RES: Incorrect username being registered by freeradius
Daniel Guimaraes Pena
daniel.pena at mpdft.mp.br
Tue Jun 23 17:34:30 CEST 2020
Thanks for answering, Alan, you were right: that is his MAC address.
Sorry for the missing debug... I had just restarted the server and lost all the logs.
Up to this moment, no MAC address has appeared in the radacct table, so I don’t have a debug for that yet.
On this, if I may ask: why is the user registered in the radacct table with the MAC address, while his real username appears in the radius log?
And this one here, which is NOT a MAC address:
[local]:5432 radius@radius=> select * from radacct where radacctid = '6000795';
-[ RECORD 1 ]------+---------------------------------
radacctid | 6000795
acctsessionid | 38EBA713-00000041
acctuniqueid | 6b521bf17a61aa914f0f67b33c558e07
username | 347117
groupname |
realm |
nasipaddress | 10.34.15.221
nasportid | 2
nasporttype | Wireless-802.11
acctstarttime | 2020-06-23 11:18:40-03
acctupdatetime | 2020-06-23 11:18:40-03
acctstoptime |
acctinterval |
acctsessiontime | 0
acctauthentic | RADIUS
connectinfo_start | CONNECT 54Mbps 802.11g
connectinfo_stop |
acctinputoctets | 0
acctoutputoctets | 0
calledstationid | 5C-D9-98-14-37-48:MPDFT
callingstationid | 48-49-C7-71-79-66
acctterminatecause |
servicetype |
framedprotocol |
framedipaddress |
Time: 4.267 ms
[local]:5432 radius@radius=>
Reading the debug, the real login is "luciana.nogueira".
Here is the debug log for this entry:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~=
grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log
(49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151
(49257) User-Name = "347117"
(49257) NAS-IP-Address = 10.34.15.221
(49257) NAS-Port = 2
(49257) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49257) Calling-Station-Id = "48-49-C7-71-79-66"
(49257) Framed-MTU = 1400
(49257) NAS-Port-Type = Wireless-802.11
(49257) Connect-Info = "CONNECT 54Mbps 802.11g"
(49257) EAP-Message = 0x0200000b01333437313137
(49257) Message-Authenticator = 0x05d29ff74e6c4903b1ab83208153a6ad
(49257) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49257) authorize {
(49257) policy filter_username {
(49257) if (&User-Name) {
(49257) if (&User-Name) -> TRUE
(49257) if (&User-Name) {
(49257) if (&User-Name != "%{tolower:%{User-Name}}") {
(49257) EXPAND %{tolower:%{User-Name}}
(49257) --> 347117
(49257) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49257) if (&User-Name =~ / /) {
(49257) if (&User-Name =~ / /) -> FALSE
(49257) if (&User-Name =~ /@[^@]*@/ ) {
(49257) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49257) if (&User-Name =~ /\.\./ ) {
(49257) if (&User-Name =~ /\.\./ ) -> FALSE
(49257) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49257) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49257) if (&User-Name =~ /\.$/) {
(49257) if (&User-Name =~ /\.$/) -> FALSE
(49257) if (&User-Name =~ /@\./) {
(49257) if (&User-Name =~ /@\./) -> FALSE
(49257) } # if (&User-Name) = notfound
(49257) } # policy filter_username = notfound
(49257) [preprocess] = ok
(49257) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49257) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49257) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49257) auth_log: EXPAND %t
(49257) auth_log: --> Tue Jun 23 11:18:40 2020
(49257) [auth_log] = ok
(49257) [chap] = noop
(49257) [mschap] = noop
(49257) [digest] = noop
(49257) suffix: Checking for suffix after "@"
(49257) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49257) suffix: No such realm "NULL"
(49257) [suffix] = noop
(49257) eap: Peer sent EAP Response (code 2) ID 0 length 11
(49257) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(49257) [eap] = ok
(49257) } # authorize = ok
(49257) Found Auth-Type = eap
(49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49257) authenticate {
(49257) eap: Peer sent packet with method EAP Identity (1)
(49257) eap: Calling submodule eap_md5 to process data
(49257) eap_md5: Issuing MD5 Challenge
(49257) eap: Sending EAP Request (code 1) ID 1 length 22
(49257) eap: EAP session adding &reply:State = 0x343264483433605b
(49257) [eap] = handled
(49257) } # authenticate = handled
(49257) Using Post-Auth-Type Challenge
(49257) Post-Auth-Type sub-section not found. Ignoring.
(49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49257) Sent Access-Challenge Id 151 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49257) EAP-Message = 0x010100160410f293b8de33b4c8cebe98befea9b4bfc6
(49257) Message-Authenticator = 0x00000000000000000000000000000000
(49257) State = 0x343264483433605baa04a227c6849a7d
(49257) Finished request
(49258) Received Access-Request Id 152 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49258) User-Name = "347117"
(49258) NAS-IP-Address = 10.34.15.221
(49258) NAS-Port = 2
(49258) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49258) Calling-Station-Id = "48-49-C7-71-79-66"
(49258) Framed-MTU = 1400
(49258) NAS-Port-Type = Wireless-802.11
(49258) Connect-Info = "CONNECT 54Mbps 802.11g"
(49258) EAP-Message = 0x020100060319
(49258) State = 0x343264483433605baa04a227c6849a7d
(49258) Message-Authenticator = 0x2e74fdc7c9c9592fc2232375736fd39e
(49258) session-state: No cached attributes
(49258) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49258) authorize {
(49258) policy filter_username {
(49258) if (&User-Name) {
(49258) if (&User-Name) -> TRUE
(49258) if (&User-Name) {
(49258) if (&User-Name != "%{tolower:%{User-Name}}") {
(49258) EXPAND %{tolower:%{User-Name}}
(49258) --> 347117
(49258) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49258) if (&User-Name =~ / /) {
(49258) if (&User-Name =~ / /) -> FALSE
(49258) if (&User-Name =~ /@[^@]*@/ ) {
(49258) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49258) if (&User-Name =~ /\.\./ ) {
(49258) if (&User-Name =~ /\.\./ ) -> FALSE
(49258) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49258) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49258) if (&User-Name =~ /\.$/) {
(49258) if (&User-Name =~ /\.$/) -> FALSE
(49258) if (&User-Name =~ /@\./) {
(49258) if (&User-Name =~ /@\./) -> FALSE
(49258) } # if (&User-Name) = notfound
(49258) } # policy filter_username = notfound
(49258) [preprocess] = ok
(49258) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49258) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49258) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49258) auth_log: EXPAND %t
(49258) auth_log: --> Tue Jun 23 11:18:40 2020
(49258) [auth_log] = ok
(49258) [chap] = noop
(49258) [mschap] = noop
(49258) [digest] = noop
(49258) suffix: Checking for suffix after "@"
(49258) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49258) suffix: No such realm "NULL"
(49258) [suffix] = noop
(49258) eap: Peer sent EAP Response (code 2) ID 1 length 6
(49258) eap: No EAP Start, assuming it's an on-going EAP conversation
(49258) [eap] = updated
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) [files] = noop
(49258) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49258) sql: --> 347117
(49258) sql: SQL-User-Name set to '347117'
(49258) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49258) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id
(49258) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id
(49258) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49258) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority
(49258) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority
(49258) sql: User not found in any groups
(49258) [sql] = notfound
(49258) [expiration] = noop
(49258) [logintime] = noop
(49258) if (ok) {
(49258) if (ok) -> FALSE
(49258) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(49258) pap: WARNING: Authentication will fail unless a "known good" password is available
(49258) [pap] = noop
(49258) } # authorize = updated
(49258) Found Auth-Type = eap
(49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49258) authenticate {
(49258) eap: Expiring EAP session with state 0x9e6734429e602efe
(49258) eap: Finished EAP session with state 0x343264483433605b
(49258) eap: Previous EAP request found for state 0x343264483433605b, released from the list
(49258) eap: Peer sent packet with method EAP NAK (3)
(49258) eap: Found mutually acceptable type PEAP (25)
(49258) eap: Calling submodule eap_peap to process data
(49258) eap_peap: Initiating new EAP-TLS session
(49258) eap_peap: [eaptls start] = request
(49258) eap: Sending EAP Request (code 1) ID 2 length 6
(49258) eap: EAP session adding &reply:State = 0x3432644835307d5b
(49258) [eap] = handled
(49258) } # authenticate = handled
(49258) Using Post-Auth-Type Challenge
(49258) Post-Auth-Type sub-section not found. Ignoring.
