Stale Sessions Freeradius 3.0

Ryan Raamsumair ryan at uwiapartment.com
Wed Sep 5 19:05:09 CEST 2018


​I previously ran freeradius 2 incident free , having recently upgraded to freeradius 3 . I am bogged down with stale sessions
freeradius is already the newest version (3.0.12+dfsg-5+deb9u1).

The Nas are linksys accesspoints running on openwrt

If the user manually disconnects from the network , and acctstop is updated and the records close properly , but if the person walks away from the network no update is made

#######################################################################################################################################
Here is a snippet from the radacct table



138	5B801D36-00000A2C	e43af52ec2774d18313225d069f615ec	aarti_lutchmiesingh			161.0.155.238	9	Wireless-802.11	05/09/2018 10:23	05/09/2018 10:23	NULL	NULL	0	RADIUS	CONNECT 54Mbps 802.11g		0	0	00-25-9C-13-AF-58:Ryan 9 - Radius	10-F1-F2-0D-BC-43

168	5B801C20-00000E97	a893aa385671e09334072372c0904fdb	abd-al-qaadir_islam			161.0.155.238	9	Wireless-802.11	05/09/2018 10:30	05/09/2018 10:30	NULL	NULL	0	RADIUS	CONNECT 54Mbps 802.11g		0	0	00-25-9C-13-AF-58:Ryan 9 - Radius	10-F1-F2-0D-BC-43

