RES: RES: How does CUI works? How does anonymous works? Im lost
Daniel Guimaraes Pena
daniel.pena at mpdft.mp.br
Wed Jun 24 22:02:22 CEST 2020
I've been running the server and analyzing the debug log for a while now...
This worked (for 99,9%):
> Does it have to be like this?
>> update outer.session-state {
>> User-Name := &request:User-Name
>> }
So I don’t need to block via filter.
Talking to a user, I discovered how these outer users appear: by configuring Android's anonymous identity, which the device sends as the outer User-Name (obvious, I know, but I had never tried it).
Well, as I can't force them to leave this field empty, I have to discover why this 0,1% is not working.
Here are two logs: one working and one not working (at the bottom, if needed, are my inner-tunnel and default sites-enabled files)
============== DEBUG FOR WORKING PACKET ============
(757) Received Access-Request Id 251 from 10.34.87.223:58030 to 10.34.242.3:1812 length 260
(757) User-Name = "321457"
(757) NAS-IP-Address = 10.34.87.223
(757) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(757) NAS-Port-Id = "00000001"
(757) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(757) NAS-Port-Type = Wireless-802.11
(757) Event-Timestamp = "Jun 24 2020 14:21:10 -03"
(757) Service-Type = Framed-User
(757) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(757) Connect-Info = "CONNECT 0Mbps 802.11b"
(757) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(757) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(757) WLAN-Pairwise-Cipher = 1027076
(757) WLAN-Group-Cipher = 1027076
(757) WLAN-AKM-Suite = 1027073
(757) Framed-MTU = 1400
(757) EAP-Message = 0x0243000b01333231343537
(757) Message-Authenticator = 0x5b97d8214a2888c145bf0fefcc4e78d1
(757) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(757) authorize {
(757) policy filter_username {
(757) if (&User-Name) {
(757) if (&User-Name) -> TRUE
(757) if (&User-Name) {
(757) if (&User-Name != "%{tolower:%{User-Name}}") {
(757) EXPAND %{tolower:%{User-Name}}
(757) --> 321457
(757) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(757) if (&User-Name =~ /\// ) {
(757) if (&User-Name =~ /\// ) -> FALSE
(757) if (&User-Name =~ / /) {
(757) if (&User-Name =~ / /) -> FALSE
(757) if (&User-Name =~ /@[^@]*@/ ) {
(757) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(757) if (&User-Name =~ /\.\./ ) {
(757) if (&User-Name =~ /\.\./ ) -> FALSE
(757) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(757) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(757) if (&User-Name =~ /\.$/) {
(757) if (&User-Name =~ /\.$/) -> FALSE
(757) if (&User-Name =~ /@\./) {
(757) if (&User-Name =~ /@\./) -> FALSE
(757) } # if (&User-Name) = notfound
(757) } # policy filter_username = notfound
(757) policy split_username_nai {
(757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(757) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(757) update request {
(757) EXPAND %{1}
(757) --> 321457
(757) &Stripped-User-Name := 321457
(757) EXPAND %{3}
(757) -->
(757) &Stripped-User-Domain =
(757) } # update request = noop
(757) [updated] = updated
(757) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(757) ... skipping else: Preceding "if" was taken
(757) } # policy split_username_nai = updated
(757) [preprocess] = ok
(757) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(757) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(757) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(757) auth_log: EXPAND %t
(757) auth_log: --> Wed Jun 24 14:21:12 2020
(757) [auth_log] = ok
(757) [chap] = noop
(757) [mschap] = noop
(757) [digest] = noop
(757) suffix: Checking for suffix after "@"
(757) suffix: No '@' in User-Name = "321457", looking up realm NULL
(757) suffix: No such realm "NULL"
(757) [suffix] = noop
(757) eap: Peer sent EAP Response (code 2) ID 67 length 11
(757) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(757) [eap] = ok
(757) } # authorize = ok
(757) Found Auth-Type = eap
(757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(757) authenticate {
(757) eap: Peer sent packet with method EAP Identity (1)
(757) eap: Calling submodule eap_md5 to process data
(757) eap_md5: Issuing MD5 Challenge
(757) eap: Sending EAP Request (code 1) ID 68 length 22
(757) eap: EAP session adding &reply:State = 0xa44f7f64a40b7b04
(757) [eap] = handled
(757) } # authenticate = handled
(757) Using Post-Auth-Type Challenge
(757) Post-Auth-Type sub-section not found. Ignoring.
(757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(757) Sent Access-Challenge Id 251 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(757) EAP-Message = 0x0144001604107b9dac6052ee6e19390d5bcefa2b7bfd
(757) Message-Authenticator = 0x00000000000000000000000000000000
(757) State = 0xa44f7f64a40b7b04dd9f2a05e7c26035
(757) Finished request
(760) Received Access-Request Id 252 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(760) User-Name = "321457"
(760) NAS-IP-Address = 10.34.87.223
(760) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(760) NAS-Port-Id = "00000001"
(760) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(760) NAS-Port-Type = Wireless-802.11
(760) Event-Timestamp = "Jun 24 2020 14:21:10 -03"
(760) Service-Type = Framed-User
(760) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(760) Connect-Info = "CONNECT 0Mbps 802.11b"
(760) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(760) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(760) WLAN-Pairwise-Cipher = 1027076
(760) WLAN-Group-Cipher = 1027076
(760) WLAN-AKM-Suite = 1027073
(760) Framed-MTU = 1400
(760) EAP-Message = 0x024400060319
(760) State = 0xa44f7f64a40b7b04dd9f2a05e7c26035
(760) Message-Authenticator = 0xc5f7d82f6510961bc609c44849336443
(760) session-state: No cached attributes
(760) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(760) authorize {
(760) policy filter_username {
(760) if (&User-Name) {
(760) if (&User-Name) -> TRUE
(760) if (&User-Name) {
(760) if (&User-Name != "%{tolower:%{User-Name}}") {
(760) EXPAND %{tolower:%{User-Name}}
(760) --> 321457
(760) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(760) if (&User-Name =~ /\// ) {
(760) if (&User-Name =~ /\// ) -> FALSE
(760) if (&User-Name =~ / /) {
(760) if (&User-Name =~ / /) -> FALSE
(760) if (&User-Name =~ /@[^@]*@/ ) {
(760) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(760) if (&User-Name =~ /\.\./ ) {
(760) if (&User-Name =~ /\.\./ ) -> FALSE
(760) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(760) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(760) if (&User-Name =~ /\.$/) {
(760) if (&User-Name =~ /\.$/) -> FALSE
(760) if (&User-Name =~ /@\./) {
(760) if (&User-Name =~ /@\./) -> FALSE
(760) } # if (&User-Name) = notfound
(760) } # policy filter_username = notfound
(760) policy split_username_nai {
(760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(760) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(760) update request {
(760) EXPAND %{1}
(760) --> 321457
(760) &Stripped-User-Name := 321457
(760) EXPAND %{3}
(760) -->
(760) &Stripped-User-Domain =
(760) } # update request = noop
(760) [updated] = updated
(760) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(760) ... skipping else: Preceding "if" was taken
(760) } # policy split_username_nai = updated
(760) [preprocess] = ok
(760) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(760) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(760) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(760) auth_log: EXPAND %t
(760) auth_log: --> Wed Jun 24 14:21:13 2020
(760) [auth_log] = ok
(760) [chap] = noop
(760) [mschap] = noop
(760) [digest] = noop
(760) suffix: Checking for suffix after "@"
(760) suffix: No '@' in User-Name = "321457", looking up realm NULL
(760) suffix: No such realm "NULL"
(760) [suffix] = noop
(760) eap: Peer sent EAP Response (code 2) ID 68 length 6
(760) eap: No EAP Start, assuming it's an on-going EAP conversation
(760) [eap] = updated
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) [files] = noop
(760) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(760) sql: --> 321457
(760) sql: SQL-User-Name set to '321457'
(760) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(760) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id
(760) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id
(760) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(760) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority
(760) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority
(760) sql: User not found in any groups
(760) [sql] = notfound
(760) [expiration] = noop
(760) [logintime] = noop
(760) if (ok) {
(760) if (ok) -> FALSE
(760) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(760) pap: WARNING: Authentication will fail unless a "known good" password is available
(760) [pap] = noop
(760) } # authorize = updated
(760) Found Auth-Type = eap
(760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(760) authenticate {
(760) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(760) eap: Finished EAP session with state 0xa44f7f64a40b7b04
(760) eap: Previous EAP request found for state 0xa44f7f64a40b7b04, released from the list
(760) eap: Peer sent packet with method EAP NAK (3)
(760) eap: Found mutually acceptable type PEAP (25)
(760) eap: Calling submodule eap_peap to process data
(760) eap_peap: Initiating new EAP-TLS session
(760) eap_peap: [eaptls start] = request
(760) eap: Sending EAP Request (code 1) ID 69 length 6
(760) eap: EAP session adding &reply:State = 0xa44f7f64a50a6604
(760) [eap] = handled
(760) } # authenticate = handled
(760) Using Post-Auth-Type Challenge
(760) Post-Auth-Type sub-section not found. Ignoring.
(760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(760) Sent Access-Challenge Id 252 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(760) EAP-Message = 0x014500061920
(760) Message-Authenticator = 0x00000000000000000000000000000000
(760) State = 0xa44f7f64a50a6604dd9f2a05e7c26035
(760) Finished request
(763) Received Access-Request Id 253 from 10.34.87.223:58030 to 10.34.242.3:1812 length 438
(763) User-Name = "321457"
(763) NAS-IP-Address = 10.34.87.223
(763) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(763) NAS-Port-Id = "00000001"
(763) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(763) NAS-Port-Type = Wireless-802.11
(763) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(763) Service-Type = Framed-User
(763) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(763) Connect-Info = "CONNECT 0Mbps 802.11b"
(763) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(763) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(763) WLAN-Pairwise-Cipher = 1027076
(763) WLAN-Group-Cipher = 1027076
(763) WLAN-AKM-Suite = 1027073
(763) Framed-MTU = 1400
(763) EAP-Message = 0x024500ab1980000000a1160301009c01000098030381b72e1f7d9acc726933c5b2658331ef8cc8806b275a6f9d6b23f15fe385d85400003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000
(763) State = 0xa44f7f64a50a6604dd9f2a05e7c26035
(763) Message-Authenticator = 0xc101a5cabfd2b6dc7fd2863e25399ace
(763) session-state: No cached attributes
(763) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(763) authorize {
(763) policy filter_username {
(763) if (&User-Name) {
(763) if (&User-Name) -> TRUE
(763) if (&User-Name) {
(763) if (&User-Name != "%{tolower:%{User-Name}}") {
(763) EXPAND %{tolower:%{User-Name}}
(763) --> 321457
(763) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(763) if (&User-Name =~ /\// ) {
(763) if (&User-Name =~ /\// ) -> FALSE
(763) if (&User-Name =~ / /) {
(763) if (&User-Name =~ / /) -> FALSE
(763) if (&User-Name =~ /@[^@]*@/ ) {
(763) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(763) if (&User-Name =~ /\.\./ ) {
(763) if (&User-Name =~ /\.\./ ) -> FALSE
(763) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(763) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(763) if (&User-Name =~ /\.$/) {
(763) if (&User-Name =~ /\.$/) -> FALSE
(763) if (&User-Name =~ /@\./) {
(763) if (&User-Name =~ /@\./) -> FALSE
(763) } # if (&User-Name) = notfound
(763) } # policy filter_username = notfound
(763) policy split_username_nai {
(763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(763) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(763) update request {
(763) EXPAND %{1}
(763) --> 321457
(763) &Stripped-User-Name := 321457
(763) EXPAND %{3}
(763) -->
(763) &Stripped-User-Domain =
(763) } # update request = noop
(763) [updated] = updated
(763) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(763) ... skipping else: Preceding "if" was taken
(763) } # policy split_username_nai = updated
(763) [preprocess] = ok
(763) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(763) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(763) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(763) auth_log: EXPAND %t
(763) auth_log: --> Wed Jun 24 14:21:13 2020
(763) [auth_log] = ok
(763) [chap] = noop
(763) [mschap] = noop
(763) [digest] = noop
(763) suffix: Checking for suffix after "@"
(763) suffix: No '@' in User-Name = "321457", looking up realm NULL
(763) suffix: No such realm "NULL"
(763) [suffix] = noop
(763) eap: Peer sent EAP Response (code 2) ID 69 length 171
(763) eap: Continuing tunnel setup
(763) [eap] = ok
(763) } # authorize = ok
(763) Found Auth-Type = eap
(763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(763) authenticate {
(763) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(763) eap: Finished EAP session with state 0xa44f7f64a50a6604
(763) eap: Previous EAP request found for state 0xa44f7f64a50a6604, released from the list
(763) eap: Peer sent packet with method EAP PEAP (25)
(763) eap: Calling submodule eap_peap to process data
(763) eap_peap: Continuing EAP-TLS
(763) eap_peap: Peer indicated complete TLS record size will be 161 bytes
(763) eap_peap: Got complete TLS record (161 bytes)
(763) eap_peap: [eaptls verify] = length included
(763) eap_peap: (other): before SSL initialization
(763) eap_peap: TLS_accept: before SSL initialization
(763) eap_peap: TLS_accept: before SSL initialization
(763) eap_peap: <<< recv TLS 1.2 [length 009c]
(763) eap_peap: TLS_accept: SSLv3/TLS read client hello
(763) eap_peap: >>> send TLS 1.2 [length 003d]
(763) eap_peap: TLS_accept: SSLv3/TLS write server hello
(763) eap_peap: >>> send TLS 1.2 [length 0309]
(763) eap_peap: TLS_accept: SSLv3/TLS write certificate
(763) eap_peap: >>> send TLS 1.2 [length 014d]
(763) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(763) eap_peap: >>> send TLS 1.2 [length 0004]
(763) eap_peap: TLS_accept: SSLv3/TLS write server done
(763) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(763) eap_peap: In SSL Handshake Phase
(763) eap_peap: In SSL Accept mode
(763) eap_peap: [eaptls process] = handled
(763) eap: Sending EAP Request (code 1) ID 70 length 1004
(763) eap: EAP session adding &reply:State = 0xa44f7f64a6096604
(763) [eap] = handled
(763) } # authenticate = handled
(763) Using Post-Auth-Type Challenge
(763) Post-Auth-Type sub-section not found. Ignoring.
(763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(763) Sent Access-Challenge Id 253 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(763) EAP-Message = 0x014603ec19c0000004ab160303003d0200003903031421541e93d31add097acc5d5c4b54d61a77aadc4239976b7410b514c7153cdb00c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(763) Message-Authenticator = 0x00000000000000000000000000000000
(763) State = 0xa44f7f64a6096604dd9f2a05e7c26035
(763) Finished request
(764) Received Access-Request Id 254 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(764) User-Name = "321457"
(764) NAS-IP-Address = 10.34.87.223
(764) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(764) NAS-Port-Id = "00000001"
(764) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(764) NAS-Port-Type = Wireless-802.11
(764) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(764) Service-Type = Framed-User
(764) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(764) Connect-Info = "CONNECT 0Mbps 802.11b"
(764) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(764) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(764) WLAN-Pairwise-Cipher = 1027076
(764) WLAN-Group-Cipher = 1027076
(764) WLAN-AKM-Suite = 1027073
(764) Framed-MTU = 1400
(764) EAP-Message = 0x024600061900
(764) State = 0xa44f7f64a6096604dd9f2a05e7c26035
(764) Message-Authenticator = 0x8e9c53dd077cd7d0230acfb260c8aed6
(764) session-state: No cached attributes
(764) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(764) authorize {
(764) policy filter_username {
(764) if (&User-Name) {
(764) if (&User-Name) -> TRUE
(764) if (&User-Name) {
(764) if (&User-Name != "%{tolower:%{User-Name}}") {
(764) EXPAND %{tolower:%{User-Name}}
(764) --> 321457
(764) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(764) if (&User-Name =~ /\// ) {
(764) if (&User-Name =~ /\// ) -> FALSE
(764) if (&User-Name =~ / /) {
(764) if (&User-Name =~ / /) -> FALSE
(764) if (&User-Name =~ /@[^@]*@/ ) {
(764) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(764) if (&User-Name =~ /\.\./ ) {
(764) if (&User-Name =~ /\.\./ ) -> FALSE
(764) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(764) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(764) if (&User-Name =~ /\.$/) {
(764) if (&User-Name =~ /\.$/) -> FALSE
(764) if (&User-Name =~ /@\./) {
(764) if (&User-Name =~ /@\./) -> FALSE
(764) } # if (&User-Name) = notfound
(764) } # policy filter_username = notfound
(764) policy split_username_nai {
(764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(764) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(764) update request {
(764) EXPAND %{1}
(764) --> 321457
(764) &Stripped-User-Name := 321457
(764) EXPAND %{3}
(764) -->
(764) &Stripped-User-Domain =
(764) } # update request = noop
(764) [updated] = updated
(764) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(764) ... skipping else: Preceding "if" was taken
(764) } # policy split_username_nai = updated
(764) [preprocess] = ok
(764) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(764) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(764) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(764) auth_log: EXPAND %t
(764) auth_log: --> Wed Jun 24 14:21:13 2020
(764) [auth_log] = ok
(764) [chap] = noop
(764) [mschap] = noop
(764) [digest] = noop
(764) suffix: Checking for suffix after "@"
(764) suffix: No '@' in User-Name = "321457", looking up realm NULL
(764) suffix: No such realm "NULL"
(764) [suffix] = noop
(764) eap: Peer sent EAP Response (code 2) ID 70 length 6
(764) eap: Continuing tunnel setup
(764) [eap] = ok
(764) } # authorize = ok
(764) Found Auth-Type = eap
(764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(764) authenticate {
(764) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(764) eap: Finished EAP session with state 0xa44f7f64a6096604
(764) eap: Previous EAP request found for state 0xa44f7f64a6096604, released from the list
(764) eap: Peer sent packet with method EAP PEAP (25)
(764) eap: Calling submodule eap_peap to process data
(764) eap_peap: Continuing EAP-TLS
(764) eap_peap: Peer ACKed our handshake fragment
(764) eap_peap: [eaptls verify] = request
(764) eap_peap: [eaptls process] = handled
(764) eap: Sending EAP Request (code 1) ID 71 length 207
(764) eap: EAP session adding &reply:State = 0xa44f7f64a7086604
(764) [eap] = handled
(764) } # authenticate = handled
(764) Using Post-Auth-Type Challenge
(764) Post-Auth-Type sub-section not found. Ignoring.