(49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49258) Sent Access-Challenge Id 152 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49258) EAP-Message = 0x010200061920
(49258) Message-Authenticator = 0x00000000000000000000000000000000
(49258) State = 0x3432644835307d5baa04a227c6849a7d
(49258) Finished request
(49259) Received Access-Request Id 153 from 10.34.15.221:1384 to 10.34.242.3:1812 length 326
(49259) User-Name = "347117"
(49259) NAS-IP-Address = 10.34.15.221
(49259) NAS-Port = 2
(49259) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49259) Calling-Station-Id = "48-49-C7-71-79-66"
(49259) Framed-MTU = 1400
(49259) NAS-Port-Type = Wireless-802.11
(49259) Connect-Info = "CONNECT 54Mbps 802.11g"
(49259) EAP-Message = 0x020200a819800000009e1603010099010000950303262d96da74efd8b3abd9ea487f3eefd244880121eafd4d7ae21333a470c9fa8000003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000
(49259) State = 0x3432644835307d5baa04a227c6849a7d
(49259) Message-Authenticator = 0x50041aeb08622f23641026170cf40598
(49259) session-state: No cached attributes
(49259) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49259) authorize {
(49259) policy filter_username {
(49259) if (&User-Name) {
(49259) if (&User-Name) -> TRUE
(49259) if (&User-Name) {
(49259) if (&User-Name != "%{tolower:%{User-Name}}") {
(49259) EXPAND %{tolower:%{User-Name}}
(49259) --> 347117
(49259) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49259) if (&User-Name =~ / /) {
(49259) if (&User-Name =~ / /) -> FALSE
(49259) if (&User-Name =~ /@[^@]*@/ ) {
(49259) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49259) if (&User-Name =~ /\.\./ ) {
(49259) if (&User-Name =~ /\.\./ ) -> FALSE
(49259) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49259) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49259) if (&User-Name =~ /\.$/) {
(49259) if (&User-Name =~ /\.$/) -> FALSE
(49259) if (&User-Name =~ /@\./) {
(49259) if (&User-Name =~ /@\./) -> FALSE
(49259) } # if (&User-Name) = notfound
(49259) } # policy filter_username = notfound
(49259) [preprocess] = ok
(49259) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49259) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49259) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49259) auth_log: EXPAND %t
(49259) auth_log: --> Tue Jun 23 11:18:40 2020
(49259) [auth_log] = ok
(49259) [chap] = noop
(49259) [mschap] = noop
(49259) [digest] = noop
(49259) suffix: Checking for suffix after "@"
(49259) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49259) suffix: No such realm "NULL"
(49259) [suffix] = noop
(49259) eap: Peer sent EAP Response (code 2) ID 2 length 168
(49259) eap: Continuing tunnel setup
(49259) [eap] = ok
(49259) } # authorize = ok
(49259) Found Auth-Type = eap
(49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49259) authenticate {
(49259) eap: Expiring EAP session with state 0x9e6734429e602efe
(49259) eap: Finished EAP session with state 0x3432644835307d5b
(49259) eap: Previous EAP request found for state 0x3432644835307d5b, released from the list
(49259) eap: Peer sent packet with method EAP PEAP (25)
(49259) eap: Calling submodule eap_peap to process data
(49259) eap_peap: Continuing EAP-TLS
(49259) eap_peap: Peer indicated complete TLS record size will be 158 bytes
(49259) eap_peap: Got complete TLS record (158 bytes)
(49259) eap_peap: [eaptls verify] = length included
(49259) eap_peap: (other): before SSL initialization
(49259) eap_peap: TLS_accept: before SSL initialization
(49259) eap_peap: TLS_accept: before SSL initialization
(49259) eap_peap: <<< recv TLS 1.2 [length 0099]
(49259) eap_peap: TLS_accept: SSLv3/TLS read client hello
(49259) eap_peap: >>> send TLS 1.2 [length 003d]
(49259) eap_peap: TLS_accept: SSLv3/TLS write server hello
(49259) eap_peap: >>> send TLS 1.2 [length 0309]
(49259) eap_peap: TLS_accept: SSLv3/TLS write certificate
(49259) eap_peap: >>> send TLS 1.2 [length 014d]
(49259) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(49259) eap_peap: >>> send TLS 1.2 [length 0004]
(49259) eap_peap: TLS_accept: SSLv3/TLS write server done
(49259) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(49259) eap_peap: In SSL Handshake Phase
(49259) eap_peap: In SSL Accept mode
(49259) eap_peap: [eaptls process] = handled
(49259) eap: Sending EAP Request (code 1) ID 3 length 1004
(49259) eap: EAP session adding &reply:State = 0x3432644836317d5b
(49259) [eap] = handled
(49259) } # authenticate = handled
(49259) Using Post-Auth-Type Challenge
(49259) Post-Auth-Type sub-section not found. Ignoring.
