AD Group Check - multi SSID - Pass "Require-membership-of" to NTLM_AUTH as variable.

Mon Jan 30 08:01:56 CET 2017

Hi all,

I am trying to set up a FreeRadius (v3.12 on debian8) to authenticate
against MS Active Directory, with AD group membership requierement for
"multiple SSID".

So, for exemple, SSID-Corp-Employee is only accessible to a certain users,
member of ADgroupA , and SSID-Corp-Direction, only accessible to users,
member of ADgroupB

When only authenticating with 1 single AD group, there is no problem, the :

> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --require-membership-of=GALAXY\rad01 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV}
> --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re
> sponse}:-00}"

does the trick...

So, what I thaught could be the easiest way, is to pass the
"--require-membership-of=" as parameter... and even more, that AD group
would be the same as the SSID ...

So, when a new SSID is created, no need to change any in the freeradius,
just create the AD group according to the SSID, and ... that's it.

i put this in the Authorize section of "DEFAULT" and "inner-tunnel", just
after the "filter_username"

############################################################
#############################
rewrite_called_station_id
if (&Called-Station-SSID == "rad01") {
        update request {
            NTLM-Group-Required := "GALAXY\rad01"
User-Name := "pierre"
        }
   }
    elsif (%Called-Station-SSID == "RAD02") {
        update request {
            NTLM-Group-Required := "GALAXY\RAD02"
        }
    }

############################################################
#############################

It seems that it's parsed correct:

# policy rewrite_called_station_id = updated
(76)     if (&Called-Station-SSID == "rad01") {
(76)     if (&Called-Station-SSID == "rad01")  -> TRUE
(76)     if (&Called-Station-SSID == "rad01")  {
(76)       update request {
(76)         NTLM-Group-Required := "GALAXY\rad01"

and my "NTLM_Auth" is the:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --require-membership-of=%NTLM-Group-Required
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV}
> --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Re
> sponse}:-00}"

but it does not work... for information, if I replace  %NTLM-Group-Required
by GALAXY\rad01  it does work correct.

Is there any way someone could give me advice on how to achieve this... or
any other way to achieve this ?

Of course, needless to say, I am no expert in "FreeRadius", so, please,
excuses me if it's not the way to go, or if my assomption are wrond

Thanks in advance for your reading and your time.

I have join to the mail a attached file with "a radiusd -X" session.... (No
idea if "attached files pass... sorry, not used the mailling list much so
fare :-D )

