Cannot get 802.1X EAP with mac-auth running

Alan Buxey alan.buxey at gmail.com
Thu Jul 4 21:42:21 CEST 2019


hi,

>802.1x EAP  user + Pass + mac.

so you can do 802.1X EAP (user+pass - eg PEAP/MSCHAPv2) - and then
have a check item that the Calling-Station-Id is what you expect too
(the MAC address). Compare it with == rather than := (a := check item
sets the attribute instead of testing it), and use the exact form your
NAS sends it in - your debug shows "24-FB-65-69-06-AF", not the
colon-separated form you put in the check item.
but you cannot just chuck a basic MAC authentication at it and expect
EAP to fire up -- which is what your debug appears to be doing: that
request carries User-Name and User-Password both set to the MAC and no
EAP-Message, so the eap module does nothing ("No EAP-Message, not doing
EAP") and the request is rejected with "No Auth-Type found".

alan

On Thu, 4 Jul 2019 at 08:37, thomas heidkamp <profi-it at outlook.de> wrote:
>
> First I will describe my setup:
> FreeRADIUS (daloRADIUS) running the latest release on CentOS 7, with authentication
> against local MySQL as well as against a remote Microsoft ADS (LDAP) with ntlm_auth.
>
> Everything works well with MAC-only auth as well as with user + pass 802.1x EAP accounts, both on local MySQL and on Microsoft ADS.
> I am familiar with radiusd -X and will provide debug outputs.
>
> I made the changes in /etc/raddb/mods-available/eap
>
> ttls {
> copy_request_to_tunnel = yes
>
> peap {
> default_eap_type = mschapv2
> copy_request_to_tunnel = yes
>
>
> /etc/raddb/mods-available/mschap
>
> mschap {
> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{mschap:User-Name} --domain=DETMOLD.WORTMANN.COM --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> passchange {
> ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1 --allow-mschapv2"
> ntlm_auth_username = "username: %{mschap:User-Name}"
> ntlm_auth_domain = "nt-domain: DETMOLD.WORTMANN.COM"
>
>
>
> /etc/raddb/mods-available/ntlm_auth
>
> exec ntlm_auth {
>         wait = yes
>         program = "usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=DETMOLD.WORTMANN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
> }
>
>
> /etc/raddb/sites-available/inner-tunnel
>
> authenticate {
> ntlm_auth
>
>
> /etc/raddb/policy.d/group_authorization
>
> group_authorization {
>
>         if (&Huntgroup-Name == "wo-byod") {
>                 if (&LDAP-Group[*] == "CN=wo-byod,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
>                         #reject
>                         ok
>                 }
>                 else {
>                         reject
>                       }
>
>         }
>
>         elsif (&Huntgroup-Name == "wo-secure") {
>                 if (&LDAP-Group[*] == "CN=wo-secure,OU=Wifi,OU=Administration,DC=wifi,DC=wortmann,DC=com") {
>                         ok
>                 }
>                 else {
>                        reject
>                 }
>        }
>
> }
>
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Now I would like to create an account with 802.1x EAP user + pass + MAC.
>
> I created a user + pass on the local server (not Microsoft ADS) with the following attributes:
>
> Calling-Station-Id  := XX:XX:YY: (MAC)
> MS-CHAP-Use-NTLM-Auth :=No                         # because this is a local user in MySQL, not a user on Microsoft ADS
>
>
> -----------
>
> Output of 802.1x user + pass + MAC auth (this does not work)
>
> (0) Received Access-Request Id 178 from 192.168.70.15:18487 to 192.168.199.69:1812 length 369
> (0)   User-Name = "24:fb:65:69:06:af"
> (0)   User-Password = "24:fb:65:69:06:af"
> (0)   NAS-IP-Address = 192.168.70.63
> (0)   NAS-Identifier = "ruckuscontroller"
> (0)   Called-Station-Id = "34-FA-9F-BA-58-8F:test-radius-user+pass+mac"
> (0)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (0)   Service-Type = Framed-User
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Location-Data = 0x31304445170a49542d53657276696365
> (0)   Ruckus-SSID = "test-radius-user+pass+mac"
> (0)   Ruckus-BSSID = 0x34fa9fba588f
> (0)   Ruckus-Location = "IT-Service"
> (0)   Ruckus-VLAN-ID = 1
> (0)   Ruckus-SCG-CBlade-IP = 3232253455
> (0)   Ruckus-Zone-Name = "Detmold"
> (0)   Attr-26.25053.154 = 0x576f72746d616e6e
> (0)   Ruckus-Wlan-Name = "test-radius-user+pass+mac"
> (0)   Message-Authenticator = 0xacdb9cb8915c51eabb275d3f52265694
> (0)   Chargeable-User-Identity = 0x00
> (0)   Proxy-State = 0x3230
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (name=24:fb:65:69:06:af)
> (0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=24:fb:65:69:06:af)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = notfound
> (0)     policy group_authorization {
> (0)       if (&Huntgroup-Name == "wo-byod") {
> (0)       ERROR: Failed retrieving values required to evaluate condition
> (0)       elsif (&Huntgroup-Name == "wo-secure") {
> (0)       ERROR: Failed retrieving values required to evaluate condition
> (0)     } # policy group_authorization = notfound
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     policy filter_password {
> (0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (0)       EXPAND %{string:User-Password}
> (0)          --> 24:fb:65:69:06:af
> (0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (0)     } # policy filter_password = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "24:fb:65:69:06:af", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: No EAP-Message, not doing EAP
> (0)     [eap] = noop
> (0)     [files] = noop
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> 24:fb:65:69:06:af
> (0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
> rlm_sql (sql): Reserved connection (1)
> (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (0) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
> (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '24:fb:65:69:06:af' ORDER BY id
> (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (0) sql:    --> SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
> (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '24:fb:65:69:06:af' ORDER BY priority
> (0) sql: User not found in any groups
> rlm_sql (sql): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
> (0)     [sql] = notfound
> (0)     [expiration] = noop
> (0)     [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0)     [pap] = noop
> (0)   } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Post-Auth-Type REJECT {
> (0) sql: EXPAND .query
> (0) sql:    --> .query
> (0) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (2)
> (0) sql: EXPAND %{User-Name}
> (0) sql:    --> 24:fb:65:69:06:af
> (0) sql: SQL-User-Name set to '24:fb:65:69:06:af'
> (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (0) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
> (0) sql: EXPAND /var/log/radius/sqllog.sql
> (0) sql:    --> /var/log/radius/sqllog.sql
> (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '24:fb:65:69:06:af', '24:fb:65:69:06:af', 'Access-Reject', '2019-07-03 15:06:39.437779')
> (0) sql: SQL query returned: success
> (0) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (2)
> (0)     [sql] = ok
> (0) attr_filter.access_reject: EXPAND %{User-Name}
> (0) attr_filter.access_reject:    --> 24:fb:65:69:06:af
> (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (0)     [attr_filter.access_reject] = updated
> (0)     [eap] = noop
> (0)     policy remove_reply_message_if_eap {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (0)       else {
> (0)         [noop] = noop
> (0)       } # else = noop
> (0)     } # policy remove_reply_message_if_eap = noop
> (0)   } # Post-Auth-Type REJECT = updated
> (0) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (0) Sending delayed response
> (0) Sent Access-Reject Id 178 from 192.168.199.69:1812 to 192.168.70.15:18487 length 24
> (0)   Proxy-State = 0x3230
> Waking up in 3.9 seconds.
> (0) Cleaning up request packet ID 178 with timestamp +21
> Ready to process requests
>
>
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> And here is the output for 802.1x with user + pass (this works)
>
>
>
>
>
> (0) Received Access-Request Id 118 from 192.168.70.15:18487 to 192.168.199.69:1812 length 370
> (0)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (0)   User-Name = "wifitestmac01"
> (0)   NAS-IP-Address = 192.168.70.63
> (0)   NAS-Identifier = "ruckuscontroller"
> (0)   NAS-Port = 1
> (0)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (0)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (0)   Location-Data = 0x31304445170a49542d53657276696365
> (0)   Service-Type = Framed-User
> (0)   Chargeable-User-Identity = 0x00
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Connect-Info = "CONNECT 802.11a/n/ac"
> (0)   EAP-Message = 0x020000120177696669746573746d61633031
> (0)   Ruckus-SSID = "test-radius-user+pass"
> (0)   Ruckus-BSSID = 0x34fa9ffa588e
> (0)   Ruckus-Location = "IT-Service"
> (0)   Ruckus-VLAN-ID = 1
> (0)   Ruckus-SCG-CBlade-IP = 3232253455
> (0)   Ruckus-Zone-Name = "Detmold"
> (0)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (0)   Message-Authenticator = 0x159a3af56a73ce0394ac2b647dab9fdc
> (0)   Proxy-State = 0x3636
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> rlm_ldap (ldap): Reserved connection (0)
> (0) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (0) ldap:    --> (name=wifitestmac01)
> (0) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (0) ldap: Waiting for search result...
