Some clients not using EAP-TLS anymore
David le Roux
david.leroux at miller.co.uk
Tue Aug 9 13:53:14 UTC 2022
Hello,
I have a fairly new problem where some clients (desktops/laptops) have stopped using their certificates and EAP and instead present their MAC addresses. However, this is a minority of clients and has only started to occur recently. The RADIUS server is configured to do both EAP-TLS and MAC-based auth for clients that aren't compatible. Naturally, we don't have MAC addresses stored in authorized_macs for our EAP clients.
Furthermore, the error is not consistent. Some clients throw errors in the logs but can continue to log in (they usually have a mix of successful EAP authentications and unsuccessful MAC-based auth). Some can log in after an ipconfig /release /renew. This occurs on a variety of access points (that is, different manufacturers) and nothing has changed on them or the RADIUS server as far as I can tell.
Any ideas? I've attached a debug log with a few successful and unsuccessful requests.
Thanks,
David le Roux
FreeRADIUS Version 3.2.0
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including configuration file /etc/freeradius/3.0/mwanclients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/eap
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/mh-site
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 120
cleanup_delay = 10
max_requests = 80000
postauth_client_lost = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client 127.0.0.1 {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
detail {
filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_files
# Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
files {
filename = "/etc/freeradius/3.0/mods-config/files/authorize"
acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
}
# Loading module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
files authorized_macs {
usersfile = "/etc/freeradius/3.0/authorized_macs"
key = "%{Calling-Station-ID}"
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_unix
# Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_eap
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "tls"
timer_expire = 600
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 80000
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
instantiate {
}
# Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
# Instantiating module "authorized_macs" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/authorized_macs
# Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs/millerCA/RADIUS_CA/"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.key"
certificate_file = "/etc/freeradius/3.0/certs/radius.millerextra.com.pem"
dh_file = "/etc/freeradius/3.0/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = yes
check_all_crl = no
ca_path_reload_interval = 0
check_cert_cn = "%{%{Cert-CN}:-%{User-Name}}"
cipher_list = "DEFAULT"
cipher_server_preference = no
check_cert_issuer = "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: Setting DH parameters from /etc/freeradius/3.0/certs/dh - this is no longer necessary.
tls: You should comment out the 'dh_file' configuration item.
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
server mh-site { # from file /etc/freeradius/3.0/sites-enabled/mh-site
# Loading authenticate {...}
Compiling Auth-Type EAP for attr Auth-Type
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
# Loading authorize {...}
# Loading post-proxy {...}
} # server mh-site
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = 10.10.251.2
port = 1812
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address 10.10.251.2 port 1812 bound to server mh-site
Listening on proxy address * port 34473
Ready to process requests
(10) Received Access-Request Id 72 from 10.35.80.11:1812 to 10.10.251.2:1812 length 353
(10) Framed-MTU = 1466
(10) NAS-IP-Address = 10.35.80.11
(10) NAS-Identifier = "ba-sw01"
(10) User-Name = "08-00-0f-82-60-2b"
(10) Service-Type = Call-Check
(10) Framed-Protocol = PPP
(10) NAS-Port = 39
(10) NAS-Port-Type = Ethernet
(10) NAS-Port-Id = "39"
(10) Called-Station-Id = "ec-9a-74-19-1f-19"
(10) Calling-Station-Id = "08-00-0f-82-60-2b"
(10) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
(10) CHAP-Password = 0xfaa641782c5ee3ce1dd7a848d127e805fa
(10) Message-Authenticator = 0xc1f4a47df4d02594a7610daeae455561
(10) MS-RAS-Vendor = 11
(10) HP-Capability-Advert = 0x011a0000000b28
(10) HP-Capability-Advert = 0x011a0000000b2e
(10) HP-Capability-Advert = 0x011a0000000b30
(10) HP-Capability-Advert = 0x011a0000000b3d
(10) HP-Capability-Advert = 0x011a0000000b18
(10) HP-Capability-Advert = 0x011a0000000b19
(10) HP-Capability-Advert = 0x0138
(10) HP-Capability-Advert = 0x013a
(10) HP-Capability-Advert = 0x0140
(10) HP-Capability-Advert = 0x0141
(10) HP-Capability-Advert = 0x0151
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) chap: &control:Auth-Type := CHAP
(10) [chap] = ok
Not doing PAP as Auth-Type is already set.
