How to disable machine authentication
Daniel Guimaraes Pena
daniel.pena at mpdft.mp.br
Wed Jun 24 00:22:04 CEST 2020
Is it possible?
I tried this in the users file:
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#
DEFAULT	Group == "Domain Computers", Auth-Type := Reject
	Reply-Message = "Autenticacao de maquinas desabilitada."
DEFAULT	Group == "TodasContasEspeciais", Auth-Type := Reject
	Reply-Message = "Autenticacao de contas de servico desabilitada."
Domain Computers doesn't work. TodasContasEspeciais works fine.
This entry here works fine too:
DEFAULT	Group == "domain users", Simultaneous-Use := 2
	Idle-Timeout := 300,
	Fall-Through = Yes
Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)
(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(83533) User-Name = "host/n65144.mpdft.gov.br"
(83533) NAS-IP-Address = 10.34.177.220
(83533) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83533) NAS-Port-Id = "00000001"
(83533) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83533) NAS-Port-Type = Wireless-802.11
(83533) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83533) Service-Type = Framed-User
(83533) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83533) Connect-Info = "CONNECT 0Mbps 802.11b"
(83533) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83533) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83533) WLAN-Pairwise-Cipher = 1027076
(83533) WLAN-Group-Cipher = 1027076
(83533) WLAN-AKM-Suite = 1027073
(83533) Framed-MTU = 1400
(83533) EAP-Message = 0x02bf001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83533) Message-Authenticator = 0x7c8882b39ec98c99e1110bdf525b977f
(83533) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83533) authorize {
(83533) policy filter_username {
(83533) if (&User-Name) {
(83533) if (&User-Name) -> TRUE
(83533) if (&User-Name) {
(83533) if (&User-Name != "%{tolower:%{User-Name}}") {
(83533) EXPAND %{tolower:%{User-Name}}
(83533) --> host/n65144.mpdft.gov.br
(83533) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83533) if (&User-Name =~ / /) {
(83533) if (&User-Name =~ / /) -> FALSE
(83533) if (&User-Name =~ /@[^@]*@/ ) {
(83533) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83533) if (&User-Name =~ /\.\./ ) {
(83533) if (&User-Name =~ /\.\./ ) -> FALSE
(83533) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83533) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83533) if (&User-Name =~ /\.$/) {
(83533) if (&User-Name =~ /\.$/) -> FALSE
(83533) if (&User-Name =~ /@\./) {
(83533) if (&User-Name =~ /@\./) -> FALSE
(83533) } # if (&User-Name) = notfound
(83533) } # policy filter_username = notfound
(83533) [preprocess] = ok
(83533) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83533) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: EXPAND %t
(83533) auth_log: --> Tue Jun 23 13:47:25 2020
(83533) [auth_log] = ok
(83533) [chap] = noop
(83533) [mschap] = noop
(83533) [digest] = noop
(83533) suffix: Checking for suffix after "@"
(83533) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83533) suffix: No such realm "NULL"
(83533) [suffix] = noop
(83533) eap: Peer sent EAP Response (code 2) ID 191 length 29
(83533) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83533) [eap] = ok
(83533) } # authorize = ok
(83533) Found Auth-Type = eap
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533) authenticate {
(83533) eap: Peer sent packet with method EAP Identity (1)
(83533) eap: Calling submodule eap_md5 to process data
(83533) eap_md5: Issuing MD5 Challenge
(83533) eap: Sending EAP Request (code 1) ID 192 length 22
(83533) eap: EAP session adding &reply:State = 0x592274a559e270cf
(83533) [eap] = handled
(83533) } # authenticate = handled
(83533) Using Post-Auth-Type Challenge
(83533) Post-Auth-Type sub-section not found. Ignoring.
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533) Sent Access-Challenge Id 116 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83533) EAP-Message = 0x01c00016041005768a2deba77dd47f9bb481032d785f
(83533) Message-Authenticator = 0x00000000000000000000000000000000
(83533) State = 0x592274a559e270cf5d11088ba56bbac4
(83533) Finished request
(83534) Received Access-Request Id 117 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83534) User-Name = "host/n65144.mpdft.gov.br"
(83534) NAS-IP-Address = 10.34.177.220
(83534) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83534) NAS-Port-Id = "00000001"
(83534) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83534) NAS-Port-Type = Wireless-802.11
(83534) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83534) Service-Type = Framed-User
(83534) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83534) Connect-Info = "CONNECT 0Mbps 802.11b"
(83534) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83534) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83534) WLAN-Pairwise-Cipher = 1027076
(83534) WLAN-Group-Cipher = 1027076
(83534) WLAN-AKM-Suite = 1027073
(83534) Framed-MTU = 1400
(83534) EAP-Message = 0x02c000060319
(83534) State = 0x592274a559e270cf5d11088ba56bbac4
(83534) Message-Authenticator = 0x255275434bb38a137ce44e1cdbbd154d
(83534) session-state: No cached attributes
(83534) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83534) authorize {
(83534) policy filter_username {
(83534) if (&User-Name) {
(83534) if (&User-Name) -> TRUE
(83534) if (&User-Name) {
(83534) if (&User-Name != "%{tolower:%{User-Name}}") {
(83534) EXPAND %{tolower:%{User-Name}}
(83534) --> host/n65144.mpdft.gov.br
(83534) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83534) if (&User-Name =~ / /) {
(83534) if (&User-Name =~ / /) -> FALSE
(83534) if (&User-Name =~ /@[^@]*@/ ) {
(83534) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83534) if (&User-Name =~ /\.\./ ) {
(83534) if (&User-Name =~ /\.\./ ) -> FALSE
(83534) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83534) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83534) if (&User-Name =~ /\.$/) {
(83534) if (&User-Name =~ /\.$/) -> FALSE
(83534) if (&User-Name =~ /@\./) {
(83534) if (&User-Name =~ /@\./) -> FALSE
(83534) } # if (&User-Name) = notfound
(83534) } # policy filter_username = notfound
(83534) [preprocess] = ok
(83534) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83534) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: EXPAND %t
(83534) auth_log: --> Tue Jun 23 13:47:25 2020
(83534) [auth_log] = ok
(83534) [chap] = noop
(83534) [mschap] = noop
(83534) [digest] = noop
(83534) suffix: Checking for suffix after "@"
(83534) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83534) suffix: No such realm "NULL"
(83534) [suffix] = noop
(83534) eap: Peer sent EAP Response (code 2) ID 192 length 6
(83534) eap: No EAP Start, assuming it's an on-going EAP conversation
(83534) [eap] = updated
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) [files] = noop
(83534) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83534) sql: --> host/n65144.mpdft.gov.br
(83534) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83534) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83534) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83534) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: User not found in any groups
(83534) [sql] = notfound
(83534) [expiration] = noop
(83534) [logintime] = noop
(83534) if (ok) {
(83534) if (ok) -> FALSE
(83534) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(83534) pap: WARNING: Authentication will fail unless a "known good" password is available
(83534) [pap] = noop
(83534) } # authorize = updated
(83534) Found Auth-Type = eap
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534) authenticate {
(83534) eap: Expiring EAP session with state 0x9017180393030136
(83534) eap: Finished EAP session with state 0x592274a559e270cf
(83534) eap: Previous EAP request found for state 0x592274a559e270cf, released from the list
(83534) eap: Peer sent packet with method EAP NAK (3)
(83534) eap: Found mutually acceptable type PEAP (25)
(83534) eap: Calling submodule eap_peap to process data
(83534) eap_peap: Initiating new EAP-TLS session
(83534) eap_peap: [eaptls start] = request
(83534) eap: Sending EAP Request (code 1) ID 193 length 6
(83534) eap: EAP session adding &reply:State = 0x592274a558e36dcf
(83534) [eap] = handled
(83534) } # authenticate = handled
(83534) Using Post-Auth-Type Challenge
(83534) Post-Auth-Type sub-section not found. Ignoring.