(764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(764) Sent Access-Challenge Id 254 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(764) EAP-Message = 0x014700cf1900e61bd97b1dc7439c95566d9ae87f362b9195be7adc3f77b668a41bed7f9dd833ba6250b3cd63779058702bc59c08b96f2628c0762cd1014094155e90b96601fa2b38b786eb4c5783ac98bb79901a11cf2c84319de6937e6fde7385cdd97d4fec1f6035d8a61bf158ce7f8fa1f4c9356473
(764) Message-Authenticator = 0x00000000000000000000000000000000
(764) State = 0xa44f7f64a7086604dd9f2a05e7c26035
(764) Finished request
(765) Received Access-Request Id 255 from 10.34.87.223:58030 to 10.34.242.3:1812 length 403
(765) User-Name = "321457"
(765) NAS-IP-Address = 10.34.87.223
(765) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(765) NAS-Port-Id = "00000001"
(765) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(765) NAS-Port-Type = Wireless-802.11
(765) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(765) Service-Type = Framed-User
(765) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(765) Connect-Info = "CONNECT 0Mbps 802.11b"
(765) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(765) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(765) WLAN-Pairwise-Cipher = 1027076
(765) WLAN-Group-Cipher = 1027076
(765) WLAN-AKM-Suite = 1027073
(765) Framed-MTU = 1400
(765) EAP-Message = 0x0247008819800000007e16030300461000004241040108ad053cb70377bd49ebd354b63037f761b15e1ab5440b5585714f3229f0bc82b38369a49acea7dce100805920db3e47dabfc2d08bffca2c25dbe63625dca51403030001011603030028000000000000000075b1ccb921c95a58aa06c792ed58f4
(765) State = 0xa44f7f64a7086604dd9f2a05e7c26035
(765) Message-Authenticator = 0x8ba6a03d424e4961b4bd0fadf8e7e500
(765) session-state: No cached attributes
(765) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(765) authorize {
(765) policy filter_username {
(765) if (&User-Name) {
(765) if (&User-Name) -> TRUE
(765) if (&User-Name) {
(765) if (&User-Name != "%{tolower:%{User-Name}}") {
(765) EXPAND %{tolower:%{User-Name}}
(765) --> 321457
(765) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(765) if (&User-Name =~ /\// ) {
(765) if (&User-Name =~ /\// ) -> FALSE
(765) if (&User-Name =~ / /) {
(765) if (&User-Name =~ / /) -> FALSE
(765) if (&User-Name =~ /@[^@]*@/ ) {
(765) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(765) if (&User-Name =~ /\.\./ ) {
(765) if (&User-Name =~ /\.\./ ) -> FALSE
(765) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(765) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(765) if (&User-Name =~ /\.$/) {
(765) if (&User-Name =~ /\.$/) -> FALSE
(765) if (&User-Name =~ /@\./) {
(765) if (&User-Name =~ /@\./) -> FALSE
(765) } # if (&User-Name) = notfound
(765) } # policy filter_username = notfound
(765) policy split_username_nai {
(765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(765) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(765) update request {
(765) EXPAND %{1}
(765) --> 321457
(765) &Stripped-User-Name := 321457
(765) EXPAND %{3}
(765) -->
(765) &Stripped-User-Domain =
(765) } # update request = noop
(765) [updated] = updated
(765) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(765) ... skipping else: Preceding "if" was taken
(765) } # policy split_username_nai = updated
(765) [preprocess] = ok
(765) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(765) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(765) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(765) auth_log: EXPAND %t
(765) auth_log: --> Wed Jun 24 14:21:13 2020
(765) [auth_log] = ok
(765) [chap] = noop
(765) [mschap] = noop
(765) [digest] = noop
(765) suffix: Checking for suffix after "@"
(765) suffix: No '@' in User-Name = "321457", looking up realm NULL
(765) suffix: No such realm "NULL"
(765) [suffix] = noop
(765) eap: Peer sent EAP Response (code 2) ID 71 length 136
(765) eap: Continuing tunnel setup
(765) [eap] = ok
(765) } # authorize = ok
(765) Found Auth-Type = eap
(765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(765) authenticate {
(765) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(765) eap: Finished EAP session with state 0xa44f7f64a7086604
(765) eap: Previous EAP request found for state 0xa44f7f64a7086604, released from the list
(765) eap: Peer sent packet with method EAP PEAP (25)
(765) eap: Calling submodule eap_peap to process data
(765) eap_peap: Continuing EAP-TLS
(765) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(765) eap_peap: Got complete TLS record (126 bytes)
(765) eap_peap: [eaptls verify] = length included
(765) eap_peap: TLS_accept: SSLv3/TLS write server done
(765) eap_peap: <<< recv TLS 1.2 [length 0046]
(765) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(765) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(765) eap_peap: <<< recv TLS 1.2 [length 0010]
(765) eap_peap: TLS_accept: SSLv3/TLS read finished
(765) eap_peap: >>> send TLS 1.2 [length 0001]
(765) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(765) eap_peap: >>> send TLS 1.2 [length 0010]
(765) eap_peap: TLS_accept: SSLv3/TLS write finished
(765) eap_peap: (other): SSL negotiation finished successfully
(765) eap_peap: SSL Connection Established
(765) eap_peap: [eaptls process] = handled
(765) eap: Sending EAP Request (code 1) ID 72 length 57
(765) eap: EAP session adding &reply:State = 0xa44f7f64a0076604
(765) [eap] = handled
(765) } # authenticate = handled
(765) Using Post-Auth-Type Challenge
(765) Post-Auth-Type sub-section not found. Ignoring.
(765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(765) Sent Access-Challenge Id 255 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(765) EAP-Message = 0x0148003919001403030001011603030028a3eb5bde72e8f757a60ca8a9b6b7f7ba318970644cc8cf9cedfe251fd9659666083fe867938067b1
(765) Message-Authenticator = 0x00000000000000000000000000000000
(765) State = 0xa44f7f64a0076604dd9f2a05e7c26035
(765) Finished request
(766) Received Access-Request Id 0 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(766) User-Name = "321457"
(766) NAS-IP-Address = 10.34.87.223
(766) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(766) NAS-Port-Id = "00000001"
(766) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(766) NAS-Port-Type = Wireless-802.11
(766) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(766) Service-Type = Framed-User
(766) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(766) Connect-Info = "CONNECT 0Mbps 802.11b"
(766) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(766) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(766) WLAN-Pairwise-Cipher = 1027076
(766) WLAN-Group-Cipher = 1027076
(766) WLAN-AKM-Suite = 1027073
(766) Framed-MTU = 1400
(766) EAP-Message = 0x024800061900
(766) State = 0xa44f7f64a0076604dd9f2a05e7c26035
(766) Message-Authenticator = 0x34618cd7843285417f2bf22c018e9956
(766) session-state: No cached attributes
(766) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(766) authorize {
(766) policy filter_username {
(766) if (&User-Name) {
(766) if (&User-Name) -> TRUE
(766) if (&User-Name) {
(766) if (&User-Name != "%{tolower:%{User-Name}}") {
(766) EXPAND %{tolower:%{User-Name}}
(766) --> 321457
(766) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(766) if (&User-Name =~ /\// ) {
(766) if (&User-Name =~ /\// ) -> FALSE
(766) if (&User-Name =~ / /) {
(766) if (&User-Name =~ / /) -> FALSE
(766) if (&User-Name =~ /@[^@]*@/ ) {
(766) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(766) if (&User-Name =~ /\.\./ ) {
(766) if (&User-Name =~ /\.\./ ) -> FALSE
(766) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(766) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(766) if (&User-Name =~ /\.$/) {
(766) if (&User-Name =~ /\.$/) -> FALSE
(766) if (&User-Name =~ /@\./) {
(766) if (&User-Name =~ /@\./) -> FALSE
(766) } # if (&User-Name) = notfound
(766) } # policy filter_username = notfound
(766) policy split_username_nai {
(766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(766) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(766) update request {
(766) EXPAND %{1}
(766) --> 321457
(766) &Stripped-User-Name := 321457
(766) EXPAND %{3}
(766) -->
(766) &Stripped-User-Domain =
(766) } # update request = noop
(766) [updated] = updated
(766) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(766) ... skipping else: Preceding "if" was taken
(766) } # policy split_username_nai = updated
(766) [preprocess] = ok
(766) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(766) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(766) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(766) auth_log: EXPAND %t
(766) auth_log: --> Wed Jun 24 14:21:13 2020
(766) [auth_log] = ok
(766) [chap] = noop
(766) [mschap] = noop
(766) [digest] = noop
(766) suffix: Checking for suffix after "@"
(766) suffix: No '@' in User-Name = "321457", looking up realm NULL
(766) suffix: No such realm "NULL"
(766) [suffix] = noop
(766) eap: Peer sent EAP Response (code 2) ID 72 length 6
(766) eap: Continuing tunnel setup
(766) [eap] = ok
(766) } # authorize = ok
(766) Found Auth-Type = eap
(766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(766) authenticate {
(766) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(766) eap: Finished EAP session with state 0xa44f7f64a0076604
(766) eap: Previous EAP request found for state 0xa44f7f64a0076604, released from the list
(766) eap: Peer sent packet with method EAP PEAP (25)
(766) eap: Calling submodule eap_peap to process data
(766) eap_peap: Continuing EAP-TLS
(766) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(766) eap_peap: [eaptls verify] = success
(766) eap_peap: [eaptls process] = success
(766) eap_peap: Session established. Decoding tunneled attributes
(766) eap_peap: PEAP state TUNNEL ESTABLISHED
(766) eap: Sending EAP Request (code 1) ID 73 length 40
(766) eap: EAP session adding &reply:State = 0xa44f7f64a1066604
(766) [eap] = handled
(766) } # authenticate = handled
(766) Using Post-Auth-Type Challenge
(766) Post-Auth-Type sub-section not found. Ignoring.
(766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(766) Sent Access-Challenge Id 0 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(766) EAP-Message = 0x014900281900170303001da3eb5bde72e8f7589f7933f043a7f8fd1d94a80bca8a3e4b7ca1a17bc4
(766) Message-Authenticator = 0x00000000000000000000000000000000
(766) State = 0xa44f7f64a1066604dd9f2a05e7c26035
(766) Finished request
(769) Received Access-Request Id 1 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313
(769) User-Name = "321457"
(769) NAS-IP-Address = 10.34.87.223
(769) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(769) NAS-Port-Id = "00000001"
(769) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(769) NAS-Port-Type = Wireless-802.11
(769) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(769) Service-Type = Framed-User
(769) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(769) Connect-Info = "CONNECT 0Mbps 802.11b"
(769) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(769) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(769) WLAN-Pairwise-Cipher = 1027076
(769) WLAN-Group-Cipher = 1027076
(769) WLAN-AKM-Suite = 1027073
(769) Framed-MTU = 1400
(769) EAP-Message = 0x0249002e1900170303002300000000000000015379bd5554b89258e3f28428fd044c453ae83a5bb03868943f5ae8
(769) State = 0xa44f7f64a1066604dd9f2a05e7c26035
(769) Message-Authenticator = 0x42020da0a72aa257ddd03a35e6524652
(769) session-state: No cached attributes
(769) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(769) authorize {
(769) policy filter_username {
(769) if (&User-Name) {
(769) if (&User-Name) -> TRUE
(769) if (&User-Name) {
(769) if (&User-Name != "%{tolower:%{User-Name}}") {
(769) EXPAND %{tolower:%{User-Name}}
(769) --> 321457
(769) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(769) if (&User-Name =~ /\// ) {
(769) if (&User-Name =~ /\// ) -> FALSE
(769) if (&User-Name =~ / /) {
(769) if (&User-Name =~ / /) -> FALSE
(769) if (&User-Name =~ /@[^@]*@/ ) {
(769) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(769) if (&User-Name =~ /\.\./ ) {
(769) if (&User-Name =~ /\.\./ ) -> FALSE
(769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(769) if (&User-Name =~ /\.$/) {
(769) if (&User-Name =~ /\.$/) -> FALSE
(769) if (&User-Name =~ /@\./) {
(769) if (&User-Name =~ /@\./) -> FALSE
(769) } # if (&User-Name) = notfound
(769) } # policy filter_username = notfound
(769) policy split_username_nai {
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769) update request {
(769) EXPAND %{1}
(769) --> 321457
(769) &Stripped-User-Name := 321457
(769) EXPAND %{3}
(769) -->
(769) &Stripped-User-Domain =
(769) } # update request = noop
(769) [updated] = updated
(769) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(769) ... skipping else: Preceding "if" was taken
(769) } # policy split_username_nai = updated
(769) [preprocess] = ok
(769) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(769) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(769) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(769) auth_log: EXPAND %t
(769) auth_log: --> Wed Jun 24 14:21:13 2020
(769) [auth_log] = ok
(769) [chap] = noop
(769) [mschap] = noop
(769) [digest] = noop
(769) suffix: Checking for suffix after "@"
(769) suffix: No '@' in User-Name = "321457", looking up realm NULL
(769) suffix: No such realm "NULL"
(769) [suffix] = noop
(769) eap: Peer sent EAP Response (code 2) ID 73 length 46
(769) eap: Continuing tunnel setup
(769) [eap] = ok
(769) } # authorize = ok
(769) Found Auth-Type = eap
(769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(769) authenticate {
(769) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(769) eap: Finished EAP session with state 0xa44f7f64a1066604
(769) eap: Previous EAP request found for state 0xa44f7f64a1066604, released from the list
(769) eap: Peer sent packet with method EAP PEAP (25)
(769) eap: Calling submodule eap_peap to process data
(769) eap_peap: Continuing EAP-TLS
(769) eap_peap: [eaptls verify] = ok
(769) eap_peap: Done initial handshake
(769) eap_peap: [eaptls process] = ok
(769) eap_peap: Session established. Decoding tunneled attributes
(769) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(769) eap_peap: Identity - joao.bosco
(769) eap_peap: Got inner identity 'joao.bosco'
(769) eap_peap: Setting default EAP type for tunneled EAP session
(769) eap_peap: Got tunneled request
(769) eap_peap: EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769) eap_peap: Setting User-Name to joao.bosco
(769) eap_peap: Sending tunneled request to inner-tunnel
(769) eap_peap: EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(769) eap_peap: User-Name = "joao.bosco"
(769) Virtual server inner-tunnel received request
(769) EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769) FreeRADIUS-Proxied-To = 127.0.0.1
(769) User-Name = "joao.bosco"
(769) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(769) server inner-tunnel {
(769) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(769) authorize {
(769) policy filter_username {
(769) if (&User-Name) {
(769) if (&User-Name) -> TRUE
(769) if (&User-Name) {
(769) if (&User-Name != "%{tolower:%{User-Name}}") {
(769) EXPAND %{tolower:%{User-Name}}
(769) --> joao.bosco
(769) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(769) if (&User-Name =~ /\// ) {
(769) if (&User-Name =~ /\// ) -> FALSE
(769) if (&User-Name =~ / /) {
(769) if (&User-Name =~ / /) -> FALSE
(769) if (&User-Name =~ /@[^@]*@/ ) {
(769) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(769) if (&User-Name =~ /\.\./ ) {
(769) if (&User-Name =~ /\.\./ ) -> FALSE
(769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(769) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(769) if (&User-Name =~ /\.$/) {
(769) if (&User-Name =~ /\.$/) -> FALSE
(769) if (&User-Name =~ /@\./) {
(769) if (&User-Name =~ /@\./) -> FALSE
(769) } # if (&User-Name) = notfound
(769) } # policy filter_username = notfound
(769) policy split_username_nai {
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(769) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769) update request {
(769) EXPAND %{1}
(769) --> joao.bosco
(769) &Stripped-User-Name := joao.bosco
(769) EXPAND %{3}
(769) -->
(769) &Stripped-User-Domain =
(769) } # update request = noop
(769) [updated] = updated
(769) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(769) ... skipping else: Preceding "if" was taken
(769) } # policy split_username_nai = updated
(769) [chap] = noop
(769) [mschap] = noop
(769) suffix: Checking for suffix after "@"
(769) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(769) suffix: No such realm "NULL"
(769) [suffix] = noop
(769) update control {
(769) &Proxy-To-Realm := LOCAL
(769) } # update control = noop
(769) eap: Peer sent EAP Response (code 2) ID 73 length 15
(769) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(769) [eap] = ok
(769) } # authorize = ok
(769) Found Auth-Type = eap
(769) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(769) authenticate {
(769) eap: Peer sent packet with method EAP Identity (1)
(769) eap: Calling submodule eap_mschapv2 to process data
(769) eap_mschapv2: Issuing Challenge
(769) eap: Sending EAP Request (code 1) ID 74 length 43
(769) eap: EAP session adding &reply:State = 0x51d9eef05193f45a
(769) [eap] = handled
(769) } # authenticate = handled
(769) } # server inner-tunnel
(769) Virtual server sending reply
(769) EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769) Message-Authenticator = 0x00000000000000000000000000000000
(769) State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled reply code 11
(769) eap_peap: EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(769) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled reply RADIUS code 11
(769) eap_peap: EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(769) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled Access-Challenge
(769) eap: Sending EAP Request (code 1) ID 74 length 74
(769) eap: EAP session adding &reply:State = 0xa44f7f64a2056604
(769) [eap] = handled
(769) } # authenticate = handled
(769) Using Post-Auth-Type Challenge
(769) Post-Auth-Type sub-section not found. Ignoring.
