MSCHAP DC Server Authentication winbind reply failed
Vertigo Altair
vertigo.altair at gmail.com
Tue Jun 22 09:29:12 CEST 2021
Thanks for your help, but when I run ntlm_auth and wbinfo manually, there
is no problem. Therefore I thought I might have misconfigured something on
the FreeRADIUS side.
On Tue, 22 Jun 2021 at 10:12, L.P.H. van Belle via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:
> I think you should fix your samba setup first.
>
> Your smb.conf is not correctly setup and without that being correctly
> ntlm_auth is not going to work in free radius
>
> Read :
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> And read :
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> For FreeRadius and auth only, RID (or autorid) setup is sufficient
>
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: Freeradius-Users
> > [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freerad
> > ius.org] Namens Vertigo Altair
> > Verzonden: maandag 21 juni 2021 21:26
> > Aan: FreeRadius users mailing list
> > Onderwerp: MSCHAP DC Server Authentication winbind reply failed
> >
> > Hi FreeRADIUS!
> >
> > I'm trying to use FreeRADIUS with MSCHAP through a DC server.
> > However, I'm
> > getting an error like "winbind reply failed!"
> >
> > I'm running on OpenBSD 6.9.
> >
> >
> > FreeRADIUS version:
> >
> > # /usr/local/sbin/radiusd -v | head -1
> > radiusd: FreeRADIUS Version 3.0.21, for host
> > x86_64-unknown-openbsd6.9,
> > built on Apr 20 2021 at 05:14:02
> > #
> >
> >
> > My configuration is like that;
> >
> > =============
> >
> > # cat /etc/samba/smb.conf
> > [global]
> >
> > winbind use default domain = no
> > security = ads
> > netbios name = myhost
> > workgroup = MYWORKGROUP
> > realm = zz.example.com
> > password server = zz.example.com
> >
> > ==============
> >
> > I joined the DC server successfully;
> >
> > # net join -U myadmin
> > Using short domain name -- XX
> > Joined 'YY' to dns domain 'zz.example.com'
> > No DNS domain configured for myhost. Unable to perform DNS Update.
> >
> > =============
> > I can make challange based authentication with wbinfo;
> >
> > # wbinfo -a myuser%mypass
> > plaintext password authentication failed <<< FAIL
> > Could not authenticate user myuser%mypass with plaintext password
> > challenge/response password authentication succeeded
> > #
> >
> > ===============
> >
> > And also with ntlm_auth;
> >
> > # ntlm_auth --request-nt-key --username myuser
> > Password: myuser
> > NT_STATUS_OK: The operation completed successfully. (0x0)
> > #
> >
> > ==================
> >
> > I've created a user named "winbindd_priv" and added this user the
> > _freeradius group to access winbind privileged socket from FreeRADIUS
> >
> > # cat /etc/group |grep winbind
> > winbindd_priv:*:1000:_freeradius
> >
> > # ls -la /var/run/samba/winbindd*
> > -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39
> > /var/run/samba/winbindd.pid
> >
> > /var/run/samba/winbindd:
> > srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe
> > #
> >
> > ===================
> >
> > I couldn't see anything wrong there, I followed the official
> > documentation
> > properly. I'm getting "winbind reply failed!" error anyway.
> >
> > The full output from radiusd -X;
> >
> > ======================
> >
> >
> > (0) Received Access-Request Id 25 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 338
> > (0) User-Name = "mypc-pc\\Administrator"
> > (0) NAS-Port = 20497
> > (0) Service-Type = Framed-User
> > (0) Framed-Protocol = PPP
> > (0) Calling-Station-Id = "44a8-42f7-952d"
> > (0) NAS-Identifier = "S5735_K6_SW1"
> > (0) NAS-Port-Type = Ethernet
> > (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (0) EAP-Message =
> > 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72
> > (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e
> > (0) Called-Station-Id = "44-67-47-26-F7-90"
> > (0) NAS-IP-Address = 172.100.0.60
> > (0) Framed-MTU = 1500
> > (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (0) Huawei-Startup-Stamp = 1589932873
> > (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (0) Huawei-Connect-ID = 45
> > (0) Huawei-Version = "Huawei S5735"
> > (0) Huawei-Product-ID = "S5735"
> > (0) Huawei-User-Mac = "\000\000\000\001"
> > (0) Huawei-Domain-Name = "default"
> > (0) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (0) authorize {
> > (0) update {
> > (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (0) EXPAND --username=%{User-Name}
> > (0) --> --username=mypc-pc\\Administrator
> > (0) EXPAND --calledStationID=%{Called-Station-Id}
> > (0) --> --calledStationID=44-67-47-26-F7-90
> > (0) EXPAND --callingStationID=%{Calling-Station-Id}
> > (0) --> --callingStationID=44a8-42f7-952d
> > (0) EXPAND --connectInfo=%{Connect-Info}
> > (0) --> --connectInfo=
> > (0) EXPAND --framedMTU=%{Framed-MTU}
> > (0) --> --framedMTU=1500
> > (0) EXPAND --framedProtocol=%{Framed-Protocol}
> > (0) --> --framedProtocol=PPP
> > (0) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (0) --> --nasIdentifier=S5735_K6_SW1
> > (0) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (0) --> --nasIPAddress=172.100.0.60
> > (0) EXPAND --nasPort=%{NAS-Port}
> > (0) --> --nasPort=20497
> > (0) EXPAND --nasPortID=%{NAS-Port-Id}
> > (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (0) EXPAND --nasPortType=%{NAS-Port-Type}
> > (0) --> --nasPortType=Ethernet
> > (0) EXPAND --serviceType=%{Service-Type}
> > (0) --> --serviceType=Framed-User
> > (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (0) --> --tunnelMediumType=
> > (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (0) --> --tunnelPrivateGroupID=
> > (0) EXPAND --tunnelType=%{Tunnel-Type}
> > (0) --> --tunnelType=
> > (0) Program returned code (0) and output 'Reply-Message :=""'
> > (0) control::Reply-Message :=
> > (0) } # update = noop
> > (0) policy filter_username {
> > (0) if (&User-Name) {
> > (0) if (&User-Name) -> TRUE
> > (0) if (&User-Name) {
> > (0) if (&User-Name =~ / /) {
> > (0) if (&User-Name =~ / /) -> FALSE
> > (0) if (&User-Name =~ /@[^@]*@/ ) {
> > (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (0) if (&User-Name =~ /\.\./ ) {
> > (0) if (&User-Name =~ /\.\./ ) -> FALSE
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (0) if (&User-Name =~ /\.$/) {
> > (0) if (&User-Name =~ /\.$/) -> FALSE
> > (0) if (&User-Name =~ /@\./) {
> > (0) if (&User-Name =~ /@\./) -> FALSE
> > (0) } # if (&User-Name) = noop
> > (0) } # policy filter_username = noop
> > (0) [preprocess] = ok
> > (0) [mschap] = noop
> > (0) [digest] = noop
> > (0) suffix: Checking for suffix after "@"
> > (0) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (0) suffix: No such realm "NULL"
> > (0) [suffix] = noop
> > (0) eap: Peer sent EAP Response (code 2) ID 163 length 28
> > (0) eap: EAP-Identity reply, returning 'ok' so we can
> > short-circuit the
> > rest of authorize
> > (0) [eap] = ok
> > (0) } # authorize = ok
> > (0) Found Auth-Type = eap
> > (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (0) authenticate {
> > (0) eap: Peer sent packet with method EAP Identity (1)
> > (0) eap: Calling submodule eap_md5 to process data
> > (0) eap_md5: Issuing MD5 Challenge
> > (0) eap: Sending EAP Request (code 1) ID 164 length 22
> > (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa
> > (0) [eap] = handled
> > (0) } # authenticate = handled
> > (0) Using Post-Auth-Type Challenge
> > (0) Post-Auth-Type sub-section not found. Ignoring.
> > (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (0) Sent Access-Challenge Id 25 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38
> > (0) Message-Authenticator = 0x00000000000000000000000000000000
> > (0) State = 0x06df9fcc067b9baa43639075ca7d333a
> > (0) Finished request
> > Waking up in 4.9 seconds.