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534) Sent Access-Challenge Id 117 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83534) EAP-Message = 0x01c100061920
(83534) Message-Authenticator = 0x00000000000000000000000000000000
(83534) State = 0x592274a558e36dcf5d11088ba56bbac4
(83534) Finished request
(83535) Received Access-Request Id 118 from 10.34.177.220:37268 to 10.34.242.3:1812 length 451
(83535) User-Name = "host/n65144.mpdft.gov.br"
(83535) NAS-IP-Address = 10.34.177.220
(83535) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83535) NAS-Port-Id = "00000001"
(83535) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83535) NAS-Port-Type = Wireless-802.11
(83535) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83535) Service-Type = Framed-User
(83535) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83535) Connect-Info = "CONNECT 0Mbps 802.11b"
(83535) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83535) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83535) WLAN-Pairwise-Cipher = 1027076
(83535) WLAN-Group-Cipher = 1027076
(83535) WLAN-AKM-Suite = 1027073
(83535) Framed-MTU = 1400
(83535) EAP-Message = 0x02c100a619800000009c16030300970100009303035ef232201f924dbda3d2ec6cfae7c1dd5d52c00d55fa1bc32d9736d6302f8c6c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(83535) State = 0x592274a558e36dcf5d11088ba56bbac4
(83535) Message-Authenticator = 0xe12affe4dba2b169cdc68ff635c36fb5
(83535) session-state: No cached attributes
(83535) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83535) authorize {
(83535) policy filter_username {
(83535) if (&User-Name) {
(83535) if (&User-Name) -> TRUE
(83535) if (&User-Name) {
(83535) if (&User-Name != "%{tolower:%{User-Name}}") {
(83535) EXPAND %{tolower:%{User-Name}}
(83535) --> host/n65144.mpdft.gov.br
(83535) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83535) if (&User-Name =~ / /) {
(83535) if (&User-Name =~ / /) -> FALSE
(83535) if (&User-Name =~ /@[^@]*@/ ) {
(83535) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83535) if (&User-Name =~ /\.\./ ) {
(83535) if (&User-Name =~ /\.\./ ) -> FALSE
(83535) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83535) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83535) if (&User-Name =~ /\.$/) {
(83535) if (&User-Name =~ /\.$/) -> FALSE
(83535) if (&User-Name =~ /@\./) {
(83535) if (&User-Name =~ /@\./) -> FALSE
(83535) } # if (&User-Name) = notfound
(83535) } # policy filter_username = notfound
(83535) [preprocess] = ok
(83535) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83535) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: EXPAND %t
(83535) auth_log: --> Tue Jun 23 13:47:25 2020
(83535) [auth_log] = ok
(83535) [chap] = noop
(83535) [mschap] = noop
(83535) [digest] = noop
(83535) suffix: Checking for suffix after "@"
(83535) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83535) suffix: No such realm "NULL"
(83535) [suffix] = noop
(83535) eap: Peer sent EAP Response (code 2) ID 193 length 166
(83535) eap: Continuing tunnel setup
(83535) [eap] = ok
(83535) } # authorize = ok
(83535) Found Auth-Type = eap
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535) authenticate {
(83535) eap: Expiring EAP session with state 0x9017180393030136
(83535) eap: Finished EAP session with state 0x592274a558e36dcf
(83535) eap: Previous EAP request found for state 0x592274a558e36dcf, released from the list
(83535) eap: Peer sent packet with method EAP PEAP (25)
(83535) eap: Calling submodule eap_peap to process data
(83535) eap_peap: Continuing EAP-TLS
(83535) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(83535) eap_peap: Got complete TLS record (156 bytes)
(83535) eap_peap: [eaptls verify] = length included
(83535) eap_peap: (other): before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: <<< recv TLS 1.2 [length 0097]
(83535) eap_peap: TLS_accept: SSLv3/TLS read client hello
(83535) eap_peap: >>> send TLS 1.2 [length 003d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server hello
(83535) eap_peap: >>> send TLS 1.2 [length 0309]
(83535) eap_peap: TLS_accept: SSLv3/TLS write certificate
(83535) eap_peap: >>> send TLS 1.2 [length 014d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(83535) eap_peap: >>> send TLS 1.2 [length 0004]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server done
(83535) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(83535) eap_peap: In SSL Handshake Phase
(83535) eap_peap: In SSL Accept mode
(83535) eap_peap: [eaptls process] = handled
(83535) eap: Sending EAP Request (code 1) ID 194 length 1004
(83535) eap: EAP session adding &reply:State = 0x592274a55be06dcf
(83535) [eap] = handled
(83535) } # authenticate = handled
(83535) Using Post-Auth-Type Challenge
(83535) Post-Auth-Type sub-section not found. Ignoring.