> (0) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> Need 5 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (0)     [ldap] = notfound
> (0)     policy group_authorization {
> (0)       if (&Huntgroup-Name == "wo-byod") {
> (0)       ERROR: Failed retrieving values required to evaluate condition
> (0)       elsif (&Huntgroup-Name == "wo-secure") {
> (0)       ERROR: Failed retrieving values required to evaluate condition
> (0)     } # policy group_authorization = notfound
> (0)     policy filter_username {
> (0)       if (&User-Name) {
> (0)       if (&User-Name)  -> TRUE
> (0)       if (&User-Name)  {
> (0)         if (&User-Name =~ / /) {
> (0)         if (&User-Name =~ / /)  -> FALSE
> (0)         if (&User-Name =~ /@[^@]*@/ ) {
> (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (0)         if (&User-Name =~ /\.\./ ) {
> (0)         if (&User-Name =~ /\.\./ )  -> FALSE
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (0)         if (&User-Name =~ /\.$/)  {
> (0)         if (&User-Name =~ /\.$/)   -> FALSE
> (0)         if (&User-Name =~ /@\./)  {
> (0)         if (&User-Name =~ /@\./)   -> FALSE
> (0)       } # if (&User-Name)  = notfound
> (0)     } # policy filter_username = notfound
> (0)     policy filter_password {
> (0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (0)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (0)     } # policy filter_password = notfound
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 18
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_peap to process data
> (0) eap_peap: Initiating new EAP-TLS session
> (0) eap_peap: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0x3bd334c23bd22d5a
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   Challenge { ... } # empty sub-section is ignored
> (0) Sent Access-Challenge Id 118 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (0)   EAP-Message = 0x010100061920
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
> (0)   Proxy-State = 0x3636
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 192 from 192.168.70.15:18487 to 192.168.199.69:1812 length 523
> (1)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (1)   User-Name = "wifitestmac01"
> (1)   NAS-IP-Address = 192.168.70.63
> (1)   NAS-Identifier = "ruckuscontroller"
> (1)   NAS-Port = 1
> (1)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (1)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (1)   Location-Data = 0x31304445170a49542d53657276696365
> (1)   Service-Type = Framed-User
> (1)   Chargeable-User-Identity = 0x00
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Connect-Info = "CONNECT 802.11a/n/ac"
> (1)   EAP-Message = 0x0201009919800000008f160301008a010000860303835329bad69de11579396dd64e0f503fa00db84d3fa1677093e39b7a165697b600002ac02bc02fc02cc030cca9cca8c009c023c013c027c00ac024c014c028009c009d002f003c0035003d000a01000033ff0100010000170000000d001400120403
> (1)   State = 0x3bd334c23bd22d5a464d9b22d2e35ffe
> (1)   Ruckus-SSID = "test-radius-user+pass"
> (1)   Ruckus-BSSID = 0x34fa9ffa588e
> (1)   Ruckus-Location = "IT-Service"
> (1)   Ruckus-VLAN-ID = 1
> (1)   Ruckus-SCG-CBlade-IP = 3232253455
> (1)   Ruckus-Zone-Name = "Detmold"
> (1)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (1)   Message-Authenticator = 0x7bc819acb7da691a1924f0d0f7cdfe1c
> (1)   Proxy-State = 0x3637
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (1)   authorize {
> rlm_ldap (ldap): Reserved connection (1)
> (1) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) ldap:    --> (name=wifitestmac01)
> (1) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (1) ldap: Waiting for search result...
> (1) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (1)
> (1)     [ldap] = notfound
> (1)     policy group_authorization {
> (1)       if (&Huntgroup-Name == "wo-byod") {
> (1)       ERROR: Failed retrieving values required to evaluate condition
> (1)       elsif (&Huntgroup-Name == "wo-secure") {
> (1)       ERROR: Failed retrieving values required to evaluate condition
> (1)     } # policy group_authorization = notfound
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         if (&User-Name =~ / /)  -> FALSE
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         if (&User-Name =~ /\.\./ )  -> FALSE
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         if (&User-Name =~ /\.$/)   -> FALSE
> (1)         if (&User-Name =~ /@\./)  {
> (1)         if (&User-Name =~ /@\./)   -> FALSE
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     policy filter_password {
> (1)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (1)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (1)     } # policy filter_password = notfound
> (1)     [preprocess] = ok
> (1)     [chap] = noop
> (1)     [mschap] = noop
> (1)     [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1)     [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 1 length 153
> (1) eap: Continuing tunnel setup
> (1)     [eap] = ok
> (1)   } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1)   authenticate {
> (1) eap: Expiring EAP session with state 0x3bd334c23bd22d5a
> (1) eap: Finished EAP session with state 0x3bd334c23bd22d5a
> (1) eap: Previous EAP request found for state 0x3bd334c23bd22d5a, released from the list
> (1) eap: Peer sent packet with method EAP PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Continuing EAP-TLS
> (1) eap_peap: Peer indicated complete TLS record size will be 143 bytes
> (1) eap_peap: Got complete TLS record (143 bytes)
> (1) eap_peap: [eaptls verify] = length included
> (1) eap_peap: (other): before/accept initialization
> (1) eap_peap: TLS_accept: before/accept initialization
> (1) eap_peap: <<< recv TLS 1.2  [length 008a]
> (1) eap_peap: TLS_accept: SSLv3 read client hello A
> (1) eap_peap: >>> send TLS 1.2  [length 0039]
> (1) eap_peap: TLS_accept: SSLv3 write server hello A
> (1) eap_peap: >>> send TLS 1.2  [length 08d3]
> (1) eap_peap: TLS_accept: SSLv3 write certificate A
> (1) eap_peap: >>> send TLS 1.2  [length 014d]
> (1) eap_peap: TLS_accept: SSLv3 write key exchange A
> (1) eap_peap: >>> send TLS 1.2  [length 0004]
> (1) eap_peap: TLS_accept: SSLv3 write server done A
> (1) eap_peap: TLS_accept: SSLv3 flush data
> (1) eap_peap: TLS_accept: SSLv3 read client certificate A
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
> (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client key exchange A
> (1) eap_peap: In SSL Handshake Phase
> (1) eap_peap: In SSL Accept mode
> (1) eap_peap: [eaptls process] = handled
> (1) eap: Sending EAP Request (code 1) ID 2 length 1004
> (1) eap: EAP session adding &reply:State = 0x3bd334c23ad12d5a
> (1)     [eap] = handled
> (1)   } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1)   Challenge { ... } # empty sub-section is ignored
> (1) Sent Access-Challenge Id 192 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (1)   EAP-Message = 0x010203ec19c000000a7116030300390200003503038fd7c9ffc7d69edac5f51c36f36bb4cd3683efff8a28e5db6b9b61ec4e4b534100c02f00000dff01000100000b00040300010216030308d30b0008cf0008cc0003de308203da308202c2a003020102020101300d06092a864886f70d01010b050030
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
> (1)   Proxy-State = 0x3637
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 219 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
> (2)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (2)   User-Name = "wifitestmac01"
> (2)   NAS-IP-Address = 192.168.70.63
> (2)   NAS-Identifier = "ruckuscontroller"
> (2)   NAS-Port = 1
> (2)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (2)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (2)   Location-Data = 0x31304445170a49542d53657276696365
> (2)   Service-Type = Framed-User
> (2)   Chargeable-User-Identity = 0x00
> (2)   NAS-Port-Type = Wireless-802.11
> (2)   Connect-Info = "CONNECT 802.11a/n/ac"
> (2)   EAP-Message = 0x020200061900
> (2)   State = 0x3bd334c23ad12d5a464d9b22d2e35ffe
> (2)   Ruckus-SSID = "test-radius-user+pass"
> (2)   Ruckus-BSSID = 0x34fa9ffa588e
> (2)   Ruckus-Location = "IT-Service"
> (2)   Ruckus-VLAN-ID = 1
> (2)   Ruckus-SCG-CBlade-IP = 3232253455
> (2)   Ruckus-Zone-Name = "Detmold"
> (2)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (2)   Message-Authenticator = 0xb247f926b23e2510c40d16d6cff0ecab
> (2)   Proxy-State = 0x3638
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (2)   authorize {
> rlm_ldap (ldap): Reserved connection (2)
> (2) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (2) ldap:    --> (name=wifitestmac01)
> (2) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (2) ldap: Waiting for search result...
> (2) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (2)
> Need 4 more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
> rlm_ldap (ldap): Connecting to ldaps://ldap02.detmold.wortmann.com:50027
> TLSMC: MozNSS compatibility interception begins.
> tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (2)     [ldap] = notfound
> (2)     policy group_authorization {
> (2)       if (&Huntgroup-Name == "wo-byod") {
> (2)       ERROR: Failed retrieving values required to evaluate condition
> (2)       elsif (&Huntgroup-Name == "wo-secure") {
> (2)       ERROR: Failed retrieving values required to evaluate condition
> (2)     } # policy group_authorization = notfound
> (2)     policy filter_username {
> (2)       if (&User-Name) {
> (2)       if (&User-Name)  -> TRUE
> (2)       if (&User-Name)  {
> (2)         if (&User-Name =~ / /) {
> (2)         if (&User-Name =~ / /)  -> FALSE
> (2)         if (&User-Name =~ /@[^@]*@/ ) {
> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (2)         if (&User-Name =~ /\.\./ ) {
> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (2)         if (&User-Name =~ /\.$/)  {
> (2)         if (&User-Name =~ /\.$/)   -> FALSE
> (2)         if (&User-Name =~ /@\./)  {
> (2)         if (&User-Name =~ /@\./)   -> FALSE
> (2)       } # if (&User-Name)  = notfound
> (2)     } # policy filter_username = notfound
> (2)     policy filter_password {
> (2)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (2)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (2)     } # policy filter_password = notfound
> (2)     [preprocess] = ok
> (2)     [chap] = noop
> (2)     [mschap] = noop
> (2)     [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2)     [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 2 length 6
> (2) eap: Continuing tunnel setup
> (2)     [eap] = ok
> (2)   } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2)   authenticate {
> (2) eap: Expiring EAP session with state 0x3bd334c23ad12d5a
> (2) eap: Finished EAP session with state 0x3bd334c23ad12d5a
> (2) eap: Previous EAP request found for state 0x3bd334c23ad12d5a, released from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer ACKed our handshake fragment
> (2) eap_peap: [eaptls verify] = request
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 3 length 1000
> (2) eap: EAP session adding &reply:State = 0x3bd334c239d02d5a
> (2)     [eap] = handled
> (2)   } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/raddb/sites-enabled/default
> (2)   Challenge { ... } # empty sub-section is ignored
> (2) Sent Access-Challenge Id 219 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (2)   EAP-Message = 0x010303e8194091bfa579e2faf519ba55b78dda4a69f41a426f5e0c2c6f73a6b54147ba90603059eb0e91ad1221d42cb94f40b2d6f4bfd1026f390833e0d09c94696b1b5bef8a50f83b31b6fff4e1a20004e8308204e4308203cca003020102020900fcbb37b2469beea7300d06092a864886f70d01010b
> (2)   Message-Authenticator = 0x00000000000000000000000000000000
> (2)   State = 0x3bd334c239d02d5a464d9b22d2e35ffe
> (2)   Proxy-State = 0x3638
> (2) Finished request
> Waking up in 4.8 seconds.
> (3) Received Access-Request Id 32 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
> (3)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (3)   User-Name = "wifitestmac01"
> (3)   NAS-IP-Address = 192.168.70.63
> (3)   NAS-Identifier = "ruckuscontroller"
> (3)   NAS-Port = 1
> (3)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (3)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (3)   Location-Data = 0x31304445170a49542d53657276696365
> (3)   Service-Type = Framed-User
> (3)   Chargeable-User-Identity = 0x00
> (3)   NAS-Port-Type = Wireless-802.11
> (3)   Connect-Info = "CONNECT 802.11a/n/ac"
> (3)   EAP-Message = 0x020300061900
> (3)   State = 0x3bd334c239d02d5a464d9b22d2e35ffe
> (3)   Ruckus-SSID = "test-radius-user+pass"
> (3)   Ruckus-BSSID = 0x34fa9ffa588e
> (3)   Ruckus-Location = "IT-Service"
> (3)   Ruckus-VLAN-ID = 1
> (3)   Ruckus-SCG-CBlade-IP = 3232253455
> (3)   Ruckus-Zone-Name = "Detmold"
> (3)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (3)   Message-Authenticator = 0x987f2b5f4dace466c0f0b4acf02c3574
> (3)   Proxy-State = 0x3639
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (3)   authorize {
> rlm_ldap (ldap): Reserved connection (3)
> (3) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (3) ldap:    --> (name=wifitestmac01)
> (3) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (3) ldap: Waiting for search result...
> (3) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (3)
> (3)     [ldap] = notfound
> (3)     policy group_authorization {
> (3)       if (&Huntgroup-Name == "wo-byod") {
> (3)       ERROR: Failed retrieving values required to evaluate condition
> (3)       elsif (&Huntgroup-Name == "wo-secure") {
> (3)       ERROR: Failed retrieving values required to evaluate condition
> (3)     } # policy group_authorization = notfound
> (3)     policy filter_username {
> (3)       if (&User-Name) {
> (3)       if (&User-Name)  -> TRUE
> (3)       if (&User-Name)  {
> (3)         if (&User-Name =~ / /) {
> (3)         if (&User-Name =~ / /)  -> FALSE
> (3)         if (&User-Name =~ /@[^@]*@/ ) {
> (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (3)         if (&User-Name =~ /\.\./ ) {
> (3)         if (&User-Name =~ /\.\./ )  -> FALSE
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (3)         if (&User-Name =~ /\.$/)  {
> (3)         if (&User-Name =~ /\.$/)   -> FALSE
> (3)         if (&User-Name =~ /@\./)  {
> (3)         if (&User-Name =~ /@\./)   -> FALSE
> (3)       } # if (&User-Name)  = notfound
> (3)     } # policy filter_username = notfound
> (3)     policy filter_password {
> (3)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (3)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (3)     } # policy filter_password = notfound
> (3)     [preprocess] = ok
> (3)     [chap] = noop
> (3)     [mschap] = noop
> (3)     [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3)     [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 3 length 6
> (3) eap: Continuing tunnel setup
> (3)     [eap] = ok
> (3)   } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3)   authenticate {
> (3) eap: Expiring EAP session with state 0x3bd334c239d02d5a
> (3) eap: Finished EAP session with state 0x3bd334c239d02d5a
> (3) eap: Previous EAP request found for state 0x3bd334c239d02d5a, released from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer ACKed our handshake fragment
> (3) eap_peap: [eaptls verify] = request
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 4 length 691
> (3) eap: EAP session adding &reply:State = 0x3bd334c238d72d5a
> (3)     [eap] = handled
> (3)   } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) # Executing group from file /etc/raddb/sites-enabled/default
> (3)   Challenge { ... } # empty sub-section is ignored
> (3) Sent Access-Challenge Id 32 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (3)   EAP-Message = 0x010402b319000530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101009d2d36e5e65062434bce33d522f21aa5fc16f766f283a13b276fc9ebf7f118
> (3)   Message-Authenticator = 0x00000000000000000000000000000000
> (3)   State = 0x3bd334c238d72d5a464d9b22d2e35ffe
> (3)   Proxy-State = 0x3639
> (3) Finished request
> Waking up in 4.7 seconds.
> (4) Received Access-Request Id 28 from 192.168.70.15:18487 to 192.168.199.69:1812 length 506
> (4)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (4)   User-Name = "wifitestmac01"
> (4)   NAS-IP-Address = 192.168.70.63
> (4)   NAS-Identifier = "ruckuscontroller"
> (4)   NAS-Port = 1
> (4)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (4)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (4)   Location-Data = 0x31304445170a49542d53657276696365
> (4)   Service-Type = Framed-User
> (4)   Chargeable-User-Identity = 0x00
> (4)   NAS-Port-Type = Wireless-802.11
> (4)   Connect-Info = "CONNECT 802.11a/n/ac"
> (4)   EAP-Message = 0x0204008819800000007e1603030046100000424104adbbc0a47dec1a64cf71dd948d1cc6eeb600228b9ec1c419b2931cb6742f75033ea0cfe3368b858b07feb235a1c46f8936048a0d55e2f87fb62156f1fedb985814030300010116030300280000000000000000ab71501664950b092c4c0b8b88170f
> (4)   State = 0x3bd334c238d72d5a464d9b22d2e35ffe
> (4)   Ruckus-SSID = "test-radius-user+pass"
> (4)   Ruckus-BSSID = 0x34fa9ffa588e
> (4)   Ruckus-Location = "IT-Service"
> (4)   Ruckus-VLAN-ID = 1
> (4)   Ruckus-SCG-CBlade-IP = 3232253455
> (4)   Ruckus-Zone-Name = "Detmold"
> (4)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (4)   Message-Authenticator = 0xaa7a33857a9cd2bd2a0a520d9b8229f1
> (4)   Proxy-State = 0x3730
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (4)   authorize {
> rlm_ldap (ldap): Reserved connection (4)
> (4) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (4) ldap:    --> (name=wifitestmac01)
> (4) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (4) ldap: Waiting for search result...