> > (1) Received Access-Request Id 26 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 340
> > (1) User-Name = "mypc-pc\\Administrator"
> > (1) NAS-Port = 20497
> > (1) Service-Type = Framed-User
> > (1) Framed-Protocol = PPP
> > (1) Calling-Station-Id = "44a8-42f7-952d"
> > (1) NAS-Identifier = "S5735_K6_SW1"
> > (1) NAS-Port-Type = Ethernet
> > (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (1) State = 0x06df9fcc067b9baa43639075ca7d333a
> > (1) EAP-Message = 0x02a400060319
> > (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c
> > (1) Called-Station-Id = "44-67-47-26-F7-90"
> > (1) Login-IP-Host = 0.0.0.0
> > (1) NAS-IP-Address = 172.100.0.60
> > (1) Framed-MTU = 1500
> > (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (1) Huawei-Startup-Stamp = 1589932873
> > (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (1) Huawei-Connect-ID = 45
> > (1) Huawei-Version = "Huawei S5735"
> > (1) Huawei-Product-ID = "S5735"
> > (1) Huawei-User-Mac = "\000\000\000\001"
> > (1) Huawei-Domain-Name = "default"
> > (1) session-state: No cached attributes
> > (1) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (1) authorize {
> > (1) update {
> > (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (1) EXPAND --username=%{User-Name}
> > (1) --> --username=mypc-pc\\Administrator
> > (1) EXPAND --calledStationID=%{Called-Station-Id}
> > (1) --> --calledStationID=44-67-47-26-F7-90
> > (1) EXPAND --callingStationID=%{Calling-Station-Id}
> > (1) --> --callingStationID=44a8-42f7-952d
> > (1) EXPAND --connectInfo=%{Connect-Info}
> > (1) --> --connectInfo=
> > (1) EXPAND --framedMTU=%{Framed-MTU}
> > (1) --> --framedMTU=1500
> > (1) EXPAND --framedProtocol=%{Framed-Protocol}
> > (1) --> --framedProtocol=PPP
> > (1) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (1) --> --nasIdentifier=S5735_K6_SW1
> > (1) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (1) --> --nasIPAddress=172.100.0.60
> > (1) EXPAND --nasPort=%{NAS-Port}
> > (1) --> --nasPort=20497
> > (1) EXPAND --nasPortID=%{NAS-Port-Id}
> > (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (1) EXPAND --nasPortType=%{NAS-Port-Type}
> > (1) --> --nasPortType=Ethernet
> > (1) EXPAND --serviceType=%{Service-Type}
> > (1) --> --serviceType=Framed-User
> > (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (1) --> --tunnelMediumType=
> > (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (1) --> --tunnelPrivateGroupID=
> > (1) EXPAND --tunnelType=%{Tunnel-Type}
> > (1) --> --tunnelType=
> > (1) Program returned code (0) and output 'Reply-Message :=""'
> > (1) control::Reply-Message :=
> > (1) } # update = noop
> > (1) policy filter_username {
> > (1) if (&User-Name) {
> > (1) if (&User-Name) -> TRUE
> > (1) if (&User-Name) {
> > (1) if (&User-Name =~ / /) {
> > (1) if (&User-Name =~ / /) -> FALSE
> > (1) if (&User-Name =~ /@[^@]*@/ ) {
> > (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (1) if (&User-Name =~ /\.\./ ) {
> > (1) if (&User-Name =~ /\.\./ ) -> FALSE
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (1) if (&User-Name =~ /\.$/) {
> > (1) if (&User-Name =~ /\.$/) -> FALSE
> > (1) if (&User-Name =~ /@\./) {
> > (1) if (&User-Name =~ /@\./) -> FALSE
> > (1) } # if (&User-Name) = noop
> > (1) } # policy filter_username = noop
> > (1) [preprocess] = ok
> > (1) [mschap] = noop
> > (1) [digest] = noop
> > (1) suffix: Checking for suffix after "@"
> > (1) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (1) suffix: No such realm "NULL"
> > (1) [suffix] = noop
> > (1) eap: Peer sent EAP Response (code 2) ID 164 length 6
> > (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> > (1) [eap] = updated
> > (1) [expiration] = noop
> > (1) [logintime] = noop
> > Not doing PAP as Auth-Type is already set.
> > (1) [pap] = noop
> > (1) } # authorize = updated
> > (1) Found Auth-Type = eap
> > (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (1) authenticate {
> > (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa
> > (1) eap: Finished EAP session with state 0x06df9fcc067b9baa
> > (1) eap: Previous EAP request found for state
> > 0x06df9fcc067b9baa, released
> > from the list
> > (1) eap: Peer sent packet with method EAP NAK (3)
> > (1) eap: Found mutually acceptable type PEAP (25)
> > (1) eap: Calling submodule eap_peap to process data
> > (1) eap_peap: Initiating new TLS session
> > (1) eap_peap: [eaptls start] = request
> > (1) eap: Sending EAP Request (code 1) ID 165 length 6
> > (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa
> > (1) [eap] = handled
> > (1) } # authenticate = handled
> > (1) Using Post-Auth-Type Challenge
> > (1) Post-Auth-Type sub-section not found. Ignoring.
> > (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (1) Sent Access-Challenge Id 26 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (1) EAP-Message = 0x01a500061920
> > (1) Message-Authenticator = 0x00000000000000000000000000000000
> > (1) State = 0x06df9fcc077a86aa43639075ca7d333a
> > (1) Finished request
> > Waking up in 4.9 seconds.
> > (2) Received Access-Request Id 27 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 447
> > (2) User-Name = "mypc-pc\\Administrator"
> > (2) NAS-Port = 20497
> > (2) Service-Type = Framed-User
> > (2) Framed-Protocol = PPP
> > (2) Calling-Station-Id = "44a8-42f7-952d"
> > (2) NAS-Identifier = "S5735_K6_SW1"
> > (2) NAS-Port-Type = Ethernet
> > (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (2) State = 0x06df9fcc077a86aa43639075ca7d333a
> > (2) EAP-Message =
> > 0x02a5007119800000006716030100620100005e030160d0e32a6722bce315
> > 95a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c01300
> > 3900330035002fc00ac00900380032000a00130005000401000019000a0006
> > 000400170018000b0002010000170000ff01000100
> > (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0
> > (2) Called-Station-Id = "44-67-47-26-F7-90"
> > (2) Login-IP-Host = 0.0.0.0
> > (2) NAS-IP-Address = 172.100.0.60
> > (2) Framed-MTU = 1500
> > (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (2) Huawei-Startup-Stamp = 1589932873
> > (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (2) Huawei-Connect-ID = 45
> > (2) Huawei-Version = "Huawei S5735"
> > (2) Huawei-Product-ID = "S5735"
> > (2) Huawei-User-Mac = "\000\000\000\001"
> > (2) Huawei-Domain-Name = "default"
> > (2) session-state: No cached attributes
> > (2) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (2) authorize {
> > (2) update {
> > (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (2) EXPAND --username=%{User-Name}
> > (2) --> --username=mypc-pc\\Administrator
> > (2) EXPAND --calledStationID=%{Called-Station-Id}
> > (2) --> --calledStationID=44-67-47-26-F7-90
> > (2) EXPAND --callingStationID=%{Calling-Station-Id}
> > (2) --> --callingStationID=44a8-42f7-952d
> > (2) EXPAND --connectInfo=%{Connect-Info}
> > (2) --> --connectInfo=
> > (2) EXPAND --framedMTU=%{Framed-MTU}
> > (2) --> --framedMTU=1500
> > (2) EXPAND --framedProtocol=%{Framed-Protocol}
> > (2) --> --framedProtocol=PPP
> > (2) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (2) --> --nasIdentifier=S5735_K6_SW1
> > (2) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (2) --> --nasIPAddress=172.100.0.60
> > (2) EXPAND --nasPort=%{NAS-Port}
> > (2) --> --nasPort=20497
> > (2) EXPAND --nasPortID=%{NAS-Port-Id}
> > (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (2) EXPAND --nasPortType=%{NAS-Port-Type}
> > (2) --> --nasPortType=Ethernet
> > (2) EXPAND --serviceType=%{Service-Type}
> > (2) --> --serviceType=Framed-User
> > (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (2) --> --tunnelMediumType=
> > (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (2) --> --tunnelPrivateGroupID=
> > (2) EXPAND --tunnelType=%{Tunnel-Type}
> > (2) --> --tunnelType=
> > (2) Program returned code (0) and output 'Reply-Message :=""'
> > (2) control::Reply-Message :=
> > (2) } # update = noop
> > (2) policy filter_username {
> > (2) if (&User-Name) {
> > (2) if (&User-Name) -> TRUE
> > (2) if (&User-Name) {
> > (2) if (&User-Name =~ / /) {
> > (2) if (&User-Name =~ / /) -> FALSE
> > (2) if (&User-Name =~ /@[^@]*@/ ) {
> > (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (2) if (&User-Name =~ /\.\./ ) {
> > (2) if (&User-Name =~ /\.\./ ) -> FALSE
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (2) if (&User-Name =~ /\.$/) {
> > (2) if (&User-Name =~ /\.$/) -> FALSE
> > (2) if (&User-Name =~ /@\./) {
> > (2) if (&User-Name =~ /@\./) -> FALSE
> > (2) } # if (&User-Name) = noop
> > (2) } # policy filter_username = noop
> > (2) [preprocess] = ok
> > (2) [mschap] = noop
> > (2) [digest] = noop
> > (2) suffix: Checking for suffix after "@"
> > (2) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (2) suffix: No such realm "NULL"
> > (2) [suffix] = noop
> > (2) eap: Peer sent EAP Response (code 2) ID 165 length 113
> > (2) eap: Continuing tunnel setup
> > (2) [eap] = ok
> > (2) } # authorize = ok
> > (2) Found Auth-Type = eap
> > (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (2) authenticate {
> > (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa
> > (2) eap: Finished EAP session with state 0x06df9fcc077a86aa
> > (2) eap: Previous EAP request found for state
> > 0x06df9fcc077a86aa, released
> > from the list
> > (2) eap: Peer sent packet with method EAP PEAP (25)
> > (2) eap: Calling submodule eap_peap to process data
> > (2) eap_peap: Continuing EAP-TLS
> > (2) eap_peap: Peer indicated complete TLS record size will be
> > 103 bytes
> > (2) eap_peap: Got complete TLS record (103 bytes)
> > (2) eap_peap: [eaptls verify] = length included
> > (2) eap_peap: (other): before accept initialization
> > (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062]
> > (2) eap_peap: TLS_accept: SSLv3 read client hello A
> > (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello
> > (2) eap_peap: TLS_accept: SSLv3 write server hello A
> > (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate
> > (2) eap_peap: TLS_accept: SSLv3 write certificate A
> > (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b],
> > ServerKeyExchange
> > (2) eap_peap: TLS_accept: SSLv3 write key exchange A
> > (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
> > ServerHelloDone
> > (2) eap_peap: TLS_accept: SSLv3 write server done A
> > (2) eap_peap: TLS_accept: SSLv3 flush data
> > (2) eap_peap: TLS_accept: SSLv3 read client certificate A
> > (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read
> > client key
> > exchange A
> > (2) eap_peap: TLS - In Handshake Phase
> > (2) eap_peap: TLS - got 2687 bytes of data
> > (2) eap_peap: [eaptls process] = handled
> > (2) eap: Sending EAP Request (code 1) ID 166 length 1004
> > (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa
> > (2) [eap] = handled
> > (2) } # authenticate = handled
> > (2) Using Post-Auth-Type Challenge
> > (2) Post-Auth-Type sub-section not found. Ignoring.