(769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(769) Sent Access-Challenge Id 1 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(769) EAP-Message = 0x014a004a1900170303003fa3eb5bde72e8f75908b3a5551d4fd734c4be4e09e9211c532244f154694140ee39a2a5221652cfa9ab03c3479ac2e7d73997491148efc814c98268d04423e2
(769) Message-Authenticator = 0x00000000000000000000000000000000
(769) State = 0xa44f7f64a2056604dd9f2a05e7c26035
(769) Finished request
(770) Received Access-Request Id 2 from 10.34.87.223:58030 to 10.34.242.3:1812 length 367
(770) User-Name = "321457"
(770) NAS-IP-Address = 10.34.87.223
(770) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(770) NAS-Port-Id = "00000001"
(770) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(770) NAS-Port-Type = Wireless-802.11
(770) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(770) Service-Type = Framed-User
(770) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(770) Connect-Info = "CONNECT 0Mbps 802.11b"
(770) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(770) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(770) WLAN-Pairwise-Cipher = 1027076
(770) WLAN-Group-Cipher = 1027076
(770) WLAN-AKM-Suite = 1027073
(770) Framed-MTU = 1400
(770) EAP-Message = 0x024a00641900170303005900000000000000029179f847ab4dc2d21f2daf73a3a77edf63beb405acfc69222021171c355883591ce3ae2d5f00b46c89c17d09604e3f7e028edc15852a723a23f6c06096e82ea8b599cf339177286214a3a99b316b259513
(770) State = 0xa44f7f64a2056604dd9f2a05e7c26035
(770) Message-Authenticator = 0x64fa5d7bb2a5e5c26483f9babb52af0e
(770) session-state: No cached attributes
(770) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(770) authorize {
(770) policy filter_username {
(770) if (&User-Name) {
(770) if (&User-Name) -> TRUE
(770) if (&User-Name) {
(770) if (&User-Name != "%{tolower:%{User-Name}}") {
(770) EXPAND %{tolower:%{User-Name}}
(770) --> 321457
(770) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(770) if (&User-Name =~ /\// ) {
(770) if (&User-Name =~ /\// ) -> FALSE
(770) if (&User-Name =~ / /) {
(770) if (&User-Name =~ / /) -> FALSE
(770) if (&User-Name =~ /@[^@]*@/ ) {
(770) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(770) if (&User-Name =~ /\.\./ ) {
(770) if (&User-Name =~ /\.\./ ) -> FALSE
(770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(770) if (&User-Name =~ /\.$/) {
(770) if (&User-Name =~ /\.$/) -> FALSE
(770) if (&User-Name =~ /@\./) {
(770) if (&User-Name =~ /@\./) -> FALSE
(770) } # if (&User-Name) = notfound
(770) } # policy filter_username = notfound
(770) policy split_username_nai {
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770) update request {
(770) EXPAND %{1}
(770) --> 321457
(770) &Stripped-User-Name := 321457
(770) EXPAND %{3}
(770) -->
(770) &Stripped-User-Domain =
(770) } # update request = noop
(770) [updated] = updated
(770) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(770) ... skipping else: Preceding "if" was taken
(770) } # policy split_username_nai = updated
(770) [preprocess] = ok
(770) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(770) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(770) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(770) auth_log: EXPAND %t
(770) auth_log: --> Wed Jun 24 14:21:13 2020
(770) [auth_log] = ok
(770) [chap] = noop
(770) [mschap] = noop
(770) [digest] = noop
(770) suffix: Checking for suffix after "@"
(770) suffix: No '@' in User-Name = "321457", looking up realm NULL
(770) suffix: No such realm "NULL"
(770) [suffix] = noop
(770) eap: Peer sent EAP Response (code 2) ID 74 length 100
(770) eap: Continuing tunnel setup
(770) [eap] = ok
(770) } # authorize = ok
(770) Found Auth-Type = eap
(770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(770) authenticate {
(770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(770) eap: Finished EAP session with state 0xa44f7f64a2056604
(770) eap: Previous EAP request found for state 0xa44f7f64a2056604, released from the list
(770) eap: Peer sent packet with method EAP PEAP (25)
(770) eap: Calling submodule eap_peap to process data
(770) eap_peap: Continuing EAP-TLS
(770) eap_peap: [eaptls verify] = ok
(770) eap_peap: Done initial handshake
(770) eap_peap: [eaptls process] = ok
(770) eap_peap: Session established. Decoding tunneled attributes
(770) eap_peap: PEAP state phase2
(770) eap_peap: EAP method MSCHAPv2 (26)
(770) eap_peap: Got tunneled request
(770) eap_peap: EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770) eap_peap: Setting User-Name to joao.bosco
(770) eap_peap: Sending tunneled request to inner-tunnel
(770) eap_peap: EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(770) eap_peap: User-Name = "joao.bosco"
(770) eap_peap: State = 0x51d9eef05193f45af86aca3e309ab33f
(770) Virtual server inner-tunnel received request
(770) EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770) FreeRADIUS-Proxied-To = 127.0.0.1
(770) User-Name = "joao.bosco"
(770) State = 0x51d9eef05193f45af86aca3e309ab33f
(770) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(770) server inner-tunnel {
(770) session-state: No cached attributes
(770) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770) authorize {
(770) policy filter_username {
(770) if (&User-Name) {
(770) if (&User-Name) -> TRUE
(770) if (&User-Name) {
(770) if (&User-Name != "%{tolower:%{User-Name}}") {
(770) EXPAND %{tolower:%{User-Name}}
(770) --> joao.bosco
(770) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(770) if (&User-Name =~ /\// ) {
(770) if (&User-Name =~ /\// ) -> FALSE
(770) if (&User-Name =~ / /) {
(770) if (&User-Name =~ / /) -> FALSE
(770) if (&User-Name =~ /@[^@]*@/ ) {
(770) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(770) if (&User-Name =~ /\.\./ ) {
(770) if (&User-Name =~ /\.\./ ) -> FALSE
(770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(770) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(770) if (&User-Name =~ /\.$/) {
(770) if (&User-Name =~ /\.$/) -> FALSE
(770) if (&User-Name =~ /@\./) {
(770) if (&User-Name =~ /@\./) -> FALSE
(770) } # if (&User-Name) = notfound
(770) } # policy filter_username = notfound
(770) policy split_username_nai {
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(770) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770) update request {
(770) EXPAND %{1}
(770) --> joao.bosco
(770) &Stripped-User-Name := joao.bosco
(770) EXPAND %{3}
(770) -->
(770) &Stripped-User-Domain =
(770) } # update request = noop
(770) [updated] = updated
(770) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(770) ... skipping else: Preceding "if" was taken
(770) } # policy split_username_nai = updated
(770) [chap] = noop
(770) [mschap] = noop
(770) suffix: Checking for suffix after "@"
(770) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(770) suffix: No such realm "NULL"
(770) [suffix] = noop
(770) update control {
(770) &Proxy-To-Realm := LOCAL
(770) } # update control = noop
(770) eap: Peer sent EAP Response (code 2) ID 74 length 69
(770) eap: No EAP Start, assuming it's an on-going EAP conversation
(770) [eap] = updated
(770) files: users: Matched entry DEFAULT at line 84
(770) [files] = ok
(770) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(770) sql: --> joao.bosco
(770) sql: SQL-User-Name set to 'joao.bosco'
(770) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(770) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(770) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(770) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(770) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(770) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(770) sql: User not found in any groups
(770) [sql] = notfound
(770) [expiration] = noop
(770) [logintime] = noop
(770) [pap] = noop
(770) } # authorize = updated
(770) Found Auth-Type = eap
(770) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770) authenticate {
(770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(770) eap: Finished EAP session with state 0x51d9eef05193f45a
(770) eap: Previous EAP request found for state 0x51d9eef05193f45a, released from the list
(770) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(770) eap: Calling submodule eap_mschapv2 to process data
(770) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770) eap_mschapv2: authenticate {
(770) mschap: Creating challenge hash with username: joao.bosco
(770) mschap: Client is using MS-CHAPv2
(770) mschap: EXPAND %{mschap:User-Name}
(770) mschap: --> joao.bosco
(770) mschap: ERROR: No NT-Domain was found in the User-Name
(770) mschap: EXPAND %{mschap:NT-Domain}
(770) mschap: -->
(770) mschap: sending authentication request user='joao.bosco' domain=''
(770) mschap: Authenticated successfully
(770) mschap: Adding MS-CHAPv2 MPPE keys
(770) [mschap] = ok
(770) } # authenticate = ok
(770) MSCHAP Success
(770) eap: Sending EAP Request (code 1) ID 75 length 51
(770) eap: EAP session adding &reply:State = 0x51d9eef05092f45a
(770) [eap] = handled
(770) } # authenticate = handled
(770) } # server inner-tunnel
(770) Virtual server sending reply
(770) Idle-Timeout = 300
(770) EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770) Message-Authenticator = 0x00000000000000000000000000000000
(770) State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled reply code 11
(770) eap_peap: Idle-Timeout = 300
(770) eap_peap: EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(770) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled reply RADIUS code 11
(770) eap_peap: Idle-Timeout = 300
(770) eap_peap: EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(770) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled Access-Challenge
(770) eap: Sending EAP Request (code 1) ID 75 length 82
(770) eap: EAP session adding &reply:State = 0xa44f7f64a3046604
(770) [eap] = handled
(770) } # authenticate = handled
(770) Using Post-Auth-Type Challenge
(770) Post-Auth-Type sub-section not found. Ignoring.
(770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(770) Sent Access-Challenge Id 2 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(770) EAP-Message = 0x014b005219001703030047a3eb5bde72e8f75a1f4b8481c411504c33305b9637036aea4e7db053f95d7c31e935156455848f079d12243134fcaf4553b54c28c82891ffa3e4f8690fba5ed94c2af6efaa77e8
(770) Message-Authenticator = 0x00000000000000000000000000000000
(770) State = 0xa44f7f64a3046604dd9f2a05e7c26035
(770) Finished request
(771) Received Access-Request Id 3 from 10.34.87.223:58030 to 10.34.242.3:1812 length 304
(771) User-Name = "321457"
(771) NAS-IP-Address = 10.34.87.223
(771) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(771) NAS-Port-Id = "00000001"
(771) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(771) NAS-Port-Type = Wireless-802.11
(771) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(771) Service-Type = Framed-User
(771) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(771) Connect-Info = "CONNECT 0Mbps 802.11b"
(771) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(771) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(771) WLAN-Pairwise-Cipher = 1027076
(771) WLAN-Group-Cipher = 1027076
(771) WLAN-AKM-Suite = 1027073
(771) Framed-MTU = 1400
(771) EAP-Message = 0x024b00251900170303001a0000000000000003695705aa6ea3fa4f9e764db8342fc4ef284e
(771) State = 0xa44f7f64a3046604dd9f2a05e7c26035
(771) Message-Authenticator = 0x9442f992d6c781983fbd2914045a1126
(771) session-state: No cached attributes
(771) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(771) authorize {
(771) policy filter_username {
(771) if (&User-Name) {
(771) if (&User-Name) -> TRUE
(771) if (&User-Name) {
(771) if (&User-Name != "%{tolower:%{User-Name}}") {
(771) EXPAND %{tolower:%{User-Name}}
(771) --> 321457
(771) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(771) if (&User-Name =~ /\// ) {
(771) if (&User-Name =~ /\// ) -> FALSE
(771) if (&User-Name =~ / /) {
(771) if (&User-Name =~ / /) -> FALSE
(771) if (&User-Name =~ /@[^@]*@/ ) {
(771) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(771) if (&User-Name =~ /\.\./ ) {
(771) if (&User-Name =~ /\.\./ ) -> FALSE
(771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(771) if (&User-Name =~ /\.$/) {
(771) if (&User-Name =~ /\.$/) -> FALSE
(771) if (&User-Name =~ /@\./) {
(771) if (&User-Name =~ /@\./) -> FALSE
(771) } # if (&User-Name) = notfound
(771) } # policy filter_username = notfound
(771) policy split_username_nai {
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771) update request {
(771) EXPAND %{1}
(771) --> 321457
(771) &Stripped-User-Name := 321457
(771) EXPAND %{3}
(771) -->
(771) &Stripped-User-Domain =
(771) } # update request = noop
(771) [updated] = updated
(771) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(771) ... skipping else: Preceding "if" was taken
(771) } # policy split_username_nai = updated
(771) [preprocess] = ok
(771) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(771) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(771) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(771) auth_log: EXPAND %t
(771) auth_log: --> Wed Jun 24 14:21:13 2020
(771) [auth_log] = ok
(771) [chap] = noop
(771) [mschap] = noop
(771) [digest] = noop
(771) suffix: Checking for suffix after "@"
(771) suffix: No '@' in User-Name = "321457", looking up realm NULL
(771) suffix: No such realm "NULL"
(771) [suffix] = noop
(771) eap: Peer sent EAP Response (code 2) ID 75 length 37
(771) eap: Continuing tunnel setup
(771) [eap] = ok
(771) } # authorize = ok
(771) Found Auth-Type = eap
(771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(771) authenticate {
(771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(771) eap: Finished EAP session with state 0xa44f7f64a3046604
(771) eap: Previous EAP request found for state 0xa44f7f64a3046604, released from the list
(771) eap: Peer sent packet with method EAP PEAP (25)
(771) eap: Calling submodule eap_peap to process data
(771) eap_peap: Continuing EAP-TLS
(771) eap_peap: [eaptls verify] = ok
(771) eap_peap: Done initial handshake
(771) eap_peap: [eaptls process] = ok
(771) eap_peap: Session established. Decoding tunneled attributes
(771) eap_peap: PEAP state phase2
(771) eap_peap: EAP method MSCHAPv2 (26)
(771) eap_peap: Got tunneled request
(771) eap_peap: EAP-Message = 0x024b00061a03
(771) eap_peap: Setting User-Name to joao.bosco
(771) eap_peap: Sending tunneled request to inner-tunnel
(771) eap_peap: EAP-Message = 0x024b00061a03
(771) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(771) eap_peap: User-Name = "joao.bosco"
(771) eap_peap: State = 0x51d9eef05092f45af86aca3e309ab33f
(771) Virtual server inner-tunnel received request
(771) EAP-Message = 0x024b00061a03
(771) FreeRADIUS-Proxied-To = 127.0.0.1
(771) User-Name = "joao.bosco"
(771) State = 0x51d9eef05092f45af86aca3e309ab33f
(771) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(771) server inner-tunnel {
(771) session-state: No cached attributes
(771) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771) authorize {
(771) policy filter_username {
(771) if (&User-Name) {
(771) if (&User-Name) -> TRUE
(771) if (&User-Name) {
(771) if (&User-Name != "%{tolower:%{User-Name}}") {
(771) EXPAND %{tolower:%{User-Name}}
(771) --> joao.bosco
(771) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(771) if (&User-Name =~ /\// ) {
(771) if (&User-Name =~ /\// ) -> FALSE
(771) if (&User-Name =~ / /) {
(771) if (&User-Name =~ / /) -> FALSE
(771) if (&User-Name =~ /@[^@]*@/ ) {
(771) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(771) if (&User-Name =~ /\.\./ ) {
(771) if (&User-Name =~ /\.\./ ) -> FALSE
(771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(771) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(771) if (&User-Name =~ /\.$/) {
(771) if (&User-Name =~ /\.$/) -> FALSE
(771) if (&User-Name =~ /@\./) {
(771) if (&User-Name =~ /@\./) -> FALSE
(771) } # if (&User-Name) = notfound
(771) } # policy filter_username = notfound
(771) policy split_username_nai {
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(771) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771) update request {
(771) EXPAND %{1}
(771) --> joao.bosco
(771) &Stripped-User-Name := joao.bosco
(771) EXPAND %{3}
(771) -->
(771) &Stripped-User-Domain =
(771) } # update request = noop
(771) [updated] = updated
(771) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(771) ... skipping else: Preceding "if" was taken
(771) } # policy split_username_nai = updated
(771) [chap] = noop
(771) [mschap] = noop
(771) suffix: Checking for suffix after "@"
(771) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(771) suffix: No such realm "NULL"
(771) [suffix] = noop
(771) update control {
(771) &Proxy-To-Realm := LOCAL
(771) } # update control = noop
(771) eap: Peer sent EAP Response (code 2) ID 75 length 6
(771) eap: No EAP Start, assuming it's an on-going EAP conversation
(771) [eap] = updated
(771) files: users: Matched entry DEFAULT at line 84
(771) [files] = ok
(771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(771) sql: --> joao.bosco
(771) sql: SQL-User-Name set to 'joao.bosco'
(771) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(771) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(771) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(771) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(771) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(771) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(771) sql: User not found in any groups
(771) [sql] = notfound
(771) [expiration] = noop
(771) [logintime] = noop
(771) [pap] = noop
(771) } # authorize = updated
(771) Found Auth-Type = eap
(771) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771) authenticate {
(771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(771) eap: Finished EAP session with state 0x51d9eef05092f45a
(771) eap: Previous EAP request found for state 0x51d9eef05092f45a, released from the list
(771) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(771) eap: Calling submodule eap_mschapv2 to process data
(771) eap: Sending EAP Success (code 3) ID 75 length 4
(771) eap: Freeing handler
(771) [eap] = ok
(771) } # authenticate = ok
(771) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771) session {
(771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(771) sql: --> joao.bosco
(771) sql: SQL-User-Name set to 'joao.bosco'
(771) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(771) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(771) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(771) [sql] = ok
(771) } # session = ok
(771) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771) post-auth {
(771) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(771) reply_log: --> /var/log/freeradius/radacct/10.34.87.223/reply-detail
(771) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.87.223/reply-detail
(771) reply_log: EXPAND %t
(771) reply_log: --> Wed Jun 24 14:21:13 2020
(771) [reply_log] = ok
(771) update outer.session-state {
(771) User-Name := &request:User-Name -> 'joao.bosco'
(771) } # update outer.session-state = noop
(771) } # post-auth = ok
(771) Login OK: [joao.bosco] (from client AP-CEI-TER-223 port 0 via TLS tunnel)
(771) } # server inner-tunnel
(771) Virtual server sending reply
(771) Idle-Timeout = 300
(771) MS-MPPE-Encryption-Policy = Encryption-Allowed
(771) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771) MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771) MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771) EAP-Message = 0x034b0004
(771) Message-Authenticator = 0x00000000000000000000000000000000
(771) Stripped-User-Name := "joao.bosco"
(771) eap_peap: Got tunneled reply code 2
(771) eap_peap: Idle-Timeout = 300
(771) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(771) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771) eap_peap: MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771) eap_peap: MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771) eap_peap: EAP-Message = 0x034b0004
(771) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(771) eap_peap: Stripped-User-Name := "joao.bosco"
(771) eap_peap: Got tunneled reply RADIUS code 2
(771) eap_peap: Idle-Timeout = 300
(771) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(771) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771) eap_peap: MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771) eap_peap: MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771) eap_peap: EAP-Message = 0x034b0004
(771) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(771) eap_peap: Stripped-User-Name := "joao.bosco"
(771) eap_peap: Tunneled authentication was successful
(771) eap_peap: SUCCESS
(771) eap: Sending EAP Request (code 1) ID 76 length 46
(771) eap: EAP session adding &reply:State = 0xa44f7f64ac036604
(771) [eap] = handled
(771) } # authenticate = handled
(771) Using Post-Auth-Type Challenge
(771) Post-Auth-Type sub-section not found. Ignoring.
