freeRadius dynamic vlan unifi AP
Jan-Christoph Fuchs
jcfuchs at me.com
Sat Feb 11 18:01:36 CET 2017
Hi Forum,
I have set up a FreeRADIUS server with MySQL for dynamic VLAN assignment. Everything works fine with a TP-Link AP running OpenWrt.
Now I have changed to a Unifi AP (Unifi Security Gateway Pro, Unifi Switch US-24 POE, Unifi AP Pro) and the dynamic VLAN assignment does not work anymore. When I try to connect to the WPA2 Enterprise WLAN, the credentials are accepted but I am always put into the default VLAN.
I googled around and found this link, but I had no success anyway.
http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402.html
Does anyone have any ideas to help me, please?
Which further information do you need?
I have a full freeradius -X
Thanks
Foxy
freeradius debug:
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=0, length=162
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0267000a01766c616e32
Message-Authenticator = 0x06d999db3a89921c59829a06fc6a668c
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 103 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 31
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 31
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 0 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016800160410d4aaf5baf1249b0b9757e28baaeaaa5f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=1, length=178
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026800080319152b
State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f
Message-Authenticator = 0x832e2a49ed7f71a89ddd64c031384e96
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 104 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 30
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 30
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 1 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016900061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=2, length=297
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0269007f19800000007516030100700100006c0301589ed44589c48a46cf539f29ccb55919d495885606f29ed44e2a6c29bd86d9eb00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f
Message-Authenticator = 0x36c578d87de859f5bb186da5d12f866d
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 105 length 127
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 117
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0070], ClientHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0039], ServerHello
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 02ca], Certificate
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 2 to 10.4.0.3 port 58475
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd059d4364f6758a6e7768e6c4f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=3, length=176
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026a00061900
State = 0x5bbe2fd059d4364f6758a6e7768e6c4f
Message-Authenticator = 0x99a1d9d626da9befea61798a088dcaa5
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 106 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 3 to 10.4.0.3 port 58475
EAP-Message = 0x016b0076190084b8ddc47f9ae932aad390c476d83be799f4a0573ba9ffc44bb7ab4acd2aee1bf8c481909e6fb235ad5904953e0da13f76cab712d08f270272699821617e7c9bbbf02fe16724e3e118fb1544a1425a42b33d7627f1ac1a3ab6b40de72becd841b631813edf992c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd058d5364f6758a6e7768e6c4f
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=4, length=314
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026b0090198000000086160301004610000042410492699d0b4133e01f3077df1dd32450bb838549add65693b94f1403cc929899231cbad80effab16998dbc60b8de0238ddbe8fefdbbe3e770c3f662d37b37371771403010001011603010030164a6ac78696439e80a7b6e06d205e5a2a6b9a90d8531892b0a24de189284588156554a2a15cbbcb8cc0e9e8f87810c8
State = 0x5bbe2fd058d5364f6758a6e7768e6c4f
Message-Authenticator = 0xbd183035d6eb70e1cf4df33759a104a0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 107 length 144
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: unknown state
[peap] TLS_accept: unknown state
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 4 to 10.4.0.3 port 58475
EAP-Message = 0x016c0041190014030100010116030100302db38c5a4a30e8a20e40e33ea5c90ffc4390aa26733fa055d9e44df2df3fe2efec91ee64752fbaa81952491f4de66b73
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f
Finished request 4.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=5, length=176
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026c00061900
State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f
Message-Authenticator = 0xfe48702c915ce42bd6857c1c98c2ad33
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 108 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 5 to 10.4.0.3 port 58475
EAP-Message = 0x016d002b19001703010020720525055a03208c8942699fac52371c34564e69c8ad2dca9670eb2ad7d7990b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f
Finished request 5.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=6, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026d002b1900170301002047bc3b02b2b161c69c407fcc9499570fc44846071487cddd3238a74a6f1b5486
State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f
Message-Authenticator = 0x3043fa8c67010675ab157c9b041ec8e0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 109 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - vlan2
[peap] Got inner identity 'vlan2'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x026d000a01766c616e32
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026d000a01766c616e32
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 109 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 29
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 29
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 6 to 10.4.0.3 port 58475
EAP-Message = 0x016e003b19001703010030273a2344da33da6bd4f07a68939b2d6fe8f074d5c8fc5d3bd995b603066ecf0ebadaa7b9c6bb0857de06eb1732da1372
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f
Finished request 6.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=7, length=277
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026e006b190017030100609d599b8771f229409a0c80966b2d47df23ee2d458e0aa22554971c8dcbff5c8d6fd24841ac1f33f77b523ad33f435410bd3b5061388f389cf35852f2bbe989d6e79c80c01fa06efa1ac48960c28057604e2d52eaf27fcb9592b15bd81b9d9352
State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f
Message-Authenticator = 0x49a65641575dbc71665aa3a24ed858d4
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 110 length 107
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
State = 0xbf69de36bf07c49c7fdd6a5522e854fb
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 110 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 28
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 28
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] Creating challenge hash with username: vlan2
[mschap] Client is using MS-CHAPv2 for vlan2, we need NT-Password
++[mschap] = ok
+} # group MS-CHAP = ok
MSCHAP Success
++[eap] = handled
+} # group authenticate = handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36be06c49c7fdd6a5522e854fb
[peap] Got tunneled reply RADIUS code 11
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf69de36be06c49c7fdd6a5522e854fb
[peap] Got tunneled Access-Challenge
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 7 to 10.4.0.3 port 58475
EAP-Message = 0x016f005b19001703010050379671a1652397822077c4939f603c0697b5ad4acda69af23684b69747b835bc2eee51061ba9de8736ee1a212c16986b4976389fe0080d8f0d71a892795b124f8bcb4cf473180414321ba05012d9c804
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f
Finished request 7.
Going to the next request
Waking up in 2.1 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=8, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x026f002b190017030100204e389e032c31ad1db1e6708b6e4b9d959b44e97a2133228df869f8852f589e6b
State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f
Message-Authenticator = 0x931630aa75d0a3402894d50d928802c2
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 111 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x026f00061a03
server {
[peap] Setting User-Name to vlan2
Sending tunneled request
EAP-Message = 0x026f00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "vlan2"
State = 0xbf69de36be06c49c7fdd6a5522e854fb
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
NAS-IP-Address = 10.4.0.3
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 111 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
rlm_sql (sql): Reserving sql socket id: 27
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id
[sql] User found in group vlan2
[sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id
rlm_sql (sql): Released sql socket id: 27
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "vlan2"
[peap] Got tunneled reply RADIUS code 2
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
EAP-Message = 0x036f0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "vlan2"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 8 to 10.4.0.3 port 58475
EAP-Message = 0x0170002b1900170301002016ca7fa553aa22f428b1cc092d8c0edce568f4304d792dc1e4f3ee96aee7dbf4
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5bbe2fd053ce364f6758a6e7768e6c4f
Finished request 8.
Going to the next request
Waking up in 2.0 seconds.
rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=9, length=213
User-Name = "vlan2"
NAS-Identifier = "802aa8c9b930"
NAS-Port = 0
Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius"
Calling-Station-Id = "44-00-10-57-E4-82"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x0270002b19001703010020f1fad92ca1690eeab1fd596f4e05814f52fe6ca28544b4fa55eee6ea9709ba21
State = 0x5bbe2fd053ce364f6758a6e7768e6c4f
Message-Authenticator = 0xdb9f0883a110094183004dd28a6f5261
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "vlan2", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 112 length 43
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[peap] Using saved attributes from the original Access-Accept
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
User-Name = "vlan2"
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
[sql] expand: %{User-Name} -> vlan2
[sql] sql_set_user escaped user --> 'vlan2'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40')
rlm_sql (sql): Reserving sql socket id: 26
rlm_sql (sql): Released sql socket id: 26
++[sql] = ok
++[exec] = noop
+} # group post-auth = ok
Sending Access-Accept of id 9 to 10.4.0.3 port 58475
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "2"
User-Name = "vlan2"
MS-MPPE-Recv-Key = 0xc42271ac1c9ce5bd6fd9be65a9eaf0b2c9512de5a0561888d8c4443a42a3ea0e
MS-MPPE-Send-Key = 0xe57e91b287bd2e2d536e08176c9a61fdaa9ae60687e59db5310af032b8c3e430
EAP-Message = 0x03700004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 9.
Going to the next request
Waking up in 2.0 seconds.
Cleaning up request 0 ID 0 with timestamp +47
Cleaning up request 1 ID 1 with timestamp +47
Cleaning up request 2 ID 2 with timestamp +47
Cleaning up request 3 ID 3 with timestamp +47
Waking up in 2.6 seconds.
Cleaning up request 4 ID 4 with timestamp +49
Cleaning up request 5 ID 5 with timestamp +49
Cleaning up request 6 ID 6 with timestamp +49
Cleaning up request 7 ID 7 with timestamp +49
Cleaning up request 8 ID 8 with timestamp +50
Cleaning up request 9 ID 9 with timestamp +50
Ready to process requests.
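A check that can be run over `freeradius -X` output before turning to the access point: does each Access-Accept carry the three tunnel attributes used for RFC 3580 VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id), as the final Access-Accept in the debug output above does? This is an added example, not part of the original post; the sample log is constructed and all function names are hypothetical.

```python
import re

# "Sending <Packet-Type> of id N to <host> port P" opens a reply dump in -X output.
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
# Attribute line: Name[:tag] (= | := | +=) value
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)(?::(\d+))?\s*(?::=|\+=|=)\s*(.*)$")

# Fixed values RFC 3580 expects alongside the VLAN ID.
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}

# Constructed sample in the format of the debug output (not copied from the post).
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 8 to 192.0.2.10 port 58475
\tTunnel-Type:0 := VLAN
\tTunnel-Medium-Type:0 := IEEE-802
\tTunnel-Private-Group-Id:0 := "2"
\tEAP-Message = 0x0170
Finished request 8.
Sending Access-Accept of id 9 to 192.0.2.10 port 58475
\tTunnel-Type:0 := VLAN
\tTunnel-Medium-Type:0 := IEEE-802
\tTunnel-Private-Group-Id:0 := "2"
\tUser-Name = "vlan2"
Finished request 9.
Sending Access-Accept of id 12 to 192.0.2.10 port 58475
\tTunnel-Type:0 := VLAN
\tTunnel-Private-Group-Id:1 := "guest"
\tUser-Name = "vlan9"
Finished request 12.
"""


def parse_replies(debug_text):
    """Return one dict per 'Sending ...' block: code, id, nas, attrs."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)),
                       "nas": m.group(3), "attrs": []}
            replies.append(current)
            continue
        if current is None:
            continue
        a = ATTR_RE.match(line)
        if a:
            value = a.group(3).strip().strip('"')
            current["attrs"].append((a.group(1), a.group(2), value))
        else:
            current = None  # first non-attribute line ends the packet dump
    return replies


def check_vlan_assignment(reply):
    """Return (vlan_id, problems) for one parsed reply."""
    tunnel = {n: (t, v) for n, t, v in reply["attrs"] if n.startswith("Tunnel-")}
    problems = []
    for name, want in REQUIRED.items():
        if name not in tunnel:
            problems.append(f"missing {name}")
        elif tunnel[name][1] != want:
            problems.append(f"{name} is {tunnel[name][1]}, expected {want}")
    vlan_id = None
    if "Tunnel-Private-Group-Id" not in tunnel:
        problems.append("missing Tunnel-Private-Group-Id")
    else:
        raw = tunnel["Tunnel-Private-Group-Id"][1]
        if raw.isdigit() and 1 <= int(raw) <= 4094:
            vlan_id = int(raw)
        else:
            problems.append(
                f"Tunnel-Private-Group-Id {raw!r} is not a VLAN ID in 1-4094")
    # Attributes describing one tunnel should share one tag.
    tags = {t for t, _ in tunnel.values()}
    if len(tags) > 1:
        problems.append(
            f"tunnel attributes carry different tags: {sorted(map(str, tags))}")
    return vlan_id, problems


def audit_accepts(debug_text):
    """Check every Access-Accept; return (id, nas, vlan_id, problems) tuples."""
    results = []
    for reply in parse_replies(debug_text):
        if reply["code"] == "Access-Accept":
            vlan_id, problems = check_vlan_assignment(reply)
            results.append((reply["id"], reply["nas"], vlan_id, problems))
    return results


def tunnel_attrs_outside_accept(debug_text):
    """IDs of non-Accept replies that also carry Tunnel-* attributes."""
    return [r["id"] for r in parse_replies(debug_text)
            if r["code"] != "Access-Accept"
            and any(n.startswith("Tunnel-") for n, _, _ in r["attrs"])]


if __name__ == "__main__":
    for pkt_id, nas, vlan_id, problems in audit_accepts(SAMPLE_DEBUG):
        status = f"VLAN {vlan_id}" if not problems else "; ".join(problems)
        print(f"Access-Accept id {pkt_id} to {nas}: {status}")
    print("Tunnel attributes also sent in:", tunnel_attrs_outside_accept(SAMPLE_DEBUG))
```

If every Access-Accept passes this check, the server is sending a complete VLAN assignment and the remaining place to look is how the NAS handles it.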