> (4) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (4)
> (4)     [ldap] = notfound
> (4)     policy group_authorization {
> (4)       if (&Huntgroup-Name == "wo-byod") {
> (4)       ERROR: Failed retrieving values required to evaluate condition
> (4)       elsif (&Huntgroup-Name == "wo-secure") {
> (4)       ERROR: Failed retrieving values required to evaluate condition
> (4)     } # policy group_authorization = notfound
> (4)     policy filter_username {
> (4)       if (&User-Name) {
> (4)       if (&User-Name)  -> TRUE
> (4)       if (&User-Name)  {
> (4)         if (&User-Name =~ / /) {
> (4)         if (&User-Name =~ / /)  -> FALSE
> (4)         if (&User-Name =~ /@[^@]*@/ ) {
> (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (4)         if (&User-Name =~ /\.\./ ) {
> (4)         if (&User-Name =~ /\.\./ )  -> FALSE
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (4)         if (&User-Name =~ /\.$/)  {
> (4)         if (&User-Name =~ /\.$/)   -> FALSE
> (4)         if (&User-Name =~ /@\./)  {
> (4)         if (&User-Name =~ /@\./)   -> FALSE
> (4)       } # if (&User-Name)  = notfound
> (4)     } # policy filter_username = notfound
> (4)     policy filter_password {
> (4)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (4)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (4)     } # policy filter_password = notfound
> (4)     [preprocess] = ok
> (4)     [chap] = noop
> (4)     [mschap] = noop
> (4)     [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4)     [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 4 length 136
> (4) eap: Continuing tunnel setup
> (4)     [eap] = ok
> (4)   } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4)   authenticate {
> (4) eap: Expiring EAP session with state 0x3bd334c238d72d5a
> (4) eap: Finished EAP session with state 0x3bd334c238d72d5a
> (4) eap: Previous EAP request found for state 0x3bd334c238d72d5a, released from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
> (4) eap_peap: Got complete TLS record (126 bytes)
> (4) eap_peap: [eaptls verify] = length included
> (4) eap_peap: <<< recv TLS 1.2  [length 0046]
> (4) eap_peap: TLS_accept: SSLv3 read client key exchange A
> (4) eap_peap: TLS_accept: SSLv3 read certificate verify A
> (4) eap_peap: <<< recv TLS 1.2  [length 0001]
> (4) eap_peap: <<< recv TLS 1.2  [length 0010]
> (4) eap_peap: TLS_accept: SSLv3 read finished A
> (4) eap_peap: >>> send TLS 1.2  [length 0001]
> (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
> (4) eap_peap: >>> send TLS 1.2  [length 0010]
> (4) eap_peap: TLS_accept: SSLv3 write finished A
> (4) eap_peap: TLS_accept: SSLv3 flush data
> (4) eap_peap: (other): SSL negotiation finished successfully
> (4) eap_peap: SSL Connection Established
> (4) eap_peap: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 5 length 57
> (4) eap: EAP session adding &reply:State = 0x3bd334c23fd62d5a
> (4)     [eap] = handled
> (4)   } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/raddb/sites-enabled/default
> (4)   Challenge { ... } # empty sub-section is ignored
> (4) Sent Access-Challenge Id 28 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (4)   EAP-Message = 0x0105003919001403030001011603030028d5ec48bada42fbd160a0e9edd0eb49dfdd71efa906eeeeca879b4e3db15c178c51fb9fa222a5ed41
> (4)   Message-Authenticator = 0x00000000000000000000000000000000
> (4)   State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
> (4)   Proxy-State = 0x3730
> (4) Finished request
> Waking up in 4.6 seconds.
> (5) Received Access-Request Id 53 from 192.168.70.15:18487 to 192.168.199.69:1812 length 376
> (5)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (5)   User-Name = "wifitestmac01"
> (5)   NAS-IP-Address = 192.168.70.63
> (5)   NAS-Identifier = "ruckuscontroller"
> (5)   NAS-Port = 1
> (5)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (5)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (5)   Location-Data = 0x31304445170a49542d53657276696365
> (5)   Service-Type = Framed-User
> (5)   Chargeable-User-Identity = 0x00
> (5)   NAS-Port-Type = Wireless-802.11
> (5)   Connect-Info = "CONNECT 802.11a/n/ac"
> (5)   EAP-Message = 0x020500061900
> (5)   State = 0x3bd334c23fd62d5a464d9b22d2e35ffe
> (5)   Ruckus-SSID = "test-radius-user+pass"
> (5)   Ruckus-BSSID = 0x34fa9ffa588e
> (5)   Ruckus-Location = "IT-Service"
> (5)   Ruckus-VLAN-ID = 1
> (5)   Ruckus-SCG-CBlade-IP = 3232253455
> (5)   Ruckus-Zone-Name = "Detmold"
> (5)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (5)   Message-Authenticator = 0x66edffe796ea4dd8ad07c9eb195678ba
> (5)   Proxy-State = 0x3731
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (5)   authorize {
> rlm_ldap (ldap): Reserved connection (0)
> (5) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (5) ldap:    --> (name=wifitestmac01)
> (5) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (5) ldap: Waiting for search result...
> (5) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (0)
> (5)     [ldap] = notfound
> (5)     policy group_authorization {
> (5)       if (&Huntgroup-Name == "wo-byod") {
> (5)       ERROR: Failed retrieving values required to evaluate condition
> (5)       elsif (&Huntgroup-Name == "wo-secure") {
> (5)       ERROR: Failed retrieving values required to evaluate condition
> (5)     } # policy group_authorization = notfound
> (5)     policy filter_username {
> (5)       if (&User-Name) {
> (5)       if (&User-Name)  -> TRUE
> (5)       if (&User-Name)  {
> (5)         if (&User-Name =~ / /) {
> (5)         if (&User-Name =~ / /)  -> FALSE
> (5)         if (&User-Name =~ /@[^@]*@/ ) {
> (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (5)         if (&User-Name =~ /\.\./ ) {
> (5)         if (&User-Name =~ /\.\./ )  -> FALSE
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (5)         if (&User-Name =~ /\.$/)  {
> (5)         if (&User-Name =~ /\.$/)   -> FALSE
> (5)         if (&User-Name =~ /@\./)  {
> (5)         if (&User-Name =~ /@\./)   -> FALSE
> (5)       } # if (&User-Name)  = notfound
> (5)     } # policy filter_username = notfound
> (5)     policy filter_password {
> (5)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (5)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (5)     } # policy filter_password = notfound
> (5)     [preprocess] = ok
> (5)     [chap] = noop
> (5)     [mschap] = noop
> (5)     [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5)     [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 5 length 6
> (5) eap: Continuing tunnel setup
> (5)     [eap] = ok
> (5)   } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5)   authenticate {
> (5) eap: Expiring EAP session with state 0x3bd334c23fd62d5a
> (5) eap: Finished EAP session with state 0x3bd334c23fd62d5a
> (5) eap: Previous EAP request found for state 0x3bd334c23fd62d5a, released from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
> (5) eap_peap: [eaptls verify] = success
> (5) eap_peap: [eaptls process] = success
> (5) eap_peap: Session established.  Decoding tunneled attributes
> (5) eap_peap: PEAP state TUNNEL ESTABLISHED
> (5) eap: Sending EAP Request (code 1) ID 6 length 40
> (5) eap: EAP session adding &reply:State = 0x3bd334c23ed52d5a
> (5)     [eap] = handled
> (5)   } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) # Executing group from file /etc/raddb/sites-enabled/default
> (5)   Challenge { ... } # empty sub-section is ignored
> (5) Sent Access-Challenge Id 53 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (5)   EAP-Message = 0x010600281900170303001dd5ec48bada42fbd2efc073480c7529e47c1add6cb4438a099c10325e70
> (5)   Message-Authenticator = 0x00000000000000000000000000000000
> (5)   State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
> (5)   Proxy-State = 0x3731
> (5) Finished request
> Waking up in 4.6 seconds.
> (6) Received Access-Request Id 156 from 192.168.70.15:18487 to 192.168.199.69:1812 length 419
> (6)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (6)   User-Name = "wifitestmac01"
> (6)   NAS-IP-Address = 192.168.70.63
> (6)   NAS-Identifier = "ruckuscontroller"
> (6)   NAS-Port = 1
> (6)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (6)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (6)   Location-Data = 0x31304445170a49542d53657276696365
> (6)   Service-Type = Framed-User
> (6)   Chargeable-User-Identity = 0x00
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 802.11a/n/ac"
> (6)   EAP-Message = 0x020600311900170303002600000000000000015698d55ae694291d750d607613ec0078f789474257506b16b6bbfb645851
> (6)   State = 0x3bd334c23ed52d5a464d9b22d2e35ffe
> (6)   Ruckus-SSID = "test-radius-user+pass"
> (6)   Ruckus-BSSID = 0x34fa9ffa588e
> (6)   Ruckus-Location = "IT-Service"
> (6)   Ruckus-VLAN-ID = 1
> (6)   Ruckus-SCG-CBlade-IP = 3232253455
> (6)   Ruckus-Zone-Name = "Detmold"
> (6)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (6)   Message-Authenticator = 0x34c64d7bfe181cdb376fcd5e5ddf54bc
> (6)   Proxy-State = 0x3732
> (6) session-state: No cached attributes
> (6) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (6)   authorize {
> rlm_ldap (ldap): Reserved connection (5)
> (6) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (6) ldap:    --> (name=wifitestmac01)
> (6) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (6) ldap: Waiting for search result...