(49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49259) Sent Access-Challenge Id 153 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49259) EAP-Message = 0x010303ec19c0000004ab160303003d020000390303f241d7c71827a10f2a9b2a858a6aa1d49a9d9ac5b04e7214afadfd6e9e950a4500c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(49259) Message-Authenticator = 0x00000000000000000000000000000000
(49259) State = 0x3432644836317d5baa04a227c6849a7d
(49259) Finished request
(49260) Received Access-Request Id 154 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49260) User-Name = "347117"
(49260) NAS-IP-Address = 10.34.15.221
(49260) NAS-Port = 2
(49260) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49260) Calling-Station-Id = "48-49-C7-71-79-66"
(49260) Framed-MTU = 1400
(49260) NAS-Port-Type = Wireless-802.11
(49260) Connect-Info = "CONNECT 54Mbps 802.11g"
(49260) EAP-Message = 0x020300061900
(49260) State = 0x3432644836317d5baa04a227c6849a7d
(49260) Message-Authenticator = 0x1f873dbabab484975e0fafe17930a45a
(49260) session-state: No cached attributes
(49260) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49260) authorize {
(49260) policy filter_username {
(49260) if (&User-Name) {
(49260) if (&User-Name) -> TRUE
(49260) if (&User-Name) {
(49260) if (&User-Name != "%{tolower:%{User-Name}}") {
(49260) EXPAND %{tolower:%{User-Name}}
(49260) --> 347117
(49260) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49260) if (&User-Name =~ / /) {
(49260) if (&User-Name =~ / /) -> FALSE
(49260) if (&User-Name =~ /@[^@]*@/ ) {
(49260) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49260) if (&User-Name =~ /\.\./ ) {
(49260) if (&User-Name =~ /\.\./ ) -> FALSE
(49260) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49260) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49260) if (&User-Name =~ /\.$/) {
(49260) if (&User-Name =~ /\.$/) -> FALSE
(49260) if (&User-Name =~ /@\./) {
(49260) if (&User-Name =~ /@\./) -> FALSE
(49260) } # if (&User-Name) = notfound
(49260) } # policy filter_username = notfound
(49260) [preprocess] = ok
(49260) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49260) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49260) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49260) auth_log: EXPAND %t
(49260) auth_log: --> Tue Jun 23 11:18:40 2020
(49260) [auth_log] = ok
(49260) [chap] = noop
(49260) [mschap] = noop
(49260) [digest] = noop
(49260) suffix: Checking for suffix after "@"
(49260) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49260) suffix: No such realm "NULL"
(49260) [suffix] = noop
(49260) eap: Peer sent EAP Response (code 2) ID 3 length 6
(49260) eap: Continuing tunnel setup
(49260) [eap] = ok
(49260) } # authorize = ok
(49260) Found Auth-Type = eap
(49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49260) authenticate {
(49260) eap: Expiring EAP session with state 0x9e6734429e602efe
(49260) eap: Finished EAP session with state 0x3432644836317d5b
(49260) eap: Previous EAP request found for state 0x3432644836317d5b, released from the list
(49260) eap: Peer sent packet with method EAP PEAP (25)
(49260) eap: Calling submodule eap_peap to process data
(49260) eap_peap: Continuing EAP-TLS
(49260) eap_peap: Peer ACKed our handshake fragment
(49260) eap_peap: [eaptls verify] = request
(49260) eap_peap: [eaptls process] = handled
(49260) eap: Sending EAP Request (code 1) ID 4 length 207
(49260) eap: EAP session adding &reply:State = 0x3432644837367d5b
(49260) [eap] = handled
(49260) } # authenticate = handled
(49260) Using Post-Auth-Type Challenge
(49260) Post-Auth-Type sub-section not found. Ignoring.
(49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49260) Sent Access-Challenge Id 154 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49260) EAP-Message = 0x010400cf1900305906ade17209efbcdb1498025ff3d98879761462b514b58ec19daff0e28525b8909274c327a5b9f22c77451d049714cbe1b8e95e49ff1eb91889a006f05bba93c0807640ba9eeb989f8c432facb809700019a772e41794c376b7529859d9e66686b46b10ac8917506a28b5c755f6f8b1
(49260) Message-Authenticator = 0x00000000000000000000000000000000
(49260) State = 0x3432644837367d5baa04a227c6849a7d
(49260) Finished request
(49261) Received Access-Request Id 155 from 10.34.15.221:1384 to 10.34.242.3:1812 length 294
(49261) User-Name = "347117"
(49261) NAS-IP-Address = 10.34.15.221
(49261) NAS-Port = 2
(49261) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49261) Calling-Station-Id = "48-49-C7-71-79-66"
(49261) Framed-MTU = 1400
(49261) NAS-Port-Type = Wireless-802.11
(49261) Connect-Info = "CONNECT 54Mbps 802.11g"
(49261) EAP-Message = 0x0204008819800000007e1603030046100000424104e347c229d4720d030776a26d2195a9d2619346feaa947b8d43fe9fad8481577166a001a8d60a615e17594c4f5d1c555f15ad394a27ea517bd9a9ee202255842914030300010116030300280000000000000000129345887899d05232b771b7479ff7
(49261) State = 0x3432644837367d5baa04a227c6849a7d
(49261) Message-Authenticator = 0x8f80e28e4efc8628917e8dcbe18e0622
(49261) session-state: No cached attributes
(49261) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49261) authorize {
(49261) policy filter_username {
(49261) if (&User-Name) {
(49261) if (&User-Name) -> TRUE
(49261) if (&User-Name) {
(49261) if (&User-Name != "%{tolower:%{User-Name}}") {
(49261) EXPAND %{tolower:%{User-Name}}
(49261) --> 347117
(49261) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49261) if (&User-Name =~ / /) {
(49261) if (&User-Name =~ / /) -> FALSE
(49261) if (&User-Name =~ /@[^@]*@/ ) {
(49261) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49261) if (&User-Name =~ /\.\./ ) {
(49261) if (&User-Name =~ /\.\./ ) -> FALSE
(49261) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49261) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49261) if (&User-Name =~ /\.$/) {
(49261) if (&User-Name =~ /\.$/) -> FALSE
(49261) if (&User-Name =~ /@\./) {
(49261) if (&User-Name =~ /@\./) -> FALSE
(49261) } # if (&User-Name) = notfound
(49261) } # policy filter_username = notfound
(49261) [preprocess] = ok
(49261) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49261) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49261) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49261) auth_log: EXPAND %t
(49261) auth_log: --> Tue Jun 23 11:18:40 2020
(49261) [auth_log] = ok
(49261) [chap] = noop
(49261) [mschap] = noop
(49261) [digest] = noop
(49261) suffix: Checking for suffix after "@"
(49261) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49261) suffix: No such realm "NULL"
(49261) [suffix] = noop
(49261) eap: Peer sent EAP Response (code 2) ID 4 length 136
(49261) eap: Continuing tunnel setup
(49261) [eap] = ok
(49261) } # authorize = ok
(49261) Found Auth-Type = eap
(49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49261) authenticate {
(49261) eap: Expiring EAP session with state 0x9e6734429e602efe
(49261) eap: Finished EAP session with state 0x3432644837367d5b
(49261) eap: Previous EAP request found for state 0x3432644837367d5b, released from the list
(49261) eap: Peer sent packet with method EAP PEAP (25)
(49261) eap: Calling submodule eap_peap to process data
(49261) eap_peap: Continuing EAP-TLS
(49261) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(49261) eap_peap: Got complete TLS record (126 bytes)
(49261) eap_peap: [eaptls verify] = length included
(49261) eap_peap: TLS_accept: SSLv3/TLS write server done
(49261) eap_peap: <<< recv TLS 1.2 [length 0046]
(49261) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(49261) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(49261) eap_peap: <<< recv TLS 1.2 [length 0010]
(49261) eap_peap: TLS_accept: SSLv3/TLS read finished
(49261) eap_peap: >>> send TLS 1.2 [length 0001]
(49261) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(49261) eap_peap: >>> send TLS 1.2 [length 0010]
(49261) eap_peap: TLS_accept: SSLv3/TLS write finished
(49261) eap_peap: (other): SSL negotiation finished successfully
(49261) eap_peap: SSL Connection Established
(49261) eap_peap: [eaptls process] = handled
(49261) eap: Sending EAP Request (code 1) ID 5 length 57
(49261) eap: EAP session adding &reply:State = 0x3432644830377d5b
(49261) [eap] = handled
(49261) } # authenticate = handled
(49261) Using Post-Auth-Type Challenge
(49261) Post-Auth-Type sub-section not found. Ignoring.