> > (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (2) Sent Access-Challenge Id 27 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (2) EAP-Message =
> > 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2
> > a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01
> > 000100000b0002010016030108e50b0008e10008de0003e8308203e4308202
> > cca003020102020101300d06092a864886f70d01010b0500308196310b3009
> > 060355040613025452310e300c06035504080c05495a4d4952310d300b0603
> > 5504070c0455524c4131173015060355040a0c0e5061727461204e6574776f
> > 726b733120301e06092a864886f70d0109011611696e666f4070617274612e
> > 636f6d2e7472312d302b06035504030c245061727461204e6574776f726b73
> > 20436572746966696361746520417574686f72697479301e170d3230303333
> > 313131323930385a170d3330303332393131323930385a308182310b300906
> > 0355040613025452310e300c06035504080c05495a4d495231173015060355
> > 040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120
> > (2) Message-Authenticator = 0x00000000000000000000000000000000
> > (2) State = 0x06df9fcc047986aa43639075ca7d333a
> > (2) Finished request
> > Waking up in 4.7 seconds.
> > (3) Received Access-Request Id 28 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 340
> > (3) User-Name = "mypc-pc\\Administrator"
> > (3) NAS-Port = 20497
> > (3) Service-Type = Framed-User
> > (3) Framed-Protocol = PPP
> > (3) Calling-Station-Id = "44a8-42f7-952d"
> > (3) NAS-Identifier = "S5735_K6_SW1"
> > (3) NAS-Port-Type = Ethernet
> > (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (3) State = 0x06df9fcc047986aa43639075ca7d333a
> > (3) EAP-Message = 0x02a600061900
> > (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a
> > (3) Called-Station-Id = "44-67-47-26-F7-90"
> > (3) Login-IP-Host = 0.0.0.0
> > (3) NAS-IP-Address = 172.100.0.60
> > (3) Framed-MTU = 1500
> > (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (3) Huawei-Startup-Stamp = 1589932873
> > (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (3) Huawei-Connect-ID = 45
> > (3) Huawei-Version = "Huawei S5735"
> > (3) Huawei-Product-ID = "S5735"
> > (3) Huawei-User-Mac = "\000\000\000\001"
> > (3) Huawei-Domain-Name = "default"
> > (3) session-state: No cached attributes
> > (3) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (3) authorize {
> > (3) update {
> > (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (3) EXPAND --username=%{User-Name}
> > (3) --> --username=mypc-pc\\Administrator
> > (3) EXPAND --calledStationID=%{Called-Station-Id}
> > (3) --> --calledStationID=44-67-47-26-F7-90
> > (3) EXPAND --callingStationID=%{Calling-Station-Id}
> > (3) --> --callingStationID=44a8-42f7-952d
> > (3) EXPAND --connectInfo=%{Connect-Info}
> > (3) --> --connectInfo=
> > (3) EXPAND --framedMTU=%{Framed-MTU}
> > (3) --> --framedMTU=1500
> > (3) EXPAND --framedProtocol=%{Framed-Protocol}
> > (3) --> --framedProtocol=PPP
> > (3) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (3) --> --nasIdentifier=S5735_K6_SW1
> > (3) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (3) --> --nasIPAddress=172.100.0.60
> > (3) EXPAND --nasPort=%{NAS-Port}
> > (3) --> --nasPort=20497
> > (3) EXPAND --nasPortID=%{NAS-Port-Id}
> > (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (3) EXPAND --nasPortType=%{NAS-Port-Type}
> > (3) --> --nasPortType=Ethernet
> > (3) EXPAND --serviceType=%{Service-Type}
> > (3) --> --serviceType=Framed-User
> > (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (3) --> --tunnelMediumType=
> > (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (3) --> --tunnelPrivateGroupID=
> > (3) EXPAND --tunnelType=%{Tunnel-Type}
> > (3) --> --tunnelType=
> > (3) Program returned code (0) and output 'Reply-Message :=""'
> > (3) control::Reply-Message :=
> > (3) } # update = noop
> > (3) policy filter_username {
> > (3) if (&User-Name) {
> > (3) if (&User-Name) -> TRUE
> > (3) if (&User-Name) {
> > (3) if (&User-Name =~ / /) {
> > (3) if (&User-Name =~ / /) -> FALSE
> > (3) if (&User-Name =~ /@[^@]*@/ ) {
> > (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (3) if (&User-Name =~ /\.\./ ) {
> > (3) if (&User-Name =~ /\.\./ ) -> FALSE
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (3) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (3) if (&User-Name =~ /\.$/) {
> > (3) if (&User-Name =~ /\.$/) -> FALSE
> > (3) if (&User-Name =~ /@\./) {
> > (3) if (&User-Name =~ /@\./) -> FALSE
> > (3) } # if (&User-Name) = noop
> > (3) } # policy filter_username = noop
> > (3) [preprocess] = ok
> > (3) [mschap] = noop
> > (3) [digest] = noop
> > (3) suffix: Checking for suffix after "@"
> > (3) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (3) suffix: No such realm "NULL"
> > (3) [suffix] = noop
> > (3) eap: Peer sent EAP Response (code 2) ID 166 length 6
> > (3) eap: Continuing tunnel setup
> > (3) [eap] = ok
> > (3) } # authorize = ok
> > (3) Found Auth-Type = eap
> > (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (3) authenticate {
> > (3) eap: Expiring EAP session with state 0x06df9fcc047986aa
> > (3) eap: Finished EAP session with state 0x06df9fcc047986aa
> > (3) eap: Previous EAP request found for state
> > 0x06df9fcc047986aa, released
> > from the list
> > (3) eap: Peer sent packet with method EAP PEAP (25)
> > (3) eap: Calling submodule eap_peap to process data
> > (3) eap_peap: Continuing EAP-TLS
> > (3) eap_peap: Peer ACKed our handshake fragment
> > (3) eap_peap: [eaptls verify] = request
> > (3) eap_peap: [eaptls process] = handled
> > (3) eap: Sending EAP Request (code 1) ID 167 length 1000
> > (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa
> > (3) [eap] = handled
> > (3) } # authenticate = handled
> > (3) Using Post-Auth-Type Challenge
> > (3) Post-Auth-Type sub-section not found. Ignoring.
> > (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (3) Sent Access-Challenge Id 28 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (3) EAP-Message =
> > 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbd
> > fd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0f
> > a9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f03082
> > 04ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f7
> > 0d01010b0500308196310b3009060355040613025452310e300c0603550408
> > 0c05495a4d4952310d300b06035504070c0455524c4131173015060355040a
> > 0c0e5061727461204e6574776f726b733120301e06092a864886f70d010901
> > 1611696e666f4070617274612e636f6d2e7472312d302b06035504030c2450
> > 61727461204e6574776f726b7320436572746966696361746520417574686f
> > 72697479301e170d3230303333313131323930385a170d3330303332393131
> > 323930385a308196310b3009060355040613025452310e300c06035504080c
> > 05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172
> > (3) Message-Authenticator = 0x00000000000000000000000000000000
> > (3) State = 0x06df9fcc057886aa43639075ca7d333a
> > (3) Finished request
> > Waking up in 4.7 seconds.
