MSCHAP DC Server Authentication winbind reply failed
L.P.H. van Belle
belle at bazuin.nl
Tue Jun 22 09:33:17 CEST 2021
> Therefore I thought I might have misconfigured something on the FreeRADIUS side
yes, that is correct, your missing there parts also..
Both links how what you need. its mainly these 2.
ntlm auth = mschapv2-and-ntlmv2-only
and
ntlm_auth = "/path/to/ntlm_auth --allow-mschapv2 --request-nt-key
but please read the sites and follow the instructions in the radius config, then it will "just" work ;-)
Greetz,
Louis
Van: Vertigo Altair [mailto:vertigo.altair at gmail.com]
Verzonden: dinsdag 22 juni 2021 9:29
Aan: FreeRadius users mailing list
CC: L.P.H. van Belle
Onderwerp: Re: MSCHAP DC Server Authentication winbind reply failed
Thanks for your help, but when I run ntlm_auth and wbinfo manually, there is no problem. Therefore I thought I might have misconfigured something on the FreeRADIUS side.
On Tue, 22 Jun 2021 at 10:12, L.P.H. van Belle via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
I think you should fix your samba setup first.
Your smb.conf is not correctly setup and without that being correctly
ntlm_auth is not going to work in free radius
Read :
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
And read :
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
For FreeRadius and auth only, RID (or autorid) setup is sufficient
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freerad
> ius.org] Namens Vertigo Altair
> Verzonden: maandag 21 juni 2021 21:26
> Aan: FreeRadius users mailing list
> Onderwerp: MSCHAP DC Server Authentication winbind reply failed
>
> Hi FreeRADIUS!
>
> I'm trying to use FreeRADIUS with MSCHAP through a DC server.
> However, I'm
> getting an error like "winbind reply failed!"
>
> I'm running on OpenBSD 6.9.
>
>
> FreeRADIUS version:
>
> # /usr/local/sbin/radiusd -v | head -1
> radiusd: FreeRADIUS Version 3.0.21, for host
> x86_64-unknown-openbsd6.9,
> built on Apr 20 2021 at 05:14:02
> #
>
>
> My configuration is like that;
>
> =============
>
> # cat /etc/samba/smb.conf
> [global]
>
> winbind use default domain = no
> security = ads
> netbios name = myhost
> workgroup = MYWORKGROUP
> realm = zz.example.com
> password server = zz.example.com
>
> ==============
>
> I joined the DC server successfully;
>
> # net join -U myadmin
> Using short domain name -- XX
> Joined 'YY' to dns domain 'zz.example.com'
> No DNS domain configured for myhost. Unable to perform DNS Update.
>
> =============
> I can make challange based authentication with wbinfo;
>
> # wbinfo -a myuser%mypass
> plaintext password authentication failed <<< FAIL
> Could not authenticate user myuser%mypass with plaintext password
> challenge/response password authentication succeeded
> #
>
> ===============
>
> And also with ntlm_auth;
>
> # ntlm_auth --request-nt-key --username myuser
> Password: myuser
> NT_STATUS_OK: The operation completed successfully. (0x0)
> #
>
> ==================
>
> I've created a user named "winbindd_priv" and added this user the
> _freeradius group to access winbind privileged socket from FreeRADIUS
>
> # cat /etc/group |grep winbind
> winbindd_priv:*:1000:_freeradius
>
> # ls -la /var/run/samba/winbindd*
> -rw-r--r-- 1 root winbindd_priv 6 Jun 21 18:39
> /var/run/samba/winbindd.pid
>
> /var/run/samba/winbindd:
> srwxrwxrwx 1 root winbindd_priv 0 Jun 21 18:38 pipe
> #
>
> ===================
>
> I couldn't see anything wrong there, I followed the official
> documentation
> properly. I'm getting "winbind reply failed!" error anyway.
>
> The full output from radiusd -X;
>
> ======================
>
>
> (0) Received Access-Request Id 25 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 338
> (0) User-Name = "mypc-pc\\Administrator"
> (0) NAS-Port = 20497
> (0) Service-Type = Framed-User
> (0) Framed-Protocol = PPP
> (0) Calling-Station-Id = "44a8-42f7-952d"
> (0) NAS-Identifier = "S5735_K6_SW1"
> (0) NAS-Port-Type = Ethernet
> (0) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (0) EAP-Message =
> 0x02a3001c01626c6774656b2d70635c41646d696e6973747261746f72
> (0) Message-Authenticator = 0x2da911933329aa455da04b910df9e08e
> (0) Called-Station-Id = "44-67-47-26-F7-90"
> (0) NAS-IP-Address = 172.100.0.60
> (0) Framed-MTU = 1500
> (0) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (0) Huawei-Startup-Stamp = 1589932873
> (0) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (0) Huawei-Connect-ID = 45
> (0) Huawei-Version = "Huawei S5735"
> (0) Huawei-Product-ID = "S5735"
> (0) Huawei-User-Mac = "\000\000\000\001"
> (0) Huawei-Domain-Name = "default"
> (0) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (0) authorize {
> (0) update {
> (0) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (0) EXPAND --username=%{User-Name}
> (0) --> --username=mypc-pc\\Administrator
> (0) EXPAND --calledStationID=%{Called-Station-Id}
> (0) --> --calledStationID=44-67-47-26-F7-90
> (0) EXPAND --callingStationID=%{Calling-Station-Id}
> (0) --> --callingStationID=44a8-42f7-952d
> (0) EXPAND --connectInfo=%{Connect-Info}
> (0) --> --connectInfo=
> (0) EXPAND --framedMTU=%{Framed-MTU}
> (0) --> --framedMTU=1500
> (0) EXPAND --framedProtocol=%{Framed-Protocol}
> (0) --> --framedProtocol=PPP
> (0) EXPAND --nasIdentifier=%{NAS-Identifier}
> (0) --> --nasIdentifier=S5735_K6_SW1
> (0) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (0) --> --nasIPAddress=172.100.0.60
> (0) EXPAND --nasPort=%{NAS-Port}
> (0) --> --nasPort=20497
> (0) EXPAND --nasPortID=%{NAS-Port-Id}
> (0) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (0) EXPAND --nasPortType=%{NAS-Port-Type}
> (0) --> --nasPortType=Ethernet
> (0) EXPAND --serviceType=%{Service-Type}
> (0) --> --serviceType=Framed-User
> (0) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (0) --> --tunnelMediumType=
> (0) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (0) --> --tunnelPrivateGroupID=
> (0) EXPAND --tunnelType=%{Tunnel-Type}
> (0) --> --tunnelType=
> (0) Program returned code (0) and output 'Reply-Message :=""'
> (0) control::Reply-Message :=
> (0) } # update = noop
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = noop
> (0) } # policy filter_username = noop
> (0) [preprocess] = ok
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 163 length 28
> (0) eap: EAP-Identity reply, returning 'ok' so we can
> short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_md5 to process data
> (0) eap_md5: Issuing MD5 Challenge
> (0) eap: Sending EAP Request (code 1) ID 164 length 22
> (0) eap: EAP session adding &reply:State = 0x06df9fcc067b9baa
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found. Ignoring.