(49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49261) Sent Access-Challenge Id 155 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49261) EAP-Message = 0x01050039190014030300010116030300288ad05ce60e5ee56aa8fd940dbf64fb565398577f45d3a8687b23d15f21a95ece7c4c893f88783014
(49261) Message-Authenticator = 0x00000000000000000000000000000000
(49261) State = 0x3432644830377d5baa04a227c6849a7d
(49261) Finished request
(49262) Received Access-Request Id 156 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49262) User-Name = "347117"
(49262) NAS-IP-Address = 10.34.15.221
(49262) NAS-Port = 2
(49262) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49262) Calling-Station-Id = "48-49-C7-71-79-66"
(49262) Framed-MTU = 1400
(49262) NAS-Port-Type = Wireless-802.11
(49262) Connect-Info = "CONNECT 54Mbps 802.11g"
(49262) EAP-Message = 0x020500061900
(49262) State = 0x3432644830377d5baa04a227c6849a7d
(49262) Message-Authenticator = 0x9a71a530fc4e39a0cda671f47b038d60
(49262) session-state: No cached attributes
(49262) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49262) authorize {
(49262) policy filter_username {
(49262) if (&User-Name) {
(49262) if (&User-Name) -> TRUE
(49262) if (&User-Name) {
(49262) if (&User-Name != "%{tolower:%{User-Name}}") {
(49262) EXPAND %{tolower:%{User-Name}}
(49262) --> 347117
(49262) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49262) if (&User-Name =~ / /) {
(49262) if (&User-Name =~ / /) -> FALSE
(49262) if (&User-Name =~ /@[^@]*@/ ) {
(49262) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49262) if (&User-Name =~ /\.\./ ) {
(49262) if (&User-Name =~ /\.\./ ) -> FALSE
(49262) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49262) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49262) if (&User-Name =~ /\.$/) {
(49262) if (&User-Name =~ /\.$/) -> FALSE
(49262) if (&User-Name =~ /@\./) {
(49262) if (&User-Name =~ /@\./) -> FALSE
(49262) } # if (&User-Name) = notfound
(49262) } # policy filter_username = notfound
(49262) [preprocess] = ok
(49262) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49262) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49262) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49262) auth_log: EXPAND %t
(49262) auth_log: --> Tue Jun 23 11:18:40 2020
(49262) [auth_log] = ok
(49262) [chap] = noop
(49262) [mschap] = noop
(49262) [digest] = noop
(49262) suffix: Checking for suffix after "@"
(49262) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49262) suffix: No such realm "NULL"
(49262) [suffix] = noop
(49262) eap: Peer sent EAP Response (code 2) ID 5 length 6
(49262) eap: Continuing tunnel setup
(49262) [eap] = ok
(49262) } # authorize = ok
(49262) Found Auth-Type = eap
(49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49262) authenticate {
(49262) eap: Expiring EAP session with state 0x9e6734429e602efe
(49262) eap: Finished EAP session with state 0x3432644830377d5b
(49262) eap: Previous EAP request found for state 0x3432644830377d5b, released from the list
(49262) eap: Peer sent packet with method EAP PEAP (25)
(49262) eap: Calling submodule eap_peap to process data
(49262) eap_peap: Continuing EAP-TLS
(49262) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(49262) eap_peap: [eaptls verify] = success
(49262) eap_peap: [eaptls process] = success
(49262) eap_peap: Session established. Decoding tunneled attributes
(49262) eap_peap: PEAP state TUNNEL ESTABLISHED
(49262) eap: Sending EAP Request (code 1) ID 6 length 40
(49262) eap: EAP session adding &reply:State = 0x3432644831347d5b
(49262) [eap] = handled
(49262) } # authenticate = handled
(49262) Using Post-Auth-Type Challenge
(49262) Post-Auth-Type sub-section not found. Ignoring.
(49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49262) Sent Access-Challenge Id 156 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49262) EAP-Message = 0x010600281900170303001d8ad05ce60e5ee56b04ae2e2e3b80438ad90309abe6117ae0e5da1b62b4
(49262) Message-Authenticator = 0x00000000000000000000000000000000
(49262) State = 0x3432644831347d5baa04a227c6849a7d
(49262) Finished request
(49263) Received Access-Request Id 157 from 10.34.15.221:1384 to 10.34.242.3:1812 length 210
(49263) User-Name = "347117"
(49263) NAS-IP-Address = 10.34.15.221
(49263) NAS-Port = 2
(49263) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49263) Calling-Station-Id = "48-49-C7-71-79-66"
(49263) Framed-MTU = 1400
(49263) NAS-Port-Type = Wireless-802.11
(49263) Connect-Info = "CONNECT 54Mbps 802.11g"
(49263) EAP-Message = 0x0206003419001703030029000000000000000128fd4cc44d77dddfae0f69a41d8c6d206cad6d4b0935736eb8e7051c2e6845eeff
(49263) State = 0x3432644831347d5baa04a227c6849a7d
(49263) Message-Authenticator = 0x8eb9fb4fd0d08a9bab42661adcc8d699
(49263) session-state: No cached attributes
(49263) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49263) authorize {
(49263) policy filter_username {
(49263) if (&User-Name) {
(49263) if (&User-Name) -> TRUE
(49263) if (&User-Name) {
(49263) if (&User-Name != "%{tolower:%{User-Name}}") {
(49263) EXPAND %{tolower:%{User-Name}}
(49263) --> 347117
(49263) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49263) if (&User-Name =~ / /) {
(49263) if (&User-Name =~ / /) -> FALSE
(49263) if (&User-Name =~ /@[^@]*@/ ) {
(49263) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49263) if (&User-Name =~ /\.\./ ) {
(49263) if (&User-Name =~ /\.\./ ) -> FALSE
(49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49263) if (&User-Name =~ /\.$/) {
(49263) if (&User-Name =~ /\.$/) -> FALSE
(49263) if (&User-Name =~ /@\./) {
(49263) if (&User-Name =~ /@\./) -> FALSE
(49263) } # if (&User-Name) = notfound
(49263) } # policy filter_username = notfound
(49263) [preprocess] = ok
(49263) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49263) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49263) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49263) auth_log: EXPAND %t
(49263) auth_log: --> Tue Jun 23 11:18:40 2020
(49263) [auth_log] = ok
(49263) [chap] = noop
(49263) [mschap] = noop
(49263) [digest] = noop
(49263) suffix: Checking for suffix after "@"
(49263) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49263) suffix: No such realm "NULL"
(49263) [suffix] = noop
(49263) eap: Peer sent EAP Response (code 2) ID 6 length 52
(49263) eap: Continuing tunnel setup
(49263) [eap] = ok
(49263) } # authorize = ok
(49263) Found Auth-Type = eap
(49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49263) authenticate {
(49263) eap: Expiring EAP session with state 0x9e6734429e602efe
(49263) eap: Finished EAP session with state 0x3432644831347d5b
(49263) eap: Previous EAP request found for state 0x3432644831347d5b, released from the list
(49263) eap: Peer sent packet with method EAP PEAP (25)
(49263) eap: Calling submodule eap_peap to process data
(49263) eap_peap: Continuing EAP-TLS
(49263) eap_peap: [eaptls verify] = ok
(49263) eap_peap: Done initial handshake
(49263) eap_peap: [eaptls process] = ok
(49263) eap_peap: Session established. Decoding tunneled attributes
(49263) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(49263) eap_peap: Identity - luciana.nogueira
(49263) eap_peap: Got inner identity 'luciana.nogueira'
(49263) eap_peap: Setting default EAP type for tunneled EAP session
