Cannot get 802.1X EAP with mac-auth running
thomas heidkamp
profi-it at outlook.de
Thu Jul 4 09:34:45 CEST 2019
First I will describe my setup:
FreeRADIUS (daloRADIUS) running the latest release on CentOS 7, with authentication
against local MySQL as well as remote Microsoft ADS (LDAP) with ntlm_auth.
Everything works well with MAC-only auth as well as with user + pass 802.1X EAP accounts, both on local MySQL and on Microsoft ADS.
I am familiar with radiusd -X and will provide debug outputs.
I made these changes in /etc/raddb/mods-available/eap:
    ttls {
        copy_request_to_tunnel = yes
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
    }
/etc/raddb/mods-available/mschap:

    mschap {
        ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DETMOLD.WORTMANN.COM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
        passchange {
            ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
            ntlm_auth_username = "username: %{mschap:User-Name}"
            ntlm_auth_domain = "nt-domain: DETMOLD.WORTMANN.COM"
        }
    }
/etc/raddb/mods-available/ntlm_auth:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DETMOLD.WORTMANN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
    }
/etc/raddb/sites-available/inner-tunnel:

    authenticate {
        ntlm_auth
    }
/etc/raddb/policy.d/group_authorization:

    group_authorization {
        if (&Huntgroup-Name == "wo-byod") {
            if (&LDAP-Group[*] == "CN=wo-byod,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
                #reject
                ok
            }
            else {
                reject
            }
        }
        elsif (&Huntgroup-Name == "wo-secure") {
            if (&LDAP-Group[*] == "CN=wo-secure,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
                ok
            }
            else {
                reject
            }
        }
    }
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Now I would like to create an account with 802.1X EAP user + pass + MAC.
I created a user + pass on the local server (not Microsoft ADS) with the following attributes:

    Calling-Station-Id := XX:XX:YY: (MAC)
    MS-CHAP-Use-NTLM-Auth := No    # because this is a local user in MySQL, not a user on Microsoft ADS
-----------
Output of 802.1X user + pass + MAC auth (this does not work):
(0) Received Access-Request Id 178 from 192.168.70.15:18487 to 192.168.199.69:1812 length 369
(0) User-Name = "24:fb:65:69:06:af"
(0) User-Password = "24:fb:65:69:06:af"
(0) NAS-IP-Address = 192.168.70.63
(0) NAS-Identifier = "ruckuscontroller"
(0) Called-Station-Id = "34-FA-9F-BA-58-8F:test-radius-user+pass+mac"
(0) Calling-Station-Id = "24-FB-65-69-06-AF"
(0) Service-Type = Framed-User
(0) NAS-Port-Type = Wireless-802.11
(0) Location-Data = 0x31304445170a49542d53657276696365
(0) Ruckus-SSID = "test-radius-user+pass+mac"
(0) Ruckus-BSSID = 0x34fa9fba588f
(0) Ruckus-Location = "IT-Service"
(0) Ruckus-VLAN-ID = 1
(0) Ruckus-SCG-CBlade-IP = 3232253455
(0) Ruckus-Zone-Name = "Detmold"
(0) Attr-26.25053.154 = 0x576f72746d616e6e
(0) Ruckus-Wlan-Name = "test-radius-user+pass+mac"
(0) Message-Authenticator = 0xacdb9cb8915c51eabb275d3f52265694
(0) Chargeable-User-Identity = 0x00
(0) Proxy-State = 0x3230
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (name=24:fb:65:69:06:af)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=24:fb:65:69:06:af)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) policy group_authorization {
(0) if (&Huntgroup-Name == "wo-byod") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) elsif (&Huntgroup-Name == "wo-secure") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) } # policy group_authorization = notfound
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) EXPAND %{string:User-Password}
(0) --> 24:fb:65:69:06:af
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "24:fb:65:69:06:af", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> 24:fb:65:69:06:af
(0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: EXPAND /var/log/radius/sqllog.sql
(0) sql: --> /var/log/radius/sqllog.sql
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> 24:fb:65:69:06:af
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 178 from 192.168.199.69:1812 to 192.168.70.15:18487 length 24
(0) Proxy-State = 0x3230
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 178 with timestamp +21
Ready to process requests
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
And here is the output for 802.1X with user + pass (this works):
(0) Received Access-Request Id 118 from 192.168.70.15:18487 to 192.168.199.69:1812 length 370
(0) Acct-Session-Id = "5D1CA994-67A4B00F"
(0) User-Name = "wifitestmac01"
(0) NAS-IP-Address = 192.168.70.63
(0) NAS-Identifier = "ruckuscontroller"
(0) NAS-Port = 1
(0) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(0) Calling-Station-Id = "24-FB-65-69-06-AF"
(0) Location-Data = 0x31304445170a49542d53657276696365
(0) Service-Type = Framed-User
(0) Chargeable-User-Identity = 0x00
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 802.11a/n/ac"
(0) EAP-Message = 0x020000120177696669746573746d61633031
(0) Ruckus-SSID = "test-radius-user+pass"
(0) Ruckus-BSSID = 0x34fa9ffa588e
(0) Ruckus-Location = "IT-Service"
(0) Ruckus-VLAN-ID = 1
(0) Ruckus-SCG-CBlade-IP = 3232253455
(0) Ruckus-Zone-Name = "Detmold"
(0) Ruckus-Wlan-Name = "test-radius-user+pass"
(0) Message-Authenticator = 0x159a3af56a73ce0394ac2b647dab9fdc
(0) Proxy-State = 0x3636
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (name=wifitestmac01)
(0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = notfound
(0) policy group_authorization {
(0) if (&Huntgroup-Name == "wo-byod") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) elsif (&Huntgroup-Name == "wo-secure") {
(0) ERROR: Failed retrieving values required to evaluate condition
(0) } # policy group_authorization = notfound
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) policy filter_password {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(0) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 18
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0x3bd334c23bd22d5a
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 118 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(0) EAP-Message = 0x010100061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(0) Proxy-State = 0x3636
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 192 from 192.168.70.15:18487 to 192.168.199.69:1812 length 523
(1) Acct-Session-Id = "5D1CA994-67A4B00F"
(1) User-Name = "wifitestmac01"
(1) NAS-IP-Address = 192.168.70.63
(1) NAS-Identifier = "ruckuscontroller"
(1) NAS-Port = 1
(1) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(1) Calling-Station-Id = "24-FB-65-69-06-AF"
(1) Location-Data = 0x31304445170a49542d53657276696365
(1) Service-Type = Framed-User
(1) Chargeable-User-Identity = 0x00
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 802.11a/n/ac"
(1) EAP-Message = 0x0201009919800000008f160301008a010000860303835329bad69de11579396dd64e0f503fa00db84d3fa1677093e39b7a165697b600002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d001400120403
(1) State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
(1) Ruckus-SSID = "test-radius-user+pass"
(1) Ruckus-BSSID = 0x34fa9ffa588e
(1) Ruckus-Location = "IT-Service"
(1) Ruckus-VLAN-ID = 1
(1) Ruckus-SCG-CBlade-IP = 3232253455
(1) Ruckus-Zone-Name = "Detmold"
(1) Ruckus-Wlan-Name = "test-radius-user+pass"
(1) Message-Authenticator = 0x7bc819acb7da691a1924f0d0f7cdfe1c
(1) Proxy-State = 0x3637
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (name=wifitestmac01)
(1) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(1) [ldap] = notfound
(1) policy group_authorization {
(1) if (&Huntgroup-Name == "wo-byod") {
(1) ERROR: Failed retrieving values required to evaluate condition
(1) elsif (&Huntgroup-Name == "wo-secure") {
(1) ERROR: Failed retrieving values required to evaluate condition
(1) } # policy group_authorization = notfound
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) policy filter_password {
(1) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(1) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(1) } # policy filter_password = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 153
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x3bd334c23bd22d5a
(1) eap: Finished EAP session with state 0x3bd334c23bd22d5a
(1) eap: Previous EAP request found for state 0x3bd334c23bd22d5a, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 143 bytes
(1) eap_peap: Got complete TLS record (143 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.2 [length 008a]
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.2 [length 0039]
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.2 [length 08d3]
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.2 [length 014d]
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.2 [length 0004]
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0x3bd334c23ad12d5a
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 192 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(1) EAP-Message = 0x010203ec19c000000a7116030300390200003503038fd7c9ffc7d69edac5f51c36f36bb4cd3683efff8a28e5db6b9b61ec4e4b534100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(1) Proxy-State = 0x3637
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 219 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(2) Acct-Session-Id = "5D1CA994-67A4B00F"
(2) User-Name = "wifitestmac01"
(2) NAS-IP-Address = 192.168.70.63
(2) NAS-Identifier = "ruckuscontroller"
(2) NAS-Port = 1
(2) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(2) Calling-Station-Id = "24-FB-65-69-06-AF"
(2) Location-Data = 0x31304445170a49542d53657276696365
(2) Service-Type = Framed-User
(2) Chargeable-User-Identity = 0x00
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 802.11a/n/ac"
(2) EAP-Message = 0x020200061900
(2) State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
(2) Ruckus-SSID = "test-radius-user+pass"
(2) Ruckus-BSSID = 0x34fa9ffa588e
(2) Ruckus-Location = "IT-Service"
(2) Ruckus-VLAN-ID = 1
(2) Ruckus-SCG-CBlade-IP = 3232253455
(2) Ruckus-Zone-Name = "Detmold"
(2) Ruckus-Wlan-Name = "test-radius-user+pass"
(2) Message-Authenticator = 0xb247f926b23e2510c40d16d6cff0ecab
(2) Proxy-State = 0x3638
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
rlm_ldap (ldap): Reserved connection (2)
(2) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(2) ldap: --> (name=wifitestmac01)
(2) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(2) ldap: Waiting for search result...
(2) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(2) [ldap] = notfound
(2) policy group_authorization {
(2) if (&Huntgroup-Name == "wo-byod") {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) elsif (&Huntgroup-Name == "wo-secure") {
(2) ERROR: Failed retrieving values required to evaluate condition
(2) } # policy group_authorization = notfound
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) policy filter_password {
(2) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(2) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(2) } # policy filter_password = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x3bd334c23ad12d5a
(2) eap: Finished EAP session with state 0x3bd334c23ad12d5a
(2) eap: Previous EAP request found for state 0x3bd334c23ad12d5a, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0x3bd334c239d02d5a
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 219 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(2) EAP-Message = 0x010303e8194091bfa579e2faf519ba55b78dda4a69f41a426f5e0c2c6f73a6b54147ba90603059eb0e91ad1221d42cb94f40b2d6f4bfd1026f390833e0d09c94696b1b5bef8a50f83b31b6fff4e1a20004e8308204e4308203cca003020102020900fcbb37b2469beea7300d06092a864886f70d01010b
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(2) Proxy-State = 0x3638
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 32 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(3) Acct-Session-Id = "5D1CA994-67A4B00F"
(3) User-Name = "wifitestmac01"
(3) NAS-IP-Address = 192.168.70.63
(3) NAS-Identifier = "ruckuscontroller"
(3) NAS-Port = 1
(3) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(3) Calling-Station-Id = "24-FB-65-69-06-AF"
(3) Location-Data = 0x31304445170a49542d53657276696365
(3) Service-Type = Framed-User
(3) Chargeable-User-Identity = 0x00
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 802.11a/n/ac"
(3) EAP-Message = 0x020300061900
(3) State = 0x3bd334c239d02d5a464d9b22d2e35ffe
(3) Ruckus-SSID = "test-radius-user+pass"
(3) Ruckus-BSSID = 0x34fa9ffa588e
(3) Ruckus-Location = "IT-Service"
(3) Ruckus-VLAN-ID = 1
(3) Ruckus-SCG-CBlade-IP = 3232253455
(3) Ruckus-Zone-Name = "Detmold"
(3) Ruckus-Wlan-Name = "test-radius-user+pass"
(3) Message-Authenticator = 0x987f2b5f4dace466c0f0b4acf02c3574
(3) Proxy-State = 0x3639
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
rlm_ldap (ldap): Reserved connection (3)
(3) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap: --> (name=wifitestmac01)
(3) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: Search returned no results
rlm_ldap (ldap): Released connection (3)
(3) [ldap] = notfound
(3) policy group_authorization {
(3) if (&Huntgroup-Name == "wo-byod") {
(3) ERROR: Failed retrieving values required to evaluate condition
(3) elsif (&Huntgroup-Name == "wo-secure") {
(3) ERROR: Failed retrieving values required to evaluate condition
(3) } # policy group_authorization = notfound
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) policy filter_password {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(3) } # policy filter_password = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3bd334c239d02d5a
(3) eap: Finished EAP session with state 0x3bd334c239d02d5a
(3) eap: Previous EAP request found for state 0x3bd334c239d02d5a, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 691
(3) eap: EAP session adding &reply:State = 0x3bd334c238d72d5a
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 32 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(3) EAP-Message = 0x010402b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101009d2d36e5e65062434bce33d522f21aa5fc16f766f283a13b276fc9ebf7f118
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(3) Proxy-State = 0x3639
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 28 from 192.168.70.15:18487 to 192.168.199.69:1812 length 506
(4) Acct-Session-Id = "5D1CA994-67A4B00F"
(4) User-Name = "wifitestmac01"
(4) NAS-IP-Address = 192.168.70.63
(4) NAS-Identifier = "ruckuscontroller"
(4) NAS-Port = 1
(4) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(4) Calling-Station-Id = "24-FB-65-69-06-AF"
(4) Location-Data = 0x31304445170a49542d53657276696365
(4) Service-Type = Framed-User
(4) Chargeable-User-Identity = 0x00
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 802.11a/n/ac"
(4) EAP-Message = 0x0204008819800000007e1603030046100000424104adbbc0a47dec1a64cf71dd948d1cc6eeb600228b9ec1c419b2931cb6742f75033ea0cfe3368b858b07feb235a1c46f8936048a0d55e2f87fb62156f1fedb985814030300010116030300280000000000000000ab71501664950b092c4c0b8b88170f
(4) State = 0x3bd334c238d72d5a464d9b22d2e35ffe
(4) Ruckus-SSID = "test-radius-user+pass"
(4) Ruckus-BSSID = 0x34fa9ffa588e
(4) Ruckus-Location = "IT-Service"
(4) Ruckus-VLAN-ID = 1
(4) Ruckus-SCG-CBlade-IP = 3232253455
(4) Ruckus-Zone-Name = "Detmold"
(4) Ruckus-Wlan-Name = "test-radius-user+pass"
(4) Message-Authenticator = 0xaa7a33857a9cd2bd2a0a520d9b8229f1
(4) Proxy-State = 0x3730
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
rlm_ldap (ldap): Reserved connection (4)
(4) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap: --> (name=wifitestmac01)
(4) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: Search returned no results
rlm_ldap (ldap): Released connection (4)
(4) [ldap] = notfound
(4) policy group_authorization {
(4) if (&Huntgroup-Name == "wo-byod") {
(4) ERROR: Failed retrieving values required to evaluate condition
(4) elsif (&Huntgroup-Name == "wo-secure") {
(4) ERROR: Failed retrieving values required to evaluate condition
(4) } # policy group_authorization = notfound
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) policy filter_password {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(4) } # policy filter_password = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3bd334c238d72d5a
(4) eap: Finished EAP session with state 0x3bd334c238d72d5a
(4) eap: Previous EAP request found for state 0x3bd334c238d72d5a, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: TLS_accept: SSLv3 read certificate verify A
(4) eap_peap: <<< recv TLS 1.2 [length 0001]
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 57
(4) eap: EAP session adding &reply:State = 0x3bd334c23fd62d5a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 28 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(4) EAP-Message = 0x0105003919001403030001011603030028d5ec48bada42fbd160a0e9edd0eb49dfdd71efa906eeeeca879b4e3db15c178c51fb9fa222a5ed41
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(4) Proxy-State = 0x3730
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 53 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
(5) Acct-Session-Id = "5D1CA994-67A4B00F"
(5) User-Name = "wifitestmac01"
(5) NAS-IP-Address = 192.168.70.63
(5) NAS-Identifier = "ruckuscontroller"
(5) NAS-Port = 1
(5) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(5) Calling-Station-Id = "24-FB-65-69-06-AF"
(5) Location-Data = 0x31304445170a49542d53657276696365
(5) Service-Type = Framed-User
(5) Chargeable-User-Identity = 0x00
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 802.11a/n/ac"
(5) EAP-Message = 0x020500061900
(5) State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
(5) Ruckus-SSID = "test-radius-user+pass"
(5) Ruckus-BSSID = 0x34fa9ffa588e
(5) Ruckus-Location = "IT-Service"
(5) Ruckus-VLAN-ID = 1
(5) Ruckus-SCG-CBlade-IP = 3232253455
(5) Ruckus-Zone-Name = "Detmold"
(5) Ruckus-Wlan-Name = "test-radius-user+pass"
(5) Message-Authenticator = 0x66edffe796ea4dd8ad07c9eb195678ba
(5) Proxy-State = 0x3731
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
rlm_ldap (ldap): Reserved connection (0)
(5) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap: --> (name=wifitestmac01)
(5) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
(5) [ldap] = notfound
(5) policy group_authorization {
(5) if (&Huntgroup-Name == "wo-byod") {
(5) ERROR: Failed retrieving values required to evaluate condition
(5) elsif (&Huntgroup-Name == "wo-secure") {
(5) ERROR: Failed retrieving values required to evaluate condition
(5) } # policy group_authorization = notfound
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) policy filter_password {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(5) } # policy filter_password = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x3bd334c23fd62d5a
(5) eap: Finished EAP session with state 0x3bd334c23fd62d5a
(5) eap: Previous EAP request found for state 0x3bd334c23fd62d5a, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 40
(5) eap: EAP session adding &reply:State = 0x3bd334c23ed52d5a
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 53 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(5) EAP-Message = 0x010600281900170303001dd5ec48bada42fbd2efc073480c7529e47c1add6cb4438a099c10325e70
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(5) Proxy-State = 0x3731
(5) Finished request
Waking up in 4.6 seconds.
(6) Received Access-Request Id 156 from 192.168.70.15:18487 to 192.168.199.69:1812 length 419
(6) Acct-Session-Id = "5D1CA994-67A4B00F"
(6) User-Name = "wifitestmac01"
(6) NAS-IP-Address = 192.168.70.63
(6) NAS-Identifier = "ruckuscontroller"
(6) NAS-Port = 1
(6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) Calling-Station-Id = "24-FB-65-69-06-AF"
(6) Location-Data = 0x31304445170a49542d53657276696365
(6) Service-Type = Framed-User
(6) Chargeable-User-Identity = 0x00
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 802.11a/n/ac"
(6) EAP-Message = 0x020600311900170303002600000000000000015698d55ae694291d750d607613ec0078f789474257506b16b6bbfb645851
(6) State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
(6) Ruckus-SSID = "test-radius-user+pass"
(6) Ruckus-BSSID = 0x34fa9ffa588e
(6) Ruckus-Location = "IT-Service"
(6) Ruckus-VLAN-ID = 1
(6) Ruckus-SCG-CBlade-IP = 3232253455
(6) Ruckus-Zone-Name = "Detmold"
(6) Ruckus-Wlan-Name = "test-radius-user+pass"
(6) Message-Authenticator = 0x34c64d7bfe181cdb376fcd5e5ddf54bc
(6) Proxy-State = 0x3732
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
rlm_ldap (ldap): Reserved connection (5)
(6) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(6) ldap: --> (name=wifitestmac01)
(6) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(6) ldap: Waiting for search result...
(6) ldap: Search returned no results
rlm_ldap (ldap): Released connection (5)
(6) [ldap] = notfound
(6) policy group_authorization {
(6) if (&Huntgroup-Name == "wo-byod") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) elsif (&Huntgroup-Name == "wo-secure") {
(6) ERROR: Failed retrieving values required to evaluate condition
(6) } # policy group_authorization = notfound
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) policy filter_password {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(6) } # policy filter_password = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 49
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x3bd334c23ed52d5a
(6) eap: Finished EAP session with state 0x3bd334c23ed52d5a
(6) eap: Previous EAP request found for state 0x3bd334c23ed52d5a, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - wifitestmac01
(6) eap_peap: Got inner identity 'wifitestmac01'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap: Setting User-Name to wifitestmac01
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x020600120177696669746573746d61633031
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "wifitestmac01"
(6) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(6) eap_peap: NAS-IP-Address = 192.168.70.63
(6) eap_peap: NAS-Identifier = "ruckuscontroller"
(6) eap_peap: NAS-Port = 1
(6) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(6) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(6) eap_peap: Service-Type = Framed-User
(6) eap_peap: Chargeable-User-Identity = 0x00
(6) eap_peap: NAS-Port-Type = Wireless-802.11
(6) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(6) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(6) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(6) eap_peap: Ruckus-Location = "IT-Service"
(6) eap_peap: Ruckus-VLAN-ID = 1
(6) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(6) eap_peap: Ruckus-Zone-Name = "Detmold"
(6) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(6) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x020600120177696669746573746d61633031
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "wifitestmac01"
(6) Acct-Session-Id = "5D1CA994-67A4B00F"
(6) NAS-IP-Address = 192.168.70.63
(6) NAS-Identifier = "ruckuscontroller"
(6) NAS-Port = 1
(6) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(6) Calling-Station-Id = "24-FB-65-69-06-AF"
(6) Location-Data = 0x31304445170a49542d53657276696365
(6) Service-Type = Framed-User
(6) Chargeable-User-Identity = 0x00
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 802.11a/n/ac"
(6) Ruckus-SSID = "test-radius-user+pass"
(6) Ruckus-BSSID = 0x34fa9ffa588e
(6) Ruckus-Location = "IT-Service"
(6) Ruckus-VLAN-ID = 1
(6) Ruckus-SCG-CBlade-IP = 3232253455
(6) Ruckus-Zone-Name = "Detmold"
(6) Ruckus-Wlan-Name = "test-radius-user+pass"
(6) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 18
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x78a9799278ae6313
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 74
(6) eap: EAP session adding &reply:State = 0x3bd334c23dd42d5a
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 156 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(6) EAP-Message = 0x0107004a1900170303003fd5ec48bada42fbd39481e9f00adb4e04c21da70a884fc7d37895cfdbd260a4aa2189d9d36c81ebc4a14d73b74ba2eb169b57fd36b0ecb4393df44715a4222e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(6) Proxy-State = 0x3732
(6) Finished request
Waking up in 4.5 seconds.
(7) Received Access-Request Id 35 from 192.168.70.15:18487 to 192.168.199.69:1812 length 473
(7) Acct-Session-Id = "5D1CA994-67A4B00F"
(7) User-Name = "wifitestmac01"
(7) NAS-IP-Address = 192.168.70.63
(7) NAS-Identifier = "ruckuscontroller"
(7) NAS-Port = 1
(7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) Calling-Station-Id = "24-FB-65-69-06-AF"
(7) Location-Data = 0x31304445170a49542d53657276696365
(7) Service-Type = Framed-User
(7) Chargeable-User-Identity = 0x00
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 802.11a/n/ac"
(7) EAP-Message = 0x020700671900170303005c000000000000000260bd309024ce07ecc1dd6fb714cd4aab28a634e3636effeb72f8162068747c873ba798f59a4cd64c069ba2159698e14743104d45d20c019e727efc75fdac7624b0b06f869e8bc2cfc1cc6cfd33ed977ae6015649
(7) State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
(7) Ruckus-SSID = "test-radius-user+pass"
(7) Ruckus-BSSID = 0x34fa9ffa588e
(7) Ruckus-Location = "IT-Service"
(7) Ruckus-VLAN-ID = 1
(7) Ruckus-SCG-CBlade-IP = 3232253455
(7) Ruckus-Zone-Name = "Detmold"
(7) Ruckus-Wlan-Name = "test-radius-user+pass"
(7) Message-Authenticator = 0x3b507e4e852475a8216cc0c453588426
(7) Proxy-State = 0x3733
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (name=wifitestmac01)
(7) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
(7) [ldap] = notfound
(7) policy group_authorization {
(7) if (&Huntgroup-Name == "wo-byod") {
(7) ERROR: Failed retrieving values required to evaluate condition
(7) elsif (&Huntgroup-Name == "wo-secure") {
(7) ERROR: Failed retrieving values required to evaluate condition
(7) } # policy group_authorization = notfound
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) policy filter_password {
(7) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(7) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(7) } # policy filter_password = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 103
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x3bd334c23dd42d5a
(7) eap: Previous EAP request found for state 0x3bd334c23dd42d5a, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap: Setting User-Name to wifitestmac01
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "wifitestmac01"
(7) eap_peap: State = 0x78a9799278ae6313f359dd39dd5c9f11
(7) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(7) eap_peap: NAS-IP-Address = 192.168.70.63
(7) eap_peap: NAS-Identifier = "ruckuscontroller"
(7) eap_peap: NAS-Port = 1
(7) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(7) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(7) eap_peap: Service-Type = Framed-User
(7) eap_peap: Chargeable-User-Identity = 0x00
(7) eap_peap: NAS-Port-Type = Wireless-802.11
(7) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(7) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(7) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(7) eap_peap: Ruckus-Location = "IT-Service"
(7) eap_peap: Ruckus-VLAN-ID = 1
(7) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(7) eap_peap: Ruckus-Zone-Name = "Detmold"
(7) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(7) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "wifitestmac01"
(7) State = 0x78a9799278ae6313f359dd39dd5c9f11
(7) Acct-Session-Id = "5D1CA994-67A4B00F"
(7) NAS-IP-Address = 192.168.70.63
(7) NAS-Identifier = "ruckuscontroller"
(7) NAS-Port = 1
(7) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(7) Calling-Station-Id = "24-FB-65-69-06-AF"
(7) Location-Data = 0x31304445170a49542d53657276696365
(7) Service-Type = Framed-User
(7) Chargeable-User-Identity = 0x00
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 802.11a/n/ac"
(7) Ruckus-SSID = "test-radius-user+pass"
(7) Ruckus-BSSID = 0x34fa9ffa588e
(7) Ruckus-Location = "IT-Service"
(7) Ruckus-VLAN-ID = 1
(7) Ruckus-SCG-CBlade-IP = 3232253455
(7) Ruckus-Zone-Name = "Detmold"
(7) Ruckus-Wlan-Name = "test-radius-user+pass"
(7) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 72
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) sql: EXPAND %{User-Name}
(7) sql: --> wifitestmac01
(7) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (1)
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: User found in radcheck table
(7) sql: Conditional check items matched, merging assignment check items
(7) sql: Cleartext-Password := "tester555"
(7) sql: MS-CHAP-Use-NTLM-Auth := No
(7) sql: Calling-Station-Id := "24-FB-65-69-06-AF"
(7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(7) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(7) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(7) sql: User found in the group table
(7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Conditional check items matched
(7) sql: Group "wifi_wo-secure": Merging assignment check items
(7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(7) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(7) sql: Group "wifi_wo-secure": Merging reply items
(7) sql: Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
(7) [sql] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x78a9799278ae6313
(7) eap: Finished EAP session with state 0x78a9799278ae6313
(7) eap: Previous EAP request found for state 0x78a9799278ae6313, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: wifitestmac01
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) [mschap] = ok
(7) } # authenticate = ok
(7) MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 8 length 51
(7) eap: EAP session adding &reply:State = 0x78a9799279a16313
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Huntgroup-Name = "wo-secure"
(7) EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: Huntgroup-Name = "wo-secure"
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: Huntgroup-Name = "wo-secure"
(7) eap_peap: EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 8 length 82
(7) eap: EAP session adding &reply:State = 0x3bd334c23cdb2d5a
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 35 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(7) EAP-Message = 0x0108005219001703030047d5ec48bada42fbd4a02ea88aa51ecde0431fc6ac9846f7c0bc036ed64ec4a3c3a48c11c16ba8cdeed9c4ac5890895c8591ac992d69a16fc27bc54f573dc888eb7d087f53f723fd
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(7) Proxy-State = 0x3733
(7) Finished request
Waking up in 4.5 seconds.
(8) Received Access-Request Id 62 from 192.168.70.15:18487 to 192.168.199.69:1812 length 407
(8) Acct-Session-Id = "5D1CA994-67A4B00F"
(8) User-Name = "wifitestmac01"
(8) NAS-IP-Address = 192.168.70.63
(8) NAS-Identifier = "ruckuscontroller"
(8) NAS-Port = 1
(8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) Calling-Station-Id = "24-FB-65-69-06-AF"
(8) Location-Data = 0x31304445170a49542d53657276696365
(8) Service-Type = Framed-User
(8) Chargeable-User-Identity = 0x00
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 802.11a/n/ac"
(8) EAP-Message = 0x020800251900170303001a0000000000000003559b9229317f3155d7720c582345c83dac3f
(8) State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
(8) Ruckus-SSID = "test-radius-user+pass"
(8) Ruckus-BSSID = 0x34fa9ffa588e
(8) Ruckus-Location = "IT-Service"
(8) Ruckus-VLAN-ID = 1
(8) Ruckus-SCG-CBlade-IP = 3232253455
(8) Ruckus-Zone-Name = "Detmold"
(8) Ruckus-Wlan-Name = "test-radius-user+pass"
(8) Message-Authenticator = 0x1990281948930e08ef66d420ea1928c8
(8) Proxy-State = 0x3734
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
rlm_ldap (ldap): Reserved connection (2)
(8) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (name=wifitestmac01)
(8) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
(8) [ldap] = notfound
(8) policy group_authorization {
(8) if (&Huntgroup-Name == "wo-byod") {
(8) ERROR: Failed retrieving values required to evaluate condition
(8) elsif (&Huntgroup-Name == "wo-secure") {
(8) ERROR: Failed retrieving values required to evaluate condition
(8) } # policy group_authorization = notfound
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) policy filter_password {
(8) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(8) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(8) } # policy filter_password = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x3bd334c23cdb2d5a
(8) eap: Previous EAP request found for state 0x3bd334c23cdb2d5a, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: Setting User-Name to wifitestmac01
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020800061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: State = 0x78a9799279a16313f359dd39dd5c9f11
(8) eap_peap: Acct-Session-Id = "5D1CA994-67A4B00F"
(8) eap_peap: NAS-IP-Address = 192.168.70.63
(8) eap_peap: NAS-Identifier = "ruckuscontroller"
(8) eap_peap: NAS-Port = 1
(8) eap_peap: Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) eap_peap: Calling-Station-Id = "24-FB-65-69-06-AF"
(8) eap_peap: Location-Data = 0x31304445170a49542d53657276696365
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Chargeable-User-Identity = 0x00
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Connect-Info = "CONNECT 802.11a/n/ac"
(8) eap_peap: Ruckus-SSID = "test-radius-user+pass"
(8) eap_peap: Ruckus-BSSID = 0x34fa9ffa588e
(8) eap_peap: Ruckus-Location = "IT-Service"
(8) eap_peap: Ruckus-VLAN-ID = 1
(8) eap_peap: Ruckus-SCG-CBlade-IP = 3232253455
(8) eap_peap: Ruckus-Zone-Name = "Detmold"
(8) eap_peap: Ruckus-Wlan-Name = "test-radius-user+pass"
(8) eap_peap: Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020800061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "wifitestmac01"
(8) State = 0x78a9799279a16313f359dd39dd5c9f11
(8) Acct-Session-Id = "5D1CA994-67A4B00F"
(8) NAS-IP-Address = 192.168.70.63
(8) NAS-Identifier = "ruckuscontroller"
(8) NAS-Port = 1
(8) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(8) Calling-Station-Id = "24-FB-65-69-06-AF"
(8) Location-Data = 0x31304445170a49542d53657276696365
(8) Service-Type = Framed-User
(8) Chargeable-User-Identity = 0x00
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 802.11a/n/ac"
(8) Ruckus-SSID = "test-radius-user+pass"
(8) Ruckus-BSSID = 0x34fa9ffa588e
(8) Ruckus-Location = "IT-Service"
(8) Ruckus-VLAN-ID = 1
(8) Ruckus-SCG-CBlade-IP = 3232253455
(8) Ruckus-Zone-Name = "Detmold"
(8) Ruckus-Wlan-Name = "test-radius-user+pass"
(8) Event-Timestamp = "Jul 3 2019 15:11:54 CEST"
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) [files] = noop
(8) sql: EXPAND %{User-Name}
(8) sql: --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
rlm_sql (sql): Reserved connection (2)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: Conditional check items matched, merging assignment check items
(8) sql: Cleartext-Password := "tester555"
(8) sql: MS-CHAP-Use-NTLM-Auth := No
(8) sql: Calling-Station-Id := "24-FB-65-69-06-AF"
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(8) sql: --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
(8) sql: User found in the group table
(8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Conditional check items matched
(8) sql: Group "wifi_wo-secure": Merging assignment check items
(8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(8) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
(8) sql: Group "wifi_wo-secure": Merging reply items
(8) sql: Huntgroup-Name := "wo-secure"
rlm_sql (sql): Released connection (2)
(8) [sql] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x78a9799279a16313
(8) eap: Finished EAP session with state 0x78a9799279a16313
(8) eap: Previous EAP request found for state 0x78a9799279a16313, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) sql: EXPAND .query
(8) sql: --> .query
(8) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND %{User-Name}
(8) sql: --> wifitestmac01
(8) sql: SQL-User-Name set to 'wifitestmac01'
(8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(8) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: EXPAND /var/log/radius/sqllog.sql
(8) sql: --> /var/log/radius/sqllog.sql
(8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
(8) sql: SQL query returned: success
(8) sql: 1 record(s) updated
rlm_sql (sql): Released connection (3)
(8) [sql] = ok
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = ok
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Huntgroup-Name = "wo-secure"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) EAP-Message = 0x03080004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Huntgroup-Name = "wo-secure"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Huntgroup-Name = "wo-secure"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
(8) eap_peap: MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
(8) eap_peap: EAP-Message = 0x03080004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "wifitestmac01"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 9 length 46
(8) eap: EAP session adding &reply:State = 0x3bd334c233da2d5a
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 62 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(8) EAP-Message = 0x0109002e19001703030023d5ec48bada42fbd57360d536a83db35fd6aa4c397ac57dc6b063543e6a7988551a9ecf
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(8) Proxy-State = 0x3734
(8) Finished request
Waking up in 4.4 seconds.
(9) Received Access-Request Id 148 from 192.168.70.15:18487 to 192.168.199.69:1812 length 416
(9) Acct-Session-Id = "5D1CA994-67A4B00F"
(9) User-Name = "wifitestmac01"
(9) NAS-IP-Address = 192.168.70.63
(9) NAS-Identifier = "ruckuscontroller"
(9) NAS-Port = 1
(9) Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
(9) Calling-Station-Id = "24-FB-65-69-06-AF"
(9) Location-Data = 0x31304445170a49542d53657276696365
(9) Service-Type = Framed-User
(9) Chargeable-User-Identity = 0x00
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 802.11a/n/ac"
(9) EAP-Message = 0x0209002e190017030300230000000000000004e71ecbff60c571603fd792638be1058058177b3ddab992ee20e458
(9) State = 0x3bd334c233da2d5a464d9b22d2e35ffe
(9) Ruckus-SSID = "test-radius-user+pass"
(9) Ruckus-BSSID = 0x34fa9ffa588e
(9) Ruckus-Location = "IT-Service"
(9) Ruckus-VLAN-ID = 1
(9) Ruckus-SCG-CBlade-IP = 3232253455
(9) Ruckus-Zone-Name = "Detmold"
(9) Ruckus-Wlan-Name = "test-radius-user+pass"
(9) Message-Authenticator = 0x162c711631dc2d5883505d06283cda48
(9) Proxy-State = 0x3735
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
rlm_ldap (ldap): Reserved connection (6)
(9) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap: --> (name=wifitestmac01)
(9) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: Search returned no results
rlm_ldap (ldap): Released connection (6)
(9) [ldap] = notfound
(9) policy group_authorization {
(9) if (&Huntgroup-Name == "wo-byod") {
(9) ERROR: Failed retrieving values required to evaluate condition
(9) elsif (&Huntgroup-Name == "wo-secure") {
(9) ERROR: Failed retrieving values required to evaluate condition
(9) } # policy group_authorization = notfound
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) policy filter_password {
(9) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(9) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(9) } # policy filter_password = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x3bd334c233da2d5a
(9) eap: Finished EAP session with state 0x3bd334c233da2d5a
(9) eap: Previous EAP request found for state 0x3bd334c233da2d5a, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 9 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) No attributes updated
(9) } # update = noop
(9) sql: EXPAND .query
(9) sql: --> .query
(9) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(9) sql: EXPAND %{User-Name}
(9) sql: --> wifitestmac01
(9) sql: SQL-User-Name set to 'wifitestmac01'
(9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(9) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: EXPAND /var/log/radius/sqllog.sql
(9) sql: --> /var/log/radius/sqllog.sql
(9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
(9) sql: SQL query returned: success
(9) sql: 1 record(s) updated
rlm_sql (sql): Released connection (4)
(9) [sql] = ok
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = ok
(9) Sent Access-Accept Id 148 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
(9) MS-MPPE-Recv-Key = 0xa63d5b43df19ab6338895fc4f40050e4990bc4207f4412edceb938cf1fcadd3e
(9) MS-MPPE-Send-Key = 0x29dabf22b9bda920c708becdd0886e0a8216f4d5881268045a296076fd901b90
(9) EAP-Message = 0x03090004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "wifitestmac01"
(9) Proxy-State = 0x3735
(9) Finished request
Waking up in 4.4 seconds.
(0) Cleaning up request packet ID 118 with timestamp +48
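Editor's note on the trace above. The inner-tunnel SQL lookup reports "Conditional check items matched, merging assignment check items" and then lists `Calling-Station-Id := "24-FB-65-69-06-AF"` among the merged items. In FreeRADIUS a check item stored with an assignment operator (`:=`, `=`) is not compared against anything; it is simply written into the control list, exactly as `Cleartext-Password := "tester555"` is. Only rows with a comparison operator (`==`, `!=`, `=~`, `!~`) are tested against the incoming request, which is why this accept would also have happened from a different client MAC. The following Python is an added illustration written for this page, not FreeRADIUS code and not part of the original post. It models just that operator distinction (the `+=` append operator is left out), runs it over radcheck rows constructed to mirror the three rows the log shows, and flags `sql: <attr> := ...` debug lines for request-describing attributes that were presumably meant as checks. Attribute names and the helper names are assumptions made for the example.

```python
# Added illustration for this thread, not FreeRADIUS source code.
# It models only the check-item operator semantics of rlm_sql / the users
# file that explain the debug output above:
#   - comparison operators (==, !=, =~, !~) are matched against the request;
#     a mismatch means the entry does not apply and authorization fails
#   - assignment operators (:=, =) never compare anything; they only place
#     the value in the control list ('+=' append is not modelled here)
# so the logged line  sql: Calling-Station-Id := "24-FB-65-69-06-AF"
# sets an attribute instead of checking the client MAC.
import re
from dataclasses import dataclass, field
from typing import Dict, List

COMPARISON_OPS = {"==", "!=", "=~", "!~"}
ASSIGNMENT_OPS = {":=", "="}

# Attributes that describe the incoming request; storing them in radcheck
# with an assignment operator is almost always a mistake (assumed list).
REQUEST_DESCRIBING_ATTRS = {"Calling-Station-Id", "Called-Station-Id",
                            "NAS-IP-Address", "NAS-Identifier", "NAS-Port-Type"}


@dataclass
class Row:
    """One radcheck / radgroupcheck row: (attribute, op, value)."""
    attribute: str
    op: str
    value: str


@dataclass
class Outcome:
    matched: bool
    control: Dict[str, str] = field(default_factory=dict)
    failed: List[Row] = field(default_factory=list)


def _compare(op: str, request_value: str, check_value: str) -> bool:
    if op == "==":
        return request_value == check_value
    if op == "!=":
        return request_value != check_value
    if op == "=~":
        return re.search(check_value, request_value) is not None
    if op == "!~":
        return re.search(check_value, request_value) is None
    raise ValueError(f"unsupported operator {op!r}")


def apply_check_items(request: Dict[str, str], rows: List[Row]) -> Outcome:
    """Two passes, mirroring 'Conditional check items matched, merging
    assignment check items': evaluate every comparison row first; only when
    all of them hold are the assignment rows merged into the control list.
    A comparison against an attribute absent from the request fails."""
    outcome = Outcome(matched=True)
    for row in rows:
        if row.op in COMPARISON_OPS:
            if (row.attribute not in request
                    or not _compare(row.op, request[row.attribute], row.value)):
                outcome.matched = False
                outcome.failed.append(row)
    if not outcome.matched:
        return outcome
    for row in rows:
        if row.op in ASSIGNMENT_OPS:
            if row.op == "=" and row.attribute in outcome.control:
                continue  # '=' only sets when nothing is there yet
            outcome.control[row.attribute] = row.value  # ':=' overwrites
    return outcome


ASSIGN_LINE = re.compile(r"^\(\d+\)\s+sql:\s+(?P<attr>[A-Za-z0-9-]+)\s+:=\s+")


def misused_assignments(debug_lines: List[str]) -> List[str]:
    """Scan radiusd -X output for 'sql: <attr> := ...' lines whose <attr>
    describes the request and was therefore probably meant as a check."""
    found = []
    for line in debug_lines:
        m = ASSIGN_LINE.match(line.strip())
        if m and m.group("attr") in REQUEST_DESCRIBING_ATTRS:
            found.append(m.group("attr"))
    return found


# Constructed sample data mirroring the rows and request in the debug output.
ROWS_AS_LOGGED = [
    Row("Cleartext-Password", ":=", "tester555"),
    Row("MS-CHAP-Use-NTLM-Auth", ":=", "No"),
    Row("Calling-Station-Id", ":=", "24-FB-65-69-06-AF"),
]
ROWS_FIXED = [  # same rows, MAC stored as a comparison instead
    Row("Cleartext-Password", ":=", "tester555"),
    Row("MS-CHAP-Use-NTLM-Auth", ":=", "No"),
    Row("Calling-Station-Id", "==", "24-FB-65-69-06-AF"),
]
REQUEST_LOGGED_MAC = {"User-Name": "wifitestmac01",
                      "Calling-Station-Id": "24-FB-65-69-06-AF"}
REQUEST_OTHER_MAC = {"User-Name": "wifitestmac01",
                     "Calling-Station-Id": "00-11-22-33-44-55"}
SAMPLE_DEBUG = [
    '(8) sql: Cleartext-Password := "tester555"',
    '(8) sql: MS-CHAP-Use-NTLM-Auth := No',
    '(8) sql: Calling-Station-Id := "24-FB-65-69-06-AF"',
]

if __name__ == "__main__":
    print("as logged, other MAC accepted:",
          apply_check_items(REQUEST_OTHER_MAC, ROWS_AS_LOGGED).matched)  # True
    print("fixed, other MAC accepted:",
          apply_check_items(REQUEST_OTHER_MAC, ROWS_FIXED).matched)      # False
    print("fixed, logged MAC accepted:",
          apply_check_items(REQUEST_LOGGED_MAC, ROWS_FIXED).matched)     # True
    print("suspicious := rows in debug:", misused_assignments(SAMPLE_DEBUG))  # ['Calling-Station-Id']
```

For the real database the change is the operator column of that one row, e.g. `UPDATE radcheck SET op='==' WHERE username='wifitestmac01' AND attribute='Calling-Station-Id';` (standard schema assumed). Two things in the trace make this work as intended: `copy_request_to_tunnel = yes` carries `Calling-Station-Id` into the inner-tunnel request (it is listed there), so the comparison is evaluated where the SQL lookup runs, and the stored value must use exactly the format this NAS sends (the Ruckus controller sends dashed upper-case MACs). Separately, the `ERROR: Failed retrieving values required to evaluate condition` lines come from `group_authorization` in the outer `authorize` reading `&Huntgroup-Name`, which at that point exists nowhere in the request: it is only produced by the SQL group reply inside inner-tunnel, so that policy either needs an existence guard such as `if (&Huntgroup-Name && &Huntgroup-Name == "wo-byod")` or belongs in the virtual server that actually sets the attribute.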