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535) Sent Access-Challenge Id 118 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83535) EAP-Message = 0x01c203ec19c0000004ab160303003d0200003903039308bda32e5a82ed478ea55a2e3b34d753ba6e340f36dcfffba42072b5d3038700c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(83535) Message-Authenticator = 0x00000000000000000000000000000000
(83535) State = 0x592274a55be06dcf5d11088ba56bbac4
(83535) Finished request
(83536) Received Access-Request Id 119 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83536) User-Name = "host/n65144.mpdft.gov.br"
(83536) NAS-IP-Address = 10.34.177.220
(83536) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83536) NAS-Port-Id = "00000001"
(83536) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83536) NAS-Port-Type = Wireless-802.11
(83536) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83536) Service-Type = Framed-User
(83536) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83536) Connect-Info = "CONNECT 0Mbps 802.11b"
(83536) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83536) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83536) WLAN-Pairwise-Cipher = 1027076
(83536) WLAN-Group-Cipher = 1027076
(83536) WLAN-AKM-Suite = 1027073
(83536) Framed-MTU = 1400
(83536) EAP-Message = 0x02c200061900
(83536) State = 0x592274a55be06dcf5d11088ba56bbac4
(83536) Message-Authenticator = 0x75aeeb98b14c048409007526e8333933
(83536) session-state: No cached attributes
(83536) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83536) authorize {
(83536) policy filter_username {
(83536) if (&User-Name) {
(83536) if (&User-Name) -> TRUE
(83536) if (&User-Name) {
(83536) if (&User-Name != "%{tolower:%{User-Name}}") {
(83536) EXPAND %{tolower:%{User-Name}}
(83536) --> host/n65144.mpdft.gov.br
(83536) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83536) if (&User-Name =~ / /) {
(83536) if (&User-Name =~ / /) -> FALSE
(83536) if (&User-Name =~ /@[^@]*@/ ) {
(83536) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83536) if (&User-Name =~ /\.\./ ) {
(83536) if (&User-Name =~ /\.\./ ) -> FALSE
(83536) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83536) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83536) if (&User-Name =~ /\.$/) {
(83536) if (&User-Name =~ /\.$/) -> FALSE
(83536) if (&User-Name =~ /@\./) {
(83536) if (&User-Name =~ /@\./) -> FALSE
(83536) } # if (&User-Name) = notfound
(83536) } # policy filter_username = notfound
(83536) [preprocess] = ok
(83536) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83536) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: EXPAND %t
(83536) auth_log: --> Tue Jun 23 13:47:25 2020
(83536) [auth_log] = ok
(83536) [chap] = noop
(83536) [mschap] = noop
(83536) [digest] = noop
(83536) suffix: Checking for suffix after "@"
(83536) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83536) suffix: No such realm "NULL"
(83536) [suffix] = noop
(83536) eap: Peer sent EAP Response (code 2) ID 194 length 6
(83536) eap: Continuing tunnel setup
(83536) [eap] = ok
(83536) } # authorize = ok
(83536) Found Auth-Type = eap
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536) authenticate {
(83536) eap: Expiring EAP session with state 0x9017180393030136
(83536) eap: Finished EAP session with state 0x592274a55be06dcf
(83536) eap: Previous EAP request found for state 0x592274a55be06dcf, released from the list
(83536) eap: Peer sent packet with method EAP PEAP (25)
(83536) eap: Calling submodule eap_peap to process data
(83536) eap_peap: Continuing EAP-TLS
(83536) eap_peap: Peer ACKed our handshake fragment
(83536) eap_peap: [eaptls verify] = request
(83536) eap_peap: [eaptls process] = handled
(83536) eap: Sending EAP Request (code 1) ID 195 length 207
(83536) eap: EAP session adding &reply:State = 0x592274a55ae16dcf
(83536) [eap] = handled
(83536) } # authenticate = handled
(83536) Using Post-Auth-Type Challenge
(83536) Post-Auth-Type sub-section not found. Ignoring.
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536) Sent Access-Challenge Id 119 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83536) EAP-Message = 0x01c300cf19003adad27975fdfa785ffac44ee108d8838b13e1123beab2b8798afd3e35cd995637b894ae0e18112d45144eba479ff30dc4e993ff3f295c8c064c8d46e7e064f5730fc35330cdfec07f886298dba50e9d2d2aaa6aac6198571a6155afbbdc35ebcd32d90dc658f48e3a273e031294d34abf
(83536) Message-Authenticator = 0x00000000000000000000000000000000
(83536) State = 0x592274a55ae16dcf5d11088ba56bbac4
(83536) Finished request
(83537) Received Access-Request Id 120 from 10.34.177.220:37268 to 10.34.242.3:1812 length 421
(83537) User-Name = "host/n65144.mpdft.gov.br"
(83537) NAS-IP-Address = 10.34.177.220
(83537) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83537) NAS-Port-Id = "00000001"
(83537) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83537) NAS-Port-Type = Wireless-802.11
(83537) Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83537) Service-Type = Framed-User
(83537) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83537) Connect-Info = "CONNECT 0Mbps 802.11b"
(83537) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83537) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83537) WLAN-Pairwise-Cipher = 1027076
(83537) WLAN-Group-Cipher = 1027076
(83537) WLAN-AKM-Suite = 1027073
(83537) Framed-MTU = 1400
(83537) EAP-Message = 0x02c3008819800000007e1603030046100000424104ca73327a1aa86d548f1bab867288bf53e4bb907e877b520127d42986a20dc91111d47d38caadab01d14914ea7fecb7f982b3ad50f1706ca7ac7508604badfa501403030001011603030028000000000000000074fe6c972b1cbfe176c9161a99d6ee
(83537) State = 0x592274a55ae16dcf5d11088ba56bbac4
(83537) Message-Authenticator = 0x13188abc81665fe76a84d5ae53be2694
(83537) session-state: No cached attributes
(83537) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83537) authorize {
(83537) policy filter_username {
(83537) if (&User-Name) {
(83537) if (&User-Name) -> TRUE
(83537) if (&User-Name) {
(83537) if (&User-Name != "%{tolower:%{User-Name}}") {
(83537) EXPAND %{tolower:%{User-Name}}
(83537) --> host/n65144.mpdft.gov.br
(83537) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83537) if (&User-Name =~ / /) {
(83537) if (&User-Name =~ / /) -> FALSE
(83537) if (&User-Name =~ /@[^@]*@/ ) {
(83537) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83537) if (&User-Name =~ /\.\./ ) {
(83537) if (&User-Name =~ /\.\./ ) -> FALSE
(83537) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83537) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83537) if (&User-Name =~ /\.$/) {
(83537) if (&User-Name =~ /\.$/) -> FALSE
(83537) if (&User-Name =~ /@\./) {
(83537) if (&User-Name =~ /@\./) -> FALSE
(83537) } # if (&User-Name) = notfound
(83537) } # policy filter_username = notfound
(83537) [preprocess] = ok
(83537) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83537) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: EXPAND %t
(83537) auth_log: --> Tue Jun 23 13:47:25 2020
(83537) [auth_log] = ok
(83537) [chap] = noop
(83537) [mschap] = noop
(83537) [digest] = noop
(83537) suffix: Checking for suffix after "@"
(83537) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83537) suffix: No such realm "NULL"
(83537) [suffix] = noop
(83537) eap: Peer sent EAP Response (code 2) ID 195 length 136
(83537) eap: Continuing tunnel setup
(83537) [eap] = ok
(83537) } # authorize = ok
(83537) Found Auth-Type = eap
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537) authenticate {
(83537) eap: Expiring EAP session with state 0x9017180393030136
(83537) eap: Finished EAP session with state 0x592274a55ae16dcf
(83537) eap: Previous EAP request found for state 0x592274a55ae16dcf, released from the list
(83537) eap: Peer sent packet with method EAP PEAP (25)
(83537) eap: Calling submodule eap_peap to process data
(83537) eap_peap: Continuing EAP-TLS
(83537) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(83537) eap_peap: Got complete TLS record (126 bytes)
(83537) eap_peap: [eaptls verify] = length included
(83537) eap_peap: TLS_accept: SSLv3/TLS write server done
(83537) eap_peap: <<< recv TLS 1.2 [length 0046]
(83537) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(83537) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(83537) eap_peap: <<< recv TLS 1.2 [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS read finished
(83537) eap_peap: >>> send TLS 1.2 [length 0001]
(83537) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(83537) eap_peap: >>> send TLS 1.2 [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS write finished
(83537) eap_peap: (other): SSL negotiation finished successfully
(83537) eap_peap: SSL Connection Established
(83537) eap_peap: [eaptls process] = handled
(83537) eap: Sending EAP Request (code 1) ID 196 length 57
(83537) eap: EAP session adding &reply:State = 0x592274a55de66dcf
(83537) [eap] = handled
(83537) } # authenticate = handled
(83537) Using Post-Auth-Type Challenge
(83537) Post-Auth-Type sub-section not found. Ignoring.