> (6) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (5)
> (6)     [ldap] = notfound
> (6)     policy group_authorization {
> (6)       if (&Huntgroup-Name == "wo-byod") {
> (6)       ERROR: Failed retrieving values required to evaluate condition
> (6)       elsif (&Huntgroup-Name == "wo-secure") {
> (6)       ERROR: Failed retrieving values required to evaluate condition
> (6)     } # policy group_authorization = notfound
> (6)     policy filter_username {
> (6)       if (&User-Name) {
> (6)       if (&User-Name)  -> TRUE
> (6)       if (&User-Name)  {
> (6)         if (&User-Name =~ / /) {
> (6)         if (&User-Name =~ / /)  -> FALSE
> (6)         if (&User-Name =~ /@[^@]*@/ ) {
> (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)         if (&User-Name =~ /\.\./ ) {
> (6)         if (&User-Name =~ /\.\./ )  -> FALSE
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (6)         if (&User-Name =~ /\.$/)  {
> (6)         if (&User-Name =~ /\.$/)   -> FALSE
> (6)         if (&User-Name =~ /@\./)  {
> (6)         if (&User-Name =~ /@\./)   -> FALSE
> (6)       } # if (&User-Name)  = notfound
> (6)     } # policy filter_username = notfound
> (6)     policy filter_password {
> (6)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (6)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (6)     } # policy filter_password = notfound
> (6)     [preprocess] = ok
> (6)     [chap] = noop
> (6)     [mschap] = noop
> (6)     [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)     [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 6 length 49
> (6) eap: Continuing tunnel setup
> (6)     [eap] = ok
> (6)   } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6)   authenticate {
> (6) eap: Expiring EAP session with state 0x3bd334c23ed52d5a
> (6) eap: Finished EAP session with state 0x3bd334c23ed52d5a
> (6) eap: Previous EAP request found for state 0x3bd334c23ed52d5a, released from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: [eaptls verify] = ok
> (6) eap_peap: Done initial handshake
> (6) eap_peap: [eaptls process] = ok
> (6) eap_peap: Session established.  Decoding tunneled attributes
> (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (6) eap_peap: Identity - wifitestmac01
> (6) eap_peap: Got inner identity 'wifitestmac01'
> (6) eap_peap: Setting default EAP type for tunneled EAP session
> (6) eap_peap: Got tunneled request
> (6) eap_peap:   EAP-Message = 0x020600120177696669746573746d61633031
> (6) eap_peap: Setting User-Name to wifitestmac01
> (6) eap_peap: Sending tunneled request to inner-tunnel
> (6) eap_peap:   EAP-Message = 0x020600120177696669746573746d61633031
> (6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_peap:   User-Name = "wifitestmac01"
> (6) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
> (6) eap_peap:   NAS-IP-Address = 192.168.70.63
> (6) eap_peap:   NAS-Identifier = "ruckuscontroller"
> (6) eap_peap:   NAS-Port = 1
> (6) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (6) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
> (6) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
> (6) eap_peap:   Service-Type = Framed-User
> (6) eap_peap:   Chargeable-User-Identity = 0x00
> (6) eap_peap:   NAS-Port-Type = Wireless-802.11
> (6) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
> (6) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
> (6) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
> (6) eap_peap:   Ruckus-Location = "IT-Service"
> (6) eap_peap:   Ruckus-VLAN-ID = 1
> (6) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
> (6) eap_peap:   Ruckus-Zone-Name = "Detmold"
> (6) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
> (6) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (6) Virtual server inner-tunnel received request
> (6)   EAP-Message = 0x020600120177696669746573746d61633031
> (6)   FreeRADIUS-Proxied-To = 127.0.0.1
> (6)   User-Name = "wifitestmac01"
> (6)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (6)   NAS-IP-Address = 192.168.70.63
> (6)   NAS-Identifier = "ruckuscontroller"
> (6)   NAS-Port = 1
> (6)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (6)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (6)   Location-Data = 0x31304445170a49542d53657276696365
> (6)   Service-Type = Framed-User
> (6)   Chargeable-User-Identity = 0x00
> (6)   NAS-Port-Type = Wireless-802.11
> (6)   Connect-Info = "CONNECT 802.11a/n/ac"
> (6)   Ruckus-SSID = "test-radius-user+pass"
> (6)   Ruckus-BSSID = 0x34fa9ffa588e
> (6)   Ruckus-Location = "IT-Service"
> (6)   Ruckus-VLAN-ID = 1
> (6)   Ruckus-SCG-CBlade-IP = 3232253455
> (6)   Ruckus-Zone-Name = "Detmold"
> (6)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (6)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (6) server inner-tunnel {
> (6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (6)     authorize {
> (6)       policy filter_username {
> (6)         if (&User-Name) {
> (6)         if (&User-Name)  -> TRUE
> (6)         if (&User-Name)  {
> (6)           if (&User-Name =~ / /) {
> (6)           if (&User-Name =~ / /)  -> FALSE
> (6)           if (&User-Name =~ /@[^@]*@/ ) {
> (6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (6)           if (&User-Name =~ /\.\./ ) {
> (6)           if (&User-Name =~ /\.\./ )  -> FALSE
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (6)           if (&User-Name =~ /\.$/)  {
> (6)           if (&User-Name =~ /\.$/)   -> FALSE
> (6)           if (&User-Name =~ /@\./)  {
> (6)           if (&User-Name =~ /@\./)   -> FALSE
> (6)         } # if (&User-Name)  = notfound
> (6)       } # policy filter_username = notfound
> (6)       [chap] = noop
> (6)       [mschap] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6)       [suffix] = noop
> (6)       update control {
> (6)         &Proxy-To-Realm := LOCAL
> (6)       } # update control = noop
> (6) eap: Peer sent EAP Response (code 2) ID 6 length 18
> (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (6)       [eap] = ok
> (6)     } # authorize = ok
> (6)   Found Auth-Type = eap
> (6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6)     authenticate {
> (6) eap: Peer sent packet with method EAP Identity (1)
> (6) eap: Calling submodule eap_mschapv2 to process data
> (6) eap_mschapv2: Issuing Challenge
> (6) eap: Sending EAP Request (code 1) ID 7 length 43
> (6) eap: EAP session adding &reply:State = 0x78a9799278ae6313
> (6)       [eap] = handled
> (6)     } # authenticate = handled
> (6) } # server inner-tunnel
> (6) Virtual server sending reply
> (6)   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6)   State = 0x78a9799278ae6313f359dd39dd5c9f11
> (6) eap_peap: Got tunneled reply code 11
> (6) eap_peap:   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
> (6) eap_peap: Got tunneled reply RADIUS code 11
> (6) eap_peap:   EAP-Message = 0x0107002b1a0107002610acc3fe6199de746d49fc93f49582fc03667265657261646975732d332e302e3133
> (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (6) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
> (6) eap_peap: Got tunneled Access-Challenge
> (6) eap: Sending EAP Request (code 1) ID 7 length 74
> (6) eap: EAP session adding &reply:State = 0x3bd334c23dd42d5a
> (6)     [eap] = handled
> (6)   } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) # Executing group from file /etc/raddb/sites-enabled/default
> (6)   Challenge { ... } # empty sub-section is ignored
> (6) Sent Access-Challenge Id 156 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (6)   EAP-Message = 0x0107004a1900170303003fd5ec48bada42fbd39481e9f00adb4e04c21da70a884fc7d37895cfdbd260a4aa2189d9d36c81ebc4a14d73b74ba2eb169b57fd36b0ecb4393df44715a4222e
> (6)   Message-Authenticator = 0x00000000000000000000000000000000
> (6)   State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
> (6)   Proxy-State = 0x3732
> (6) Finished request
> Waking up in 4.5 seconds.
> (7) Received Access-Request Id 35 from 192.168.70.15:18487 to 192.168.199.69:1812 length 473
> (7)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (7)   User-Name = "wifitestmac01"
> (7)   NAS-IP-Address = 192.168.70.63
> (7)   NAS-Identifier = "ruckuscontroller"
> (7)   NAS-Port = 1
> (7)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (7)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (7)   Location-Data = 0x31304445170a49542d53657276696365
> (7)   Service-Type = Framed-User
> (7)   Chargeable-User-Identity = 0x00
> (7)   NAS-Port-Type = Wireless-802.11
> (7)   Connect-Info = "CONNECT 802.11a/n/ac"
> (7)   EAP-Message = 0x020700671900170303005c000000000000000260bd309024ce07ecc1dd6fb714cd4aab28a634e3636effeb72f8162068747c873ba798f59a4cd64c069ba2159698e14743104d45d20c019e727efc75fdac7624b0b06f869e8bc2cfc1cc6cfd33ed977ae6015649
> (7)   State = 0x3bd334c23dd42d5a464d9b22d2e35ffe
> (7)   Ruckus-SSID = "test-radius-user+pass"
> (7)   Ruckus-BSSID = 0x34fa9ffa588e
> (7)   Ruckus-Location = "IT-Service"
> (7)   Ruckus-VLAN-ID = 1
> (7)   Ruckus-SCG-CBlade-IP = 3232253455
> (7)   Ruckus-Zone-Name = "Detmold"
> (7)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (7)   Message-Authenticator = 0x3b507e4e852475a8216cc0c453588426
> (7)   Proxy-State = 0x3733
> (7) session-state: No cached attributes
> (7) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (7)   authorize {
> rlm_ldap (ldap): Reserved connection (1)
> (7) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (7) ldap:    --> (name=wifitestmac01)
> (7) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (7) ldap: Waiting for search result...