(49263) eap_peap: Got tunneled request
(49263) eap_peap: EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263) eap_peap: Setting User-Name to luciana.nogueira
(49263) eap_peap: Sending tunneled request to inner-tunnel
(49263) eap_peap: EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(49263) eap_peap: User-Name = "luciana.nogueira"
(49263) Virtual server inner-tunnel received request
(49263) EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263) FreeRADIUS-Proxied-To = 127.0.0.1
(49263) User-Name = "luciana.nogueira"
(49263) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(49263) server inner-tunnel {
(49263) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49263) authorize {
(49263) policy filter_username {
(49263) if (&User-Name) {
(49263) if (&User-Name) -> TRUE
(49263) if (&User-Name) {
(49263) if (&User-Name != "%{tolower:%{User-Name}}") {
(49263) EXPAND %{tolower:%{User-Name}}
(49263) --> luciana.nogueira
(49263) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49263) if (&User-Name =~ / /) {
(49263) if (&User-Name =~ / /) -> FALSE
(49263) if (&User-Name =~ /@[^@]*@/ ) {
(49263) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49263) if (&User-Name =~ /\.\./ ) {
(49263) if (&User-Name =~ /\.\./ ) -> FALSE
(49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49263) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49263) if (&User-Name =~ /\.$/) {
(49263) if (&User-Name =~ /\.$/) -> FALSE
(49263) if (&User-Name =~ /@\./) {
(49263) if (&User-Name =~ /@\./) -> FALSE
(49263) } # if (&User-Name) = notfound
(49263) } # policy filter_username = notfound
(49263) [chap] = noop
(49263) [mschap] = noop
(49263) suffix: Checking for suffix after "@"
(49263) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49263) suffix: No such realm "NULL"
(49263) [suffix] = noop
(49263) update control {
(49263) &Proxy-To-Realm := LOCAL
(49263) } # update control = noop
(49263) eap: Peer sent EAP Response (code 2) ID 6 length 21
(49263) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(49263) [eap] = ok
(49263) } # authorize = ok
(49263) Found Auth-Type = eap
(49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49263) authenticate {
(49263) eap: Peer sent packet with method EAP Identity (1)
(49263) eap: Calling submodule eap_mschapv2 to process data
(49263) eap_mschapv2: Issuing Challenge
(49263) eap: Sending EAP Request (code 1) ID 7 length 43
(49263) eap: EAP session adding &reply:State = 0x214671d321416b6e
(49263) [eap] = handled
(49263) } # authenticate = handled
(49263) } # server inner-tunnel
(49263) Virtual server sending reply
(49263) EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263) Message-Authenticator = 0x00000000000000000000000000000000
(49263) State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled reply code 11
(49263) eap_peap: EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49263) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled reply RADIUS code 11
(49263) eap_peap: EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49263) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled Access-Challenge
(49263) eap: Sending EAP Request (code 1) ID 7 length 74
(49263) eap: EAP session adding &reply:State = 0x3432644832357d5b
(49263) [eap] = handled
(49263) } # authenticate = handled
(49263) Using Post-Auth-Type Challenge
(49263) Post-Auth-Type sub-section not found. Ignoring.
(49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49263) Sent Access-Challenge Id 157 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49263) EAP-Message = 0x0107004a1900170303003f8ad05ce60e5ee56c153fb28473439215526db8736ab97058edf5170bf7b140e9d16783b78ce6e18c1cb2d3fa04bb51df1ecdc736140a04d7d4e797dc3229c3
(49263) Message-Authenticator = 0x00000000000000000000000000000000
(49263) State = 0x3432644832357d5baa04a227c6849a7d
(49263) Finished request
(49264) Received Access-Request Id 158 from 10.34.15.221:1384 to 10.34.242.3:1812 length 264
(49264) User-Name = "347117"
(49264) NAS-IP-Address = 10.34.15.221
(49264) NAS-Port = 2
(49264) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49264) Calling-Station-Id = "48-49-C7-71-79-66"
(49264) Framed-MTU = 1400
(49264) NAS-Port-Type = Wireless-802.11
(49264) Connect-Info = "CONNECT 54Mbps 802.11g"
(49264) EAP-Message = 0x0207006a1900170303005f0000000000000002d9c7a4e9ae59cfe3d90af91aa0aee002c3b4dc78422285bc88a8e33d7ffa1e58aa98f6fac7d72b4dbffe3a3b4aeccaeaa42df4ab91e78e2aeee31026e98609cd8b51b88663710a6bb29088279292a2cb18a4259c051294
(49264) State = 0x3432644832357d5baa04a227c6849a7d
(49264) Message-Authenticator = 0x4b17fd5d5a9b8fd97344948d8a46de86
(49264) session-state: No cached attributes
(49264) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49264) authorize {
(49264) policy filter_username {
(49264) if (&User-Name) {
(49264) if (&User-Name) -> TRUE
(49264) if (&User-Name) {
(49264) if (&User-Name != "%{tolower:%{User-Name}}") {
(49264) EXPAND %{tolower:%{User-Name}}
(49264) --> 347117
(49264) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49264) if (&User-Name =~ / /) {
(49264) if (&User-Name =~ / /) -> FALSE
(49264) if (&User-Name =~ /@[^@]*@/ ) {
(49264) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49264) if (&User-Name =~ /\.\./ ) {
(49264) if (&User-Name =~ /\.\./ ) -> FALSE
(49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49264) if (&User-Name =~ /\.$/) {
(49264) if (&User-Name =~ /\.$/) -> FALSE
(49264) if (&User-Name =~ /@\./) {
(49264) if (&User-Name =~ /@\./) -> FALSE
(49264) } # if (&User-Name) = notfound
(49264) } # policy filter_username = notfound
(49264) [preprocess] = ok
(49264) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49264) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49264) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49264) auth_log: EXPAND %t
(49264) auth_log: --> Tue Jun 23 11:18:40 2020
(49264) [auth_log] = ok
(49264) [chap] = noop
(49264) [mschap] = noop
(49264) [digest] = noop
(49264) suffix: Checking for suffix after "@"
(49264) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49264) suffix: No such realm "NULL"
(49264) [suffix] = noop
(49264) eap: Peer sent EAP Response (code 2) ID 7 length 106
(49264) eap: Continuing tunnel setup
(49264) [eap] = ok
(49264) } # authorize = ok
(49264) Found Auth-Type = eap
(49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49264) authenticate {
(49264) eap: Expiring EAP session with state 0x9e6734429e602efe
(49264) eap: Finished EAP session with state 0x3432644832357d5b
(49264) eap: Previous EAP request found for state 0x3432644832357d5b, released from the list
(49264) eap: Peer sent packet with method EAP PEAP (25)
(49264) eap: Calling submodule eap_peap to process data
(49264) eap_peap: Continuing EAP-TLS
(49264) eap_peap: [eaptls verify] = ok
(49264) eap_peap: Done initial handshake
(49264) eap_peap: [eaptls process] = ok
(49264) eap_peap: Session established. Decoding tunneled attributes
(49264) eap_peap: PEAP state phase2
(49264) eap_peap: EAP method MSCHAPv2 (26)
(49264) eap_peap: Got tunneled request
(49264) eap_peap: EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264) eap_peap: Setting User-Name to luciana.nogueira
(49264) eap_peap: Sending tunneled request to inner-tunnel