You would have expected that because the calling station id is the same in both records that freeradius would have declared the older record a stale session
###############################################freeradius -X##########################################################################
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
 security {
 	user = "freerad"
 	group = "freerad"
 	allow_core_dumps = no
 }
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
}
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 16384
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
 	stripped_names = no
 	auth = no
 	auth_badpass = no
 	auth_goodpass = no
 	colourise = yes
 	msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth"
 	secret = <<< secret >>>
 	response_window = 20.000000
 	response_timeouts = 1
 	max_outstanding = 65536
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	check_timeout = 4
 	num_answers_to_alive = 3
 	revive_interval = 120
  limit {
  	max_connections = 16
  	max_requests = 0
  	lifetime = 0
  	idle_timeout = 0
  }
  coa {
  	irt = 2
  	mrt = 16
  	mrc = 5
  	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
 	ipaddr = *
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	nas_type = "cisco"
 	proto = "*"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client localhost_ipv6 {
 	ipv6addr = ::1
 	require_message_authenticator = no
 	secret = <<< secret >>>
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  	rcode = "reject"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  	rcode = "fail"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  	rcode = "ok"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  	rcode = "invalid"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  	rcode = "userlock"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  	rcode = "notfound"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  	rcode = "noop"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  	rcode = "updated"
  	simulcount = 0
  	mpp = no
  }
  # Loaded module rlm_exec
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
  # Loaded module rlm_sql
  # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  sql {
  	driver = "rlm_sql_mysql"
  	server = "localhost"
  	port = 3306
  	login = "root"
  	password = <<< secret >>>
  	radius_db = "radius"
  	read_groups = yes
  	read_profiles = yes
  	read_clients = yes
  	delete_stale_sessions = yes
  	sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
  	default_user_profile = ""
  	client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  	authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  	authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  	authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
  	authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
  	group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  	simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL "
  	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   accounting {
   	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
    type {
     accounting-on {
     	query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime	= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     accounting-off {
     	query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime	= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     start {
     	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	username, realm,			nasipaddress,		nasportid, nasporttype,acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 	acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, acctoutputoctets,	calledstationid, 	callingstationid, acctterminatecause,	servicetype,		framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
     }
     interim-update {
     	query = "UPDATE radacct SET acctstoptime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND callingstationid   = '%{Calling-Station-Id}'AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     stop {
     	query = "INSERT INTO radacctold SELECT * FROM radacct WHERE acctstoptime <> 'NULL'"
     }
    }
   }
   post-auth {
   	reference = ".query"
   	query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
   }
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  	use_mppe = yes
  	require_encryption = no
  	require_strong = no
  	with_ntdomain_hack = yes
   passchange {
   }
  	allow_retry = yes
  }
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  	filename = "/var/log/freeradius/sradutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 420
  	caller_id = no
  }
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  	default_eap_type = "md5"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  	format = "prefix"
  	delimiter = "/"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  	format = "suffix"
  	delimiter = "%"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  	format = "prefix"
  	delimiter = "\\"
  	ignore_default = no
  	ignore_null = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_detail
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 384
  	caller_id = yes
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  	filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  	acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  	preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  	normalise = yes
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  	filename = "/var/log/freeradius/linelog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = "This is a log message for %{User-Name}"
  	reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  	filename = "/var/log/freeradius/linelog-accounting"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  	minimum_timeout = 60
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  	driver = "rlm_cache_rbtree"
  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  	ttl = 15
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  	wait = yes
  	program = "/bin/echo %{User-Name}"
  	input_pairs = "request"
  	output_pairs = "reply"
  	shell_escape = yes
  }
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  	wait = yes
  	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  	shell_escape = yes
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  	hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  	dhcp = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  	filename = "/etc/passwd"
  	format = "*User-Name:Crypt-Password:"
  	delimiter = ":"
  	ignore_nislike = no
  	ignore_empty = yes
  	allow_multiple_keys = no
  	hash_size = 100
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  instantiate {
  }
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.26-MariaDB
   mysql {
    tls {
    }
   	warnings = "auto"
   }
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
   pool {
   	start = 5
   	min = 3
   	max = 32
   	spare = 10
   	uses = 0
   	lifetime = 0
   	cleanup_interval = 30
   	idle_timeout = 60
   	retry_delay = 30
   	spread = no
   }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
   	tls = "tls-common"
   }
   tls-config tls-common {
   	verify_depth = 0
   	ca_path = "/etc/freeradius/3.0/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
   	certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
   	ca_file = "/etc/ssl/certs/ca-certificates.crt"
   	private_key_password = <<< secret >>>
   	dh_file = "/etc/freeradius/3.0/certs/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = no
   	check_all_crl = no
   	cipher_list = "DEFAULT"
   	ecdh_curve = "prime256v1"
   	disable_tlsv1_2 = yes
    cache {
    	enable = yes
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
   	tls = "tls-common"
   	default_eap_type = "md5"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
   	tls = "tls-common"
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT". 
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT". 
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading session {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipaddr = 127.0.0.1
  	port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 59 from 131.100.39.166:51503 to 198.58.110.29:1812 length 239
(0)   User-Name = "sharisse_pragsingh"
(0)   NAS-Identifier = "Ryan4-2ghz-Radius"
(0)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 14
(0)   Calling-Station-Id = "80-4E-81-86-03-C5"
(0)   Connect-Info = "CONNECT 54Mbps 802.11g"
(0)   Acct-Session-Id = "B15D601DE21D9FFF"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x02b400170173686172697373655f7072616773696e6768
(0)   Message-Authenticator = 0x8d98008fc1b0cc92a987b3e7b23c0696
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 180 length 23
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 181 length 22
(0) eap: EAP session adding &reply:State = 0x5adb3d025a6e3931
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Sent Access-Challenge Id 59 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(0)   EAP-Message = 0x01b50016041063537c4fe2a0c46f29a02d18749c41c7
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x5adb3d025a6e3931aa88cfc6895d11e4
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 60 from 131.100.39.166:51503 to 198.58.110.29:1812 length 240
(1)   User-Name = "sharisse_pragsingh"
(1)   NAS-Identifier = "Ryan4-2ghz-Radius"
(1)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 14
(1)   Calling-Station-Id = "80-4E-81-86-03-C5"
(1)   Connect-Info = "CONNECT 54Mbps 802.11g"
(1)   Acct-Session-Id = "B15D601DE21D9FFF"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02b500060319
(1)   State = 0x5adb3d025a6e3931aa88cfc6895d11e4
(1)   Message-Authenticator = 0xb38a6583f2c160efa5d419c5b2d8454e
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 181 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(1) sql:    --> sharisse_pragsingh
(1) sql: SQL-User-Name set to 'sharisse_pragsingh'
rlm_sql (sql): Reserved connection (1)
(1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(1) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sharisse_pragsingh' ORDER BY id
(1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sharisse_pragsingh' ORDER BY id
(1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(1) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'sharisse_pragsingh' ORDER BY priority
(1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'sharisse_pragsingh' ORDER BY priority
(1) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(1)     [sql] = notfound
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password is available
(1)     [pap] = noop
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x5adb3d025a6e3931
(1) eap: Finished EAP session with state 0x5adb3d025a6e3931
(1) eap: Previous EAP request found for state 0x5adb3d025a6e3931, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 182 length 6
(1) eap: EAP session adding &reply:State = 0x5adb3d025b6d2431
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 60 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(1)   EAP-Message = 0x01b600061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x5adb3d025b6d2431aa88cfc6895d11e4
(1) Finished request
Waking up in 4.9 seconds.
^C
root at box:~# freeradius -X
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
 security {
 	user = "freerad"
 	group = "freerad"
 	allow_core_dumps = no
 }
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
}
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 16384
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = no
 log {
 	stripped_names = no
 	auth = no
 	auth_badpass = no
 	auth_goodpass = no
 	colourise = yes
 	msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth"
 	secret = <<< secret >>>
 	response_window = 20.000000
 	response_timeouts = 1
 	max_outstanding = 65536
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	check_timeout = 4
 	num_answers_to_alive = 3
 	revive_interval = 120
  limit {
  	max_connections = 16
  	max_requests = 0
  	lifetime = 0
  	idle_timeout = 0
  }
  coa {
  	irt = 2
  	mrt = 16
  	mrc = 5
  	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
 	ipaddr = *
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	nas_type = "cisco"
 	proto = "*"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client localhost_ipv6 {
 	ipv6addr = ::1
 	require_message_authenticator = no
 	secret = <<< secret >>>
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  	rcode = "reject"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  	rcode = "fail"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  	rcode = "ok"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  	rcode = "invalid"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  	rcode = "userlock"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  	rcode = "notfound"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  	rcode = "noop"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  	rcode = "updated"
  	simulcount = 0
  	mpp = no
  }
  # Loaded module rlm_exec
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
  # Loaded module rlm_sql
  # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  sql {
  	driver = "rlm_sql_mysql"
  	server = "localhost"
  	port = 3306
  	login = "root"
  	password = <<< secret >>>
  	radius_db = "radius"
  	read_groups = yes
  	read_profiles = yes
  	read_clients = yes
  	delete_stale_sessions = yes
  	sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
  	default_user_profile = ""
  	client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  	authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  	authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  	authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id"
  	authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id"
  	group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  	simul_count_query = "SELECT COUNT(*) FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL "
  	simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   accounting {
   	reference = "%{tolower:type.%{Acct-Status-Type}.query}"
    type {
     accounting-on {
     	query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime	= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     accounting-off {
     	query = "UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime	= '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress   = '%{NAS-IP-Address}' AND acctstarttime <= FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     start {
     	query = "INSERT INTO radacct (acctsessionid,		acctuniqueid,	username, realm,			nasipaddress,		nasportid, nasporttype,acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 	acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, acctoutputoctets,	calledstationid, 	callingstationid, acctterminatecause,	servicetype,		framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')"
     }
     interim-update {
     	query = "UPDATE radacct SET acctstoptime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND callingstationid   = '%{Calling-Station-Id}'AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})"
     }
     stop {
     	query = "INSERT INTO radacctold SELECT * FROM radacct WHERE acctstoptime <> 'NULL'"
     }
    }
   }
   post-auth {
   	reference = ".query"
   	query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
   }
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute SQL-Group
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  	use_mppe = yes
  	require_encryption = no
  	require_strong = no
  	with_ntdomain_hack = yes
   passchange {
   }
  	allow_retry = yes
  }
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  	filename = "/var/log/freeradius/sradutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 420
  	caller_id = no
  }
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  	default_eap_type = "md5"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  	filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  	radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  	format = "prefix"
  	delimiter = "/"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  	format = "suffix"
  	delimiter = "%"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  	format = "prefix"
  	delimiter = "\\"
  	ignore_default = no
  	ignore_null = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_detail
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  	filename = "/var/log/freeradius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 384
  	caller_id = yes
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  	filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  	acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  	preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  	normalise = yes
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  	filename = "/var/log/freeradius/linelog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = "This is a log message for %{User-Name}"
  	reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  	filename = "/var/log/freeradius/linelog-accounting"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  	minimum_timeout = 60
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  	driver = "rlm_cache_rbtree"
  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  	ttl = 15
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  	wait = yes
  	program = "/bin/echo %{User-Name}"
  	input_pairs = "request"
  	output_pairs = "reply"
  	shell_escape = yes
  }
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  	filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  	wait = yes
  	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  	shell_escape = yes
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  	huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  	hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  	dhcp = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  	filename = "/etc/passwd"
  	format = "*User-Name:Crypt-Password:"
  	delimiter = ":"
  	ignore_nislike = no
  	ignore_empty = yes
  	allow_multiple_keys = no
  	hash_size = 100
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  instantiate {
  }
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
rlm_sql_mysql: libmysql version: 10.1.26-MariaDB
   mysql {
    tls {
    }
   	warnings = "auto"
   }
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
   pool {
   	start = 5
   	min = 3
   	max = 32
   	spare = 10
   	uses = 0
   	lifetime = 0
   	cleanup_interval = 30
   	idle_timeout = 60
   	retry_delay = 30
   	spread = no
   }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
   	tls = "tls-common"
   }
   tls-config tls-common {
   	verify_depth = 0
   	ca_path = "/etc/freeradius/3.0/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
   	certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
   	ca_file = "/etc/ssl/certs/ca-certificates.crt"
   	private_key_password = <<< secret >>>
   	dh_file = "/etc/freeradius/3.0/certs/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = no
   	check_all_crl = no
   	cipher_list = "DEFAULT"
   	ecdh_curve = "prime256v1"
   	disable_tlsv1_2 = yes
    cache {
    	enable = yes
    	lifetime = 24
    	max_entries = 255
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
   	tls = "tls-common"
   	default_eap_type = "md5"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
   	tls = "tls-common"
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT". 
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT". 
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading session {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipaddr = 127.0.0.1
  	port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Ready to process requests
(0) Received Access-Request Id 61 from 131.100.39.166:51503 to 198.58.110.29:1812 length 430
(0)   User-Name = "sharisse_pragsingh"
(0)   NAS-Identifier = "Ryan4-2ghz-Radius"
(0)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 14
(0)   Calling-Station-Id = "80-4E-81-86-03-C5"
(0)   Connect-Info = "CONNECT 54Mbps 802.11g"
(0)   Acct-Session-Id = "B15D601DE21D9FFF"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x02b600c41980000000ba16030100b5010000b10301b03b81650d6cb379ba73d735073391bb8f9fbe87e64f28a843146c2c68a40a30000048c014c00a00390038c00fc0050035c013c00900330032c00ec004002fc011c007c00cc00200050004c012c00800160013c00dc003000a001500120009001400
(0)   State = 0x5adb3d025b6d2431aa88cfc6895d11e4
(0)   Message-Authenticator = 0x004581f9ac8035ff327e927eece6eb4d
(0) session-state: No cached attributes
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "sharisse_pragsingh", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 182 length 196
(0) eap: Continuing tunnel setup
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
rlm_eap (EAP): No EAP session matching state 0x5adb3d025b6d2431
(0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(0) eap: Failed in handler
(0)     [eap] = invalid
(0)   } # authenticate = invalid
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql:    --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(0) sql:    --> sharisse_pragsingh
(0) sql: SQL-User-Name set to 'sharisse_pragsingh'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sharisse_pragsingh', '', 'Access-Reject', '2018-09-05 13:02:17')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'sharisse_pragsingh', '', 'Access-Reject', '2018-09-05 13:02:17')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(0)     [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> sharisse_pragsingh
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
rlm_eap (EAP): No EAP session matching state 0x5adb3d025b6d2431
(0) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(0) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 61 from 198.58.110.29:1812 to 131.100.39.166:51503 length 20
Waking up in 3.9 seconds.
(1) Received Access-Request Id 62 from 131.100.39.166:51503 to 198.58.110.29:1812 length 231
(1)   User-Name = "victoria_ghool"
(1)   NAS-Identifier = "Ryan4-2ghz-Radius"
(1)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 15
(1)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(1)   Connect-Info = "CONNECT 54Mbps 802.11g"
(1)   Acct-Session-Id = "CEF73F6854ED0E37"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x027a001301766963746f7269615f67686f6f6c
(1)   Message-Authenticator = 0x6947e9245c529271a1a96a6c359860c0
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 122 length 19
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: Issuing MD5 Challenge
(1) eap: Sending EAP Request (code 1) ID 123 length 22
(1) eap: EAP session adding &reply:State = 0xc71cb679c767b212
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Sent Access-Challenge Id 62 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(1)   EAP-Message = 0x017b00160410587eb3fc850295c3b88924853c914dcb
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xc71cb679c767b212581da811d62e0aa7
(1) Finished request
Waking up in 3.2 seconds.
(2) Received Access-Request Id 63 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236
(2)   User-Name = "victoria_ghool"
(2)   NAS-Identifier = "Ryan4-2ghz-Radius"
(2)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   NAS-Port = 15
(2)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(2)   Connect-Info = "CONNECT 54Mbps 802.11g"
(2)   Acct-Session-Id = "CEF73F6854ED0E37"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x027b00060319
(2)   State = 0xc71cb679c767b212581da811d62e0aa7
(2)   Message-Authenticator = 0xd84dde2206036377d997e5645602c63a
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 123 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2)     [eap] = updated
(2) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(2) sql:    --> victoria_ghool
(2) sql: SQL-User-Name set to 'victoria_ghool'
rlm_sql (sql): Reserved connection (2)
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(2) sql: User found in radcheck table
(2) sql: Conditional check items matched, merging assignment check items
(2) sql:   Cleartext-Password := "WaterFalls16"
(2) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(2) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(2) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(2) sql: User found in the group table
(2) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(2) sql: Group "dialup": Conditional check items matched
(2) sql: Group "dialup": Merging assignment check items
(2) sql:   Simultaneous-Use := 200
(2) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(2) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(2) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(2) sql: Group "dialup": Merging reply items
rlm_sql (sql): Released connection (2)
rlm_sql (sql): Need 3 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (7), 1 of 25 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(2)     [sql] = ok
(2)     [expiration] = noop
(2)     [logintime] = noop
(2) pap: WARNING: Auth-Type already set.  Not setting to PAP
(2)     [pap] = noop
(2)   } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xc71cb679c767b212
(2) eap: Finished EAP session with state 0xc71cb679c767b212
(2) eap: Previous EAP request found for state 0xc71cb679c767b212, released from the list
(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Found mutually acceptable type PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Initiating new EAP-TLS session