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537) Sent Access-Challenge Id 120 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83537) EAP-Message = 0x01c4003919001403030001011603030028fb13cb712244c06c9b03a1b435796e337e52fd31841ccd87539254fce0bde1743fdf2c63be546af0
(83537) Message-Authenticator = 0x00000000000000000000000000000000
(83537) State = 0x592274a55de66dcf5d11088ba56bbac4
(83537) Finished request
(83538) Received Access-Request Id 121 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83538) User-Name = "host/n65144.mpdft.gov.br"
(83538) NAS-IP-Address = 10.34.177.220
(83538) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83538) NAS-Port-Id = "00000001"
(83538) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83538) NAS-Port-Type = Wireless-802.11
(83538) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83538) Service-Type = Framed-User
(83538) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83538) Connect-Info = "CONNECT 0Mbps 802.11b"
(83538) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83538) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83538) WLAN-Pairwise-Cipher = 1027076
(83538) WLAN-Group-Cipher = 1027076
(83538) WLAN-AKM-Suite = 1027073
(83538) Framed-MTU = 1400
(83538) EAP-Message = 0x02c400061900
(83538) State = 0x592274a55de66dcf5d11088ba56bbac4
(83538) Message-Authenticator = 0x039c283f11ffbfe1b00e0453467c8cea
(83538) session-state: No cached attributes
(83538) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83538) authorize {
(83538) policy filter_username {
(83538) if (&User-Name) {
(83538) if (&User-Name) -> TRUE
(83538) if (&User-Name) {
(83538) if (&User-Name != "%{tolower:%{User-Name}}") {
(83538) EXPAND %{tolower:%{User-Name}}
(83538) --> host/n65144.mpdft.gov.br
(83538) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83538) if (&User-Name =~ / /) {
(83538) if (&User-Name =~ / /) -> FALSE
(83538) if (&User-Name =~ /@[^@]*@/ ) {
(83538) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83538) if (&User-Name =~ /\.\./ ) {
(83538) if (&User-Name =~ /\.\./ ) -> FALSE
(83538) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83538) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83538) if (&User-Name =~ /\.$/) {
(83538) if (&User-Name =~ /\.$/) -> FALSE
(83538) if (&User-Name =~ /@\./) {
(83538) if (&User-Name =~ /@\./) -> FALSE
(83538) } # if (&User-Name) = notfound
(83538) } # policy filter_username = notfound
(83538) [preprocess] = ok
(83538) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83538) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: EXPAND %t
(83538) auth_log: --> Tue Jun 23 13:47:25 2020
(83538) [auth_log] = ok
(83538) [chap] = noop
(83538) [mschap] = noop
(83538) [digest] = noop
(83538) suffix: Checking for suffix after "@"
(83538) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83538) suffix: No such realm "NULL"
(83538) [suffix] = noop
(83538) eap: Peer sent EAP Response (code 2) ID 196 length 6
(83538) eap: Continuing tunnel setup
(83538) [eap] = ok
(83538) } # authorize = ok
(83538) Found Auth-Type = eap
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538) authenticate {
(83538) eap: Expiring EAP session with state 0x9017180393030136
(83538) eap: Finished EAP session with state 0x592274a55de66dcf
(83538) eap: Previous EAP request found for state 0x592274a55de66dcf, released from the list
(83538) eap: Peer sent packet with method EAP PEAP (25)
(83538) eap: Calling submodule eap_peap to process data
(83538) eap_peap: Continuing EAP-TLS
(83538) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(83538) eap_peap: [eaptls verify] = success
(83538) eap_peap: [eaptls process] = success
(83538) eap_peap: Session established. Decoding tunneled attributes
(83538) eap_peap: PEAP state TUNNEL ESTABLISHED
(83538) eap: Sending EAP Request (code 1) ID 197 length 40
(83538) eap: EAP session adding &reply:State = 0x592274a55ce76dcf
(83538) [eap] = handled
(83538) } # authenticate = handled
(83538) Using Post-Auth-Type Challenge
(83538) Post-Auth-Type sub-section not found. Ignoring.
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538) Sent Access-Challenge Id 121 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83538) EAP-Message = 0x01c500281900170303001dfb13cb712244c06dd3b3319eda935797571c500deb4e259f6c76c7fd82
(83538) Message-Authenticator = 0x00000000000000000000000000000000
(83538) State = 0x592274a55ce76dcf5d11088ba56bbac4
(83538) Finished request
(83539) Received Access-Request Id 122 from 10.34.177.220:37268 to 10.34.242.3:1812 length 345
(83539) User-Name = "host/n65144.mpdft.gov.br"
(83539) NAS-IP-Address = 10.34.177.220
(83539) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83539) NAS-Port-Id = "00000001"
(83539) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83539) NAS-Port-Type = Wireless-802.11
(83539) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83539) Service-Type = Framed-User
(83539) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83539) Connect-Info = "CONNECT 0Mbps 802.11b"
(83539) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83539) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83539) WLAN-Pairwise-Cipher = 1027076
(83539) WLAN-Group-Cipher = 1027076
(83539) WLAN-AKM-Suite = 1027073
(83539) Framed-MTU = 1400
(83539) EAP-Message = 0x02c5003c1900170303003100000000000000019e684626cfe0b3f0d0437b3374b0ca4957085fe2da28a7496a052aa8648f75adddf043780ba025962c
(83539) State = 0x592274a55ce76dcf5d11088ba56bbac4
(83539) Message-Authenticator = 0xd669040d031f113bf06fc26177e7970f
(83539) session-state: No cached attributes
(83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83539) authorize {
(83539) policy filter_username {
(83539) if (&User-Name) {
(83539) if (&User-Name) -> TRUE
(83539) if (&User-Name) {
(83539) if (&User-Name != "%{tolower:%{User-Name}}") {
(83539) EXPAND %{tolower:%{User-Name}}
(83539) --> host/n65144.mpdft.gov.br
(83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83539) if (&User-Name =~ / /) {
(83539) if (&User-Name =~ / /) -> FALSE
(83539) if (&User-Name =~ /@[^@]*@/ ) {
(83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83539) if (&User-Name =~ /\.\./ ) {
(83539) if (&User-Name =~ /\.\./ ) -> FALSE
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83539) if (&User-Name =~ /\.$/) {
(83539) if (&User-Name =~ /\.$/) -> FALSE
(83539) if (&User-Name =~ /@\./) {
(83539) if (&User-Name =~ /@\./) -> FALSE
(83539) } # if (&User-Name) = notfound
(83539) } # policy filter_username = notfound
(83539) [preprocess] = ok
(83539) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83539) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: EXPAND %t
(83539) auth_log: --> Tue Jun 23 13:47:25 2020
(83539) [auth_log] = ok
(83539) [chap] = noop
(83539) [mschap] = noop
(83539) [digest] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539) [suffix] = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 60
(83539) eap: Continuing tunnel setup
(83539) [eap] = ok
(83539) } # authorize = ok
(83539) Found Auth-Type = eap
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539) authenticate {
(83539) eap: Expiring EAP session with state 0x9017180393030136
(83539) eap: Finished EAP session with state 0x592274a55ce76dcf
(83539) eap: Previous EAP request found for state 0x592274a55ce76dcf, released from the list
(83539) eap: Peer sent packet with method EAP PEAP (25)
(83539) eap: Calling submodule eap_peap to process data
(83539) eap_peap: Continuing EAP-TLS
(83539) eap_peap: [eaptls verify] = ok
(83539) eap_peap: Done initial handshake
(83539) eap_peap: [eaptls process] = ok
(83539) eap_peap: Session established. Decoding tunneled attributes
(83539) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(83539) eap_peap: Identity - host/n65144.mpdft.gov.br
(83539) eap_peap: Got inner identity 'host/n65144.mpdft.gov.br'