> (7) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (1)
> (7)     [ldap] = notfound
> (7)     policy group_authorization {
> (7)       if (&Huntgroup-Name == "wo-byod") {
> (7)       ERROR: Failed retrieving values required to evaluate condition
> (7)       elsif (&Huntgroup-Name == "wo-secure") {
> (7)       ERROR: Failed retrieving values required to evaluate condition
> (7)     } # policy group_authorization = notfound
> (7)     policy filter_username {
> (7)       if (&User-Name) {
> (7)       if (&User-Name)  -> TRUE
> (7)       if (&User-Name)  {
> (7)         if (&User-Name =~ / /) {
> (7)         if (&User-Name =~ / /)  -> FALSE
> (7)         if (&User-Name =~ /@[^@]*@/ ) {
> (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)         if (&User-Name =~ /\.\./ ) {
> (7)         if (&User-Name =~ /\.\./ )  -> FALSE
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (7)         if (&User-Name =~ /\.$/)  {
> (7)         if (&User-Name =~ /\.$/)   -> FALSE
> (7)         if (&User-Name =~ /@\./)  {
> (7)         if (&User-Name =~ /@\./)   -> FALSE
> (7)       } # if (&User-Name)  = notfound
> (7)     } # policy filter_username = notfound
> (7)     policy filter_password {
> (7)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (7)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (7)     } # policy filter_password = notfound
> (7)     [preprocess] = ok
> (7)     [chap] = noop
> (7)     [mschap] = noop
> (7)     [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)     [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 7 length 103
> (7) eap: Continuing tunnel setup
> (7)     [eap] = ok
> (7)   } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7)   authenticate {
> (7) eap: Expiring EAP session with state 0x78a9799278ae6313
> (7) eap: Finished EAP session with state 0x3bd334c23dd42d5a
> (7) eap: Previous EAP request found for state 0x3bd334c23dd42d5a, released from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established.  Decoding tunneled attributes
> (7) eap_peap: PEAP state phase2
> (7) eap_peap: EAP method MSCHAPv2 (26)
> (7) eap_peap: Got tunneled request
> (7) eap_peap:   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
> (7) eap_peap: Setting User-Name to wifitestmac01
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap:   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
> (7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap:   User-Name = "wifitestmac01"
> (7) eap_peap:   State = 0x78a9799278ae6313f359dd39dd5c9f11
> (7) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
> (7) eap_peap:   NAS-IP-Address = 192.168.70.63
> (7) eap_peap:   NAS-Identifier = "ruckuscontroller"
> (7) eap_peap:   NAS-Port = 1
> (7) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (7) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
> (7) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
> (7) eap_peap:   Service-Type = Framed-User
> (7) eap_peap:   Chargeable-User-Identity = 0x00
> (7) eap_peap:   NAS-Port-Type = Wireless-802.11
> (7) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
> (7) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
> (7) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
> (7) eap_peap:   Ruckus-Location = "IT-Service"
> (7) eap_peap:   Ruckus-VLAN-ID = 1
> (7) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
> (7) eap_peap:   Ruckus-Zone-Name = "Detmold"
> (7) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
> (7) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (7) Virtual server inner-tunnel received request
> (7)   EAP-Message = 0x020700481a0207004331511e472c9167eed5163063c100f421e70000000000000000f82f405055c2818c487d7d078bd9aafccf93e2e4db9c11f60077696669746573746d61633031
> (7)   FreeRADIUS-Proxied-To = 127.0.0.1
> (7)   User-Name = "wifitestmac01"
> (7)   State = 0x78a9799278ae6313f359dd39dd5c9f11
> (7)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (7)   NAS-IP-Address = 192.168.70.63
> (7)   NAS-Identifier = "ruckuscontroller"
> (7)   NAS-Port = 1
> (7)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (7)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (7)   Location-Data = 0x31304445170a49542d53657276696365
> (7)   Service-Type = Framed-User
> (7)   Chargeable-User-Identity = 0x00
> (7)   NAS-Port-Type = Wireless-802.11
> (7)   Connect-Info = "CONNECT 802.11a/n/ac"
> (7)   Ruckus-SSID = "test-radius-user+pass"
> (7)   Ruckus-BSSID = 0x34fa9ffa588e
> (7)   Ruckus-Location = "IT-Service"
> (7)   Ruckus-VLAN-ID = 1
> (7)   Ruckus-SCG-CBlade-IP = 3232253455
> (7)   Ruckus-Zone-Name = "Detmold"
> (7)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (7)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (7) server inner-tunnel {
> (7)   session-state: No cached attributes
> (7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (7)     authorize {
> (7)       policy filter_username {
> (7)         if (&User-Name) {
> (7)         if (&User-Name)  -> TRUE
> (7)         if (&User-Name)  {
> (7)           if (&User-Name =~ / /) {
> (7)           if (&User-Name =~ / /)  -> FALSE
> (7)           if (&User-Name =~ /@[^@]*@/ ) {
> (7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (7)           if (&User-Name =~ /\.\./ ) {
> (7)           if (&User-Name =~ /\.\./ )  -> FALSE
> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (7)           if (&User-Name =~ /\.$/)  {
> (7)           if (&User-Name =~ /\.$/)   -> FALSE
> (7)           if (&User-Name =~ /@\./)  {
> (7)           if (&User-Name =~ /@\./)   -> FALSE
> (7)         } # if (&User-Name)  = notfound
> (7)       } # policy filter_username = notfound
> (7)       [chap] = noop
> (7)       [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7)       [suffix] = noop
> (7)       update control {
> (7)         &Proxy-To-Realm := LOCAL
> (7)       } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 7 length 72
> (7) eap: No EAP Start, assuming it's an on-going EAP conversation
> (7)       [eap] = updated
> (7)       [files] = noop
> (7) sql: EXPAND %{User-Name}
> (7) sql:    --> wifitestmac01
> (7) sql: SQL-User-Name set to 'wifitestmac01'
> rlm_sql (sql): Reserved connection (1)
> (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (7) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
> (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
> (7) sql: User found in radcheck table
> (7) sql: Conditional check items matched, merging assignment check items
> (7) sql:   Cleartext-Password := "tester555"
> (7) sql:   MS-CHAP-Use-NTLM-Auth := No
> (7) sql:   Calling-Station-Id := "24-FB-65-69-06-AF"
> (7) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (7) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
> (7) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
> (7) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (7) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
> (7) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
> (7) sql: User found in the group table
> (7) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
> (7) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (7) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (7) sql: Group "wifi_wo-secure": Conditional check items matched
> (7) sql: Group "wifi_wo-secure": Merging assignment check items
> (7) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
> (7) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (7) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (7) sql: Group "wifi_wo-secure": Merging reply items
> (7) sql:   Huntgroup-Name := "wo-secure"
> rlm_sql (sql): Released connection (1)
> Need 4 more connections to reach 10 spares
> rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.40-MariaDB, protocol version 10
> (7)       [sql] = ok
> (7)       [expiration] = noop
> (7)       [logintime] = noop
> (7) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (7)       [pap] = noop
> (7)     } # authorize = updated
> (7)   Found Auth-Type = eap
> (7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7)     authenticate {
> (7) eap: Expiring EAP session with state 0x78a9799278ae6313
> (7) eap: Finished EAP session with state 0x78a9799278ae6313
> (7) eap: Previous EAP request found for state 0x78a9799278ae6313, released from the list
> (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) eap_mschapv2:   authenticate {
> (7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: wifitestmac01
> (7) mschap: Client is using MS-CHAPv2
> (7) mschap: Adding MS-CHAPv2 MPPE keys
> (7)     [mschap] = ok
> (7)   } # authenticate = ok
> (7) MSCHAP Success
> (7) eap: Sending EAP Request (code 1) ID 8 length 51
> (7) eap: EAP session adding &reply:State = 0x78a9799279a16313
> (7)       [eap] = handled
> (7)     } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7)   Huntgroup-Name = "wo-secure"
> (7)   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> (7)   State = 0x78a9799279a16313f359dd39dd5c9f11
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap:   Huntgroup-Name = "wo-secure"
> (7) eap_peap:   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap:   Huntgroup-Name = "wo-secure"
> (7) eap_peap:   EAP-Message = 0x010800331a0307002e533d41423746314439413946443643463639353932453639354141353944454243424636423533383944
> (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (7) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 8 length 82
> (7) eap: EAP session adding &reply:State = 0x3bd334c23cdb2d5a
> (7)     [eap] = handled
> (7)   } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) # Executing group from file /etc/raddb/sites-enabled/default
> (7)   Challenge { ... } # empty sub-section is ignored
> (7) Sent Access-Challenge Id 35 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (7)   EAP-Message = 0x0108005219001703030047d5ec48bada42fbd4a02ea88aa51ecde0431fc6ac9846f7c0bc036ed64ec4a3c3a48c11c16ba8cdeed9c4ac5890895c8591ac992d69a16fc27bc54f573dc888eb7d087f53f723fd
> (7)   Message-Authenticator = 0x00000000000000000000000000000000
> (7)   State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
> (7)   Proxy-State = 0x3733
> (7) Finished request
> Waking up in 4.5 seconds.