> (0) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (0) Sent Access-Challenge Id 25 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (0) EAP-Message = 0x01a400160410fb53358fd5f5bb176cb25434be27dc38
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x06df9fcc067b9baa43639075ca7d333a
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 26 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340
> (1) User-Name = "mypc-pc\\Administrator"
> (1) NAS-Port = 20497
> (1) Service-Type = Framed-User
> (1) Framed-Protocol = PPP
> (1) Calling-Station-Id = "44a8-42f7-952d"
> (1) NAS-Identifier = "S5735_K6_SW1"
> (1) NAS-Port-Type = Ethernet
> (1) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (1) State = 0x06df9fcc067b9baa43639075ca7d333a
> (1) EAP-Message = 0x02a400060319
> (1) Message-Authenticator = 0xf104c44a25c93bccb28f9f2e00f4333c
> (1) Called-Station-Id = "44-67-47-26-F7-90"
> (1) Login-IP-Host = 0.0.0.0
> (1) NAS-IP-Address = 172.100.0.60
> (1) Framed-MTU = 1500
> (1) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (1) Huawei-Startup-Stamp = 1589932873
> (1) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (1) Huawei-Connect-ID = 45
> (1) Huawei-Version = "Huawei S5735"
> (1) Huawei-Product-ID = "S5735"
> (1) Huawei-User-Mac = "\000\000\000\001"
> (1) Huawei-Domain-Name = "default"
> (1) session-state: No cached attributes
> (1) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (1) authorize {
> (1) update {
> (1) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (1) EXPAND --username=%{User-Name}
> (1) --> --username=mypc-pc\\Administrator
> (1) EXPAND --calledStationID=%{Called-Station-Id}
> (1) --> --calledStationID=44-67-47-26-F7-90
> (1) EXPAND --callingStationID=%{Calling-Station-Id}
> (1) --> --callingStationID=44a8-42f7-952d
> (1) EXPAND --connectInfo=%{Connect-Info}
> (1) --> --connectInfo=
> (1) EXPAND --framedMTU=%{Framed-MTU}
> (1) --> --framedMTU=1500
> (1) EXPAND --framedProtocol=%{Framed-Protocol}
> (1) --> --framedProtocol=PPP
> (1) EXPAND --nasIdentifier=%{NAS-Identifier}
> (1) --> --nasIdentifier=S5735_K6_SW1
> (1) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (1) --> --nasIPAddress=172.100.0.60
> (1) EXPAND --nasPort=%{NAS-Port}
> (1) --> --nasPort=20497
> (1) EXPAND --nasPortID=%{NAS-Port-Id}
> (1) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (1) EXPAND --nasPortType=%{NAS-Port-Type}
> (1) --> --nasPortType=Ethernet
> (1) EXPAND --serviceType=%{Service-Type}
> (1) --> --serviceType=Framed-User
> (1) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (1) --> --tunnelMediumType=
> (1) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (1) --> --tunnelPrivateGroupID=
> (1) EXPAND --tunnelType=%{Tunnel-Type}
> (1) --> --tunnelType=
> (1) Program returned code (0) and output 'Reply-Message :=""'
> (1) control::Reply-Message :=
> (1) } # update = noop
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = noop
> (1) } # policy filter_username = noop
> (1) [preprocess] = ok
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 164 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) [expiration] = noop
> (1) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x06df9fcc067b9baa
> (1) eap: Finished EAP session with state 0x06df9fcc067b9baa
> (1) eap: Previous EAP request found for state
> 0x06df9fcc067b9baa, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Found mutually acceptable type PEAP (25)
> (1) eap: Calling submodule eap_peap to process data
> (1) eap_peap: Initiating new TLS session
> (1) eap_peap: [eaptls start] = request
> (1) eap: Sending EAP Request (code 1) ID 165 length 6
> (1) eap: EAP session adding &reply:State = 0x06df9fcc077a86aa
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found. Ignoring.
> (1) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (1) Sent Access-Challenge Id 26 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (1) EAP-Message = 0x01a500061920
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x06df9fcc077a86aa43639075ca7d333a
> (1) Finished request
> Waking up in 4.9 seconds.
> (2) Received Access-Request Id 27 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 447
> (2) User-Name = "mypc-pc\\Administrator"
> (2) NAS-Port = 20497
> (2) Service-Type = Framed-User
> (2) Framed-Protocol = PPP
> (2) Calling-Station-Id = "44a8-42f7-952d"
> (2) NAS-Identifier = "S5735_K6_SW1"
> (2) NAS-Port-Type = Ethernet
> (2) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (2) State = 0x06df9fcc077a86aa43639075ca7d333a
> (2) EAP-Message =
> 0x02a5007119800000006716030100620100005e030160d0e32a6722bce315
> 95a5e36c093697851bb230673e9d56c34961448f20d9c300001cc014c01300
> 3900330035002fc00ac00900380032000a00130005000401000019000a0006
> 000400170018000b0002010000170000ff01000100
> (2) Message-Authenticator = 0x8e36104449de451d2f46716428d8d1d0
> (2) Called-Station-Id = "44-67-47-26-F7-90"
> (2) Login-IP-Host = 0.0.0.0
> (2) NAS-IP-Address = 172.100.0.60
> (2) Framed-MTU = 1500
> (2) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (2) Huawei-Startup-Stamp = 1589932873
> (2) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (2) Huawei-Connect-ID = 45
> (2) Huawei-Version = "Huawei S5735"
> (2) Huawei-Product-ID = "S5735"
> (2) Huawei-User-Mac = "\000\000\000\001"
> (2) Huawei-Domain-Name = "default"
> (2) session-state: No cached attributes
> (2) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (2) authorize {
> (2) update {
> (2) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (2) EXPAND --username=%{User-Name}
> (2) --> --username=mypc-pc\\Administrator
> (2) EXPAND --calledStationID=%{Called-Station-Id}
> (2) --> --calledStationID=44-67-47-26-F7-90
> (2) EXPAND --callingStationID=%{Calling-Station-Id}
> (2) --> --callingStationID=44a8-42f7-952d
> (2) EXPAND --connectInfo=%{Connect-Info}
> (2) --> --connectInfo=
> (2) EXPAND --framedMTU=%{Framed-MTU}
> (2) --> --framedMTU=1500
> (2) EXPAND --framedProtocol=%{Framed-Protocol}
> (2) --> --framedProtocol=PPP
> (2) EXPAND --nasIdentifier=%{NAS-Identifier}
> (2) --> --nasIdentifier=S5735_K6_SW1
> (2) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (2) --> --nasIPAddress=172.100.0.60
> (2) EXPAND --nasPort=%{NAS-Port}
> (2) --> --nasPort=20497
> (2) EXPAND --nasPortID=%{NAS-Port-Id}
> (2) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (2) EXPAND --nasPortType=%{NAS-Port-Type}
> (2) --> --nasPortType=Ethernet
> (2) EXPAND --serviceType=%{Service-Type}
> (2) --> --serviceType=Framed-User
> (2) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (2) --> --tunnelMediumType=
> (2) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (2) --> --tunnelPrivateGroupID=
> (2) EXPAND --tunnelType=%{Tunnel-Type}
> (2) --> --tunnelType=
> (2) Program returned code (0) and output 'Reply-Message :=""'
> (2) control::Reply-Message :=
> (2) } # update = noop
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = noop
> (2) } # policy filter_username = noop
> (2) [preprocess] = ok
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 165 length 113
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x06df9fcc077a86aa
> (2) eap: Finished EAP session with state 0x06df9fcc077a86aa
> (2) eap: Previous EAP request found for state
> 0x06df9fcc077a86aa, released
> from the list
> (2) eap: Peer sent packet with method EAP PEAP (25)
> (2) eap: Calling submodule eap_peap to process data
> (2) eap_peap: Continuing EAP-TLS
> (2) eap_peap: Peer indicated complete TLS record size will be
> 103 bytes
> (2) eap_peap: Got complete TLS record (103 bytes)
> (2) eap_peap: [eaptls verify] = length included
> (2) eap_peap: (other): before accept initialization
> (2) eap_peap: <<< recv UNKNOWN TLS VERSION '0304' [length 0062]
> (2) eap_peap: TLS_accept: SSLv3 read client hello A
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0037], ServerHello
> (2) eap_peap: TLS_accept: SSLv3 write server hello A
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 08e5], Certificate
> (2) eap_peap: TLS_accept: SSLv3 write certificate A
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 014b],
> ServerKeyExchange
> (2) eap_peap: TLS_accept: SSLv3 write key exchange A
> (2) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
> ServerHelloDone
> (2) eap_peap: TLS_accept: SSLv3 write server done A
> (2) eap_peap: TLS_accept: SSLv3 flush data
> (2) eap_peap: TLS_accept: SSLv3 read client certificate A
> (2) eap_peap: TLS_accept: Need to read more data: SSLv3 read
> client key
> exchange A
> (2) eap_peap: TLS - In Handshake Phase
> (2) eap_peap: TLS - got 2687 bytes of data
> (2) eap_peap: [eaptls process] = handled
> (2) eap: Sending EAP Request (code 1) ID 166 length 1004
> (2) eap: EAP session adding &reply:State = 0x06df9fcc047986aa
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) Post-Auth-Type sub-section not found. Ignoring.