(2) eap_peap: [eaptls start] = request
(2) eap: Sending EAP Request (code 1) ID 124 length 6
(2) eap: EAP session adding &reply:State = 0xc71cb679c660af12
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Sent Access-Challenge Id 63 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(2)   EAP-Message = 0x017c00061920
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xc71cb679c660af12581da811d62e0aa7
(2) Finished request
Waking up in 3.2 seconds.
(3) Received Access-Request Id 64 from 131.100.39.166:51503 to 198.58.110.29:1812 length 438
(3)   User-Name = "victoria_ghool"
(3)   NAS-Identifier = "Ryan4-2ghz-Radius"
(3)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   NAS-Port = 15
(3)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(3)   Connect-Info = "CONNECT 54Mbps 802.11g"
(3)   Acct-Session-Id = "CEF73F6854ED0E37"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x027c00d01980000000c616030100c1010000bd03015b900c1abde6f6c0ff7fe300f1015c8d8878387a955d4741fc03394c80d0b5a8000054c014c00ac022c02100390038c00fc0050035c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032c00ec004002fc011c007c00cc00200
(3)   State = 0xc71cb679c660af12581da811d62e0aa7
(3)   Message-Authenticator = 0x71a1c7e0502fa99ef80aad9d09ae88cc
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 124 length 208
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xc71cb679c660af12
(3) eap: Finished EAP session with state 0xc71cb679c660af12
(3) eap: Previous EAP request found for state 0xc71cb679c660af12, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 198 bytes
(3) eap_peap: Got complete TLS record (198 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: (other): before SSL initialization
(3) eap_peap: TLS_accept: before SSL initialization
(3) eap_peap: TLS_accept: before SSL initialization
(3) eap_peap: <<< recv TLS 1.2  [length 00c1] 
(3) eap_peap: TLS_accept: SSLv3/TLS read client hello
(3) eap_peap: >>> send TLS 1.0 Handshake [length 0039], ServerHello 
(3) eap_peap: TLS_accept: SSLv3/TLS write server hello
(3) eap_peap: >>> send TLS 1.0 Handshake [length 02fd], Certificate 
(3) eap_peap: TLS_accept: SSLv3/TLS write certificate
(3) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange 
(3) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(3) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone 
(3) eap_peap: TLS_accept: SSLv3/TLS write server done
(3) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(3) eap_peap: In SSL Handshake Phase
(3) eap_peap: In SSL Accept mode
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 125 length 1004
(3) eap: EAP session adding &reply:State = 0xc71cb679c561af12
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Sent Access-Challenge Id 64 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(3)   EAP-Message = 0x017d03ec19c00000049916030100390200003503010f4b49d9df3b30f484e30a9bee297f36fdcd022c065c567b3fa4e9da8980a0e900c01400000dff01000100000b00040300010216030102fd0b0002f90002f60002f3308202ef308201d7a00302010202090093b40acbed3d0944300d06092a864886
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xc71cb679c561af12581da811d62e0aa7
(3) Finished request
Waking up in 3.0 seconds.
(4) Received Access-Request Id 65 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236
(4)   User-Name = "victoria_ghool"
(4)   NAS-Identifier = "Ryan4-2ghz-Radius"
(4)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   NAS-Port = 15
(4)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(4)   Connect-Info = "CONNECT 54Mbps 802.11g"
(4)   Acct-Session-Id = "CEF73F6854ED0E37"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x027d00061900
(4)   State = 0xc71cb679c561af12581da811d62e0aa7
(4)   Message-Authenticator = 0x9e0cf5f848a983a0a9cd18e98d71905b
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 125 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xc71cb679c561af12
(4) eap: Finished EAP session with state 0xc71cb679c561af12
(4) eap: Previous EAP request found for state 0xc71cb679c561af12, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 126 length 189
(4) eap: EAP session adding &reply:State = 0xc71cb679c462af12
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Sent Access-Challenge Id 65 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(4)   EAP-Message = 0x017e00bd19004968fea2c5fdcee3fd5be12cf2782d130c9b165bd5e59681b1f2c8def9f0a730517a9dc0d7a47088149b7729b044838e53b0b2257179da8577bb6818004b4069fbb947f4ca24c61b2263f141f0da55088156257549347ddec48a790f4221680f7a9ef2943859b0b627a90ffe7217399d1e
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xc71cb679c462af12581da811d62e0aa7
(4) Finished request
Waking up in 2.9 seconds.
(5) Received Access-Request Id 66 from 131.100.39.166:51503 to 198.58.110.29:1812 length 374
(5)   User-Name = "victoria_ghool"
(5)   NAS-Identifier = "Ryan4-2ghz-Radius"
(5)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   NAS-Port = 15
(5)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(5)   Connect-Info = "CONNECT 54Mbps 802.11g"
(5)   Acct-Session-Id = "CEF73F6854ED0E37"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x027e009019800000008616030100461000004241041eea0b672ce9470e959ca5b2c3c1d3f70f8442cd51ace441ebfc536505f80e306265431fd3115f3bac064503060d272bc1ad184a2b83a46735a92195e1d0e8be14030100010116030100300a4c5d7cba81d687d1ba355636194f71abc703d87e923d
(5)   State = 0xc71cb679c462af12581da811d62e0aa7
(5)   Message-Authenticator = 0xe049f18183792f7d027fa2dacc74367a
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 126 length 144
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xc71cb679c462af12
(5) eap: Finished EAP session with state 0xc71cb679c462af12
(5) eap: Previous EAP request found for state 0xc71cb679c462af12, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange 
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished 
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] 
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished 
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 127 length 65
(5) eap: EAP session adding &reply:State = 0xc71cb679c363af12
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Sent Access-Challenge Id 66 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(5)   EAP-Message = 0x017f004119001403010001011603010030aafc4e1f3e70822a01839414449efaa8f10398f15118b7b64a47bc5f60a90ab1e44f83305881591220fb6973efdde0c2
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xc71cb679c363af12581da811d62e0aa7
(5) Finished request
Waking up in 2.8 seconds.
(6) Received Access-Request Id 67 from 131.100.39.166:51503 to 198.58.110.29:1812 length 236
(6)   User-Name = "victoria_ghool"
(6)   NAS-Identifier = "Ryan4-2ghz-Radius"
(6)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   NAS-Port = 15
(6)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(6)   Connect-Info = "CONNECT 54Mbps 802.11g"
(6)   Acct-Session-Id = "CEF73F6854ED0E37"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x027f00061900
(6)   State = 0xc71cb679c363af12581da811d62e0aa7
(6)   Message-Authenticator = 0x5f31b1ca41ac472e209f89eb73871d30
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 127 length 6
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xc71cb679c363af12
(6) eap: Finished EAP session with state 0xc71cb679c363af12
(6) eap: Previous EAP request found for state 0xc71cb679c363af12, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 128 length 43
(6) eap: EAP session adding &reply:State = 0xc71cb679c29caf12
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Sent Access-Challenge Id 67 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(6)   EAP-Message = 0x0180002b190017030100203c45cd1af0cfec87b4097b018f98e0a2b7b2c071ed2d3739878a9f76661bd858
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xc71cb679c29caf12581da811d62e0aa7
(6) Finished request
Waking up in 2.7 seconds.
(7) Received Access-Request Id 68 from 131.100.39.166:51503 to 198.58.110.29:1812 length 326
(7)   User-Name = "victoria_ghool"
(7)   NAS-Identifier = "Ryan4-2ghz-Radius"
(7)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   NAS-Port = 15
(7)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(7)   Connect-Info = "CONNECT 54Mbps 802.11g"
(7)   Acct-Session-Id = "CEF73F6854ED0E37"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x0280006019001703010020ce67d91a2bbfa70039f17489dac9d9706b096712c8615e170bc14a27c3cfc9961703010030c4b2434771097f53eaeaa9fb73fd74dea58ec4d6d2538ef34719a8e4dfb7dc7f351b2f88f02f4d6ccf061ec572902934
(7)   State = 0xc71cb679c29caf12581da811d62e0aa7
(7)   Message-Authenticator = 0x7d16dafcd8b302cf3175badc535a5001
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 128 length 96
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xc71cb679c29caf12
(7) eap: Finished EAP session with state 0xc71cb679c29caf12
(7) eap: Previous EAP request found for state 0xc71cb679c29caf12, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - victoria_ghool
(7) eap_peap: Got inner identity 'victoria_ghool'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x0280001301766963746f7269615f67686f6f6c
(7) eap_peap: Setting User-Name to victoria_ghool
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x0280001301766963746f7269615f67686f6f6c
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "victoria_ghool"
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x0280001301766963746f7269615f67686f6f6c
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "victoria_ghool"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 128 length 19
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7)       [eap] = ok
(7)     } # authorize = ok
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 129 length 43
(7) eap: EAP session adding &reply:State = 0x6581a8b46500b26d
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x6581a8b46500b26d4c1af2a42017fb07
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x6581a8b46500b26d4c1af2a42017fb07
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   EAP-Message = 0x0181002b1a0181002610808cabf382627e81820ea15bfbaba6c7667265657261646975732d332e302e3132
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0x6581a8b46500b26d4c1af2a42017fb07
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 129 length 75
(7) eap: EAP session adding &reply:State = 0xc71cb679c19daf12
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Sent Access-Challenge Id 68 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(7)   EAP-Message = 0x0181004b19001703010040c0f93c1efe819bde1f8e4b8963983def94ca8413d9d4906aa24a0b8d9801a16a7806dae013613bebaaa9771d490e93b0e92e9cc012179adb4f28ec55ab77bebc
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xc71cb679c19daf12581da811d62e0aa7
(7) Finished request
Waking up in 2.6 seconds.
(8) Received Access-Request Id 69 from 131.100.39.166:51503 to 198.58.110.29:1812 length 374
(8)   User-Name = "victoria_ghool"
(8)   NAS-Identifier = "Ryan4-2ghz-Radius"
(8)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   NAS-Port = 15
(8)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(8)   Connect-Info = "CONNECT 54Mbps 802.11g"
(8)   Acct-Session-Id = "CEF73F6854ED0E37"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x0281009019001703010020df6d7a0000dcf7cc20a56a5368b647a0b6cec88cf6d8f74c2e2b8dbc0b911e5917030100608bbbc2935bb16e42046a6b6361af98d62a8a9d8e72b01c52ecdaa8ad3ff528175f9530750744ee5c1f583f2235ae0845aa5114e78c61abd52ec36d574d8ae17ae660273165dfca
(8)   State = 0xc71cb679c19daf12581da811d62e0aa7
(8)   Message-Authenticator = 0xb8bcc788e454b8050fa7261dafa266ae
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 129 length 144
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x6581a8b46500b26d
(8) eap: Finished EAP session with state 0xc71cb679c19daf12
(8) eap: Previous EAP request found for state 0xc71cb679c19daf12, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c
(8) eap_peap: Setting User-Name to victoria_ghool
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "victoria_ghool"
(8) eap_peap:   State = 0x6581a8b46500b26d4c1af2a42017fb07
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x028100491a0281004431e717f6003bf96983c5c6510c1bb72230000000000000000064bb35523924120e94c7e0a57fd5ca1b6854cfe15242ab5000766963746f7269615f67686f6f6c
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "victoria_ghool"
(8)   State = 0x6581a8b46500b26d4c1af2a42017fb07
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 129 length 73
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(8) sql:    --> victoria_ghool
(8) sql: SQL-User-Name set to 'victoria_ghool'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql:   Cleartext-Password := "WaterFalls16"
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(8) sql: Group "dialup": Conditional check items matched
(8) sql: Group "dialup": Merging assignment check items
(8) sql:   Simultaneous-Use := 200
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(8) sql: Group "dialup": Merging reply items
rlm_sql (sql): Released connection (3)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (8), 1 of 24 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(8)       [sql] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x6581a8b46500b26d
(8) eap: Finished EAP session with state 0x6581a8b46500b26d
(8) eap: Previous EAP request found for state 0x6581a8b46500b26d, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_mschapv2:   authenticate {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: victoria_ghool
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8)     [mschap] = ok
(8)   } # authenticate = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 130 length 51
(8) eap: EAP session adding &reply:State = 0x6581a8b46403b26d
(8)       [eap] = handled
(8)     } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x6581a8b46403b26d4c1af2a42017fb07
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap:   EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   State = 0x6581a8b46403b26d4c1af2a42017fb07
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap:   EAP-Message = 0x018200331a0381002e533d36383835433941383230374535354644323637313932433135343339423931443733444345364444
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   State = 0x6581a8b46403b26d4c1af2a42017fb07
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 130 length 91
(8) eap: EAP session adding &reply:State = 0xc71cb679c09eaf12
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Sent Access-Challenge Id 69 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(8)   EAP-Message = 0x0182005b19001703010050a985e34fc1a70f310df4ef5e3b72f605227538370fb8d892624aca33ba5350b9bee8967259ebefe47093f381633227250ae0442af6513adb3a48a0997c64139f77e0d026024266b2a7f16ebb6b24ce8c
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xc71cb679c09eaf12581da811d62e0aa7
(8) Finished request
Waking up in 2.5 seconds.
(9) Received Access-Request Id 70 from 131.100.39.166:51503 to 198.58.110.29:1812 length 310
(9)   User-Name = "victoria_ghool"
(9)   NAS-Identifier = "Ryan4-2ghz-Radius"
(9)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   NAS-Port = 15
(9)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(9)   Connect-Info = "CONNECT 54Mbps 802.11g"
(9)   Acct-Session-Id = "CEF73F6854ED0E37"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x0282005019001703010020e7954ce1237c93bc33c537ee5de1cdf3c989932a72c5f7c1d390e81f4f4967f2170301002005669fd4c14eb3cf382aeceb5559628fbe5fdbb9c1a022a9cc280ff0a977b2f0
(9)   State = 0xc71cb679c09eaf12581da811d62e0aa7
(9)   Message-Authenticator = 0xb37e6b3b50cda656f799fa7e720e8d3c
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 130 length 80
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x6581a8b46403b26d
(9) eap: Finished EAP session with state 0xc71cb679c09eaf12
(9) eap: Previous EAP request found for state 0xc71cb679c09eaf12, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x028200061a03
(9) eap_peap: Setting User-Name to victoria_ghool
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap:   EAP-Message = 0x028200061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = "victoria_ghool"
(9) eap_peap:   State = 0x6581a8b46403b26d4c1af2a42017fb07
(9) Virtual server inner-tunnel received request
(9)   EAP-Message = 0x028200061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = "victoria_ghool"
(9)   State = 0x6581a8b46403b26d4c1af2a42017fb07
(9) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(9) server inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     authorize {
(9)       policy filter_username {
(9)         if (&User-Name) {
(9)         if (&User-Name)  -> TRUE
(9)         if (&User-Name)  {
(9)           if (&User-Name =~ / /) {
(9)           if (&User-Name =~ / /)  -> FALSE
(9)           if (&User-Name =~ /@[^@]*@/ ) {
(9)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)           if (&User-Name =~ /\.\./ ) {
(9)           if (&User-Name =~ /\.\./ )  -> FALSE
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)           if (&User-Name =~ /\.$/)  {
(9)           if (&User-Name =~ /\.$/)   -> FALSE
(9)           if (&User-Name =~ /@\./)  {
(9)           if (&User-Name =~ /@\./)   -> FALSE
(9)         } # if (&User-Name)  = notfound
(9)       } # policy filter_username = notfound
(9)       [chap] = noop
(9)       [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)       [suffix] = noop
(9)       update control {
(9)         &Proxy-To-Realm := LOCAL
(9)       } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 130 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [eap] = updated
(9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(9) sql:    --> victoria_ghool
(9) sql: SQL-User-Name set to 'victoria_ghool'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'victoria_ghool' ORDER BY id
(9) sql: User found in radcheck table
(9) sql: Conditional check items matched, merging assignment check items
(9) sql:   Cleartext-Password := "WaterFalls16"
(9) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(9) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(9) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'victoria_ghool' ORDER BY id
(9) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(9) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(9) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'victoria_ghool' ORDER BY priority
(9) sql: User found in the group table
(9) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(9) sql: Group "dialup": Conditional check items matched
(9) sql: Group "dialup": Merging assignment check items
(9) sql:   Simultaneous-Use := 200
(9) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(9) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(9) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(9) sql: Group "dialup": Merging reply items
rlm_sql (sql): Released connection (4)
(9)       [sql] = ok
(9)       [expiration] = noop
(9)       [logintime] = noop
(9) pap: WARNING: Auth-Type already set.  Not setting to PAP
(9)       [pap] = noop
(9)     } # authorize = updated
(9)   Found Auth-Type = eap
(9)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     authenticate {
(9) eap: Expiring EAP session with state 0x6581a8b46403b26d
(9) eap: Finished EAP session with state 0x6581a8b46403b26d
(9) eap: Previous EAP request found for state 0x6581a8b46403b26d, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 130 length 4
(9) eap: Freeing handler
(9)       [eap] = ok
(9)     } # authenticate = ok
(9)   # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     session {
(9) radutmp: EXPAND /var/log/freeradius/radutmp
(9) radutmp:    --> /var/log/freeradius/radutmp
(9) radutmp: EXPAND %{User-Name}
(9) radutmp:    --> victoria_ghool
(9)       [radutmp] = ok
(9)     } # session = ok
(9)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9)     post-auth {
(9) sql: EXPAND .query
(9) sql:    --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (0)
(9) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(9) sql:    --> victoria_ghool
(9) sql: SQL-User-Name set to 'victoria_ghool'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20')
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (0)
(9)       [sql] = ok
(9)     } # post-auth = ok
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9)   MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7
(9)   MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5
(9)   EAP-Message = 0x03820004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "victoria_ghool"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap:   MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7
(9) eap_peap:   MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5
(9) eap_peap:   EAP-Message = 0x03820004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = "victoria_ghool"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap:   MS-MPPE-Send-Key = 0x0b4231615ae3e7fd3094e5d39de5f7c7
(9) eap_peap:   MS-MPPE-Recv-Key = 0xe1301e846fcad9a1bf19018c4c9685e5
(9) eap_peap:   EAP-Message = 0x03820004
(9) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap:   User-Name = "victoria_ghool"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 131 length 43
(9) eap: EAP session adding &reply:State = 0xc71cb679cf9faf12
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found.  Ignoring.
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Sent Access-Challenge Id 70 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(9)   EAP-Message = 0x0183002b19001703010020896019e97c4c517d4b43048455c6d4b24634455babf837c0f3c810cba91b4dee
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0xc71cb679cf9faf12581da811d62e0aa7
(9) Finished request
Waking up in 2.4 seconds.
(10) Received Access-Request Id 71 from 131.100.39.166:51503 to 198.58.110.29:1812 length 310
(10)   User-Name = "victoria_ghool"
(10)   NAS-Identifier = "Ryan4-2ghz-Radius"
(10)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   NAS-Port = 15
(10)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(10)   Connect-Info = "CONNECT 54Mbps 802.11g"
(10)   Acct-Session-Id = "CEF73F6854ED0E37"
(10)   WLAN-Pairwise-Cipher = 1027076
(10)   WLAN-Group-Cipher = 1027076
(10)   WLAN-AKM-Suite = 1027073
(10)   Framed-MTU = 1400
(10)   EAP-Message = 0x028300501900170301002030b46d3fb23de6d64752535400d6c85cc571b653dff298fa8e02b035b81af742170301002098a80a7152effcca6ce046b82f56bac2f0b6a0401152ef8d0913b759967467c2
(10)   State = 0xc71cb679cf9faf12581da811d62e0aa7
(10)   Message-Authenticator = 0x8d8212058640174b75086cdc61a75764
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 131 length 80
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0xc71cb679cf9faf12
(10) eap: Finished EAP session with state 0xc71cb679cf9faf12
(10) eap: Previous EAP request found for state 0xc71cb679cf9faf12, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 131 length 4
(10) eap: Freeing handler
(10)     [eap] = ok
(10)   } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(10)   post-auth {
(10)     update {
(10)       No attributes updated
(10)     } # update = noop
(10) sql: EXPAND .query
(10) sql:    --> .query
(10) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5)
(10) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(10) sql:    --> victoria_ghool
(10) sql: SQL-User-Name set to 'victoria_ghool'
(10) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(10) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20')
(10) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'victoria_ghool', '', 'Access-Accept', '2018-09-05 13:02:20')
(10) sql: SQL query returned: success
(10) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5)
(10)     [sql] = ok
(10)     [exec] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # post-auth = ok
(10) Sent Access-Accept Id 71 from 198.58.110.29:1812 to 131.100.39.166:51503 length 0
(10)   MS-MPPE-Recv-Key = 0xdf747ac6983392d3d7afa992005a997ce771acde2adb324435a5122646fd4a62
(10)   MS-MPPE-Send-Key = 0xf261857a7080c8e095f9530acf7b2544aa4c30094dd9a66ba546c29181ad9472
(10)   EAP-Message = 0x03830004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = "victoria_ghool"
(10) Finished request
Waking up in 2.3 seconds.
(11) Received Accounting-Request Id 72 from 131.100.39.166:64857 to 198.58.110.29:1813 length 210
(11)   Acct-Status-Type = Start
(11)   Acct-Authentic = RADIUS
(11)   User-Name = "victoria_ghool"
(11)   NAS-Identifier = "Ryan4-2ghz-Radius"
(11)   Called-Station-Id = "16-91-82-C6-38-F7:Ryan4-Radius-N"
(11)   NAS-Port-Type = Wireless-802.11
(11)   Service-Type = Framed-User
(11)   NAS-Port = 15
(11)   Calling-Station-Id = "14-B4-84-40-1F-DC"
(11)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11)   Acct-Session-Id = "CEF73F6854ED0E37"
(11)   WLAN-Pairwise-Cipher = 1027076
(11)   WLAN-Group-Cipher = 1027076
(11)   WLAN-AKM-Suite = 1027073
(11)   Event-Timestamp = "Sep  5 2018 13:02:20 AST"
(11)   Acct-Delay-Time = 0
(11) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(11)   preacct {
(11)     [preprocess] = ok
(11)     policy acct_unique {
(11)       update request {
(11)         Tmp-String-9 := "ai:"
(11)       } # update request = noop
(11)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && 	    ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11)       EXPAND %{hex:&Class}
(11)          --> 
(11)       EXPAND ^%{hex:&Tmp-String-9}