(771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(771) session-state: Saving cached attributes
(771) User-Name := "joao.bosco"
(771) Sent Access-Challenge Id 3 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(771) EAP-Message = 0x014c002e19001703030023a3eb5bde72e8f75b476d764d57d47de14e8b3244cdb2bdd44f4bf0fc595be62545171a
(771) Message-Authenticator = 0x00000000000000000000000000000000
(771) State = 0xa44f7f64ac036604dd9f2a05e7c26035
(771) Finished request
(772) Received Access-Request Id 4 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313
(772) User-Name = "321457"
(772) NAS-IP-Address = 10.34.87.223
(772) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(772) NAS-Port-Id = "00000001"
(772) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(772) NAS-Port-Type = Wireless-802.11
(772) Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(772) Service-Type = Framed-User
(772) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(772) Connect-Info = "CONNECT 0Mbps 802.11b"
(772) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(772) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(772) WLAN-Pairwise-Cipher = 1027076
(772) WLAN-Group-Cipher = 1027076
(772) WLAN-AKM-Suite = 1027073
(772) Framed-MTU = 1400
(772) EAP-Message = 0x024c002e190017030300230000000000000004fda2bf219fdc0ef55bf7050cfc147e2b1ac003860d8506d1cf400b
(772) State = 0xa44f7f64ac036604dd9f2a05e7c26035
(772) Message-Authenticator = 0x08c421bbfa2e7157408a6f2cf3214e1f
(772) Restoring &session-state
(772) &session-state:User-Name := "joao.bosco"
(772) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(772) authorize {
(772) policy filter_username {
(772) if (&User-Name) {
(772) if (&User-Name) -> TRUE
(772) if (&User-Name) {
(772) if (&User-Name != "%{tolower:%{User-Name}}") {
(772) EXPAND %{tolower:%{User-Name}}
(772) --> 321457
(772) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(772) if (&User-Name =~ /\// ) {
(772) if (&User-Name =~ /\// ) -> FALSE
(772) if (&User-Name =~ / /) {
(772) if (&User-Name =~ / /) -> FALSE
(772) if (&User-Name =~ /@[^@]*@/ ) {
(772) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(772) if (&User-Name =~ /\.\./ ) {
(772) if (&User-Name =~ /\.\./ ) -> FALSE
(772) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(772) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(772) if (&User-Name =~ /\.$/) {
(772) if (&User-Name =~ /\.$/) -> FALSE
(772) if (&User-Name =~ /@\./) {
(772) if (&User-Name =~ /@\./) -> FALSE
(772) } # if (&User-Name) = notfound
(772) } # policy filter_username = notfound
(772) policy split_username_nai {
(772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(772) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(772) update request {
(772) EXPAND %{1}
(772) --> 321457
(772) &Stripped-User-Name := 321457
(772) EXPAND %{3}
(772) -->
(772) &Stripped-User-Domain =
(772) } # update request = noop
(772) [updated] = updated
(772) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(772) ... skipping else: Preceding "if" was taken
(772) } # policy split_username_nai = updated
(772) [preprocess] = ok
(772) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(772) auth_log: --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(772) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(772) auth_log: EXPAND %t
(772) auth_log: --> Wed Jun 24 14:21:13 2020
(772) [auth_log] = ok
(772) [chap] = noop
(772) [mschap] = noop
(772) [digest] = noop
(772) suffix: Checking for suffix after "@"
(772) suffix: No '@' in User-Name = "321457", looking up realm NULL
(772) suffix: No such realm "NULL"
(772) [suffix] = noop
(772) eap: Peer sent EAP Response (code 2) ID 76 length 46
(772) eap: Continuing tunnel setup
(772) [eap] = ok
(772) } # authorize = ok
(772) Found Auth-Type = eap
(772) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(772) authenticate {
(772) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(772) eap: Finished EAP session with state 0xa44f7f64ac036604
(772) eap: Previous EAP request found for state 0xa44f7f64ac036604, released from the list
(772) eap: Peer sent packet with method EAP PEAP (25)
(772) eap: Calling submodule eap_peap to process data
(772) eap_peap: Continuing EAP-TLS
(772) eap_peap: [eaptls verify] = ok
(772) eap_peap: Done initial handshake
(772) eap_peap: [eaptls process] = ok
(772) eap_peap: Session established. Decoding tunneled attributes
(772) eap_peap: PEAP state send tlv success
(772) eap_peap: Received EAP-TLV response
(772) eap_peap: Success
(772) eap: Sending EAP Success (code 3) ID 76 length 4
(772) eap: Freeing handler
(772) [eap] = ok
(772) } # authenticate = ok
(772) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(772) post-auth {
(772) update {
(772) &reply::User-Name += &session-state:User-Name[*] -> 'joao.bosco'
(772) } # update = noop
(772) sql: EXPAND .query
(772) sql: --> .query
(772) sql: Using query template 'query'
(772) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(772) sql: --> 321457
(772) sql: SQL-User-Name set to '321457'
(772) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(772) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271))
(772) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271))
(772) sql: SQL query returned: success
(772) sql: 1 record(s) updated
(772) [sql] = ok
(772) [exec] = noop
(772) policy remove_reply_message_if_eap {
(772) if (&reply:EAP-Message && &reply:Reply-Message) {
(772) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(772) else {
(772) [noop] = noop
(772) } # else = noop
(772) } # policy remove_reply_message_if_eap = noop
(772) } # post-auth = ok
(772) Login OK: [321457] (from client AP-CEI-TER-223 port 0 cli 70-FD-46-BE-0D-8A)
(772) Sent Access-Accept Id 4 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(772) MS-MPPE-Recv-Key = 0xd4c273e37c10886abb1167c9c64b7e7a9555c080e574df74fdac80585fe89c4a
(772) MS-MPPE-Send-Key = 0xbb83cd2094c7880532831cdf5e3c7986149e6a5c1d6bc4a84b9151c0988336a1
(772) EAP-Message = 0x034c0004
(772) Message-Authenticator = 0x00000000000000000000000000000000
(772) User-Name += "joao.bosco"
(772) Finished request
(785) Received Accounting-Request Id 5 from 10.34.87.223:36144 to 10.34.242.3:1813 length 251
(785) Acct-Status-Type = Start
(785) Acct-Authentic = RADIUS
(785) User-Name = "joao.bosco"
(785) NAS-IP-Address = 10.34.87.223
(785) NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(785) NAS-Port-Id = "00000001"
(785) Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(785) NAS-Port-Type = Wireless-802.11
(785) Event-Timestamp = "Jun 24 2020 14:21:14 -03"
(785) Service-Type = Framed-User
(785) Calling-Station-Id = "70-FD-46-BE-0D-8A"
(785) Connect-Info = "CONNECT 0Mbps 802.11b"
(785) Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(785) Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(785) WLAN-Pairwise-Cipher = 1027076
(785) WLAN-Group-Cipher = 1027076
(785) WLAN-AKM-Suite = 1027073
(785) Framed-IP-Address = 172.28.255.182
(785) Acct-Delay-Time = 0
(785) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(785) preacct {
(785) [preprocess] = ok
(785) policy split_username_nai {
(785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(785) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(785) update request {
(785) EXPAND %{1}
(785) --> joao.bosco
(785) &Stripped-User-Name := joao.bosco
(785) EXPAND %{3}
(785) -->
(785) &Stripped-User-Domain =
(785) } # update request = noop
(785) [updated] = updated
(785) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(785) ... skipping else: Preceding "if" was taken
(785) } # policy split_username_nai = updated
(785) update request {
(785) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(785) --> 1593019276
(785) FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 14:21:16 -03
(785) } # update request = noop
(785) policy acct_unique {
(785) update request {
(785) Tmp-String-9 := "ai:"
(785) } # update request = noop
(785) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(785) EXPAND %{hex:&Class}
(785) -->
(785) EXPAND ^%{hex:&Tmp-String-9}
(785) --> ^61693a
(785) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(785) else {
(785) update request {
(785) EXPAND %{Acct-Session-ID}
(785) --> 50d4f75b869c-393F96E03B858B46
(785) &Acct-Unique-Session-Id := 50d4f75b869c-393F96E03B858B46
(785) EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(785) --> joao.bosco
(785) &Acct-Unique-Session-Id := joao.bosco
(785) EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}}
(785) --> 40fed0fa478c6669d9d1768d71840a84
(785) &Acct-Unique-Session-Id := 40fed0fa478c6669d9d1768d71840a84
(785) } # update request = noop
(785) } # else = noop
(785) } # policy acct_unique = noop
(785) suffix: Checking for suffix after "@"
(785) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(785) suffix: No such realm "NULL"
(785) [suffix] = noop
(785) files: acct_users: Matched entry DEFAULT at line 22
(785) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(785) files: --> joao.bosco
(785) [files] = ok
(785) } # preacct = updated
(785) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(785) accounting {
(785) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(785) log_accounting: --> Accounting-Request.Start
(785) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(785) log_accounting: --> Wed, 24-06-2020 14:21:14 Connect: [joao.bosco] (did 50-D4-F7-5B-86-9C:MPDFT cli 70-FD-46-BE-0D-8A port ip 172.28.255.182)
(785) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(785) log_accounting: --> /var/log/freeradius/linelog-accounting
(785) [log_accounting] = ok
(785) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(785) sql: --> type.start.query
(785) sql: Using query template 'query'
(785) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(785) sql: --> joao.bosco
(785) sql: SQL-User-Name set to 'joao.bosco'
(785) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(785) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(785) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(785) sql: SQL query returned: success
(785) sql: 1 record(s) updated
(785) [sql] = ok
(785) if (&request:Acct-Status-Type == start) {
(785) if (&request:Acct-Status-Type == start) -> TRUE
(785) if (&request:Acct-Status-Type == start) {
(785) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(785) --> joao.bosco
(785) SQL-User-Name set to 'joao.bosco'
(785) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593019274), AcctUpdateTime = TO_TIMESTAMP(1593019274), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'joao.bosco' AND AcctUniqueId <> '40fed0fa478c6669d9d1768d71840a84' AND CallingStationId = '70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(785) SQL query affected no rows
(785) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(785) -->
(785) } # if (&request:Acct-Status-Type == start) = ok
(785) [exec] = noop
(785) attr_filter.accounting_response: EXPAND %{User-Name}
(785) attr_filter.accounting_response: --> joao.bosco
(785) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(785) [attr_filter.accounting_response] = updated
(785) } # accounting = updated
(785) Sent Accounting-Response Id 5 from 10.34.242.3:1813 to 10.34.87.223:36144 length 0
(785) Finished request
(785) Cleaning up request packet ID 5 with timestamp +196
(757) Cleaning up request packet ID 251 with timestamp +192
(760) Cleaning up request packet ID 252 with timestamp +193
(763) Cleaning up request packet ID 253 with timestamp +193
(764) Cleaning up request packet ID 254 with timestamp +193
(765) Cleaning up request packet ID 255 with timestamp +193
(766) Cleaning up request packet ID 0 with timestamp +193
(769) Cleaning up request packet ID 1 with timestamp +193
(770) Cleaning up request packet ID 2 with timestamp +193
(771) Cleaning up request packet ID 3 with timestamp +193
(772) Cleaning up request packet ID 4 with timestamp +193
============== DEBUG FOR !!!!NOT WORKING!!!! PACKET ============
(11048) Received Access-Request Id 139 from 10.34.27.220:3489 to 10.34.242.3:1812 length 149
(11048) User-Name = "mpdft"
(11048) NAS-IP-Address = 10.34.27.220
(11048) NAS-Port = 2
(11048) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11048) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11048) Framed-MTU = 1400
(11048) NAS-Port-Type = Wireless-802.11
(11048) Connect-Info = "CONNECT 54Mbps 802.11g"
(11048) EAP-Message = 0x0200000a016d70646674
(11048) Message-Authenticator = 0x408a3294efb8f536a6500de929db9311
(11048) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11048) authorize {
(11048) policy filter_username {
(11048) if (&User-Name) {
(11048) if (&User-Name) -> TRUE
(11048) if (&User-Name) {
(11048) if (&User-Name != "%{tolower:%{User-Name}}") {
(11048) EXPAND %{tolower:%{User-Name}}
(11048) --> mpdft
(11048) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11048) if (&User-Name =~ /\// ) {
(11048) if (&User-Name =~ /\// ) -> FALSE
(11048) if (&User-Name =~ / /) {
(11048) if (&User-Name =~ / /) -> FALSE
(11048) if (&User-Name =~ /@[^@]*@/ ) {
(11048) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11048) if (&User-Name =~ /\.\./ ) {
(11048) if (&User-Name =~ /\.\./ ) -> FALSE
(11048) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11048) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11048) if (&User-Name =~ /\.$/) {
(11048) if (&User-Name =~ /\.$/) -> FALSE
(11048) if (&User-Name =~ /@\./) {
(11048) if (&User-Name =~ /@\./) -> FALSE
(11048) } # if (&User-Name) = notfound
(11048) } # policy filter_username = notfound
(11048) policy split_username_nai {
(11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11048) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11048) update request {
(11048) EXPAND %{1}
(11048) --> mpdft
(11048) &Stripped-User-Name := mpdft
(11048) EXPAND %{3}
(11048) -->
(11048) &Stripped-User-Domain =
(11048) } # update request = noop
(11048) [updated] = updated
(11048) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11048) ... skipping else: Preceding "if" was taken
(11048) } # policy split_username_nai = updated
(11048) [preprocess] = ok
(11048) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11048) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11048) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11048) auth_log: EXPAND %t
(11048) auth_log: --> Wed Jun 24 15:00:27 2020
(11048) [auth_log] = ok
(11048) [chap] = noop
(11048) [mschap] = noop
(11048) [digest] = noop
(11048) suffix: Checking for suffix after "@"
(11048) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11048) suffix: No such realm "NULL"
(11048) [suffix] = noop
(11048) eap: Peer sent EAP Response (code 2) ID 0 length 10
(11048) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11048) [eap] = ok
(11048) } # authorize = ok
(11048) Found Auth-Type = eap
(11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11048) authenticate {
(11048) eap: Peer sent packet with method EAP Identity (1)
(11048) eap: Calling submodule eap_md5 to process data
(11048) eap_md5: Issuing MD5 Challenge
(11048) eap: Sending EAP Request (code 1) ID 1 length 22
(11048) eap: EAP session adding &reply:State = 0xbb52a0a1bb53a4af
(11048) [eap] = handled
(11048) } # authenticate = handled
(11048) Using Post-Auth-Type Challenge
(11048) Post-Auth-Type sub-section not found. Ignoring.