Pierre de Jong
-------------- next part --------------
Ready to process requests
(0) Received Access-Request Id 227 from 10.2.103.4:40014 to 10.2.103.8:1812 length 158
(0)   User-Name = "pierre"
(0)   NAS-Identifier = "44d9e7fc21c1"
(0)   NAS-Port = 0
(0)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(0)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   EAP-Message = 0x02cf000b01706965727265
(0)   Message-Authenticator = 0x1ff9a6a599dadec46b7d48157c55dd3b
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     policy rewrite_called_station_id {
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 56-D9-E7-FE-21-C1
(0)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(0)         } # update request = noop
(0)         if ("%{8}") {
(0)         EXPAND %{8}
(0)            --> rad01
(0)         if ("%{8}")  -> TRUE
(0)         if ("%{8}")  {
(0)           update request {
(0)             EXPAND %{8}
(0)                --> rad01
(0)             &Called-Station-SSID := rad01
(0)           } # update request = noop
(0)         } # if ("%{8}")  = noop
(0)         [updated] = updated
(0)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_called_station_id = updated
(0)     if (&Called-Station-SSID == "rad01") {
(0)     if (&Called-Station-SSID == "rad01")  -> TRUE
(0)     if (&Called-Station-SSID == "rad01")  {
(0)       update request {
(0)         NTLM-Group-Required := "GALAXY\rad01"
(0)         User-Name := "pierre"
(0)       } # update request = noop
(0)     } # if (&Called-Station-SSID == "rad01")  = noop
(0)     ... skipping elsif: Preceding "if" was taken
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 207 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 208 length 6
(0) eap: EAP session adding &reply:State = 0xb35f3ca7b38f259c
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 227 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(0)   EAP-Message = 0x01d000061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xb35f3ca7b38f259c2c1a966e4e8d8fb9
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 228 from 10.2.103.4:40014 to 10.2.103.8:1812 length 333
(1)   User-Name = "pierre"
(1)   NAS-Identifier = "44d9e7fc21c1"
(1)   NAS-Port = 0
(1)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(1)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   EAP-Message = 0x02d000a819800000009e16030100990100009503038732e549c9cb2ba64d9daf9fb679fd3a4cdcb07930744efd664f513dd3900e4e00003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000
(1)   State = 0xb35f3ca7b38f259c2c1a966e4e8d8fb9
(1)   Message-Authenticator = 0xdb5dc55b8e7445e26d2fb9693d4dbc54
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     policy rewrite_called_station_id {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> 56-D9-E7-FE-21-C1
(1)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(1)         } # update request = noop
(1)         if ("%{8}") {
(1)         EXPAND %{8}
(1)            --> rad01
(1)         if ("%{8}")  -> TRUE
(1)         if ("%{8}")  {
(1)           update request {
(1)             EXPAND %{8}
(1)                --> rad01
(1)             &Called-Station-SSID := rad01
(1)           } # update request = noop
(1)         } # if ("%{8}")  = noop
(1)         [updated] = updated
(1)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_called_station_id = updated
(1)     if (&Called-Station-SSID == "rad01") {
(1)     if (&Called-Station-SSID == "rad01")  -> TRUE
(1)     if (&Called-Station-SSID == "rad01")  {
(1)       update request {
(1)         NTLM-Group-Required := "GALAXY\rad01"
(1)         User-Name := "pierre"
(1)       } # update request = noop
(1)     } # if (&Called-Station-SSID == "rad01")  = noop
(1)     ... skipping elsif: Preceding "if" was taken
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 208 length 168
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xb35f3ca7b38f259c
(1) eap: Finished EAP session with state 0xb35f3ca7b38f259c
(1) eap: Previous EAP request found for state 0xb35f3ca7b38f259c, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 158 bytes
(1) eap_peap: Got complete TLS record (158 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2  [length 0099]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2  [length 0059]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2  [length 08d3]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: TLS_accept: Need to read more data: unknown state
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 209 length 1004
(1) eap: EAP session adding &reply:State = 0xb35f3ca7b28e259c
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Sent Access-Challenge Id 228 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(1)   EAP-Message = 0x01d103ec19c000000a9116030300590200005503032747dfd00ab4276a30db125f86919e2eeeca73193f140276200b3c4410da807b208b28f44d19a58e3ffeff69974ef14fa5e334ee8105936640efadc616e989ec09c03000000dff01000100000b00040300010216030308d30b0008cf0008cc0003de
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xb35f3ca7b28e259c2c1a966e4e8d8fb9