> (2) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (2) Sent Access-Challenge Id 27 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (2) EAP-Message =
> 0x01a603ec19c000000a7f16030100370200003303011069fa543cddfebbc2
> a59de247700b31bea216c1570e4080444f574e4752440000c01400000bff01
> 000100000b0002010016030108e50b0008e10008de0003e8308203e4308202
> cca003020102020101300d06092a864886f70d01010b0500308196310b3009
> 060355040613025452310e300c06035504080c05495a4d4952310d300b0603
> 5504070c0455524c4131173015060355040a0c0e5061727461204e6574776f
> 726b733120301e06092a864886f70d0109011611696e666f4070617274612e
> 636f6d2e7472312d302b06035504030c245061727461204e6574776f726b73
> 20436572746966696361746520417574686f72697479301e170d3230303333
> 313131323930385a170d3330303332393131323930385a308182310b300906
> 0355040613025452310e300c06035504080c05495a4d495231173015060355
> 040a0c0e5061727461204e6574776f726b733128302606035504030c1f506172746120
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x06df9fcc047986aa43639075ca7d333a
> (2) Finished request
> Waking up in 4.7 seconds.
> (3) Received Access-Request Id 28 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340
> (3) User-Name = "mypc-pc\\Administrator"
> (3) NAS-Port = 20497
> (3) Service-Type = Framed-User
> (3) Framed-Protocol = PPP
> (3) Calling-Station-Id = "44a8-42f7-952d"
> (3) NAS-Identifier = "S5735_K6_SW1"
> (3) NAS-Port-Type = Ethernet
> (3) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (3) State = 0x06df9fcc047986aa43639075ca7d333a
> (3) EAP-Message = 0x02a600061900
> (3) Message-Authenticator = 0xcc4d6c36e5459879cc826325ec4d747a
> (3) Called-Station-Id = "44-67-47-26-F7-90"
> (3) Login-IP-Host = 0.0.0.0
> (3) NAS-IP-Address = 172.100.0.60
> (3) Framed-MTU = 1500
> (3) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (3) Huawei-Startup-Stamp = 1589932873
> (3) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (3) Huawei-Connect-ID = 45
> (3) Huawei-Version = "Huawei S5735"
> (3) Huawei-Product-ID = "S5735"
> (3) Huawei-User-Mac = "\000\000\000\001"
> (3) Huawei-Domain-Name = "default"
> (3) session-state: No cached attributes
> (3) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (3) authorize {
> (3) update {
> (3) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (3) EXPAND --username=%{User-Name}
> (3) --> --username=mypc-pc\\Administrator
> (3) EXPAND --calledStationID=%{Called-Station-Id}
> (3) --> --calledStationID=44-67-47-26-F7-90
> (3) EXPAND --callingStationID=%{Calling-Station-Id}
> (3) --> --callingStationID=44a8-42f7-952d
> (3) EXPAND --connectInfo=%{Connect-Info}
> (3) --> --connectInfo=
> (3) EXPAND --framedMTU=%{Framed-MTU}
> (3) --> --framedMTU=1500
> (3) EXPAND --framedProtocol=%{Framed-Protocol}
> (3) --> --framedProtocol=PPP
> (3) EXPAND --nasIdentifier=%{NAS-Identifier}
> (3) --> --nasIdentifier=S5735_K6_SW1
> (3) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (3) --> --nasIPAddress=172.100.0.60
> (3) EXPAND --nasPort=%{NAS-Port}
> (3) --> --nasPort=20497
> (3) EXPAND --nasPortID=%{NAS-Port-Id}
> (3) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (3) EXPAND --nasPortType=%{NAS-Port-Type}
> (3) --> --nasPortType=Ethernet
> (3) EXPAND --serviceType=%{Service-Type}
> (3) --> --serviceType=Framed-User
> (3) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (3) --> --tunnelMediumType=
> (3) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (3) --> --tunnelPrivateGroupID=
> (3) EXPAND --tunnelType=%{Tunnel-Type}
> (3) --> --tunnelType=
> (3) Program returned code (0) and output 'Reply-Message :=""'
> (3) control::Reply-Message :=
> (3) } # update = noop
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # if (&User-Name) = noop
> (3) } # policy filter_username = noop
> (3) [preprocess] = ok
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 166 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x06df9fcc047986aa
> (3) eap: Finished EAP session with state 0x06df9fcc047986aa
> (3) eap: Previous EAP request found for state
> 0x06df9fcc047986aa, released
> from the list
> (3) eap: Peer sent packet with method EAP PEAP (25)
> (3) eap: Calling submodule eap_peap to process data
> (3) eap_peap: Continuing EAP-TLS
> (3) eap_peap: Peer ACKed our handshake fragment
> (3) eap_peap: [eaptls verify] = request
> (3) eap_peap: [eaptls process] = handled
> (3) eap: Sending EAP Request (code 1) ID 167 length 1000
> (3) eap: EAP session adding &reply:State = 0x06df9fcc057886aa
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) Post-Auth-Type sub-section not found. Ignoring.
> (3) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (3) Sent Access-Challenge Id 28 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (3) EAP-Message =
> 0x01a703e81940a73b4534fb54764797d56b51f469ff2e5a5feaf506057dbd
> fd6af543dfe986febe19c807b89244404cb9503c4a449efd5e8a9e68f31f0f
> a9b20107d112dde99fabadb55f609fefb8f0cfb09e1bb696330c0004f03082
> 04ec308203d4a0030201020209008917e4729c9d3b3d300d06092a864886f7
> 0d01010b0500308196310b3009060355040613025452310e300c0603550408
> 0c05495a4d4952310d300b06035504070c0455524c4131173015060355040a
> 0c0e5061727461204e6574776f726b733120301e06092a864886f70d010901
> 1611696e666f4070617274612e636f6d2e7472312d302b06035504030c2450
> 61727461204e6574776f726b7320436572746966696361746520417574686f
> 72697479301e170d3230303333313131323930385a170d3330303332393131
> 323930385a308196310b3009060355040613025452310e300c06035504080c
> 05495a4d4952310d300b06035504070c0455524c4131173015060355040a0c0e506172
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x06df9fcc057886aa43639075ca7d333a
> (3) Finished request
> Waking up in 4.7 seconds.