(11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11048) Sent Access-Challenge Id 139 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11048) EAP-Message = 0x010100160410b7e1efa9084013e0889cf10e97931880
(11048) Message-Authenticator = 0x00000000000000000000000000000000
(11048) State = 0xbb52a0a1bb53a4afa6d420c8f1230505
(11048) Finished request
(11049) Received Access-Request Id 140 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11049) User-Name = "mpdft"
(11049) NAS-IP-Address = 10.34.27.220
(11049) NAS-Port = 2
(11049) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11049) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11049) Framed-MTU = 1400
(11049) NAS-Port-Type = Wireless-802.11
(11049) Connect-Info = "CONNECT 54Mbps 802.11g"
(11049) EAP-Message = 0x020100060319
(11049) State = 0xbb52a0a1bb53a4afa6d420c8f1230505
(11049) Message-Authenticator = 0x56eea29636534482dd0626f91ccc367c
(11049) session-state: No cached attributes
(11049) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11049) authorize {
(11049) policy filter_username {
(11049) if (&User-Name) {
(11049) if (&User-Name) -> TRUE
(11049) if (&User-Name) {
(11049) if (&User-Name != "%{tolower:%{User-Name}}") {
(11049) EXPAND %{tolower:%{User-Name}}
(11049) --> mpdft
(11049) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11049) if (&User-Name =~ /\// ) {
(11049) if (&User-Name =~ /\// ) -> FALSE
(11049) if (&User-Name =~ / /) {
(11049) if (&User-Name =~ / /) -> FALSE
(11049) if (&User-Name =~ /@[^@]*@/ ) {
(11049) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11049) if (&User-Name =~ /\.\./ ) {
(11049) if (&User-Name =~ /\.\./ ) -> FALSE
(11049) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11049) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11049) if (&User-Name =~ /\.$/) {
(11049) if (&User-Name =~ /\.$/) -> FALSE
(11049) if (&User-Name =~ /@\./) {
(11049) if (&User-Name =~ /@\./) -> FALSE
(11049) } # if (&User-Name) = notfound
(11049) } # policy filter_username = notfound
(11049) policy split_username_nai {
(11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11049) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11049) update request {
(11049) EXPAND %{1}
(11049) --> mpdft
(11049) &Stripped-User-Name := mpdft
(11049) EXPAND %{3}
(11049) -->
(11049) &Stripped-User-Domain =
(11049) } # update request = noop
(11049) [updated] = updated
(11049) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11049) ... skipping else: Preceding "if" was taken
(11049) } # policy split_username_nai = updated
(11049) [preprocess] = ok
(11049) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11049) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11049) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11049) auth_log: EXPAND %t
(11049) auth_log: --> Wed Jun 24 15:00:27 2020
(11049) [auth_log] = ok
(11049) [chap] = noop
(11049) [mschap] = noop
(11049) [digest] = noop
(11049) suffix: Checking for suffix after "@"
(11049) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11049) suffix: No such realm "NULL"
(11049) [suffix] = noop
(11049) eap: Peer sent EAP Response (code 2) ID 1 length 6
(11049) eap: No EAP Start, assuming it's an on-going EAP conversation
(11049) [eap] = updated
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) [files] = noop
(11049) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11049) sql: --> mpdft
(11049) sql: SQL-User-Name set to 'mpdft'
(11049) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11049) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id
(11049) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id
(11049) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11049) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority
(11049) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority
(11049) sql: User not found in any groups
(11049) [sql] = notfound
(11049) [expiration] = noop
(11049) [logintime] = noop
(11049) if (ok) {
(11049) if (ok) -> FALSE
(11049) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(11049) pap: WARNING: Authentication will fail unless a "known good" password is available
(11049) [pap] = noop
(11049) } # authorize = updated
(11049) Found Auth-Type = eap
(11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11049) authenticate {
(11049) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11049) eap: Finished EAP session with state 0xbb52a0a1bb53a4af
(11049) eap: Previous EAP request found for state 0xbb52a0a1bb53a4af, released from the list
(11049) eap: Peer sent packet with method EAP NAK (3)
(11049) eap: Found mutually acceptable type PEAP (25)
(11049) eap: Calling submodule eap_peap to process data
(11049) eap_peap: Initiating new EAP-TLS session
(11049) eap_peap: [eaptls start] = request
(11049) eap: Sending EAP Request (code 1) ID 2 length 6
(11049) eap: EAP session adding &reply:State = 0xbb52a0a1ba50b9af
(11049) [eap] = handled
(11049) } # authenticate = handled
(11049) Using Post-Auth-Type Challenge
(11049) Post-Auth-Type sub-section not found. Ignoring.
(11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11049) Sent Access-Challenge Id 140 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11049) EAP-Message = 0x010200061920
(11049) Message-Authenticator = 0x00000000000000000000000000000000
(11049) State = 0xbb52a0a1ba50b9afa6d420c8f1230505
(11049) Finished request
(11050) Received Access-Request Id 141 from 10.34.27.220:3489 to 10.34.242.3:1812 length 328
(11050) User-Name = "mpdft"
(11050) NAS-IP-Address = 10.34.27.220
(11050) NAS-Port = 2
(11050) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11050) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11050) Framed-MTU = 1400
(11050) NAS-Port-Type = Wireless-802.11
(11050) Connect-Info = "CONNECT 54Mbps 802.11g"
(11050) EAP-Message = 0x020200ab1980000000a1160301009c0100009803039c4c361bc616647397a5fcbb62da353c8e280950e62470a9b076ee8a4df5731200003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000
(11050) State = 0xbb52a0a1ba50b9afa6d420c8f1230505
(11050) Message-Authenticator = 0xee12d9c33e702dde45cc68d947157e10
(11050) session-state: No cached attributes
(11050) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11050) authorize {
(11050) policy filter_username {
(11050) if (&User-Name) {
(11050) if (&User-Name) -> TRUE
(11050) if (&User-Name) {
(11050) if (&User-Name != "%{tolower:%{User-Name}}") {
(11050) EXPAND %{tolower:%{User-Name}}
(11050) --> mpdft
(11050) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11050) if (&User-Name =~ /\// ) {
(11050) if (&User-Name =~ /\// ) -> FALSE
(11050) if (&User-Name =~ / /) {
(11050) if (&User-Name =~ / /) -> FALSE
(11050) if (&User-Name =~ /@[^@]*@/ ) {
(11050) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11050) if (&User-Name =~ /\.\./ ) {
(11050) if (&User-Name =~ /\.\./ ) -> FALSE
(11050) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11050) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11050) if (&User-Name =~ /\.$/) {
(11050) if (&User-Name =~ /\.$/) -> FALSE
(11050) if (&User-Name =~ /@\./) {
(11050) if (&User-Name =~ /@\./) -> FALSE
(11050) } # if (&User-Name) = notfound
(11050) } # policy filter_username = notfound
(11050) policy split_username_nai {
(11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11050) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11050) update request {
(11050) EXPAND %{1}
(11050) --> mpdft
(11050) &Stripped-User-Name := mpdft
(11050) EXPAND %{3}
(11050) -->
(11050) &Stripped-User-Domain =
(11050) } # update request = noop
(11050) [updated] = updated
(11050) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11050) ... skipping else: Preceding "if" was taken
(11050) } # policy split_username_nai = updated
(11050) [preprocess] = ok
(11050) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11050) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11050) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11050) auth_log: EXPAND %t
(11050) auth_log: --> Wed Jun 24 15:00:27 2020
(11050) [auth_log] = ok
(11050) [chap] = noop
(11050) [mschap] = noop
(11050) [digest] = noop
(11050) suffix: Checking for suffix after "@"
(11050) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11050) suffix: No such realm "NULL"
(11050) [suffix] = noop
(11050) eap: Peer sent EAP Response (code 2) ID 2 length 171
(11050) eap: Continuing tunnel setup
(11050) [eap] = ok
(11050) } # authorize = ok
(11050) Found Auth-Type = eap
(11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11050) authenticate {
(11050) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11050) eap: Finished EAP session with state 0xbb52a0a1ba50b9af
(11050) eap: Previous EAP request found for state 0xbb52a0a1ba50b9af, released from the list
(11050) eap: Peer sent packet with method EAP PEAP (25)
(11050) eap: Calling submodule eap_peap to process data
(11050) eap_peap: Continuing EAP-TLS
(11050) eap_peap: Peer indicated complete TLS record size will be 161 bytes
(11050) eap_peap: Got complete TLS record (161 bytes)
(11050) eap_peap: [eaptls verify] = length included
(11050) eap_peap: (other): before SSL initialization
(11050) eap_peap: TLS_accept: before SSL initialization
(11050) eap_peap: TLS_accept: before SSL initialization
(11050) eap_peap: <<< recv TLS 1.2 [length 009c]
(11050) eap_peap: TLS_accept: SSLv3/TLS read client hello
(11050) eap_peap: >>> send TLS 1.2 [length 003d]
(11050) eap_peap: TLS_accept: SSLv3/TLS write server hello
(11050) eap_peap: >>> send TLS 1.2 [length 0309]
(11050) eap_peap: TLS_accept: SSLv3/TLS write certificate
(11050) eap_peap: >>> send TLS 1.2 [length 014d]
(11050) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(11050) eap_peap: >>> send TLS 1.2 [length 0004]
(11050) eap_peap: TLS_accept: SSLv3/TLS write server done
(11050) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(11050) eap_peap: In SSL Handshake Phase
(11050) eap_peap: In SSL Accept mode
(11050) eap_peap: [eaptls process] = handled
(11050) eap: Sending EAP Request (code 1) ID 3 length 1004
(11050) eap: EAP session adding &reply:State = 0xbb52a0a1b951b9af
(11050) [eap] = handled
(11050) } # authenticate = handled
(11050) Using Post-Auth-Type Challenge
(11050) Post-Auth-Type sub-section not found. Ignoring.
(11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11050) Sent Access-Challenge Id 141 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11050) EAP-Message = 0x010303ec19c0000004ab160303003d020000390303bff8d5bbdafc2ef1f9fe4ff68c004d2d5d255f840adf436732d14e188fb4896900c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(11050) Message-Authenticator = 0x00000000000000000000000000000000
(11050) State = 0xbb52a0a1b951b9afa6d420c8f1230505
(11050) Finished request
(11051) Received Access-Request Id 142 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11051) User-Name = "mpdft"
(11051) NAS-IP-Address = 10.34.27.220
(11051) NAS-Port = 2
(11051) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11051) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11051) Framed-MTU = 1400
(11051) NAS-Port-Type = Wireless-802.11
(11051) Connect-Info = "CONNECT 54Mbps 802.11g"
(11051) EAP-Message = 0x020300061900
(11051) State = 0xbb52a0a1b951b9afa6d420c8f1230505
(11051) Message-Authenticator = 0x91c78843c332dee8045c2bd4d2518647
(11051) session-state: No cached attributes
(11051) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11051) authorize {
(11051) policy filter_username {
(11051) if (&User-Name) {
(11051) if (&User-Name) -> TRUE
(11051) if (&User-Name) {
(11051) if (&User-Name != "%{tolower:%{User-Name}}") {
(11051) EXPAND %{tolower:%{User-Name}}
(11051) --> mpdft
(11051) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11051) if (&User-Name =~ /\// ) {
(11051) if (&User-Name =~ /\// ) -> FALSE
(11051) if (&User-Name =~ / /) {
(11051) if (&User-Name =~ / /) -> FALSE
(11051) if (&User-Name =~ /@[^@]*@/ ) {
(11051) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11051) if (&User-Name =~ /\.\./ ) {
(11051) if (&User-Name =~ /\.\./ ) -> FALSE
(11051) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11051) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11051) if (&User-Name =~ /\.$/) {
(11051) if (&User-Name =~ /\.$/) -> FALSE
(11051) if (&User-Name =~ /@\./) {
(11051) if (&User-Name =~ /@\./) -> FALSE
(11051) } # if (&User-Name) = notfound
(11051) } # policy filter_username = notfound
(11051) policy split_username_nai {
(11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11051) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11051) update request {
(11051) EXPAND %{1}
(11051) --> mpdft
(11051) &Stripped-User-Name := mpdft
(11051) EXPAND %{3}
(11051) -->
(11051) &Stripped-User-Domain =
(11051) } # update request = noop
(11051) [updated] = updated
(11051) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11051) ... skipping else: Preceding "if" was taken
(11051) } # policy split_username_nai = updated
(11051) [preprocess] = ok
(11051) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11051) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11051) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11051) auth_log: EXPAND %t
(11051) auth_log: --> Wed Jun 24 15:00:27 2020
(11051) [auth_log] = ok
(11051) [chap] = noop
(11051) [mschap] = noop
(11051) [digest] = noop
(11051) suffix: Checking for suffix after "@"
(11051) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11051) suffix: No such realm "NULL"
(11051) [suffix] = noop
(11051) eap: Peer sent EAP Response (code 2) ID 3 length 6
(11051) eap: Continuing tunnel setup
(11051) [eap] = ok
(11051) } # authorize = ok
(11051) Found Auth-Type = eap
(11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11051) authenticate {
(11051) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11051) eap: Finished EAP session with state 0xbb52a0a1b951b9af
(11051) eap: Previous EAP request found for state 0xbb52a0a1b951b9af, released from the list
(11051) eap: Peer sent packet with method EAP PEAP (25)
(11051) eap: Calling submodule eap_peap to process data
(11051) eap_peap: Continuing EAP-TLS
(11051) eap_peap: Peer ACKed our handshake fragment
(11051) eap_peap: [eaptls verify] = request
(11051) eap_peap: [eaptls process] = handled
(11051) eap: Sending EAP Request (code 1) ID 4 length 207
(11051) eap: EAP session adding &reply:State = 0xbb52a0a1b856b9af
(11051) [eap] = handled
(11051) } # authenticate = handled
(11051) Using Post-Auth-Type Challenge
(11051) Post-Auth-Type sub-section not found. Ignoring.