(10) [pap] = noop
(10) eap: No EAP-Message, not doing EAP
(10) [eap] = noop
(10) files: users: Matched entry DEFAULT at line 167
(10) [files] = ok
(10) [expiration] = noop
(10) [logintime] = noop
(10) policy rewrite_calling_station_id {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) update request {
(10) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 08-00-0f-82-60-2b
(10) &Calling-Station-Id := 08-00-0f-82-60-2b
(10) } # update request = noop
(10) [updated] = updated
(10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_calling_station_id = updated
(10) if (&User-Name =~ /^host\/(.*)$/) {
(10) if (&User-Name =~ /^host\/(.*)$/) -> FALSE
(10) if (!EAP-Message) {
(10) if (!EAP-Message) -> TRUE
(10) if (!EAP-Message) {
(10) authorized_macs: EXPAND %{Calling-Station-ID}
(10) authorized_macs: --> 08-00-0f-82-60-2b
(10) authorized_macs: users: Matched entry 08-00-0f-82-60-2b at line 599
(10) authorized_macs: EXPAND Device with MAC Address %{Calling-Station-Id} authorized for network access mil057-Derby-01
(10) authorized_macs: --> Device with MAC Address 08-00-0f-82-60-2b authorized for network access mil057-Derby-01
(10) [authorized_macs] = ok
(10) if (!ok) {
(10) if (!ok) -> FALSE
(10) else {
(10) update control {
(10) Auth-Type := Accept
(10) } # update control = noop
(10) } # else = noop
(10) } # if (!EAP-Message) = ok
(10) ... skipping else: Preceding "if" was taken
(10) } # authorize = updated
(10) Found Auth-Type = Accept
(10) Auth-Type = Accept, accepting the user
(10) Login OK: [08-00-0f-82-60-2b] (from client ba-sw01 port 39 cli 08-00-0f-82-60-2b)
(10) Sent Access-Accept Id 72 from 10.10.251.2:1812 to 10.35.80.11:1812 length 121
(10) Framed-Protocol = PPP
(10) Framed-Compression = Van-Jacobson-TCP-IP
(10) Reply-Message = "Device with MAC Address 08-00-0f-82-60-2b authorized for network access mil057-Derby-01"
(10) Finished request
Waking up in 7.7 seconds.
(11) Received Access-Request Id 222 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1794
(11) User-Name = "host/mh302290.millerextra.com"
(11) NAS-IP-Address = 0.0.0.0
(11) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(11) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) NAS-Port = 1
(11) Calling-Station-Id = "DC-21-5C-C3-72-47"
(11) Connect-Info = "CONNECT 0.00 Mbps / 802. / RSSI: 0 / Channel: 0"
(11) Acct-Session-Id = "9CDB98DC889BEB86"
(11) Acct-Multi-Session-Id = "2D0EF608C685F0CB"
(11) WLAN-Pairwise-Cipher = 1027076
(11) WLAN-Group-Cipher = 1027076
(11) WLAN-AKM-Suite = 1027073
(11) Framed-MTU = 1400
(11) EAP-Message = 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
(11) State = 0xf72b5a5df3bb57a9c1efd3e6da559108
(11) Message-Authenticator = 0xfd14e06d0d481d0ddcc791481667491c
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(11) pap: WARNING: Authentication will fail unless a "known good" password is available
(11) [pap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 144 length 1492
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
(11) policy rewrite_calling_station_id {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) update request {
(11) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> dc-21-5c-c3-72-47
(11) &Calling-Station-Id := dc-21-5c-c3-72-47
(11) } # update request = noop
(11) [updated] = updated
(11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_calling_station_id = updated
(11) if (&User-Name =~ /^host\/(.*)$/) {
(11) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(11) if (&User-Name =~ /^host\/(.*)$/) {
(11) update request {
(11) EXPAND %{1}
(11) --> mh302290.millerextra.com
(11) &Cert-CN := mh302290.millerextra.com
(11) } # update request = noop
(11) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(11) if (!EAP-Message) {
(11) if (!EAP-Message) -> FALSE
(11) else {
(11) eap: Peer sent EAP Response (code 2) ID 144 length 1492
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) } # else = updated
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) Found Auth-Type = eap
(11) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(11) Auth-Type EAP {
(11) eap: Expiring EAP session with state 0xdd940e92d9030376
(11) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0xf72b5a5df3bb57a9
(11) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(11) eap: Failed in handler
(11) [eap] = invalid
(11) } # Auth-Type EAP = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) Login incorrect (Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'): [host/mh302290.millerextra.com] (from client MWAN-10.225.23.1 port 1 cli dc-21-5c-c3-72-47)
(11) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sent Access-Reject Id 222 from 10.10.251.2:1812 to 10.225.23.1:59952 length 20
Waking up in 5.2 seconds.
