Working With EAP-TTLS, and LDAP
Nate .
nate2077developer at gmail.com
Fri Mar 8 21:59:53 CET 2019
I realized my stupidity here. Using PAP, but for some reason only my phone
will use PAP, our desktops are not giving me any choice. I found this:
https://wiki.freeradius.org/guide/eduroam#configuration_the-outer-virtual-server_sites-available-default
I had originally followed that in my very first round of trying all of
this, but it never got it working.
I've also tested connecting using the flat user credentials, it worked! I
attached that result too, just in case.
On Fri, Mar 8, 2019 at 1:02 PM Nate . <nate2077developer at gmail.com> wrote:
> Sorry for the delay. I've updated the files, LDAP is working now, I'm
> sorry I didn't catch that part in the configuration, I feel slightly
> overwhelmed. Good news though, LDAP is working using "radtest -t pap" and
> without the "-t pap".
> I've gone ahead and tested via the Wireless controller now, and I am
> seeing..
> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create
> NT-Password
> (9) mschap: WARNING: No Cleartext-Password configured. Cannot create
> LM-Password
> and
> (9) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform
> authentication
> (9) mschap: ERROR: MS-CHAP2-Response is incorrect
>
> Now, I know there's a way to map attributes using the LDAP modules
> 'update' section, but I have no idea how this works and I also do not know
> what Google's structure is. So if this is the route I have to take, I'll
> have to do a bit of research on that then. I feel like that's what the
> problem is here, but at the same time, Authentication via radtest was
> successful, so I am having doubts.
>
> I've attached a full log of me connecting via WIFI for convenience.
>
> On Fri, Mar 8, 2019 at 12:05 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Mar 8, 2019, at 12:01 PM, Nate . <nate2077developer at gmail.com> wrote:
>> >
>> > Ok, duly noted. I've restored the defaults. Migrated settings for
>> > certificates, and the LDAP. Now my LDAP isn't working anymore. Where am I
>> > looking to edit first so that I can begin testing and not accidentally jump
>> > ahead of myself?
>> > I added the flat file user, as many recommend, that's working. "radtest
>> > flatuser testpass 127.0.0.1 0 testing123"
>> > When I run the test using my LDAP credentials I get "ERROR: No Auth-Type
>> > found: rejecting the user via Post-Auth-Type = Reject"
>>
>> See mods-available/ldap. It has documentation on how to fix this.
>> Look for "Auth-Type".
>>
>> You will also need to uncomment the "Auth-Type LDAP" block in
>> sites-enabled/default, in the "authenticate" section.
>>
>> Alan DeKok.
-------------- next part --------------
(0) Received Access-Request Id 245 from 192.000.000.20:41064 to 192.000.000.111:1812 length 324
(0) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(0) Acct-Session-Id = "1fbb6e79-000043c5"
(0) NAS-Port = 13653
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Identifier = "SSO Wireless"
(0) NAS-IP-Address = 192.000.000.100
(0) Framed-MTU = 1496
(0) User-Name = "flatuser"
(0) Calling-Station-Id = "24-F6-77-12-29-F8"
(0) Called-Station-Id = "D8-9D-67-4E-87-C6"
(0) Service-Type = Framed-User
(0) EAP-Message = 0x0285000d01666c617475736572
(0) Colubris-AVPair = "ssid=Weefee"
(0) Colubris-AVPair = "incoming-vlan-id=10"
(0) Colubris-AVPair = "group=<SNIP>"
(0) Colubris-AVPair = "phytype=IEEE802dot11n"
(0) Attr-26.8744.250 = 0x00000002
(0) Attr-26.8744.249 = 0xc0a8106f
(0) Message-Authenticator = 0x4d30ca45c3f472b931fe93cc980f6efe
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 133 length 13
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 134 length 22
(0) eap: EAP session adding &reply:State = 0x522cbd6252aab9da