(11)          --> ^61693a
(11)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && 	    ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(11)       else {
(11)         update request {
(11)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11)              --> 5ffef8deb1d414c7ab9813cb06977e5a
(11)           &Acct-Unique-Session-Id := 5ffef8deb1d414c7ab9813cb06977e5a
(11)         } # update request = noop
(11)       } # else = noop
(11)     } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "victoria_ghool", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11)     [files] = noop
(11)   } # preacct = ok
(11) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(11)   accounting {
(11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail:    --> /var/log/freeradius/radacct/131.100.39.166/detail-20180905
(11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/131.100.39.166/detail-20180905
(11) detail: EXPAND %t
(11) detail:    --> Wed Sep  5 13:02:20 2018
(11)     [detail] = ok
(11)     [unix] = ok
(11) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(11) sql:    --> type.start.query
(11) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(11) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(11) sql:    --> victoria_ghool
(11) sql: SQL-User-Name set to 'victoria_ghool'
(11) sql: EXPAND INSERT INTO radacct (acctsessionid,		acctuniqueid,	username, realm,			nasipaddress,		nasportid, nasporttype,acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 	acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, acctoutputoctets,	calledstationid, 	callingstationid, acctterminatecause,	servicetype,		framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(11) sql:    --> INSERT INTO radacct (acctsessionid,		acctuniqueid,	username, realm,			nasipaddress,		nasportid, nasporttype,acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 	acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, acctoutputoctets,	calledstationid, 	callingstationid, acctterminatecause,	servicetype,		framedprotocol, framedipaddress) VALUES ('CEF73F6854ED0E37', '5ffef8deb1d414c7ab9813cb06977e5a', 'victoria_ghool', '', '131.100.39.166', '15', 'Wireless-802.11', FROM_UNIXTIME(1536166940), FROM_UNIXTIME(1536166940), NULL, '0', 'RADIUS', 'CONNECT 54Mbps 802.11g', '', '0', '0', '16-91-82-C6-38-F7:Ryan4-Radius-N', '14-B4-84-40-1F-DC', '', 'Framed-User', '', '')
(11) sql: Executing query: INSERT INTO radacct (acctsessionid,		acctuniqueid,		username, realm,			nasipaddress,		nasportid, nasporttype,		acctstarttime,		acctupdatetime, acctstoptime,		acctsessiontime, 	acctauthentic, connectinfo_start,	connectinfo_stop, 	acctinputoctets, acctoutputoctets,	calledstationid, 	callingstationid, acctterminatecause,	servicetype,		framedprotocol, framedipaddress) VALUES ('CEF73F6854ED0E37', '5ffef8deb1d414c7ab9813cb06977e5a', 'victoria_ghool', '', '131.100.39.166', '15', 'Wireless-802.11', FROM_UNIXTIME(1536166940), FROM_UNIXTIME(1536166940), NULL, '0', 'RADIUS', 'CONNECT 54Mbps 802.11g', '', '0', '0', '16-91-82-C6-38-F7:Ryan4-Radius-N', '14-B4-84-40-1F-DC', '', 'Framed-User', '', '')
(11) sql: SQL query returned: success
(11) sql: 1 record(s) updated
rlm_sql (sql): Released connection (1)
(11)     [sql] = ok
(11)     [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response:    --> victoria_ghool
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11)     [attr_filter.accounting_response] = updated
(11)   } # accounting = updated
(11) Sent Accounting-Response Id 72 from 198.58.110.29:1813 to 131.100.39.166:64857 length 0
(11) Finished request
(11) Cleaning up request packet ID 72 with timestamp +13
Waking up in 2.1 seconds.
(0) Cleaning up request packet ID 61 with timestamp +10
Waking up in 1.7 seconds.
(1) Cleaning up request packet ID 62 with timestamp +12
(2) Cleaning up request packet ID 63 with timestamp +12
Waking up in 0.1 seconds.
(3) Cleaning up request packet ID 64 with timestamp +12
Waking up in 0.1 seconds.
(4) Cleaning up request packet ID 65 with timestamp +12
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 66 with timestamp +13
(6) Cleaning up request packet ID 67 with timestamp +13
(7) Cleaning up request packet ID 68 with timestamp +13
(8) Cleaning up request packet ID 69 with timestamp +13
(9) Cleaning up request packet ID 70 with timestamp +13
(10) Cleaning up request packet ID 71 with timestamp +13
Ready to process requests
(12) Received Access-Request Id 143 from 190.213.227.180:50909 to 198.58.110.29:1812 length 208
(12)   User-Name = "khadija_dyer"
(12)   NAS-Identifier = "ryan5"
(12)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(12)   NAS-Port-Type = Wireless-802.11
(12)   NAS-Port = 10
(12)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(12)   Connect-Info = "CONNECT 54Mbps 802.11g"
(12)   Acct-Session-Id = "5B801D36-00000A57"
(12)   WLAN-Pairwise-Cipher = 1027076
(12)   WLAN-Group-Cipher = 1027076
(12)   WLAN-AKM-Suite = 1027073
(12)   Framed-MTU = 1400
(12)   EAP-Message = 0x020e0011016b686164696a615f64796572
(12)   Message-Authenticator = 0x7f46c02a9fad1440fed4e171b00f99b3
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12)   authorize {
(12)     policy filter_username {
(12)       if (&User-Name) {
(12)       if (&User-Name)  -> TRUE
(12)       if (&User-Name)  {
(12)         if (&User-Name =~ / /) {
(12)         if (&User-Name =~ / /)  -> FALSE
(12)         if (&User-Name =~ /@[^@]*@/ ) {
(12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)         if (&User-Name =~ /\.\./ ) {
(12)         if (&User-Name =~ /\.\./ )  -> FALSE
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(12)         if (&User-Name =~ /\.$/)  {
(12)         if (&User-Name =~ /\.$/)   -> FALSE
(12)         if (&User-Name =~ /@\./)  {
(12)         if (&User-Name =~ /@\./)   -> FALSE
(12)       } # if (&User-Name)  = notfound
(12)     } # policy filter_username = notfound
(12)     [preprocess] = ok
(12)     [chap] = noop
(12)     [mschap] = noop
(12)     [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(12) suffix: No such realm "NULL"
(12)     [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 14 length 17
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12)     [eap] = ok
(12)   } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12)   authenticate {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_md5 to process data
(12) eap_md5: Issuing MD5 Challenge
(12) eap: Sending EAP Request (code 1) ID 15 length 22
(12) eap: EAP session adding &reply:State = 0xc25708d1c2580c43
(12)     [eap] = handled
(12)   } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found.  Ignoring.
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) Sent Access-Challenge Id 143 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(12)   EAP-Message = 0x010f001604102f7a86066ae4b6898f6ea80dc5614f73
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   State = 0xc25708d1c2580c4397c377255ce49eba
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 144 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215
(13)   User-Name = "khadija_dyer"
(13)   NAS-Identifier = "ryan5"
(13)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(13)   NAS-Port-Type = Wireless-802.11
(13)   NAS-Port = 10
(13)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(13)   Connect-Info = "CONNECT 54Mbps 802.11g"
(13)   Acct-Session-Id = "5B801D36-00000A57"
(13)   WLAN-Pairwise-Cipher = 1027076
(13)   WLAN-Group-Cipher = 1027076
(13)   WLAN-AKM-Suite = 1027073
(13)   Framed-MTU = 1400
(13)   EAP-Message = 0x020f00060319
(13)   State = 0xc25708d1c2580c4397c377255ce49eba
(13)   Message-Authenticator = 0x10748d6855404cef3ab315c6cceb925f
(13) session-state: No cached attributes
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(13)   authorize {
(13)     policy filter_username {
(13)       if (&User-Name) {
(13)       if (&User-Name)  -> TRUE
(13)       if (&User-Name)  {
(13)         if (&User-Name =~ / /) {
(13)         if (&User-Name =~ / /)  -> FALSE
(13)         if (&User-Name =~ /@[^@]*@/ ) {
(13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)         if (&User-Name =~ /\.\./ ) {
(13)         if (&User-Name =~ /\.\./ )  -> FALSE
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(13)         if (&User-Name =~ /\.$/)  {
(13)         if (&User-Name =~ /\.$/)   -> FALSE
(13)         if (&User-Name =~ /@\./)  {
(13)         if (&User-Name =~ /@\./)   -> FALSE
(13)       } # if (&User-Name)  = notfound
(13)     } # policy filter_username = notfound
(13)     [preprocess] = ok
(13)     [chap] = noop
(13)     [mschap] = noop
(13)     [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(13) suffix: No such realm "NULL"
(13)     [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 15 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13)     [eap] = updated
(13) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(13) sql:    --> khadija_dyer
(13) sql: SQL-User-Name set to 'khadija_dyer'
rlm_sql (sql): Reserved connection (6)
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'khadija_dyer' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'khadija_dyer' ORDER BY id
(13) sql: User found in radcheck table
(13) sql: Conditional check items matched, merging assignment check items
(13) sql:   Cleartext-Password := "sanghai123"
(13) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(13) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'khadija_dyer' ORDER BY id
(13) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'khadija_dyer' ORDER BY id
(13) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(13) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'khadija_dyer' ORDER BY priority
(13) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'khadija_dyer' ORDER BY priority
(13) sql: User found in the group table
(13) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(13) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(13) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dialup' ORDER BY id
(13) sql: Group "dialup": Conditional check items matched
(13) sql: Group "dialup": Merging assignment check items
(13) sql:   Simultaneous-Use := 200
(13) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(13) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(13) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dialup' ORDER BY id
(13) sql: Group "dialup": Merging reply items
rlm_sql (sql): Released connection (6)
rlm_sql (sql): Need 1 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (9), 1 of 23 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.26-MariaDB-0+deb9u1, protocol version 10
(13)     [sql] = ok
(13)     [expiration] = noop
(13)     [logintime] = noop
(13) pap: WARNING: Auth-Type already set.  Not setting to PAP
(13)     [pap] = noop
(13)   } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13)   authenticate {
(13) eap: Expiring EAP session with state 0xc25708d1c2580c43
(13) eap: Finished EAP session with state 0xc25708d1c2580c43
(13) eap: Previous EAP request found for state 0xc25708d1c2580c43, released from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new EAP-TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 16 length 6
(13) eap: EAP session adding &reply:State = 0xc25708d1c3471143
(13)     [eap] = handled
(13)   } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found.  Ignoring.
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13) Sent Access-Challenge Id 144 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(13)   EAP-Message = 0x011000061920
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xc25708d1c347114397c377255ce49eba
(13) Finished request
Waking up in 4.8 seconds.
(14) Received Access-Request Id 145 from 190.213.227.180:50909 to 198.58.110.29:1812 length 331
(14)   User-Name = "khadija_dyer"
(14)   NAS-Identifier = "ryan5"
(14)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(14)   NAS-Port-Type = Wireless-802.11
(14)   NAS-Port = 10
(14)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(14)   Connect-Info = "CONNECT 54Mbps 802.11g"
(14)   Acct-Session-Id = "5B801D36-00000A57"
(14)   WLAN-Pairwise-Cipher = 1027076
(14)   WLAN-Group-Cipher = 1027076
(14)   WLAN-AKM-Suite = 1027073
(14)   Framed-MTU = 1400
(14)   EAP-Message = 0x0210007a198000000070160301006b0100006703015b900c1fa1294d2f712a57cc2e7c771d13af866892ac510bf7fcd4bbf3ef1a66000018c014c0130035002fc00ac00900380032000a00130005000401000026000500050100000000000a0006000400170018000b000201000023000000170000ff01
(14)   State = 0xc25708d1c347114397c377255ce49eba
(14)   Message-Authenticator = 0x6345a7d3214c2a6e05da5b343c8dc40d
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(14)   authorize {
(14)     policy filter_username {
(14)       if (&User-Name) {
(14)       if (&User-Name)  -> TRUE
(14)       if (&User-Name)  {
(14)         if (&User-Name =~ / /) {
(14)         if (&User-Name =~ / /)  -> FALSE
(14)         if (&User-Name =~ /@[^@]*@/ ) {
(14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)         if (&User-Name =~ /\.\./ ) {
(14)         if (&User-Name =~ /\.\./ )  -> FALSE
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(14)         if (&User-Name =~ /\.$/)  {
(14)         if (&User-Name =~ /\.$/)   -> FALSE
(14)         if (&User-Name =~ /@\./)  {
(14)         if (&User-Name =~ /@\./)   -> FALSE
(14)       } # if (&User-Name)  = notfound
(14)     } # policy filter_username = notfound
(14)     [preprocess] = ok
(14)     [chap] = noop
(14)     [mschap] = noop
(14)     [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(14) suffix: No such realm "NULL"
(14)     [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 16 length 122
(14) eap: Continuing tunnel setup
(14)     [eap] = ok
(14)   } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14)   authenticate {
(14) eap: Expiring EAP session with state 0xc25708d1c3471143
(14) eap: Finished EAP session with state 0xc25708d1c3471143
(14) eap: Previous EAP request found for state 0xc25708d1c3471143, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 112 bytes
(14) eap_peap: Got complete TLS record (112 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: <<< recv TLS 1.2  [length 006b] 
(14) eap_peap: TLS_accept: SSLv3/TLS read client hello
(14) eap_peap: >>> send TLS 1.0 Handshake [length 003d], ServerHello 
(14) eap_peap: TLS_accept: SSLv3/TLS write server hello
(14) eap_peap: >>> send TLS 1.0 Handshake [length 02fd], Certificate 
(14) eap_peap: TLS_accept: SSLv3/TLS write certificate
(14) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange 
(14) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(14) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone 
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(14) eap_peap: In SSL Handshake Phase
(14) eap_peap: In SSL Accept mode
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 17 length 1004
(14) eap: EAP session adding &reply:State = 0xc25708d1c0461143
(14)     [eap] = handled
(14)   } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found.  Ignoring.
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14) Sent Access-Challenge Id 145 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(14)   EAP-Message = 0x011103ec19c00000049d160301003d020000390301b74dc1446b0af5692d41ad96c114341fcd709cbf06a29ef3a8c206920a7f740700c014000011ff01000100000b0004030001020017000016030102fd0b0002f90002f60002f3308202ef308201d7a00302010202090093b40acbed3d0944300d0609
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0xc25708d1c046114397c377255ce49eba
(14) Finished request
Waking up in 4.7 seconds.
(15) Received Access-Request Id 146 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215
(15)   User-Name = "khadija_dyer"
(15)   NAS-Identifier = "ryan5"
(15)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(15)   NAS-Port-Type = Wireless-802.11
(15)   NAS-Port = 10
(15)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(15)   Connect-Info = "CONNECT 54Mbps 802.11g"
(15)   Acct-Session-Id = "5B801D36-00000A57"
(15)   WLAN-Pairwise-Cipher = 1027076
(15)   WLAN-Group-Cipher = 1027076
(15)   WLAN-AKM-Suite = 1027073
(15)   Framed-MTU = 1400
(15)   EAP-Message = 0x021100061900
(15)   State = 0xc25708d1c046114397c377255ce49eba
(15)   Message-Authenticator = 0xd619840612e85bfb1a6b23f1a34af544
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15)   authorize {
(15)     policy filter_username {
(15)       if (&User-Name) {
(15)       if (&User-Name)  -> TRUE
(15)       if (&User-Name)  {
(15)         if (&User-Name =~ / /) {
(15)         if (&User-Name =~ / /)  -> FALSE
(15)         if (&User-Name =~ /@[^@]*@/ ) {
(15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)         if (&User-Name =~ /\.\./ ) {
(15)         if (&User-Name =~ /\.\./ )  -> FALSE
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(15)         if (&User-Name =~ /\.$/)  {
(15)         if (&User-Name =~ /\.$/)   -> FALSE
(15)         if (&User-Name =~ /@\./)  {
(15)         if (&User-Name =~ /@\./)   -> FALSE
(15)       } # if (&User-Name)  = notfound
(15)     } # policy filter_username = notfound
(15)     [preprocess] = ok
(15)     [chap] = noop
(15)     [mschap] = noop
(15)     [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(15) suffix: No such realm "NULL"
(15)     [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 17 length 6
(15) eap: Continuing tunnel setup
(15)     [eap] = ok
(15)   } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15)   authenticate {
(15) eap: Expiring EAP session with state 0xc25708d1c0461143
(15) eap: Finished EAP session with state 0xc25708d1c0461143
(15) eap: Previous EAP request found for state 0xc25708d1c0461143, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 18 length 193
(15) eap: EAP session adding &reply:State = 0xc25708d1c1451143
(15)     [eap] = handled
(15)   } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found.  Ignoring.
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) Sent Access-Challenge Id 146 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(15)   EAP-Message = 0x011200c11900c1994f5cf271aa2daa12e9f2817c2c2f654485d266fe39fa9eaaa39605b31ca371978fcebd6f8690e2fcd9d4ba51c3df3d3c67288940cd0fe34be8d8acdcbedd30a88e28ab4bf2c5b5b9a46cbba4e9f2aee5df7c3c3c7788910763ebb401a578499b6b533cb0bdd1ebf6bf4de421ae8fa4
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0xc25708d1c145114397c377255ce49eba
(15) Finished request
Waking up in 4.6 seconds.
(16) Received Access-Request Id 147 from 190.213.227.180:50909 to 198.58.110.29:1812 length 353
(16)   User-Name = "khadija_dyer"
(16)   NAS-Identifier = "ryan5"
(16)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(16)   NAS-Port-Type = Wireless-802.11
(16)   NAS-Port = 10
(16)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(16)   Connect-Info = "CONNECT 54Mbps 802.11g"
(16)   Acct-Session-Id = "5B801D36-00000A57"
(16)   WLAN-Pairwise-Cipher = 1027076
(16)   WLAN-Group-Cipher = 1027076
(16)   WLAN-AKM-Suite = 1027073
(16)   Framed-MTU = 1400
(16)   EAP-Message = 0x021200901980000000861603010046100000424104d3e55df7748455aa1f59972ddb1fc5ddafcf3a41412304355ae5b5bfefe491e65ad85a1282b37a160dadd3b6f62b14efe1ebf34c915096419b3a90af0c666ad5140301000101160301003094669adbca6f44c0295518dcc685f9bfe76a147a0b8f13
(16)   State = 0xc25708d1c145114397c377255ce49eba
(16)   Message-Authenticator = 0xb04d47d1d89fc4257e5caf60a87b2ae8
(16) session-state: No cached attributes
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(16)   authorize {
(16)     policy filter_username {
(16)       if (&User-Name) {
(16)       if (&User-Name)  -> TRUE
(16)       if (&User-Name)  {
(16)         if (&User-Name =~ / /) {
(16)         if (&User-Name =~ / /)  -> FALSE
(16)         if (&User-Name =~ /@[^@]*@/ ) {
(16)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(16)         if (&User-Name =~ /\.\./ ) {
(16)         if (&User-Name =~ /\.\./ )  -> FALSE
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(16)         if (&User-Name =~ /\.$/)  {
(16)         if (&User-Name =~ /\.$/)   -> FALSE
(16)         if (&User-Name =~ /@\./)  {
(16)         if (&User-Name =~ /@\./)   -> FALSE
(16)       } # if (&User-Name)  = notfound
(16)     } # policy filter_username = notfound
(16)     [preprocess] = ok
(16)     [chap] = noop
(16)     [mschap] = noop
(16)     [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(16) suffix: No such realm "NULL"
(16)     [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 18 length 144
(16) eap: Continuing tunnel setup
(16)     [eap] = ok
(16)   } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16)   authenticate {
(16) eap: Expiring EAP session with state 0xc25708d1c1451143
(16) eap: Finished EAP session with state 0xc25708d1c1451143
(16) eap: Previous EAP request found for state 0xc25708d1c1451143, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(16) eap_peap: Got complete TLS record (134 bytes)
(16) eap_peap: [eaptls verify] = length included
(16) eap_peap: TLS_accept: SSLv3/TLS write server done
(16) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange 
(16) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(16) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(16) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished 
(16) eap_peap: TLS_accept: SSLv3/TLS read finished
(16) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001] 
(16) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(16) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished 
(16) eap_peap: TLS_accept: SSLv3/TLS write finished
(16) eap_peap: (other): SSL negotiation finished successfully
(16) eap_peap: SSL Connection Established
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 19 length 65
(16) eap: EAP session adding &reply:State = 0xc25708d1c6441143
(16)     [eap] = handled
(16)   } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found.  Ignoring.
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) Sent Access-Challenge Id 147 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(16)   EAP-Message = 0x01130041190014030100010116030100309dcf0d560833f4bfae995b203594eaeeb6aada1a90414974a6caff215c1f9933a228a6f2488d66f01f411b1695224e82
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0xc25708d1c644114397c377255ce49eba
(16) Finished request
Waking up in 4.4 seconds.
(17) Received Access-Request Id 148 from 190.213.227.180:50909 to 198.58.110.29:1812 length 215
(17)   User-Name = "khadija_dyer"
(17)   NAS-Identifier = "ryan5"
(17)   Called-Station-Id = "10-6F-3F-0C-14-96:ryan5-radius"
(17)   NAS-Port-Type = Wireless-802.11
(17)   NAS-Port = 10
(17)   Calling-Station-Id = "D8-5D-E2-E3-A5-D9"
(17)   Connect-Info = "CONNECT 54Mbps 802.11g"
(17)   Acct-Session-Id = "5B801D36-00000A57"
(17)   WLAN-Pairwise-Cipher = 1027076
(17)   WLAN-Group-Cipher = 1027076
(17)   WLAN-AKM-Suite = 1027073
(17)   Framed-MTU = 1400
(17)   EAP-Message = 0x021300061900
(17)   State = 0xc25708d1c644114397c377255ce49eba
(17)   Message-Authenticator = 0x3e2a0e69af369d7b59528aba2cee0ce3
(17) session-state: No cached attributes
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(17)   authorize {
(17)     policy filter_username {
(17)       if (&User-Name) {
(17)       if (&User-Name)  -> TRUE
(17)       if (&User-Name)  {
(17)         if (&User-Name =~ / /) {
(17)         if (&User-Name =~ / /)  -> FALSE
(17)         if (&User-Name =~ /@[^@]*@/ ) {
(17)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(17)         if (&User-Name =~ /\.\./ ) {
(17)         if (&User-Name =~ /\.\./ )  -> FALSE
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(17)         if (&User-Name =~ /\.$/)  {
(17)         if (&User-Name =~ /\.$/)   -> FALSE
(17)         if (&User-Name =~ /@\./)  {
(17)         if (&User-Name =~ /@\./)   -> FALSE
(17)       } # if (&User-Name)  = notfound
(17)     } # policy filter_username = notfound
(17)     [preprocess] = ok
(17)     [chap] = noop
(17)     [mschap] = noop
(17)     [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "khadija_dyer", looking up realm NULL
(17) suffix: No such realm "NULL"
(17)     [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 19 length 6
(17) eap: Continuing tunnel setup
(17)     [eap] = ok
(17)   } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17)   authenticate {
(17) eap: Expiring EAP session with state 0xc25708d1c6441143
(17) eap: Finished EAP session with state 0xc25708d1c6441143
(17) eap: Previous EAP request found for state 0xc25708d1c6441143, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(17) eap_peap: [eaptls verify] = success
(17) eap_peap: [eaptls process] = success
(17) eap_peap: Session established.  Decoding tunneled attributes
(17) eap_peap: PEAP state TUNNEL ESTABLISHED
(17) eap: Sending EAP Request (code 1) ID 20 length 43
(17) eap: EAP session adding &reply:State = 0xc25708d1c7431143
(17)     [eap] = handled
(17)   } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found.  Ignoring.
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) Sent Access-Challenge Id 148 from 198.58.110.29:1812 to 190.213.227.180:50909 length 0
(17)   EAP-Message = 0x0114002b190017030100200e7023f8fee87ad2a50b75d94e03a5bdfa63221cc7a8e5f664d51da66a376caa
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0xc25708d1c743114397c377255ce49eba
(17) Finished request
Waking up in 4.3 seconds.
#######################################################################################################################################