(12) Received Access-Request Id 223 from 10.225.23.1:59952 to 10.10.251.2:1812 length 315
(12) User-Name = "host/mh302290.millerextra.com"
(12) NAS-IP-Address = 0.0.0.0
(12) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(12) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(12) NAS-Port-Type = Wireless-802.11
(12) Service-Type = Framed-User
(12) NAS-Port = 1
(12) Calling-Station-Id = "DC-21-5C-C3-72-47"
(12) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 43 / Channel: 44"
(12) Acct-Session-Id = "2658296537E87022"
(12) Acct-Multi-Session-Id = "998A54E28541EE6C"
(12) WLAN-Pairwise-Cipher = 1027076
(12) WLAN-Group-Cipher = 1027076
(12) WLAN-AKM-Suite = 1027073
(12) Framed-MTU = 1400
(12) EAP-Message = 0x02c4002201686f73742f6d683330323239302e6d696c6c657265787472612e636f6d
(12) Message-Authenticator = 0x5181770c1add38466ac200aa55ea74b1
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(12) pap: WARNING: Authentication will fail unless a "known good" password is available
(12) [pap] = noop
(12) eap: Peer sent EAP Response (code 2) ID 196 length 34
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(12) Auth-Type EAP {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_tls to process data
(12) eap_tls: (TLS) Initiating new session
(12) eap_tls: (TLS) Setting verify mode to require certificate from client
(12) eap: Sending EAP Request (code 1) ID 197 length 6
(12) eap: EAP session adding &reply:State = 0xaac2f7c8aa07faba
(12) [eap] = handled
(12) } # Auth-Type EAP = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) session-state: Saving cached attributes
(12) Framed-MTU = 994
(12) Sent Access-Challenge Id 223 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(12) EAP-Message = 0x01c500060d20
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0xaac2f7c8aa07fabaed78ca5277b3b026
(12) Finished request
Waking up in 4.0 seconds.
(13) Received Access-Request Id 224 from 10.225.23.1:59952 to 10.10.251.2:1812 length 465
(13) User-Name = "host/mh302290.millerextra.com"
(13) NAS-IP-Address = 0.0.0.0
(13) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(13) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(13) NAS-Port-Type = Wireless-802.11
(13) Service-Type = Framed-User
(13) NAS-Port = 1
(13) Calling-Station-Id = "DC-21-5C-C3-72-47"
(13) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 43 / Channel: 44"
(13) Acct-Session-Id = "2658296537E87022"
(13) Acct-Multi-Session-Id = "998A54E28541EE6C"
(13) WLAN-Pairwise-Cipher = 1027076
(13) WLAN-Group-Cipher = 1027076
(13) WLAN-AKM-Suite = 1027073
(13) Framed-MTU = 1400
(13) EAP-Message = 0x02c500a60d800000009c160303009701000093030362ebdf9c0af9efa6996f92ec7b67d43784dd9b91c9e727693384342d4b45e60a00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
(13) State = 0xaac2f7c8aa07fabaed78ca5277b3b026
(13) Message-Authenticator = 0x429c1aebbd6926690dfe5c2b28211a0b
(13) Restoring &session-state
(13) &session-state:Framed-MTU = 994
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(13) pap: WARNING: Authentication will fail unless a "known good" password is available
(13) [pap] = noop
(13) eap: Peer sent EAP Response (code 2) ID 197 length 166
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) [files] = noop
(13) [expiration] = noop
(13) [logintime] = noop
(13) policy rewrite_calling_station_id {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) update request {
(13) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> dc-21-5c-c3-72-47
(13) &Calling-Station-Id := dc-21-5c-c3-72-47
(13) } # update request = noop
(13) [updated] = updated
(13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_calling_station_id = updated
(13) if (&User-Name =~ /^host\/(.*)$/) {
(13) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(13) if (&User-Name =~ /^host\/(.*)$/) {
(13) update request {
(13) EXPAND %{1}
(13) --> mh302290.millerextra.com
(13) &Cert-CN := mh302290.millerextra.com
(13) } # update request = noop
(13) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(13) if (!EAP-Message) {
(13) if (!EAP-Message) -> FALSE
(13) else {
(13) eap: Peer sent EAP Response (code 2) ID 197 length 166
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # else = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) Found Auth-Type = eap
(13) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(13) Auth-Type EAP {
(13) eap: Expiring EAP session with state 0xdd940e92d9030376
(13) eap: Finished EAP session with state 0xaac2f7c8aa07faba