(83539) eap_peap: Setting default EAP type for tunneled EAP session
(83539) eap_peap: Got tunneled request
(83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83539) eap_peap: Sending tunneled request to inner-tunnel
(83539) eap_peap: EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83539) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83539) Virtual server inner-tunnel received request
(83539) EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) FreeRADIUS-Proxied-To = 127.0.0.1
(83539) User-Name = "host/n65144.mpdft.gov.br"
(83539) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83539) server inner-tunnel {
(83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539) authorize {
(83539) policy filter_username {
(83539) if (&User-Name) {
(83539) if (&User-Name) -> TRUE
(83539) if (&User-Name) {
(83539) if (&User-Name != "%{tolower:%{User-Name}}") {
(83539) EXPAND %{tolower:%{User-Name}}
(83539) --> host/n65144.mpdft.gov.br
(83539) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83539) if (&User-Name =~ / /) {
(83539) if (&User-Name =~ / /) -> FALSE
(83539) if (&User-Name =~ /@[^@]*@/ ) {
(83539) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83539) if (&User-Name =~ /\.\./ ) {
(83539) if (&User-Name =~ /\.\./ ) -> FALSE
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83539) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83539) if (&User-Name =~ /\.$/) {
(83539) if (&User-Name =~ /\.$/) -> FALSE
(83539) if (&User-Name =~ /@\./) {
(83539) if (&User-Name =~ /@\./) -> FALSE
(83539) } # if (&User-Name) = notfound
(83539) } # policy filter_username = notfound
(83539) [chap] = noop
(83539) [mschap] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539) [suffix] = noop
(83539) update control {
(83539) &Proxy-To-Realm := LOCAL
(83539) } # update control = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 29
(83539) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83539) [eap] = ok
(83539) } # authorize = ok
(83539) Found Auth-Type = eap
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539) authenticate {
(83539) eap: Peer sent packet with method EAP Identity (1)
(83539) eap: Calling submodule eap_mschapv2 to process data
(83539) eap_mschapv2: Issuing Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 43
(83539) eap: EAP session adding &reply:State = 0x3abf883e3a79928a
(83539) [eap] = handled
(83539) } # authenticate = handled
(83539) } # server inner-tunnel
(83539) Virtual server sending reply
(83539) EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) Message-Authenticator = 0x00000000000000000000000000000000
(83539) State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply code 11
(83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply RADIUS code 11
(83539) eap_peap: EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled Access-Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 74
(83539) eap: EAP session adding &reply:State = 0x592274a55fe46dcf
(83539) [eap] = handled
(83539) } # authenticate = handled
(83539) Using Post-Auth-Type Challenge
(83539) Post-Auth-Type sub-section not found. Ignoring.
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539) Sent Access-Challenge Id 122 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83539) EAP-Message = 0x01c6004a1900170303003ffb13cb712244c06e54a5366995c39bdc1107aafc963bcbefefa5912d6b2b1ae5eb5108197757709c9aae011a2ddbf372662fc09dd88087fb1e9bb0f2978db4
(83539) Message-Authenticator = 0x00000000000000000000000000000000
(83539) State = 0x592274a55fe46dcf5d11088ba56bbac4
(83539) Finished request
(83540) Received Access-Request Id 123 from 10.34.177.220:37268 to 10.34.242.3:1812 length 399
(83540) User-Name = "host/n65144.mpdft.gov.br"
(83540) NAS-IP-Address = 10.34.177.220
(83540) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83540) NAS-Port-Id = "00000001"
(83540) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83540) NAS-Port-Type = Wireless-802.11
(83540) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83540) Service-Type = Framed-User
(83540) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83540) Connect-Info = "CONNECT 0Mbps 802.11b"
(83540) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83540) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83540) WLAN-Pairwise-Cipher = 1027076
(83540) WLAN-Group-Cipher = 1027076
(83540) WLAN-AKM-Suite = 1027073
(83540) Framed-MTU = 1400
(83540) EAP-Message = 0x02c600721900170303006700000000000000021552c7414a6fe33963587194385413497356adaccb7d04280027aee00ff540e05eed36464f01c0e63d44edf60788f9e825b052378b1c052d4cd743622358e5780eade74a4113b0ac7efc5a15f9a5af8688350db96638d52ca7c4b4b1645a0a
(83540) State = 0x592274a55fe46dcf5d11088ba56bbac4
(83540) Message-Authenticator = 0x66ccd547f1f593cdda006e7b27c1d398
(83540) session-state: No cached attributes
(83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83540) authorize {
(83540) policy filter_username {
(83540) if (&User-Name) {
(83540) if (&User-Name) -> TRUE
(83540) if (&User-Name) {
(83540) if (&User-Name != "%{tolower:%{User-Name}}") {
(83540) EXPAND %{tolower:%{User-Name}}
(83540) --> host/n65144.mpdft.gov.br
(83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83540) if (&User-Name =~ / /) {
(83540) if (&User-Name =~ / /) -> FALSE
(83540) if (&User-Name =~ /@[^@]*@/ ) {
(83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83540) if (&User-Name =~ /\.\./ ) {
(83540) if (&User-Name =~ /\.\./ ) -> FALSE
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83540) if (&User-Name =~ /\.$/) {
(83540) if (&User-Name =~ /\.$/) -> FALSE
(83540) if (&User-Name =~ /@\./) {
(83540) if (&User-Name =~ /@\./) -> FALSE
(83540) } # if (&User-Name) = notfound
(83540) } # policy filter_username = notfound
(83540) [preprocess] = ok
(83540) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83540) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: EXPAND %t
(83540) auth_log: --> Tue Jun 23 13:47:25 2020
(83540) [auth_log] = ok
(83540) [chap] = noop
(83540) [mschap] = noop
(83540) [digest] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540) [suffix] = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 114
(83540) eap: Continuing tunnel setup
(83540) [eap] = ok
(83540) } # authorize = ok
(83540) Found Auth-Type = eap
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540) authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x592274a55fe46dcf
(83540) eap: Previous EAP request found for state 0x592274a55fe46dcf, released from the list
(83540) eap: Peer sent packet with method EAP PEAP (25)
(83540) eap: Calling submodule eap_peap to process data
(83540) eap_peap: Continuing EAP-TLS
(83540) eap_peap: [eaptls verify] = ok
(83540) eap_peap: Done initial handshake
(83540) eap_peap: [eaptls process] = ok
(83540) eap_peap: Session established. Decoding tunneled attributes
(83540) eap_peap: PEAP state phase2
(83540) eap_peap: EAP method MSCHAPv2 (26)
(83540) eap_peap: Got tunneled request
(83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83540) eap_peap: Sending tunneled request to inner-tunnel
(83540) eap_peap: EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83540) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83540) eap_peap: State = 0x3abf883e3a79928a4508626b4c893c09
(83540) Virtual server inner-tunnel received request
(83540) EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) FreeRADIUS-Proxied-To = 127.0.0.1
(83540) User-Name = "host/n65144.mpdft.gov.br"
(83540) State = 0x3abf883e3a79928a4508626b4c893c09
(83540) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83540) server inner-tunnel {
(83540) session-state: No cached attributes
(83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) authorize {
(83540) policy filter_username {
(83540) if (&User-Name) {
(83540) if (&User-Name) -> TRUE
(83540) if (&User-Name) {