(49264) eap_peap: EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(49264) eap_peap: User-Name = "luciana.nogueira"
(49264) eap_peap: State = 0x214671d321416b6e6c123acd822f47ac
(49264) Virtual server inner-tunnel received request
(49264) EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264) FreeRADIUS-Proxied-To = 127.0.0.1
(49264) User-Name = "luciana.nogueira"
(49264) State = 0x214671d321416b6e6c123acd822f47ac
(49264) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(49264) server inner-tunnel {
(49264) session-state: No cached attributes
(49264) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264) authorize {
(49264) policy filter_username {
(49264) if (&User-Name) {
(49264) if (&User-Name) -> TRUE
(49264) if (&User-Name) {
(49264) if (&User-Name != "%{tolower:%{User-Name}}") {
(49264) EXPAND %{tolower:%{User-Name}}
(49264) --> luciana.nogueira
(49264) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49264) if (&User-Name =~ / /) {
(49264) if (&User-Name =~ / /) -> FALSE
(49264) if (&User-Name =~ /@[^@]*@/ ) {
(49264) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49264) if (&User-Name =~ /\.\./ ) {
(49264) if (&User-Name =~ /\.\./ ) -> FALSE
(49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49264) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49264) if (&User-Name =~ /\.$/) {
(49264) if (&User-Name =~ /\.$/) -> FALSE
(49264) if (&User-Name =~ /@\./) {
(49264) if (&User-Name =~ /@\./) -> FALSE
(49264) } # if (&User-Name) = notfound
(49264) } # policy filter_username = notfound
(49264) [chap] = noop
(49264) [mschap] = noop
(49264) suffix: Checking for suffix after "@"
(49264) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49264) suffix: No such realm "NULL"
(49264) [suffix] = noop
(49264) update control {
(49264) &Proxy-To-Realm := LOCAL
(49264) } # update control = noop
(49264) eap: Peer sent EAP Response (code 2) ID 7 length 75
(49264) eap: No EAP Start, assuming it's an on-going EAP conversation
(49264) [eap] = updated
(49264) files: users: Matched entry DEFAULT at line 90
(49264) [files] = ok
(49264) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49264) sql: --> luciana.nogueira
(49264) sql: SQL-User-Name set to 'luciana.nogueira'
(49264) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49264) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49264) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49264) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49264) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49264) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49264) sql: User not found in any groups
(49264) [sql] = notfound
(49264) [expiration] = noop
(49264) [logintime] = noop
(49264) [pap] = noop
(49264) } # authorize = updated
(49264) Found Auth-Type = eap
(49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264) authenticate {
(49264) eap: Expiring EAP session with state 0x9e6734429e602efe
(49264) eap: Finished EAP session with state 0x214671d321416b6e
(49264) eap: Previous EAP request found for state 0x214671d321416b6e, released from the list
(49264) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(49264) eap: Calling submodule eap_mschapv2 to process data
(49264) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264) eap_mschapv2: authenticate {
(49264) mschap: Creating challenge hash with username: luciana.nogueira
(49264) mschap: Client is using MS-CHAPv2
(49264) mschap: EXPAND %{mschap:User-Name}
(49264) mschap: --> luciana.nogueira
(49264) mschap: ERROR: No NT-Domain was found in the User-Name
(49264) mschap: EXPAND %{mschap:NT-Domain}
(49264) mschap: -->
(49264) mschap: sending authentication request user='luciana.nogueira' domain=''
(49264) mschap: Authenticated successfully
(49264) mschap: Adding MS-CHAPv2 MPPE keys
(49264) [mschap] = ok
(49264) } # authenticate = ok
(49264) MSCHAP Success
(49264) eap: Sending EAP Request (code 1) ID 8 length 51
(49264) eap: EAP session adding &reply:State = 0x214671d3204e6b6e
(49264) [eap] = handled
(49264) } # authenticate = handled
(49264) } # server inner-tunnel
(49264) Virtual server sending reply
(49264) Idle-Timeout = 300
(49264) EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264) Message-Authenticator = 0x00000000000000000000000000000000
(49264) State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled reply code 11
(49264) eap_peap: Idle-Timeout = 300
(49264) eap_peap: EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49264) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled reply RADIUS code 11
(49264) eap_peap: Idle-Timeout = 300
(49264) eap_peap: EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49264) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled Access-Challenge
(49264) eap: Sending EAP Request (code 1) ID 8 length 82
(49264) eap: EAP session adding &reply:State = 0x34326448333a7d5b
(49264) [eap] = handled
(49264) } # authenticate = handled
(49264) Using Post-Auth-Type Challenge
(49264) Post-Auth-Type sub-section not found. Ignoring.
(49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49264) Sent Access-Challenge Id 158 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49264) EAP-Message = 0x01080052190017030300478ad05ce60e5ee56dce23340a3be2c962cc4f7d1ee8e7ae9aef666bf4fac4aa03796c641f3b59020ff440d471af287ef622a0fb7b6e3775db7348671ab310c104c57ca5045628d7
(49264) Message-Authenticator = 0x00000000000000000000000000000000
(49264) State = 0x34326448333a7d5baa04a227c6849a7d
(49264) Finished request
(49265) Received Access-Request Id 159 from 10.34.15.221:1384 to 10.34.242.3:1812 length 195
(49265) User-Name = "347117"
(49265) NAS-IP-Address = 10.34.15.221
(49265) NAS-Port = 2
(49265) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49265) Calling-Station-Id = "48-49-C7-71-79-66"
(49265) Framed-MTU = 1400
(49265) NAS-Port-Type = Wireless-802.11
(49265) Connect-Info = "CONNECT 54Mbps 802.11g"
(49265) EAP-Message = 0x020800251900170303001a00000000000000031247ab59722d1f524f21b21b65b88b21dc63
(49265) State = 0x34326448333a7d5baa04a227c6849a7d
(49265) Message-Authenticator = 0x4e23dd00e538823df81cfcd85802e7d5
(49265) session-state: No cached attributes
(49265) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49265) authorize {
(49265) policy filter_username {
(49265) if (&User-Name) {
(49265) if (&User-Name) -> TRUE
(49265) if (&User-Name) {
(49265) if (&User-Name != "%{tolower:%{User-Name}}") {
(49265) EXPAND %{tolower:%{User-Name}}
(49265) --> 347117
(49265) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49265) if (&User-Name =~ / /) {
(49265) if (&User-Name =~ / /) -> FALSE
(49265) if (&User-Name =~ /@[^@]*@/ ) {
(49265) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49265) if (&User-Name =~ /\.\./ ) {
(49265) if (&User-Name =~ /\.\./ ) -> FALSE
(49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49265) if (&User-Name =~ /\.$/) {
(49265) if (&User-Name =~ /\.$/) -> FALSE
(49265) if (&User-Name =~ /@\./) {
(49265) if (&User-Name =~ /@\./) -> FALSE
(49265) } # if (&User-Name) = notfound
(49265) } # policy filter_username = notfound
(49265) [preprocess] = ok
(49265) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49265) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49265) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49265) auth_log: EXPAND %t
(49265) auth_log: --> Tue Jun 23 11:18:40 2020