(13) eap: Previous EAP request found for state 0xaac2f7c8aa07faba, released from the list
(13) eap: Peer sent packet with method EAP TLS (13)
(13) eap: Calling submodule eap_tls to process data
(13) eap_tls: (TLS) EAP Peer says that the final record size will be 156 bytes
(13) eap_tls: (TLS) EAP Got all data (156 bytes)
(13) eap_tls: (TLS) Handshake state - before SSL initialization
(13) eap_tls: (TLS) Handshake state - Server before SSL initialization
(13) eap_tls: (TLS) Handshake state - Server before SSL initialization
(13) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(13) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(13) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
(13) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(13) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(13) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(13) eap_tls: (TLS) In Handshake Phase
(13) eap: Sending EAP Request (code 1) ID 198 length 1004
(13) eap: EAP session adding &reply:State = 0xaac2f7c8ab04faba
(13) [eap] = handled
(13) } # Auth-Type EAP = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) session-state: Saving cached attributes
(13) Framed-MTU = 994
(13) Sent Access-Challenge Id 224 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(13) EAP-Message = 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
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0xaac2f7c8ab04fabaed78ca5277b3b026
(13) Finished request
Waking up in 3.9 seconds.
(14) Received Access-Request Id 225 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(14) User-Name = "host/mh302290.millerextra.com"
(14) NAS-IP-Address = 0.0.0.0
(14) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(14) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(14) NAS-Port-Type = Wireless-802.11
(14) Service-Type = Framed-User
(14) NAS-Port = 1
(14) Calling-Station-Id = "DC-21-5C-C3-72-47"
(14) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(14) Acct-Session-Id = "2658296537E87022"
(14) Acct-Multi-Session-Id = "998A54E28541EE6C"
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027073
(14) Framed-MTU = 1400
(14) EAP-Message = 0x02c600060d00
(14) State = 0xaac2f7c8ab04fabaed78ca5277b3b026
(14) Message-Authenticator = 0xcd1501bb910ecdbf44f6a27cd1f054c7
(14) Restoring &session-state
(14) &session-state:Framed-MTU = 994
(14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(14) pap: WARNING: Authentication will fail unless a "known good" password is available
(14) [pap] = noop
(14) eap: Peer sent EAP Response (code 2) ID 198 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14) [eap] = updated
(14) [files] = noop
(14) [expiration] = noop
(14) [logintime] = noop
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> dc-21-5c-c3-72-47
(14) &Calling-Station-Id := dc-21-5c-c3-72-47
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) if (&User-Name =~ /^host\/(.*)$/) {
(14) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(14) if (&User-Name =~ /^host\/(.*)$/) {
(14) update request {
(14) EXPAND %{1}
(14) --> mh302290.millerextra.com
(14) &Cert-CN := mh302290.millerextra.com
(14) } # update request = noop
(14) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(14) if (!EAP-Message) {
(14) if (!EAP-Message) -> FALSE
(14) else {
(14) eap: Peer sent EAP Response (code 2) ID 198 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14) [eap] = updated
(14) } # else = updated
(14) } # authorize = updated
(14) Found Auth-Type = eap
(14) Found Auth-Type = eap
(14) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(14) Auth-Type EAP {
(14) eap: Expiring EAP session with state 0xdd940e92d9030376
(14) eap: Finished EAP session with state 0xaac2f7c8ab04faba
(14) eap: Previous EAP request found for state 0xaac2f7c8ab04faba, released from the list
(14) eap: Peer sent packet with method EAP TLS (13)
(14) eap: Calling submodule eap_tls to process data
(14) eap_tls: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 199 length 1004
(14) eap: EAP session adding &reply:State = 0xaac2f7c8a805faba
(14) [eap] = handled
(14) } # Auth-Type EAP = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) session-state: Saving cached attributes
(14) Framed-MTU = 994
(14) Sent Access-Challenge Id 225 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(14) EAP-Message = 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
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0xaac2f7c8a805fabaed78ca5277b3b026
(14) Finished request
Waking up in 3.8 seconds.