> > (4) Received Access-Request Id 29 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 340
> > (4) User-Name = "mypc-pc\\Administrator"
> > (4) NAS-Port = 20497
> > (4) Service-Type = Framed-User
> > (4) Framed-Protocol = PPP
> > (4) Calling-Station-Id = "44a8-42f7-952d"
> > (4) NAS-Identifier = "S5735_K6_SW1"
> > (4) NAS-Port-Type = Ethernet
> > (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (4) State = 0x06df9fcc057886aa43639075ca7d333a
> > (4) EAP-Message = 0x02a700061900
> > (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4
> > (4) Called-Station-Id = "44-67-47-26-F7-90"
> > (4) Login-IP-Host = 0.0.0.0
> > (4) NAS-IP-Address = 172.100.0.60
> > (4) Framed-MTU = 1500
> > (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (4) Huawei-Startup-Stamp = 1589932873
> > (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (4) Huawei-Connect-ID = 45
> > (4) Huawei-Version = "Huawei S5735"
> > (4) Huawei-Product-ID = "S5735"
> > (4) Huawei-User-Mac = "\000\000\000\001"
> > (4) Huawei-Domain-Name = "default"
> > (4) session-state: No cached attributes
> > (4) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (4) authorize {
> > (4) update {
> > (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (4) EXPAND --username=%{User-Name}
> > (4) --> --username=mypc-pc\\Administrator
> > (4) EXPAND --calledStationID=%{Called-Station-Id}
> > (4) --> --calledStationID=44-67-47-26-F7-90
> > (4) EXPAND --callingStationID=%{Calling-Station-Id}
> > (4) --> --callingStationID=44a8-42f7-952d
> > (4) EXPAND --connectInfo=%{Connect-Info}
> > (4) --> --connectInfo=
> > (4) EXPAND --framedMTU=%{Framed-MTU}
> > (4) --> --framedMTU=1500
> > (4) EXPAND --framedProtocol=%{Framed-Protocol}
> > (4) --> --framedProtocol=PPP
> > (4) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (4) --> --nasIdentifier=S5735_K6_SW1
> > (4) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (4) --> --nasIPAddress=172.100.0.60
> > (4) EXPAND --nasPort=%{NAS-Port}
> > (4) --> --nasPort=20497
> > (4) EXPAND --nasPortID=%{NAS-Port-Id}
> > (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (4) EXPAND --nasPortType=%{NAS-Port-Type}
> > (4) --> --nasPortType=Ethernet
> > (4) EXPAND --serviceType=%{Service-Type}
> > (4) --> --serviceType=Framed-User
> > (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (4) --> --tunnelMediumType=
> > (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (4) --> --tunnelPrivateGroupID=
> > (4) EXPAND --tunnelType=%{Tunnel-Type}
> > (4) --> --tunnelType=
> > (4) Program returned code (0) and output 'Reply-Message :=""'
> > (4) control::Reply-Message :=
> > (4) } # update = noop
> > (4) policy filter_username {
> > (4) if (&User-Name) {
> > (4) if (&User-Name) -> TRUE
> > (4) if (&User-Name) {
> > (4) if (&User-Name =~ / /) {
> > (4) if (&User-Name =~ / /) -> FALSE
> > (4) if (&User-Name =~ /@[^@]*@/ ) {
> > (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (4) if (&User-Name =~ /\.\./ ) {
> > (4) if (&User-Name =~ /\.\./ ) -> FALSE
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (4) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (4) if (&User-Name =~ /\.$/) {
> > (4) if (&User-Name =~ /\.$/) -> FALSE
> > (4) if (&User-Name =~ /@\./) {
> > (4) if (&User-Name =~ /@\./) -> FALSE
> > (4) } # if (&User-Name) = noop
> > (4) } # policy filter_username = noop
> > (4) [preprocess] = ok
> > (4) [mschap] = noop
> > (4) [digest] = noop
> > (4) suffix: Checking for suffix after "@"
> > (4) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (4) suffix: No such realm "NULL"
> > (4) [suffix] = noop
> > (4) eap: Peer sent EAP Response (code 2) ID 167 length 6
> > (4) eap: Continuing tunnel setup
> > (4) [eap] = ok
> > (4) } # authorize = ok
> > (4) Found Auth-Type = eap
> > (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (4) authenticate {
> > (4) eap: Expiring EAP session with state 0x06df9fcc057886aa
> > (4) eap: Finished EAP session with state 0x06df9fcc057886aa
> > (4) eap: Previous EAP request found for state
> > 0x06df9fcc057886aa, released
> > from the list
> > (4) eap: Peer sent packet with method EAP PEAP (25)
> > (4) eap: Calling submodule eap_peap to process data
> > (4) eap_peap: Continuing EAP-TLS
> > (4) eap_peap: Peer ACKed our handshake fragment
> > (4) eap_peap: [eaptls verify] = request
> > (4) eap_peap: [eaptls process] = handled
> > (4) eap: Sending EAP Request (code 1) ID 168 length 705
> > (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa
> > (4) [eap] = handled
> > (4) } # authenticate = handled
> > (4) Using Post-Auth-Type Challenge
> > (4) Post-Auth-Type sub-section not found. Ignoring.
> > (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (4) Sent Access-Challenge Id 29 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (4) EAP-Message =
> > 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30
> > 350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e7061
> > 7274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886
> > f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6d
> > c2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd
> > 8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b
> > 6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a5709816
> > 56b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f1
> > 62fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd
> > 20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343
> > df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e75462374
> > 8cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0
> > (4) Message-Authenticator = 0x00000000000000000000000000000000
> > (4) State = 0x06df9fcc027786aa43639075ca7d333a
> > (4) Finished request
> > Waking up in 4.6 seconds.
> > (5) Received Access-Request Id 30 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 478
> > (5) User-Name = "mypc-pc\\Administrator"
> > (5) NAS-Port = 20497
> > (5) Service-Type = Framed-User
> > (5) Framed-Protocol = PPP
> > (5) Calling-Station-Id = "44a8-42f7-952d"
> > (5) NAS-Identifier = "S5735_K6_SW1"
> > (5) NAS-Port-Type = Ethernet
> > (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (5) State = 0x06df9fcc027786aa43639075ca7d333a
> > (5) EAP-Message =
> > 0x02a800901980000000861603010046100000424104c7b577ecf031abd558
> > 556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f1
> > 99787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116
> > 030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598dae
> > f254ac64514ddef71c035306cdc1fea1cbdd58dcce
> > (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9
> > (5) Called-Station-Id = "44-67-47-26-F7-90"
> > (5) Login-IP-Host = 0.0.0.0
> > (5) NAS-IP-Address = 172.100.0.60
> > (5) Framed-MTU = 1500
> > (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (5) Huawei-Startup-Stamp = 1589932873
> > (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (5) Huawei-Connect-ID = 45
> > (5) Huawei-Version = "Huawei S5735"
> > (5) Huawei-Product-ID = "S5735"
> > (5) Huawei-User-Mac = "\000\000\000\001"
> > (5) Huawei-Domain-Name = "default"
> > (5) session-state: No cached attributes
> > (5) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (5) authorize {
> > (5) update {
> > (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (5) EXPAND --username=%{User-Name}
> > (5) --> --username=mypc-pc\\Administrator
> > (5) EXPAND --calledStationID=%{Called-Station-Id}
> > (5) --> --calledStationID=44-67-47-26-F7-90
> > (5) EXPAND --callingStationID=%{Calling-Station-Id}
> > (5) --> --callingStationID=44a8-42f7-952d
> > (5) EXPAND --connectInfo=%{Connect-Info}
> > (5) --> --connectInfo=
> > (5) EXPAND --framedMTU=%{Framed-MTU}
> > (5) --> --framedMTU=1500
> > (5) EXPAND --framedProtocol=%{Framed-Protocol}
> > (5) --> --framedProtocol=PPP
> > (5) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (5) --> --nasIdentifier=S5735_K6_SW1
> > (5) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (5) --> --nasIPAddress=172.100.0.60
> > (5) EXPAND --nasPort=%{NAS-Port}
> > (5) --> --nasPort=20497
> > (5) EXPAND --nasPortID=%{NAS-Port-Id}
> > (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (5) EXPAND --nasPortType=%{NAS-Port-Type}
> > (5) --> --nasPortType=Ethernet
> > (5) EXPAND --serviceType=%{Service-Type}
> > (5) --> --serviceType=Framed-User
> > (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (5) --> --tunnelMediumType=
> > (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (5) --> --tunnelPrivateGroupID=
> > (5) EXPAND --tunnelType=%{Tunnel-Type}
> > (5) --> --tunnelType=
> > (5) Program returned code (0) and output 'Reply-Message :=""'
> > (5) control::Reply-Message :=
> > (5) } # update = noop
> > (5) policy filter_username {
> > (5) if (&User-Name) {
> > (5) if (&User-Name) -> TRUE
> > (5) if (&User-Name) {
> > (5) if (&User-Name =~ / /) {
> > (5) if (&User-Name =~ / /) -> FALSE
> > (5) if (&User-Name =~ /@[^@]*@/ ) {
> > (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (5) if (&User-Name =~ /\.\./ ) {
> > (5) if (&User-Name =~ /\.\./ ) -> FALSE
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (5) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (5) if (&User-Name =~ /\.$/) {
> > (5) if (&User-Name =~ /\.$/) -> FALSE
> > (5) if (&User-Name =~ /@\./) {
> > (5) if (&User-Name =~ /@\./) -> FALSE
> > (5) } # if (&User-Name) = noop
> > (5) } # policy filter_username = noop
> > (5) [preprocess] = ok
> > (5) [mschap] = noop
> > (5) [digest] = noop
> > (5) suffix: Checking for suffix after "@"
> > (5) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (5) suffix: No such realm "NULL"
> > (5) [suffix] = noop
> > (5) eap: Peer sent EAP Response (code 2) ID 168 length 144
> > (5) eap: Continuing tunnel setup
> > (5) [eap] = ok
> > (5) } # authorize = ok
> > (5) Found Auth-Type = eap
> > (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (5) authenticate {
> > (5) eap: Expiring EAP session with state 0x06df9fcc027786aa
> > (5) eap: Finished EAP session with state 0x06df9fcc027786aa
> > (5) eap: Previous EAP request found for state
> > 0x06df9fcc027786aa, released
> > from the list
> > (5) eap: Peer sent packet with method EAP PEAP (25)
> > (5) eap: Calling submodule eap_peap to process data
> > (5) eap_peap: Continuing EAP-TLS
> > (5) eap_peap: Peer indicated complete TLS record size will be
> > 134 bytes
> > (5) eap_peap: Got complete TLS record (134 bytes)
> > (5) eap_peap: [eaptls verify] = length included
> > (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046],
> > ClientKeyExchange
> > (5) eap_peap: TLS_accept: SSLv3 read client key exchange A
> > (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
> > (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
> > (5) eap_peap: TLS_accept: SSLv3 read finished A
> > (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
> > (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
> > (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
> > (5) eap_peap: TLS_accept: SSLv3 write finished A
> > (5) eap_peap: TLS_accept: SSLv3 flush data
> > (5) eap_peap: (other): SSL negotiation finished successfully
> > (5) eap_peap: TLS - Connection Established
> > (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (5) eap_peap: TLS-Session-Version = "TLS 1.0"
> > (5) eap_peap: TLS - got 59 bytes of data
> > (5) eap_peap: [eaptls process] = handled
> > (5) eap: Sending EAP Request (code 1) ID 169 length 65
> > (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa
> > (5) [eap] = handled
> > (5) } # authenticate = handled
> > (5) Using Post-Auth-Type Challenge
> > (5) Post-Auth-Type sub-section not found. Ignoring.