(83540) if (&User-Name != "%{tolower:%{User-Name}}") {
(83540) EXPAND %{tolower:%{User-Name}}
(83540) --> host/n65144.mpdft.gov.br
(83540) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83540) if (&User-Name =~ / /) {
(83540) if (&User-Name =~ / /) -> FALSE
(83540) if (&User-Name =~ /@[^@]*@/ ) {
(83540) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83540) if (&User-Name =~ /\.\./ ) {
(83540) if (&User-Name =~ /\.\./ ) -> FALSE
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83540) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83540) if (&User-Name =~ /\.$/) {
(83540) if (&User-Name =~ /\.$/) -> FALSE
(83540) if (&User-Name =~ /@\./) {
(83540) if (&User-Name =~ /@\./) -> FALSE
(83540) } # if (&User-Name) = notfound
(83540) } # policy filter_username = notfound
(83540) [chap] = noop
(83540) [mschap] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540) [suffix] = noop
(83540) update control {
(83540) &Proxy-To-Realm := LOCAL
(83540) } # update control = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 83
(83540) eap: No EAP Start, assuming it's an on-going EAP conversation
(83540) [eap] = updated
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) [files] = noop
(83540) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83540) sql: --> host/n65144.mpdft.gov.br
(83540) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83540) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83540) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83540) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: User not found in any groups
(83540) [sql] = notfound
(83540) [expiration] = noop
(83540) [logintime] = noop
(83540) [pap] = noop
(83540) } # authorize = updated
(83540) Found Auth-Type = eap
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x3abf883e3a79928a
(83540) eap: Previous EAP request found for state 0x3abf883e3a79928a, released from the list
(83540) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83540) eap: Calling submodule eap_mschapv2 to process data
(83540) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) eap_mschapv2: authenticate {
(83540) mschap: Creating challenge hash with username: host/n65144.mpdft.gov.br
(83540) mschap: Client is using MS-CHAPv2
(83540) mschap: EXPAND %{mschap:User-Name}
(83540) mschap: --> n65144$
(83540) mschap: EXPAND %{mschap:NT-Domain}
(83540) mschap: --> mpdft
(83540) mschap: sending authentication request user='n65144$' domain='mpdft'
(83540) mschap: Authenticated successfully
(83540) mschap: Adding MS-CHAPv2 MPPE keys
(83540) [mschap] = ok
(83540) } # authenticate = ok
(83540) MSCHAP Success
(83540) eap: Sending EAP Request (code 1) ID 199 length 51
(83540) eap: EAP session adding &reply:State = 0x3abf883e3b78928a
(83540) [eap] = handled
(83540) } # authenticate = handled
(83540) } # server inner-tunnel
(83540) Virtual server sending reply
(83540) EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) Message-Authenticator = 0x00000000000000000000000000000000
(83540) State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply code 11
(83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply RADIUS code 11
(83540) eap_peap: EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled Access-Challenge
(83540) eap: Sending EAP Request (code 1) ID 199 length 82
(83540) eap: EAP session adding &reply:State = 0x592274a55ee56dcf
(83540) [eap] = handled
(83540) } # authenticate = handled
(83540) Using Post-Auth-Type Challenge
(83540) Post-Auth-Type sub-section not found. Ignoring.
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540) Sent Access-Challenge Id 123 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83540) EAP-Message = 0x01c7005219001703030047fb13cb712244c06fb9349c1a922348d032aa6f4c23c7d2f5143a72f99f00383819d97b9eb2ede7a3a9837f7deac267f4c81c6172bb7f9a4aae783a922eb875456f78c2ade1a752
(83540) Message-Authenticator = 0x00000000000000000000000000000000
(83540) State = 0x592274a55ee56dcf5d11088ba56bbac4
(83540) Finished request
(83541) Received Access-Request Id 124 from 10.34.177.220:37268 to 10.34.242.3:1812 length 322
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) NAS-IP-Address = 10.34.177.220
(83541) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83541) NAS-Port-Id = "00000001"
(83541) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83541) NAS-Port-Type = Wireless-802.11
(83541) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83541) Service-Type = Framed-User
(83541) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83541) Connect-Info = "CONNECT 0Mbps 802.11b"
(83541) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83541) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83541) WLAN-Pairwise-Cipher = 1027076
(83541) WLAN-Group-Cipher = 1027076
(83541) WLAN-AKM-Suite = 1027073
(83541) Framed-MTU = 1400
(83541) EAP-Message = 0x02c700251900170303001a0000000000000003331ad865b28d977d1e131e3443c76ac7ba97
(83541) State = 0x592274a55ee56dcf5d11088ba56bbac4
(83541) Message-Authenticator = 0x57e05acff1a9e398d34e97b0934830a6
(83541) session-state: No cached attributes
(83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83541) authorize {
(83541) policy filter_username {
(83541) if (&User-Name) {
(83541) if (&User-Name) -> TRUE
(83541) if (&User-Name) {
(83541) if (&User-Name != "%{tolower:%{User-Name}}") {
(83541) EXPAND %{tolower:%{User-Name}}
(83541) --> host/n65144.mpdft.gov.br
(83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83541) if (&User-Name =~ / /) {
(83541) if (&User-Name =~ / /) -> FALSE
(83541) if (&User-Name =~ /@[^@]*@/ ) {
(83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83541) if (&User-Name =~ /\.\./ ) {
(83541) if (&User-Name =~ /\.\./ ) -> FALSE
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83541) if (&User-Name =~ /\.$/) {
(83541) if (&User-Name =~ /\.$/) -> FALSE
(83541) if (&User-Name =~ /@\./) {
(83541) if (&User-Name =~ /@\./) -> FALSE
(83541) } # if (&User-Name) = notfound
(83541) } # policy filter_username = notfound
(83541) [preprocess] = ok
(83541) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83541) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: EXPAND %t
(83541) auth_log: --> Tue Jun 23 13:47:25 2020
(83541) [auth_log] = ok
(83541) [chap] = noop
(83541) [mschap] = noop
(83541) [digest] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541) [suffix] = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 37
(83541) eap: Continuing tunnel setup
(83541) [eap] = ok
(83541) } # authorize = ok
(83541) Found Auth-Type = eap
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541) authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x592274a55ee56dcf
(83541) eap: Previous EAP request found for state 0x592274a55ee56dcf, released from the list
(83541) eap: Peer sent packet with method EAP PEAP (25)
(83541) eap: Calling submodule eap_peap to process data
(83541) eap_peap: Continuing EAP-TLS
(83541) eap_peap: [eaptls verify] = ok
(83541) eap_peap: Done initial handshake
(83541) eap_peap: [eaptls process] = ok
(83541) eap_peap: Session established. Decoding tunneled attributes
(83541) eap_peap: PEAP state phase2
(83541) eap_peap: EAP method MSCHAPv2 (26)
(83541) eap_peap: Got tunneled request
(83541) eap_peap: EAP-Message = 0x02c700061a03
(83541) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83541) eap_peap: Sending tunneled request to inner-tunnel
(83541) eap_peap: EAP-Message = 0x02c700061a03
(83541) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: State = 0x3abf883e3b78928a4508626b4c893c09
(83541) Virtual server inner-tunnel received request
(83541) EAP-Message = 0x02c700061a03
(83541) FreeRADIUS-Proxied-To = 127.0.0.1
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) State = 0x3abf883e3b78928a4508626b4c893c09
(83541) WARNING: Outer and inner identities are the same. User privacy is compromised.
