tlscache
Munroe Sollog
mus3 at lehigh.edu
Thu Aug 29 19:01:09 CEST 2019
I'm trying to enable tls caching on my radius server. the radius -X output
is included below. I'm also including some additional information for
reference. Looking at the debug output I see where the cache config is
loaded and it looks right to me. I don't see any errors around it.
I'm expecting to see a file in the tlscache folder after a successful auth,
however the folder remains empty.
# freeradius -v
radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
Apr 22 2019 at 21:23:36
FreeRADIUS Version 3.0.17
# ls -al /var/lib/radiusd
total 12
drwxr-xr-x 3 freerad freerad 4096 Aug 29 12:27 .
drwxr-xr-x 29 root root 4096 Aug 29 12:26 ..
drwxr-xr-x 2 freerad freerad 4096 Aug 29 12:27 tlscache
=============radius -X output=============
Ready to process requests
(0) Received Access-Request Id 0 from 128.180.10.10:37390 to
128.180.1.12:1812 length 126
(0) User-Name = "x19a19"
(0) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) NAS-IP-Address = 128.180.10.10
(0) EAP-Message = 0x0257000b01783139613139
(0) Message-Authenticator = 0x3a48dc0be2decd0e236d376f69ffe48a
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 87 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 88 length 6
(0) eap: EAP session adding &reply:State = 0xd5cab529d592ace4
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 0 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(0) EAP-Message = 0x015800061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xd5cab529d592ace4f6d40de07aff4d01
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 1 from 128.180.10.10:37390 to
128.180.1.12:1812 length 333
(1) User-Name = "x19a19"
(1) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) NAS-IP-Address = 128.180.10.10
(1) EAP-Message =
0x025800c81980000000be16030100b9010000b50303132d25755eaabb15aee43b60d657ccc2cc1fd1edb3aae7d48eaabd8658411197000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b00
(1) State = 0xd5cab529d592ace4f6d40de07aff4d01
(1) Message-Authenticator = 0xbd4519f715be469fa75c83986884eab7
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 88 length 200
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xd5cab529d592ace4
(1) eap: Finished EAP session with state 0xd5cab529d592ace4
(1) eap: Previous EAP request found for state 0xd5cab529d592ace4, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 190 bytes
(1) eap_peap: Got complete TLS record (190 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b9]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2 [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2 [length 02ff]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 89 length 1004
(1) eap: EAP session adding &reply:State = 0xd5cab529d493ace4
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 1 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(1) EAP-Message =
0x015903ec19c0000004a1160303003d020000390303dd83be8c2d3373ce58eee72115d28fd891a538ba5fcf3717444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ff0b0002fb0002f80002f5308202f1308201d9a00302010202146434b6d539827cbeb8e5394cc7
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xd5cab529d493ace4f6d40de07aff4d01
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 2 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139
(2) User-Name = "x19a19"
(2) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) NAS-IP-Address = 128.180.10.10
(2) EAP-Message = 0x025900061900
(2) State = 0xd5cab529d493ace4f6d40de07aff4d01
(2) Message-Authenticator = 0x7b647a04b11930721a7fe202c4e2db1d
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 89 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd5cab529d493ace4
(2) eap: Finished EAP session with state 0xd5cab529d493ace4
(2) eap: Previous EAP request found for state 0xd5cab529d493ace4, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 90 length 197
(2) eap: EAP session adding &reply:State = 0xd5cab529d790ace4
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 2 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(2) EAP-Message =
0x015a00c519009514387a2a99cbc5bc7bf00cd5a29c255b83772ba796b69dae86ff9b01f62cd587cd98518e7b3476015a262ecd457d3d4907b7ea5078d7f296d2f954319aa2bff38c213fd16268b2602ae9b69d9e89420a7a7232915386dac92e9f835425586551deb8019cfb47aca33d279ff611294f8b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd5cab529d790ace4f6d40de07aff4d01
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 3 from 128.180.10.10:37390 to
128.180.1.12:1812 length 269
(3) User-Name = "x19a19"
(3) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) NAS-IP-Address = 128.180.10.10
(3) EAP-Message =