> > (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (5) session-state: Saving cached attributes
> > (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (5) TLS-Session-Version = "TLS 1.0"
> > (5) Sent Access-Challenge Id 30 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (5) EAP-Message =
> > 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980ad
> > be6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492
> > (5) Message-Authenticator = 0x00000000000000000000000000000000
> > (5) State = 0x06df9fcc037686aa43639075ca7d333a
> > (5) Finished request
> > Waking up in 4.6 seconds.
> > (6) Received Access-Request Id 31 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 340
> > (6) User-Name = "mypc-pc\\Administrator"
> > (6) NAS-Port = 20497
> > (6) Service-Type = Framed-User
> > (6) Framed-Protocol = PPP
> > (6) Calling-Station-Id = "44a8-42f7-952d"
> > (6) NAS-Identifier = "S5735_K6_SW1"
> > (6) NAS-Port-Type = Ethernet
> > (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (6) State = 0x06df9fcc037686aa43639075ca7d333a
> > (6) EAP-Message = 0x02a900061900
> > (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe
> > (6) Called-Station-Id = "44-67-47-26-F7-90"
> > (6) Login-IP-Host = 0.0.0.0
> > (6) NAS-IP-Address = 172.100.0.60
> > (6) Framed-MTU = 1500
> > (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (6) Huawei-Startup-Stamp = 1589932873
> > (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (6) Huawei-Connect-ID = 45
> > (6) Huawei-Version = "Huawei S5735"
> > (6) Huawei-Product-ID = "S5735"
> > (6) Huawei-User-Mac = "\000\000\000\001"
> > (6) Huawei-Domain-Name = "default"
> > (6) Restoring &session-state
> > (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (6) &session-state:TLS-Session-Version = "TLS 1.0"
> > (6) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (6) authorize {
> > (6) update {
> > (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (6) EXPAND --username=%{User-Name}
> > (6) --> --username=mypc-pc\\Administrator
> > (6) EXPAND --calledStationID=%{Called-Station-Id}
> > (6) --> --calledStationID=44-67-47-26-F7-90
> > (6) EXPAND --callingStationID=%{Calling-Station-Id}
> > (6) --> --callingStationID=44a8-42f7-952d
> > (6) EXPAND --connectInfo=%{Connect-Info}
> > (6) --> --connectInfo=
> > (6) EXPAND --framedMTU=%{Framed-MTU}
> > (6) --> --framedMTU=1500
> > (6) EXPAND --framedProtocol=%{Framed-Protocol}
> > (6) --> --framedProtocol=PPP
> > (6) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (6) --> --nasIdentifier=S5735_K6_SW1
> > (6) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (6) --> --nasIPAddress=172.100.0.60
> > (6) EXPAND --nasPort=%{NAS-Port}
> > (6) --> --nasPort=20497
> > (6) EXPAND --nasPortID=%{NAS-Port-Id}
> > (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (6) EXPAND --nasPortType=%{NAS-Port-Type}
> > (6) --> --nasPortType=Ethernet
> > (6) EXPAND --serviceType=%{Service-Type}
> > (6) --> --serviceType=Framed-User
> > (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (6) --> --tunnelMediumType=
> > (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (6) --> --tunnelPrivateGroupID=
> > (6) EXPAND --tunnelType=%{Tunnel-Type}
> > (6) --> --tunnelType=
> > (6) Program returned code (0) and output 'Reply-Message :=""'
> > (6) control::Reply-Message :=
> > (6) } # update = noop
> > (6) policy filter_username {
> > (6) if (&User-Name) {
> > (6) if (&User-Name) -> TRUE
> > (6) if (&User-Name) {
> > (6) if (&User-Name =~ / /) {
> > (6) if (&User-Name =~ / /) -> FALSE
> > (6) if (&User-Name =~ /@[^@]*@/ ) {
> > (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (6) if (&User-Name =~ /\.\./ ) {
> > (6) if (&User-Name =~ /\.\./ ) -> FALSE
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (6) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (6) if (&User-Name =~ /\.$/) {
> > (6) if (&User-Name =~ /\.$/) -> FALSE
> > (6) if (&User-Name =~ /@\./) {
> > (6) if (&User-Name =~ /@\./) -> FALSE
> > (6) } # if (&User-Name) = noop
> > (6) } # policy filter_username = noop
> > (6) [preprocess] = ok
> > (6) [mschap] = noop
> > (6) [digest] = noop
> > (6) suffix: Checking for suffix after "@"
> > (6) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (6) suffix: No such realm "NULL"
> > (6) [suffix] = noop
> > (6) eap: Peer sent EAP Response (code 2) ID 169 length 6
> > (6) eap: Continuing tunnel setup
> > (6) [eap] = ok
> > (6) } # authorize = ok
> > (6) Found Auth-Type = eap
> > (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (6) authenticate {
> > (6) eap: Expiring EAP session with state 0x06df9fcc037686aa
> > (6) eap: Finished EAP session with state 0x06df9fcc037686aa
> > (6) eap: Previous EAP request found for state
> > 0x06df9fcc037686aa, released
> > from the list
> > (6) eap: Peer sent packet with method EAP PEAP (25)
> > (6) eap: Calling submodule eap_peap to process data
> > (6) eap_peap: Continuing EAP-TLS
> > (6) eap_peap: Peer ACKed our handshake fragment. handshake
> > is finished
> > (6) eap_peap: [eaptls verify] = success
> > (6) eap_peap: [eaptls process] = success
> > (6) eap_peap: Session established. Decoding tunneled attributes
> > (6) eap_peap: PEAP state TUNNEL ESTABLISHED
> > (6) eap: Sending EAP Request (code 1) ID 170 length 43
> > (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa
> > (6) [eap] = handled
> > (6) } # authenticate = handled
> > (6) Using Post-Auth-Type Challenge
> > (6) Post-Auth-Type sub-section not found. Ignoring.
> > (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (6) session-state: Saving cached attributes
> > (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (6) TLS-Session-Version = "TLS 1.0"
> > (6) Sent Access-Challenge Id 31 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (6) EAP-Message =
> > 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406
> > 708676f7c33e1183170f61d947
> > (6) Message-Authenticator = 0x00000000000000000000000000000000
> > (6) State = 0x06df9fcc007586aa43639075ca7d333a
> > (6) Finished request
> > Waking up in 4.5 seconds.