> (4) Received Access-Request Id 29 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340
> (4) User-Name = "mypc-pc\\Administrator"
> (4) NAS-Port = 20497
> (4) Service-Type = Framed-User
> (4) Framed-Protocol = PPP
> (4) Calling-Station-Id = "44a8-42f7-952d"
> (4) NAS-Identifier = "S5735_K6_SW1"
> (4) NAS-Port-Type = Ethernet
> (4) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (4) State = 0x06df9fcc057886aa43639075ca7d333a
> (4) EAP-Message = 0x02a700061900
> (4) Message-Authenticator = 0x345bff17c216eb76264d2dd1836dced4
> (4) Called-Station-Id = "44-67-47-26-F7-90"
> (4) Login-IP-Host = 0.0.0.0
> (4) NAS-IP-Address = 172.100.0.60
> (4) Framed-MTU = 1500
> (4) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (4) Huawei-Startup-Stamp = 1589932873
> (4) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (4) Huawei-Connect-ID = 45
> (4) Huawei-Version = "Huawei S5735"
> (4) Huawei-Product-ID = "S5735"
> (4) Huawei-User-Mac = "\000\000\000\001"
> (4) Huawei-Domain-Name = "default"
> (4) session-state: No cached attributes
> (4) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (4) authorize {
> (4) update {
> (4) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (4) EXPAND --username=%{User-Name}
> (4) --> --username=mypc-pc\\Administrator
> (4) EXPAND --calledStationID=%{Called-Station-Id}
> (4) --> --calledStationID=44-67-47-26-F7-90
> (4) EXPAND --callingStationID=%{Calling-Station-Id}
> (4) --> --callingStationID=44a8-42f7-952d
> (4) EXPAND --connectInfo=%{Connect-Info}
> (4) --> --connectInfo=
> (4) EXPAND --framedMTU=%{Framed-MTU}
> (4) --> --framedMTU=1500
> (4) EXPAND --framedProtocol=%{Framed-Protocol}
> (4) --> --framedProtocol=PPP
> (4) EXPAND --nasIdentifier=%{NAS-Identifier}
> (4) --> --nasIdentifier=S5735_K6_SW1
> (4) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (4) --> --nasIPAddress=172.100.0.60
> (4) EXPAND --nasPort=%{NAS-Port}
> (4) --> --nasPort=20497
> (4) EXPAND --nasPortID=%{NAS-Port-Id}
> (4) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (4) EXPAND --nasPortType=%{NAS-Port-Type}
> (4) --> --nasPortType=Ethernet
> (4) EXPAND --serviceType=%{Service-Type}
> (4) --> --serviceType=Framed-User
> (4) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (4) --> --tunnelMediumType=
> (4) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (4) --> --tunnelPrivateGroupID=
> (4) EXPAND --tunnelType=%{Tunnel-Type}
> (4) --> --tunnelType=
> (4) Program returned code (0) and output 'Reply-Message :=""'
> (4) control::Reply-Message :=
> (4) } # update = noop
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # if (&User-Name) = noop
> (4) } # policy filter_username = noop
> (4) [preprocess] = ok
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 167 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x06df9fcc057886aa
> (4) eap: Finished EAP session with state 0x06df9fcc057886aa
> (4) eap: Previous EAP request found for state
> 0x06df9fcc057886aa, released
> from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer ACKed our handshake fragment
> (4) eap_peap: [eaptls verify] = request
> (4) eap_peap: [eaptls process] = handled
> (4) eap: Sending EAP Request (code 1) ID 168 length 705
> (4) eap: EAP session adding &reply:State = 0x06df9fcc027786aa
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) Post-Auth-Type sub-section not found. Ignoring.
> (4) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (4) Sent Access-Challenge Id 29 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (4) EAP-Message =
> 0x01a802c11900e4729c9d3b3d300f0603551d130101ff040530030101ff30
> 350603551d1f042e302c302aa028a0268624687474703a2f2f7777772e7061
> 7274612e636f6d2e74722f70617274615f63612e63726c300d06092a864886
> f70d01010b0500038201010002a7a685fd8c45441aa4e88edd20fe072c2d6d
> c2fdf1a70bdfbb4e4d6e447ef63fb83535d1eb1a9b7eb0d8fc177cbe833bcd
> 8ca72116ebd550b12ab279f5298beb6a8f7e58f38e9943d51a2b9a415f0f7b
> 6cb3e284f54c181f57eea3ec231ccea3f982602d46374234e262a8a5709816
> 56b6e991155da7983b5edddd89239eec5c82cbc176541e5e32f2e1fcf783f1
> 62fbd7de96dbaadafd0e8f56d5f72f4de5ac1254656c6ba349ed7ae5202dfd
> 20b3dc5e576bbba43c2f10d1b66b764038601b2e23a27a7a3b4b13e4d58343
> df004dbd21908c71c0d563f18eec86d5a74bf7b192d4da4ffa036e75462374
> 8cdfe9ee000c02a3ee75574fa594e9055132d03e160301014b0c0001470300174104a0
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x06df9fcc027786aa43639075ca7d333a
> (4) Finished request
> Waking up in 4.6 seconds.
> (5) Received Access-Request Id 30 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 478
> (5) User-Name = "mypc-pc\\Administrator"
> (5) NAS-Port = 20497
> (5) Service-Type = Framed-User
> (5) Framed-Protocol = PPP
> (5) Calling-Station-Id = "44a8-42f7-952d"
> (5) NAS-Identifier = "S5735_K6_SW1"
> (5) NAS-Port-Type = Ethernet
> (5) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (5) State = 0x06df9fcc027786aa43639075ca7d333a
> (5) EAP-Message =
> 0x02a800901980000000861603010046100000424104c7b577ecf031abd558
> 556c730dea6a62961ef24e63b87df106b9981a6899f04e68a480a2b306f8f1
> 99787ac538d19bc572f82e277133f9ebbdbd8b3b4d17866e14030100010116
> 030100301e14570b074715b54215c474e30f4ab9f9bfadb1590f0331598dae
> f254ac64514ddef71c035306cdc1fea1cbdd58dcce
> (5) Message-Authenticator = 0x68db217c9425678c6ba8dba10a9679e9
> (5) Called-Station-Id = "44-67-47-26-F7-90"
> (5) Login-IP-Host = 0.0.0.0
> (5) NAS-IP-Address = 172.100.0.60
> (5) Framed-MTU = 1500
> (5) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (5) Huawei-Startup-Stamp = 1589932873
> (5) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (5) Huawei-Connect-ID = 45
> (5) Huawei-Version = "Huawei S5735"
> (5) Huawei-Product-ID = "S5735"
> (5) Huawei-User-Mac = "\000\000\000\001"
> (5) Huawei-Domain-Name = "default"
> (5) session-state: No cached attributes
> (5) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (5) authorize {
> (5) update {
> (5) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (5) EXPAND --username=%{User-Name}
> (5) --> --username=mypc-pc\\Administrator
> (5) EXPAND --calledStationID=%{Called-Station-Id}
> (5) --> --calledStationID=44-67-47-26-F7-90
> (5) EXPAND --callingStationID=%{Calling-Station-Id}
> (5) --> --callingStationID=44a8-42f7-952d
> (5) EXPAND --connectInfo=%{Connect-Info}
> (5) --> --connectInfo=
> (5) EXPAND --framedMTU=%{Framed-MTU}
> (5) --> --framedMTU=1500
> (5) EXPAND --framedProtocol=%{Framed-Protocol}
> (5) --> --framedProtocol=PPP
> (5) EXPAND --nasIdentifier=%{NAS-Identifier}
> (5) --> --nasIdentifier=S5735_K6_SW1
> (5) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (5) --> --nasIPAddress=172.100.0.60
> (5) EXPAND --nasPort=%{NAS-Port}
> (5) --> --nasPort=20497
> (5) EXPAND --nasPortID=%{NAS-Port-Id}
> (5) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (5) EXPAND --nasPortType=%{NAS-Port-Type}
> (5) --> --nasPortType=Ethernet
> (5) EXPAND --serviceType=%{Service-Type}
> (5) --> --serviceType=Framed-User
> (5) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (5) --> --tunnelMediumType=
> (5) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (5) --> --tunnelPrivateGroupID=
> (5) EXPAND --tunnelType=%{Tunnel-Type}
> (5) --> --tunnelType=
> (5) Program returned code (0) and output 'Reply-Message :=""'
> (5) control::Reply-Message :=
> (5) } # update = noop
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = noop
> (5) } # policy filter_username = noop
> (5) [preprocess] = ok
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 168 length 144
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x06df9fcc027786aa
> (5) eap: Finished EAP session with state 0x06df9fcc027786aa
> (5) eap: Previous EAP request found for state
> 0x06df9fcc027786aa, released
> from the list
> (5) eap: Peer sent packet with method EAP PEAP (25)
> (5) eap: Calling submodule eap_peap to process data
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: Peer indicated complete TLS record size will be
> 134 bytes
> (5) eap_peap: Got complete TLS record (134 bytes)
> (5) eap_peap: [eaptls verify] = length included
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046],
> ClientKeyExchange
> (5) eap_peap: TLS_accept: SSLv3 read client key exchange A
> (5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: SSLv3 read finished A
> (5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
> (5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
> (5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
> (5) eap_peap: TLS_accept: SSLv3 write finished A
> (5) eap_peap: TLS_accept: SSLv3 flush data
> (5) eap_peap: (other): SSL negotiation finished successfully
> (5) eap_peap: TLS - Connection Established
> (5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (5) eap_peap: TLS-Session-Version = "TLS 1.0"
> (5) eap_peap: TLS - got 59 bytes of data
> (5) eap_peap: [eaptls process] = handled
> (5) eap: Sending EAP Request (code 1) ID 169 length 65
> (5) eap: EAP session adding &reply:State = 0x06df9fcc037686aa
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) Post-Auth-Type sub-section not found. Ignoring.