> (8) Received Access-Request Id 62 from 192.168.70.15:18487 to 192.168.199.69:1812 length 407
> (8)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (8)   User-Name = "wifitestmac01"
> (8)   NAS-IP-Address = 192.168.70.63
> (8)   NAS-Identifier = "ruckuscontroller"
> (8)   NAS-Port = 1
> (8)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (8)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (8)   Location-Data = 0x31304445170a49542d53657276696365
> (8)   Service-Type = Framed-User
> (8)   Chargeable-User-Identity = 0x00
> (8)   NAS-Port-Type = Wireless-802.11
> (8)   Connect-Info = "CONNECT 802.11a/n/ac"
> (8)   EAP-Message = 0x020800251900170303001a0000000000000003559b9229317f3155d7720c582345c83dac3f
> (8)   State = 0x3bd334c23cdb2d5a464d9b22d2e35ffe
> (8)   Ruckus-SSID = "test-radius-user+pass"
> (8)   Ruckus-BSSID = 0x34fa9ffa588e
> (8)   Ruckus-Location = "IT-Service"
> (8)   Ruckus-VLAN-ID = 1
> (8)   Ruckus-SCG-CBlade-IP = 3232253455
> (8)   Ruckus-Zone-Name = "Detmold"
> (8)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (8)   Message-Authenticator = 0x1990281948930e08ef66d420ea1928c8
> (8)   Proxy-State = 0x3734
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (8)   authorize {
> rlm_ldap (ldap): Reserved connection (2)
> (8) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap:    --> (name=wifitestmac01)
> (8) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (2)
> (8)     [ldap] = notfound
> (8)     policy group_authorization {
> (8)       if (&Huntgroup-Name == "wo-byod") {
> (8)       ERROR: Failed retrieving values required to evaluate condition
> (8)       elsif (&Huntgroup-Name == "wo-secure") {
> (8)       ERROR: Failed retrieving values required to evaluate condition
> (8)     } # policy group_authorization = notfound
> (8)     policy filter_username {
> (8)       if (&User-Name) {
> (8)       if (&User-Name)  -> TRUE
> (8)       if (&User-Name)  {
> (8)         if (&User-Name =~ / /) {
> (8)         if (&User-Name =~ / /)  -> FALSE
> (8)         if (&User-Name =~ /@[^@]*@/ ) {
> (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (8)         if (&User-Name =~ /\.\./ ) {
> (8)         if (&User-Name =~ /\.\./ )  -> FALSE
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (8)         if (&User-Name =~ /\.$/)  {
> (8)         if (&User-Name =~ /\.$/)   -> FALSE
> (8)         if (&User-Name =~ /@\./)  {
> (8)         if (&User-Name =~ /@\./)   -> FALSE
> (8)       } # if (&User-Name)  = notfound
> (8)     } # policy filter_username = notfound
> (8)     policy filter_password {
> (8)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (8)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (8)     } # policy filter_password = notfound
> (8)     [preprocess] = ok
> (8)     [chap] = noop
> (8)     [mschap] = noop
> (8)     [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8)     [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 8 length 37
> (8) eap: Continuing tunnel setup
> (8)     [eap] = ok
> (8)   } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8)   authenticate {
> (8) eap: Expiring EAP session with state 0x78a9799279a16313
> (8) eap: Finished EAP session with state 0x3bd334c23cdb2d5a
> (8) eap: Previous EAP request found for state 0x3bd334c23cdb2d5a, released from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established.  Decoding tunneled attributes
> (8) eap_peap: PEAP state phase2
> (8) eap_peap: EAP method MSCHAPv2 (26)
> (8) eap_peap: Got tunneled request
> (8) eap_peap:   EAP-Message = 0x020800061a03
> (8) eap_peap: Setting User-Name to wifitestmac01
> (8) eap_peap: Sending tunneled request to inner-tunnel
> (8) eap_peap:   EAP-Message = 0x020800061a03
> (8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_peap:   User-Name = "wifitestmac01"
> (8) eap_peap:   State = 0x78a9799279a16313f359dd39dd5c9f11
> (8) eap_peap:   Acct-Session-Id = "5D1CA994-67A4B00F"
> (8) eap_peap:   NAS-IP-Address = 192.168.70.63
> (8) eap_peap:   NAS-Identifier = "ruckuscontroller"
> (8) eap_peap:   NAS-Port = 1
> (8) eap_peap:   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (8) eap_peap:   Calling-Station-Id = "24-FB-65-69-06-AF"
> (8) eap_peap:   Location-Data = 0x31304445170a49542d53657276696365
> (8) eap_peap:   Service-Type = Framed-User
> (8) eap_peap:   Chargeable-User-Identity = 0x00
> (8) eap_peap:   NAS-Port-Type = Wireless-802.11
> (8) eap_peap:   Connect-Info = "CONNECT 802.11a/n/ac"
> (8) eap_peap:   Ruckus-SSID = "test-radius-user+pass"
> (8) eap_peap:   Ruckus-BSSID = 0x34fa9ffa588e
> (8) eap_peap:   Ruckus-Location = "IT-Service"
> (8) eap_peap:   Ruckus-VLAN-ID = 1
> (8) eap_peap:   Ruckus-SCG-CBlade-IP = 3232253455
> (8) eap_peap:   Ruckus-Zone-Name = "Detmold"
> (8) eap_peap:   Ruckus-Wlan-Name = "test-radius-user+pass"
> (8) eap_peap:   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (8) Virtual server inner-tunnel received request
> (8)   EAP-Message = 0x020800061a03
> (8)   FreeRADIUS-Proxied-To = 127.0.0.1
> (8)   User-Name = "wifitestmac01"
> (8)   State = 0x78a9799279a16313f359dd39dd5c9f11
> (8)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (8)   NAS-IP-Address = 192.168.70.63
> (8)   NAS-Identifier = "ruckuscontroller"
> (8)   NAS-Port = 1
> (8)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (8)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (8)   Location-Data = 0x31304445170a49542d53657276696365
> (8)   Service-Type = Framed-User
> (8)   Chargeable-User-Identity = 0x00
> (8)   NAS-Port-Type = Wireless-802.11
> (8)   Connect-Info = "CONNECT 802.11a/n/ac"
> (8)   Ruckus-SSID = "test-radius-user+pass"
> (8)   Ruckus-BSSID = 0x34fa9ffa588e
> (8)   Ruckus-Location = "IT-Service"
> (8)   Ruckus-VLAN-ID = 1
> (8)   Ruckus-SCG-CBlade-IP = 3232253455
> (8)   Ruckus-Zone-Name = "Detmold"
> (8)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (8)   Event-Timestamp = "Jul  3 2019 15:11:54 CEST"
> (8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
> (8) server inner-tunnel {
> (8)   session-state: No cached attributes
> (8)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
> (8)     authorize {
> (8)       policy filter_username {
> (8)         if (&User-Name) {
> (8)         if (&User-Name)  -> TRUE
> (8)         if (&User-Name)  {
> (8)           if (&User-Name =~ / /) {
> (8)           if (&User-Name =~ / /)  -> FALSE
> (8)           if (&User-Name =~ /@[^@]*@/ ) {
> (8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (8)           if (&User-Name =~ /\.\./ ) {
> (8)           if (&User-Name =~ /\.\./ )  -> FALSE
> (8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (8)           if (&User-Name =~ /\.$/)  {
> (8)           if (&User-Name =~ /\.$/)   -> FALSE
> (8)           if (&User-Name =~ /@\./)  {
> (8)           if (&User-Name =~ /@\./)   -> FALSE
> (8)         } # if (&User-Name)  = notfound
> (8)       } # policy filter_username = notfound
> (8)       [chap] = noop
> (8)       [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8)       [suffix] = noop
> (8)       update control {
> (8)         &Proxy-To-Realm := LOCAL
> (8)       } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 8 length 6
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8)       [eap] = updated
> (8)       [files] = noop
> (8) sql: EXPAND %{User-Name}
> (8) sql:    --> wifitestmac01
> (8) sql: SQL-User-Name set to 'wifitestmac01'
> rlm_sql (sql): Reserved connection (2)
> (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
> (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'wifitestmac01' ORDER BY id
> (8) sql: User found in radcheck table
> (8) sql: Conditional check items matched, merging assignment check items
> (8) sql:   Cleartext-Password := "tester555"
> (8) sql:   MS-CHAP-Use-NTLM-Auth := No
> (8) sql:   Calling-Station-Id := "24-FB-65-69-06-AF"
> (8) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
> (8) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
> (8) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'wifitestmac01' ORDER BY id
> (8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
> (8) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
> (8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'wifitestmac01' ORDER BY priority
> (8) sql: User found in the group table
> (8) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
> (8) sql:    --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (8) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (8) sql: Group "wifi_wo-secure": Conditional check items matched
> (8) sql: Group "wifi_wo-secure": Merging assignment check items
> (8) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
> (8) sql:    --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (8) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'wifi_wo-secure' ORDER BY id
> (8) sql: Group "wifi_wo-secure": Merging reply items
> (8) sql:   Huntgroup-Name := "wo-secure"
> rlm_sql (sql): Released connection (2)
> (8)       [sql] = ok
> (8)       [expiration] = noop
> (8)       [logintime] = noop
> (8) pap: WARNING: Auth-Type already set.  Not setting to PAP
> (8)       [pap] = noop
> (8)     } # authorize = updated
> (8)   Found Auth-Type = eap
> (8)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (8)     authenticate {
> (8) eap: Expiring EAP session with state 0x78a9799279a16313
> (8) eap: Finished EAP session with state 0x78a9799279a16313
> (8) eap: Previous EAP request found for state 0x78a9799279a16313, released from the list
> (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (8) eap: Calling submodule eap_mschapv2 to process data
> (8) eap: Sending EAP Success (code 3) ID 8 length 4
> (8) eap: Freeing handler
> (8)       [eap] = ok
> (8)     } # authenticate = ok
> (8)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
> (8)     post-auth {
> (8) sql: EXPAND .query
> (8) sql:    --> .query
> (8) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (3)
> (8) sql: EXPAND %{User-Name}
> (8) sql:    --> wifitestmac01
> (8) sql: SQL-User-Name set to 'wifitestmac01'
> (8) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (8) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
> (8) sql: EXPAND /var/log/radius/sqllog.sql
> (8) sql:    --> /var/log/radius/sqllog.sql
> (8) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.476885')
> (8) sql: SQL query returned: success
> (8) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (3)
> (8)       [sql] = ok
> (8)       if (0) {
> (8)       if (0)  -> FALSE
> (8)     } # post-auth = ok
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8)   Huntgroup-Name = "wo-secure"
> (8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
> (8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> (8)   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
> (8)   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
> (8)   EAP-Message = 0x03080004
> (8)   Message-Authenticator = 0x00000000000000000000000000000000
> (8)   User-Name = "wifitestmac01"
> (8) eap_peap: Got tunneled reply code 2
> (8) eap_peap:   Huntgroup-Name = "wo-secure"
> (8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
> (8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> (8) eap_peap:   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
> (8) eap_peap:   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
> (8) eap_peap:   EAP-Message = 0x03080004
> (8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap:   User-Name = "wifitestmac01"
> (8) eap_peap: Got tunneled reply RADIUS code 2
> (8) eap_peap:   Huntgroup-Name = "wo-secure"
> (8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
> (8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> (8) eap_peap:   MS-MPPE-Send-Key = 0x09649f4423192a6d5709c19fe5125d4a
> (8) eap_peap:   MS-MPPE-Recv-Key = 0x6a4b0cefe1f26056c755aaa5f734ce7c
> (8) eap_peap:   EAP-Message = 0x03080004
> (8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap:   User-Name = "wifitestmac01"
> (8) eap_peap: Tunneled authentication was successful
> (8) eap_peap: SUCCESS
> (8) eap: Sending EAP Request (code 1) ID 9 length 46
> (8) eap: EAP session adding &reply:State = 0x3bd334c233da2d5a
> (8)     [eap] = handled
> (8)   } # authenticate = handled
> (8) Using Post-Auth-Type Challenge
> (8) # Executing group from file /etc/raddb/sites-enabled/default
> (8)   Challenge { ... } # empty sub-section is ignored
> (8) Sent Access-Challenge Id 62 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (8)   EAP-Message = 0x0109002e19001703030023d5ec48bada42fbd57360d536a83db35fd6aa4c397ac57dc6b063543e6a7988551a9ecf
> (8)   Message-Authenticator = 0x00000000000000000000000000000000
> (8)   State = 0x3bd334c233da2d5a464d9b22d2e35ffe
> (8)   Proxy-State = 0x3734
> (8) Finished request
> Waking up in 4.4 seconds.