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 245 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(0) EAP-Message = 0x0186001604106c49ca818115cccf17ca6ed627831d2e
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x522cbd6252aab9daf1040d6d0f2c2fcf
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 40 from 192.000.000.20:41064 to 192.000.000.111:1812 length 337
(1) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(1) Acct-Session-Id = "1fbb6e79-000043c5"
(1) NAS-Port = 13653
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Identifier = "SSO Wireless"
(1) NAS-IP-Address = 192.000.000.100
(1) Framed-MTU = 1496
(1) User-Name = "flatuser"
(1) Calling-Station-Id = "24-F6-77-12-29-F8"
(1) Called-Station-Id = "D8-9D-67-4E-87-C6"
(1) Service-Type = Framed-User
(1) EAP-Message = 0x028600080319152b
(1) State = 0x522cbd6252aab9daf1040d6d0f2c2fcf
(1) Colubris-AVPair = "ssid=Weefee"
(1) Colubris-AVPair = "incoming-vlan-id=10"
(1) Colubris-AVPair = "group=<SNIP>"
(1) Colubris-AVPair = "phytype=IEEE802dot11n"
(1) Attr-26.8744.250 = 0x00000002
(1) Attr-26.8744.249 = 0xc0a8106f
(1) Message-Authenticator = 0x2efe89c429245e103c9fd2ef2f45f892
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 134 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry flatuser at line 40
(1) [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (uid=flatuser)
(1) ldap: Performing search in "dc=<SNIP>,dc=<SNIP>" with filter "(uid=flatuser)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: Search returned no results
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = notfound
(1) if ((ok || updated) && User-Password) {
(1) if ((ok || updated) && User-Password) -> FALSE
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x522cbd6252aab9da
(1) eap: Finished EAP session with state 0x522cbd6252aab9da
(1) eap: Previous EAP request found for state 0x522cbd6252aab9da, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 135 length 6
(1) eap: EAP session adding &reply:State = 0x522cbd6253aba4da
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 40 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(1) EAP-Message = 0x018700061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x522cbd6253aba4daf1040d6d0f2c2fcf
(1) Finished request
Waking up in 4.3 seconds.
(2) Received Access-Request Id 92 from 192.000.000.20:41064 to 192.000.000.111:1812 length 490
(2) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(2) Acct-Session-Id = "1fbb6e79-000043c5"
(2) NAS-Port = 13653
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Identifier = "SSO Wireless"
(2) NAS-IP-Address = 192.000.000.100
(2) Framed-MTU = 1496
(2) User-Name = "flatuser"
(2) Calling-Station-Id = "24-F6-77-12-29-F8"
(2) Called-Station-Id = "D8-9D-67-4E-87-C6"
(2) Service-Type = Framed-User
(2) EAP-Message = 0x028700a119800000009716030100920100008e03035c82d5fe7c6a8b19f5d63a7b1d0b0b98b6cc3a0f416ca933a4d5237deb87673800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(2) State = 0x522cbd6253aba4daf1040d6d0f2c2fcf
(2) Colubris-AVPair = "ssid=Weefee"
(2) Colubris-AVPair = "incoming-vlan-id=10"
(2) Colubris-AVPair = "group=<SNIP>"
(2) Colubris-AVPair = "phytype=IEEE802dot11n"
(2) Attr-26.8744.250 = 0x00000002
(2) Attr-26.8744.249 = 0xc0a8106f
(2) Message-Authenticator = 0x90c485cde53812e79bbdb416b354dfd0
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 135 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x522cbd6253aba4da
(2) eap: Finished EAP session with state 0x522cbd6253aba4da
(2) eap: Previous EAP request found for state 0x522cbd6253aba4da, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.2 [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0836]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 136 length 1004
(2) eap: EAP session adding &reply:State = 0x522cbd6250a4a4da