> (5) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (5) session-state: Saving cached attributes
> (5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (5) TLS-Session-Version = "TLS 1.0"
> (5) Sent Access-Challenge Id 30 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (5) EAP-Message =
> 0x01a90041190014030100010116030100302fe125fbf82aa49c3614c980ad
> be6cec3d9fcfee716e1ad42f33b3e8d99e997248e974d389d973a61f8d6f2facc5e492
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x06df9fcc037686aa43639075ca7d333a
> (5) Finished request
> Waking up in 4.6 seconds.
> (6) Received Access-Request Id 31 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 340
> (6) User-Name = "mypc-pc\\Administrator"
> (6) NAS-Port = 20497
> (6) Service-Type = Framed-User
> (6) Framed-Protocol = PPP
> (6) Calling-Station-Id = "44a8-42f7-952d"
> (6) NAS-Identifier = "S5735_K6_SW1"
> (6) NAS-Port-Type = Ethernet
> (6) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (6) State = 0x06df9fcc037686aa43639075ca7d333a
> (6) EAP-Message = 0x02a900061900
> (6) Message-Authenticator = 0x6eae2e14353af6bdf3490d21f430dfbe
> (6) Called-Station-Id = "44-67-47-26-F7-90"
> (6) Login-IP-Host = 0.0.0.0
> (6) NAS-IP-Address = 172.100.0.60
> (6) Framed-MTU = 1500
> (6) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (6) Huawei-Startup-Stamp = 1589932873
> (6) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (6) Huawei-Connect-ID = 45
> (6) Huawei-Version = "Huawei S5735"
> (6) Huawei-Product-ID = "S5735"
> (6) Huawei-User-Mac = "\000\000\000\001"
> (6) Huawei-Domain-Name = "default"
> (6) Restoring &session-state
> (6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (6) &session-state:TLS-Session-Version = "TLS 1.0"
> (6) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (6) authorize {
> (6) update {
> (6) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (6) EXPAND --username=%{User-Name}
> (6) --> --username=mypc-pc\\Administrator
> (6) EXPAND --calledStationID=%{Called-Station-Id}
> (6) --> --calledStationID=44-67-47-26-F7-90
> (6) EXPAND --callingStationID=%{Calling-Station-Id}
> (6) --> --callingStationID=44a8-42f7-952d
> (6) EXPAND --connectInfo=%{Connect-Info}
> (6) --> --connectInfo=
> (6) EXPAND --framedMTU=%{Framed-MTU}
> (6) --> --framedMTU=1500
> (6) EXPAND --framedProtocol=%{Framed-Protocol}
> (6) --> --framedProtocol=PPP
> (6) EXPAND --nasIdentifier=%{NAS-Identifier}
> (6) --> --nasIdentifier=S5735_K6_SW1
> (6) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (6) --> --nasIPAddress=172.100.0.60
> (6) EXPAND --nasPort=%{NAS-Port}
> (6) --> --nasPort=20497
> (6) EXPAND --nasPortID=%{NAS-Port-Id}
> (6) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (6) EXPAND --nasPortType=%{NAS-Port-Type}
> (6) --> --nasPortType=Ethernet
> (6) EXPAND --serviceType=%{Service-Type}
> (6) --> --serviceType=Framed-User
> (6) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (6) --> --tunnelMediumType=
> (6) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (6) --> --tunnelPrivateGroupID=
> (6) EXPAND --tunnelType=%{Tunnel-Type}
> (6) --> --tunnelType=
> (6) Program returned code (0) and output 'Reply-Message :=""'
> (6) control::Reply-Message :=
> (6) } # update = noop
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /@\./) {
> (6) if (&User-Name =~ /@\./) -> FALSE
> (6) } # if (&User-Name) = noop
> (6) } # policy filter_username = noop
> (6) [preprocess] = ok
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 169 length 6
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x06df9fcc037686aa
> (6) eap: Finished EAP session with state 0x06df9fcc037686aa
> (6) eap: Previous EAP request found for state
> 0x06df9fcc037686aa, released
> from the list
> (6) eap: Peer sent packet with method EAP PEAP (25)
> (6) eap: Calling submodule eap_peap to process data
> (6) eap_peap: Continuing EAP-TLS
> (6) eap_peap: Peer ACKed our handshake fragment. handshake
> is finished
> (6) eap_peap: [eaptls verify] = success
> (6) eap_peap: [eaptls process] = success
> (6) eap_peap: Session established. Decoding tunneled attributes
> (6) eap_peap: PEAP state TUNNEL ESTABLISHED
> (6) eap: Sending EAP Request (code 1) ID 170 length 43
> (6) eap: EAP session adding &reply:State = 0x06df9fcc007586aa
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (6) session-state: Saving cached attributes
> (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (6) TLS-Session-Version = "TLS 1.0"
> (6) Sent Access-Challenge Id 31 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (6) EAP-Message =
> 0x01aa002b1900170301002039839b1c2d3257209fb27a7353e9e75e31a406
> 708676f7c33e1183170f61d947
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x06df9fcc007586aa43639075ca7d333a
> (6) Finished request
> Waking up in 4.5 seconds.