Ill  post the contents of the configuration files

#######################################################################################################################################
# -*- text -*-
##
## clients.conf -- client configuration directives
##
##	$Id: 76b300d3c55f1c5c052289b76bf28ac3a370bbb2 $


client localhost {

	proto = *
	secret = whatever


	require_message_authenticator = no

	
	#
	nas_type	 = cisco	# localhost isn't usually a NAS...

		idle_timeout = 30
	}
}

# IPv6 Client
client localhost_ipv6 {
	ipv6addr	= ::1
	secret		= testing123
}

#######################################################################################################################################
# -*- text -*-
##
## sql.conf -- SQL modules
##
##	$Id: 4a59483c35c77f573fb177919e19ba4434cc3da1 $

######################################################################
#
#  Configuration for the SQL module
#
#  The database schemas and queries are located in subdirectories:
#
#	sql/<DB>/main/schema.sql	Schema
#	sql/<DB>/main/queries.conf	Authorisation and Accounting queries
#
#  Where "DB" is mysql, mssql, oracle, or postgresql.
#
#

sql {
	# The sub-module to use to execute queries. This should match
	# the database you're attempting to connect to.
	#
	#    * rlm_sql_mysql
	#    * rlm_sql_mssql
	#    * rlm_sql_oracle
	#    * rlm_sql_postgresql
	#    * rlm_sql_sqlite
	#    * rlm_sql_null (log queries to disk)
	#
	driver = "rlm_sql_mysql"


	dialect = "mysql"

	# Connection info:
	#
	server = "localhost"
	port = 3306
	login = "root"
	password = "**********"

	# Database table configuration for everything except Oracle
	radius_db = "radius"

	# If you are using Oracle then use this instead
#	radius_db = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))"

	# If you're using postgresql this can also be used instead of the connection info parameters
#	radius_db = "dbname=radius host=localhost user=radius password=raddpass"

        # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to
        # use SSL connections then use this form of connection info parameter
#	radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" 

	# If you want both stop and start records logged to the
	# same SQL table, leave this as is.  If you want them in
	# different tables, put the start table in acct_table1
	# and stop table in acct_table2
	acct_table1 = "radacct"
	acct_table2 = "radacct"
        acct_table3 = "radacctold"

	# Allow for storing data after authentication
	postauth_table = "radpostauth"

	# Tables containing 'check' items
	authcheck_table = "radcheck"
	groupcheck_table = "radgroupcheck"

	# Tables containing 'reply' items
	authreply_table = "radreply"
	groupreply_table = "radgroupreply"

	# Table to keep group info
	usergroup_table = "radusergroup"

	# If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table.
	# If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table.
	read_groups = yes

	# If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table.
	# If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table.
	read_profiles = yes

	# Remove stale session if checkrad does not see a double login
	delete_stale_sessions = yes

	# Write SQL queries to a logfile. This is potentially useful for tracing
	# issues with authorization queries.  See also "logfile" directives in
	# mods-config/sql/main/*/queries.conf.  You can enable per-section logging
	# by enabling "logfile" there, or global logging by enabling "logfile" here.
	#
	# Per-section logging can be disabled by setting "logfile = ''"
#	logfile = ${logdir}/sqllog.sql

	#  Set the maximum query duration and connection timeout
	#  for rlm_sql_mysql.
#	query_timeout = 5

	#  As of version 3.0, the "pool" section has replaced the
	#  following configuration items:
	#
	#  num_sql_socks
	#  connect_failure_retry_delay
	#  lifetime
	#  max_queries

	#
	#  The connection pool is new for 3.0, and will be used in many
	#  modules, for all kinds of connection-related activity.
	#
	# When the server is not threaded, the connection pool
	# limits are ignored, and only one connection is used.
	#
	# If you want to have multiple SQL modules re-use the same
	# connection pool, use "pool = name" instead of a "pool"
	# section.  e.g.
	#
	#	sql1 {
	#	    ...
	#	    pool {
	#	    	 ...
	#	    }
	#	}
	#
	#	# sql2 will use the connection pool from sql1
	#	sql2 {
	#	     ...
	#	     pool = sql1
	#	}
	#
	pool {
		#  Connections to create during module instantiation.
		#  If the server cannot create specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  database being available.
		start = ${thread[pool].start_servers}

		#  Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		#  Maximum number of connections
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		max = ${thread[pool].max_servers}

		#  Spare connections to be left idle
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		#  Number of uses before the connection is closed
		#
		#  0 means "infinite"
		uses = 0

		#  The number of seconds to wait after the server tries
		#  to open a connection, and fails.  During this time,
		#  no new connections will be opened.
		retry_delay = 30

		# The lifetime (in seconds) of the connection
		lifetime = 0

		#  idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		idle_timeout = 60

		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of "idle_timeout",
		#  "uses", or "lifetime", then the total number of
		#  connections MAY fall below "min".  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the "min" connections,
		#  or increase lifetime/idle_timeout.
	}

	# Set to 'yes' to read radius clients from the database ('nas' table)
	# Clients will ONLY be read on server startup.
	read_clients = yes

	# Table to keep radius client info
	client_table = "nas"

	#
	# The group attribute specific to this instance of rlm_sql
	#

	# This entry should be used for additional instances (sql foo {})
	# of the SQL module.
#	group_attribute = "${.:instance}-SQL-Group"