> (9) Received Access-Request Id 148 from 192.168.70.15:18487 to 192.168.199.69:1812 length 416
> (9)   Acct-Session-Id = "5D1CA994-67A4B00F"
> (9)   User-Name = "wifitestmac01"
> (9)   NAS-IP-Address = 192.168.70.63
> (9)   NAS-Identifier = "ruckuscontroller"
> (9)   NAS-Port = 1
> (9)   Called-Station-Id = "34-FA-9F-FA-58-8E:test-radius-user+pass"
> (9)   Calling-Station-Id = "24-FB-65-69-06-AF"
> (9)   Location-Data = 0x31304445170a49542d53657276696365
> (9)   Service-Type = Framed-User
> (9)   Chargeable-User-Identity = 0x00
> (9)   NAS-Port-Type = Wireless-802.11
> (9)   Connect-Info = "CONNECT 802.11a/n/ac"
> (9)   EAP-Message = 0x0209002e190017030300230000000000000004e71ecbff60c571603fd792638be1058058177b3ddab992ee20e458
> (9)   State = 0x3bd334c233da2d5a464d9b22d2e35ffe
> (9)   Ruckus-SSID = "test-radius-user+pass"
> (9)   Ruckus-BSSID = 0x34fa9ffa588e
> (9)   Ruckus-Location = "IT-Service"
> (9)   Ruckus-VLAN-ID = 1
> (9)   Ruckus-SCG-CBlade-IP = 3232253455
> (9)   Ruckus-Zone-Name = "Detmold"
> (9)   Ruckus-Wlan-Name = "test-radius-user+pass"
> (9)   Message-Authenticator = 0x162c711631dc2d5883505d06283cda48
> (9)   Proxy-State = 0x3735
> (9) session-state: No cached attributes
> (9) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (9)   authorize {
> rlm_ldap (ldap): Reserved connection (6)
> (9) ldap: EXPAND (name=%{%{Stripped-User-Name}:-%{User-Name}})
> (9) ldap:    --> (name=wifitestmac01)
> (9) ldap: Performing search in "DC=wifi,DC=wortmann,DC=com" with filter "(name=wifitestmac01)", scope "sub"
> (9) ldap: Waiting for search result...
> (9) ldap: Search returned no results
> rlm_ldap (ldap): Released connection (6)
> (9)     [ldap] = notfound
> (9)     policy group_authorization {
> (9)       if (&Huntgroup-Name == "wo-byod") {
> (9)       ERROR: Failed retrieving values required to evaluate condition
> (9)       elsif (&Huntgroup-Name == "wo-secure") {
> (9)       ERROR: Failed retrieving values required to evaluate condition
> (9)     } # policy group_authorization = notfound
> (9)     policy filter_username {
> (9)       if (&User-Name) {
> (9)       if (&User-Name)  -> TRUE
> (9)       if (&User-Name)  {
> (9)         if (&User-Name =~ / /) {
> (9)         if (&User-Name =~ / /)  -> FALSE
> (9)         if (&User-Name =~ /@[^@]*@/ ) {
> (9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
> (9)         if (&User-Name =~ /\.\./ ) {
> (9)         if (&User-Name =~ /\.\./ )  -> FALSE
> (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> (9)         if (&User-Name =~ /\.$/)  {
> (9)         if (&User-Name =~ /\.$/)   -> FALSE
> (9)         if (&User-Name =~ /@\./)  {
> (9)         if (&User-Name =~ /@\./)   -> FALSE
> (9)       } # if (&User-Name)  = notfound
> (9)     } # policy filter_username = notfound
> (9)     policy filter_password {
> (9)       if (&User-Password &&            (&User-Password != "%{string:User-Password}")) {
> (9)       if (&User-Password &&            (&User-Password != "%{string:User-Password}"))  -> FALSE
> (9)     } # policy filter_password = notfound
> (9)     [preprocess] = ok
> (9)     [chap] = noop
> (9)     [mschap] = noop
> (9)     [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "wifitestmac01", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9)     [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 9 length 46
> (9) eap: Continuing tunnel setup
> (9)     [eap] = ok
> (9)   } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/raddb/sites-enabled/default
> (9)   authenticate {
> (9) eap: Expiring EAP session with state 0x3bd334c233da2d5a
> (9) eap: Finished EAP session with state 0x3bd334c233da2d5a
> (9) eap: Previous EAP request found for state 0x3bd334c233da2d5a, released from the list
> (9) eap: Peer sent packet with method EAP PEAP (25)
> (9) eap: Calling submodule eap_peap to process data
> (9) eap_peap: Continuing EAP-TLS
> (9) eap_peap: [eaptls verify] = ok
> (9) eap_peap: Done initial handshake
> (9) eap_peap: [eaptls process] = ok
> (9) eap_peap: Session established.  Decoding tunneled attributes
> (9) eap_peap: PEAP state send tlv success
> (9) eap_peap: Received EAP-TLV response
> (9) eap_peap: Success
> (9) eap: Sending EAP Success (code 3) ID 9 length 4
> (9) eap: Freeing handler
> (9)     [eap] = ok
> (9)   } # authenticate = ok
> (9) # Executing section post-auth from file /etc/raddb/sites-enabled/default
> (9)   post-auth {
> (9)     update {
> (9)       No attributes updated
> (9)     } # update = noop
> (9) sql: EXPAND .query
> (9) sql:    --> .query
> (9) sql: Using query template 'query'
> rlm_sql (sql): Reserved connection (4)
> (9) sql: EXPAND %{User-Name}
> (9) sql:    --> wifitestmac01
> (9) sql: SQL-User-Name set to 'wifitestmac01'
> (9) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
> (9) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
> (9) sql: EXPAND /var/log/radius/sqllog.sql
> (9) sql:    --> /var/log/radius/sqllog.sql
> (9) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'wifitestmac01', '', 'Access-Accept', '2019-07-03 15:11:54.531951')
> (9) sql: SQL query returned: success
> (9) sql: 1 record(s) updated
> rlm_sql (sql): Released connection (4)
> (9)     [sql] = ok
> (9)     [exec] = noop
> (9)     policy remove_reply_message_if_eap {
> (9)       if (&reply:EAP-Message && &reply:Reply-Message) {
> (9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> (9)       else {
> (9)         [noop] = noop
> (9)       } # else = noop
> (9)     } # policy remove_reply_message_if_eap = noop
> (9)   } # post-auth = ok
> (9) Sent Access-Accept Id 148 from 192.168.199.69:1812 to 192.168.70.15:18487 length 0
> (9)   MS-MPPE-Recv-Key = 0xa63d5b43df19ab6338895fc4f40050e4990bc4207f4412edceb938cf1fcadd3e
> (9)   MS-MPPE-Send-Key = 0x29dabf22b9bda920c708becdd0886e0a8216f4d5881268045a296076fd901b90
> (9)   EAP-Message = 0x03090004
> (9)   Message-Authenticator = 0x00000000000000000000000000000000
> (9)   User-Name = "wifitestmac01"
> (9)   Proxy-State = 0x3735
> (9) Finished request
> Waking up in 4.4 seconds.
> (0) Cleaning up request packet ID 118 with timestamp +48