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 92 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(2) EAP-Message = 0x018803ec19c0000009d8160303003d020000390303728498a7233e5a4d075c174f26320b4a70473adf444b1ba0eaeb14edc37a646800c030000011ff01000100000b0004030001020017000016030308360b00083200082f0003a33082039f30820287a003020102020101300d06092a864886f70d0101
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x522cbd6250a4a4daf1040d6d0f2c2fcf
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 176 from 192.000.000.20:41064 to 192.000.000.111:1812 length 335
(3) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(3) Acct-Session-Id = "1fbb6e79-000043c5"
(3) NAS-Port = 13653
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Identifier = "SSO Wireless"
(3) NAS-IP-Address = 192.000.000.100
(3) Framed-MTU = 1496
(3) User-Name = "flatuser"
(3) Calling-Station-Id = "24-F6-77-12-29-F8"
(3) Called-Station-Id = "D8-9D-67-4E-87-C6"
(3) Service-Type = Framed-User
(3) EAP-Message = 0x028800061900
(3) State = 0x522cbd6250a4a4daf1040d6d0f2c2fcf
(3) Colubris-AVPair = "ssid=Weefee"
(3) Colubris-AVPair = "incoming-vlan-id=10"
(3) Colubris-AVPair = "group=<SNIP>"
(3) Colubris-AVPair = "phytype=IEEE802dot11n"
(3) Attr-26.8744.250 = 0x00000002
(3) Attr-26.8744.249 = 0xc0a8106f
(3) Message-Authenticator = 0x35298a88f483753e563f08f8216b521a
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 136 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x522cbd6250a4a4da
(3) eap: Finished EAP session with state 0x522cbd6250a4a4da
(3) eap: Previous EAP request found for state 0x522cbd6250a4a4da, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 137 length 1000
(3) eap: EAP session adding &reply:State = 0x522cbd6251a5a4da
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 176 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(3) EAP-Message = 0x018903e81940862485855a324333242108341281d922a03f000486308204823082036aa003020102020900d69fb1aac1610490300d06092a864886f70d01010b05003074310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x522cbd6251a5a4daf1040d6d0f2c2fcf
(3) Finished request
Waking up in 4.2 seconds.
(4) Received Access-Request Id 28 from 192.000.000.20:41064 to 192.000.000.111:1812 length 335
(4) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(4) Acct-Session-Id = "1fbb6e79-000043c5"
(4) NAS-Port = 13653
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Identifier = "SSO Wireless"
(4) NAS-IP-Address = 192.000.000.100
(4) Framed-MTU = 1496
(4) User-Name = "flatuser"
(4) Calling-Station-Id = "24-F6-77-12-29-F8"
(4) Called-Station-Id = "D8-9D-67-4E-87-C6"
(4) Service-Type = Framed-User
(4) EAP-Message = 0x028900061900
(4) State = 0x522cbd6251a5a4daf1040d6d0f2c2fcf
(4) Colubris-AVPair = "ssid=Weefee"
(4) Colubris-AVPair = "incoming-vlan-id=10"
(4) Colubris-AVPair = "group=<SNIP>"
(4) Colubris-AVPair = "phytype=IEEE802dot11n"
(4) Attr-26.8744.250 = 0x00000002
(4) Attr-26.8744.249 = 0xc0a8106f
(4) Message-Authenticator = 0x1a6a7910683ba625569ae689d1fc552b
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 137 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x522cbd6251a5a4da
(4) eap: Finished EAP session with state 0x522cbd6251a5a4da
(4) eap: Previous EAP request found for state 0x522cbd6251a5a4da, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 138 length 538
(4) eap: EAP session adding &reply:State = 0x522cbd6256a6a4da
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 28 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(4) EAP-Message = 0x018a021a1900bc758a293755c9377b75cd7effbab806577281491f89078215beece00682cfda8731b8869d89283ec5f2a1df48169104a277a9be7803aa8fb26a2d479c04ff8f54ab234b55803f8d272f4b013e91b32f711fd4f226eece6c01508ec36c7f11c668e0cbd3511d66e02af0bb2875da3ca275
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x522cbd6256a6a4daf1040d6d0f2c2fcf
(4) Finished request
Waking up in 4.2 seconds.