	# This entry should be used for the default instance (sql {})
	# of the SQL module.
	group_attribute = "SQL-Group"

	# Read database-specific queries
	$INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf

#######################################################################################################################################


# -*- text -*-
#
#  main/mysql/queries.conf-- MySQL configuration for default schema (schema.sql)
#
#  $Id: 40508024d5fd6a319bbb85775c3fe1e8388be656 $

# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
#safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"

#######################################################################
#  Connection config
#######################################################################
# The character set is not configurable. The default character set of
# the mysql client library is used. To control the character set,
# create/edit my.cnf (typically in /etc/mysql/my.cnf or /etc/my.cnf)
# and enter
# [client]
# default-character-set = utf8
#

#######################################################################
#  Query config:  Username
#######################################################################
# This is the username that will get substituted, escaped, and added
# as attribute 'SQL-User-Name'. '%{SQL-User-Name}' should be used below
# everywhere a username substitution is needed so you you can be sure
# the username passed from the client is escaped properly.
#
# Uncomment the next line, if you want the sql_user_name to mean:
#
#	Use Stripped-User-Name, if it's there.
#	Else use User-Name, if it's there,
#	Else use hard-coded string "DEFAULT" as the user name.
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
#
#sql_user_name = "%{User-Name}"

#######################################################################
# Default profile
#######################################################################
# This is the default profile. It is found in SQL by group membership.
# That means that this profile must be a member of at least one group
# which will contain the corresponding check and reply items.
# This profile will be queried in the authorize section for every user.
# The point is to assign all users a default profile without having to
# manually add each one to a group that will contain the profile.
# The SQL module will also honor the User-Profile attribute. This
# attribute can be set anywhere in the authorize section (ie the users
# file). It is found exactly as the default profile is found.
# If it is set then it will *overwrite* the default profile setting.
# The idea is to select profiles based on checks on the incoming packets,
# not on user group membership. For example:
# -- users file --
# DEFAULT	Service-Type == Outbound-User, User-Profile := "outbound"
# DEFAULT	Service-Type == Framed-User, User-Profile := "framed"
#
# By default the default_user_profile is not set
#
#default_user_profile = "DEFAULT"

#######################################################################
# NAS Query
#######################################################################
# This query retrieves the radius clients
#
# 0. Row ID (currently unused)
# 1. Name (or IP address)
# 2. Shortname
# 3. Type
# 4. Secret
# 5. Server
#######################################################################

client_query = "\
	SELECT id, nasname, shortname, type, secret, server \
	FROM ${client_table}"

#######################################################################
# Authorization Queries
#######################################################################
# These queries compare the check items for the user
# in ${authcheck_table} and setup the reply items in
# ${authreply_table}. You can use any query/tables
# you want, but the return data for each row MUST
# be in the following order:
#
# 0. Row ID (currently unused)
# 1. UserName/GroupName
# 2. Item Attr Name
# 3. Item Attr Value
# 4. Item Attr Operation
#######################################################################
# Use these for case sensitive usernames.

#authorize_check_query = "\
#	SELECT id, username, attribute, value, op \
#	FROM ${authcheck_table} \
#	WHERE username = BINARY '%{SQL-User-Name}' \
#	ORDER BY id"

#authorize_reply_query = "\
#	SELECT id, username, attribute, value, op \
#	FROM ${authreply_table} \
#	WHERE username = BINARY '%{SQL-User-Name}' \
#	ORDER BY id"

#
#  The default queries are case insensitive. (for compatibility with
#  older versions of FreeRADIUS)
#
authorize_check_query = "\
	SELECT id, username, attribute, value, op \
	FROM ${authcheck_table} \
	WHERE username = '%{SQL-User-Name}' \
	ORDER BY id"

authorize_reply_query = "\
	SELECT id, username, attribute, value, op \
	FROM ${authreply_table} \
	WHERE username = '%{SQL-User-Name}' \
	ORDER BY id"

#
#  Use these for case sensitive usernames.
#
#group_membership_query = "\
#	SELECT groupname \
#	FROM ${usergroup_table} \
#	WHERE username = BINARY '%{SQL-User-Name}' \
#	ORDER BY priority"

group_membership_query = "\
	SELECT groupname \
	FROM ${usergroup_table} \
	WHERE username = '%{SQL-User-Name}' \
	ORDER BY priority"

authorize_group_check_query = "\
	SELECT id, groupname, attribute, \
	Value, op \
	FROM ${groupcheck_table} \
	WHERE groupname = '%{${group_attribute}}' \
	ORDER BY id"

authorize_group_reply_query = "\
	SELECT id, groupname, attribute, \
	value, op \
	FROM ${groupreply_table} \
	WHERE groupname = '%{${group_attribute}}' \
	ORDER BY id"

#######################################################################
# Simultaneous Use Checking Queries
#######################################################################
# simul_count_query	- query for the number of current connections
#			- If this is not defined, no simultaneous use checking
#			- will be performed by this module instance
# simul_verify_query	- query to return details of current connections
#				for verification
#			- Leave blank or commented out to disable verification step
#			- Note that the returned field order should not be changed.
#######################################################################

simul_count_query = "\
	SELECT COUNT(*) \
	FROM ${acct_table1} \
	WHERE username = '%{SQL-User-Name}' \
	AND acctstoptime IS NULL "






simul_verify_query = "\
	SELECT \
		radacctid, acctsessionid, username, nasipaddress, nasportid, #framedipaddress, \
		callingstationid, framedprotocol \
	FROM ${acct_table1} \
	WHERE username = '%{SQL-User-Name}' \
	AND acctstoptime IS NULL"

#######################################################################
# Accounting and Post-Auth Queries
#######################################################################
# These queries insert/update accounting and authentication records.
# The query to use is determined by the value of 'reference'.
# This value is used as a configuration path and should resolve to one
# or more 'query's. If reference points to multiple queries, and a query
# fails, the next query is executed.
#
# Behaviour is identical to the old 1.x/2.x module, except we can now
# fail between N queries, and query selection can be based on any
# combination of attributes, or custom 'Acct-Status-Type' values.
#######################################################################
accounting {
	reference = "%{tolower:type.%{Acct-Status-Type}.query}"

	# Write SQL queries to a logfile. This is potentially useful for bulk inserts
	# when used with the rlm_sql_null driver.
#	logfile = ${logdir}/accounting.sql

	column_list = "\
		acctsessionid,		acctuniqueid,		username, \
		realm,			nasipaddress,		nasportid, \
		nasporttype,		acctstarttime,		acctupdatetime, \
		acctstoptime,		acctsessiontime, 	acctauthentic, \
		connectinfo_start,	connectinfo_stop, 	acctinputoctets, \
		acctoutputoctets,	calledstationid, 	callingstationid, \
		acctterminatecause,	servicetype,		framedprotocol, \
		framedipaddress"

	type {
		accounting-on {
			#
			#  Bulk terminate all sessions associated with a given NAS
			#
			query = "\
				UPDATE ${....acct_table1} \
				SET \
					acctstoptime = FROM_UNIXTIME(\
						%{integer:Event-Timestamp}), \
					acctsessiontime	= '%{integer:Event-Timestamp}' \
						- UNIX_TIMESTAMP(acctstarttime), \
					acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \
				WHERE acctstoptime IS NULL \
				AND nasipaddress   = '%{NAS-IP-Address}' \
				AND acctstarttime <= FROM_UNIXTIME(\
					%{integer:Event-Timestamp})"
		}

		accounting-off {
			query = "${..accounting-on.query}"
		}

		start {
			#
			#  Insert a new record into the sessions table
			#





			query = "\
				INSERT INTO ${....acct_table1} \
					(${...column_list}) \
				VALUES \
					('%{Acct-Session-Id}', \
					'%{Acct-Unique-Session-Id}', \
					'%{SQL-User-Name}', \
					'%{Realm}', \
					'%{NAS-IP-Address}', \
					'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
					'%{NAS-Port-Type}', \
					FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					NULL, \
					'0', \
					'%{Acct-Authentic}', \
					'%{Connect-Info}', \
					'', \
					'0', \
					'0', \
					'%{Called-Station-Id}', \
					'%{Calling-Station-Id}', \
					'', \
					'%{Service-Type}', \
					'%{Framed-Protocol}', \
					'%{Framed-IP-Address}')"

			#
			#  Key constraints prevented us from inserting a new session,
			#  use the alternate query to update an existing session.
			#
			query = "\
				UPDATE ${....acct_table1} SET \
					acctstarttime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					acctupdatetime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					connectinfo_start = '%{Connect-Info}' \
				WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
		


                query = "\
		UPDATE ${....acct_table1} SET \
		acctstoptime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), \
                acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \
		WHERE acctstoptime IS NULL \
	        AND callingstationid   = '%{Calling-Station-Id}'\
                AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})"


}

		interim-update {
			#
			#  Update an existing session and calculate the interval
			#  between the last data we received for the session and this
			#  update. This can be used to find stale sessions.
			#





query = "\
		UPDATE ${....acct_table1} SET \
		acctstoptime	= FROM_UNIXTIME(%{integer:Event-Timestamp}), \
                acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' \
		WHERE acctstoptime IS NULL \
	        AND callingstationid   = '%{Calling-Station-Id}'\
                AND acctstarttime IS NOT FROM_UNIXTIME(%{integer:Event-Timestamp})"



			query = "\
				UPDATE ${....acct_table1} \
				SET \
					acctupdatetime  = (@acctupdatetime_old:=acctupdatetime), \
					acctupdatetime  = FROM_UNIXTIME(\
						%{integer:Event-Timestamp}), \
					acctinterval    = %{integer:Event-Timestamp} - \
						UNIX_TIMESTAMP(@acctupdatetime_old), \
					framedipaddress = '%{Framed-IP-Address}', \
					acctsessiontime = %{%{Acct-Session-Time}:-NULL}, \
					acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' \
						<< 32 | '%{%{Acct-Input-Octets}:-0}', \
					acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
						<< 32 | '%{%{Acct-Output-Octets}:-0}' \
				WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

			#
			#  The update condition matched no existing sessions. Use
			#  the values provided in the update to create a new session.
			#
			query = "\
				INSERT INTO ${....acct_table1} \
					(${...column_list}) \
				VALUES \
					('%{Acct-Session-Id}', \
					'%{Acct-Unique-Session-Id}', \
					'%{SQL-User-Name}', \
					'%{Realm}', \
					'%{NAS-IP-Address}', \
					'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
					'%{NAS-Port-Type}', \
					FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), \
					FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					NULL, \
					%{%{Acct-Session-Time}:-NULL}, \
					'%{Acct-Authentic}', \
					'%{Connect-Info}', \
					'', \
					'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
					'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
					'%{Called-Station-Id}', \
					'%{Calling-Station-Id}', \
					'', \
					'%{Service-Type}', \
					'%{Framed-Protocol}', \
					'%{Framed-IP-Address}')"
		}

		stop {
			#
			#  Session has terminated, update the stop time and statistics.
			#
    ##########################################    delete taolle
                                query = "\
				INSERT INTO ${....acct_table3} \
                                SELECT * FROM ${....acct_table1} \
                                WHERE acctstoptime <> 'NULL'"




                                query = "\
				DELETE FROM ${....acct_table1} \
                                WHERE acctstoptime IS NOT NULL"


         


			query = "\
				UPDATE ${....acct_table2} SET \
					acctstoptime	= FROM_UNIXTIME(\
						%{integer:Event-Timestamp}), \
					acctsessiontime	= %{%{Acct-Session-Time}:-NULL}, \
					acctinputoctets	= '%{%{Acct-Input-Gigawords}:-0}' \
						<< 32 | '%{%{Acct-Input-Octets}:-0}', \
					acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' \
						<< 32 | '%{%{Acct-Output-Octets}:-0}', \
					acctterminatecause = '%{Acct-Terminate-Cause}', \
					connectinfo_stop = '%{Connect-Info}' \
				WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"

			#
			#  The update condition matched no existing sessions. Use
			#  the values provided in the update to create a new session.
			#
			query = "\
				INSERT INTO ${....acct_table2} \
					(${...column_list}) \
				VALUES \
					('%{Acct-Session-Id}', \
					'%{Acct-Unique-Session-Id}', \
					'%{SQL-User-Name}', \
					'%{Realm}', \
					'%{NAS-IP-Address}', \
					'%{%{NAS-Port-ID}:-%{NAS-Port}}', \
					'%{NAS-Port-Type}', \
					FROM_UNIXTIME(%{integer:Event-Timestamp} - %{%{Acct-Session-Time}:-0}), \
					FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					FROM_UNIXTIME(%{integer:Event-Timestamp}), \
					%{%{Acct-Session-Time}:-NULL}, \
					'%{Acct-Authentic}', \
					'', \
					'%{Connect-Info}', \
					'%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', \
					'%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', \
					'%{Called-Station-Id}', \
					'%{Calling-Station-Id}', \
					'%{Acct-Terminate-Cause}', \
					'%{Service-Type}', \
					'%{Framed-Protocol}', \
					'%{Framed-IP-Address}')"
		}
	}
}


#######################################################################
# Authentication Logging Queries
#######################################################################
# postauth_query	- Insert some info after authentication
#######################################################################

post-auth {
	# Write SQL queries to a logfile. This is potentially useful for bulk inserts
	# when used with the rlm_sql_null driver.
#	logfile = ${logdir}/post-auth.sql

	query =	"\
		INSERT INTO ${..postauth_table} \
			(username, pass, reply, authdate) \
		VALUES ( \
			'%{SQL-User-Name}', \
			'%{%{User-Password}:-%{Chap-Password}}', \
			'%{reply:Packet-Type}', \
			'%S')"


}

####################################################################################################################################

######################################################################
#
#	As of 2.0.0, FreeRADIUS supports virtual hosts using the
#	"server" section, and configuration directives.
#
#	Virtual hosts should be put into the "sites-available"
#	directory.  Soft links should be created in the "sites-enabled"
#	directory to these files.  This is done in a normal installation.
#
#	If you are using 802.1X (EAP) authentication, please see also
#	the "inner-tunnel" virtual server.  You will likely have to edit
#	that, too, for authentication to work.
#
#	$Id: 083407596aa5074d665adac9606e7de655b634aa $
#
######################################################################
#
#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.  See also "man unlang", which documents the format
#	of this file.
#
#	This configuration is designed to work in the widest possible
#	set of circumstances, with the widest possible number of
#	authentication methods.  This means that in general, you should
#	need to make very few changes to this file.
#
#	The best way to configure the server for your local system
#	is to CAREFULLY edit this file.  Most attempts to make large
#	edits to this file will BREAK THE SERVER.  Any edits should
#	be small, and tested by running the server with "radiusd -X".
#	Once the edits have been verified to work, save a copy of these
#	configuration files somewhere.  (e.g. as a "tar" file).  Then,
#	make more edits, and test, as above.
#
#	There are many "commented out" references to modules such
#	as ldap, sql, etc.  These references serve as place-holders.
#	If you need the functionality of that module, then configure
#	it in radiusd.conf, and un-comment the references to it in
#	this file.  In most cases, those small changes will result
#	in the server being able to connect to the DB, and to
#	authenticate users.
#
######################################################################

server default {
#
#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.
#
#  Each section make the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.
#
#  The server ignore all "listen" section if you are using '-i' and '-p'
#  on the command line.
#
listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file.  For examples, see
	#               raddb/sites-available/copy-acct-to-home-server
	#	status  listen for Status-Server packets.  For examples,
	#		see raddb/sites-available/status
	#	coa     listen for CoA-Request and Disconnect-Request
	#		packets.  For examples, see the file
	#		raddb/sites-available/coa
	#
	type = auth

	#  Note: "type = proxy" lets you control the source IP used for
	#        proxying packets, with some limitations:
	#
	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".
	#    * Any "clients" configuration will be ignored.
	#
	#  See also proxy.conf, and the "src_ipaddr" configuration entry
	#  in the sample "home_server" section.  When you specify the
	#  source IP address for packets sent to a home server, the
	#  proxy listeners are automatically created.