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 229 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171
(2)   User-Name = "pierre"
(2)   NAS-Identifier = "44d9e7fc21c1"
(2)   NAS-Port = 0
(2)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(2)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   EAP-Message = 0x02d100061900
(2)   State = 0xb35f3ca7b28e259c2c1a966e4e8d8fb9
(2)   Message-Authenticator = 0xab46f30e16a4884c6ea6cf1b064a1896
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     policy rewrite_called_station_id {
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> 56-D9-E7-FE-21-C1
(2)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(2)         } # update request = noop
(2)         if ("%{8}") {
(2)         EXPAND %{8}
(2)            --> rad01
(2)         if ("%{8}")  -> TRUE
(2)         if ("%{8}")  {
(2)           update request {
(2)             EXPAND %{8}
(2)                --> rad01
(2)             &Called-Station-SSID := rad01
(2)           } # update request = noop
(2)         } # if ("%{8}")  = noop
(2)         [updated] = updated
(2)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_called_station_id = updated
(2)     if (&Called-Station-SSID == "rad01") {
(2)     if (&Called-Station-SSID == "rad01")  -> TRUE
(2)     if (&Called-Station-SSID == "rad01")  {
(2)       update request {
(2)         NTLM-Group-Required := "GALAXY\rad01"
(2)         User-Name := "pierre"
(2)       } # update request = noop
(2)     } # if (&Called-Station-SSID == "rad01")  = noop
(2)     ... skipping elsif: Preceding "if" was taken
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 209 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xb35f3ca7b28e259c
(2) eap: Finished EAP session with state 0xb35f3ca7b28e259c
(2) eap: Previous EAP request found for state 0xb35f3ca7b28e259c, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 210 length 1000
(2) eap: EAP session adding &reply:State = 0xb35f3ca7b18d259c
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Sent Access-Challenge Id 229 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(2)   EAP-Message = 0x01d203e8194032fb76abbff22167647943d7bad0c4180db5579da5942956cdf7c83f3d5c3d0a5b5f750a5d2254f6258d6675ad2a4fcbc9878d6e09aa89edd155a681a4c446addfc0753ef0de32a89a9eb4a0d45dc24a95bf6e1feeb45cc516dabb148b0464a12f827fc9efc390d5310004e8308204e430
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xb35f3ca7b18d259c2c1a966e4e8d8fb9
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 230 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171
(3)   User-Name = "pierre"
(3)   NAS-Identifier = "44d9e7fc21c1"
(3)   NAS-Port = 0
(3)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(3)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   EAP-Message = 0x02d200061900
(3)   State = 0xb35f3ca7b18d259c2c1a966e4e8d8fb9
(3)   Message-Authenticator = 0x0df761451bd09c38e82561bc114d295b
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     policy rewrite_called_station_id {
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> 56-D9-E7-FE-21-C1
(3)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(3)         } # update request = noop
(3)         if ("%{8}") {
(3)         EXPAND %{8}
(3)            --> rad01
(3)         if ("%{8}")  -> TRUE
(3)         if ("%{8}")  {
(3)           update request {
(3)             EXPAND %{8}
(3)                --> rad01
(3)             &Called-Station-SSID := rad01
(3)           } # update request = noop
(3)         } # if ("%{8}")  = noop
(3)         [updated] = updated
(3)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_called_station_id = updated
(3)     if (&Called-Station-SSID == "rad01") {
(3)     if (&Called-Station-SSID == "rad01")  -> TRUE
(3)     if (&Called-Station-SSID == "rad01")  {
(3)       update request {
(3)         NTLM-Group-Required := "GALAXY\rad01"
(3)         User-Name := "pierre"
(3)       } # update request = noop
(3)     } # if (&Called-Station-SSID == "rad01")  = noop
(3)     ... skipping elsif: Preceding "if" was taken
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 210 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xb35f3ca7b18d259c
(3) eap: Finished EAP session with state 0xb35f3ca7b18d259c
(3) eap: Previous EAP request found for state 0xb35f3ca7b18d259c, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 211 length 723
(3) eap: EAP session adding &reply:State = 0xb35f3ca7b08c259c
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Sent Access-Challenge Id 230 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(3)   EAP-Message = 0x01d302d3190020417574686f72697479820900b4d7ec4991844547300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xb35f3ca7b08c259c2c1a966e4e8d8fb9
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 231 from 10.2.103.4:40014 to 10.2.103.8:1812 length 301
(4)   User-Name = "pierre"
(4)   NAS-Identifier = "44d9e7fc21c1"
(4)   NAS-Port = 0