(5) Received Access-Request Id 139 from 192.000.000.20:41064 to 192.000.000.111:1812 length 465
(5) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(5) Acct-Session-Id = "1fbb6e79-000043c5"
(5) NAS-Port = 13653
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Identifier = "SSO Wireless"
(5) NAS-IP-Address = 192.000.000.100
(5) Framed-MTU = 1496
(5) User-Name = "flatuser"
(5) Calling-Station-Id = "24-F6-77-12-29-F8"
(5) Called-Station-Id = "D8-9D-67-4E-87-C6"
(5) Service-Type = Framed-User
(5) EAP-Message = 0x028a008819800000007e1603030046100000424104e4eb427401ce86040c8a268cd7450e24c2636083b7c623a8ac3cb6311b2eab7155ff51828f45617c5ca89f4c6b577eebf2281af9f19f43db1222e5cf332888131403030001011603030028df6618f200cba03ae2c99f53f09c5cb92499ecc882b08a
(5) State = 0x522cbd6256a6a4daf1040d6d0f2c2fcf
(5) Colubris-AVPair = "ssid=Weefee"
(5) Colubris-AVPair = "incoming-vlan-id=10"
(5) Colubris-AVPair = "group=<SNIP>"
(5) Colubris-AVPair = "phytype=IEEE802dot11n"
(5) Attr-26.8744.250 = 0x00000002
(5) Attr-26.8744.249 = 0xc0a8106f
(5) Message-Authenticator = 0xbbeec99154d41f182f7a4c34b48546ce
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 138 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x522cbd6256a6a4da
(5) eap: Finished EAP session with state 0x522cbd6256a6a4da
(5) eap: Previous EAP request found for state 0x522cbd6256a6a4da, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: <<< recv TLS 1.2 [length 0046]
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: <<< recv TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: >>> send TLS 1.2 [length 0001]
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: >>> send TLS 1.2 [length 0010]
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 139 length 57
(5) eap: EAP session adding &reply:State = 0x522cbd6257a7a4da
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 139 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(5) EAP-Message = 0x018b003919001403030001011603030028ea2c70f1a05e3236a92daa7e93f508fe5f2c90c560896e16a1c8e4936d8c591a5a75888eaa0dedb7
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x522cbd6257a7a4daf1040d6d0f2c2fcf
(5) Finished request
Waking up in 4.2 seconds.
(6) Received Access-Request Id 26 from 192.000.000.20:41064 to 192.000.000.111:1812 length 335
(6) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(6) Acct-Session-Id = "1fbb6e79-000043c5"
(6) NAS-Port = 13653
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Identifier = "SSO Wireless"
(6) NAS-IP-Address = 192.000.000.100
(6) Framed-MTU = 1496
(6) User-Name = "flatuser"
(6) Calling-Station-Id = "24-F6-77-12-29-F8"
(6) Called-Station-Id = "D8-9D-67-4E-87-C6"
(6) Service-Type = Framed-User
(6) EAP-Message = 0x028b00061900
(6) State = 0x522cbd6257a7a4daf1040d6d0f2c2fcf
(6) Colubris-AVPair = "ssid=Weefee"
(6) Colubris-AVPair = "incoming-vlan-id=10"
(6) Colubris-AVPair = "group=<SNIP>"
(6) Colubris-AVPair = "phytype=IEEE802dot11n"
(6) Attr-26.8744.250 = 0x00000002
(6) Attr-26.8744.249 = 0xc0a8106f
(6) Message-Authenticator = 0x9262affeaa00e31fdf8ad3157ed488c5
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 139 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x522cbd6257a7a4da
(6) eap: Finished EAP session with state 0x522cbd6257a7a4da
(6) eap: Previous EAP request found for state 0x522cbd6257a7a4da, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 140 length 40
(6) eap: EAP session adding &reply:State = 0x522cbd6254a0a4da
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 26 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(6) EAP-Message = 0x018c00281900170303001dea2c70f1a05e323734c87c4cd8038d932414ce24ffc7461784ea84386a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x522cbd6254a0a4daf1040d6d0f2c2fcf
(6) Finished request
Waking up in 4.2 seconds.
