f4761fd45c4254dd66
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     policy rewrite_calling_station_id {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5)         update request {
(5)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5)              --> 34-F3-9A-86-59-57
(5)           &Calling-Station-Id := 34-F3-9A-86-59-57
(5)         } # update request = noop
(5)         [updated] = updated
(5)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy rewrite_calling_station_id = updated
(5) authorized_macs: EXPAND %{Calling-Station-ID}
(5) authorized_macs:    --> 34-F3-9A-86-59-57
(5) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(5)     [authorized_macs] = ok
(5)     if (!ok) {
(5)     if (!ok)  -> FALSE
(5)     else {
(5)       update control {
(5)         Auth-Type := Accept
(5)       } # update control = noop
(5)     } # else = noop
(5) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(5) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(5) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(5) auth_log: EXPAND %t
(5) auth_log:    --> Wed Dec 27 16:56:02 2017
(5)     [auth_log] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 230 length 136
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = Accept
(5) Found Auth-Type = eap
(5) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x6b29e7526fcffe20
(5) eap: Finished EAP session with state 0x6b29e7526fcffe20
(5) eap: Previous EAP request found for state 0x6b29e7526fcffe20, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.2  [length 0046]
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: TLS_accept: SSLv3 read certificate verify A
(5) eap_peap: <<< recv TLS 1.2  [length 0001]
(5) eap_peap: <<< recv TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.2  [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.2  [length 0010]
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 231 length 57
(5) eap: EAP session adding &reply:State = 0x6b29e7526ecefe20
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 173 from 10.2.2.35:1812 to 10.2.1.53:41523 length 0
(5)   EAP-Message = 0x01e7003919001403030001011603030028dadb4eb42e0085becbd6fd6994801f5313c33c66c9cc80d3a42272a0d39d7b73ddc03b6589312f87
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x6b29e7526ecefe2030426126b755182c
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 174 from 10.2.1.53:41523 to 10.2.2.35:1812 length 265
(6)   User-Name = "rbadani"
(6)   NAS-Identifier = "pakedge"
(6)   Called-Station-Id = "90-A7-C1-B8-AC-F3:APT-CORP"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   NAS-Port = 0
(6)   Calling-Station-Id = "34-F3-9A-86-59-57"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "196EB9DAB87DC1A9"
(6)   Acct-Multi-Session-Id = "A7617A3B4E8A4349"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x02e7002919800000001f150303001a000000000000000183535c188c7891749e86843fccb8f9afccd7
(6)   State = 0x6b29e7526ecefe2030426126b755182c
(6)   Message-Authenticator = 0x51b7e34c9a113e47185fa29ed2265939
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     policy rewrite_calling_station_id {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 34-F3-9A-86-59-57
(6)           &Calling-Station-Id := 34-F3-9A-86-59-57
(6)         } # update request = noop
(6)         [updated] = updated
(6)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy rewrite_calling_station_id = updated
(6) authorized_macs: EXPAND %{Calling-Station-ID}
(6) authorized_macs:    --> 34-F3-9A-86-59-57
(6) authorized_macs: users: Matched entry 34-F3-9A-86-59-57 at line 8
(6)     [authorized_macs] = ok
(6)     if (!ok) {
(6)     if (!ok)  -> FALSE
(6)     else {
(6)       update control {
(6)         Auth-Type := Accept
(6)       } # update control = noop
(6)     } # else = noop
(6) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(6) auth_log:    --> /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(6) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.1.53/auth-detail-20171227
(6) auth_log: EXPAND %t
(6) auth_log:    --> Wed Dec 27 16:56:02 2017
(6)     [auth_log] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "rbadani", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 231 length 41
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = Accept
(6) Found Auth-Type = eap
(6) ERROR: Warning:  Found 2 auth-types on request for user 'rbadani'
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x6b29e7526ecefe20
(6) eap: Finished EAP session with state 0x6b29e7526ecefe20
(6) eap: Previous EAP request found for state 0x6b29e7526ecefe20, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 31 bytes
(6) eap_peap: Got complete TLS record (31 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: <<< recv TLS 1.2  [length 0002]
(6) eap_peap: ERROR: TLS Alert read:fatal:access denied
(6) eap_peap: WARNING: No data inside of the tunnel
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state ?
(6) eap_peap: ERROR: Tunneled data is invalid
(6) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 231 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user
(6) Login incorrect (Warning:  Found 2 auth-types on request for user 'rbadani'): [rbadani] (from client 10.2.1.53 port 0 cli 34-F3-9A-86-59-57)
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> rbadani
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)     [attr_filter.access_reject] = updated
(6)     [eap] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 174 from 10.2.2.35:1812 to 10.2.1.53:41523 length 44
(6)   EAP-Message = 0x04e70004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +43
(1) Cleaning up request packet ID 169 with timestamp +43
(2) Cleaning up request packet ID 170 with timestamp +43
(3) Cleaning up request packet ID 171 with timestamp +43
(4) Cleaning up request packet ID 172 with timestamp +43
(5) Cleaning up request packet ID 173 with timestamp +43
(6) Cleaning up request packet ID 174 with timestamp +43
Ready to process requests
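The debug output shows where the "Found 2 auth-types" warning comes from: the `else` branch after `authorized_macs` sets `Auth-Type := Accept` on every request whose MAC is in the file, including 802.1X requests that carry an EAP-Message, and the `eap` module then claims the same request with `Auth-Type = eap`. Below is an added example configuration, written for this page rather than taken from the poster's setup or from the FreeRADIUS shipped defaults, that only lets a known MAC short-circuit authentication when the request carries no EAP-Message; 802.1X/PEAP requests from the same device are left to the `eap` module. The file location `${modconfdir}/files/authorized_macs`, the module instance name `authorized_macs` and the `reject` for unknown MAC-only requests are assumptions; the `%{Calling-Station-ID}` key and the `rewrite_calling_station_id` step follow what the trace above shows.

```unlang
# mods-available/authorized_macs (assumed location): an rlm_files instance keyed
# on the NAS-supplied MAC, which is what "EXPAND %{Calling-Station-ID}" in the
# debug output corresponds to.
files authorized_macs {
        # Hypothetical path. One entry per authorized MAC, upper case and dash
        # separated, matching what rewrite_calling_station_id produces
        # (e.g. 34-F3-9A-86-59-57).
        filename = ${modconfdir}/files/authorized_macs
        key = "%{Calling-Station-ID}"
}

# sites-enabled/default, authorize section (only the relevant part is shown)
authorize {
        filter_username
        preprocess

        # Normalise the MAC to AA-BB-CC-DD-EE-FF before the file lookup.
        rewrite_calling_station_id

        # A MAC-authentication request from the NAS carries no EAP-Message.
        # Only then may a known MAC short-circuit authentication. 802.1X
        # requests always carry EAP-Message, skip this block and fall through
        # to the eap module, which sets Auth-Type = eap itself. The two can no
        # longer compete, so "Found 2 auth-types" is not logged.
        if (!&EAP-Message) {
                authorized_macs
                if (!ok) {
                        # Assumption: an unknown device doing MAC-only
                        # authentication is rejected outright.
                        reject
                }
                else {
                        update control {
                                &Auth-Type := Accept
                        }
                }
        }

        auth_log
        chap
        mschap
        digest
        suffix

        # Standard 3.0 handling: once eap has claimed the request, stop here.
        eap {
                ok = return
        }

        files
        expiration
        logintime
        pap
}
```

One caveat before treating this as the whole fix: in the trace above the warning did not stop request (5). The TLS handshake completed on the server side (`SSL Connection Established`) and an Access-Challenge was sent. What ended request (6) was a fatal alert sent by the peer (`TLS Alert read:fatal:access denied`) immediately after the server's Finished, so the supplicant, not the server, tore the tunnel down. An `access denied` alert at that point commonly means the client declined the server certificate (an expired certificate, a changed trust setting, or a user cancelling a certificate prompt), so the server certificate's validity dates and the supplicant's own logs are worth checking alongside the configuration change.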


More information about the Freeradius-Users mailing list