(4)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(4)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   EAP-Message = 0x02d3008819800000007e1603030046100000424104b38da94cf6b538e9a702d09a9dd9c42911885a7b8804d36b4acbbf4859c6741dd7cfda9e5c613511218ac6bd51309bfb4b8537b991be1d93bc3ab4a448db0d7f140303000101160303002800000000000000009fb82bcc00778730b2a3d352604c27
(4)   State = 0xb35f3ca7b08c259c2c1a966e4e8d8fb9
(4)   Message-Authenticator = 0x22d199b5de9b5599dbcceeb450b56113
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     policy rewrite_called_station_id {
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(4)         update request {
(4)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4)              --> 56-D9-E7-FE-21-C1
(4)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(4)         } # update request = noop
(4)         if ("%{8}") {
(4)         EXPAND %{8}
(4)            --> rad01
(4)         if ("%{8}")  -> TRUE
(4)         if ("%{8}")  {
(4)           update request {
(4)             EXPAND %{8}
(4)                --> rad01
(4)             &Called-Station-SSID := rad01
(4)           } # update request = noop
(4)         } # if ("%{8}")  = noop
(4)         [updated] = updated
(4)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy rewrite_called_station_id = updated
(4)     if (&Called-Station-SSID == "rad01") {
(4)     if (&Called-Station-SSID == "rad01")  -> TRUE
(4)     if (&Called-Station-SSID == "rad01")  {
(4)       update request {
(4)         NTLM-Group-Required := "GALAXY\rad01"
(4)         User-Name := "pierre"
(4)       } # update request = noop
(4)     } # if (&Called-Station-SSID == "rad01")  = noop
(4)     ... skipping elsif: Preceding "if" was taken
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 211 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xb35f3ca7b08c259c
(4) eap: Finished EAP session with state 0xb35f3ca7b08c259c
(4) eap: Previous EAP request found for state 0xb35f3ca7b08c259c, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: <<< recv TLS 1.2  [length 0001]
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: TLS_accept: unknown state
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 212 length 57
(4) eap: EAP session adding &reply:State = 0xb35f3ca7b78b259c
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Sent Access-Challenge Id 231 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(4)   EAP-Message = 0x01d4003919001403030001011603030028504d2dbb5c7fcbb8baf8b6de136307521de9e7c9a3ec098cf81fc4e7a952135397a86fd8da77edd6
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xb35f3ca7b78b259c2c1a966e4e8d8fb9
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 232 from 10.2.103.4:40014 to 10.2.103.8:1812 length 171
(5)   User-Name = "pierre"
(5)   NAS-Identifier = "44d9e7fc21c1"
(5)   NAS-Port = 0
(5)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(5)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   EAP-Message = 0x02d400061900
(5)   State = 0xb35f3ca7b78b259c2c1a966e4e8d8fb9
(5)   Message-Authenticator = 0xf59cebeaa4fbb32b1b887ae960bbe4be
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     policy rewrite_called_station_id {
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(5)         update request {
(5)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5)              --> 56-D9-E7-FE-21-C1
(5)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(5)         } # update request = noop
(5)         if ("%{8}") {
(5)         EXPAND %{8}
(5)            --> rad01
(5)         if ("%{8}")  -> TRUE
(5)         if ("%{8}")  {
(5)           update request {
(5)             EXPAND %{8}
(5)                --> rad01
(5)             &Called-Station-SSID := rad01
(5)           } # update request = noop
(5)         } # if ("%{8}")  = noop
(5)         [updated] = updated
(5)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy rewrite_called_station_id = updated
(5)     if (&Called-Station-SSID == "rad01") {
(5)     if (&Called-Station-SSID == "rad01")  -> TRUE
(5)     if (&Called-Station-SSID == "rad01")  {
(5)       update request {
(5)         NTLM-Group-Required := "GALAXY\rad01"
(5)         User-Name := "pierre"
(5)       } # update request = noop
(5)     } # if (&Called-Station-SSID == "rad01")  = noop
(5)     ... skipping elsif: Preceding "if" was taken
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 212 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xb35f3ca7b78b259c
(5) eap: Finished EAP session with state 0xb35f3ca7b78b259c
(5) eap: Previous EAP request found for state 0xb35f3ca7b78b259c, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 213 length 40
(5) eap: EAP session adding &reply:State = 0xb35f3ca7b68a259c
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Sent Access-Challenge Id 232 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(5)   EAP-Message = 0x01d500281900170303001d504d2dbb5c7fcbb9f7ff8f8e63a463592487f851520beba2e2b38792be
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xb35f3ca7b68a259c2c1a966e4e8d8fb9
(5) Finished request
Waking up in 4.8 seconds.
(6) Received Access-Request Id 233 from 10.2.103.4:40014 to 10.2.103.8:1812 length 207
(6)   User-Name = "pierre"
(6)   NAS-Identifier = "44d9e7fc21c1"
(6)   NAS-Port = 0