(7) Received Access-Request Id 206 from 192.000.000.20:41064 to 192.000.000.111:1812 length 373
(7) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(7) Acct-Session-Id = "1fbb6e79-000043c5"
(7) NAS-Port = 13653
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Identifier = "SSO Wireless"
(7) NAS-IP-Address = 192.000.000.100
(7) Framed-MTU = 1496
(7) User-Name = "flatuser"
(7) Calling-Station-Id = "24-F6-77-12-29-F8"
(7) Called-Station-Id = "D8-9D-67-4E-87-C6"
(7) Service-Type = Framed-User
(7) EAP-Message = 0x028c002c19001703030021df6618f200cba03b12e278db9ed8a9a09f52f33434f72a338d309eb154c2e27d14
(7) State = 0x522cbd6254a0a4daf1040d6d0f2c2fcf
(7) Colubris-AVPair = "ssid=Weefee"
(7) Colubris-AVPair = "incoming-vlan-id=10"
(7) Colubris-AVPair = "group=<SNIP>"
(7) Colubris-AVPair = "phytype=IEEE802dot11n"
(7) Attr-26.8744.250 = 0x00000002
(7) Attr-26.8744.249 = 0xc0a8106f
(7) Message-Authenticator = 0x83297c0e1bd0094a55a388f2fc0967db
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 140 length 44
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x522cbd6254a0a4da
(7) eap: Finished EAP session with state 0x522cbd6254a0a4da
(7) eap: Previous EAP request found for state 0x522cbd6254a0a4da, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - flatuser
(7) eap_peap: Got inner identity 'flatuser'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x028c000d01666c617475736572
(7) eap_peap: Setting User-Name to flatuser
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x028c000d01666c617475736572
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "flatuser"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x028c000d01666c617475736572
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "flatuser"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 140 length 13
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 141 length 43
(7) eap: EAP session adding &reply:State = 0x6f57e7256fdafdd0
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x018d002b1a018d00261007780bf32937261380ae935caf3af9cc667265657261646975732d332e302e3136
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x6f57e7256fdafdd0540d34aeadb88aec
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x018d002b1a018d00261007780bf32937261380ae935caf3af9cc667265657261646975732d332e302e3136
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x6f57e7256fdafdd0540d34aeadb88aec
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x018d002b1a018d00261007780bf32937261380ae935caf3af9cc667265657261646975732d332e302e3136
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x6f57e7256fdafdd0540d34aeadb88aec
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 141 length 74
(7) eap: EAP session adding &reply:State = 0x522cbd6255a1a4da
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 206 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(7) EAP-Message = 0x018d004a1900170303003fea2c70f1a05e32384a847638667f4bc8584d34145230ac426c2c7641ec1e99b8e417272e8f9ff947c99a0150c444aad58027cf87fa5c6c955b487758ec37a2
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x522cbd6255a1a4daf1040d6d0f2c2fcf
(7) Finished request
Waking up in 4.2 seconds.