	#  ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
	#  Out of several options the first one will be used.
	#
	#  Allowed values are:
	#	IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
	#	IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
	#	hostname     (radius.example.com,
	#			A record for ipv4addr,
	#       		AAAA record for ipv6addr,
	#			A or AAAA record for ipaddr)
	#       wildcard     (*)
	#
	# ipv4addr = *
	# ipv6addr = *
	ipaddr = *

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address.  This feature isn't strictly necessary,
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".
	#
	#  If your system does not support this feature, you will
	#  get an error if you try to use it.
	#
#	interface = eth0

	#  Per-socket lists of clients.  This is a very useful feature.
	#
	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf.  Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.
	#
	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section.  Take care configuring
	#  this feature, to ensure you don't accidentally disable a
	#  client you need.
	#
	#  See clients.conf for the configuration of "per_socket_clients".
	#
#	clients = per_socket_clients

	#
	#  Connection limiting for sockets with "proto = tcp".
	#
	#  This section is ignored for other kinds of sockets.
	#
	limit {
	      #
	      #  Limit the number of simultaneous TCP connections to the socket
	      #
	      #  The default is 16.
	      #  Setting this to 0 means "no limit"
	      max_connections = 16

	      #  The per-socket "max_requests" option does not exist.

	      #
	      #  The lifetime, in seconds, of a TCP connection.  After
	      #  this lifetime, the connection will be closed.
	      #
	      #  Setting this to 0 means "forever".
	      lifetime = 0

	      #
	      #  The idle timeout, in seconds, of a TCP connection.
	      #  If no packets have been received over the connection for
	      #  this time, the connection will be closed.
	      #
	      #  Setting this to 0 means "no timeout".
	      #
	      #  We STRONGLY RECOMMEND that you set an idle timeout.
	      #
	      idle_timeout = 30
	}
}

#
#  This second "listen" section is for listening on the accounting
#  port, too.
#
listen {
	ipaddr = *
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients

	limit {
		#  The number of packets received can be rate limited via the
		#  "max_pps" configuration item.  When it is set, the server
		#  tracks the total number of packets received in the previous
		#  second.  If the count is greater than "max_pps", then the
		#  new packet is silently discarded.  This helps the server
		#  deal with overload situations.
		#
		#  The packets/s counter is tracked in a sliding window.  This
		#  means that the pps calculation is done for the second
		#  before the current packet was received.  NOT for the current
		#  wall-clock second, and NOT for the previous wall-clock second.
		#
		#  Useful values are 0 (no limit), or 100 to 10000.
		#  Values lower than 100 will likely cause the server to ignore
		#  normal traffic.  Few systems are capable of handling more than
		#  10K packets/s.
		#
		#  It is most useful for accounting systems.  Set it to 50%
		#  more than the normal accounting load, and you can be sure that
		#  the server will never get overloaded
		#
#		max_pps = 0

		# Only for "proto = tcp". These are ignored for "udp" sockets.
		#
#		idle_timeout = 0
#		lifetime = 0
#		max_connections = 0
	}
}

# IPv6 versions of the above - read their full config to understand options
listen {
	type = auth
	ipv6addr = ::	# any.  ::1 == localhost
	port = 0
#	interface = eth0
#	clients = per_socket_clients
	limit {
	      max_connections = 16
	      lifetime = 0
	      idle_timeout = 30
	}
}

listen {
	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients

	limit {
#		max_pps = 0
#		idle_timeout = 0
#		lifetime = 0
#		max_connections = 0
	}
}

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  Any changes made here should also be made to the "inner-tunnel"
#  virtual server.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
	#
	#  Take a User-Name, and perform some checks on it, for spaces and other
	#  invalid characters.  If the User-Name appears invalid, reject the
	#  request.
	#
	#  See policy.d/filter for the definition of the filter_username policy.
	#
	filter_username

	#
	#  Some broken equipment sends passwords with embedded zeros.
	#  i.e. the debug output will show
	#
	#	User-Password = "password\000\000"
	#
	#  This policy will fix it to just be "password".
	#
#	filter_password

	#
	#  The preprocess module takes care of sanitizing some bizarre
	#  attributes in the request, and turning them into attributes
	#  which are more standard.
	#
	#  It takes care of processing the 'raddb/mods-config/preprocess/hints' 
	#  and the 'raddb/mods-config/preprocess/huntgroups' files.
	preprocess

	#  If you intend to use CUI and you require that the Operator-Name
	#  be set for CUI generation and you want to generate CUI also
	#  for your local clients then uncomment the operator-name
	#  below and set the operator-name for your clients in clients.conf
#	operator-name

	#
	#  If you want to generate CUI for some clients that do not
	#  send proper CUI requests, then uncomment the
	#  cui below and set "add_cui = yes" for these clients in clients.conf
#	cui

	#
	#  If you want to have a log of authentication requests,
	#  un-comment the following line.
#	auth_log

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authenticate' section.
	digest

	#
	#  The WiMAX specification says that the Calling-Station-Id
	#  is 6 octets of the MAC.  This definition conflicts with
	#  RFC 3580, and all common RADIUS practices.  Un-commenting
	#  the "wimax" module here means that it will fix the
	#  Calling-Station-Id attribute to the normal format as
	#  specified in RFC 3580 Section 3.21
#	wimax

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	suffix
#	ntdomain

	#
	#  This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP
	#  authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  The EAP module returns "ok" if it is not yet ready to
	#  authenticate the user.  The configuration below checks for
	#  that code, and stops processing the "authorize" section if
	#  so.
	#
	#  Any LDAP and/or SQL servers will not be queried for the
	#  initial set of packets that go back and forth to set up
	#  TTLS or PEAP.
	#
	eap {
		ok = return
	}

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  mods-available/passwd module.
	#
#	unix

	#
	#  Read the 'users' file.  In v3, this is located in
	#  raddb/mods-config/files/authorize
	#files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in mods-available/sql
	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  configure the 'smbpasswd' module.
#	smbpasswd

	#
	#  The ldap module reads passwords from the LDAP database.
	-ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	#
	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap

	#
	#  If "status_server = yes", then Status-Server messages are passed
	#  through the following section, and ONLY the following section.
	#  This permits you to do DB queries, for example.  If the modules
	#  listed here return "fail", then NO response is sent.
	#
#	Autz-Type Status-Server {
#
#	}
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user (Auth-Type := Reject),
#  or to or forcibly accept the user (Auth-Type := Accept).
#
#  Note that Auth-Type := Accept will NOT work with EAP.
#
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  For old names, too.
	#
	mschap

	#
	#  If you have a Cisco SIP server authenticating against
	#  FreeRADIUS, uncomment the following line, and the 'digest'
	#  line in the 'authorize' section.
	digest

	#
	#  Pluggable Authentication Modules.
#	pam

	#  Uncomment it if you want to use ldap for authentication
	#
	#  Note that this means "check plain-text password against
	#  the ldap database", which means that EAP won't work,
	#  as it does not supply a plain-text password.
	#
	#  We do NOT recommend using this.  LDAP servers are databases.
	#  They are NOT authentication servers.  FreeRADIUS is an
	#  authentication server, and knows what to do with authentication.
	#  LDAP servers do not.
	#
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap

	#
	#  The older configurations sent a number of attributes in
	#  Access-Challenge packets, which wasn't strictly correct.
	#  If you want to filter out these attributes, uncomment
	#  the following lines.
	#
#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
preacct {
	preprocess

	#
	#  Merge Acct-[Input|Output]-Gigawords and Acct-[Input-Output]-Octets
	#  into a single 64bit counter Acct-[Input|Output]-Octets64.
	#
#	acct_counters64

	#
	#  Session start times are *implied* in RADIUS.
	#  The NAS never sends a "start time".  Instead, it sends
	#  a start packet, *possibly* with an Acct-Delay-Time.
	#  The server is supposed to conclude that the start time
	#  was "Acct-Delay-Time" seconds in the past.
	#
	#  The code below creates an explicit start time, which can
	#  then be used in other modules.  It will be *mostly* correct.
	#  Any errors are due to the 1-second resolution of RADIUS,
	#  and the possibility that the time on the NAS may be off.
	#
	#  The start time is: NOW - delay - session_length
	#

#	update request {
#	  	FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
#	}


	#
	#  Ensure that we have a semi-unique identifier for every
	#  request, and many NAS boxes are broken.
	acct_unique

	#
	#  Look for IPASS-style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
	#
	#  Accounting requests are generally proxied to the same
	#  home server as authentication requests.
#	IPASS
	suffix
#	ntdomain

	#
	#  Read the 'acct_users' file
	files
}

#
#  Accounting.  Log the accounting data.
#
accounting {
	#  Update accounting packet by adding the CUI attribute
	#  recorded from the corresponding Access-Accept
	#  use it only if your NAS boxes do not support CUI themselves
#	cui
	#
	#  Create a 'detail'ed log of the packets.
	#  Note that accounting requests which are proxied
	#  are also logged in the detail file.
	detail
#	daily

	#  Update the wtmp file
	#
	#  If you don't use "radlast", you can delete this line.
	unix

	#
	#  For Simultaneous-Use tracking.
	#
	#  Due to packet losses in the network, the data here
	#  may be incorrect.  There is little we can do about it.
	#radutmp
	#sradutmp

	#  Return an address to the IP Pool when we see a stop record.
#	main_pool

	#
	#  Log traffic to an SQL database.
	#
	#  See "Accounting queries" in mods-available/sql
	sql

	#
	#  If you receive stop packets with zero session length,
	#  they will NOT be logged in the database.  The SQL module
	#  will print a message (only in debugging mode), and will
	#  return "noop".
	#
	#  You can ignore these packets by uncommenting the following
	#  three lines.  Otherwise, the server will not respond to the
	#  accounting request, and the NAS will retransmit.
	#
#	if (noop) {
#		ok
#	}

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#  Cisco VoIP specific bulk accounting
#	pgsql-voip

	# For Exec-Program and Exec-Program-Wait
	exec

	#  Filter attributes from the accounting response.
	attr_filter.accounting_response

	#
	#  See "Autz-Type Status-Server" for how this works.
	#
#	Acct-Type Status-Server {
#
#	}
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#	radutmp

	#
	#  See "Simultaneous Use Checking Queries" in mods-available/sql
       sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	#
	#  If you need to have a State attribute, you can
	#  add it here.  e.g. for later CoA-Request with
	#  State, and Service-Type = Authorize-Only.
	#
#	if (!&reply:State) {
#		update reply {
#			State := "0x%{randstr:16h}"
#		}
#	}

	#
	#  For EAP-TTLS and PEAP, add the cached attributes to the reply.
	#  The "session-state" attributes are automatically cached when
	#  an Access-Challenge is sent, and automatically retrieved
	#  when an Access-Request is received.
	#
	#  The session-state attributes are automatically deleted after
	#  an Access-Reject or Access-Accept is sent.
	#
	update {
		&reply: += &session-state:
	}

	#  Get an address from the IP Pool.
#	main_pool


	#  Create the CUI value and add the attribute to Access-Accept.
	#  Uncomment the line below if *returning* the CUI.
#	cui

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and enable the
	#  'detail reply_log' module.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in mods-available/sql
	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you want to modify the user's object
	#  in LDAP after a successful login.
	#
#	ldap

	# For Exec-Program and Exec-Program-Wait
	exec

	#
	#  Calculate the various WiMAX keys.  In order for this to work,
	#  you will need to define the WiMAX NAI, usually via
	#
	#	update request {
	#	       WiMAX-MN-NAI = "%{User-Name}"
	#	}
	#
	#  If you want various keys to be calculated, you will need to
	#  update the reply with "template" values.  The module will see
	#  this, and replace the template values with the correct ones
	#  taken from the cryptographic calculations.  e.g.
	#
	# 	update reply {
	#		WiMAX-FA-RK-Key = 0x00
	#		WiMAX-MSK = "%{EAP-MSK}"
	#	}
	#
	#  You may want to delete the MS-MPPE-*-Keys from the reply,
	#  as some WiMAX clients behave badly when those attributes
	#  are included.  See "raddb/modules/wimax", configuration
	#  entry "delete_mppe_keys" for more information.
	#
#	wimax