0x025a008819800000007e1603030046100000424104fc5bb0a7a1c6d364acac1b9577d6da13d37ae7f5be2269a13a2dd8ff073c07355810fe52fe84b6478bf08c55e531ced723650d13c9c3eb6b6ccd8b9a303640be140303000101160303002850823d0b0711a0e3ca25a3d3c0b0608532302156d36f93
(3) State = 0xd5cab529d790ace4f6d40de07aff4d01
(3) Message-Authenticator = 0xb228fa99ab9bc2c005e4a529b3e61308
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 90 length 136
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd5cab529d790ace4
(3) eap: Finished EAP session with state 0xd5cab529d790ace4
(3) eap: Previous EAP request found for state 0xd5cab529d790ace4, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(3) eap_peap: Got complete TLS record (126 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: TLS_accept: SSLv3/TLS write server done
(3) eap_peap: <<< recv TLS 1.2 [length 0046]
(3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(3) eap_peap: <<< recv TLS 1.2 [length 0010]
(3) eap_peap: TLS_accept: SSLv3/TLS read finished
(3) eap_peap: >>> send TLS 1.2 [length 0001]
(3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(3) eap_peap: >>> send TLS 1.2 [length 0010]
(3) eap_peap: TLS_accept: SSLv3/TLS write finished
(3) eap_peap: (other): SSL negotiation finished successfully
(3) eap_peap: SSL Connection Established
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 91 length 57
(3) eap: EAP session adding &reply:State = 0xd5cab529d691ace4
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 3 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(3) EAP-Message =
0x015b0039190014030300010116030300284d99b5c3c5193bcc51b4aa1ed19ca2be71cfdb79c560a09d671240792b6456674737f95c176ab1d7
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xd5cab529d691ace4f6d40de07aff4d01
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 4 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139
(4) User-Name = "x19a19"
(4) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) NAS-IP-Address = 128.180.10.10
(4) EAP-Message = 0x025b00061900
(4) State = 0xd5cab529d691ace4f6d40de07aff4d01
(4) Message-Authenticator = 0xf00cd599fd7c7eb90b7e5382f9f10bde
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 91 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xd5cab529d691ace4
(4) eap: Finished EAP session with state 0xd5cab529d691ace4
(4) eap: Previous EAP request found for state 0xd5cab529d691ace4, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(4) eap_peap: [eaptls verify] = success
(4) eap_peap: [eaptls process] = success
(4) eap_peap: Session established. Decoding tunneled attributes
(4) eap_peap: PEAP state TUNNEL ESTABLISHED
(4) eap: Sending EAP Request (code 1) ID 92 length 40
(4) eap: EAP session adding &reply:State = 0xd5cab529d196ace4
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 4 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(4) EAP-Message =
0x015c00281900170303001d4d99b5c3c5193bcd9137302e88e4ffe708354e681dbf61a648e63395ac
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xd5cab529d196ace4f6d40de07aff4d01
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 5 from 128.180.10.10:37390 to
128.180.1.12:1812 length 175
(5) User-Name = "x19a19"
(5) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) NAS-IP-Address = 128.180.10.10
(5) EAP-Message =
0x025c002a1900170303001f50823d0b0711a0e49fe1c10b3d17b529a59955d132202ac16d913e01a58e73
(5) State = 0xd5cab529d196ace4f6d40de07aff4d01
(5) Message-Authenticator = 0x3f6f9dcc52fc81ba4a45772b1c6ffc6b
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 92 length 42
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xd5cab529d196ace4
(5) eap: Finished EAP session with state 0xd5cab529d196ace4
(5) eap: Previous EAP request found for state 0xd5cab529d196ace4, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: [eaptls verify] = ok
(5) eap_peap: Done initial handshake
(5) eap_peap: [eaptls process] = ok
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(5) eap_peap: Identity - x19a19
(5) eap_peap: Got inner identity 'x19a19'
(5) eap_peap: Setting default EAP type for tunneled EAP session
(5) eap_peap: Got tunneled request
(5) eap_peap: EAP-Message = 0x025c000b01783139613139
(5) eap_peap: Setting User-Name to x19a19
(5) eap_peap: Sending tunneled request to inner-tunnel
(5) eap_peap: EAP-Message = 0x025c000b01783139613139
(5) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_peap: User-Name = "x19a19"
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x025c000b01783139613139
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "x19a19"
(5) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(5) server inner-tunnel {
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 92 length 11
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_mschapv2 to process data