> > (7) Received Access-Request Id 32 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 393
> > (7) User-Name = "mypc-pc\\Administrator"
> > (7) NAS-Port = 20497
> > (7) Service-Type = Framed-User
> > (7) Framed-Protocol = PPP
> > (7) Calling-Station-Id = "44a8-42f7-952d"
> > (7) NAS-Identifier = "S5735_K6_SW1"
> > (7) NAS-Port-Type = Ethernet
> > (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (7) State = 0x06df9fcc007586aa43639075ca7d333a
> > (7) EAP-Message =
> > 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b22703
> > 3be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a
> > (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77
> > (7) Called-Station-Id = "44-67-47-26-F7-90"
> > (7) Login-IP-Host = 0.0.0.0
> > (7) NAS-IP-Address = 172.100.0.60
> > (7) Framed-MTU = 1500
> > (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (7) Huawei-Startup-Stamp = 1589932873
> > (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (7) Huawei-Connect-ID = 45
> > (7) Huawei-Version = "Huawei S5735"
> > (7) Huawei-Product-ID = "S5735"
> > (7) Huawei-User-Mac = "\000\000\000\001"
> > (7) Huawei-Domain-Name = "default"
> > (7) Restoring &session-state
> > (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (7) &session-state:TLS-Session-Version = "TLS 1.0"
> > (7) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (7) authorize {
> > (7) update {
> > (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (7) EXPAND --username=%{User-Name}
> > (7) --> --username=mypc-pc\\Administrator
> > (7) EXPAND --calledStationID=%{Called-Station-Id}
> > (7) --> --calledStationID=44-67-47-26-F7-90
> > (7) EXPAND --callingStationID=%{Calling-Station-Id}
> > (7) --> --callingStationID=44a8-42f7-952d
> > (7) EXPAND --connectInfo=%{Connect-Info}
> > (7) --> --connectInfo=
> > (7) EXPAND --framedMTU=%{Framed-MTU}
> > (7) --> --framedMTU=1500
> > (7) EXPAND --framedProtocol=%{Framed-Protocol}
> > (7) --> --framedProtocol=PPP
> > (7) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (7) --> --nasIdentifier=S5735_K6_SW1
> > (7) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (7) --> --nasIPAddress=172.100.0.60
> > (7) EXPAND --nasPort=%{NAS-Port}
> > (7) --> --nasPort=20497
> > (7) EXPAND --nasPortID=%{NAS-Port-Id}
> > (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (7) EXPAND --nasPortType=%{NAS-Port-Type}
> > (7) --> --nasPortType=Ethernet
> > (7) EXPAND --serviceType=%{Service-Type}
> > (7) --> --serviceType=Framed-User
> > (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (7) --> --tunnelMediumType=
> > (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (7) --> --tunnelPrivateGroupID=
> > (7) EXPAND --tunnelType=%{Tunnel-Type}
> > (7) --> --tunnelType=
> > (7) Program returned code (0) and output 'Reply-Message :=""'
> > (7) control::Reply-Message :=
> > (7) } # update = noop
> > (7) policy filter_username {
> > (7) if (&User-Name) {
> > (7) if (&User-Name) -> TRUE
> > (7) if (&User-Name) {
> > (7) if (&User-Name =~ / /) {
> > (7) if (&User-Name =~ / /) -> FALSE
> > (7) if (&User-Name =~ /@[^@]*@/ ) {
> > (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (7) if (&User-Name =~ /\.\./ ) {
> > (7) if (&User-Name =~ /\.\./ ) -> FALSE
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (7) if (&User-Name =~ /\.$/) {
> > (7) if (&User-Name =~ /\.$/) -> FALSE
> > (7) if (&User-Name =~ /@\./) {
> > (7) if (&User-Name =~ /@\./) -> FALSE
> > (7) } # if (&User-Name) = noop
> > (7) } # policy filter_username = noop
> > (7) [preprocess] = ok
> > (7) [mschap] = noop
> > (7) [digest] = noop
> > (7) suffix: Checking for suffix after "@"
> > (7) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (7) suffix: No such realm "NULL"
> > (7) [suffix] = noop
> > (7) eap: Peer sent EAP Response (code 2) ID 170 length 59
> > (7) eap: Continuing tunnel setup
> > (7) [eap] = ok
> > (7) } # authorize = ok
> > (7) Found Auth-Type = eap
> > (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (7) authenticate {
> > (7) eap: Expiring EAP session with state 0x06df9fcc007586aa
> > (7) eap: Finished EAP session with state 0x06df9fcc007586aa
> > (7) eap: Previous EAP request found for state
> > 0x06df9fcc007586aa, released
> > from the list
> > (7) eap: Peer sent packet with method EAP PEAP (25)
> > (7) eap: Calling submodule eap_peap to process data
> > (7) eap_peap: Continuing EAP-TLS
> > (7) eap_peap: [eaptls verify] = ok
> > (7) eap_peap: Done initial handshake
> > (7) eap_peap: [eaptls process] = ok
> > (7) eap_peap: Session established. Decoding tunneled attributes
> > (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> > (7) eap_peap: Identity - mypc-pc\Administrator
> > (7) eap_peap: Got inner identity 'mypc-pc\Administrator'
> > (7) eap_peap: Setting default EAP type for tunneled EAP session
> > (7) eap_peap: Got tunneled request
> > (7) eap_peap: EAP-Message =
> > 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> > (7) eap_peap: Setting User-Name to mypc-pc\Administrator
> > (7) eap_peap: Sending tunneled request to inner-tunnel
> > (7) eap_peap: EAP-Message =
> > 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> > (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> > (7) eap_peap: User-Name = "mypc-pc\\Administrator"
> > (7) Virtual server inner-tunnel received request
> > (7) EAP-Message =
> > 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> > (7) FreeRADIUS-Proxied-To = 127.0.0.1
> > (7) User-Name = "mypc-pc\\Administrator"
> > (7) WARNING: Outer and inner identities are the same. User privacy is
> > compromised.
> > (7) server inner-tunnel {
> > (7) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (7) authorize {
> > (7) update {
> > (7) Executing: /mydir/sbin/myprog-nac
> > --username='%{User-Name}'
> > --verify=true --control=false:
> > (7) EXPAND --username=%{User-Name}
> > (7) --> --username=mypc-pc\\Administrator
> > (7) Program returned code (0) and output
> > 'Idle-Timeout := "30"'
> > (7) reply::Idle-Timeout := 30
> > (7) } # update = noop
> > (7) policy filter_username {
> > (7) if (&User-Name) {
> > (7) if (&User-Name) -> TRUE
> > (7) if (&User-Name) {
> > (7) if (&User-Name =~ / /) {
> > (7) if (&User-Name =~ / /) -> FALSE
> > (7) if (&User-Name =~ /@[^@]*@/ ) {
> > (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (7) if (&User-Name =~ /\.\./ ) {
> > (7) if (&User-Name =~ /\.\./ ) -> FALSE
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (7) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/))
> > -> FALSE
> > (7) if (&User-Name =~ /\.$/) {
> > (7) if (&User-Name =~ /\.$/) -> FALSE
> > (7) if (&User-Name =~ /@\./) {
> > (7) if (&User-Name =~ /@\./) -> FALSE
> > (7) } # if (&User-Name) = noop
> > (7) } # policy filter_username = noop
> > (7) [chap] = noop
> > (7) [mschap] = noop
> > (7) suffix: Checking for suffix after "@"
> > (7) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (7) suffix: No such realm "NULL"
> > (7) [suffix] = noop
> > (7) update control {
> > (7) &Proxy-To-Realm := LOCAL
> > (7) } # update control = noop
> > (7) eap: Peer sent EAP Response (code 2) ID 170 length 28
> > (7) eap: EAP-Identity reply, returning 'ok' so we can
> > short-circuit the
> > rest of authorize
> > (7) [eap] = ok
> > (7) [files] = noop
> > (7) [expiration] = noop
> > (7) [logintime] = noop
> > (7) [pap] = noop
> > (7) } # authorize = ok
> > (7) Found Auth-Type = eap
> > (7) # Executing group from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (7) authenticate {
> > (7) eap: Peer sent packet with method EAP Identity (1)
> > (7) eap: Calling submodule eap_mschapv2 to process data
> > (7) eap_mschapv2: Issuing Challenge
> > (7) eap: Sending EAP Request (code 1) ID 171 length 43
> > (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) } # server inner-tunnel
> > (7) Virtual server sending reply
> > (7) Idle-Timeout := 30
> > (7) EAP-Message =
> > 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> > 7261646975732d332e302e3231
> > (7) Message-Authenticator = 0x00000000000000000000000000000000
> > (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c
> > (7) eap_peap: Got tunneled reply code 11
> > (7) eap_peap: Idle-Timeout := 30
> > (7) eap_peap: EAP-Message =
> > 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> > 7261646975732d332e302e3231
> > (7) eap_peap: Message-Authenticator =
> > 0x00000000000000000000000000000000
> > (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> > (7) eap_peap: Got tunneled reply RADIUS code 11
> > (7) eap_peap: Idle-Timeout := 30
> > (7) eap_peap: EAP-Message =
> > 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> > 7261646975732d332e302e3231
> > (7) eap_peap: Message-Authenticator =
> > 0x00000000000000000000000000000000
> > (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> > (7) eap_peap: Got tunneled Access-Challenge
> > (7) eap: Sending EAP Request (code 1) ID 171 length 75
> > (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa
> > (7) [eap] = handled
> > (7) } # authenticate = handled
> > (7) Using Post-Auth-Type Challenge
> > (7) Post-Auth-Type sub-section not found. Ignoring.
> > (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (7) session-state: Saving cached attributes
> > (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (7) TLS-Session-Version = "TLS 1.0"
> > (7) Sent Access-Challenge Id 32 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (7) EAP-Message =
> > 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846
> > e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584
> > 277bbb9e717bf568d0b7c39b9b21
> > (7) Message-Authenticator = 0x00000000000000000000000000000000
> > (7) State = 0x06df9fcc017486aa43639075ca7d333a
> > (7) Finished request
> > Waking up in 4.5 seconds.