(11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11051) Sent Access-Challenge Id 142 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11051) EAP-Message = 0x010400cf190077d923f57ef28aa1228670ecd396ae9f5120736fed21274cc4e43fe548da4b0018966c35ae455f4bd6fe6740c7c8414a8adcd72b383bcd96b08acbb06444bd5259dbef85f8b44d37c2cbfffeb6c98619f1bcdba6d5e2e6f70b494289c12f22675199072877351a1e1e55c1901b67e1c0ce
(11051) Message-Authenticator = 0x00000000000000000000000000000000
(11051) State = 0xbb52a0a1b856b9afa6d420c8f1230505
(11051) Finished request
(11052) Received Access-Request Id 143 from 10.34.27.220:3489 to 10.34.242.3:1812 length 293
(11052) User-Name = "mpdft"
(11052) NAS-IP-Address = 10.34.27.220
(11052) NAS-Port = 2
(11052) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11052) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11052) Framed-MTU = 1400
(11052) NAS-Port-Type = Wireless-802.11
(11052) Connect-Info = "CONNECT 54Mbps 802.11g"
(11052) EAP-Message = 0x0204008819800000007e16030300461000004241049d1d0aa98e339ec73f7114217ba102b7ec0faa4f48bd4430255a0c9f30e6e43587cbd5b858dd3eb66644df3703a1a74c19bcf7f526a95af9d8605e85aaa0b4e114030300010116030300280000000000000000b8d30db4ebe845ea5264df4293f41a
(11052) State = 0xbb52a0a1b856b9afa6d420c8f1230505
(11052) Message-Authenticator = 0x8117b45ab21207f6cc0085f9906d6737
(11052) session-state: No cached attributes
(11052) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11052) authorize {
(11052) policy filter_username {
(11052) if (&User-Name) {
(11052) if (&User-Name) -> TRUE
(11052) if (&User-Name) {
(11052) if (&User-Name != "%{tolower:%{User-Name}}") {
(11052) EXPAND %{tolower:%{User-Name}}
(11052) --> mpdft
(11052) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11052) if (&User-Name =~ /\// ) {
(11052) if (&User-Name =~ /\// ) -> FALSE
(11052) if (&User-Name =~ / /) {
(11052) if (&User-Name =~ / /) -> FALSE
(11052) if (&User-Name =~ /@[^@]*@/ ) {
(11052) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11052) if (&User-Name =~ /\.\./ ) {
(11052) if (&User-Name =~ /\.\./ ) -> FALSE
(11052) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11052) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11052) if (&User-Name =~ /\.$/) {
(11052) if (&User-Name =~ /\.$/) -> FALSE
(11052) if (&User-Name =~ /@\./) {
(11052) if (&User-Name =~ /@\./) -> FALSE
(11052) } # if (&User-Name) = notfound
(11052) } # policy filter_username = notfound
(11052) policy split_username_nai {
(11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11052) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11052) update request {
(11052) EXPAND %{1}
(11052) --> mpdft
(11052) &Stripped-User-Name := mpdft
(11052) EXPAND %{3}
(11052) -->
(11052) &Stripped-User-Domain =
(11052) } # update request = noop
(11052) [updated] = updated
(11052) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11052) ... skipping else: Preceding "if" was taken
(11052) } # policy split_username_nai = updated
(11052) [preprocess] = ok
(11052) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11052) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11052) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11052) auth_log: EXPAND %t
(11052) auth_log: --> Wed Jun 24 15:00:27 2020
(11052) [auth_log] = ok
(11052) [chap] = noop
(11052) [mschap] = noop
(11052) [digest] = noop
(11052) suffix: Checking for suffix after "@"
(11052) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11052) suffix: No such realm "NULL"
(11052) [suffix] = noop
(11052) eap: Peer sent EAP Response (code 2) ID 4 length 136
(11052) eap: Continuing tunnel setup
(11052) [eap] = ok
(11052) } # authorize = ok
(11052) Found Auth-Type = eap
(11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11052) authenticate {
(11052) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11052) eap: Finished EAP session with state 0xbb52a0a1b856b9af
(11052) eap: Previous EAP request found for state 0xbb52a0a1b856b9af, released from the list
(11052) eap: Peer sent packet with method EAP PEAP (25)
(11052) eap: Calling submodule eap_peap to process data
(11052) eap_peap: Continuing EAP-TLS
(11052) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(11052) eap_peap: Got complete TLS record (126 bytes)
(11052) eap_peap: [eaptls verify] = length included
(11052) eap_peap: TLS_accept: SSLv3/TLS write server done
(11052) eap_peap: <<< recv TLS 1.2 [length 0046]
(11052) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(11052) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(11052) eap_peap: <<< recv TLS 1.2 [length 0010]
(11052) eap_peap: TLS_accept: SSLv3/TLS read finished
(11052) eap_peap: >>> send TLS 1.2 [length 0001]
(11052) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(11052) eap_peap: >>> send TLS 1.2 [length 0010]
(11052) eap_peap: TLS_accept: SSLv3/TLS write finished
(11052) eap_peap: (other): SSL negotiation finished successfully
(11052) eap_peap: SSL Connection Established
(11052) eap_peap: [eaptls process] = handled
(11052) eap: Sending EAP Request (code 1) ID 5 length 57
(11052) eap: EAP session adding &reply:State = 0xbb52a0a1bf57b9af
(11052) [eap] = handled
(11052) } # authenticate = handled
(11052) Using Post-Auth-Type Challenge
(11052) Post-Auth-Type sub-section not found. Ignoring.
(11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11052) Sent Access-Challenge Id 143 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11052) EAP-Message = 0x01050039190014030300010116030300288995cd8a76492654a82f8d2fc75b6ca674a25e522583f0877dfaf2b235972f869cd889c0383b0a82
(11052) Message-Authenticator = 0x00000000000000000000000000000000
(11052) State = 0xbb52a0a1bf57b9afa6d420c8f1230505
(11052) Finished request
(11053) Received Access-Request Id 144 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11053) User-Name = "mpdft"
(11053) NAS-IP-Address = 10.34.27.220
(11053) NAS-Port = 2
(11053) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11053) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11053) Framed-MTU = 1400
(11053) NAS-Port-Type = Wireless-802.11
(11053) Connect-Info = "CONNECT 54Mbps 802.11g"
(11053) EAP-Message = 0x020500061900
(11053) State = 0xbb52a0a1bf57b9afa6d420c8f1230505
(11053) Message-Authenticator = 0xcd93b19502ff6f920112fbb490021062
(11053) session-state: No cached attributes
(11053) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11053) authorize {
(11053) policy filter_username {
(11053) if (&User-Name) {
(11053) if (&User-Name) -> TRUE
(11053) if (&User-Name) {
(11053) if (&User-Name != "%{tolower:%{User-Name}}") {
(11053) EXPAND %{tolower:%{User-Name}}
(11053) --> mpdft
(11053) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11053) if (&User-Name =~ /\// ) {
(11053) if (&User-Name =~ /\// ) -> FALSE
(11053) if (&User-Name =~ / /) {
(11053) if (&User-Name =~ / /) -> FALSE
(11053) if (&User-Name =~ /@[^@]*@/ ) {
(11053) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11053) if (&User-Name =~ /\.\./ ) {
(11053) if (&User-Name =~ /\.\./ ) -> FALSE
(11053) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11053) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11053) if (&User-Name =~ /\.$/) {
(11053) if (&User-Name =~ /\.$/) -> FALSE
(11053) if (&User-Name =~ /@\./) {
(11053) if (&User-Name =~ /@\./) -> FALSE
(11053) } # if (&User-Name) = notfound
(11053) } # policy filter_username = notfound
(11053) policy split_username_nai {
(11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11053) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11053) update request {
(11053) EXPAND %{1}
(11053) --> mpdft
(11053) &Stripped-User-Name := mpdft
(11053) EXPAND %{3}
(11053) -->
(11053) &Stripped-User-Domain =
(11053) } # update request = noop
(11053) [updated] = updated
(11053) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11053) ... skipping else: Preceding "if" was taken
(11053) } # policy split_username_nai = updated
(11053) [preprocess] = ok
(11053) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11053) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11053) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11053) auth_log: EXPAND %t
(11053) auth_log: --> Wed Jun 24 15:00:27 2020
(11053) [auth_log] = ok
(11053) [chap] = noop
(11053) [mschap] = noop
(11053) [digest] = noop
(11053) suffix: Checking for suffix after "@"
(11053) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11053) suffix: No such realm "NULL"
(11053) [suffix] = noop
(11053) eap: Peer sent EAP Response (code 2) ID 5 length 6
(11053) eap: Continuing tunnel setup
(11053) [eap] = ok
(11053) } # authorize = ok
(11053) Found Auth-Type = eap
(11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11053) authenticate {
(11053) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11053) eap: Finished EAP session with state 0xbb52a0a1bf57b9af
(11053) eap: Previous EAP request found for state 0xbb52a0a1bf57b9af, released from the list
(11053) eap: Peer sent packet with method EAP PEAP (25)
(11053) eap: Calling submodule eap_peap to process data
(11053) eap_peap: Continuing EAP-TLS
(11053) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(11053) eap_peap: [eaptls verify] = success
(11053) eap_peap: [eaptls process] = success
(11053) eap_peap: Session established. Decoding tunneled attributes
(11053) eap_peap: PEAP state TUNNEL ESTABLISHED
(11053) eap: Sending EAP Request (code 1) ID 6 length 40
(11053) eap: EAP session adding &reply:State = 0xbb52a0a1be54b9af
(11053) [eap] = handled
(11053) } # authenticate = handled
(11053) Using Post-Auth-Type Challenge
(11053) Post-Auth-Type sub-section not found. Ignoring.
(11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11053) Sent Access-Challenge Id 144 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11053) EAP-Message = 0x010600281900170303001d8995cd8a76492655aa9ea54c3b4322eaca154c899222b9039194e9813a
(11053) Message-Authenticator = 0x00000000000000000000000000000000
(11053) State = 0xbb52a0a1be54b9afa6d420c8f1230505
(11053) Finished request
(11054) Received Access-Request Id 145 from 10.34.27.220:3489 to 10.34.242.3:1812 length 211
(11054) User-Name = "mpdft"
(11054) NAS-IP-Address = 10.34.27.220
(11054) NAS-Port = 2
(11054) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11054) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11054) Framed-MTU = 1400
(11054) NAS-Port-Type = Wireless-802.11
(11054) Connect-Info = "CONNECT 54Mbps 802.11g"
(11054) EAP-Message = 0x020600361900170303002b0000000000000001d8fc0d85e42ff3c7a9007d28e781d3f96bc92ec34bdd11b8e07e78a5c01255342524f0
(11054) State = 0xbb52a0a1be54b9afa6d420c8f1230505
(11054) Message-Authenticator = 0x970cdd80924dea90c2936c50ab414e02
(11054) session-state: No cached attributes
(11054) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11054) authorize {
(11054) policy filter_username {
(11054) if (&User-Name) {
(11054) if (&User-Name) -> TRUE
(11054) if (&User-Name) {
(11054) if (&User-Name != "%{tolower:%{User-Name}}") {
(11054) EXPAND %{tolower:%{User-Name}}
(11054) --> mpdft
(11054) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11054) if (&User-Name =~ /\// ) {
(11054) if (&User-Name =~ /\// ) -> FALSE
(11054) if (&User-Name =~ / /) {
(11054) if (&User-Name =~ / /) -> FALSE
(11054) if (&User-Name =~ /@[^@]*@/ ) {
(11054) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11054) if (&User-Name =~ /\.\./ ) {
(11054) if (&User-Name =~ /\.\./ ) -> FALSE
(11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11054) if (&User-Name =~ /\.$/) {
(11054) if (&User-Name =~ /\.$/) -> FALSE
(11054) if (&User-Name =~ /@\./) {
(11054) if (&User-Name =~ /@\./) -> FALSE
(11054) } # if (&User-Name) = notfound
(11054) } # policy filter_username = notfound
(11054) policy split_username_nai {
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054) update request {
(11054) EXPAND %{1}
(11054) --> mpdft
(11054) &Stripped-User-Name := mpdft
(11054) EXPAND %{3}
(11054) -->
(11054) &Stripped-User-Domain =
(11054) } # update request = noop
(11054) [updated] = updated
(11054) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11054) ... skipping else: Preceding "if" was taken
(11054) } # policy split_username_nai = updated
(11054) [preprocess] = ok
(11054) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11054) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11054) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11054) auth_log: EXPAND %t
(11054) auth_log: --> Wed Jun 24 15:00:27 2020
(11054) [auth_log] = ok
(11054) [chap] = noop
(11054) [mschap] = noop
(11054) [digest] = noop
(11054) suffix: Checking for suffix after "@"
(11054) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11054) suffix: No such realm "NULL"
(11054) [suffix] = noop
(11054) eap: Peer sent EAP Response (code 2) ID 6 length 54
(11054) eap: Continuing tunnel setup
(11054) [eap] = ok
(11054) } # authorize = ok
(11054) Found Auth-Type = eap
(11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11054) authenticate {
(11054) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11054) eap: Finished EAP session with state 0xbb52a0a1be54b9af
(11054) eap: Previous EAP request found for state 0xbb52a0a1be54b9af, released from the list
(11054) eap: Peer sent packet with method EAP PEAP (25)
(11054) eap: Calling submodule eap_peap to process data
(11054) eap_peap: Continuing EAP-TLS
(11054) eap_peap: [eaptls verify] = ok
(11054) eap_peap: Done initial handshake
(11054) eap_peap: [eaptls process] = ok
(11054) eap_peap: Session established. Decoding tunneled attributes
(11054) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(11054) eap_peap: Identity - denisson.magalhaes
(11054) eap_peap: Got inner identity 'denisson.magalhaes'
(11054) eap_peap: Setting default EAP type for tunneled EAP session
(11054) eap_peap: Got tunneled request
(11054) eap_peap: EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054) eap_peap: Setting User-Name to denisson.magalhaes
(11054) eap_peap: Sending tunneled request to inner-tunnel
(11054) eap_peap: EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11054) eap_peap: User-Name = "denisson.magalhaes"
(11054) Virtual server inner-tunnel received request
(11054) EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054) FreeRADIUS-Proxied-To = 127.0.0.1
(11054) User-Name = "denisson.magalhaes"
(11054) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(11054) server inner-tunnel {
(11054) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11054) authorize {
(11054) policy filter_username {
(11054) if (&User-Name) {
(11054) if (&User-Name) -> TRUE
(11054) if (&User-Name) {
(11054) if (&User-Name != "%{tolower:%{User-Name}}") {
(11054) EXPAND %{tolower:%{User-Name}}
(11054) --> denisson.magalhaes
(11054) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11054) if (&User-Name =~ /\// ) {
(11054) if (&User-Name =~ /\// ) -> FALSE
(11054) if (&User-Name =~ / /) {
(11054) if (&User-Name =~ / /) -> FALSE
(11054) if (&User-Name =~ /@[^@]*@/ ) {
(11054) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11054) if (&User-Name =~ /\.\./ ) {
(11054) if (&User-Name =~ /\.\./ ) -> FALSE
(11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11054) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11054) if (&User-Name =~ /\.$/) {
(11054) if (&User-Name =~ /\.$/) -> FALSE
(11054) if (&User-Name =~ /@\./) {
(11054) if (&User-Name =~ /@\./) -> FALSE
(11054) } # if (&User-Name) = notfound
(11054) } # policy filter_username = notfound
(11054) policy split_username_nai {
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11054) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054) update request {
(11054) EXPAND %{1}
(11054) --> denisson.magalhaes
(11054) &Stripped-User-Name := denisson.magalhaes
(11054) EXPAND %{3}
(11054) -->
(11054) &Stripped-User-Domain =
(11054) } # update request = noop
(11054) [updated] = updated
(11054) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11054) ... skipping else: Preceding "if" was taken
(11054) } # policy split_username_nai = updated
(11054) [chap] = noop
(11054) [mschap] = noop
(11054) suffix: Checking for suffix after "@"
(11054) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11054) suffix: No such realm "NULL"
(11054) [suffix] = noop
(11054) update control {
(11054) &Proxy-To-Realm := LOCAL
(11054) } # update control = noop
(11054) eap: Peer sent EAP Response (code 2) ID 6 length 23
(11054) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11054) [eap] = ok
(11054) } # authorize = ok
(11054) Found Auth-Type = eap
(11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11054) authenticate {
(11054) eap: Peer sent packet with method EAP Identity (1)
(11054) eap: Calling submodule eap_mschapv2 to process data
(11054) eap_mschapv2: Issuing Challenge
(11054) eap: Sending EAP Request (code 1) ID 7 length 43
(11054) eap: EAP session adding &reply:State = 0x42859db4428287cc
(11054) [eap] = handled
(11054) } # authenticate = handled
(11054) } # server inner-tunnel
(11054) Virtual server sending reply
(11054) EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054) Message-Authenticator = 0x00000000000000000000000000000000
(11054) State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled reply code 11
(11054) eap_peap: EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11054) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled reply RADIUS code 11
(11054) eap_peap: EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11054) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled Access-Challenge
(11054) eap: Sending EAP Request (code 1) ID 7 length 74
(11054) eap: EAP session adding &reply:State = 0xbb52a0a1bd55b9af
(11054) [eap] = handled
(11054) } # authenticate = handled
(11054) Using Post-Auth-Type Challenge
(11054) Post-Auth-Type sub-section not found. Ignoring.