(5) eap_mschapv2: Issuing Challenge
(5) eap: Sending EAP Request (code 1) ID 93 length 43
(5) eap: EAP session adding &reply:State = 0x97ebaf3b97b6b5d2
(5) [eap] = handled
(5) } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c
(5) eap_peap: Got tunneled reply code 11
(5) eap_peap: EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137
(5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap: State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c
(5) eap_peap: Got tunneled reply RADIUS code 11
(5) eap_peap: EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137
(5) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap: State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c
(5) eap_peap: Got tunneled Access-Challenge
(5) eap: Sending EAP Request (code 1) ID 93 length 74
(5) eap: EAP session adding &reply:State = 0xd5cab529d097ace4
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 5 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(5) EAP-Message =
0x015d004a1900170303003f4d99b5c3c5193bced34dea26eb084492b33e0c0a8590d44411cccab329b81d25a3bb5c6eb0b98906ef940b0afff59de07f275f1743963056a5e713fdb5f1ae
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xd5cab529d097ace4f6d40de07aff4d01
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 6 from 128.180.10.10:37390 to
128.180.1.12:1812 length 229
(6) User-Name = "x19a19"
(6) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) NAS-IP-Address = 128.180.10.10
(6) EAP-Message =
0x025d00601900170303005550823d0b0711a0e5c1ab4673218f7703e98d7ae9be258bb253344c2b53be68a837fd1f45e10d7a14397b7f051e20d1c55158b3638b42b8acfb55492ce8a90ba4f38da594d8dd9148ed0e509eee492ac6e9ab270a94
(6) State = 0xd5cab529d097ace4f6d40de07aff4d01
(6) Message-Authenticator = 0xcd8033c23d61a2240a845706bbc692e2
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 93 length 96
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2
(6) eap: Finished EAP session with state 0xd5cab529d097ace4
(6) eap: Previous EAP request found for state 0xd5cab529d097ace4, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state phase2
(6) eap_peap: EAP method MSCHAPv2 (26)
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139
(6) eap_peap: Setting User-Name to x19a19
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "x19a19"
(6) eap_peap: State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c
(6) Virtual server inner-tunnel received request
(6) EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "x19a19"
(6) State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 93 length 65
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2
(6) eap: Finished EAP session with state 0x97ebaf3b97b6b5d2
(6) eap: Previous EAP request found for state 0x97ebaf3b97b6b5d2, released
from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) eap_mschapv2: authenticate {
(6) mschap: Creating challenge hash with username: x19a19
(6) mschap: Client is using MS-CHAPv2
(6) mschap: EXPAND %{mschap:User-Name}
(6) mschap: --> x19a19
rlm_mschap (mschap): Reserved connection (0)
(6) mschap: sending authentication request user='x19a19' domain='AD'
rlm_mschap (mschap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending
slots used
(6) mschap: Authenticated successfully
(6) mschap: Adding MS-CHAPv2 MPPE keys
(6) [mschap] = ok
(6) } # authenticate = ok
(6) MSCHAP Success
(6) eap: Sending EAP Request (code 1) ID 94 length 51
(6) eap: EAP session adding &reply:State = 0x97ebaf3b96b5b5d2
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 94 length 82
(6) eap: EAP session adding &reply:State = 0xd5cab529d394ace4
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 6 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(6) EAP-Message =
0x015e0052190017030300474d99b5c3c5193bcfed6bc205bbb3e97baa83ae82f585e2f28775992d1da91a9e8cba0c1a820eee27064fc71137c771a15c648a1dc5e69d794a37d671a294003a83ce621e4c9ca8
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xd5cab529d394ace4f6d40de07aff4d01
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 7 from 128.180.10.10:37390 to
128.180.1.12:1812 length 170
(7) User-Name = "x19a19"
(7) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) NAS-IP-Address = 128.180.10.10
(7) EAP-Message =
0x025e00251900170303001a50823d0b0711a0e6d862f400ba40e4e3346eb03ba1666f089bdb
(7) State = 0xd5cab529d394ace4f6d40de07aff4d01
(7) Message-Authenticator = 0x2187a05fc656d964f49bac68b0d01e1f
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 94 length 37
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2
(7) eap: Finished EAP session with state 0xd5cab529d394ace4
(7) eap: Previous EAP request found for state 0xd5cab529d394ace4, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x025e00061a03