> > (8) Received Access-Request Id 33 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 441
> > (8) User-Name = "mypc-pc\\Administrator"
> > (8) NAS-Port = 20497
> > (8) Service-Type = Framed-User
> > (8) Framed-Protocol = PPP
> > (8) Calling-Station-Id = "44a8-42f7-952d"
> > (8) NAS-Identifier = "S5735_K6_SW1"
> > (8) NAS-Port-Type = Ethernet
> > (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (8) State = 0x06df9fcc017486aa43639075ca7d333a
> > (8) EAP-Message =
> > 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67
> > fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514
> > b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22
> > e8f68156c08b94226c0358519793f0
> > (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc
> > (8) Called-Station-Id = "44-67-47-26-F7-90"
> > (8) Login-IP-Host = 0.0.0.0
> > (8) NAS-IP-Address = 172.100.0.60
> > (8) Framed-MTU = 1500
> > (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (8) Huawei-Startup-Stamp = 1589932873
> > (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (8) Huawei-Connect-ID = 45
> > (8) Huawei-Version = "Huawei S5735"
> > (8) Huawei-Product-ID = "S5735"
> > (8) Huawei-User-Mac = "\000\000\000\001"
> > (8) Huawei-Domain-Name = "default"
> > (8) Restoring &session-state
> > (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (8) &session-state:TLS-Session-Version = "TLS 1.0"
> > (8) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (8) authorize {
> > (8) update {
> > (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (8) EXPAND --username=%{User-Name}
> > (8) --> --username=mypc-pc\\Administrator
> > (8) EXPAND --calledStationID=%{Called-Station-Id}
> > (8) --> --calledStationID=44-67-47-26-F7-90
> > (8) EXPAND --callingStationID=%{Calling-Station-Id}
> > (8) --> --callingStationID=44a8-42f7-952d
> > (8) EXPAND --connectInfo=%{Connect-Info}
> > (8) --> --connectInfo=
> > (8) EXPAND --framedMTU=%{Framed-MTU}
> > (8) --> --framedMTU=1500
> > (8) EXPAND --framedProtocol=%{Framed-Protocol}
> > (8) --> --framedProtocol=PPP
> > (8) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (8) --> --nasIdentifier=S5735_K6_SW1
> > (8) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (8) --> --nasIPAddress=172.100.0.60
> > (8) EXPAND --nasPort=%{NAS-Port}
> > (8) --> --nasPort=20497
> > (8) EXPAND --nasPortID=%{NAS-Port-Id}
> > (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (8) EXPAND --nasPortType=%{NAS-Port-Type}
> > (8) --> --nasPortType=Ethernet
> > (8) EXPAND --serviceType=%{Service-Type}
> > (8) --> --serviceType=Framed-User
> > (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (8) --> --tunnelMediumType=
> > (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (8) --> --tunnelPrivateGroupID=
> > (8) EXPAND --tunnelType=%{Tunnel-Type}
> > (8) --> --tunnelType=
> > (8) Program returned code (0) and output 'Reply-Message :=""'
> > (8) control::Reply-Message :=
> > (8) } # update = noop
> > (8) policy filter_username {
> > (8) if (&User-Name) {
> > (8) if (&User-Name) -> TRUE
> > (8) if (&User-Name) {
> > (8) if (&User-Name =~ / /) {
> > (8) if (&User-Name =~ / /) -> FALSE
> > (8) if (&User-Name =~ /@[^@]*@/ ) {
> > (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (8) if (&User-Name =~ /\.\./ ) {
> > (8) if (&User-Name =~ /\.\./ ) -> FALSE
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (8) if (&User-Name =~ /\.$/) {
> > (8) if (&User-Name =~ /\.$/) -> FALSE
> > (8) if (&User-Name =~ /@\./) {
> > (8) if (&User-Name =~ /@\./) -> FALSE
> > (8) } # if (&User-Name) = noop
> > (8) } # policy filter_username = noop
> > (8) [preprocess] = ok
> > (8) [mschap] = noop
> > (8) [digest] = noop
> > (8) suffix: Checking for suffix after "@"
> > (8) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (8) suffix: No such realm "NULL"
> > (8) [suffix] = noop
> > (8) eap: Peer sent EAP Response (code 2) ID 171 length 107
> > (8) eap: Continuing tunnel setup
> > (8) [eap] = ok
> > (8) } # authorize = ok
> > (8) Found Auth-Type = eap
> > (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (8) authenticate {
> > (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
> > (8) eap: Finished EAP session with state 0x06df9fcc017486aa
> > (8) eap: Previous EAP request found for state
> > 0x06df9fcc017486aa, released
> > from the list
> > (8) eap: Peer sent packet with method EAP PEAP (25)
> > (8) eap: Calling submodule eap_peap to process data
> > (8) eap_peap: Continuing EAP-TLS
> > (8) eap_peap: [eaptls verify] = ok
> > (8) eap_peap: Done initial handshake
> > (8) eap_peap: [eaptls process] = ok
> > (8) eap_peap: Session established. Decoding tunneled attributes
> > (8) eap_peap: PEAP state phase2
> > (8) eap_peap: EAP method MSCHAPv2 (26)
> > (8) eap_peap: Got tunneled request
> > (8) eap_peap: EAP-Message =
> > 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> > 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> > 6d696e6973747261746f72
> > (8) eap_peap: Setting User-Name to mypc-pc\Administrator
> > (8) eap_peap: Sending tunneled request to inner-tunnel
> > (8) eap_peap: EAP-Message =
> > 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> > 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> > 6d696e6973747261746f72
> > (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> > (8) eap_peap: User-Name = "mypc-pc\\Administrator"
> > (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> > (8) Virtual server inner-tunnel received request
> > (8) EAP-Message =
> > 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> > 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> > 6d696e6973747261746f72
> > (8) FreeRADIUS-Proxied-To = 127.0.0.1
> > (8) User-Name = "mypc-pc\\Administrator"
> > (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c
> > (8) WARNING: Outer and inner identities are the same. User privacy is
> > compromised.
> > (8) server inner-tunnel {
> > (8) session-state: No cached attributes
> > (8) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (8) authorize {
> > (8) update {
> > (8) Executing: /mydir/sbin/myprog-nac
> > --username='%{User-Name}'
> > --verify=true --control=false:
> > (8) EXPAND --username=%{User-Name}
> > (8) --> --username=mypc-pc\\Administrator
> > (8) Program returned code (0) and output
> > 'Idle-Timeout := "30"'
> > (8) reply::Idle-Timeout := 30
> > (8) } # update = noop
> > (8) policy filter_username {
> > (8) if (&User-Name) {
> > (8) if (&User-Name) -> TRUE
> > (8) if (&User-Name) {
> > (8) if (&User-Name =~ / /) {
> > (8) if (&User-Name =~ / /) -> FALSE
> > (8) if (&User-Name =~ /@[^@]*@/ ) {
> > (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (8) if (&User-Name =~ /\.\./ ) {
> > (8) if (&User-Name =~ /\.\./ ) -> FALSE
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (8) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/))
> > -> FALSE
> > (8) if (&User-Name =~ /\.$/) {
> > (8) if (&User-Name =~ /\.$/) -> FALSE
> > (8) if (&User-Name =~ /@\./) {
> > (8) if (&User-Name =~ /@\./) -> FALSE
> > (8) } # if (&User-Name) = noop
> > (8) } # policy filter_username = noop
> > (8) [chap] = noop
> > (8) [mschap] = noop
> > (8) suffix: Checking for suffix after "@"
> > (8) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (8) suffix: No such realm "NULL"
> > (8) [suffix] = noop
> > (8) update control {
> > (8) &Proxy-To-Realm := LOCAL
> > (8) } # update control = noop
> > (8) eap: Peer sent EAP Response (code 2) ID 171 length 72
> > (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> > (8) [eap] = updated
> > (8) [files] = noop
> > (8) [expiration] = noop
> > (8) [logintime] = noop
> > (8) [pap] = noop
> > (8) } # authorize = updated
> > (8) Found Auth-Type = eap
> > (8) # Executing group from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (8) authenticate {
> > (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
> > (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a
> > (8) eap: Previous EAP request found for state
> > 0xb29197b0b23a8d1a, released
> > from the list
> > (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> > (8) eap: Calling submodule eap_mschapv2 to process data
> > (8) eap_mschapv2: # Executing group from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (8) eap_mschapv2: authenticate {
> > (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not
> > the same as
> > MS-CHAP Name (Administrator) from EAP-MSCHAPv2
> > (8) mschap: Creating challenge hash with username: Administrator
> > (8) mschap: Client is using MS-CHAPv2
> > (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key
> > --username=%{%{mschap:User-Name}:-00}
> > --challenge=%{%{mschap:Challenge}:-00}
> > --nt-response=%{%{mschap:NT-Response}:-00}:
> > (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> > (8) mschap: --> --username=Administrator
> > (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not
> > the same as
> > MS-CHAP Name (Administrator) from EAP-MSCHAPv2
> > (8) mschap: Creating challenge hash with username: Administrator
> > (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (8) mschap: --> --challenge=54f8ede55f4a4abb
> > (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (8) mschap: -->
> > --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55
> > (8) mschap: ERROR: Program returned code (1) and output
> > 'Reading winbind
> > reply failed! (0xc0000001)'
> > (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
> > (8) mschap: Authentication failed
> > (8) eap_mschapv2: [mschap] = fail
> > (8) eap_mschapv2: } # authenticate = fail
> > (8) eap: Sending EAP Failure (code 4) ID 171 length 4
> > (8) eap: Freeing handler
> > (8) [eap] = reject
> > (8) } # authenticate = reject
> > (8) Failed to authenticate the user
> > (8) Using Post-Auth-Type Reject
> > (8) # Executing group from file
> > /mydir/etc/raddb/sites-enabled/inner-tunnel
> > (8) Post-Auth-Type REJECT {
> > (8) attr_filter.access_reject: EXPAND %{User-Name}
> > (8) attr_filter.access_reject: --> mypc-pc\\Administrator
> > (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > (8) [attr_filter.access_reject] = updated
> > (8) update outer.session-state {
> > (8) &Module-Failure-Message :=
> > &request:Module-Failure-Message ->
> > 'mschap: Program returned code (1) and output \'Reading winbind reply
> > failed! (0xc0000001)\''
> > (8) } # update outer.session-state = noop
> > (8) } # Post-Auth-Type REJECT = updated
> > (8) } # server inner-tunnel
> > (8) Virtual server sending reply
> > (8) MS-CHAP-Error = "\253E=691 R=1
> > C=be33295ca3e819f0d59751ac4be850ab V=3
> > M=Authentication failed"
> > (8) EAP-Message = 0x04ab0004
> > (8) Message-Authenticator = 0x00000000000000000000000000000000
> > (8) eap_peap: Got tunneled reply code 3
> > (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
> > C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
> > (8) eap_peap: EAP-Message = 0x04ab0004
> > (8) eap_peap: Message-Authenticator =
> > 0x00000000000000000000000000000000
> > (8) eap_peap: Got tunneled reply RADIUS code 3
> > (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
> > C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
> > (8) eap_peap: EAP-Message = 0x04ab0004
> > (8) eap_peap: Message-Authenticator =
> > 0x00000000000000000000000000000000
> > (8) eap_peap: Tunneled authentication was rejected
> > (8) eap_peap: FAILURE
> > (8) eap: Sending EAP Request (code 1) ID 172 length 43
> > (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa
> > (8) [eap] = handled
> > (8) } # authenticate = handled
> > (8) Using Post-Auth-Type Challenge
> > (8) Post-Auth-Type sub-section not found. Ignoring.