> (7) Received Access-Request Id 32 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 393
> (7) User-Name = "mypc-pc\\Administrator"
> (7) NAS-Port = 20497
> (7) Service-Type = Framed-User
> (7) Framed-Protocol = PPP
> (7) Calling-Station-Id = "44a8-42f7-952d"
> (7) NAS-Identifier = "S5735_K6_SW1"
> (7) NAS-Port-Type = Ethernet
> (7) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (7) State = 0x06df9fcc007586aa43639075ca7d333a
> (7) EAP-Message =
> 0x02aa003b190017030100303d5c35ae730f2e2172de89948e051cb0b22703
> 3be363ddea1c384cc141c1593d7ed0251c4ca849138cfdebf0e810852a
> (7) Message-Authenticator = 0x1a8ae85940fcefdcbc7a0528828a0c77
> (7) Called-Station-Id = "44-67-47-26-F7-90"
> (7) Login-IP-Host = 0.0.0.0
> (7) NAS-IP-Address = 172.100.0.60
> (7) Framed-MTU = 1500
> (7) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (7) Huawei-Startup-Stamp = 1589932873
> (7) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (7) Huawei-Connect-ID = 45
> (7) Huawei-Version = "Huawei S5735"
> (7) Huawei-Product-ID = "S5735"
> (7) Huawei-User-Mac = "\000\000\000\001"
> (7) Huawei-Domain-Name = "default"
> (7) Restoring &session-state
> (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (7) &session-state:TLS-Session-Version = "TLS 1.0"
> (7) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (7) authorize {
> (7) update {
> (7) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (7) EXPAND --username=%{User-Name}
> (7) --> --username=mypc-pc\\Administrator
> (7) EXPAND --calledStationID=%{Called-Station-Id}
> (7) --> --calledStationID=44-67-47-26-F7-90
> (7) EXPAND --callingStationID=%{Calling-Station-Id}
> (7) --> --callingStationID=44a8-42f7-952d
> (7) EXPAND --connectInfo=%{Connect-Info}
> (7) --> --connectInfo=
> (7) EXPAND --framedMTU=%{Framed-MTU}
> (7) --> --framedMTU=1500
> (7) EXPAND --framedProtocol=%{Framed-Protocol}
> (7) --> --framedProtocol=PPP
> (7) EXPAND --nasIdentifier=%{NAS-Identifier}
> (7) --> --nasIdentifier=S5735_K6_SW1
> (7) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (7) --> --nasIPAddress=172.100.0.60
> (7) EXPAND --nasPort=%{NAS-Port}
> (7) --> --nasPort=20497
> (7) EXPAND --nasPortID=%{NAS-Port-Id}
> (7) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (7) EXPAND --nasPortType=%{NAS-Port-Type}
> (7) --> --nasPortType=Ethernet
> (7) EXPAND --serviceType=%{Service-Type}
> (7) --> --serviceType=Framed-User
> (7) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (7) --> --tunnelMediumType=
> (7) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (7) --> --tunnelPrivateGroupID=
> (7) EXPAND --tunnelType=%{Tunnel-Type}
> (7) --> --tunnelType=
> (7) Program returned code (0) and output 'Reply-Message :=""'
> (7) control::Reply-Message :=
> (7) } # update = noop
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # if (&User-Name) = noop
> (7) } # policy filter_username = noop
> (7) [preprocess] = ok
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 170 length 59
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x06df9fcc007586aa
> (7) eap: Finished EAP session with state 0x06df9fcc007586aa
> (7) eap: Previous EAP request found for state
> 0x06df9fcc007586aa, released
> from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: Continuing EAP-TLS
> (7) eap_peap: [eaptls verify] = ok
> (7) eap_peap: Done initial handshake
> (7) eap_peap: [eaptls process] = ok
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (7) eap_peap: Identity - mypc-pc\Administrator
> (7) eap_peap: Got inner identity 'mypc-pc\Administrator'
> (7) eap_peap: Setting default EAP type for tunneled EAP session
> (7) eap_peap: Got tunneled request
> (7) eap_peap: EAP-Message =
> 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> (7) eap_peap: Setting User-Name to mypc-pc\Administrator
> (7) eap_peap: Sending tunneled request to inner-tunnel
> (7) eap_peap: EAP-Message =
> 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_peap: User-Name = "mypc-pc\\Administrator"
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message =
> 0x02aa001c01626c6774656b2d70635c41646d696e6973747261746f72
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "mypc-pc\\Administrator"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (7) authorize {
> (7) update {
> (7) Executing: /mydir/sbin/myprog-nac
> --username='%{User-Name}'
> --verify=true --control=false:
> (7) EXPAND --username=%{User-Name}
> (7) --> --username=mypc-pc\\Administrator
> (7) Program returned code (0) and output
> 'Idle-Timeout := "30"'
> (7) reply::Idle-Timeout := 30
> (7) } # update = noop
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # if (&User-Name) = noop
> (7) } # policy filter_username = noop
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 170 length 28
> (7) eap: EAP-Identity reply, returning 'ok' so we can
> short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) [files] = noop
> (7) [expiration] = noop
> (7) [logintime] = noop
> (7) [pap] = noop
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_mschapv2 to process data
> (7) eap_mschapv2: Issuing Challenge
> (7) eap: Sending EAP Request (code 1) ID 171 length 43
> (7) eap: EAP session adding &reply:State = 0xb29197b0b23a8d1a
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) Idle-Timeout := 30
> (7) EAP-Message =
> 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> 7261646975732d332e302e3231
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb29197b0b23a8d1abd34b414c2a4601c
> (7) eap_peap: Got tunneled reply code 11
> (7) eap_peap: Idle-Timeout := 30
> (7) eap_peap: EAP-Message =
> 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> 7261646975732d332e302e3231
> (7) eap_peap: Message-Authenticator =
> 0x00000000000000000000000000000000
> (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> (7) eap_peap: Got tunneled reply RADIUS code 11
> (7) eap_peap: Idle-Timeout := 30
> (7) eap_peap: EAP-Message =
> 0x01ab002b1a01ab00261007ecd1ba566d66c76e7aa95ce127214b66726565
> 7261646975732d332e302e3231
> (7) eap_peap: Message-Authenticator =
> 0x00000000000000000000000000000000
> (7) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> (7) eap_peap: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 171 length 75
> (7) eap: EAP session adding &reply:State = 0x06df9fcc017486aa
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (7) session-state: Saving cached attributes
> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (7) TLS-Session-Version = "TLS 1.0"
> (7) Sent Access-Challenge Id 32 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (7) EAP-Message =
> 0x01ab004b19001703010040f117bdd7e2a2d6530a0eebaac5f17a0b3e5846
> e1278f4367eeb28499b7d4f60485adaa834a12a2f5fc22b2e4a7b75b2fd584
> 277bbb9e717bf568d0b7c39b9b21
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x06df9fcc017486aa43639075ca7d333a
> (7) Finished request
> Waking up in 4.5 seconds.