(7) eap_peap: Setting User-Name to x19a19
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x025e00061a03
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "x19a19"
(7) eap_peap: State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x025e00061a03
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "x19a19"
(7) State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 94 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2
(7) eap: Finished EAP session with state 0x97ebaf3b96b5b5d2
(7) eap: Previous EAP request found for state 0x97ebaf3b96b5b5d2, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap: Sending EAP Success (code 3) ID 94 length 4
(7) eap: Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) post-auth {
(7) if (0) {
(7) if (0) -> FALSE
(7) } # post-auth = noop
(7) Login OK: [x19a19] (from client newguy port 0 via TLS tunnel)
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11
(7) MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d
(7) EAP-Message = 0x035e0004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "x19a19"
(7) eap_peap: Got tunneled reply code 2
(7) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap: MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11
(7) eap_peap: MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d
(7) eap_peap: EAP-Message = 0x035e0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: User-Name = "x19a19"
(7) eap_peap: Got tunneled reply RADIUS code 2
(7) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(7) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(7) eap_peap: MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11
(7) eap_peap: MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d
(7) eap_peap: EAP-Message = 0x035e0004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: User-Name = "x19a19"
(7) eap_peap: Tunneled authentication was successful
(7) eap_peap: SUCCESS
(7) eap_peap: Saving tunneled attributes for later
(7) eap: Sending EAP Request (code 1) ID 95 length 46
(7) eap: EAP session adding &reply:State = 0xd5cab529d295ace4
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 7 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(7) EAP-Message =
0x015f002e190017030300234d99b5c3c5193bd0e3e0b11c153c0a53c5faf2042fe8196c9af5cb39839e67021928c9
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xd5cab529d295ace4f6d40de07aff4d01
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 8 from 128.180.10.10:37390 to
128.180.1.12:1812 length 179
(8) User-Name = "x19a19"
(8) Calling-Station-Id = "00-0A-CD-31-6C-B4"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) NAS-IP-Address = 128.180.10.10
(8) EAP-Message =
0x025f002e1900170303002350823d0b0711a0e7d347b3a8a91250f7493bf70002a55422ab652f6755c4548e415fe6
(8) State = 0xd5cab529d295ace4f6d40de07aff4d01
(8) Message-Authenticator = 0x1a6e7c8c91c24cf2f319ba78834bf0a3
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "x19a19", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 95 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xd5cab529d295ace4
(8) eap: Finished EAP session with state 0xd5cab529d295ace4
(8) eap: Previous EAP request found for state 0xd5cab529d295ace4, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv success
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: Success
(8) eap_peap: Using saved attributes from the original Access-Accept
(8) eap_peap: User-Name = "x19a19"
(8) eap: Sending EAP Success (code 3) ID 95 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(8) post-auth {
(8) update {
(8) No attributes updated
(8) } # update = noop
(8) [exec] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) Login OK: [x19a19] (from client newguy port 0 cli 00-0A-CD-31-6C-B4)
(8) Sent Access-Accept Id 8 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0
(8) User-Name = "x19a19"
(8) MS-MPPE-Recv-Key =
0xed9fcdc627d86a2652543851d8f6e2cc7aca7e941eaaac46904ea2d5cae72824
(8) MS-MPPE-Send-Key =
0x8d5faa43ee07dc194f806593f94351a2c29933f4944df7044a49b984e13e65a3
(8) EAP-Message = 0x035f0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +3
(1) Cleaning up request packet ID 1 with timestamp +3
(2) Cleaning up request packet ID 2 with timestamp +3
(3) Cleaning up request packet ID 3 with timestamp +3
(4) Cleaning up request packet ID 4 with timestamp +3
(5) Cleaning up request packet ID 5 with timestamp +3
(6) Cleaning up request packet ID 6 with timestamp +3
(7) Cleaning up request packet ID 7 with timestamp +3
(8) Cleaning up request packet ID 8 with timestamp +3
Ready to process requests
--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
More information about the Freeradius-Users
mailing list