(83541) server inner-tunnel {
(83541) session-state: No cached attributes
(83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) authorize {
(83541) policy filter_username {
(83541) if (&User-Name) {
(83541) if (&User-Name) -> TRUE
(83541) if (&User-Name) {
(83541) if (&User-Name != "%{tolower:%{User-Name}}") {
(83541) EXPAND %{tolower:%{User-Name}}
(83541) --> host/n65144.mpdft.gov.br
(83541) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83541) if (&User-Name =~ / /) {
(83541) if (&User-Name =~ / /) -> FALSE
(83541) if (&User-Name =~ /@[^@]*@/ ) {
(83541) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83541) if (&User-Name =~ /\.\./ ) {
(83541) if (&User-Name =~ /\.\./ ) -> FALSE
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83541) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83541) if (&User-Name =~ /\.$/) {
(83541) if (&User-Name =~ /\.$/) -> FALSE
(83541) if (&User-Name =~ /@\./) {
(83541) if (&User-Name =~ /@\./) -> FALSE
(83541) } # if (&User-Name) = notfound
(83541) } # policy filter_username = notfound
(83541) [chap] = noop
(83541) [mschap] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541) [suffix] = noop
(83541) update control {
(83541) &Proxy-To-Realm := LOCAL
(83541) } # update control = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 6
(83541) eap: No EAP Start, assuming it's an on-going EAP conversation
(83541) [eap] = updated
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) [files] = noop
(83541) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83541) sql: --> host/n65144.mpdft.gov.br
(83541) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83541) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83541) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83541) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: User not found in any groups
(83541) [sql] = notfound
(83541) [expiration] = noop
(83541) [logintime] = noop
(83541) [pap] = noop
(83541) } # authorize = updated
(83541) Found Auth-Type = eap
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x3abf883e3b78928a
(83541) eap: Previous EAP request found for state 0x3abf883e3b78928a, released from the list
(83541) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83541) eap: Calling submodule eap_mschapv2 to process data
(83541) eap: Sending EAP Success (code 3) ID 199 length 4
(83541) eap: Freeing handler
(83541) [eap] = ok
(83541) } # authenticate = ok
(83541) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541) post-auth {
(83541) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(83541) reply_log: --> /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: EXPAND %t
(83541) reply_log: --> Tue Jun 23 13:47:25 2020
(83541) [reply_log] = ok
(83541) } # post-auth = ok
(83541) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 via TLS tunnel)
(83541) } # server inner-tunnel
(83541) Virtual server sending reply
(83541) MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) EAP-Message = 0x03c70004
(83541) Message-Authenticator = 0x00000000000000000000000000000000
(83541) User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply code 2
(83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap: EAP-Message = 0x03c70004
(83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply RADIUS code 2
(83541) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap: MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap: MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap: EAP-Message = 0x03c70004
(83541) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap: User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Tunneled authentication was successful
(83541) eap_peap: SUCCESS
(83541) eap: Sending EAP Request (code 1) ID 200 length 46
(83541) eap: EAP session adding &reply:State = 0x592274a551ea6dcf
(83541) [eap] = handled
(83541) } # authenticate = handled
(83541) Using Post-Auth-Type Challenge
(83541) Post-Auth-Type sub-section not found. Ignoring.
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541) Sent Access-Challenge Id 124 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83541) EAP-Message = 0x01c8002e19001703030023fb13cb712244c0706e6e84e2592d8fff1bee7760032145bba442c608ceedd4c750c687
(83541) Message-Authenticator = 0x00000000000000000000000000000000
(83541) State = 0x592274a551ea6dcf5d11088ba56bbac4
(83541) Finished request
(83542) Received Access-Request Id 125 from 10.34.177.220:37268 to 10.34.242.3:1812 length 331
(83542) User-Name = "host/n65144.mpdft.gov.br"
(83542) NAS-IP-Address = 10.34.177.220
(83542) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83542) NAS-Port-Id = "00000001"
(83542) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83542) NAS-Port-Type = Wireless-802.11
(83542) Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83542) Service-Type = Framed-User
(83542) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83542) Connect-Info = "CONNECT 0Mbps 802.11b"
(83542) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83542) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83542) WLAN-Pairwise-Cipher = 1027076
(83542) WLAN-Group-Cipher = 1027076
(83542) WLAN-AKM-Suite = 1027073
(83542) Framed-MTU = 1400
(83542) EAP-Message = 0x02c8002e190017030300230000000000000004db3dc05d0228ead2f3ceaf6f5db445f3463c81d6f596111a7e908d
(83542) State = 0x592274a551ea6dcf5d11088ba56bbac4
(83542) Message-Authenticator = 0xb85792e60ceecbb66116afddc05d25c5
(83542) session-state: No cached attributes
(83542) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83542) authorize {
(83542) policy filter_username {
(83542) if (&User-Name) {
(83542) if (&User-Name) -> TRUE
(83542) if (&User-Name) {
(83542) if (&User-Name != "%{tolower:%{User-Name}}") {
(83542) EXPAND %{tolower:%{User-Name}}
(83542) --> host/n65144.mpdft.gov.br
(83542) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(83542) if (&User-Name =~ / /) {
(83542) if (&User-Name =~ / /) -> FALSE
(83542) if (&User-Name =~ /@[^@]*@/ ) {
(83542) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(83542) if (&User-Name =~ /\.\./ ) {
(83542) if (&User-Name =~ /\.\./ ) -> FALSE
(83542) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(83542) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(83542) if (&User-Name =~ /\.$/) {
(83542) if (&User-Name =~ /\.$/) -> FALSE
(83542) if (&User-Name =~ /@\./) {
(83542) if (&User-Name =~ /@\./) -> FALSE
(83542) } # if (&User-Name) = notfound
(83542) } # policy filter_username = notfound
(83542) [preprocess] = ok
(83542) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83542) auth_log: --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: EXPAND %t
(83542) auth_log: --> Tue Jun 23 13:47:25 2020
(83542) [auth_log] = ok
(83542) [chap] = noop
(83542) [mschap] = noop
(83542) [digest] = noop
(83542) suffix: Checking for suffix after "@"
(83542) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83542) suffix: No such realm "NULL"
(83542) [suffix] = noop
(83542) eap: Peer sent EAP Response (code 2) ID 200 length 46
(83542) eap: Continuing tunnel setup
(83542) [eap] = ok
(83542) } # authorize = ok
(83542) Found Auth-Type = eap
(83542) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83542) authenticate {
(83542) eap: Expiring EAP session with state 0x9017180393030136
(83542) eap: Finished EAP session with state 0x592274a551ea6dcf