> (8) Received Access-Request Id 33 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 441
> (8) User-Name = "mypc-pc\\Administrator"
> (8) NAS-Port = 20497
> (8) Service-Type = Framed-User
> (8) Framed-Protocol = PPP
> (8) Calling-Station-Id = "44a8-42f7-952d"
> (8) NAS-Identifier = "S5735_K6_SW1"
> (8) NAS-Port-Type = Ethernet
> (8) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (8) State = 0x06df9fcc017486aa43639075ca7d333a
> (8) EAP-Message =
> 0x02ab006b1900170301006030a260cec76b817616c8446e917733d195ea67
> fcb4cba7ea0c15873eccb189ac0c0482c8d146ae81eaf880b90364036ca514
> b87389987c4879b1e21d8c032b74a3adf543509c62b5cc1e85d7f556043d22
> e8f68156c08b94226c0358519793f0
> (8) Message-Authenticator = 0x99f47b6e04e6c7df9ba0bad3ad23a0dc
> (8) Called-Station-Id = "44-67-47-26-F7-90"
> (8) Login-IP-Host = 0.0.0.0
> (8) NAS-IP-Address = 172.100.0.60
> (8) Framed-MTU = 1500
> (8) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (8) Huawei-Startup-Stamp = 1589932873
> (8) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (8) Huawei-Connect-ID = 45
> (8) Huawei-Version = "Huawei S5735"
> (8) Huawei-Product-ID = "S5735"
> (8) Huawei-User-Mac = "\000\000\000\001"
> (8) Huawei-Domain-Name = "default"
> (8) Restoring &session-state
> (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (8) &session-state:TLS-Session-Version = "TLS 1.0"
> (8) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (8) authorize {
> (8) update {
> (8) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (8) EXPAND --username=%{User-Name}
> (8) --> --username=mypc-pc\\Administrator
> (8) EXPAND --calledStationID=%{Called-Station-Id}
> (8) --> --calledStationID=44-67-47-26-F7-90
> (8) EXPAND --callingStationID=%{Calling-Station-Id}
> (8) --> --callingStationID=44a8-42f7-952d
> (8) EXPAND --connectInfo=%{Connect-Info}
> (8) --> --connectInfo=
> (8) EXPAND --framedMTU=%{Framed-MTU}
> (8) --> --framedMTU=1500
> (8) EXPAND --framedProtocol=%{Framed-Protocol}
> (8) --> --framedProtocol=PPP
> (8) EXPAND --nasIdentifier=%{NAS-Identifier}
> (8) --> --nasIdentifier=S5735_K6_SW1
> (8) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (8) --> --nasIPAddress=172.100.0.60
> (8) EXPAND --nasPort=%{NAS-Port}
> (8) --> --nasPort=20497
> (8) EXPAND --nasPortID=%{NAS-Port-Id}
> (8) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (8) EXPAND --nasPortType=%{NAS-Port-Type}
> (8) --> --nasPortType=Ethernet
> (8) EXPAND --serviceType=%{Service-Type}
> (8) --> --serviceType=Framed-User
> (8) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (8) --> --tunnelMediumType=
> (8) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (8) --> --tunnelPrivateGroupID=
> (8) EXPAND --tunnelType=%{Tunnel-Type}
> (8) --> --tunnelType=
> (8) Program returned code (0) and output 'Reply-Message :=""'
> (8) control::Reply-Message :=
> (8) } # update = noop
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /@\./) {
> (8) if (&User-Name =~ /@\./) -> FALSE
> (8) } # if (&User-Name) = noop
> (8) } # policy filter_username = noop
> (8) [preprocess] = ok
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 171 length 107
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
> (8) eap: Finished EAP session with state 0x06df9fcc017486aa
> (8) eap: Previous EAP request found for state
> 0x06df9fcc017486aa, released
> from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: Continuing EAP-TLS
> (8) eap_peap: [eaptls verify] = ok
> (8) eap_peap: Done initial handshake
> (8) eap_peap: [eaptls process] = ok
> (8) eap_peap: Session established. Decoding tunneled attributes
> (8) eap_peap: PEAP state phase2
> (8) eap_peap: EAP method MSCHAPv2 (26)
> (8) eap_peap: Got tunneled request
> (8) eap_peap: EAP-Message =
> 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> 6d696e6973747261746f72
> (8) eap_peap: Setting User-Name to mypc-pc\Administrator
> (8) eap_peap: Sending tunneled request to inner-tunnel
> (8) eap_peap: EAP-Message =
> 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> 6d696e6973747261746f72
> (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_peap: User-Name = "mypc-pc\\Administrator"
> (8) eap_peap: State = 0xb29197b0b23a8d1abd34b414c2a4601c
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message =
> 0x02ab00481a02ab00433195ac524fdd05d06d75f4001a40fbac5f00000000
> 00000000a380d06457734f2b4a8f544de51831e2a54853305befeb55004164
> 6d696e6973747261746f72
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "mypc-pc\\Administrator"
> (8) State = 0xb29197b0b23a8d1abd34b414c2a4601c
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (8) authorize {
> (8) update {
> (8) Executing: /mydir/sbin/myprog-nac
> --username='%{User-Name}'
> --verify=true --control=false:
> (8) EXPAND --username=%{User-Name}
> (8) --> --username=mypc-pc\\Administrator
> (8) Program returned code (0) and output
> 'Idle-Timeout := "30"'
> (8) reply::Idle-Timeout := 30
> (8) } # update = noop
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /@\./) {
> (8) if (&User-Name =~ /@\./) -> FALSE
> (8) } # if (&User-Name) = noop
> (8) } # policy filter_username = noop
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 171 length 72
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb29197b0b23a8d1a
> (8) eap: Finished EAP session with state 0xb29197b0b23a8d1a
> (8) eap: Previous EAP request found for state
> 0xb29197b0b23a8d1a, released
> from the list
> (8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
> (8) eap: Calling submodule eap_mschapv2 to process data
> (8) eap_mschapv2: # Executing group from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (8) eap_mschapv2: authenticate {
> (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not
> the same as
> MS-CHAP Name (Administrator) from EAP-MSCHAPv2
> (8) mschap: Creating challenge hash with username: Administrator
> (8) mschap: Client is using MS-CHAPv2
> (8) mschap: Executing: /usr/local/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-00}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (8) mschap: EXPAND --username=%{%{mschap:User-Name}:-00}
> (8) mschap: --> --username=Administrator
> (8) mschap: WARNING: User-Name (mypc-pc\Administrator) is not
> the same as
> MS-CHAP Name (Administrator) from EAP-MSCHAPv2
> (8) mschap: Creating challenge hash with username: Administrator
> (8) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (8) mschap: --> --challenge=54f8ede55f4a4abb
> (8) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (8) mschap: -->
> --nt-response=a380d06457734f2b4a8f544de51831e2a54853305befeb55
> (8) mschap: ERROR: Program returned code (1) and output
> 'Reading winbind
> reply failed! (0xc0000001)'
> (8) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
> (8) mschap: Authentication failed
> (8) eap_mschapv2: [mschap] = fail
> (8) eap_mschapv2: } # authenticate = fail
> (8) eap: Sending EAP Failure (code 4) ID 171 length 4
> (8) eap: Freeing handler
> (8) [eap] = reject
> (8) } # authenticate = reject
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file
> /mydir/etc/raddb/sites-enabled/inner-tunnel
> (8) Post-Auth-Type REJECT {
> (8) attr_filter.access_reject: EXPAND %{User-Name}
> (8) attr_filter.access_reject: --> mypc-pc\\Administrator
> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (8) [attr_filter.access_reject] = updated
> (8) update outer.session-state {
> (8) &Module-Failure-Message :=
> &request:Module-Failure-Message ->
> 'mschap: Program returned code (1) and output \'Reading winbind reply
> failed! (0xc0000001)\''
> (8) } # update outer.session-state = noop
> (8) } # Post-Auth-Type REJECT = updated
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) MS-CHAP-Error = "\253E=691 R=1
> C=be33295ca3e819f0d59751ac4be850ab V=3
> M=Authentication failed"
> (8) EAP-Message = 0x04ab0004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply code 3
> (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
> C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04ab0004
> (8) eap_peap: Message-Authenticator =
> 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply RADIUS code 3
> (8) eap_peap: MS-CHAP-Error = "\253E=691 R=1
> C=be33295ca3e819f0d59751ac4be850ab V=3 M=Authentication failed"
> (8) eap_peap: EAP-Message = 0x04ab0004
> (8) eap_peap: Message-Authenticator =
> 0x00000000000000000000000000000000
> (8) eap_peap: Tunneled authentication was rejected
> (8) eap_peap: FAILURE
> (8) eap: Sending EAP Request (code 1) ID 172 length 43
> (8) eap: EAP session adding &reply:State = 0x06df9fcc0e7386aa
> (8) [eap] = handled
> (8) } # authenticate = handled
> (8) Using Post-Auth-Type Challenge
> (8) Post-Auth-Type sub-section not found. Ignoring.