	#  If there is a client certificate (EAP-TLS, sometimes PEAP
	#  and TTLS), then some attributes are filled out after the
	#  certificate verification has been performed.  These fields
	#  MAY be available during the authentication, or they may be
	#  available only in the "post-auth" section.
	#
	#  The first set of attributes contains information about the
	#  issuing certificate which is being used.  The second
	#  contains information about the client certificate (if
	#  available).
#
#	update reply {
#	       Reply-Message += "%{TLS-Cert-Serial}"
#	       Reply-Message += "%{TLS-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Cert-Subject}"
#	       Reply-Message += "%{TLS-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
#
#	       Reply-Message += "%{TLS-Client-Cert-Serial}"
#	       Reply-Message += "%{TLS-Client-Cert-Expiration}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject}"
#	       Reply-Message += "%{TLS-Client-Cert-Issuer}"
#	       Reply-Message += "%{TLS-Client-Cert-Common-Name}"
#	       Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
#	}

	#  Insert class attribute (with unique value) into response,
	#  aids matching auth and acct records, and protects against duplicate
	#  Acct-Session-Id. Note: Only works if the NAS has implemented
	#  RFC 2865 behaviour for the class attribute, AND if the NAS
	#  supports long Class attributes.  Many older or cheap NASes
	#  only support 16-octet Class attributes.
#	insert_acct_class

	#  MacSEC requires the use of EAP-Key-Name.  However, we don't
	#  want to send it for all EAP sessions.  Therefore, the EAP
	#  modules put required data into the EAP-Session-Id attribute.
	#  This attribute is never put into a request or reply packet.
	#
	#  Uncomment the next few lines to copy the required data into
	#  the EAP-Key-Name attribute
#	if (&reply:EAP-Session-Id) {
#		update reply {
#			EAP-Key-Name := &reply:EAP-Session-Id
#		}
#	}

	#  Remove reply message if the response contains an EAP-Message
	remove_reply_message_if_eap

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	#  The "session-state" attributes are not available here.
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		sql
		attr_filter.access_reject

		# Insert EAP-Failure message if the request was
		# rejected by policy instead of because of an
		# authentication failure
		eap

		#  Remove reply message if the response contains an EAP-Message
		remove_reply_message_if_eap
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
	# Before proxing the request add an Operator-Name attribute identifying
	# if the operator-name is found for this client.
	# No need to uncomment this if you have already enabled this in
	# the authorize section.
#	operator-name

	#  The client requests the CUI by sending a CUI attribute
	#  containing one zero byte.
	#  Uncomment the line below if *requesting* the CUI.
#	cui

	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap

	#
	#  If the server tries to proxy a request and fails, then the
	#  request is processed through the modules in this section.
	#
	#  The main use of this section is to permit robust proxying
	#  of accounting packets.  The server can be configured to
	#  proxy accounting packets as part of normal processing.
	#  Then, if the home server goes down, accounting packets can
	#  be logged to a local "detail" file, for processing with
	#  radrelay.  When the home server comes back up, radrelay
	#  will read the detail file, and send the packets to the
	#  home server.
	#
	#  With this configuration, the server always responds to
	#  Accounting-Requests from the NAS, but only writes
	#  accounting packets to disk if the home server is down.
	#
#	Post-Proxy-Type Fail-Accounting {
#			detail
#	}
}
}

####################################################################################################################################



# -*- text -*-
######################################################################
#
#	This is a virtual server that handles *only* inner tunnel
#	requests for EAP-TTLS and PEAP types.
#
#	$Id: 2c6f9611bfc7b4b782aeb9764e47e832690739c4 $
#
######################################################################

server inner-tunnel {

#
#  This next section is here to allow testing of the "inner-tunnel"
#  authentication methods, independently from the "default" server.
#  It is listening on "localhost", so that it can only be used from
#  the same machine.
#
#	$ radtest USER PASSWORD 127.0.0.1:18120 0 testing123
#
#  If it works, you have configured the inner tunnel correctly.  To check
#  if PEAP will work, use:
#
#	$ radtest -t mschap USER PASSWORD 127.0.0.1:18120 0 testing123
#
#  If that works, PEAP should work.  If that command doesn't work, then
#
#	FIX THE INNER TUNNEL CONFIGURATION SO THAT IT WORKS.
#
#  Do NOT do any PEAP tests.  It won't help.  Instead, concentrate
#  on fixing the inner tunnel configuration.  DO NOTHING ELSE.
#
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}


#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you
#  need to setup hints for the remote radius server
authorize {
	#
	#  Take a User-Name, and perform some checks on it, for spaces and other
	#  invalid characters.  If the User-Name appears invalid, reject the
	#  request.
	#
	#  See policy.d/filter for the definition of the filter_username policy.
	#
	filter_username

	#
	#  Do checks on outer / inner User-Name, so that users
	#  can't spoof us by using incompatible identities
	#
#	filter_inner_identity

	#
	#  The chap module will set 'Auth-Type := CHAP' if we are
	#  handling a CHAP request and Auth-Type has not already been set
	chap

	#
	#  If the users are logging in with an MS-CHAP-Challenge
	#  attribute for authentication, the mschap module will find
	#  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
	#  to the request, which will cause the server to then use
	#  the mschap module for authentication.
	mschap

	#
	#  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
	#  using the system API's to get the password.  If you want
	#  to read /etc/passwd or /etc/shadow directly, see the
	#  passwd module, above.
	#
#	unix

	#
	#  Look for IPASS style 'realm/', and if not found, look for
	#  '@realm', and decide whether or not to proxy, based on
	#  that.
#	IPASS

	#
	#  If you are using multiple kinds of realms, you probably
	#  want to set "ignore_null = yes" for all of them.
	#  Otherwise, when the first style of realm doesn't match,
	#  the other styles won't be checked.
	#
	#  Note that proxying the inner tunnel authentication means
	#  that the user MAY use one identity in the outer session
	#  (e.g. "anonymous", and a different one here
	#  (e.g. "user at example.com").  The inner session will then be
	#  proxied elsewhere for authentication.  If you are not
	#  careful, this means that the user can cause you to forward
	#  the authentication to another RADIUS server, and have the
	#  accounting logs *not* sent to the other server.  This makes
	#  it difficult to bill people for their network activity.
	#
	suffix
#	ntdomain

	#
	#  The "suffix" module takes care of stripping the domain
	#  (e.g. "@example.com") from the User-Name attribute, and the
	#  next few lines ensure that the request is not proxied.
	#
	#  If you want the inner tunnel request to be proxied, delete
	#  the next few lines.
	#
	update control {
		&Proxy-To-Realm := LOCAL
	}

	#
	#  This module takes care of EAP-MSCHAPv2 authentication.
	#
	#  It also sets the EAP-Type attribute in the request
	#  attribute list to the EAP type from the packet.
	#
	#  The example below uses module failover to avoid querying all
	#  of the following modules if the EAP module returns "ok".
	#  Therefore, your LDAP and/or SQL servers will not be queried
	#  for the many packets that go back and forth to set up TTLS
	#  or PEAP.  The load on those servers will therefore be reduced.
	#
	eap {
		ok = return
	}

	#
	#  Read the 'users' file
	#files

	#
	#  Look in an SQL database.  The schema of the database
	#  is meant to mirror the "users" file.
	#
	#  See "Authorization Queries" in sql.conf
	sql

	#
	#  If you are using /etc/smbpasswd, and are also doing
	#  mschap authentication, the un-comment this line, and
	#  enable the "smbpasswd" module.
#	smbpasswd

	#
	#  The ldap module reads passwords from the LDAP database.
	-ldap

	#
	#  Enforce daily limits on time spent logged in.
#	daily

	expiration
	logintime

	#
	#  If no other module has claimed responsibility for
	#  authentication, then try to use PAP.  This allows the
	#  other modules listed above to add a "known good" password
	#  to the request, and to do nothing else.  The PAP module
	#  will then see that password, and use it to do PAP
	#  authentication.
	#
	#  This module should be listed last, so that the other modules
	#  get a chance to set Auth-Type for themselves.
	#
	pap
}


#  Authentication.
#
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that a module from the 'authorize' section adds a configuration
#  attribute 'Auth-Type := FOO'.  That authentication type is then
#  used to pick the appropriate module from the list below.
#

#  In general, you SHOULD NOT set the Auth-Type attribute.  The server
#  will figure it out on its own, and will do the right thing.  The
#  most common side effect of erroneously setting the Auth-Type
#  attribute is that one authentication method will work, but the
#  others will not.
#
#  The common reasons to set the Auth-Type attribute by hand
#  is to either forcibly reject the user, or forcibly accept him.
#
authenticate {
	#
	#  PAP authentication, when a back-end database listed
	#  in the 'authorize' section supplies a password.  The
	#  password can be clear-text, or encrypted.
	Auth-Type PAP {
		pap
	}

	#
	#  Most people want CHAP authentication
	#  A back-end database listed in the 'authorize' section
	#  MUST supply a CLEAR TEXT password.  Encrypted passwords
	#  won't work.
	Auth-Type CHAP {
		chap
	}

	#
	#  MSCHAP authentication.
	Auth-Type MS-CHAP {
		mschap
	}

	#
	#  For old names, too.
	#
	mschap

	#
	#  Pluggable Authentication Modules.
#	pam

	# Uncomment it if you want to use ldap for authentication
	#
	# Note that this means "check plain-text password against
	# the ldap database", which means that EAP won't work,
	# as it does not supply a plain-text password.
	#
	#  We do NOT recommend using this.  LDAP servers are databases.
	#  They are NOT authentication servers.  FreeRADIUS is an
	#  authentication server, and knows what to do with authentication.
	#  LDAP servers do not.
	#
#	Auth-Type LDAP {
#		ldap
#	}

	#
	#  Allow EAP authentication.
	eap
}

######################################################################
#
#	There are no accounting requests inside of EAP-TTLS or PEAP
#	tunnels.
#
######################################################################


#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
	#radutmp

	#
	#  See "Simultaneous Use Checking Queries" in sql.conf
	sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
#
#  Note that the last packet of the inner-tunnel authentication
#  MAY NOT BE the last packet of the outer session.  So updating
#  the outer reply MIGHT work, and sometimes MIGHT NOT.  The
#  exact functionality depends on both the inner and outer
#  authentication methods.
#
#  If you need to send a reply attribute in the outer session,
#  the ONLY safe way is to set "use_tunneled_reply = yes", and
#  then update the inner-tunnel reply.
post-auth {
	#  If you want privacy to remain, see the
	#  Chargeable-User-Identity attribute from RFC 4372.
	#  If you want to use it just uncomment the line below.
#       cui-inner

	#
	#  If you want to have a log of authentication replies,
	#  un-comment the following line, and enable the
	#  'detail reply_log' module.
#	reply_log

	#
	#  After authenticating the user, do another SQL query.
	#
	#  See "Authentication Logging Queries" in sql.conf
	sql

	#
	#  Instead of sending the query to the SQL server,
	#  write it into a log file.
	#
#	sql_log

	#
	#  Un-comment the following if you have set
	#  'edir_account_policy_check = yes' in the ldap module sub-section of
	#  the 'modules' section.
	#
#	ldap


	#
	#  Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds
	#  IMPORTANT: This requires the UUID package to be installed!
	#
#	moonshot_host_tid
#	moonshot_realm_tid
#	moonshot_coi_tid

	#
	#  Instead of "use_tunneled_reply", uncomment the
	#  next two "update" blocks.
	#
#	update {
#		&outer.session-state: += &reply:
#	}

	#
	#  These attributes are for the inner session only.
	#  They MUST NOT be sent in the outer reply.
	#
	#  If you uncomment the previous block and leave
	#  this one commented out, WiFi WILL NOT WORK,
	#  because the client will get two MS-MPPE-keys
	#
#	update outer.session-state {
#		MS-MPPE-Encryption-Policy !* ANY
#		MS-MPPE-Encryption-Types !* ANY
#		MS-MPPE-Send-Key !* ANY
#		MS-MPPE-Recv-Key !* ANY
#		Message-Authenticator !* ANY
#		EAP-Message !* ANY
#		Proxy-State !* ANY
#	}

	#
	#  Access-Reject packets are sent through the REJECT sub-section of the
	#  post-auth section.
	#
	#  Add the ldap module name (or instance) if you have set
	#  'edir_account_policy_check = yes' in the ldap module configuration
	#
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		-sql
		attr_filter.access_reject

		#
		#  Let the outer session know which module failed, and why.
		#
		update outer.session-state {
			&Module-Failure-Message := &request:Module-Failure-Message
		}
	}
}

#
#  When the server decides to proxy a request to a home server,
#  the proxied request is first passed through the pre-proxy
#  stage.  This stage can re-write the request, or decide to
#  cancel the proxy.
#
#  Only a few modules currently have this method.
#
pre-proxy {
	#  Uncomment the following line if you want to change attributes
	#  as defined in the preproxy_users file.
#	files

	#  Uncomment the following line if you want to filter requests
	#  sent to remote servers based on the rules defined in the
	#  'attrs.pre-proxy' file.
#	attr_filter.pre-proxy

	#  If you want to have a log of packets proxied to a home
	#  server, un-comment the following line, and the
	#  'detail pre_proxy_log' section, above.
#	pre_proxy_log
}

#
#  When the server receives a reply to a request it proxied
#  to a home server, the request may be massaged here, in the
#  post-proxy stage.
#
post-proxy {

	#  If you want to have a log of replies from a home server,
	#  un-comment the following line, and the 'detail post_proxy_log'
	#  section, above.
#	post_proxy_log

	#  Uncomment the following line if you want to filter replies from
	#  remote proxies based on the rules defined in the 'attrs' file.
#	attr_filter.post-proxy

	#
	#  If you are proxying LEAP, you MUST configure the EAP
	#  module, and you MUST list it here, in the post-proxy
	#  stage.
	#
	#  You MUST also use the 'nostrip' option in the 'realm'
	#  configuration.  Otherwise, the User-Name attribute
	#  in the proxied request will not match the user name
	#  hidden inside of the EAP packet, and the end server will
	#  reject the EAP request.
	#
	eap
}

} # inner-tunnel server block

####################################################################################################################################

Any help would be gretly appreciated

Thanks Ryan



More information about the Freeradius-Users mailing list