(49265) [auth_log] = ok
(49265) [chap] = noop
(49265) [mschap] = noop
(49265) [digest] = noop
(49265) suffix: Checking for suffix after "@"
(49265) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49265) suffix: No such realm "NULL"
(49265) [suffix] = noop
(49265) eap: Peer sent EAP Response (code 2) ID 8 length 37
(49265) eap: Continuing tunnel setup
(49265) [eap] = ok
(49265) } # authorize = ok
(49265) Found Auth-Type = eap
(49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49265) authenticate {
(49265) eap: Expiring EAP session with state 0x9e6734429e602efe
(49265) eap: Finished EAP session with state 0x34326448333a7d5b
(49265) eap: Previous EAP request found for state 0x34326448333a7d5b, released from the list
(49265) eap: Peer sent packet with method EAP PEAP (25)
(49265) eap: Calling submodule eap_peap to process data
(49265) eap_peap: Continuing EAP-TLS
(49265) eap_peap: [eaptls verify] = ok
(49265) eap_peap: Done initial handshake
(49265) eap_peap: [eaptls process] = ok
(49265) eap_peap: Session established. Decoding tunneled attributes
(49265) eap_peap: PEAP state phase2
(49265) eap_peap: EAP method MSCHAPv2 (26)
(49265) eap_peap: Got tunneled request
(49265) eap_peap: EAP-Message = 0x020800061a03
(49265) eap_peap: Setting User-Name to luciana.nogueira
(49265) eap_peap: Sending tunneled request to inner-tunnel
(49265) eap_peap: EAP-Message = 0x020800061a03
(49265) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(49265) eap_peap: User-Name = "luciana.nogueira"
(49265) eap_peap: State = 0x214671d3204e6b6e6c123acd822f47ac
(49265) Virtual server inner-tunnel received request
(49265) EAP-Message = 0x020800061a03
(49265) FreeRADIUS-Proxied-To = 127.0.0.1
(49265) User-Name = "luciana.nogueira"
(49265) State = 0x214671d3204e6b6e6c123acd822f47ac
(49265) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(49265) server inner-tunnel {
(49265) session-state: No cached attributes
(49265) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265) authorize {
(49265) policy filter_username {
(49265) if (&User-Name) {
(49265) if (&User-Name) -> TRUE
(49265) if (&User-Name) {
(49265) if (&User-Name != "%{tolower:%{User-Name}}") {
(49265) EXPAND %{tolower:%{User-Name}}
(49265) --> luciana.nogueira
(49265) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49265) if (&User-Name =~ / /) {
(49265) if (&User-Name =~ / /) -> FALSE
(49265) if (&User-Name =~ /@[^@]*@/ ) {
(49265) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49265) if (&User-Name =~ /\.\./ ) {
(49265) if (&User-Name =~ /\.\./ ) -> FALSE
(49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49265) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49265) if (&User-Name =~ /\.$/) {
(49265) if (&User-Name =~ /\.$/) -> FALSE
(49265) if (&User-Name =~ /@\./) {
(49265) if (&User-Name =~ /@\./) -> FALSE
(49265) } # if (&User-Name) = notfound
(49265) } # policy filter_username = notfound
(49265) [chap] = noop
(49265) [mschap] = noop
(49265) suffix: Checking for suffix after "@"
(49265) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49265) suffix: No such realm "NULL"
(49265) [suffix] = noop
(49265) update control {
(49265) &Proxy-To-Realm := LOCAL
(49265) } # update control = noop
(49265) eap: Peer sent EAP Response (code 2) ID 8 length 6
(49265) eap: No EAP Start, assuming it's an on-going EAP conversation
(49265) [eap] = updated
(49265) files: users: Matched entry DEFAULT at line 90
(49265) [files] = ok
(49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49265) sql: --> luciana.nogueira
(49265) sql: SQL-User-Name set to 'luciana.nogueira'
(49265) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49265) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49265) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49265) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49265) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49265) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49265) sql: User not found in any groups
(49265) [sql] = notfound
(49265) [expiration] = noop
(49265) [logintime] = noop
(49265) [pap] = noop
(49265) } # authorize = updated
(49265) Found Auth-Type = eap
(49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265) authenticate {
(49265) eap: Expiring EAP session with state 0x9e6734429e602efe
(49265) eap: Finished EAP session with state 0x214671d3204e6b6e
(49265) eap: Previous EAP request found for state 0x214671d3204e6b6e, released from the list
(49265) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(49265) eap: Calling submodule eap_mschapv2 to process data
(49265) eap: Sending EAP Success (code 3) ID 8 length 4
(49265) eap: Freeing handler
(49265) [eap] = ok
(49265) } # authenticate = ok
(49265) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265) session {
(49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49265) sql: --> luciana.nogueira
(49265) sql: SQL-User-Name set to 'luciana.nogueira'
(49265) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(49265) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49265) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49265) [sql] = ok
(49265) } # session = ok
(49265) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265) post-auth {
(49265) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(49265) reply_log: --> /var/log/freeradius/radacct/10.34.15.221/reply-detail
(49265) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.15.221/reply-detail
(49265) reply_log: EXPAND %t
(49265) reply_log: --> Tue Jun 23 11:18:40 2020
(49265) [reply_log] = ok
(49265) } # post-auth = ok
(49265) Login OK: [luciana.nogueira] (from client AP-SD1-A03-Q01 port 0 via TLS tunnel)
(49265) } # server inner-tunnel
(49265) Virtual server sending reply
(49265) Idle-Timeout = 300
(49265) MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265) MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265) MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265) EAP-Message = 0x03080004
(49265) Message-Authenticator = 0x00000000000000000000000000000000
(49265) User-Name = "luciana.nogueira"
(49265) eap_peap: Got tunneled reply code 2
(49265) eap_peap: Idle-Timeout = 300
(49265) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265) eap_peap: MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265) eap_peap: MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265) eap_peap: EAP-Message = 0x03080004
(49265) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49265) eap_peap: User-Name = "luciana.nogueira"
(49265) eap_peap: Got tunneled reply RADIUS code 2
(49265) eap_peap: Idle-Timeout = 300
(49265) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265) eap_peap: MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265) eap_peap: MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265) eap_peap: EAP-Message = 0x03080004
(49265) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(49265) eap_peap: User-Name = "luciana.nogueira"
(49265) eap_peap: Tunneled authentication was successful
(49265) eap_peap: SUCCESS
(49265) eap: Sending EAP Request (code 1) ID 9 length 46
(49265) eap: EAP session adding &reply:State = 0x343264483c3b7d5b
(49265) [eap] = handled
(49265) } # authenticate = handled
(49265) Using Post-Auth-Type Challenge
(49265) Post-Auth-Type sub-section not found. Ignoring.