(11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11054) Sent Access-Challenge Id 145 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11054) EAP-Message = 0x0107004a1900170303003f8995cd8a764926562bcf6a8d4e4fc36150939a3009148fd8d27651059f01ecb32a009ed57b2d586e2c8fdfc5574e7a006d90b1d5a56e19f86fd3ae11155229
(11054) Message-Authenticator = 0x00000000000000000000000000000000
(11054) State = 0xbb52a0a1bd55b9afa6d420c8f1230505
(11054) Finished request
(11055) Received Access-Request Id 146 from 10.34.27.220:3489 to 10.34.242.3:1812 length 265
(11055) User-Name = "mpdft"
(11055) NAS-IP-Address = 10.34.27.220
(11055) NAS-Port = 2
(11055) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11055) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11055) Framed-MTU = 1400
(11055) NAS-Port-Type = Wireless-802.11
(11055) Connect-Info = "CONNECT 54Mbps 802.11g"
(11055) EAP-Message = 0x0207006c1900170303006100000000000000024d591a24a1d1ce11848fa5356bb8f2bf4f0862b3b05595d98b477efde9817e3fe9a90e73500086263fa7700d87902ddb01e2a0102b19e6c925e461ae10f42f0f17fda0b9381010aa00b76bb59fa7bf2091764c1fb3a468489a
(11055) State = 0xbb52a0a1bd55b9afa6d420c8f1230505
(11055) Message-Authenticator = 0xb206d85e899e2eb17db70c79d6d07fec
(11055) session-state: No cached attributes
(11055) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11055) authorize {
(11055) policy filter_username {
(11055) if (&User-Name) {
(11055) if (&User-Name) -> TRUE
(11055) if (&User-Name) {
(11055) if (&User-Name != "%{tolower:%{User-Name}}") {
(11055) EXPAND %{tolower:%{User-Name}}
(11055) --> mpdft
(11055) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11055) if (&User-Name =~ /\// ) {
(11055) if (&User-Name =~ /\// ) -> FALSE
(11055) if (&User-Name =~ / /) {
(11055) if (&User-Name =~ / /) -> FALSE
(11055) if (&User-Name =~ /@[^@]*@/ ) {
(11055) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11055) if (&User-Name =~ /\.\./ ) {
(11055) if (&User-Name =~ /\.\./ ) -> FALSE
(11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11055) if (&User-Name =~ /\.$/) {
(11055) if (&User-Name =~ /\.$/) -> FALSE
(11055) if (&User-Name =~ /@\./) {
(11055) if (&User-Name =~ /@\./) -> FALSE
(11055) } # if (&User-Name) = notfound
(11055) } # policy filter_username = notfound
(11055) policy split_username_nai {
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055) update request {
(11055) EXPAND %{1}
(11055) --> mpdft
(11055) &Stripped-User-Name := mpdft
(11055) EXPAND %{3}
(11055) -->
(11055) &Stripped-User-Domain =
(11055) } # update request = noop
(11055) [updated] = updated
(11055) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11055) ... skipping else: Preceding "if" was taken
(11055) } # policy split_username_nai = updated
(11055) [preprocess] = ok
(11055) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11055) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11055) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11055) auth_log: EXPAND %t
(11055) auth_log: --> Wed Jun 24 15:00:27 2020
(11055) [auth_log] = ok
(11055) [chap] = noop
(11055) [mschap] = noop
(11055) [digest] = noop
(11055) suffix: Checking for suffix after "@"
(11055) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11055) suffix: No such realm "NULL"
(11055) [suffix] = noop
(11055) eap: Peer sent EAP Response (code 2) ID 7 length 108
(11055) eap: Continuing tunnel setup
(11055) [eap] = ok
(11055) } # authorize = ok
(11055) Found Auth-Type = eap
(11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11055) authenticate {
(11055) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11055) eap: Finished EAP session with state 0xbb52a0a1bd55b9af
(11055) eap: Previous EAP request found for state 0xbb52a0a1bd55b9af, released from the list
(11055) eap: Peer sent packet with method EAP PEAP (25)
(11055) eap: Calling submodule eap_peap to process data
(11055) eap_peap: Continuing EAP-TLS
(11055) eap_peap: [eaptls verify] = ok
(11055) eap_peap: Done initial handshake
(11055) eap_peap: [eaptls process] = ok
(11055) eap_peap: Session established. Decoding tunneled attributes
(11055) eap_peap: PEAP state phase2
(11055) eap_peap: EAP method MSCHAPv2 (26)
(11055) eap_peap: Got tunneled request
(11055) eap_peap: EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055) eap_peap: Setting User-Name to denisson.magalhaes
(11055) eap_peap: Sending tunneled request to inner-tunnel
(11055) eap_peap: EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11055) eap_peap: User-Name = "denisson.magalhaes"
(11055) eap_peap: State = 0x42859db4428287cc3b9481c4f9ea1542
(11055) Virtual server inner-tunnel received request
(11055) EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055) FreeRADIUS-Proxied-To = 127.0.0.1
(11055) User-Name = "denisson.magalhaes"
(11055) State = 0x42859db4428287cc3b9481c4f9ea1542
(11055) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(11055) server inner-tunnel {
(11055) session-state: No cached attributes
(11055) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055) authorize {
(11055) policy filter_username {
(11055) if (&User-Name) {
(11055) if (&User-Name) -> TRUE
(11055) if (&User-Name) {
(11055) if (&User-Name != "%{tolower:%{User-Name}}") {
(11055) EXPAND %{tolower:%{User-Name}}
(11055) --> denisson.magalhaes
(11055) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11055) if (&User-Name =~ /\// ) {
(11055) if (&User-Name =~ /\// ) -> FALSE
(11055) if (&User-Name =~ / /) {
(11055) if (&User-Name =~ / /) -> FALSE
(11055) if (&User-Name =~ /@[^@]*@/ ) {
(11055) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11055) if (&User-Name =~ /\.\./ ) {
(11055) if (&User-Name =~ /\.\./ ) -> FALSE
(11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11055) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11055) if (&User-Name =~ /\.$/) {
(11055) if (&User-Name =~ /\.$/) -> FALSE
(11055) if (&User-Name =~ /@\./) {
(11055) if (&User-Name =~ /@\./) -> FALSE
(11055) } # if (&User-Name) = notfound
(11055) } # policy filter_username = notfound
(11055) policy split_username_nai {
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11055) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055) update request {
(11055) EXPAND %{1}
(11055) --> denisson.magalhaes
(11055) &Stripped-User-Name := denisson.magalhaes
(11055) EXPAND %{3}
(11055) -->
(11055) &Stripped-User-Domain =
(11055) } # update request = noop
(11055) [updated] = updated
(11055) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11055) ... skipping else: Preceding "if" was taken
(11055) } # policy split_username_nai = updated
(11055) [chap] = noop
(11055) [mschap] = noop
(11055) suffix: Checking for suffix after "@"
(11055) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11055) suffix: No such realm "NULL"
(11055) [suffix] = noop
(11055) update control {
(11055) &Proxy-To-Realm := LOCAL
(11055) } # update control = noop
(11055) eap: Peer sent EAP Response (code 2) ID 7 length 77
(11055) eap: No EAP Start, assuming it's an on-going EAP conversation
(11055) [eap] = updated
(11055) files: users: Matched entry DEFAULT at line 90
(11055) [files] = ok
(11055) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11055) sql: --> denisson.magalhaes
(11055) sql: SQL-User-Name set to 'denisson.magalhaes'
(11055) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11055) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11055) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11055) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11055) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11055) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11055) sql: User not found in any groups
(11055) [sql] = notfound
(11055) [expiration] = noop
(11055) [logintime] = noop
(11055) [pap] = noop
(11055) } # authorize = updated
(11055) Found Auth-Type = eap
(11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055) authenticate {
(11055) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11055) eap: Finished EAP session with state 0x42859db4428287cc
(11055) eap: Previous EAP request found for state 0x42859db4428287cc, released from the list
(11055) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11055) eap: Calling submodule eap_mschapv2 to process data
(11055) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055) eap_mschapv2: authenticate {
(11055) mschap: Creating challenge hash with username: denisson.magalhaes
(11055) mschap: Client is using MS-CHAPv2
(11055) mschap: EXPAND %{mschap:User-Name}
(11055) mschap: --> denisson.magalhaes
(11055) mschap: ERROR: No NT-Domain was found in the User-Name
(11055) mschap: EXPAND %{mschap:NT-Domain}
(11055) mschap: -->
(11055) mschap: sending authentication request user='denisson.magalhaes' domain=''
(11055) mschap: Authenticated successfully
(11055) mschap: Adding MS-CHAPv2 MPPE keys
(11055) [mschap] = ok
(11055) } # authenticate = ok
(11055) MSCHAP Success
(11055) eap: Sending EAP Request (code 1) ID 8 length 51
(11055) eap: EAP session adding &reply:State = 0x42859db4438d87cc
(11055) [eap] = handled
(11055) } # authenticate = handled
(11055) } # server inner-tunnel
(11055) Virtual server sending reply
(11055) Idle-Timeout = 300
(11055) EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055) Message-Authenticator = 0x00000000000000000000000000000000
(11055) State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled reply code 11
(11055) eap_peap: Idle-Timeout = 300
(11055) eap_peap: EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11055) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled reply RADIUS code 11
(11055) eap_peap: Idle-Timeout = 300
(11055) eap_peap: EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11055) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled Access-Challenge
(11055) eap: Sending EAP Request (code 1) ID 8 length 82
(11055) eap: EAP session adding &reply:State = 0xbb52a0a1bc5ab9af
(11055) [eap] = handled
(11055) } # authenticate = handled
(11055) Using Post-Auth-Type Challenge
(11055) Post-Auth-Type sub-section not found. Ignoring.
(11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11055) Sent Access-Challenge Id 146 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11055) EAP-Message = 0x01080052190017030300478995cd8a764926570ee0b4bf6e9b90dd0bdaa8f1f13a3d44bceb60b3d4c779cd0e31ebfbe40fa16df76e27769cdfcc6b9f3fefc910c56308bef902dc01e91b87251ed4fa655992
(11055) Message-Authenticator = 0x00000000000000000000000000000000
(11055) State = 0xbb52a0a1bc5ab9afa6d420c8f1230505
(11055) Finished request
(11056) Received Access-Request Id 147 from 10.34.27.220:3489 to 10.34.242.3:1812 length 194
(11056) User-Name = "mpdft"
(11056) NAS-IP-Address = 10.34.27.220
(11056) NAS-Port = 2
(11056) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11056) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11056) Framed-MTU = 1400
(11056) NAS-Port-Type = Wireless-802.11
(11056) Connect-Info = "CONNECT 54Mbps 802.11g"
(11056) EAP-Message = 0x020800251900170303001a00000000000000030c71fdcc8d24f633a88e6aa816fe57085c9a
(11056) State = 0xbb52a0a1bc5ab9afa6d420c8f1230505
(11056) Message-Authenticator = 0xef807e88c37c705c6ec3fa5bbcc830e6
(11056) session-state: No cached attributes
(11056) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11056) authorize {
(11056) policy filter_username {
(11056) if (&User-Name) {
(11056) if (&User-Name) -> TRUE
(11056) if (&User-Name) {
(11056) if (&User-Name != "%{tolower:%{User-Name}}") {
(11056) EXPAND %{tolower:%{User-Name}}
(11056) --> mpdft
(11056) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11056) if (&User-Name =~ /\// ) {
(11056) if (&User-Name =~ /\// ) -> FALSE
(11056) if (&User-Name =~ / /) {
(11056) if (&User-Name =~ / /) -> FALSE
(11056) if (&User-Name =~ /@[^@]*@/ ) {
(11056) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11056) if (&User-Name =~ /\.\./ ) {
(11056) if (&User-Name =~ /\.\./ ) -> FALSE
(11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11056) if (&User-Name =~ /\.$/) {
(11056) if (&User-Name =~ /\.$/) -> FALSE
(11056) if (&User-Name =~ /@\./) {
(11056) if (&User-Name =~ /@\./) -> FALSE
(11056) } # if (&User-Name) = notfound
(11056) } # policy filter_username = notfound
(11056) policy split_username_nai {
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056) update request {
(11056) EXPAND %{1}
(11056) --> mpdft
(11056) &Stripped-User-Name := mpdft
(11056) EXPAND %{3}
(11056) -->
(11056) &Stripped-User-Domain =
(11056) } # update request = noop
(11056) [updated] = updated
(11056) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11056) ... skipping else: Preceding "if" was taken
(11056) } # policy split_username_nai = updated
(11056) [preprocess] = ok
(11056) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11056) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11056) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11056) auth_log: EXPAND %t
(11056) auth_log: --> Wed Jun 24 15:00:27 2020
(11056) [auth_log] = ok
(11056) [chap] = noop
(11056) [mschap] = noop
(11056) [digest] = noop
(11056) suffix: Checking for suffix after "@"
(11056) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11056) suffix: No such realm "NULL"
(11056) [suffix] = noop
(11056) eap: Peer sent EAP Response (code 2) ID 8 length 37
(11056) eap: Continuing tunnel setup
(11056) [eap] = ok
(11056) } # authorize = ok
(11056) Found Auth-Type = eap
(11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11056) authenticate {
(11056) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11056) eap: Finished EAP session with state 0xbb52a0a1bc5ab9af
(11056) eap: Previous EAP request found for state 0xbb52a0a1bc5ab9af, released from the list
(11056) eap: Peer sent packet with method EAP PEAP (25)
(11056) eap: Calling submodule eap_peap to process data
(11056) eap_peap: Continuing EAP-TLS
(11056) eap_peap: [eaptls verify] = ok
(11056) eap_peap: Done initial handshake
(11056) eap_peap: [eaptls process] = ok
(11056) eap_peap: Session established. Decoding tunneled attributes
(11056) eap_peap: PEAP state phase2
(11056) eap_peap: EAP method MSCHAPv2 (26)
(11056) eap_peap: Got tunneled request
(11056) eap_peap: EAP-Message = 0x020800061a03
(11056) eap_peap: Setting User-Name to denisson.magalhaes
(11056) eap_peap: Sending tunneled request to inner-tunnel
(11056) eap_peap: EAP-Message = 0x020800061a03
(11056) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11056) eap_peap: User-Name = "denisson.magalhaes"
(11056) eap_peap: State = 0x42859db4438d87cc3b9481c4f9ea1542
(11056) Virtual server inner-tunnel received request
(11056) EAP-Message = 0x020800061a03
(11056) FreeRADIUS-Proxied-To = 127.0.0.1
(11056) User-Name = "denisson.magalhaes"
(11056) State = 0x42859db4438d87cc3b9481c4f9ea1542
(11056) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(11056) server inner-tunnel {
(11056) session-state: No cached attributes
(11056) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056) authorize {
(11056) policy filter_username {
(11056) if (&User-Name) {
(11056) if (&User-Name) -> TRUE
(11056) if (&User-Name) {
(11056) if (&User-Name != "%{tolower:%{User-Name}}") {
(11056) EXPAND %{tolower:%{User-Name}}
(11056) --> denisson.magalhaes
(11056) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11056) if (&User-Name =~ /\// ) {
(11056) if (&User-Name =~ /\// ) -> FALSE
(11056) if (&User-Name =~ / /) {
(11056) if (&User-Name =~ / /) -> FALSE
(11056) if (&User-Name =~ /@[^@]*@/ ) {
(11056) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11056) if (&User-Name =~ /\.\./ ) {
(11056) if (&User-Name =~ /\.\./ ) -> FALSE
(11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11056) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11056) if (&User-Name =~ /\.$/) {
(11056) if (&User-Name =~ /\.$/) -> FALSE
(11056) if (&User-Name =~ /@\./) {
(11056) if (&User-Name =~ /@\./) -> FALSE
(11056) } # if (&User-Name) = notfound
(11056) } # policy filter_username = notfound
(11056) policy split_username_nai {
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11056) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056) update request {
(11056) EXPAND %{1}
(11056) --> denisson.magalhaes
(11056) &Stripped-User-Name := denisson.magalhaes
(11056) EXPAND %{3}
(11056) -->
(11056) &Stripped-User-Domain =
(11056) } # update request = noop
(11056) [updated] = updated
(11056) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11056) ... skipping else: Preceding "if" was taken
(11056) } # policy split_username_nai = updated
(11056) [chap] = noop
(11056) [mschap] = noop
(11056) suffix: Checking for suffix after "@"
(11056) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11056) suffix: No such realm "NULL"
(11056) [suffix] = noop
(11056) update control {
(11056) &Proxy-To-Realm := LOCAL
(11056) } # update control = noop
(11056) eap: Peer sent EAP Response (code 2) ID 8 length 6
(11056) eap: No EAP Start, assuming it's an on-going EAP conversation
(11056) [eap] = updated
(11056) files: users: Matched entry DEFAULT at line 90
(11056) [files] = ok
(11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11056) sql: --> denisson.magalhaes
(11056) sql: SQL-User-Name set to 'denisson.magalhaes'
(11056) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11056) sql: --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11056) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11056) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11056) sql: --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11056) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11056) sql: User not found in any groups
(11056) [sql] = notfound
(11056) [expiration] = noop
(11056) [logintime] = noop
(11056) [pap] = noop
(11056) } # authorize = updated
(11056) Found Auth-Type = eap
(11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056) authenticate {
(11056) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11056) eap: Finished EAP session with state 0x42859db4438d87cc
(11056) eap: Previous EAP request found for state 0x42859db4438d87cc, released from the list
(11056) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11056) eap: Calling submodule eap_mschapv2 to process data
(11056) eap: Sending EAP Success (code 3) ID 8 length 4
(11056) eap: Freeing handler
(11056) [eap] = ok
(11056) } # authenticate = ok
(11056) # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056) session {
(11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11056) sql: --> denisson.magalhaes
(11056) sql: SQL-User-Name set to 'denisson.magalhaes'
(11056) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(11056) sql: --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11056) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11056) [sql] = ok
(11056) } # session = ok
(11056) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056) post-auth {
(11056) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(11056) reply_log: --> /var/log/freeradius/radacct/10.34.27.220/reply-detail
(11056) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.27.220/reply-detail
(11056) reply_log: EXPAND %t
(11056) reply_log: --> Wed Jun 24 15:00:27 2020
(11056) [reply_log] = ok
(11056) update outer.session-state {
(11056) User-Name := &request:User-Name -> 'denisson.magalhaes'
(11056) } # update outer.session-state = noop
(11056) } # post-auth = ok
(11056) Login OK: [denisson.magalhaes] (from client AP-SD1-A07-Q01 port 0 via TLS tunnel)
(11056) } # server inner-tunnel
(11056) Virtual server sending reply
(11056) Idle-Timeout = 300
(11056) MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056) MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056) MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056) EAP-Message = 0x03080004
(11056) Message-Authenticator = 0x00000000000000000000000000000000
(11056) Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Got tunneled reply code 2
(11056) eap_peap: Idle-Timeout = 300
(11056) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056) eap_peap: MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056) eap_peap: MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056) eap_peap: EAP-Message = 0x03080004
(11056) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11056) eap_peap: Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Got tunneled reply RADIUS code 2
(11056) eap_peap: Idle-Timeout = 300
(11056) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056) eap_peap: MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056) eap_peap: MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056) eap_peap: EAP-Message = 0x03080004
(11056) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11056) eap_peap: Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Tunneled authentication was successful
(11056) eap_peap: SUCCESS
(11056) eap: Sending EAP Request (code 1) ID 9 length 46
(11056) eap: EAP session adding &reply:State = 0xbb52a0a1b35bb9af
(11056) [eap] = handled
(11056) } # authenticate = handled
(11056) Using Post-Auth-Type Challenge
(11056) Post-Auth-Type sub-section not found. Ignoring.