(6)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(6)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(6)   Framed-MTU = 1400
(6)   NAS-Port-Type = Wireless-802.11
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   EAP-Message = 0x02d5002a1900170303001f00000000000000011b13f5e2b9c4536d5e2345c972295ba64e13ef659e9962
(6)   State = 0xb35f3ca7b68a259c2c1a966e4e8d8fb9
(6)   Message-Authenticator = 0x4efe9ecef83e2f675000776d422c7e81
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     policy rewrite_called_station_id {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 56-D9-E7-FE-21-C1
(6)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(6)         } # update request = noop
(6)         if ("%{8}") {
(6)         EXPAND %{8}
(6)            --> rad01
(6)         if ("%{8}")  -> TRUE
(6)         if ("%{8}")  {
(6)           update request {
(6)             EXPAND %{8}
(6)                --> rad01
(6)             &Called-Station-SSID := rad01
(6)           } # update request = noop
(6)         } # if ("%{8}")  = noop
(6)         [updated] = updated
(6)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy rewrite_called_station_id = updated
(6)     if (&Called-Station-SSID == "rad01") {
(6)     if (&Called-Station-SSID == "rad01")  -> TRUE
(6)     if (&Called-Station-SSID == "rad01")  {
(6)       update request {
(6)         NTLM-Group-Required := "GALAXY\rad01"
(6)         User-Name := "pierre"
(6)       } # update request = noop
(6)     } # if (&Called-Station-SSID == "rad01")  = noop
(6)     ... skipping elsif: Preceding "if" was taken
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 213 length 42
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xb35f3ca7b68a259c
(6) eap: Finished EAP session with state 0xb35f3ca7b68a259c
(6) eap: Previous EAP request found for state 0xb35f3ca7b68a259c, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - pierre
(6) eap_peap: Got inner identity 'pierre'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x02d5000b01706965727265
(6) eap_peap: Setting User-Name to pierre
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x02d5000b01706965727265
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "pierre"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x02d5000b01706965727265
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "pierre"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       policy rewrite_called_station_id {
(6)         if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6)         if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> FALSE
(6)         else {
(6)           [noop] = noop
(6)         } # else = noop
(6)       } # policy rewrite_called_station_id = noop
(6)       if (&Called-Station-SSID == "rad01") {
(6)       ERROR: Failed retrieving values required to evaluate condition
(6)       elsif (%Called-Station-SSID == "RAD02") {
(6)       elsif (%Called-Station-SSID == "RAD02")  -> FALSE
(6)       else {
(6)         update request {
(6)           NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
(6)         } # update request = noop
(6)       } # else = noop
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 213 length 11
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 214 length 43
(6) eap: EAP session adding &reply:State = 0xbd54a3aabd82b9f3
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xbd54a3aabd82b9f3309aeb04bc239791
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xbd54a3aabd82b9f3309aeb04bc239791
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x01d6002b1a01d60026109e3bdec9cbb411b67a164e86a272df16667265657261646975732d332e302e3132
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0xbd54a3aabd82b9f3309aeb04bc239791
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 214 length 74
(6) eap: EAP session adding &reply:State = 0xb35f3ca7b589259c
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Sent Access-Challenge Id 233 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(6)   EAP-Message = 0x01d6004a1900170303003f504d2dbb5c7fcbba03101f4ae013daecee83a3de971bdc706fdb3aca12772f98e15a5590649295556cc5c8cdc69ca64ff7d002ef2f97ee6091008d8bb84699
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xb35f3ca7b589259c2c1a966e4e8d8fb9
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 234 from 10.2.103.4:40014 to 10.2.103.8:1812 length 261
(7)   User-Name = "pierre"
(7)   NAS-Identifier = "44d9e7fc21c1"
(7)   NAS-Port = 0
(7)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(7)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(7)   Framed-MTU = 1400
(7)   NAS-Port-Type = Wireless-802.11
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   EAP-Message = 0x02d600601900170303005500000000000000028e87cb590a701b47746c8016ce47b7f86b1fe6a45bc3acdcb316e82907eef552f0b955864689b57252686b22225ee49e5c8e8cb3402b58cea5ec49062bddcdc67d327e856106545e7af64dda90
(7)   State = 0xb35f3ca7b589259c2c1a966e4e8d8fb9
(7)   Message-Authenticator = 0x0573cf6c301fbbb191e4f3aefd62a2f8
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     policy rewrite_called_station_id {
