passing Tunnel-Private-Group-ID
Alan Buxey
alan.buxey at gmail.com
Tue May 15 21:41:47 CEST 2018
so...you are checking the user data in the inner-tunnel (good) - and are
setting the value there.... so, you just need to copy those values to the
outer phase
(or just copy them to outer:reply) - the default/vanilla config has some
examples of this in the configuration files.
alan
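One explicit way to do the copy Alan describes, written out here as an added example (it is not text from Alan's reply, nor a verbatim piece of the stock FreeRADIUS inner-tunnel file): a post-auth section for sites-enabled/inner-tunnel that pushes the VLAN attributes from the inner reply into the outer reply. It assumes the inner reply already carries Tunnel-Private-Group-Id (in the debug above that would come from the ldap module with edir_autz = yes) and uses the unlang spelling outer.reply for the outer reply list. Tunnel-Type and Tunnel-Medium-Type are included alongside Tunnel-Private-Group-Id because a NAS doing RFC 3580 style VLAN assignment expects all three; the page only names the third, so treat the first two as an assumption to confirm against your controller's documentation.

```unlang
# Added example for /etc/raddb/sites-enabled/inner-tunnel (not the poster's file).
# Runs after the inner (PEAP/MSCHAPv2) authentication has succeeded.
post-auth {
	# Only act when the inner authentication actually produced a VLAN id
	# (assumed to have been set in the inner reply by the ldap/eDirectory
	# mapping). Otherwise leave the outer reply alone so nothing is sent.
	if (&reply:Tunnel-Private-Group-Id) {
		update outer.reply {
			# Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6)
			# are what an RFC 3580 NAS looks for next to the group id.
			&Tunnel-Type             := VLAN
			&Tunnel-Medium-Type      := IEEE-802
			# Copy the value found inside the tunnel into the outer reply.
			&Tunnel-Private-Group-Id := "%{reply:Tunnel-Private-Group-Id}"
		}
	}
}
```

To check that it took effect, look at the final "Sending Access-Accept" block at the end of a radiusd -X run for the outer request: the three Tunnel-* attributes should be listed there, not only in the inner-tunnel reply. Note that the debug above already shows use_tunneled_reply = yes in the peap block, which is the other mechanism for the same copy; the explicit update here does the same job without relying on that flag, and the if() guard keeps a user with no VLAN attribute in eDirectory from being sent an empty or stale Tunnel-Private-Group-Id.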
On 15 May 2018 at 15:29, Daniel Lietz <dlietz at inghamisd.org> wrote:
> Here is the complete debug from starting radiusd -X to the device getting
> on the network. The user jdoe authenticates, and gets an IP address, but
> it's an IP on the native vlan (10.2.1.x) rather than the vlan the user
> should be on (vlan tag 522). Users have the radiusTunnelPrivateGroupId
> attribute set in eDirectory to the vlan tag for the network they should be
> allowed on. With my production server, the attribute is sent to the aruba
> controller and is used to place the device on the appropriate vlan. With my
> new test server, the device always ends up on the native vlan, (vlan 1)
> which is the access point management network.
>
> radiusd: FreeRADIUS Version 3.0.3, for host x86_64-suse-linux-gnu, built
> on Dec 19 2016 at 11:19
> Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/raddb/dictionary
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/mods-enabled/
> including configuration file /etc/raddb/mods-enabled/always
> including configuration file /etc/raddb/mods-enabled/attr_filter
> including configuration file /etc/raddb/mods-enabled/cache_eap
> including configuration file /etc/raddb/mods-enabled/chap
> including configuration file /etc/raddb/mods-enabled/detail
> including configuration file /etc/raddb/mods-enabled/detail.log
> including configuration file /etc/raddb/mods-enabled/dhcp
> including configuration file /etc/raddb/mods-enabled/digest
> including configuration file /etc/raddb/mods-enabled/dynamic_clients
> including configuration file /etc/raddb/mods-enabled/eap
> including configuration file /etc/raddb/mods-enabled/echo
> including configuration file /etc/raddb/mods-enabled/exec
> including configuration file /etc/raddb/mods-enabled/expiration
> including configuration file /etc/raddb/mods-enabled/expr
> including configuration file /etc/raddb/mods-enabled/files
> including configuration file /etc/raddb/mods-enabled/linelog
> including configuration file /etc/raddb/mods-enabled/logintime
> including configuration file /etc/raddb/mods-enabled/mschap
> including configuration file /etc/raddb/mods-enabled/ntlm_auth
> including configuration file /etc/raddb/mods-enabled/pap
> including configuration file /etc/raddb/mods-enabled/passwd
> including configuration file /etc/raddb/mods-enabled/preprocess
> including configuration file /etc/raddb/mods-enabled/radutmp
> including configuration file /etc/raddb/mods-enabled/realm
> including configuration file /etc/raddb/mods-enabled/replicate
> including configuration file /etc/raddb/mods-enabled/soh
> including configuration file /etc/raddb/mods-enabled/sradutmp
> including configuration file /etc/raddb/mods-enabled/unix
> including configuration file /etc/raddb/mods-enabled/unpack
> including configuration file /etc/raddb/mods-enabled/utf8
> including configuration file /etc/raddb/mods-enabled/ldap
> including files in directory /etc/raddb/policy.d/
> including configuration file /etc/raddb/policy.d/accounting
> including configuration file /etc/raddb/policy.d/canonicalization
> including configuration file /etc/raddb/policy.d/control
> including configuration file /etc/raddb/policy.d/cui
> including configuration file /etc/raddb/policy.d/dhcp
> including configuration file /etc/raddb/policy.d/eap
> including configuration file /etc/raddb/policy.d/filter
> including configuration file /etc/raddb/policy.d/operator-name
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> main {
> security {
> allow_core_dumps = no
> }
> }
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> colourise = yes
> msg_denied = "You are already logged in - access denied"
> }
> security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> allow_vulnerable_openssl = "no"
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
> }
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = <<< secret >>>
> response_window = 20
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
> coa {
> irt = 2
> mrt = 16
> mrc = 5
> mrd = 30
> }
> limit {
> max_connections = 16
> max_requests = 0
> lifetime = 0
> idle_timeout = 0
> }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
> ipaddr = 127.0.0.1
> require_message_authenticator = no
> secret = <<< secret >>>
> nas_type = "other"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> client ArubaComEd {
> ipaddr = 10.2.1.1
> netmask = 32
> require_message_authenticator = no
> secret = <<< secret >>>
> shortname = "ArubaComEd"
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> }
> modules {
> # Loaded module rlm_always
> # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
> always reject {
> rcode = "reject"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
> always fail {
> rcode = "fail"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
> always ok {
> rcode = "ok"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
> always handled {
> rcode = "handled"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
> always invalid {
> rcode = "invalid"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "userlock" from file
> /etc/raddb/mods-enabled/always
> always userlock {
> rcode = "userlock"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "notfound" from file
> /etc/raddb/mods-enabled/always
> always notfound {
> rcode = "notfound"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
> always noop {
> rcode = "noop"
> simulcount = 0
> mpp = no
> }
> # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
> always updated {
> rcode = "updated"
> simulcount = 0
> mpp = no
> }
> # Loaded module rlm_attr_filter
> # Instantiating module "attr_filter.post-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.post-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
> # Instantiating module "attr_filter.pre-proxy" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.pre-proxy {
> filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
> key = "%{Realm}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
> # Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_reject {
> filename = "/etc/raddb/mods-config/attr_filter/access_reject"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
> # Instantiating module "attr_filter.access_challenge" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.access_challenge {
> filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
> # Instantiating module "attr_filter.accounting_response" from file
> /etc/raddb/mods-enabled/attr_filter
> attr_filter attr_filter.accounting_response {
> filename = "/etc/raddb/mods-config/attr_
> filter/accounting_response"
> key = "%{User-Name}"
> relaxed = no
> }
> reading pairlist file /etc/raddb/mods-config/attr_
> filter/accounting_response
> # Loaded module rlm_cache
> # Instantiating module "cache_eap" from file
> /etc/raddb/mods-enabled/cache_eap
> cache cache_eap {
> key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
> ttl = 15
> max_entries = 16384
> epoch = 0
> add_stats = no
> }
> # Loaded module rlm_chap
> # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap
> # Loaded module rlm_detail
> # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
> detail {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/
> detail.log
> detail auth_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
> detail output
> # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/
> detail.log
> detail reply_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/
> detail.log
> detail pre_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Instantiating module "post_proxy_log" from file
> /etc/raddb/mods-enabled/detail.log
> detail post_proxy_log {
> filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{
> Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
> header = "%t"
> permissions = 384
> locking = no
> log_packet_header = no
> }
> # Loaded module rlm_dhcp
> # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp
> # Loaded module rlm_digest
> # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest
> # Loaded module rlm_dynamic_clients
> # Instantiating module "dynamic_clients" from file
> /etc/raddb/mods-enabled/dynamic_clients
> # Loaded module rlm_eap
> # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> mod_accounting_username_bug = no
> max_sessions = 1024
> }
> # Linked to sub-module rlm_eap_md5
> # Linked to sub-module rlm_eap_leap
> # Linked to sub-module rlm_eap_gtc
> gtc {
> challenge = "Password: "
> auth_type = "PAP"
> }
> # Linked to sub-module rlm_eap_tls
> tls {
> tls = "tls-common"
> }
> tls-config tls-common {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> ca_path = "/etc/raddb/certs"
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/servercert.pem"
> certificate_file = "/etc/raddb/certs/servercert.pem"
> ca_file = "/etc/raddb/certs/rootCAcert.pem"
> private_key_password = <<< secret >>>
> dh_file = "/etc/raddb/certs/dh"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> ecdh_curve = "prime256v1"
> cache {
> enable = yes
> lifetime = 24
> max_entries = 255
> }
> verify {
> }
> ocsp {
> enable = no
> override_cert_url = yes
> url = "http://127.0.0.1/ocsp/"
> use_nonce = yes
> timeout = 0
> softfail = yes
> }
> }
> # Linked to sub-module rlm_eap_ttls
> ttls {
> tls = "tls-common"
> default_eap_type = "md5"
> copy_request_to_tunnel = no
> use_tunneled_reply = no
> virtual_server = "inner-tunnel"
> include_length = yes
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_peap
> peap {
> tls = "tls-common"
> default_method = "mschapv2"
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = yes
> virtual_server = "inner-tunnel"
> soh = no
> require_client_cert = no
> }
> Using cached TLS configuration from previous invocation
> # Linked to sub-module rlm_eap_mschapv2
> mschapv2 {
> with_ntdomain_hack = no
> send_error = no
> }
> # Loaded module rlm_exec
> # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo
> exec echo {
> wait = yes
> program = "/bin/echo %{User-Name}"
> input_pairs = "request"
> output_pairs = "reply"
> shell_escape = yes
> }
> # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec
> exec {
> wait = no
> input_pairs = "request"
> shell_escape = yes
> timeout = 10
> }
> # Loaded module rlm_expiration
> # Instantiating module "expiration" from file /etc/raddb/mods-enabled/
> expiration
> # Loaded module rlm_expr
> # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr
> expr {
> safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD
> EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
> }
> # Loaded module rlm_files
> # Instantiating module "files" from file /etc/raddb/mods-enabled/files
> files {
> filename = "/etc/raddb/mods-config/files/authorize"
> usersfile = "/etc/raddb/mods-config/files/authorize"
> acctusersfile = "/etc/raddb/mods-config/files/accounting"
> preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
> compat = "cistron"
> }
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:198 Cistron compatibility checks
> for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/authorize
> [/etc/raddb/mods-config/files/authorize]:181 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:188 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:195 Cistron compatibility checks
> for entry DEFAULT ...
> [/etc/raddb/mods-config/files/authorize]:198 Cistron compatibility checks
> for entry DEFAULT ...
> reading pairlist file /etc/raddb/mods-config/files/accounting
> reading pairlist file /etc/raddb/mods-config/files/pre-proxy
> # Loaded module rlm_linelog
> # Instantiating module "linelog" from file /etc/raddb/mods-enabled/
> linelog
> linelog {
> filename = "/var/log/radius/linelog"
> permissions = 384
> format = "This is a log message for %{User-Name}"
> reference = "messages.%{%{Packet-Type}:-default}"
> }
> # Instantiating module "log_accounting" from file
> /etc/raddb/mods-enabled/linelog
> linelog log_accounting {
> filename = "/var/log/radius/linelog-accounting"
> permissions = 384
> format = ""
> reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
> }
> # Loaded module rlm_logintime
> # Instantiating module "logintime" from file /etc/raddb/mods-enabled/
> logintime
> logintime {
> minimum_timeout = 60
> }
> # Loaded module rlm_mschap
> # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
> mschap {
> use_mppe = yes
> require_encryption = no
> require_strong = no
> with_ntdomain_hack = yes
> passchange {
> }
> allow_retry = yes
> }
> # Instantiating module "ntlm_auth" from file
> /etc/raddb/mods-enabled/ntlm_auth
> exec ntlm_auth {
> wait = yes
> program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN
> --username=%{mschap:User-Name} --password=%{User-Password}"
> shell_escape = yes
> }
> # Loaded module rlm_pap
> # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
> pap {
> normalise = yes
> }
> # Loaded module rlm_passwd
> # Instantiating module "etc_passwd" from file
> /etc/raddb/mods-enabled/passwd
> passwd etc_passwd {
> filename = "/etc/passwd"
> format = "*User-Name:Crypt-Password:"
> delimiter = ":"
> ignore_nislike = no
> ignore_empty = yes
> allow_multiple_keys = no
> hash_size = 100
> }
> rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
> # Loaded module rlm_preprocess
> # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/
> preprocess
> preprocess {
> huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
> hints = "/etc/raddb/mods-config/preprocess/hints"
> with_ascend_hack = no
> ascend_channels_per_line = 23
> with_ntdomain_hack = no
> with_specialix_jetstream_hack = no
> with_cisco_vsa_hack = no
> with_alvarion_vsa_hack = no
> }
> reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
> reading pairlist file /etc/raddb/mods-config/preprocess/hints
> # Loaded module rlm_radutmp
> # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/
> radutmp
> radutmp {
> filename = "/var/log/radius/radutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 384
> caller_id = yes
> }
> # Loaded module rlm_realm
> # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
> realm IPASS {
> format = "prefix"
> delimiter = "/"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
> realm suffix {
> format = "suffix"
> delimiter = "@"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "realmpercent" from file
> /etc/raddb/mods-enabled/realm
> realm realmpercent {
> format = "suffix"
> delimiter = "%"
> ignore_default = no
> ignore_null = no
> }
> # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
> realm ntdomain {
> format = "prefix"
> delimiter = "\"
> ignore_default = no
> ignore_null = no
> }
> # Loaded module rlm_replicate
> # Instantiating module "replicate" from file /etc/raddb/mods-enabled/
> replicate
> # Loaded module rlm_soh
> # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh
> soh {
> dhcp = yes
> }
> # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/
> sradutmp
> radutmp sradutmp {
> filename = "/var/log/radius/sradutmp"
> username = "%{User-Name}"
> case_sensitive = yes
> check_with_nas = yes
> permissions = 420
> caller_id = no
> }
> # Loaded module rlm_unix
> # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix
> unix {
> radwtmp = "/var/log/radius/radwtmp"
> }
> # Loaded module rlm_unpack
> # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack
> # Loaded module rlm_utf8
> # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8
> # Loaded module rlm_ldap
> # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
> ldap {
> server = "10.1.1.10"
> port = 636
> password = <<< secret >>>
> identity = "cn=freeRadius,o=ORG"
> edir = yes
> edir_autz = yes
> user {
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> scope = "sub"
> base_dn = "o=ORG"
> access_attribute = "dialupAccess"
> access_positive = yes
> }
> group {
> filter = "(objectClass=posixGroup)"
> scope = "sub"
> base_dn = "o=ORG"
> name_attribute = "cn"
> membership_attribute = "memberOf"
> cacheable_name = no
> cacheable_dn = no
> }
> client {
> filter = "(objectClass=frClient)"
> scope = "sub"
> base_dn = "o=ORG"
> attribute {
> identifier = "radiusClientIdentifier"
> shortname = "cn"
> secret = "radiusClientSecret"
> }
> }
> profile {
> filter = "(&)"
> }
> options {
> ldap_debug = 40
> chase_referrals = yes
> rebind = yes
> net_timeout = 1
> res_timeout = 20
> srv_timelimit = 20
> idle = 60
> probes = 3
> interval = 3
> }
> tls {
> ca_file = "/etc/raddb/certs/rootCAcert.pem"
> ca_path = "/etc/raddb/certs"
> start_tls = no
> require_cert = "demand"
> }
> }
> accounting {
> reference = "%{tolower:type.%{Acct-Status-Type}}"
> }
> post-auth {
> reference = "."
> }
> rlm_ldap (ldap): Initialising connection pool
> pool {
> start = 5
> min = 4
> max = 32
> spare = 3
> uses = 0
> lifetime = 0
> cleanup_interval = 30
> idle_timeout = 60
> retry_delay = 1
> spread = no
> }
> rlm_ldap (ldap): Opening additional connection (0)
> rlm_ldap (ldap): Connecting to 10.1.1.10:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (1)
> rlm_ldap (ldap): Connecting to 10.1.1.10:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (2)
> rlm_ldap (ldap): Connecting to 10.1.1.10:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (3)
> rlm_ldap (ldap): Connecting to 10.1.1.10:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Opening additional connection (4)
> rlm_ldap (ldap): Connecting to 10.1.1.10:636
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server
> server default { # from file /etc/raddb/sites-enabled/default
> # Creating Auth-Type = LDAP
> # Loading authenticate {...}
> # Loading authorize {...}
> Ignoring "sql" (see raddb/mods-available/README.rst)
> # Loading preacct {...}
> # Loading accounting {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "acct"
> ipaddr = *
> port = 0
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
> listen {
> type = "auth"
> ipaddr = 127.0.0.1
> port = 18120
> }
> Listening on auth address * port 1812 as server default
> Listening on acct address * port 1813 as server default
> Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
> Opening new proxy socket 'proxy address * port 0'
> Listening on proxy address * port 37067
> Ready to process requests.
> Received Access-Request Id 42 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 201
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x0201000c016c6965747a6462
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0x388b1133b22e9b707fe063bb62990d51
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (0) authorize {
> (0) filter_username filter_username {
> (0) if (User-Name != "%{tolower:%{User-Name}}")
> (0) EXPAND %{tolower:%{User-Name}}
> (0) --> jdoe
> (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (0) if (User-Name =~ / /)
> (0) if (User-Name =~ / /) -> FALSE
> (0) if (User-Name =~ /@.*@/ )
> (0) if (User-Name =~ /@.*@/ ) -> FALSE
> (0) if (User-Name =~ /\\.\\./ )
> (0) if (User-Name =~ /\\.\\./ ) -> FALSE
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (0) if (User-Name =~ /\\.$/)
> (0) if (User-Name =~ /\\.$/) -> FALSE
> (0) if (User-Name =~ /@\\./)
> (0) if (User-Name =~ /@\\./) -> FALSE
> (0) } # filter_username filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (0) suffix : No such realm "NULL"
> (0) [suffix] = noop
> (0) eap : EAP packet type response id 1 length 12
> (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap : Peer sent Identity (1)
> (0) eap : Calling eap_peap to process EAP data
> (0) eap_peap : Flushing SSL sessions (of #0)
> (0) eap_peap : Initiate
> (0) eap_peap : Start returned 1
> (0) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e03366016
> (0) [eap] = handled
> (0) } # authenticate = handled
> Sending Access-Challenge Id 42 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x010200061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e033660161c87c4227f6edc6f
> (0) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 43 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 374
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020200a719800000009d16030100
> 98010000940303d5a687ae569b08a5074447a11fbb36162b46752e9353f8
> 8d07f7bcf8e620ac1700003cc02bc02f009ec02cc030009fcca9cca8c009
> c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d
> 002f003c0035003d0005000a0100002fff0100010000170000000d001000
> 0e0403040105030501060306010201000b00020100000a00080006001d00170018
> State = 0x0334791e033660161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xf36c20a6d78beca0e2ac1782d6593291
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (1) authorize {
> (1) filter_username filter_username {
> (1) if (User-Name != "%{tolower:%{User-Name}}")
> (1) EXPAND %{tolower:%{User-Name}}
> (1) --> jdoe
> (1) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (1) if (User-Name =~ / /)
> (1) if (User-Name =~ / /) -> FALSE
> (1) if (User-Name =~ /@.*@/ )
> (1) if (User-Name =~ /@.*@/ ) -> FALSE
> (1) if (User-Name =~ /\\.\\./ )
> (1) if (User-Name =~ /\\.\\./ ) -> FALSE
> (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (1) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (1) if (User-Name =~ /\\.$/)
> (1) if (User-Name =~ /\\.$/) -> FALSE
> (1) if (User-Name =~ /@\\./)
> (1) if (User-Name =~ /@\\./) -> FALSE
> (1) } # filter_username filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (1) suffix : No such realm "NULL"
> (1) [suffix] = noop
> (1) eap : EAP packet type response id 2 length 167
> (1) eap : Continuing tunnel setup.
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = EAP
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap : Expiring EAP session with state 0x0334791e03366016
> (1) eap : Finished EAP session with state 0x0334791e03366016
> (1) eap : Previous EAP request found for state 0x0334791e03366016,
> released from the list
> (1) eap : Peer sent PEAP (25)
> (1) eap : EAP PEAP (25)
> (1) eap : Calling eap_peap to process EAP data
> (1) eap_peap : processing EAP-TLS
> TLS Length 157
> (1) eap_peap : Length Included
> (1) eap_peap : eaptls_verify returned 11
> (1) eap_peap : (other): before/accept initialization
> (1) eap_peap : TLS_accept: before/accept initialization
> (1) eap_peap : <<< TLS 1.0 Handshake [length 0098], ClientHello
> (1) eap_peap : TLS_accept: SSLv3 read client hello A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0059], ServerHello
> (1) eap_peap : TLS_accept: SSLv3 write server hello A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0a71], Certificate
> (1) eap_peap : TLS_accept: SSLv3 write certificate A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> (1) eap_peap : TLS_accept: SSLv3 write key exchange A
> (1) eap_peap : >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> (1) eap_peap : TLS_accept: SSLv3 write server done A
> (1) eap_peap : TLS_accept: SSLv3 flush data
> (1) eap_peap : TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> (1) eap_peap : eaptls_process returned 13
> (1) eap_peap : FR_TLS_HANDLED
> (1) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e02376016
> (1) [eap] = handled
> (1) } # authenticate = handled
> Sending Access-Challenge Id 43 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x010303ec19c000000c2d16030100
> 59020000550301ee2a9e46204dd651ae831c0a98e4afd98feaf4445c7c8e
> 75887eea342b6de4c3206fbd6ba3e4a5f3cb6fd2bfafb19a96703a87a8e0
> 918021bcb2964916706b1160c01300000dff01000100000b000403000102
> 1603010a710b000a6d000a6a0005323082052e30820416a0030201020225
> 021c14e16e79e3e4952b9a3ec29e5d36dce1e4bcb8d7aa4d557f0c5af1c5
> 020301a126d675300d06092a864886f70d0101050500302f311a30180603
> 55040b13114f7267616e697a6174696f6e616c2043413111300f06035504
> 0a14084850535f54524545301e170d3136303732353139303932315a170d
> 3138303732353139303932315a302c3111300f060355040a14084850535f
> 54524545311730150603550403130e6870735241442e6870732e646f6d30
> 820122300d06092a864886f70d01010105000382010f003082010a028201
> 0100d1b2b39358eb47a2e3fccd7c20b4023ce4798b2361dc451ea5897446
> 77880f1a939b4db4a6812f4313b286364ea27757dda24a52058d9cc060a6
> a7a131919c490e4727bf429808871c31757ba632ed3e162b1a542b9d0ed7
> 0365a876e4d8999991aeca5196038e16541b2a4ac788e17e0d43eb0498df
> 45b34de318c63c328e66992ff7369a926018916b8c235df1b2798f842deb
> 97229e1018bd47824
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e023760161c87c4227f6edc6f
> (1) Finished request
> Waking up in 0.3 seconds.
> Received Access-Request Id 44 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 213
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020300061900
> State = 0x0334791e023760161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xac8694ed2e2e4490a9742ee4d843b7dd
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (2) authorize {
> (2) filter_username filter_username {
> (2) if (User-Name != "%{tolower:%{User-Name}}")
> (2) EXPAND %{tolower:%{User-Name}}
> (2) --> jdoe
> (2) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (2) if (User-Name =~ / /)
> (2) if (User-Name =~ / /) -> FALSE
> (2) if (User-Name =~ /@.*@/ )
> (2) if (User-Name =~ /@.*@/ ) -> FALSE
> (2) if (User-Name =~ /\\.\\./ )
> (2) if (User-Name =~ /\\.\\./ ) -> FALSE
> (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (2) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (2) if (User-Name =~ /\\.$/)
> (2) if (User-Name =~ /\\.$/) -> FALSE
> (2) if (User-Name =~ /@\\./)
> (2) if (User-Name =~ /@\\./) -> FALSE
> (2) } # filter_username filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (2) suffix : No such realm "NULL"
> (2) [suffix] = noop
> (2) eap : EAP packet type response id 3 length 6
> (2) eap : Continuing tunnel setup.
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = EAP
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap : Expiring EAP session with state 0x0334791e02376016
> (2) eap : Finished EAP session with state 0x0334791e02376016
> (2) eap : Previous EAP request found for state 0x0334791e02376016,
> released from the list
> (2) eap : Peer sent PEAP (25)
> (2) eap : EAP PEAP (25)
> (2) eap : Calling eap_peap to process EAP data
> (2) eap_peap : processing EAP-TLS
> (2) eap_peap : Received TLS ACK
> (2) eap_peap : Received TLS ACK
> (2) eap_peap : ACK handshake fragment handler
> (2) eap_peap : eaptls_verify returned 1
> (2) eap_peap : eaptls_process returned 13
> (2) eap_peap : FR_TLS_HANDLED
> (2) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e01306016
> (2) [eap] = handled
> (2) } # authenticate = handled
> Sending Access-Challenge Id 44 from 10.1.1.12:1812 to 10.2.1.1:58610
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e013060161c87c4227f6edc6f
> (2) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 45 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 213
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020400061900
> State = 0x0334791e013060161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0x9f86941df2f404316867b64473844047
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (3) authorize {
> (3) filter_username filter_username {
> (3) if (User-Name != "%{tolower:%{User-Name}}")
> (3) EXPAND %{tolower:%{User-Name}}
> (3) --> jdoe
> (3) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (3) if (User-Name =~ / /)
> (3) if (User-Name =~ / /) -> FALSE
> (3) if (User-Name =~ /@.*@/ )
> (3) if (User-Name =~ /@.*@/ ) -> FALSE
> (3) if (User-Name =~ /\\.\\./ )
> (3) if (User-Name =~ /\\.\\./ ) -> FALSE
> (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (3) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (3) if (User-Name =~ /\\.$/)
> (3) if (User-Name =~ /\\.$/) -> FALSE
> (3) if (User-Name =~ /@\\./)
> (3) if (User-Name =~ /@\\./) -> FALSE
> (3) } # filter_username filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (3) suffix : No such realm "NULL"
> (3) [suffix] = noop
> (3) eap : EAP packet type response id 4 length 6
> (3) eap : Continuing tunnel setup.
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = EAP
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap : Expiring EAP session with state 0x0334791e01306016
> (3) eap : Finished EAP session with state 0x0334791e01306016
> (3) eap : Previous EAP request found for state 0x0334791e01306016,
> released from the list
> (3) eap : Peer sent PEAP (25)
> (3) eap : EAP PEAP (25)
> (3) eap : Calling eap_peap to process EAP data
> (3) eap_peap : processing EAP-TLS
> (3) eap_peap : Received TLS ACK
> (3) eap_peap : Received TLS ACK
> (3) eap_peap : ACK handshake fragment handler
> (3) eap_peap : eaptls_verify returned 1
> (3) eap_peap : eaptls_process returned 13
> (3) eap_peap : FR_TLS_HANDLED
> (3) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e00316016
> (3) [eap] = handled
> (3) } # authenticate = handled
> Sending Access-Challenge Id 45 from 10.1.1.12:1812 to 10.2.1.1:58610
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e003160161c87c4227f6edc6f
> (3) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 46 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 213
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020500061900
> State = 0x0334791e003160161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xcfa89250dae129d83ad18906e9cf3e40
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (4) authorize {
> (4) filter_username filter_username {
> (4) if (User-Name != "%{tolower:%{User-Name}}")
> (4) EXPAND %{tolower:%{User-Name}}
> (4) --> jdoe
> (4) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (4) if (User-Name =~ / /)
> (4) if (User-Name =~ / /) -> FALSE
> (4) if (User-Name =~ /@.*@/ )
> (4) if (User-Name =~ /@.*@/ ) -> FALSE
> (4) if (User-Name =~ /\\.\\./ )
> (4) if (User-Name =~ /\\.\\./ ) -> FALSE
> (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (4) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (4) if (User-Name =~ /\\.$/)
> (4) if (User-Name =~ /\\.$/) -> FALSE
> (4) if (User-Name =~ /@\\./)
> (4) if (User-Name =~ /@\\./) -> FALSE
> (4) } # filter_username filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (4) suffix : No such realm "NULL"
> (4) [suffix] = noop
> (4) eap : EAP packet type response id 5 length 6
> (4) eap : Continuing tunnel setup.
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = EAP
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap : Expiring EAP session with state 0x0334791e00316016
> (4) eap : Finished EAP session with state 0x0334791e00316016
> (4) eap : Previous EAP request found for state 0x0334791e00316016,
> released from the list
> (4) eap : Peer sent PEAP (25)
> (4) eap : EAP PEAP (25)
> (4) eap : Calling eap_peap to process EAP data
> (4) eap_peap : processing EAP-TLS
> (4) eap_peap : Received TLS ACK
> (4) eap_peap : Received TLS ACK
> (4) eap_peap : ACK handshake fragment handler
> (4) eap_peap : eaptls_verify returned 1
> (4) eap_peap : eaptls_process returned 13
> (4) eap_peap : FR_TLS_HANDLED
> (4) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e07326016
> (4) [eap] = handled
> (4) } # authenticate = handled
> Sending Access-Challenge Id 46 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x0106008d1900aa8bb7908551c17a
> d9a31659220ff8595190bd8a947d7b18c9d94676e6eebd820d156e0b044c
> 78e0d025c4c253816f90619756a3e0548e59d097a18bba0ab1ba9c52df0d
> bb8aa07843a2c0d4f8d5c407e65a9d34999395a1de2e55f5ae132c20c03c
> ef2c1c44c218e38163a1f2605560a1a14f8840dd5efe42916f165de616030100040e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e073260161c87c4227f6edc6f
> (4) Finished request
> Waking up in 0.2 seconds.
> Received Access-Request Id 47 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 351
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x0206009019800000008616030100
> 46100000424104128e21ee934a563f4a9f9358a7db9d439d26d836d2d04f
> c33aa5c8a359748c0b6371c7e8818995a126449c863bdea984fca5d6fd4a
> 4f012a248c50d8e2f7c85714030100010116030100307098071b21f1b5cc
> 63a81f94498b9d431fcaf9127bd8bde265a2e890fad1718444e15d9f8d57
> f5625dec5a06e643e52e
> State = 0x0334791e073260161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xd1fe9d8bc4de12ad20b7aa81deaff9bf
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (5) authorize {
> (5) filter_username filter_username {
> (5) if (User-Name != "%{tolower:%{User-Name}}")
> (5) EXPAND %{tolower:%{User-Name}}
> (5) --> jdoe
> (5) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (5) if (User-Name =~ / /)
> (5) if (User-Name =~ / /) -> FALSE
> (5) if (User-Name =~ /@.*@/ )
> (5) if (User-Name =~ /@.*@/ ) -> FALSE
> (5) if (User-Name =~ /\\.\\./ )
> (5) if (User-Name =~ /\\.\\./ ) -> FALSE
> (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (5) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (5) if (User-Name =~ /\\.$/)
> (5) if (User-Name =~ /\\.$/) -> FALSE
> (5) if (User-Name =~ /@\\./)
> (5) if (User-Name =~ /@\\./) -> FALSE
> (5) } # filter_username filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (5) suffix : No such realm "NULL"
> (5) [suffix] = noop
> (5) eap : EAP packet type response id 6 length 144
> (5) eap : Continuing tunnel setup.
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = EAP
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap : Expiring EAP session with state 0x0334791e07326016
> (5) eap : Finished EAP session with state 0x0334791e07326016
> (5) eap : Previous EAP request found for state 0x0334791e07326016,
> released from the list
> (5) eap : Peer sent PEAP (25)
> (5) eap : EAP PEAP (25)
> (5) eap : Calling eap_peap to process EAP data
> (5) eap_peap : processing EAP-TLS
> TLS Length 134
> (5) eap_peap : Length Included
> (5) eap_peap : eaptls_verify returned 11
> (5) eap_peap : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
> (5) eap_peap : TLS_accept: SSLv3 read client key exchange A
> (5) eap_peap : <<< TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap : <<< TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap : TLS_accept: SSLv3 read finished A
> (5) eap_peap : >>> TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap : TLS_accept: SSLv3 write change cipher spec A
> (5) eap_peap : >>> TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap : TLS_accept: SSLv3 write finished A
> (5) eap_peap : TLS_accept: SSLv3 flush data
> SSL: adding session 6fbd6ba3e4a5f3cb6fd2bfafb19a96
> 703a87a8e0918021bcb2964916706b1160 to cache
> (5) eap_peap : (other): SSL negotiation finished successfully
> SSL Connection Established
> (5) eap_peap : eaptls_process returned 13
> (5) eap_peap : FR_TLS_HANDLED
> (5) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e06336016
> (5) [eap] = handled
> (5) } # authenticate = handled
> Sending Access-Challenge Id 47 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x0107004119001403010001011603
> 010030eaac4836e7cd06cba4e9ae519990ea081fe1ac588cb58d95d496c7
> 15b1f8a394b8731877bf16a752c3558a88e243aad2
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e063360161c87c4227f6edc6f
> (5) Finished request
> Waking up in 0.1 seconds.
> Received Access-Request Id 48 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 213
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020700061900
> State = 0x0334791e063360161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xbb77c7c77c4ee13f26f91886d715e5fe
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (6) authorize {
> (6) filter_username filter_username {
> (6) if (User-Name != "%{tolower:%{User-Name}}")
> (6) EXPAND %{tolower:%{User-Name}}
> (6) --> jdoe
> (6) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (6) if (User-Name =~ / /)
> (6) if (User-Name =~ / /) -> FALSE
> (6) if (User-Name =~ /@.*@/ )
> (6) if (User-Name =~ /@.*@/ ) -> FALSE
> (6) if (User-Name =~ /\\.\\./ )
> (6) if (User-Name =~ /\\.\\./ ) -> FALSE
> (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (6) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (6) if (User-Name =~ /\\.$/)
> (6) if (User-Name =~ /\\.$/) -> FALSE
> (6) if (User-Name =~ /@\\./)
> (6) if (User-Name =~ /@\\./) -> FALSE
> (6) } # filter_username filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (6) suffix : No such realm "NULL"
> (6) [suffix] = noop
> (6) eap : EAP packet type response id 7 length 6
> (6) eap : Continuing tunnel setup.
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = EAP
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap : Expiring EAP session with state 0x0334791e06336016
> (6) eap : Finished EAP session with state 0x0334791e06336016
> (6) eap : Previous EAP request found for state 0x0334791e06336016,
> released from the list
> (6) eap : Peer sent PEAP (25)
> (6) eap : EAP PEAP (25)
> (6) eap : Calling eap_peap to process EAP data
> (6) eap_peap : processing EAP-TLS
> (6) eap_peap : Received TLS ACK
> (6) eap_peap : Received TLS ACK
> (6) eap_peap : ACK handshake is finished
> (6) eap_peap : eaptls_verify returned 3
> (6) eap_peap : eaptls_process returned 3
> (6) eap_peap : FR_TLS_SUCCESS
> (6) eap_peap : Session established. Decoding tunneled attributes.
> (6) eap_peap : Peap state TUNNEL ESTABLISHED
> (6) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e053c6016
> (6) [eap] = handled
> (6) } # authenticate = handled
> Sending Access-Challenge Id 48 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x0108002b1900170301002039e41d
> 51f9c16e29fdbcef54cdc82c10f4de01db061563d4c3fa5a6de01462f1
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e053c60161c87c4227f6edc6f
> (6) Finished request
> Waking up in 0.1 seconds.
> Received Access-Request Id 49 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 250
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x0208002b190017030100206783b4
> fad17c7679ac541d9461aca602e778e856217703c4cc8cf10995aa4fec
> State = 0x0334791e053c60161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0x9fe005ef05f5d7f3533d8a8000d454b4
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (7) authorize {
> (7) filter_username filter_username {
> (7) if (User-Name != "%{tolower:%{User-Name}}")
> (7) EXPAND %{tolower:%{User-Name}}
> (7) --> jdoe
> (7) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (7) if (User-Name =~ / /)
> (7) if (User-Name =~ / /) -> FALSE
> (7) if (User-Name =~ /@.*@/ )
> (7) if (User-Name =~ /@.*@/ ) -> FALSE
> (7) if (User-Name =~ /\\.\\./ )
> (7) if (User-Name =~ /\\.\\./ ) -> FALSE
> (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (7) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (7) if (User-Name =~ /\\.$/)
> (7) if (User-Name =~ /\\.$/) -> FALSE
> (7) if (User-Name =~ /@\\./)
> (7) if (User-Name =~ /@\\./) -> FALSE
> (7) } # filter_username filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (7) suffix : No such realm "NULL"
> (7) [suffix] = noop
> (7) eap : EAP packet type response id 8 length 43
> (7) eap : Continuing tunnel setup.
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7) authenticate {
> (7) eap : Expiring EAP session with state 0x0334791e053c6016
> (7) eap : Finished EAP session with state 0x0334791e053c6016
> (7) eap : Previous EAP request found for state 0x0334791e053c6016,
> released from the list
> (7) eap : Peer sent PEAP (25)
> (7) eap : EAP PEAP (25)
> (7) eap : Calling eap_peap to process EAP data
> (7) eap_peap : processing EAP-TLS
> (7) eap_peap : eaptls_verify returned 7
> (7) eap_peap : Done initial handshake
> (7) eap_peap : eaptls_process returned 7
> (7) eap_peap : FR_TLS_OK
> (7) eap_peap : Session established. Decoding tunneled attributes.
> (7) eap_peap : Peap state WAITING FOR INNER IDENTITY
> (7) eap_peap : Identity - jdoe
> (7) eap_peap : Got inner identity 'jdoe'
> (7) eap_peap : Setting default EAP type for tunneled EAP session.
> (7) eap_peap : Got tunneled request
> EAP-Message = 0x0208000c016c6965747a6462
> server default {
> (7) eap_peap : Setting User-Name to jdoe
> Sending tunneled request
> EAP-Message = 0x0208000c016c6965747a6462
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> server inner-tunnel {
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/
> inner-tunnel
> (7) authorize {
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (7) suffix : No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) Proxy-To-Realm := 'LOCAL'
> (7) } # update control = noop
> (7) eap : EAP packet type response id 8 length 12
> (7) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = EAP
> (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap : Peer sent Identity (1)
> (7) eap : Calling eap_mschapv2 to process EAP data
> (7) eap_mschapv2 : Issuing Challenge
> (7) eap : New EAP session, adding 'State' attribute to reply
> 0x990fbb749906a1c7
> (7) [eap] = handled
> (7) } # authenticate = handled
> } # server inner-tunnel
> (7) eap_peap : Got tunneled reply code 11
> EAP-Message = 0x010900211a0109001c10b115beaf
> ccb4bfca8a9242a0f8792d666c6965747a6462
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x990fbb749906a1c7eff1e068bea8ce53
> (7) eap_peap : Got tunneled reply RADIUS code 11
> EAP-Message = 0x010900211a0109001c10b115beaf
> ccb4bfca8a9242a0f8792d666c6965747a6462
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x990fbb749906a1c7eff1e068bea8ce53
> (7) eap_peap : Got tunneled Access-Challenge
> (7) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e043d6016
> (7) [eap] = handled
> (7) } # authenticate = handled
> Sending Access-Challenge Id 49 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x0109004b1900170301004044fa41
> b976202b504808a8f63aed25b78748595d9b224d763721b85cb20c9a2590
> 4d8953fd75658e93fa60edee84d7a0e7838ad6f4c2285ad72ee07023feb1fe
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e043d60161c87c4227f6edc6f
> (7) Finished request
> Waking up in 0.1 seconds.
> Received Access-Request Id 50 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 314
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x0209006b190017030100607c23de
> c1884839a39558cd925bc5a6a482bf8c090aa5ce403ef07d102e6bdbb3a9
> befe6e11e425ac0ce2912670e03557224ee5bad147a27b4f7a45c2f05ae0
> e4962b21880d6f628e965cf9fbfbecbbe10c77d131aa538b80547aeea80e721f59
> State = 0x0334791e043d60161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0x271aa3d6fd0b27c66d9b8e75f7c2b18c
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (8) authorize {
> (8) filter_username filter_username {
> (8) if (User-Name != "%{tolower:%{User-Name}}")
> (8) EXPAND %{tolower:%{User-Name}}
> (8) --> jdoe
> (8) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (8) if (User-Name =~ / /)
> (8) if (User-Name =~ / /) -> FALSE
> (8) if (User-Name =~ /@.*@/ )
> (8) if (User-Name =~ /@.*@/ ) -> FALSE
> (8) if (User-Name =~ /\\.\\./ )
> (8) if (User-Name =~ /\\.\\./ ) -> FALSE
> (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (8) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (8) if (User-Name =~ /\\.$/)
> (8) if (User-Name =~ /\\.$/) -> FALSE
> (8) if (User-Name =~ /@\\./)
> (8) if (User-Name =~ /@\\./) -> FALSE
> (8) } # filter_username filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (8) suffix : No such realm "NULL"
> (8) [suffix] = noop
> (8) eap : EAP packet type response id 9 length 107
> (8) eap : Continuing tunnel setup.
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8) authenticate {
> (8) eap : Expiring EAP session with state 0x990fbb749906a1c7
> (8) eap : Finished EAP session with state 0x0334791e043d6016
> (8) eap : Previous EAP request found for state 0x0334791e043d6016,
> released from the list
> (8) eap : Peer sent PEAP (25)
> (8) eap : EAP PEAP (25)
> (8) eap : Calling eap_peap to process EAP data
> (8) eap_peap : processing EAP-TLS
> (8) eap_peap : eaptls_verify returned 7
> (8) eap_peap : Done initial handshake
> (8) eap_peap : eaptls_process returned 7
> (8) eap_peap : FR_TLS_OK
> (8) eap_peap : Session established. Decoding tunneled attributes.
> (8) eap_peap : Peap state phase2
> (8) eap_peap : EAP type MSCHAPv2 (26)
> (8) eap_peap : Got tunneled request
> EAP-Message = 0x020900421a0209003d31d867b8c3
> 07214474de771d5988390d36000000000000000072cf2bcbcb337259034c
> 73e9dfb826a7da57635d3d74ae89006c6965747a6462
> server default {
> (8) eap_peap : Setting User-Name to jdoe
> Sending tunneled request
> EAP-Message = 0x020900421a0209003d31d867b8c3
> 07214474de771d5988390d36000000000000000072cf2bcbcb337259034c
> 73e9dfb826a7da57635d3d74ae89006c6965747a6462
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = 'jdoe'
> State = 0x990fbb749906a1c7eff1e068bea8ce53
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> server inner-tunnel {
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/
> inner-tunnel
> (8) authorize {
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (8) suffix : No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) Proxy-To-Realm := 'LOCAL'
> (8) } # update control = noop
> (8) eap : EAP packet type response id 9 length 66
> (8) eap : No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) files : users: Matched entry DEFAULT at line 198
> (8) [files] = ok
> rlm_ldap (ldap): Reserved connection (4)
> (8) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap : --> (uid=jdoe)
> (8) ldap : EXPAND o=ORG
> (8) ldap : --> o=ORG
> (8) ldap : Performing search in 'o=ORG' with filter '(uid=jdoe)', scope
> 'sub'
> (8) ldap : Waiting for search result...
> (8) ldap : User object found at DN "cn=jdoe,ou=TECH,ou=CE,ou=AD,o=ORG"
> (8) ldap : Added eDirectory password
> (8) ldap : Binding as user for eDirectory authorization checks
> (8) ldap : Waiting for bind result...
> (8) ldap : Bind successful
> (8) ldap : Bind as user 'cn=jdoe,ou=TECH,ou=CE,ou=AD,o=ORG' was successful
> (8) ldap : Processing user attributes
> (8) ldap : reply:Tunnel-Private-Group-ID := ''522''
> rlm_ldap (ldap): Released connection (4)
> (8) [ldap] = ok
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) WARNING: pap : Auth-Type already set. Not setting to PAP
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = EAP
> (8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap : Expiring EAP session with state 0x990fbb749906a1c7
> (8) eap : Finished EAP session with state 0x990fbb749906a1c7
> (8) eap : Previous EAP request found for state 0x990fbb749906a1c7,
> released from the list
> (8) eap : Peer sent MSCHAPv2 (26)
> (8) eap : EAP MSCHAPv2 (26)
> (8) eap : Calling eap_mschapv2 to process EAP data
> (8) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/
> inner-tunnel
> (8) eap_mschapv2 : Auth-Type MS-CHAP {
> (8) mschap : Found Cleartext-Password, hashing to create LM-Password
> (8) mschap : Found Cleartext-Password, hashing to create NT-Password
> (8) mschap : Creating challenge hash with username: jdoe
> (8) mschap : Client is using MS-CHAPv2
> (8) mschap : Adding MS-CHAPv2 MPPE keys
> (8) [mschap] = ok
> (8) } # Auth-Type MS-CHAP = ok
> MSCHAP Success
> (8) eap : New EAP session, adding 'State' attribute to reply
> 0x990fbb749805a1c7
> (8) [eap] = handled
> (8) } # authenticate = handled
> } # server inner-tunnel
> (8) eap_peap : Got tunneled reply code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 := '522'
> EAP-Message = 0x010a00331a0309002e533d463046
> 44414446304537333344393338344537343337393239324335344532383732424143343543
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x990fbb749805a1c7eff1e068bea8ce53
> (8) eap_peap : Got tunneled reply RADIUS code 11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 := '522'
> EAP-Message = 0x010a00331a0309002e533d463046
> 44414446304537333344393338344537343337393239324335344532383732424143343543
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x990fbb749805a1c7eff1e068bea8ce53
> (8) eap_peap : Got tunneled Access-Challenge
> (8) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e0b3e6016
> (8) [eap] = handled
> (8) } # authenticate = handled
> Sending Access-Challenge Id 50 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x010a005b19001703010050d06e22
> 290e015ea2d39bdaa43bb43975a94e1618e9e174f63ac08e075fca679b7d
> ef46f957946690d086605106565191e0cf0de416a6f6e5a2b6169844f261
> 5fc7e8ffc501dd9bad3263e0b9768b8cf2
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e0b3e60161c87c4227f6edc6f
> (8) Finished request
> Received Access-Request Id 51 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 250
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020a002b19001703010020f6ee8a
> 1b75814144a24aa40157309c1483f4d82aada22d42a549f225dbfca0f5
> State = 0x0334791e0b3e60161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xf5f1a5ea9c716ec5006a8f6c49ef473a
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (9) authorize {
> (9) filter_username filter_username {
> (9) if (User-Name != "%{tolower:%{User-Name}}")
> (9) EXPAND %{tolower:%{User-Name}}
> (9) --> jdoe
> (9) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (9) if (User-Name =~ / /)
> (9) if (User-Name =~ / /) -> FALSE
> (9) if (User-Name =~ /@.*@/ )
> (9) if (User-Name =~ /@.*@/ ) -> FALSE
> (9) if (User-Name =~ /\\.\\./ )
> (9) if (User-Name =~ /\\.\\./ ) -> FALSE
> (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (9) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (9) if (User-Name =~ /\\.$/)
> (9) if (User-Name =~ /\\.$/) -> FALSE
> (9) if (User-Name =~ /@\\./)
> (9) if (User-Name =~ /@\\./) -> FALSE
> (9) } # filter_username filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (9) suffix : No such realm "NULL"
> (9) [suffix] = noop
> (9) eap : EAP packet type response id 10 length 43
> (9) eap : Continuing tunnel setup.
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/raddb/sites-enabled/default
> (9) authenticate {
> (9) eap : Expiring EAP session with state 0x990fbb749805a1c7
> (9) eap : Finished EAP session with state 0x0334791e0b3e6016
> (9) eap : Previous EAP request found for state 0x0334791e0b3e6016,
> released from the list
> (9) eap : Peer sent PEAP (25)
> (9) eap : EAP PEAP (25)
> (9) eap : Calling eap_peap to process EAP data
> (9) eap_peap : processing EAP-TLS
> (9) eap_peap : eaptls_verify returned 7
> (9) eap_peap : Done initial handshake
> (9) eap_peap : eaptls_process returned 7
> (9) eap_peap : FR_TLS_OK
> (9) eap_peap : Session established. Decoding tunneled attributes.
> (9) eap_peap : Peap state phase2
> (9) eap_peap : EAP type MSCHAPv2 (26)
> (9) eap_peap : Got tunneled request
> EAP-Message = 0x020a00061a03
> server default {
> (9) eap_peap : Setting User-Name to jdoe
> Sending tunneled request
> EAP-Message = 0x020a00061a03
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = 'jdoe'
> State = 0x990fbb749805a1c7eff1e068bea8ce53
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> server inner-tunnel {
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/
> inner-tunnel
> (9) authorize {
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (9) suffix : No such realm "NULL"
> (9) [suffix] = noop
> (9) update control {
> (9) Proxy-To-Realm := 'LOCAL'
> (9) } # update control = noop
> (9) eap : EAP packet type response id 10 length 6
> (9) eap : EAP-MSCHAPV2 success, returning short-circuit ok
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = EAP
> (9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (9) authenticate {
> (9) eap : Expiring EAP session with state 0x990fbb749805a1c7
> (9) eap : Finished EAP session with state 0x990fbb749805a1c7
> (9) eap : Previous EAP request found for state 0x990fbb749805a1c7,
> released from the list
> (9) eap : Peer sent MSCHAPv2 (26)
> (9) eap : EAP MSCHAPv2 (26)
> (9) eap : Calling eap_mschapv2 to process EAP data
> (9) eap : Freeing handler
> (9) [eap] = ok
> (9) } # authenticate = ok
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/
> inner-tunnel
> (9) post-auth {
> (9) ldap : EXPAND .
> (9) ldap : --> .
> (9) [ldap] = noop
> (9) } # post-auth = noop
> } # server inner-tunnel
> (9) eap_peap : Got tunneled reply code 2
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> MS-MPPE-Send-Key = 0xa8120a9f46e99a42c6a14240b5647491
> MS-MPPE-Recv-Key = 0xb4fc7aa02311ce81ce08bc8ce410332f
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = 'jdoe'
> (9) eap_peap : Got tunneled reply RADIUS code 2
> MS-MPPE-Encryption-Policy = Encryption-Allowed
> MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> MS-MPPE-Send-Key = 0xa8120a9f46e99a42c6a14240b5647491
> MS-MPPE-Recv-Key = 0xb4fc7aa02311ce81ce08bc8ce410332f
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = 'jdoe'
> (9) eap_peap : Tunneled authentication was successful.
> (9) eap_peap : SUCCESS
> (9) eap_peap : Saving tunneled attributes for later
> (9) eap : New EAP session, adding 'State' attribute to reply
> 0x0334791e0a3f6016
> (9) [eap] = handled
> (9) } # authenticate = handled
> Sending Access-Challenge Id 51 from 10.1.1.12:1812 to 10.2.1.1:58610
> EAP-Message = 0x010b002b1900170301002086df58
> 35ec64b246dad52553f351a7c0aa6735f454aceade850a916a208d07de
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x0334791e0a3f60161c87c4227f6edc6f
> (9) Finished request
> Received Access-Request Id 52 from 10.2.1.1:58610 to 10.1.1.12:1812
> length 250
> User-Name = 'jdoe'
> NAS-IP-Address = 10.2.1.1
> NAS-Port = 0
> NAS-Identifier = '10.2.1.99'
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 'a0cc2b80adbb'
> Called-Station-Id = 'aca31ec2d29c'
> Service-Type = Login-User
> Framed-MTU = 1100
> EAP-Message = 0x020b002b190017030100206eeea6
> 794fb8c7bdc922d34b0f51627305b9fcf003ab4e723483eaae39f4d9a7
> State = 0x0334791e0a3f60161c87c4227f6edc6f
> Aruba-Essid-Name = 'PrivateWifi'
> Aruba-Location-Id = 'ComEd-APtech'
> Aruba-AP-Group = 'ComEdAVC'
> Aruba-Device-Type = 'Linux'
> Message-Authenticator = 0xc072db008e2c81bd016d226b8c083307
> (10) # Executing section authorize from file /etc/raddb/sites-enabled/
> default
> (10) authorize {
> (10) filter_username filter_username {
> (10) if (User-Name != "%{tolower:%{User-Name}}")
> (10) EXPAND %{tolower:%{User-Name}}
> (10) --> jdoe
> (10) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
> (10) if (User-Name =~ / /)
> (10) if (User-Name =~ / /) -> FALSE
> (10) if (User-Name =~ /@.*@/ )
> (10) if (User-Name =~ /@.*@/ ) -> FALSE
> (10) if (User-Name =~ /\\.\\./ )
> (10) if (User-Name =~ /\\.\\./ ) -> FALSE
> (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
> (10) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) ->
> FALSE
> (10) if (User-Name =~ /\\.$/)
> (10) if (User-Name =~ /\\.$/) -> FALSE
> (10) if (User-Name =~ /@\\./)
> (10) if (User-Name =~ /@\\./) -> FALSE
> (10) } # filter_username filter_username = notfound
> (10) [preprocess] = ok
> (10) [chap] = noop
> (10) [mschap] = noop
> (10) suffix : No '@' in User-Name = "jdoe", looking up realm NULL
> (10) suffix : No such realm "NULL"
> (10) [suffix] = noop
> (10) eap : EAP packet type response id 11 length 43
> (10) eap : Continuing tunnel setup.
> (10) [eap] = ok
> (10) } # authorize = ok
> (10) Found Auth-Type = EAP
> (10) # Executing group from file /etc/raddb/sites-enabled/default
> (10) authenticate {
> (10) eap : Expiring EAP session with state 0x0334791e0a3f6016
> (10) eap : Finished EAP session with state 0x0334791e0a3f6016
> (10) eap : Previous EAP request found for state 0x0334791e0a3f6016,
> released from the list
> (10) eap : Peer sent PEAP (25)
> (10) eap : EAP PEAP (25)
> (10) eap : Calling eap_peap to process EAP data
> (10) eap_peap : processing EAP-TLS
> (10) eap_peap : eaptls_verify returned 7
> (10) eap_peap : Done initial handshake
> (10) eap_peap : eaptls_process returned 7
> (10) eap_peap : FR_TLS_OK
> (10) eap_peap : Session established. Decoding tunneled attributes.
> (10) eap_peap : Peap state send tlv success
> (10) eap_peap : Received EAP-TLV response.
> (10) eap_peap : Success
> (10) eap_peap : Using saved attributes from the original Access-Accept
> User-Name = 'jdoe'
> (10) eap_peap : Saving session 6fbd6ba3e4a5f3cb6fd2bfafb19a96
> 703a87a8e0918021bcb2964916706b1160 vps 0x7fa42d6acd20 in the cache
> (10) eap : Freeing handler
> (10) [eap] = ok
> (10) } # authenticate = ok
> (10) # Executing section post-auth from file /etc/raddb/sites-enabled/
> default
> (10) post-auth {
> (10) ldap : EXPAND .
> (10) ldap : --> .
> (10) [ldap] = noop
> (10) [exec] = noop
> (10) remove_reply_message_if_eap remove_reply_message_if_eap {
> (10) if (reply:EAP-Message && reply:Reply-Message)
> (10) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
> (10) else else {
> (10) [noop] = noop
> (10) } # else else = noop
> (10) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
> (10) } # post-auth = noop
> Sending Access-Accept Id 52 from 10.1.1.12:1812 to 10.2.1.1:58610
> User-Name = 'jdoe'
> MS-MPPE-Recv-Key = 0x99b34de497ff17dac4331a85a849
> a8680c9a3c695079b19dcf6de08eeab4f5c1
> MS-MPPE-Send-Key = 0x9c028a05c41250acf630ee78ec80
> 65ba3c0471da457ecbe04aa382f39614f2d4
> EAP-Message = 0x030b0004
> Message-Authenticator = 0x00000000000000000000000000000000
> (10) Finished request
> Waking up in 4.3 seconds.
> (0) Cleaning up request packet ID 42 with timestamp +23
> (1) Cleaning up request packet ID 43 with timestamp +23
> (2) Cleaning up request packet ID 44 with timestamp +23
> (3) Cleaning up request packet ID 45 with timestamp +23
> (4) Cleaning up request packet ID 46 with timestamp +23
> (5) Cleaning up request packet ID 47 with timestamp +23
> (6) Cleaning up request packet ID 48 with timestamp +23
> (7) Cleaning up request packet ID 49 with timestamp +23
> (8) Cleaning up request packet ID 50 with timestamp +23
> (9) Cleaning up request packet ID 51 with timestamp +23
> (10) Cleaning up request packet ID 52 with timestamp +23
> Ready to process requests.
>
> -----Original Message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+dlietz=inghamisd.org at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Monday, May 14, 2018 4:08 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: passing Tunnel-Private-Group-ID
>
>
> > On May 14, 2018, at 3:34 PM, Daniel Lietz <dlietz at inghamisd.org> wrote:
> >
> > I have an existing freeradius version 1 server running on SLES
> > 11sp1/OES11 that I've been using to authenticate eDirectory users to an
> > Aruba SSID for the last 3 years. I have it configured so that the
> > tunnel-private-group-id for the user gets passed from the freeradius server
> > to the Aruba Instant controller
>
> How? And I don't mean in the Access-Accept.
>
> > Now, I'm trying to build a refresh version on SLES 12sp1 running
> > freeradius 3. I have authentication working, but when I authenticate
> > against the new server, the vlan tag is either not getting sent back
> > to the wireless controller or it's not getting read by the controller
> > correctly. There are enough differences between version 1 and 3 that I'm
> > not sure I haven't missed configuring something in the config files, but
> > I'm not sure what or where.
>
> Since you haven't posted the debug output, or even described what you
> did, we have no idea what's going wrong.
>
> http://wiki.freeradius.org/list-help
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
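The debug quoted above makes the gap visible: the tunneled Access-Challenge in request (8) carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id := '522', but the tunneled Access-Accept in request (9) and the outer Access-Accept in request (10) carry only User-Name, the MS-MPPE keys and EAP-Message, and eap_peap reports "Using saved attributes from the original Access-Accept: User-Name". Nothing ever moves the VLAN attributes from the inner-tunnel reply to the outer reply, so the controller puts the client on the native VLAN. The following is an added example of the copy Alan Buxey describes, not code from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.0.x unlang, the default file layout (/etc/raddb/sites-enabled/inner-tunnel) and that the VLAN attributes are present in &reply: of the inner tunnel when its post-auth section runs; the `reject` branch is an added policy choice, on the assumption that every user on this SSID must get a VLAN.

```unlang
#  Added example (not from the thread or the FreeRADIUS distribution):
#  post-auth section of /etc/raddb/sites-enabled/inner-tunnel.
#
#  Copy exactly the three attributes the NAS needs for dynamic VLAN
#  assignment to the outer reply.  Do not use "&outer.reply: += &reply:"
#  here: that would also push the inner EAP-Message, State and the
#  MS-MPPE keys of the inner MSCHAPv2 exchange into the outer
#  Access-Accept.  The outer keys must stay the ones eap_peap derives
#  from the TLS session (the 32-byte keys in request (10) above).
post-auth {
	if (&reply:Tunnel-Private-Group-Id) {
		update outer.reply {
			&Tunnel-Type := &reply:Tunnel-Type
			&Tunnel-Medium-Type := &reply:Tunnel-Medium-Type
			&Tunnel-Private-Group-Id := &reply:Tunnel-Private-Group-Id
		}
	}
	else {
		#  Nothing to copy: without these attributes the client lands
		#  on the native VLAN (VLAN 1, the AP management network in the
		#  debug).  Refuse rather than silently hand out the wrong
		#  network.  Assumption: a VLAN is mandatory for every user.
		reject
	}
}
```

Check after restarting radiusd -X: the three Tunnel-* attributes must appear in the block under "Sending Access-Accept Id ... from 10.1.1.12:1812 to 10.2.1.1:58610" for the outer request, next to User-Name and the MS-MPPE keys. If they do not, print &reply: at the top of the inner post-auth; in the debug above the attributes are only seen on the earlier tunneled Access-Challenge, so whatever adds them (the ldap lookup in the inner authorize) has to run on the final inner round as well, otherwise there is nothing to copy. The older `use_tunneled_reply = yes` switch in the peap section of mods-available/eap has the same prerequisite: it copies attributes from the inner Access-Accept, not from an earlier Access-Challenge.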