help

Aravind Voonna aravind.voonna at gmail.com
Fri May 28 20:29:53 CEST 2021


Hello Saver, I am setting up FreeRADIUS on AWS and using a JumpCloud LDAP
server for authorization. I am able to successfully test from the Ruckus
wireless controller and RADIUS server with the PAP protocol. I am stuck when
a user tries to connect to the SSID and it fails (based on the logs I am able
to find the issue but unable to fix it). Below are the outputs:
1. The first output is successful, from the wireless controller.
2. The second output is failing, from the end user. The user is using the
EAP-PEAP-MS-CHAPV2 protocol.

The logs below show success when tested from the wireless controller:
Received Access-Request Id 24 from 10.101.0.11:48304 to 10.92.8.117:1812
length 98
(0) NAS-Port-Type = Virtual
(0) NAS-Port = 8443
(0) User-Name = "jbravo"
(0) NAS-IP-Address = 10.101.0.11
(0) User-Password = "test123"
(0) Message-Authenticator = 0xc1a60741181e7bc02db76b6f69ebc9e2
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@ [^@]*@/ ) {
(0) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap: --> (uid=jbravo)
(0) ldap: Performing search in
"o=605d181e43609a22cde87434,dc=jumpcloud,dc=com" with filter
"(uid=jbravo)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN
"uid=jbravo,ou=Users,o=605d181e43609a22cde87434,dc=jumpcloud,dc=com"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.jumpcloud.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) if ((ok || updated) && User-Password) {
(0) if ((ok || updated) && User-Password) -> TRUE
(0) if ((ok || updated) && User-Password) {
(0) update {
(0) control:Auth-Type := LDAP
(0) } # update = noop
(0) } # if ((ok || updated) && User-Password) = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = LDAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type LDAP {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "jbravo"
(0) ldap: Using user DN from request
"uid=jbravo,ou=Users,o=605d181e43609a22cde87434,dc=jumpcloud,dc=com"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user
"uid=jbravo,ou=Users,o=605d181e43609a22cde87434,dc=jumpcloud,dc=com" was
successful
rlm_ldap (ldap): Released connection (1)
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Login OK: [jbravo/test123] (from client 10.101.0.11 port 8443)
(0) Sent Access-Accept Id 24 from 10.92.8.117:1812 to 10.101.0.11:48304
length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 24 with timestamp +6
Ready to process requests

The logs below show an unsuccessful result when tested from the end users:
(0) Received Access-Request Id 24 from 10.101.0.11:52709 to 10.92.8.117:1812
length 402
(0) Acct-Session-Id = "60AFFFDC-63EDA801"
(0) User-Name = "jbravo"
(0) NAS-IP-Address = 10.101.0.200
(0) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(0) NAS-Port = 1
(0) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(0) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(0) Location-Data = 0x313055531708466c6578706f7274
(0) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(0) Service-Type = Framed-User
(0) Chargeable-User-Identity = 0x00
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 802.11a/n"
(0) EAP-Message = 0x0200000b016a627261766f
(0) Ruckus-SSID = "Test-SSID"
(0) Ruckus-BSSID = 0x34fa9f1ef39d
(0) Ruckus-Location = "Flexport"
(0) Ruckus-VLAN-ID = 120
(0) Ruckus-SCG-CBlade-IP = 174391307
(0) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(0) Ruckus-Zone-Name = "Default Zone"
(0) Ruckus-Wlan-Name = "Test-SSID"
(0) Message-Authenticator = 0x1bf0f80960b3b00bf9719408806d4923
(0) Event-Timestamp = "May 27 2021 20:23:57 UTC"
(0) Proxy-State = 0x3538
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@ [^@]*@/ ) {
(0) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 11
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0xf9bf494bf9be4d72
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 24 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(0) EAP-Message = 0x01010016041077b76baf88936949dd8dd946f20208d7
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xf9bf494bf9be4d728434925772015f5c
(0) Proxy-State = 0x3538
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 114 from 10.101.0.11:52709 to
10.92.8.117:1812 length 417
(1) Acct-Session-Id = "60AFFFDC-63EDA801"
(1) User-Name = "jbravo"
(1) NAS-IP-Address = 10.101.0.200
(1) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(1) NAS-Port = 1
(1) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(1) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(1) Location-Data = 0x313055531708466c6578706f7274
(1) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(1) Service-Type = Framed-User
(1) Chargeable-User-Identity = 0x00
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 802.11a/n"
(1) EAP-Message = 0x020100080319152b
(1) State = 0xf9bf494bf9be4d728434925772015f5c
(1) Ruckus-SSID = "Test-SSID"
(1) Ruckus-BSSID = 0x34fa9f1ef39d
(1) Ruckus-Location = "Flexport"
(1) Ruckus-VLAN-ID = 120
(1) Ruckus-SCG-CBlade-IP = 174391307
(1) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(1) Ruckus-Zone-Name = "Default Zone"
(1) Ruckus-Wlan-Name = "Test-SSID"
(1) Message-Authenticator = 0x2643fdb096ce639704bee8f89e2b537f
(1) Event-Timestamp = "May 27 2021 20:23:57 UTC"
(1) Proxy-State = 0x3539
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@ [^@]*@/ ) {
(1) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (uid=jbravo)
(1) ldap: Performing search in
"o=605d181e43609a22cde87434,dc=jumpcloud,dc=com" with filter
"(uid=jbravo)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN
"uid=jbravo,ou=Users,o=605d181e43609a22cde87434,dc=jumpcloud,dc=com"
(1) ldap: Processing user attributes
(1) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(1) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.jumpcloud.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) [ldap] = ok
(1) if ((ok || updated) && User-Password) {
(1) if ((ok || updated) && User-Password) -> FALSE
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: No "known good" password found for the user. Not setting
Auth-Type
(1) pap: WARNING: Authentication will fail unless a "known good" password
is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xf9bf494bf9be4d72
(1) eap: Finished EAP session with state 0xf9bf494bf9be4d72
(1) eap: Previous EAP request found for state 0xf9bf494bf9be4d72, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xf9bf494bf8bd5072
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 114 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xf9bf494bf8bd50728434925772015f5c
(1) Proxy-State = 0x3539
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 33 from 10.101.0.11:52709 to 10.92.8.117:1812
length 570
(2) Acct-Session-Id = "60AFFFDC-63EDA801"
(2) User-Name = "jbravo"
(2) NAS-IP-Address = 10.101.0.200
(2) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(2) NAS-Port = 1
(2) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(2) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(2) Location-Data = 0x313055531708466c6578706f7274
(2) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(2) Service-Type = Framed-User
(2) Chargeable-User-Identity = 0x00
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 802.11a/n"
(2) EAP-Message =
0x020200a119800000009716030100920100008e030360afff874559f23a4fe2eb589086b11fcf6123898607062be507bf6fbec6637c00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(2) State = 0xf9bf494bf8bd50728434925772015f5c
(2) Ruckus-SSID = "Test-SSID"
(2) Ruckus-BSSID = 0x34fa9f1ef39d
(2) Ruckus-Location = "Flexport"
(2) Ruckus-VLAN-ID = 120
(2) Ruckus-SCG-CBlade-IP = 174391307
(2) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(2) Ruckus-Zone-Name = "Default Zone"
(2) Ruckus-Wlan-Name = "Test-SSID"
(2) Message-Authenticator = 0x2b5e7aadb650ab3d487a3f6ef7362b16
(2) Event-Timestamp = "May 27 2021 20:23:57 UTC"
(2) Proxy-State = 0x3630
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@ [^@]*@/ ) {
(2) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 161
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xf9bf494bf8bd5072
(2) eap: Finished EAP session with state 0xf9bf494bf8bd5072
(2) eap: Previous EAP request found for state 0xf9bf494bf8bd5072, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 151 bytes
(2) eap_peap: Got complete TLS record (151 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 031d]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0xf9bf494bfbbc5072
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 33 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(2) EAP-Message =
0x010303ec19c0000004bf160303003d02000039030327db8c0f6ee41fab75087da76489fc2d9bfc89e57d2944216132b1eaf5ab1f3300c030000011ff01000100000b00040300010200170000160303031d0b0003190003160003133082030f308201f7a00302010202143ca230b5bc4180f9d6a6723cb5
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xf9bf494bfbbc50728434925772015f5c
(2) Proxy-State = 0x3630
(2) Finished request
Waking up in 4.7 seconds.
(3) Received Access-Request Id 22 from 10.101.0.11:52709 to 10.92.8.117:1812
length 415
(3) Acct-Session-Id = "60AFFFDC-63EDA801"
(3) User-Name = "jbravo"
(3) NAS-IP-Address = 10.101.0.200
(3) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(3) NAS-Port = 1
(3) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(3) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(3) Location-Data = 0x313055531708466c6578706f7274
(3) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(3) Service-Type = Framed-User
(3) Chargeable-User-Identity = 0x00
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 802.11a/n"
(3) EAP-Message = 0x020300061900
(3) State = 0xf9bf494bfbbc50728434925772015f5c
(3) Ruckus-SSID = "Test-SSID"
(3) Ruckus-BSSID = 0x34fa9f1ef39d
(3) Ruckus-Location = "Flexport"
(3) Ruckus-VLAN-ID = 120
(3) Ruckus-SCG-CBlade-IP = 174391307
(3) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(3) Ruckus-Zone-Name = "Default Zone"
(3) Ruckus-Wlan-Name = "Test-SSID"
(3) Message-Authenticator = 0x29446b16c3fd7c269aebcd968068c141
(3) Event-Timestamp = "May 27 2021 20:23:57 UTC"
(3) Proxy-State = 0x3631
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@ [^@]*@/ ) {
(3) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xf9bf494bfbbc5072
(3) eap: Finished EAP session with state 0xf9bf494bfbbc5072
(3) eap: Previous EAP request found for state 0xf9bf494bfbbc5072, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 227
(3) eap: EAP session adding &reply:State = 0xf9bf494bfabb5072
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 22 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(3) EAP-Message =
0x010400e3190043108c5e37fc5173a1eab3da1681e33c5ff2e6723860364c7ab878f9d2a5fc2e330717fa22a1db4a165c52675c18f002510d1c2a94ec228a7ce43690e58a3caae2ff74351d68680fda9ea37abea83ce32323150c45010b6fa2deeca32c20684dc1e1f9544b8e24fc846d013832fada5f10
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xf9bf494bfabb50728434925772015f5c
(3) Proxy-State = 0x3631
(3) Finished request
Waking up in 4.6 seconds.
(4) Received Access-Request Id 15 from 10.101.0.11:52709 to 10.92.8.117:1812
length 545
(4) Acct-Session-Id = "60AFFFDC-63EDA801"
(4) User-Name = "jbravo"
(4) NAS-IP-Address = 10.101.0.200
(4) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(4) NAS-Port = 1
(4) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(4) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(4) Location-Data = 0x313055531708466c6578706f7274
(4) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(4) Service-Type = Framed-User
(4) Chargeable-User-Identity = 0x00
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 802.11a/n"
(4) EAP-Message =
0x0204008819800000007e16030300461000004241046adff3f70658dacfa5fb7077bfa6de6c4b8dfb03c7af28f644517b3cd892a3bc4bcf98ffab473240e01e0825efd4121a571286bfff3fa4c4533656d66ca6f59c1403030001011603030028fceea2d46915019fef16258537f3489befc01ab1f735a9
(4) State = 0xf9bf494bfabb50728434925772015f5c
(4) Ruckus-SSID = "Test-SSID"
(4) Ruckus-BSSID = 0x34fa9f1ef39d
(4) Ruckus-Location = "Flexport"
(4) Ruckus-VLAN-ID = 120
(4) Ruckus-SCG-CBlade-IP = 174391307
(4) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(4) Ruckus-Zone-Name = "Default Zone"
(4) Ruckus-Wlan-Name = "Test-SSID"
(4) Message-Authenticator = 0x090fbde536e5b852dd9be889d43a8ae5
(4) Event-Timestamp = "May 27 2021 20:23:58 UTC"
(4) Proxy-State = 0x3632
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@ [^@]*@/ ) {
(4) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xf9bf494bfabb5072
(4) eap: Finished EAP session with state 0xf9bf494bfabb5072
(4) eap: Previous EAP request found for state 0xf9bf494bfabb5072, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 57
(4) eap: EAP session adding &reply:State = 0xf9bf494bfdba5072
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 15 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(4) EAP-Message =
0x010500391900140303000101160303002844d27775faa9562ee90f3dc59b42d509f8ba7db956978a9b8f06854def617762d2bd1315ee4f2fad
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xf9bf494bfdba50728434925772015f5c
(4) Proxy-State = 0x3632
(4) Finished request
Waking up in 4.4 seconds.
(5) Received Access-Request Id 28 from 10.101.0.11:52709 to 10.92.8.117:1812
length 415
(5) Acct-Session-Id = "60AFFFDC-63EDA801"
(5) User-Name = "jbravo"
(5) NAS-IP-Address = 10.101.0.200
(5) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(5) NAS-Port = 1
(5) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(5) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(5) Location-Data = 0x313055531708466c6578706f7274
(5) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(5) Service-Type = Framed-User
(5) Chargeable-User-Identity = 0x00
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 802.11a/n"
(5) EAP-Message = 0x020500061900
(5) State = 0xf9bf494bfdba50728434925772015f5c
(5) Ruckus-SSID = "Test-SSID"
(5) Ruckus-BSSID = 0x34fa9f1ef39d
(5) Ruckus-Location = "Flexport"
(5) Ruckus-VLAN-ID = 120
(5) Ruckus-SCG-CBlade-IP = 174391307
(5) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(5) Ruckus-Zone-Name = "Default Zone"
(5) Ruckus-Wlan-Name = "Test-SSID"
(5) Message-Authenticator = 0x408947a0e4706e031992986fd472d3aa
(5) Event-Timestamp = "May 27 2021 20:23:58 UTC"
(5) Proxy-State = 0x3633
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@ [^@]*@/ ) {
(5) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xf9bf494bfdba5072
(5) eap: Finished EAP session with state 0xf9bf494bfdba5072
(5) eap: Previous EAP request found for state 0xf9bf494bfdba5072, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 40
(5) eap: EAP session adding &reply:State = 0xf9bf494bfcb95072
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 28 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(5) EAP-Message =
0x010600281900170303001d44d27775faa9562f860a214332a8b88cb56b78b1dc45b513fc809cd0de
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xf9bf494bfcb950728434925772015f5c
(5) Proxy-State = 0x3633
(5) Finished request
Waking up in 4.3 seconds.
(6) Received Access-Request Id 246 from 10.101.0.11:52709 to
10.92.8.117:1812 length 451
(6) Acct-Session-Id = "60AFFFDC-63EDA801"
(6) User-Name = "jbravo"
(6) NAS-IP-Address = 10.101.0.200
(6) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(6) NAS-Port = 1
(6) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(6) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(6) Location-Data = 0x313055531708466c6578706f7274
(6) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(6) Service-Type = Framed-User
(6) Chargeable-User-Identity = 0x00
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 802.11a/n"
(6) EAP-Message =
0x0206002a1900170303001ffceea2d4691501a0215f206a094377d092a0b457d517ce021dabbf5a874639
(6) State = 0xf9bf494bfcb950728434925772015f5c
(6) Ruckus-SSID = "Test-SSID"
(6) Ruckus-BSSID = 0x34fa9f1ef39d
(6) Ruckus-Location = "Flexport"
(6) Ruckus-VLAN-ID = 120
(6) Ruckus-SCG-CBlade-IP = 174391307
(6) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(6) Ruckus-Zone-Name = "Default Zone"
(6) Ruckus-Wlan-Name = "Test-SSID"
(6) Message-Authenticator = 0xc155f5983b76b93cd094c25343ba3cba
(6) Event-Timestamp = "May 27 2021 20:23:58 UTC"
(6) Proxy-State = 0x3634
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@ [^@]*@/ ) {
(6) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 42
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xf9bf494bfcb95072
(6) eap: Finished EAP session with state 0xf9bf494bfcb95072
(6) eap: Previous EAP request found for state 0xf9bf494bfcb95072, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - jbravo
(6) eap_peap: Got inner identity 'jbravo'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0206000b016a627261766f
(6) eap_peap: Setting User-Name to jbravo
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0206000b016a627261766f
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "jbravo"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0206000b016a627261766f
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "jbravo"
(6) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@ [^@]*@/ ) {
(6) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 11
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0x5142877d51459d3b
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message =
0x0107002b1a010700261064a3e73203b60a5e6a284e0cae57c6ff667265657261646975732d332e302e3136
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x5142877d51459d3bd1da68a4da6421df
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261064a3e73203b60a5e6a284e0cae57c6ff667265657261646975732d332e302e3136
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x5142877d51459d3bd1da68a4da6421df
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message =
0x0107002b1a010700261064a3e73203b60a5e6a284e0cae57c6ff667265657261646975732d332e302e3136
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x5142877d51459d3bd1da68a4da6421df
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 74
(6) eap: EAP session adding &reply:State = 0xf9bf494bffb85072
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 246 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(6) EAP-Message =
0x0107004a1900170303003f44d27775faa9563083be65c4a5fe6097f85bcc0bb900708c0b5715ce1728ce226d72b48d9e3fde97c1450e68cc03bf2bdd15662a74350183c4ee4d9b973751
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xf9bf494bffb850728434925772015f5c
(6) Proxy-State = 0x3634
(6) Finished request
Waking up in 4.2 seconds.
(7) Received Access-Request Id 13 from 10.101.0.11:52709 to 10.92.8.117:1812
length 505
(7) Acct-Session-Id = "60AFFFDC-63EDA801"
(7) User-Name = "jbravo"
(7) NAS-IP-Address = 10.101.0.200
(7) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(7) NAS-Port = 1
(7) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(7) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(7) Location-Data = 0x313055531708466c6578706f7274
(7) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(7) Service-Type = Framed-User
(7) Chargeable-User-Identity = 0x00
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 802.11a/n"
(7) EAP-Message =
0x0207006019001703030055fceea2d4691501a1420d27eba2857973934506cbf68a3331771c94b497d83ed6cac928f0c4c6d96c101904ac2006409f84425776da4f7490a56477ced0121f87f5deccdafbbfd831f8a4158de7e5b929aa65fce0ff
(7) State = 0xf9bf494bffb850728434925772015f5c
(7) Ruckus-SSID = "Test-SSID"
(7) Ruckus-BSSID = 0x34fa9f1ef39d
(7) Ruckus-Location = "Flexport"
(7) Ruckus-VLAN-ID = 120
(7) Ruckus-SCG-CBlade-IP = 174391307
(7) Attr-26.25053.155 = 0x41646d696e697374726174696f6e20446f6d61696e
(7) Ruckus-Zone-Name = "Default Zone"
(7) Ruckus-Wlan-Name = "Test-SSID"
(7) Message-Authenticator = 0x381e04b0e75ba71bc96bf8ff666637f9
(7) Event-Timestamp = "May 27 2021 20:23:58 UTC"
(7) Proxy-State = 0x3635
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@ [^@]*@/ ) {
(7) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 96
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x5142877d51459d3b
(7) eap: Finished EAP session with state 0xf9bf494bffb85072
(7) eap: Previous EAP request found for state 0xf9bf494bffb85072, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x020700411a0207003c31bc81337089bbc2b31b3a7539bb08f38b0000000000000000bbeaf4504cbbfdc66d26cdd91abada9c56c5dc800abb1c62006a627261766f
(7) eap_peap: Setting User-Name to jbravo
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message =
0x020700411a0207003c31bc81337089bbc2b31b3a7539bb08f38b0000000000000000bbeaf4504cbbfdc66d26cdd91abada9c56c5dc800abb1c62006a627261766f
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "jbravo"
(7) eap_peap: State = 0x5142877d51459d3bd1da68a4da6421df
(7) Virtual server inner-tunnel received request
(7) EAP-Message =
0x020700411a0207003c31bc81337089bbc2b31b3a7539bb08f38b0000000000000000bbeaf4504cbbfdc66d26cdd91abada9c56c5dc800abb1c62006a627261766f
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "jbravo"
(7) State = 0x5142877d51459d3bd1da68a4da6421df
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@ [^@]*@/ ) {
(7) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 65
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap: --> (uid=jbravo)
(7) ldap: Performing search in
"o=605d181e43609a22cde87434,dc=jumpcloud,dc=com" with filter
"(uid=jbravo)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN
"uid=jbravo,ou=Users,o=605d181e43609a22cde87434,dc=jumpcloud,dc=com"
(7) ldap: Processing user attributes
(7) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(7) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://ldap.jumpcloud.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7) [ldap] = ok
(7) if ((ok || updated) && User-Password) {
(7) if ((ok || updated) && User-Password) -> FALSE
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x5142877d51459d3b
(7) eap: Finished EAP session with state 0x5142877d51459d3b
(7) eap: Previous EAP request found for state 0x5142877d51459d3b, released
from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
LM-Password
(7) mschap: Creating challenge hash with username: jbravo
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 7 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> jbravo
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap:
FAILED: No NT/LM-Password. Cannot perform authentication'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) MS-CHAP-Error = "\007E=691 R=1 C=d9508c1d006920be86d71572e179b79d V=3
M=Authentication rejected"
(7) EAP-Message = 0x04070004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply code 3
(7) eap_peap: MS-CHAP-Error = "\007E=691 R=1
C=d9508c1d006920be86d71572e179b79d V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04070004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Got tunneled reply RADIUS code 3
(7) eap_peap: MS-CHAP-Error = "\007E=691 R=1
C=d9508c1d006920be86d71572e179b79d V=3 M=Authentication rejected"
(7) eap_peap: EAP-Message = 0x04070004
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: Tunneled authentication was rejected
(7) eap_peap: FAILURE
(7) eap: Sending EAP Request (code 1) ID 8 length 46
(7) eap: EAP session adding &reply:State = 0xf9bf494bfeb75072
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Module-Failure-Message := "mschap: FAILED: No NT/LM-Password. Cannot
perform authentication"
(7) Sent Access-Challenge Id 13 from 10.92.8.117:1812 to 10.101.0.11:52709
length 0
(7) EAP-Message =
0x0108002e1900170303002344d27775faa956313f2966d9d96073e4fcd307c85f8a982c8da2272f49b17679a2f207
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xf9bf494bfeb750728434925772015f5c
(7) Proxy-State = 0x3635
(7) Finished request
Waking up in 4.1 seconds.
(8) Received Access-Request Id 230 from 10.101.0.11:52709 to
10.92.8.117:1812 length 455
(8) Acct-Session-Id = "60AFFFDC-63EDA801"
(8) User-Name = "jbravo"
(8) NAS-IP-Address = 10.101.0.200
(8) NAS-Identifier = "34-FA-9F-1E-F3-9D"
(8) NAS-Port = 1
(8) Called-Station-Id = "34-FA-9F-1E-F3-9D:Test-SSID"
(8) Calling-Station-Id = "38-F9-D3-49-E4-A7"
(8) Location-Data = 0x313055531708466c6578706f7274
(8) Location-Data =
0x323055531628373630204d61726b6574205374726565742c2053616e204672616e636973636f2c20434120555341
(8) Service-Type = Framed-User
(8) Chargeable-User-Identity = 0x00
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 802.11a/n"
(8) EAP-Message =
0x0208002e19001703030023fceea2d4691501a20ff900ac9ad31d7825db7d504078b003ff3b13dd143cfbfc596087
(8) State = 0xf9bf494bfeb750728434925772015f5c
(8) Ruckus-SSID = "Test-SSID"
(8) Ruckus-BSSID = 0x34fa9f1ef39d
(8) Ruckus-Location = "Flexport"
(8) Ruckus-VLAN-ID = 120
(8) Ruckus-SCG-CBlade-IP = 174391307
(8) Attr-26.25053.155 =
0x41646d696e697374726174696f6e20446f6d61696e
(8) Ruckus-Zone-Name = "Default Zone"
(8) Ruckus-Wlan-Name = "Test-SSID"
(8) Message-Authenticator = 0x8c8011a8a3ff2640ac0c0dc915695f42
(8) Event-Timestamp = "May 27 2021 20:23:58 UTC"
(8) Proxy-State = 0x3636
(8) Restoring &session-state
(8) &session-state:Module-Failure-Message := "mschap: FAILED: No
NT/LM-Password. Cannot perform authentication"
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@ [^@]*@/ ) {
(8) if (&User-Name =~ /@ [^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "jbravo", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 46
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0xf9bf494bfeb75072
(8) eap: Finished EAP session with state 0xf9bf494bfeb75072
(8) eap: Previous EAP request found for state 0xf9bf494bfeb75072,
released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv failure
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(8) eap_peap: This means you need to read the PREVIOUS messages in
the debug output
(8) eap_peap: to find out the reason why the user was rejected
(8) eap_peap: Look for "reject" or "fail". Those earlier messages
will tell you
(8) eap_peap: what went wrong, and how to fix the problem
(8) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
sub-module failed
(8) eap: Sending EAP Failure (code 4) ID 8 length 4
(8) eap: Failed in EAP select
(8) [eap] = invalid
(8) } # authenticate = invalid
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) attr_filter.access_reject: EXPAND %{User-Name}
(8) attr_filter.access_reject: --> jbravo
(8) attr_filter.access_reject: Matched entry DEFAULT at line 11
(8) [attr_filter.access_reject] = updated
(8) [eap] = noop
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1.000000 seconds
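
The final request in the log only repeats an earlier rejection and points back at the previous messages. As an added example (not part of the original post and not FreeRADIUS code), the following Python re-joins the mail-wrapped debug lines and returns the first module `reject` together with the WARNING/ERROR messages logged earlier in the same request; the function names are hypothetical and the embedded sample is an excerpt of the output quoted above.

```python
import re

# Excerpt of the debug output quoted in the post, including the mail
# client's hard wraps (continuation lines carry no "(N)" request prefix).
SAMPLE = '''\
(7) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
rlm_ldap (ldap): Released connection (1)
(7) [ldap] = ok
(7) mschap: WARNING: No Cleartext-Password configured. Cannot create
NT-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # authenticate = reject
(8) eap_peap: ERROR: The users session was previously rejected:
returning reject (again.)
(8) [eap] = invalid
'''

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')            # "(7) message"
GLOBAL = re.compile(r'^(?:rlm_\w+ \(|Waking up in |Need \d+ more )')
DIAG = re.compile(r'^(?:([\w.]+):\s+)?(WARNING|ERROR):\s+(.*)$')
RESULT = re.compile(r'^\[([\w.]+)\]\s+=\s+(\w+)$')  # "[mschap] = reject"


def unwrap(text):
    """Yield (request_id, message), re-joining wrapped continuation lines."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m or GLOBAL.match(line):
            # A new request line or a server-wide line ends the previous one.
            if current:
                yield current
            current = (int(m.group(1)), m.group(2)) if m else None
        elif current and line:
            current = (current[0], current[1] + ' ' + line)
    if current:
        yield current


def first_reject(text):
    """Return (request_id, module, diagnostics) for the earliest module reject.

    diagnostics lists (module, level, message) for every WARNING/ERROR
    logged in that request before the reject. Later requests that only
    repeat the rejection are never reached. Returns None if no module
    returned reject.
    """
    diags = {}
    for req, msg in unwrap(text):
        d = DIAG.match(msg)
        if d:
            diags.setdefault(req, []).append(d.groups())
            continue
        r = RESULT.match(msg)
        if r and r.group(2) == 'reject':
            return req, r.group(1), diags.get(req, [])
    return None


if __name__ == '__main__':
    req, module, diagnostics = first_reject(SAMPLE)
    print(f'request ({req}) rejected by [{module}]')
    for mod, level, message in diagnostics:
        print(f'  {level:7} {mod or "-"}: {message}')
```
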