> > (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (8) session-state: Saving cached attributes
> > (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (8) TLS-Session-Version = "TLS 1.0"
> > (8) Module-Failure-Message := "mschap: Program returned code (1) and
> > output 'Reading winbind reply failed! (0xc0000001)'"
> > (8) Sent Access-Challenge Id 33 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 0
> > (8) EAP-Message =
> > 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f82
> > 46a377c0748067abbfc703e7f7
> > (8) Message-Authenticator = 0x00000000000000000000000000000000
> > (8) State = 0x06df9fcc0e7386aa43639075ca7d333a
> > (8) Finished request
> > Waking up in 4.3 seconds.
> > (9) Received Access-Request Id 34 from 172.100.0.60:49947 to
> > 172.16.0.100:1812 length 377
> > (9) User-Name = "mypc-pc\\Administrator"
> > (9) NAS-Port = 20497
> > (9) Service-Type = Framed-User
> > (9) Framed-Protocol = PPP
> > (9) Calling-Station-Id = "44a8-42f7-952d"
> > (9) NAS-Identifier = "S5735_K6_SW1"
> > (9) NAS-Port-Type = Ethernet
> > (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> > (9) State = 0x06df9fcc0e7386aa43639075ca7d333a
> > (9) EAP-Message =
> > 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de66
> > 1047ec0e47760dd1c38e3479ce
> > (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e
> > (9) Called-Station-Id = "44-67-47-26-F7-90"
> > (9) Login-IP-Host = 0.0.0.0
> > (9) NAS-IP-Address = 172.100.0.60
> > (9) Framed-MTU = 1500
> > (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> > (9) Huawei-Startup-Stamp = 1589932873
> > (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> > (9) Huawei-Connect-ID = 45
> > (9) Huawei-Version = "Huawei S5735"
> > (9) Huawei-Product-ID = "S5735"
> > (9) Huawei-User-Mac = "\000\000\000\001"
> > (9) Huawei-Domain-Name = "default"
> > (9) Restoring &session-state
> > (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> > (9) &session-state:TLS-Session-Version = "TLS 1.0"
> > (9) &session-state:Module-Failure-Message := "mschap:
> > Program returned
> > code (1) and output 'Reading winbind reply failed! (0xc0000001)'"
> > (9) # Executing section authorize from file
> > /mydir/etc/raddb/sites-enabled/default
> > (9) authorize {
> > (9) update {
> > (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> > --calledStationID='%{Called-Station-Id}'
> > --callingStationID='%{Calling-Station-Id}'
> > --connectInfo='%{Connect-Info}'
> > --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> > --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> > --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> > --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> > --tunnelMediumType='%{Tunnel-Medium-Type}'
> > --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> > --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> > --logging=true:
> > (9) EXPAND --username=%{User-Name}
> > (9) --> --username=mypc-pc\\Administrator
> > (9) EXPAND --calledStationID=%{Called-Station-Id}
> > (9) --> --calledStationID=44-67-47-26-F7-90
> > (9) EXPAND --callingStationID=%{Calling-Station-Id}
> > (9) --> --callingStationID=44a8-42f7-952d
> > (9) EXPAND --connectInfo=%{Connect-Info}
> > (9) --> --connectInfo=
> > (9) EXPAND --framedMTU=%{Framed-MTU}
> > (9) --> --framedMTU=1500
> > (9) EXPAND --framedProtocol=%{Framed-Protocol}
> > (9) --> --framedProtocol=PPP
> > (9) EXPAND --nasIdentifier=%{NAS-Identifier}
> > (9) --> --nasIdentifier=S5735_K6_SW1
> > (9) EXPAND --nasIPAddress=%{NAS-IP-Address}
> > (9) --> --nasIPAddress=172.100.0.60
> > (9) EXPAND --nasPort=%{NAS-Port}
> > (9) --> --nasPort=20497
> > (9) EXPAND --nasPortID=%{NAS-Port-Id}
> > (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> > (9) EXPAND --nasPortType=%{NAS-Port-Type}
> > (9) --> --nasPortType=Ethernet
> > (9) EXPAND --serviceType=%{Service-Type}
> > (9) --> --serviceType=Framed-User
> > (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> > (9) --> --tunnelMediumType=
> > (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> > (9) --> --tunnelPrivateGroupID=
> > (9) EXPAND --tunnelType=%{Tunnel-Type}
> > (9) --> --tunnelType=
> > (9) Program returned code (0) and output 'Reply-Message :=""'
> > (9) control::Reply-Message :=
> > (9) } # update = noop
> > (9) policy filter_username {
> > (9) if (&User-Name) {
> > (9) if (&User-Name) -> TRUE
> > (9) if (&User-Name) {
> > (9) if (&User-Name =~ / /) {
> > (9) if (&User-Name =~ / /) -> FALSE
> > (9) if (&User-Name =~ /@[^@]*@/ ) {
> > (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > (9) if (&User-Name =~ /\.\./ ) {
> > (9) if (&User-Name =~ /\.\./ ) -> FALSE
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > (9) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) ->
> > FALSE
> > (9) if (&User-Name =~ /\.$/) {
> > (9) if (&User-Name =~ /\.$/) -> FALSE
> > (9) if (&User-Name =~ /@\./) {
> > (9) if (&User-Name =~ /@\./) -> FALSE
> > (9) } # if (&User-Name) = noop
> > (9) } # policy filter_username = noop
> > (9) [preprocess] = ok
> > (9) [mschap] = noop
> > (9) [digest] = noop
> > (9) suffix: Checking for suffix after "@"
> > (9) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> > looking up realm
> > NULL
> > (9) suffix: No such realm "NULL"
> > (9) [suffix] = noop
> > (9) eap: Peer sent EAP Response (code 2) ID 172 length 43
> > (9) eap: Continuing tunnel setup
> > (9) [eap] = ok
> > (9) } # authorize = ok
> > (9) Found Auth-Type = eap
> > (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (9) authenticate {
> > (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa
> > (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa
> > (9) eap: Previous EAP request found for state
> > 0x06df9fcc0e7386aa, released
> > from the list
> > (9) eap: Peer sent packet with method EAP PEAP (25)
> > (9) eap: Calling submodule eap_peap to process data
> > (9) eap_peap: Continuing EAP-TLS
> > (9) eap_peap: [eaptls verify] = ok
> > (9) eap_peap: Done initial handshake
> > (9) eap_peap: [eaptls process] = ok
> > (9) eap_peap: Session established. Decoding tunneled attributes
> > (9) eap_peap: PEAP state send tlv failure
> > (9) eap_peap: Received EAP-TLV response
> > (9) eap_peap: ERROR: The users session was previously
> > rejected: returning
> > reject (again.)
> > (9) eap_peap: This means you need to read the PREVIOUS
> > messages in the
> > debug output
> > (9) eap_peap: to find out the reason why the user was rejected
> > (9) eap_peap: Look for "reject" or "fail". Those earlier
> > messages will
> > tell you
> > (9) eap_peap: what went wrong, and how to fix the problem
> > (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
> > sub-module
> > failed
> > (9) eap: Sending EAP Failure (code 4) ID 172 length 4
> > (9) eap: Failed in EAP select
> > (9) [eap] = invalid
> > (9) } # authenticate = invalid
> > (9) Failed to authenticate the user
> > (9) Using Post-Auth-Type Reject
> > (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> > (9) Post-Auth-Type REJECT {
> > (9) attr_filter.access_reject: EXPAND %{User-Name}
> > (9) attr_filter.access_reject: --> mypc-pc\\Administrator
> > (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > (9) [attr_filter.access_reject] = updated
> > (9) [eap] = noop
> > (9) policy remove_reply_message_if_eap {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> > (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > (9) else {
> > (9) [noop] = noop
> > (9) } # else = noop
> > (9) } # policy remove_reply_message_if_eap = noop
> > (9) } # Post-Auth-Type REJECT = updated
> > (9) Delaying response for 1.000000 seconds
> > Waking up in 0.3 seconds.
> > Waking up in 0.6 seconds.
> > (9) Sending delayed response
> > (9) Sent Access-Reject Id 34 from 172.16.0.100:1812 to
> > 172.100.0.60:49947 length
> > 44
> > (9) EAP-Message = 0x04ac0004
> > (9) Message-Authenticator = 0x00000000000000000000000000000000
> > Waking up in 3.3 seconds.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list