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(7)         update request {
(7)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7)              --> 56-D9-E7-FE-21-C1
(7)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(7)         } # update request = noop
(7)         if ("%{8}") {
(7)         EXPAND %{8}
(7)            --> rad01
(7)         if ("%{8}")  -> TRUE
(7)         if ("%{8}")  {
(7)           update request {
(7)             EXPAND %{8}
(7)                --> rad01
(7)             &Called-Station-SSID := rad01
(7)           } # update request = noop
(7)         } # if ("%{8}")  = noop
(7)         [updated] = updated
(7)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy rewrite_called_station_id = updated
(7)     if (&Called-Station-SSID == "rad01") {
(7)     if (&Called-Station-SSID == "rad01")  -> TRUE
(7)     if (&Called-Station-SSID == "rad01")  {
(7)       update request {
(7)         NTLM-Group-Required := "GALAXY\rad01"
(7)         User-Name := "pierre"
(7)       } # update request = noop
(7)     } # if (&Called-Station-SSID == "rad01")  = noop
(7)     ... skipping elsif: Preceding "if" was taken
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 214 length 96
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xbd54a3aabd82b9f3
(7) eap: Finished EAP session with state 0xb35f3ca7b589259c
(7) eap: Previous EAP request found for state 0xb35f3ca7b589259c, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265
(7) eap_peap: Setting User-Name to pierre
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "pierre"
(7) eap_peap:   State = 0xbd54a3aabd82b9f3309aeb04bc239791
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x02d600411a02d6003c31091ec4c1a3227e314c0297013f462fc40000000000000000654bb73f2e49fdb82e96e89138933e449f612efb76875d2900706965727265
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "pierre"
(7)   State = 0xbd54a3aabd82b9f3309aeb04bc239791
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       policy rewrite_called_station_id {
(7)         if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7)         if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> FALSE
(7)         else {
(7)           [noop] = noop
(7)         } # else = noop
(7)       } # policy rewrite_called_station_id = noop
(7)       if (&Called-Station-SSID == "rad01") {
(7)       ERROR: Failed retrieving values required to evaluate condition
(7)       elsif (%Called-Station-SSID == "RAD02") {
(7)       elsif (%Called-Station-SSID == "RAD02")  -> FALSE
(7)       else {
(7)         update request {
(7)           NTLM-Group-Required := "S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387"
(7)         } # update request = noop
(7)       } # else = noop
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 214 length 65
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xbd54a3aabd82b9f3
(7) eap: Finished EAP session with state 0xbd54a3aabd82b9f3
(7) eap: Previous EAP request found for state 0xbd54a3aabd82b9f3, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Creating challenge hash with username: pierre
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --require-membership-of=%{NTLM-Group-Required} --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(7) mschap: EXPAND --require-membership-of=%{NTLM-Group-Required}
(7) mschap:    --> --require-membership-of=S-1-5-21-2281471460-mmmmmm-nnnnnnnnn-1387
(7) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(7) mschap:    --> --username=pierre
(7) mschap: ERROR: No NT-Domain was found in the User-Name
(7) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-GALAXY.PRIV}
(7) mschap:    --> --domain=GALAXY.PRIV
(7) mschap: Creating challenge hash with username: pierre
(7) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(7) mschap:    --> --challenge=a5aace215cfd7042
(7) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(7) mschap:    --> --nt-response=654bb73f2e49fdb82e96e89138933e449f612efb76875d29
(7) mschap: ERROR: Program returned code (1) and output 'Unexpected information received (0xc000000d)'
(7) mschap: External script failed
(7) mschap: ERROR: External script says: Unexpected information received (0xc000000d)
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7)     [mschap] = reject
(7)   } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 214 length 4
(7) eap: Freeing handler
(7)       [eap] = reject
(7)     } # authenticate = reject
(7)   Failed to authenticate the user
(7)   Login incorrect (Failed retrieving values required to evaluate condition): [pierre/<via Auth-Type = eap>] (from client Galaxy.priv port 0 via TLS tunnel)
(7)   Using Post-Auth-Type Reject
(7)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7)     Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> pierre
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)       [attr_filter.access_reject] = updated
(7)       update outer.session-state {
(7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'Failed retrieving values required to evaluate condition'
(7)       } # update outer.session-state = noop