> (8) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (8) session-state: Saving cached attributes
> (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (8) TLS-Session-Version = "TLS 1.0"
> (8) Module-Failure-Message := "mschap: Program returned code (1) and
> output 'Reading winbind reply failed! (0xc0000001)'"
> (8) Sent Access-Challenge Id 33 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 0
> (8) EAP-Message =
> 0x01ac002b1900170301002026931b104878a5280e9a66fdc3cfdebbdb1f82
> 46a377c0748067abbfc703e7f7
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) State = 0x06df9fcc0e7386aa43639075ca7d333a
> (8) Finished request
> Waking up in 4.3 seconds.
> (9) Received Access-Request Id 34 from MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 to
> MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 length 377
> (9) User-Name = "mypc-pc\\Administrator"
> (9) NAS-Port = 20497
> (9) Service-Type = Framed-User
> (9) Framed-Protocol = PPP
> (9) Calling-Station-Id = "44a8-42f7-952d"
> (9) NAS-Identifier = "S5735_K6_SW1"
> (9) NAS-Port-Type = Ethernet
> (9) NAS-Port-Id = "slot=0;subslot=0;port=5;vlanid=17"
> (9) State = 0x06df9fcc0e7386aa43639075ca7d333a
> (9) EAP-Message =
> 0x02ac002b1900170301002002a19fd10d3999b09ff706b3c9a2e1b6f1de66
> 1047ec0e47760dd1c38e3479ce
> (9) Message-Authenticator = 0x9991289c6858191d73f190917ff6d23e
> (9) Called-Station-Id = "44-67-47-26-F7-90"
> (9) Login-IP-Host = 0.0.0.0
> (9) NAS-IP-Address = 172.100.0.60
> (9) Framed-MTU = 1500
> (9) Acct-Session-Id = "S5735_K00005000000017bcb85b000002d"
> (9) Huawei-Startup-Stamp = 1589932873
> (9) Huawei-IPHost-Addr = "255.255.255.255 44:a8:42:f7:95:2d"
> (9) Huawei-Connect-ID = 45
> (9) Huawei-Version = "Huawei S5735"
> (9) Huawei-Product-ID = "S5735"
> (9) Huawei-User-Mac = "\000\000\000\001"
> (9) Huawei-Domain-Name = "default"
> (9) Restoring &session-state
> (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-SHA"
> (9) &session-state:TLS-Session-Version = "TLS 1.0"
> (9) &session-state:Module-Failure-Message := "mschap:
> Program returned
> code (1) and output 'Reading winbind reply failed! (0xc0000001)'"
> (9) # Executing section authorize from file
> /mydir/etc/raddb/sites-enabled/default
> (9) authorize {
> (9) update {
> (9) Executing: /mydir/sbin/myprog-nac --username='%{User-Name}'
> --calledStationID='%{Called-Station-Id}'
> --callingStationID='%{Calling-Station-Id}'
> --connectInfo='%{Connect-Info}'
> --framedMTU='%{Framed-MTU}' --framedProtocol='%{Framed-Protocol}'
> --nasIdentifier='%{NAS-Identifier}' --nasIPAddress='%{NAS-IP-Address}'
> --nasPort='%{NAS-Port}' --nasPortID='%{NAS-Port-Id}'
> --nasPortType='%{NAS-Port-Type}' --serviceType='%{Service-Type}'
> --tunnelMediumType='%{Tunnel-Medium-Type}'
> --tunnelPrivateGroupID='%{Tunnel-Private-Group-ID}'
> --tunnelType='%{Tunnel-Type}' --control=false --verify=false
> --logging=true:
> (9) EXPAND --username=%{User-Name}
> (9) --> --username=mypc-pc\\Administrator
> (9) EXPAND --calledStationID=%{Called-Station-Id}
> (9) --> --calledStationID=44-67-47-26-F7-90
> (9) EXPAND --callingStationID=%{Calling-Station-Id}
> (9) --> --callingStationID=44a8-42f7-952d
> (9) EXPAND --connectInfo=%{Connect-Info}
> (9) --> --connectInfo=
> (9) EXPAND --framedMTU=%{Framed-MTU}
> (9) --> --framedMTU=1500
> (9) EXPAND --framedProtocol=%{Framed-Protocol}
> (9) --> --framedProtocol=PPP
> (9) EXPAND --nasIdentifier=%{NAS-Identifier}
> (9) --> --nasIdentifier=S5735_K6_SW1
> (9) EXPAND --nasIPAddress=%{NAS-IP-Address}
> (9) --> --nasIPAddress=172.100.0.60
> (9) EXPAND --nasPort=%{NAS-Port}
> (9) --> --nasPort=20497
> (9) EXPAND --nasPortID=%{NAS-Port-Id}
> (9) --> --nasPortID=slot=0;subslot=0;port=5;vlanid=17
> (9) EXPAND --nasPortType=%{NAS-Port-Type}
> (9) --> --nasPortType=Ethernet
> (9) EXPAND --serviceType=%{Service-Type}
> (9) --> --serviceType=Framed-User
> (9) EXPAND --tunnelMediumType=%{Tunnel-Medium-Type}
> (9) --> --tunnelMediumType=
> (9) EXPAND --tunnelPrivateGroupID=%{Tunnel-Private-Group-ID}
> (9) --> --tunnelPrivateGroupID=
> (9) EXPAND --tunnelType=%{Tunnel-Type}
> (9) --> --tunnelType=
> (9) Program returned code (0) and output 'Reply-Message :=""'
> (9) control::Reply-Message :=
> (9) } # update = noop
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ / /) {
> (9) if (&User-Name =~ / /) -> FALSE
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) ->
> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /@\./) {
> (9) if (&User-Name =~ /@\./) -> FALSE
> (9) } # if (&User-Name) = noop
> (9) } # policy filter_username = noop
> (9) [preprocess] = ok
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "mypc-pc\Administrator",
> looking up realm
> NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 172 length 43
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (9) authenticate {
> (9) eap: Expiring EAP session with state 0x06df9fcc0e7386aa
> (9) eap: Finished EAP session with state 0x06df9fcc0e7386aa
> (9) eap: Previous EAP request found for state
> 0x06df9fcc0e7386aa, released
> from the list
> (9) eap: Peer sent packet with method EAP PEAP (25)
> (9) eap: Calling submodule eap_peap to process data
> (9) eap_peap: Continuing EAP-TLS
> (9) eap_peap: [eaptls verify] = ok
> (9) eap_peap: Done initial handshake
> (9) eap_peap: [eaptls process] = ok
> (9) eap_peap: Session established. Decoding tunneled attributes
> (9) eap_peap: PEAP state send tlv failure
> (9) eap_peap: Received EAP-TLV response
> (9) eap_peap: ERROR: The users session was previously
> rejected: returning
> reject (again.)
> (9) eap_peap: This means you need to read the PREVIOUS
> messages in the
> debug output
> (9) eap_peap: to find out the reason why the user was rejected
> (9) eap_peap: Look for "reject" or "fail". Those earlier
> messages will
> tell you
> (9) eap_peap: what went wrong, and how to fix the problem
> (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
> sub-module
> failed
> (9) eap: Sending EAP Failure (code 4) ID 172 length 4
> (9) eap: Failed in EAP select
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /mydir/etc/raddb/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> mypc-pc\\Administrator
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 34 from MailScanner warning: numerical links are often malicious: 172.16.0.100:1812 to
> MailScanner warning: numerical links are often malicious: 172.100.0.60:49947 length
> 44
> (9) EAP-Message = 0x04ac0004
> (9) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.3 seconds.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list