(8) Received Access-Request Id 97 from 192.000.000.20:41064 to 192.000.000.111:1812 length 427
(8) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(8) Acct-Session-Id = "1fbb6e79-000043c5"
(8) NAS-Port = 13653
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Identifier = "SSO Wireless"
(8) NAS-IP-Address = 192.000.000.100
(8) Framed-MTU = 1496
(8) User-Name = "flatuser"
(8) Calling-Station-Id = "24-F6-77-12-29-F8"
(8) Called-Station-Id = "D8-9D-67-4E-87-C6"
(8) Service-Type = Framed-User
(8) EAP-Message = 0x028d006219001703030057df6618f200cba03c35ea8a92fa93c71c2089df0c6c0304dd3c882fbab7bd1275300673cfe51ed869f09490d6f2ae1308a83b06454a577aebb2186da427676c155a8313f4010b2677753b192907daf16b9c8ecf579d8cdb
(8) State = 0x522cbd6255a1a4daf1040d6d0f2c2fcf
(8) Colubris-AVPair = "ssid=Weefee"
(8) Colubris-AVPair = "incoming-vlan-id=10"
(8) Colubris-AVPair = "group=<SNIP>"
(8) Colubris-AVPair = "phytype=IEEE802dot11n"
(8) Attr-26.8744.250 = 0x00000002
(8) Attr-26.8744.249 = 0xc0a8106f
(8) Message-Authenticator = 0xc3221bceae84bfcfa44af1b84380e6fc
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 141 length 98
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x6f57e7256fdafdd0
(8) eap: Finished EAP session with state 0x522cbd6255a1a4da
(8) eap: Previous EAP request found for state 0x522cbd6255a1a4da, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x028d00431a028d003e315723bdf509410641862a807b37a54a260000000000000000cfbe0dbfd1cade119366ed23842af53c35b4b7312a348c8700666c617475736572
(8) eap_peap: Setting User-Name to flatuser
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x028d00431a028d003e315723bdf509410641862a807b37a54a260000000000000000cfbe0dbfd1cade119366ed23842af53c35b4b7312a348c8700666c617475736572
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "flatuser"
(8) eap_peap: State = 0x6f57e7256fdafdd0540d34aeadb88aec
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x028d00431a028d003e315723bdf509410641862a807b37a54a260000000000000000cfbe0dbfd1cade119366ed23842af53c35b4b7312a348c8700666c617475736572
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "flatuser"
(8) State = 0x6f57e7256fdafdd0540d34aeadb88aec
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 141 length 67
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry flatuser at line 40
(8) [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (uid=flatuser)
(8) ldap: Performing search in "dc=<SNIP>,dc=<SNIP>" with filter "(uid=flatuser)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: Search returned no results
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(8) [ldap] = notfound
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x6f57e7256fdafdd0
(8) eap: Finished EAP session with state 0x6f57e7256fdafdd0
(8) eap: Previous EAP request found for state 0x6f57e7256fdafdd0, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_mschapv2: authenticate {
(8) mschap: Found Cleartext-Password, hashing to create NT-Password
(8) mschap: Found Cleartext-Password, hashing to create LM-Password
(8) mschap: Creating challenge hash with username: flatuser
(8) mschap: Client is using MS-CHAPv2
(8) mschap: Adding MS-CHAPv2 MPPE keys
(8) [mschap] = ok
(8) } # authenticate = ok
(8) MSCHAP Success
(8) eap: Sending EAP Request (code 1) ID 142 length 51
(8) eap: EAP session adding &reply:State = 0x6f57e7256ed9fdd0
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message = 0x018e00331a038d002e533d30373535363845423935443537434142323730323331333046454341303532373833444443314336
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x6f57e7256ed9fdd0540d34aeadb88aec
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message = 0x018e00331a038d002e533d30373535363845423935443537434142323730323331333046454341303532373833444443314336
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x6f57e7256ed9fdd0540d34aeadb88aec
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message = 0x018e00331a038d002e533d30373535363845423935443537434142323730323331333046454341303532373833444443314336
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0x6f57e7256ed9fdd0540d34aeadb88aec
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 142 length 82
(8) eap: EAP session adding &reply:State = 0x522cbd625aa2a4da
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 97 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(8) EAP-Message = 0x018e005219001703030047ea2c70f1a05e323924455c6391f63040a0a8a062376316552e532eeb7e58a31c44c4ed9f70a00bf07ae075f7c12ba239fc3e7134988f47fcb0a195922673353e50f57f90769855
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x522cbd625aa2a4daf1040d6d0f2c2fcf
(8) Finished request
Waking up in 3.5 seconds.