(7)     } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed"
(7)   EAP-Message = 0x04d60004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap:   MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed"
(7) eap_peap:   EAP-Message = 0x04d60004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap:   MS-CHAP-Error = "\326E=691 R=1 C=3085b775235144ea99ea6f7ac706b6d4 V=3 M=Authentication failed"
(7) eap_peap:   EAP-Message = 0x04d60004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 215 length 46
(7) eap: EAP session adding &reply:State = 0xb35f3ca7b488259c
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) session-state: Saving cached attributes
(7)   Module-Failure-Message := "Failed retrieving values required to evaluate condition"
(7) Sent Access-Challenge Id 234 from 10.2.103.8:1812 to 10.2.103.4:40014 length 0
(7)   EAP-Message = 0x01d7002e19001703030023504d2dbb5c7fcbbbc5469324f1a95f9ea55a2fce82dea2e00473109a28619661ae8222
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xb35f3ca7b488259c2c1a966e4e8d8fb9
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 235 from 10.2.103.4:40014 to 10.2.103.8:1812 length 211
(8)   User-Name = "pierre"
(8)   NAS-Identifier = "44d9e7fc21c1"
(8)   NAS-Port = 0
(8)   Called-Station-Id = "56-D9-E7-FE-21-C1:rad01"
(8)   Calling-Station-Id = "C0-EE-FB-4B-FA-10"
(8)   Framed-MTU = 1400
(8)   NAS-Port-Type = Wireless-802.11
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   EAP-Message = 0x02d7002e19001703030023000000000000000320b22f60170206a92ede96e61c35df8cb165876aa4f581edad7701
(8)   State = 0xb35f3ca7b488259c2c1a966e4e8d8fb9
(8)   Message-Authenticator = 0xe4f48714798068aa684811266a444df0
(8) Restoring &session-state
(8)   &session-state:Module-Failure-Message := "Failed retrieving values required to evaluate condition"
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     policy rewrite_called_station_id {
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(8)         update request {
(8)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8)              --> 56-D9-E7-FE-21-C1
(8)           &Called-Station-Id := 56-D9-E7-FE-21-C1
(8)         } # update request = noop
(8)         if ("%{8}") {
(8)         EXPAND %{8}
(8)            --> rad01
(8)         if ("%{8}")  -> TRUE
(8)         if ("%{8}")  {
(8)           update request {
(8)             EXPAND %{8}
(8)                --> rad01
(8)             &Called-Station-SSID := rad01
(8)           } # update request = noop
(8)         } # if ("%{8}")  = noop
(8)         [updated] = updated
(8)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(8)       ... skipping else: Preceding "if" was taken
(8)     } # policy rewrite_called_station_id = updated
(8)     if (&Called-Station-SSID == "rad01") {
(8)     if (&Called-Station-SSID == "rad01")  -> TRUE
(8)     if (&Called-Station-SSID == "rad01")  {
(8)       update request {
(8)         NTLM-Group-Required := "GALAXY\rad01"
(8)         User-Name := "pierre"
(8)       } # update request = noop
(8)     } # if (&Called-Station-SSID == "rad01")  = noop
(8)     ... skipping elsif: Preceding "if" was taken
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "pierre", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 215 length 46
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xb35f3ca7b488259c
(8) eap: Finished EAP session with state 0xb35f3ca7b488259c
(8) eap: Previous EAP request found for state 0xb35f3ca7b488259c, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap:   The users session was previously rejected: returning reject (again.)
(8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(8) eap_peap:   to find out the reason why the user was rejected
(8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(8) eap_peap:   what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 215 length 4
(8) eap: Failed in EAP select
(8)     [eap] = invalid
(8)   } # authenticate = invalid
(8) Failed to authenticate the user
(8) Login incorrect (eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed): [pierre/<via Auth-Type = eap>] (from client Galaxy.priv port 0 cli C0-EE-FB-4B-FA-10)
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject:    --> pierre
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8)     [attr_filter.access_reject] = updated
(8)     [eap] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sent Access-Reject Id 235 from 10.2.103.8:1812 to 10.2.103.4:40014 length 44
(8)   EAP-Message = 0x04d70004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(0) Cleaning up request packet ID 227 with timestamp +5
(1) Cleaning up request packet ID 228 with timestamp +5
(2) Cleaning up request packet ID 229 with timestamp +5
(3) Cleaning up request packet ID 230 with timestamp +5
(4) Cleaning up request packet ID 231 with timestamp +5
(5) Cleaning up request packet ID 232 with timestamp +5
(6) Cleaning up request packet ID 233 with timestamp +5
(7) Cleaning up request packet ID 234 with timestamp +5
(8) Cleaning up request packet ID 235 with timestamp +5
Ready to process requests