(49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49265) Sent Access-Challenge Id 159 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49265) EAP-Message = 0x0109002e190017030300238ad05ce60e5ee56e3f85995ad4d9fa3e7353121ef0323fdf5e8a60cf3b9b554a80d3dd
(49265) Message-Authenticator = 0x00000000000000000000000000000000
(49265) State = 0x343264483c3b7d5baa04a227c6849a7d
(49265) Finished request
(49266) Received Access-Request Id 160 from 10.34.15.221:1384 to 10.34.242.3:1812 length 204
(49266) User-Name = "347117"
(49266) NAS-IP-Address = 10.34.15.221
(49266) NAS-Port = 2
(49266) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49266) Calling-Station-Id = "48-49-C7-71-79-66"
(49266) Framed-MTU = 1400
(49266) NAS-Port-Type = Wireless-802.11
(49266) Connect-Info = "CONNECT 54Mbps 802.11g"
(49266) EAP-Message = 0x0209002e190017030300230000000000000004c778ad733d5b70db3716819554f83810f465ba77cd7845e575c9ff
(49266) State = 0x343264483c3b7d5baa04a227c6849a7d
(49266) Message-Authenticator = 0x855882f09e771e57421e4a41f6ea470c
(49266) session-state: No cached attributes
(49266) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49266) authorize {
(49266) policy filter_username {
(49266) if (&User-Name) {
(49266) if (&User-Name) -> TRUE
(49266) if (&User-Name) {
(49266) if (&User-Name != "%{tolower:%{User-Name}}") {
(49266) EXPAND %{tolower:%{User-Name}}
(49266) --> 347117
(49266) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(49266) if (&User-Name =~ / /) {
(49266) if (&User-Name =~ / /) -> FALSE
(49266) if (&User-Name =~ /@[^@]*@/ ) {
(49266) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(49266) if (&User-Name =~ /\.\./ ) {
(49266) if (&User-Name =~ /\.\./ ) -> FALSE
(49266) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(49266) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(49266) if (&User-Name =~ /\.$/) {
(49266) if (&User-Name =~ /\.$/) -> FALSE
(49266) if (&User-Name =~ /@\./) {
(49266) if (&User-Name =~ /@\./) -> FALSE
(49266) } # if (&User-Name) = notfound
(49266) } # policy filter_username = notfound
(49266) [preprocess] = ok
(49266) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49266) auth_log: --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49266) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49266) auth_log: EXPAND %t
(49266) auth_log: --> Tue Jun 23 11:18:40 2020
(49266) [auth_log] = ok
(49266) [chap] = noop
(49266) [mschap] = noop
(49266) [digest] = noop
(49266) suffix: Checking for suffix after "@"
(49266) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49266) suffix: No such realm "NULL"
(49266) [suffix] = noop
(49266) eap: Peer sent EAP Response (code 2) ID 9 length 46
(49266) eap: Continuing tunnel setup
(49266) [eap] = ok
(49266) } # authorize = ok
(49266) Found Auth-Type = eap
(49266) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49266) authenticate {
(49266) eap: Expiring EAP session with state 0x9e6734429e602efe
(49266) eap: Finished EAP session with state 0x343264483c3b7d5b
(49266) eap: Previous EAP request found for state 0x343264483c3b7d5b, released from the list
(49266) eap: Peer sent packet with method EAP PEAP (25)
(49266) eap: Calling submodule eap_peap to process data
(49266) eap_peap: Continuing EAP-TLS
(49266) eap_peap: [eaptls verify] = ok
(49266) eap_peap: Done initial handshake
(49266) eap_peap: [eaptls process] = ok
(49266) eap_peap: Session established. Decoding tunneled attributes
(49266) eap_peap: PEAP state send tlv success
(49266) eap_peap: Received EAP-TLV response
(49266) eap_peap: Success
(49266) eap: Sending EAP Success (code 3) ID 9 length 4
(49266) eap: Freeing handler
(49266) [eap] = ok
(49266) } # authenticate = ok
(49266) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(49266) post-auth {
(49266) update {
(49266) No attributes updated
(49266) } # update = noop
(49266) sql: EXPAND .query
(49266) sql: --> .query
(49266) sql: Using query template 'query'
(49266) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49266) sql: --> 347117
(49266) sql: SQL-User-Name set to '347117'
(49266) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))
(49266) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920))
(49266) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920))
(49266) sql: SQL query returned: success
(49266) sql: 1 record(s) updated
(49266) [sql] = ok
(49266) [exec] = noop
(49266) policy remove_reply_message_if_eap {
(49266) if (&reply:EAP-Message && &reply:Reply-Message) {
(49266) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(49266) else {
(49266) [noop] = noop
(49266) } # else = noop
(49266) } # policy remove_reply_message_if_eap = noop
(49266) } # post-auth = ok
(49266) Login OK: [347117] (from client AP-SD1-A03-Q01 port 2 cli 48-49-C7-71-79-66)
(49266) Sent Access-Accept Id 160 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49266) MS-MPPE-Recv-Key = 0x542d83c1eb40f8c303c2eb8158cb7e7db2151c3568559646f0ae6cc2b4834cdc
(49266) MS-MPPE-Send-Key = 0xe5c545e00159f5d356a41a506a2bfdda247960a2b6a0044c7bf9037a48336c63
(49266) EAP-Message = 0x03090004
(49266) Message-Authenticator = 0x00000000000000000000000000000000
(49266) User-Name = "347117"
(49266) Finished request
(49267) Received Accounting-Request Id 161 from 10.34.15.221:1386 to 10.34.242.3:1813 length 145
(49267) Acct-Session-Id = "38EBA713-00000041"
(49267) Acct-Status-Type = Start
(49267) Acct-Authentic = RADIUS
(49267) User-Name = "347117"
(49267) NAS-IP-Address = 10.34.15.221
(49267) NAS-Port = 2
(49267) Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49267) Calling-Station-Id = "48-49-C7-71-79-66"
(49267) NAS-Port-Type = Wireless-802.11
(49267) Connect-Info = "CONNECT 54Mbps 802.11g"
(49267) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(49267) preacct {
(49267) [preprocess] = ok
(49267) update request {
(49267) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(49267) --> 1592921920
(49267) FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 11:18:40 -03
(49267) } # update request = noop
(49267) policy acct_unique {
(49267) update request {
(49267) Tmp-String-9 := "ai:"
(49267) } # update request = noop
(49267) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(49267) EXPAND %{hex:&Class}
(49267) -->
(49267) EXPAND ^%{hex:&Tmp-String-9}
(49267) --> ^61693a
(49267) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(49267) else {
(49267) update request {
(49267) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}}
(49267) --> 6b521bf17a61aa914f0f67b33c558e07
(49267) &Acct-Unique-Session-Id := 6b521bf17a61aa914f0f67b33c558e07
(49267) } # update request = noop
(49267) } # else = noop
(49267) } # policy acct_unique = noop
(49267) suffix: Checking for suffix after "@"
(49267) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49267) suffix: No such realm "NULL"
(49267) [suffix] = noop
(49267) files: acct_users: Matched entry DEFAULT at line 22
(49267) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(49267) files: --> 347117
(49267) [files] = ok
(49267) } # preacct = ok
(49267) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(49267) accounting {
(49267) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(49267) log_accounting: --> Accounting-Request.Start
(49267) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(49267) log_accounting: --> Tue, 23-06-2020 11:18:40 Connect: [347117] (did 5C-D9-98-14-37-48:MPDFT cli 48-49-C7-71-79-66 port 2 ip )
(49267) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(49267) log_accounting: --> /var/log/freeradius/linelog-accounting
(49267) [log_accounting] = ok
(49267) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(49267) sql: --> type.start.query
(49267) sql: Using query template 'query'
(49267) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49267) sql: --> 347117
(49267) sql: SQL-User-Name set to '347117'
(49267) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(49267) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet)
(49267) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet)
(49267) sql: SQL query returned: success
(49267) sql: 1 record(s) updated
(49267) [sql] = ok
(49267) if (&request:Acct-Status-Type == start) {
(49267) if (&request:Acct-Status-Type == start) -> TRUE
(49267) if (&request:Acct-Status-Type == start) {
(49267) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49267) --> 347117
(49267) SQL-User-Name set to '347117'
(49267) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592921920), AcctUpdateTime = TO_TIMESTAMP(1592921920), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = '347117' AND AcctUniqueId <> '6b521bf17a61aa914f0f67b33c558e07' AND CallingStationId = '48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49267) SQL query affected no rows
(49267) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(49267) -->
(49267) } # if (&request:Acct-Status-Type == start) = ok
(49267) [exec] = noop
(49267) attr_filter.accounting_response: EXPAND %{User-Name}
(49267) attr_filter.accounting_response: --> 347117
(49267) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(49267) [attr_filter.accounting_response] = updated
(49267) } # accounting = updated
(49267) Sent Accounting-Response Id 161 from 10.34.242.3:1813 to 10.34.15.221:1386 length 0
(49267) Finished request
(49267) Cleaning up request packet ID 161 with timestamp +43054
(49257) Cleaning up request packet ID 151 with timestamp +43054
(49258) Cleaning up request packet ID 152 with timestamp +43054
(49259) Cleaning up request packet ID 153 with timestamp +43054
(49260) Cleaning up request packet ID 154 with timestamp +43054
(49261) Cleaning up request packet ID 155 with timestamp +43054
(49262) Cleaning up request packet ID 156 with timestamp +43054
(49263) Cleaning up request packet ID 157 with timestamp +43054
(49264) Cleaning up request packet ID 158 with timestamp +43054
(49265) Cleaning up request packet ID 159 with timestamp +43054
(49266) Cleaning up request packet ID 160 with timestamp +43054
root at vp2-seg-008:/var/log/freeradius#