(9) Received Access-Request Id 186 from 192.000.000.20:41064 to 192.000.000.111:1812 length 366
(9) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(9) Acct-Session-Id = "1fbb6e79-000043c5"
(9) NAS-Port = 13653
(9) NAS-Port-Type = Wireless-802.11
(9) NAS-Identifier = "SSO Wireless"
(9) NAS-IP-Address = 192.000.000.100
(9) Framed-MTU = 1496
(9) User-Name = "flatuser"
(9) Calling-Station-Id = "24-F6-77-12-29-F8"
(9) Called-Station-Id = "D8-9D-67-4E-87-C6"
(9) Service-Type = Framed-User
(9) EAP-Message = 0x028e00251900170303001adf6618f200cba03da310ddb037115bc0b9ca2730cef3ad52a8ff
(9) State = 0x522cbd625aa2a4daf1040d6d0f2c2fcf
(9) Colubris-AVPair = "ssid=Weefee"
(9) Colubris-AVPair = "incoming-vlan-id=10"
(9) Colubris-AVPair = "group=<SNIP>"
(9) Colubris-AVPair = "phytype=IEEE802dot11n"
(9) Attr-26.8744.250 = 0x00000002
(9) Attr-26.8744.249 = 0xc0a8106f
(9) Message-Authenticator = 0x7741bad26f0a395cae6b98f8cd3fbcda
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 142 length 37
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x6f57e7256ed9fdd0
(9) eap: Finished EAP session with state 0x522cbd625aa2a4da
(9) eap: Previous EAP request found for state 0x522cbd625aa2a4da, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x028e00061a03
(9) eap_peap: Setting User-Name to flatuser
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x028e00061a03
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "flatuser"
(9) eap_peap: State = 0x6f57e7256ed9fdd0540d34aeadb88aec
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x028e00061a03
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "flatuser"
(9) State = 0x6f57e7256ed9fdd0540d34aeadb88aec
(9) WARNING: Outer and inner identities are the same. User privacy is compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 142 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry flatuser at line 40
(9) [files] = ok
rlm_ldap (ldap): Reserved connection (2)
(9) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(9) ldap: --> (uid=flatuser)
(9) ldap: Performing search in "dc=<SNIP>,dc=<SNIP>" with filter "(uid=flatuser)", scope "sub"
(9) ldap: Waiting for search result...
(9) ldap: Search returned no results
rlm_ldap (ldap): Released connection (2)
(9) [ldap] = notfound
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x6f57e7256ed9fdd0
(9) eap: Finished EAP session with state 0x6f57e7256ed9fdd0
(9) eap: Previous EAP request found for state 0x6f57e7256ed9fdd0, released from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap: Sending EAP Success (code 3) ID 142 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(9) post-auth {
(9) if (0) {
(9) if (0) -> FALSE
(9) } # post-auth = noop
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) MS-MPPE-Send-Key = 0xd3c9a0f6f88a4dad1c0d541ed2a6244c
(9) MS-MPPE-Recv-Key = 0xe41b7fcfb013d47b950e23727ee4b4af
(9) EAP-Message = 0x038e0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "flatuser"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0xd3c9a0f6f88a4dad1c0d541ed2a6244c
(9) eap_peap: MS-MPPE-Recv-Key = 0xe41b7fcfb013d47b950e23727ee4b4af
(9) eap_peap: EAP-Message = 0x038e0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "flatuser"
(9) eap_peap: Got tunneled reply RADIUS code 2
(9) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(9) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(9) eap_peap: MS-MPPE-Send-Key = 0xd3c9a0f6f88a4dad1c0d541ed2a6244c
(9) eap_peap: MS-MPPE-Recv-Key = 0xe41b7fcfb013d47b950e23727ee4b4af
(9) eap_peap: EAP-Message = 0x038e0004
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: User-Name = "flatuser"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap: Sending EAP Request (code 1) ID 143 length 46
(9) eap: EAP session adding &reply:State = 0x522cbd625ba3a4da
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 186 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(9) EAP-Message = 0x018f002e19001703030023ea2c70f1a05e323a92c14a16583ac251b0853956f707ac1e26a63e30fb50dd58fa03cb
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x522cbd625ba3a4daf1040d6d0f2c2fcf
(9) Finished request
Waking up in 3.4 seconds.