(11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11056) session-state: Saving cached attributes
(11056) User-Name := "denisson.magalhaes"
(11056) Sent Access-Challenge Id 147 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11056) EAP-Message = 0x0109002e190017030300238995cd8a7649265810e5b3e27abcad75ff296090e62e67146c82208d190ceeacb5d460
(11056) Message-Authenticator = 0x00000000000000000000000000000000
(11056) State = 0xbb52a0a1b35bb9afa6d420c8f1230505
(11056) Finished request
(11057) Received Access-Request Id 148 from 10.34.27.220:3489 to 10.34.242.3:1812 length 203
(11057) User-Name = "mpdft"
(11057) NAS-IP-Address = 10.34.27.220
(11057) NAS-Port = 2
(11057) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11057) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11057) Framed-MTU = 1400
(11057) NAS-Port-Type = Wireless-802.11
(11057) Connect-Info = "CONNECT 54Mbps 802.11g"
(11057) EAP-Message = 0x0209002e1900170303002300000000000000042a5735c1019043f4750eb742ccd3d54f92363af7bf12b2cdada0db
(11057) State = 0xbb52a0a1b35bb9afa6d420c8f1230505
(11057) Message-Authenticator = 0xb335bdc2af14c15b83e0f5d023601714
(11057) Restoring &session-state
(11057) &session-state:User-Name := "denisson.magalhaes"
(11057) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11057) authorize {
(11057) policy filter_username {
(11057) if (&User-Name) {
(11057) if (&User-Name) -> TRUE
(11057) if (&User-Name) {
(11057) if (&User-Name != "%{tolower:%{User-Name}}") {
(11057) EXPAND %{tolower:%{User-Name}}
(11057) --> mpdft
(11057) if (&User-Name != "%{tolower:%{User-Name}}") -> FALSE
(11057) if (&User-Name =~ /\// ) {
(11057) if (&User-Name =~ /\// ) -> FALSE
(11057) if (&User-Name =~ / /) {
(11057) if (&User-Name =~ / /) -> FALSE
(11057) if (&User-Name =~ /@[^@]*@/ ) {
(11057) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11057) if (&User-Name =~ /\.\./ ) {
(11057) if (&User-Name =~ /\.\./ ) -> FALSE
(11057) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11057) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11057) if (&User-Name =~ /\.$/) {
(11057) if (&User-Name =~ /\.$/) -> FALSE
(11057) if (&User-Name =~ /@\./) {
(11057) if (&User-Name =~ /@\./) -> FALSE
(11057) } # if (&User-Name) = notfound
(11057) } # policy filter_username = notfound
(11057) policy split_username_nai {
(11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11057) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11057) update request {
(11057) EXPAND %{1}
(11057) --> mpdft
(11057) &Stripped-User-Name := mpdft
(11057) EXPAND %{3}
(11057) -->
(11057) &Stripped-User-Domain =
(11057) } # update request = noop
(11057) [updated] = updated
(11057) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11057) ... skipping else: Preceding "if" was taken
(11057) } # policy split_username_nai = updated
(11057) [preprocess] = ok
(11057) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11057) auth_log: --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11057) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11057) auth_log: EXPAND %t
(11057) auth_log: --> Wed Jun 24 15:00:27 2020
(11057) [auth_log] = ok
(11057) [chap] = noop
(11057) [mschap] = noop
(11057) [digest] = noop
(11057) suffix: Checking for suffix after "@"
(11057) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11057) suffix: No such realm "NULL"
(11057) [suffix] = noop
(11057) eap: Peer sent EAP Response (code 2) ID 9 length 46
(11057) eap: Continuing tunnel setup
(11057) [eap] = ok
(11057) } # authorize = ok
(11057) Found Auth-Type = eap
(11057) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11057) authenticate {
(11057) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11057) eap: Finished EAP session with state 0xbb52a0a1b35bb9af
(11057) eap: Previous EAP request found for state 0xbb52a0a1b35bb9af, released from the list
(11057) eap: Peer sent packet with method EAP PEAP (25)
(11057) eap: Calling submodule eap_peap to process data
(11057) eap_peap: Continuing EAP-TLS
(11057) eap_peap: [eaptls verify] = ok
(11057) eap_peap: Done initial handshake
(11057) eap_peap: [eaptls process] = ok
(11057) eap_peap: Session established. Decoding tunneled attributes
(11057) eap_peap: PEAP state send tlv success
(11057) eap_peap: Received EAP-TLV response
(11057) eap_peap: Success
(11057) eap: Sending EAP Success (code 3) ID 9 length 4
(11057) eap: Freeing handler
(11057) [eap] = ok
(11057) } # authenticate = ok
(11057) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(11057) post-auth {
(11057) update {
(11057) &reply::User-Name += &session-state:User-Name[*] -> 'denisson.magalhaes'
(11057) } # update = noop
(11057) sql: EXPAND .query
(11057) sql: --> .query
(11057) sql: Using query template 'query'
(11057) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11057) sql: --> mpdft
(11057) sql: SQL-User-Name set to 'mpdft'
(11057) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(11057) sql: --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627))
(11057) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627))
(11057) sql: SQL query returned: success
(11057) sql: 1 record(s) updated
(11057) [sql] = ok
(11057) [exec] = noop
(11057) policy remove_reply_message_if_eap {
(11057) if (&reply:EAP-Message && &reply:Reply-Message) {
(11057) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11057) else {
(11057) [noop] = noop
(11057) } # else = noop
(11057) } # policy remove_reply_message_if_eap = noop
(11057) } # post-auth = ok
(11057) Login OK: [mpdft] (from client AP-SD1-A07-Q01 port 2 cli A8-16-D0-C6-45-D3)
(11057) Sent Access-Accept Id 148 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11057) MS-MPPE-Recv-Key = 0xbafc3f0b8b2ee70c827cea2182df7129b67364884f6e0fa5221f8dbbd5ce911c
(11057) MS-MPPE-Send-Key = 0x70a6a9086da56a737960ddfdc624c60cd5cbcf5de4e547b0691b74df50815224
(11057) EAP-Message = 0x03090004
(11057) Message-Authenticator = 0x00000000000000000000000000000000
(11057) User-Name += "denisson.magalhaes"
(11057) Finished request
(11058) Received Accounting-Request Id 149 from 10.34.27.220:3491 to 10.34.242.3:1813 length 144
(11058) Acct-Session-Id = "38D550D0-00000013"
(11058) Acct-Status-Type = Start
(11058) Acct-Authentic = RADIUS
(11058) User-Name = "mpdft"
(11058) NAS-IP-Address = 10.34.27.220
(11058) NAS-Port = 2
(11058) Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11058) Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11058) NAS-Port-Type = Wireless-802.11
(11058) Connect-Info = "CONNECT 54Mbps 802.11g"
(11058) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(11058) preacct {
(11058) [preprocess] = ok
(11058) policy split_username_nai {
(11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) -> TRUE
(11058) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11058) update request {
(11058) EXPAND %{1}
(11058) --> mpdft
(11058) &Stripped-User-Name := mpdft
(11058) EXPAND %{3}
(11058) -->
(11058) &Stripped-User-Domain =
(11058) } # update request = noop
(11058) [updated] = updated
(11058) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) = updated
(11058) ... skipping else: Preceding "if" was taken
(11058) } # policy split_username_nai = updated
(11058) update request {
(11058) EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(11058) --> 1593021627
(11058) FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 15:00:27 -03
(11058) } # update request = noop
(11058) policy acct_unique {
(11058) update request {
(11058) Tmp-String-9 := "ai:"
(11058) } # update request = noop
(11058) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11058) EXPAND %{hex:&Class}
(11058) -->
(11058) EXPAND ^%{hex:&Tmp-String-9}
(11058) --> ^61693a
(11058) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(11058) else {
(11058) update request {
(11058) EXPAND %{Acct-Session-ID}
(11058) --> 38D550D0-00000013
(11058) &Acct-Unique-Session-Id := 38D550D0-00000013
(11058) EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(11058) --> mpdft
(11058) &Acct-Unique-Session-Id := mpdft
(11058) EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}}
(11058) --> 1c92c41b581f7829c15ebabed38f906d
(11058) &Acct-Unique-Session-Id := 1c92c41b581f7829c15ebabed38f906d
(11058) } # update request = noop
(11058) } # else = noop
(11058) } # policy acct_unique = noop
(11058) suffix: Checking for suffix after "@"
(11058) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11058) suffix: No such realm "NULL"
(11058) [suffix] = noop
(11058) files: acct_users: Matched entry DEFAULT at line 22
(11058) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(11058) files: --> mpdft
(11058) [files] = ok
(11058) } # preacct = updated
(11058) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(11058) accounting {
(11058) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(11058) log_accounting: --> Accounting-Request.Start
(11058) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(11058) log_accounting: --> Wed, 24-06-2020 15:00:27 Connect: [mpdft] (did 5C-D9-98-14-22-88:MPDFT cli A8-16-D0-C6-45-D3 port 2 ip )
(11058) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(11058) log_accounting: --> /var/log/freeradius/linelog-accounting
(11058) [log_accounting] = ok
(11058) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(11058) sql: --> type.start.query
(11058) sql: Using query template 'query'
(11058) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11058) sql: --> mpdft
(11058) sql: SQL-User-Name set to 'mpdft'
(11058) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(11058) sql: --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet)
(11058) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet)
(11058) sql: SQL query returned: success
(11058) sql: 1 record(s) updated
(11058) [sql] = ok
(11058) if (&request:Acct-Status-Type == start) {
(11058) if (&request:Acct-Status-Type == start) -> TRUE
(11058) if (&request:Acct-Status-Type == start) {
(11058) EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11058) --> mpdft
(11058) SQL-User-Name set to 'mpdft'
(11058) Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593021627), AcctUpdateTime = TO_TIMESTAMP(1593021627), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = 'mpdft' AND AcctUniqueId <> '1c92c41b581f7829c15ebabed38f906d' AND CallingStationId = 'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11058) SQL query affected no rows
(11058) EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(11058) -->
(11058) } # if (&request:Acct-Status-Type == start) = ok
(11058) [exec] = noop
(11058) attr_filter.accounting_response: EXPAND %{User-Name}
(11058) attr_filter.accounting_response: --> mpdft
(11058) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11058) [attr_filter.accounting_response] = updated
(11058) } # accounting = updated
(11058) Sent Accounting-Response Id 149 from 10.34.242.3:1813 to 10.34.27.220:3491 length 0
(11058) Finished request
(11058) Cleaning up request packet ID 149 with timestamp +2547
(11048) Cleaning up request packet ID 139 with timestamp +2547
(11049) Cleaning up request packet ID 140 with timestamp +2547
(11050) Cleaning up request packet ID 141 with timestamp +2547
(11051) Cleaning up request packet ID 142 with timestamp +2547
(11052) Cleaning up request packet ID 143 with timestamp +2547
(11053) Cleaning up request packet ID 144 with timestamp +2547
(11054) Cleaning up request packet ID 145 with timestamp +2547
(11055) Cleaning up request packet ID 146 with timestamp +2547
(11056) Cleaning up request packet ID 147 with timestamp +2547
(11057) Cleaning up request packet ID 148 with timestamp +2547
============== MY INNER-TUNNEL VS ============
root at vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/inner-tunnel | less
# Virtual server for the request carried inside the EAP tunnel (PEAP/TTLS).
# Its only listener is the loopback socket below.
# NOTE(review): this listing has no closing brace for the server block.
# Presumably that line carried a trailing comment and was dropped by the
# grep filter shown above, which removes every line containing '#'.
server inner-tunnel {
listen {
ipaddr = 127.0.0.1
port = 18120
type = auth
}
# authorize: filter and split the identity, then let each module decide
# whether it can handle the request.
authorize {
filter_username
split_username_nai
chap
mschap
suffix
# Mark the request to be handled locally rather than proxied to a realm.
update control {
&Proxy-To-Realm := LOCAL
}
# If eap returns ok, stop processing this section at that point.
eap {
ok = return
}
files
sql
# A leading '-' makes the module optional: it is skipped without an
# error when it is not configured.
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
eap
}
session {
sql
}
post-auth {
reply_log
# Reject path: filter the reply and pass the failure reason to the
# outer request's session-state.
Post-Auth-Type REJECT {
attr_filter.access_reject
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
# Accept path: copy the tunnelled (inner) User-Name into the outer
# request's session-state. The default server's post-auth adds
# session-state to the reply, so this identity goes back to the NAS in
# the Access-Accept.
# NOTE(review): User-Name is not encrypted in a RADIUS reply, so the real
# identity that the anonymous outer identity was hiding becomes visible
# on the NAS-to-server path. Confirm that path is trusted or protected.
# NOTE(review): this copy happens only when the inner tunnel runs. If TLS
# session resumption is enabled in the eap module, a resumed session may
# skip the inner tunnel. That is one thing to check for the sessions
# whose accounting still shows the outer identity.
update outer.session-state {
User-Name := &request:User-Name
}
}
pre-proxy {
pre_proxy_log
}
post-proxy {
filter_username
split_username_nai
post_proxy_log
eap
}
============== MY DEFAULT VS ============
root at vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/default
# Virtual server for requests arriving from the NAS devices: the outer
# authentication and the accounting traffic.
server default {
# Authentication listener on all IPv4 addresses. port = 0 selects the
# standard port; the trace in this post shows 1812 for auth and 1813 for acct.
listen {
type = auth
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Accounting listener on all IPv4 addresses.
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
# NOTE(review): no address line appears in this listener. Presumably the
# original line carried a trailing comment and was removed by the grep
# filter, which drops every line containing '#'. Check the file itself to
# see which address this socket binds to.
listen {
type = auth
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
# Accounting listener on all IPv6 addresses.
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
# authorize: runs for every Access-Request. The identity seen here is the
# outer one, which the client may set to an anonymous value.
authorize {
filter_username
split_username_nai
preprocess
auth_log
chap
mschap
digest
suffix
# If eap returns ok, stop processing this section at that point.
eap {
ok = return
}
files
sql
# A leading '-' makes the module optional: it is skipped without an
# error when it is not configured.
-ldap
expiration
logintime
# When the preceding module returned ok, turn off ntlm_auth for MS-CHAP.
if (ok) {
update control {
MS-CHAP-Use-NTLM-Auth := No
}
}
pap
}
authenticate {
Auth-Type NTLM_AUTH {
ntlm_auth
}
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
# preacct: prepare an Accounting-Request before it is recorded.
preacct {
preprocess
split_username_nai
# Session start time = current time minus Acct-Session-Time minus
# Acct-Delay-Time, each defaulting to 0 when absent.
update request {
FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
}
# In the trace above, acct_unique ends by setting Acct-Unique-Session-Id to
# an MD5 over the user name, Acct-Session-ID and Calling-Station-Id. The id
# therefore depends on which identity the NAS puts in its accounting packets.
acct_unique
suffix
files
}
accounting {
log_accounting
sql
# On a Start record, close any row still open for the same user name and
# Calling-Station-Id under a different AcctUniqueId, marking it as
# 'Stalled-session'.
# Values sent by the NAS (User-Name, Connect-Info, Calling-Station-Id) are
# expanded into the SQL text inside quotes.
# NOTE(review): this relies on the sql module escaping expanded values
# (its safe_characters setting). Confirm that setting has not been loosened.
if (&request:Acct-Status-Type == start) {
%{sql:UPDATE radacct \
SET \
AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \
AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \
AcctTerminateCause = 'Stalled-session', \
ConnectInfo_stop = '%{Connect-Info}' \
WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' \
AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' \
AND CallingStationId = '%{Calling-Station-Id}' \
AND AcctStopTime IS NULL}
}
exec
attr_filter.accounting_response
Acct-Type Status-Server {
}
}
session {
sql
}
post-auth {
# Append every attribute held in session-state to the reply. This is how
# the User-Name stored by the inner-tunnel server reaches the Access-Accept.
# NOTE(review): the copy is unconditional, so anything else placed in
# session-state is also sent to the NAS. Keep that list limited to
# attributes meant to leave the server.
update {
&reply: += &session-state:
}
sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
filter_username
split_username_nai
eap
}
}