(83542) eap: Previous EAP request found for state 0x592274a551ea6dcf, released from the list
(83542) eap: Peer sent packet with method EAP PEAP (25)
(83542) eap: Calling submodule eap_peap to process data
(83542) eap_peap: Continuing EAP-TLS
(83542) eap_peap: [eaptls verify] = ok
(83542) eap_peap: Done initial handshake
(83542) eap_peap: [eaptls process] = ok
(83542) eap_peap: Session established. Decoding tunneled attributes
(83542) eap_peap: PEAP state send tlv success
(83542) eap_peap: Received EAP-TLV response
(83542) eap_peap: Success
(83542) eap: Sending EAP Success (code 3) ID 200 length 4
(83542) eap: Freeing handler
(83542) [eap] = ok
(83542) } # authenticate = ok
(83542) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(83542) post-auth {
(83542) update {
(83542) No attributes updated
(83542) } # update = noop
(83542) sql: EXPAND .query
(83542) sql: --> .query
(83542) sql: Using query template 'query'
(83542) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83542) sql: --> host/n65144.mpdft.gov.br
(83542) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83542) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))
(83542) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: SQL query returned: success
(83542) sql: 1 record(s) updated
(83542) [sql] = ok
(83542) [exec] = noop
(83542) policy remove_reply_message_if_eap {
(83542) if (&reply:EAP-Message && &reply:Reply-Message) {
(83542) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(83542) else {
(83542) [noop] = noop
(83542) } # else = noop
(83542) } # policy remove_reply_message_if_eap = noop
(83542) } # post-auth = ok
(83542) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 cli 5C-C9-D3-7C-98-79)
(83542) Sent Access-Accept Id 125 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83542) MS-MPPE-Recv-Key = 0xc67d0eee420d607c416ac6b9c783634d1566c5980653e2416d115bd4d80e7ad0
(83542) MS-MPPE-Send-Key = 0xc2093b112098bd8a87cc2799b7cfbabf4a04e544efac9655d813d5cd83885a26
(83542) EAP-Message = 0x03c80004
(83542) Message-Authenticator = 0x00000000000000000000000000000000
(83542) User-Name = "host/n65144.mpdft.gov.br"
(83542) Finished request
(83565) Received Accounting-Request Id 126 from 10.34.177.220:34685 to 10.34.242.3:1813 length 265
(83565) Acct-Status-Type = Start
(83565) Acct-Authentic = RADIUS
(83565) User-Name = "host/n65144.mpdft.gov.br"
(83565) NAS-IP-Address = 10.34.177.220
(83565) NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83565) NAS-Port-Id = "00000001"
(83565) Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83565) NAS-Port-Type = Wireless-802.11
(83565) Event-Timestamp = "Jun 23 2020 13:47:27 -03"
(83565) Service-Type = Framed-User
(83565) Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83565) Connect-Info = "CONNECT 0Mbps 802.11b"
(83565) Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83565) Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83565) WLAN-Pairwise-Cipher = 1027076
(83565) WLAN-Group-Cipher = 1027076
(83565) WLAN-AKM-Suite = 1027073
(83565) Framed-IP-Address = 172.28.252.122
(83565) Acct-Delay-Time = 0
(83565) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(83565) preacct {
(83565) [preprocess] = ok
(83565) update request {
(83565) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(83565) --> 1592930848
(83565) FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 13:47:28 -03
(83565) } # update request = noop
(83565) policy acct_unique {
(83565) update request {
(83565) Tmp-String-9 := "ai:"
(83565) } # update request = noop
(83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(83565) EXPAND %{hex:&Class}
(83565) -->
(83565) EXPAND ^%{hex:&Tmp-String-9}
(83565) --> ^61693a
(83565) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(83565) else {
(83565) update request {
(83565) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}}
(83565) --> baf7ceacc097faf87151791ad22e16e8
(83565) &Acct-Unique-Session-Id := baf7ceacc097faf87151791ad22e16e8
(83565) } # update request = noop
(83565) } # else = noop
(83565) } # policy acct_unique = noop
(83565) suffix: Checking for suffix after "@"
(83565) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83565) suffix: No such realm "NULL"
(83565) [suffix] = noop
(83565) files: acct_users: Matched entry DEFAULT at line 22
(83565) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(83565) files: --> host/n65144.mpdft.gov.br
(83565) [files] = ok
(83565) } # preacct = ok
(83565) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(83565) accounting {
(83565) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(83565) log_accounting: --> Accounting-Request.Start
(83565) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(83565) log_accounting: --> Tue, 23-06-2020 13:47:27 Connect: [host/n65144.mpdft.gov.br] (did 50-D4-F7-5B-96-CA:MPDFT cli 5C-C9-D3-7C-98-79 port ip 172.28.252.122)
(83565) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(83565) log_accounting: --> /var/log/freeradius/linelog-accounting
(83565) [log_accounting] = ok
(83565) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(83565) sql: --> type.start.query
(83565) sql: Using query template 'query'
(83565) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565) sql: --> host/n65144.mpdft.gov.br
(83565) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(83565) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: SQL query returned: success
(83565) sql: 1 record(s) updated
(83565) [sql] = ok
(83565) if (&request:Acct-Status-Type == start) {
(83565) if (&request:Acct-Status-Type == start) -> TRUE
(83565) if (&request:Acct-Status-Type == start) {
(83565) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565) --> host/n65144.mpdft.gov.br
(83565) SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592930847), AcctUpdateTime = TO_TIMESTAMP(1592930847), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'host/n65144.mpdft.gov.br' AND AcctUniqueId <> 'baf7ceacc097faf87151791ad22e16e8' AND CallingStationId = '5C-C9-D3-7C-98-79' AND AcctStopTime IS NULL
(83565) SQL query affected no rows
(83565) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(83565) -->
(83565) } # if (&request:Acct-Status-Type == start) = ok
(83565) [exec] = noop
(83565) attr_filter.accounting_response: EXPAND %{User-Name}
(83565) attr_filter.accounting_response: --> host/n65144.mpdft.gov.br
(83565) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(83565) [attr_filter.accounting_response] = updated
(83565) } # accounting = updated
(83565) Sent Accounting-Response Id 126 from 10.34.242.3:1813 to 10.34.177.220:34685 length 0
(83565) Finished request
(83565) Cleaning up request packet ID 126 with timestamp +51982
(83533) Cleaning up request packet ID 116 with timestamp +51979
(83534) Cleaning up request packet ID 117 with timestamp +51979
(83535) Cleaning up request packet ID 118 with timestamp +51979
(83536) Cleaning up request packet ID 119 with timestamp +51979
(83537) Cleaning up request packet ID 120 with timestamp +51979
(83538) Cleaning up request packet ID 121 with timestamp +51979
(83539) Cleaning up request packet ID 122 with timestamp +51979
(83540) Cleaning up request packet ID 123 with timestamp +51979
(83541) Cleaning up request packet ID 124 with timestamp +51979
(83542) Cleaning up request packet ID 125 with timestamp +51979