(10) Received Access-Request Id 197 from 192.000.000.20:41064 to 192.000.000.111:1812 length 375
(10) Acct-Multi-Session-Id = "D8-9D-67-4E-87-C6-24-F6-77-12-29-F8-5C-82-D5-FF-00-00-FD-5C"
(10) Acct-Session-Id = "1fbb6e79-000043c5"
(10) NAS-Port = 13653
(10) NAS-Port-Type = Wireless-802.11
(10) NAS-Identifier = "SSO Wireless"
(10) NAS-IP-Address = 192.000.000.100
(10) Framed-MTU = 1496
(10) User-Name = "flatuser"
(10) Calling-Station-Id = "24-F6-77-12-29-F8"
(10) Called-Station-Id = "D8-9D-67-4E-87-C6"
(10) Service-Type = Framed-User
(10) EAP-Message = 0x028f002e19001703030023df6618f200cba03ed483c9bad4f351352d576b29e470aed7d8a68e021123efdb76a306
(10) State = 0x522cbd625ba3a4daf1040d6d0f2c2fcf
(10) Colubris-AVPair = "ssid=Weefee"
(10) Colubris-AVPair = "incoming-vlan-id=10"
(10) Colubris-AVPair = "group=<SNIP>"
(10) Colubris-AVPair = "phytype=IEEE802dot11n"
(10) Attr-26.8744.250 = 0x00000002
(10) Attr-26.8744.249 = 0xc0a8106f
(10) Message-Authenticator = 0xf54a4d7a352bdf357f093d9fabf734ac
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "flatuser", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 143 length 46
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0x522cbd625ba3a4da
(10) eap: Finished EAP session with state 0x522cbd625ba3a4da
(10) eap: Previous EAP request found for state 0x522cbd625ba3a4da, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap: Sending EAP Success (code 3) ID 143 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(10) post-auth {
(10) update {
(10) No attributes updated
(10) } # update = noop
(10) [exec] = noop
(10) policy remove_reply_message_if_eap {
(10) if (&reply:EAP-Message && &reply:Reply-Message) {
(10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(10) else {
(10) [noop] = noop
(10) } # else = noop
(10) } # policy remove_reply_message_if_eap = noop
(10) } # post-auth = noop
(10) Sent Access-Accept Id 197 from 192.000.000.111:1812 to 192.000.000.20:41064 length 0
(10) MS-MPPE-Recv-Key = 0x823ab78c0883442ee2577e8b1ca74f784cfb2b952c331551102daabd01e7a680
(10) MS-MPPE-Send-Key = 0xcf172e04cfbf713e7a9cfdd0490cb4fddd76da119fdc953928c7445c1e90ce97
(10) EAP-Message = 0x038f0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "flatuser"
(10) Finished request
Waking up in 3.4 seconds.
(0) Cleaning up request packet ID 245 with timestamp +16
Waking up in 0.6 seconds.
(1) Cleaning up request packet ID 40 with timestamp +16
(2) Cleaning up request packet ID 92 with timestamp +16
(3) Cleaning up request packet ID 176 with timestamp +16
(4) Cleaning up request packet ID 28 with timestamp +16
(5) Cleaning up request packet ID 139 with timestamp +16
(6) Cleaning up request packet ID 26 with timestamp +16
(7) Cleaning up request packet ID 206 with timestamp +16
Waking up in 0.6 seconds.
(8) Cleaning up request packet ID 97 with timestamp +16
Waking up in 0.1 seconds.
(9) Cleaning up request packet ID 186 with timestamp +17
(10) Cleaning up request packet ID 197 with timestamp +17
Ready to process requests