(15) Received Access-Request Id 226 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(15) User-Name = "host/mh302290.millerextra.com"
(15) NAS-IP-Address = 0.0.0.0
(15) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(15) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(15) NAS-Port-Type = Wireless-802.11
(15) Service-Type = Framed-User
(15) NAS-Port = 1
(15) Calling-Station-Id = "DC-21-5C-C3-72-47"
(15) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(15) Acct-Session-Id = "2658296537E87022"
(15) Acct-Multi-Session-Id = "998A54E28541EE6C"
(15) WLAN-Pairwise-Cipher = 1027076
(15) WLAN-Group-Cipher = 1027076
(15) WLAN-AKM-Suite = 1027073
(15) Framed-MTU = 1400
(15) EAP-Message = 0x02c700060d00
(15) State = 0xaac2f7c8a805fabaed78ca5277b3b026
(15) Message-Authenticator = 0x86b56f67d5c598cadcb3cebe70c55884
(15) Restoring &session-state
(15) &session-state:Framed-MTU = 994
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(15) pap: WARNING: Authentication will fail unless a "known good" password is available
(15) [pap] = noop
(15) eap: Peer sent EAP Response (code 2) ID 199 length 6
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) [files] = noop
(15) [expiration] = noop
(15) [logintime] = noop
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> dc-21-5c-c3-72-47
(15) &Calling-Station-Id := dc-21-5c-c3-72-47
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) if (&User-Name =~ /^host\/(.*)$/) {
(15) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(15) if (&User-Name =~ /^host\/(.*)$/) {
(15) update request {
(15) EXPAND %{1}
(15) --> mh302290.millerextra.com
(15) &Cert-CN := mh302290.millerextra.com
(15) } # update request = noop
(15) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(15) if (!EAP-Message) {
(15) if (!EAP-Message) -> FALSE
(15) else {
(15) eap: Peer sent EAP Response (code 2) ID 199 length 6
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15) [eap] = updated
(15) } # else = updated
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) Found Auth-Type = eap
(15) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(15) Auth-Type EAP {
(15) eap: Expiring EAP session with state 0xdd940e92d9030376
(15) eap: Finished EAP session with state 0xaac2f7c8a805faba
(15) eap: Previous EAP request found for state 0xaac2f7c8a805faba, released from the list
(15) eap: Peer sent packet with method EAP TLS (13)
(15) eap: Calling submodule eap_tls to process data
(15) eap_tls: (TLS) Peer ACKed our handshake fragment
(15) eap: Sending EAP Request (code 1) ID 200 length 1004
(15) eap: EAP session adding &reply:State = 0xaac2f7c8a90afaba
(15) [eap] = handled
(15) } # Auth-Type EAP = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) session-state: Saving cached attributes
(15) Framed-MTU = 994
(15) Sent Access-Challenge Id 226 from 10.10.251.2:1812 to 10.225.23.1:59952 length 1068
(15) EAP-Message = 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
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0xaac2f7c8a90afabaed78ca5277b3b026
(15) Finished request
Waking up in 3.7 seconds.
(16) Received Access-Request Id 227 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(16) User-Name = "host/mh302290.millerextra.com"
(16) NAS-IP-Address = 0.0.0.0
(16) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(16) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(16) NAS-Port-Type = Wireless-802.11
(16) Service-Type = Framed-User
(16) NAS-Port = 1
(16) Calling-Station-Id = "DC-21-5C-C3-72-47"
(16) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(16) Acct-Session-Id = "2658296537E87022"
(16) Acct-Multi-Session-Id = "998A54E28541EE6C"
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-Group-Cipher = 1027076
(16) WLAN-AKM-Suite = 1027073
(16) Framed-MTU = 1400
(16) EAP-Message = 0x02c800060d00
(16) State = 0xaac2f7c8a90afabaed78ca5277b3b026
(16) Message-Authenticator = 0xc01149efd82fc9c07cad6bd237559ece
(16) Restoring &session-state
(16) &session-state:Framed-MTU = 994
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(16) pap: WARNING: Authentication will fail unless a "known good" password is available
(16) [pap] = noop
(16) eap: Peer sent EAP Response (code 2) ID 200 length 6
(16) eap: No EAP Start, assuming it's an on-going EAP conversation
(16) [eap] = updated
(16) [files] = noop
(16) [expiration] = noop
(16) [logintime] = noop
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> dc-21-5c-c3-72-47
(16) &Calling-Station-Id := dc-21-5c-c3-72-47
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) if (&User-Name =~ /^host\/(.*)$/) {
(16) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(16) if (&User-Name =~ /^host\/(.*)$/) {
(16) update request {
(16) EXPAND %{1}
(16) --> mh302290.millerextra.com
(16) &Cert-CN := mh302290.millerextra.com
(16) } # update request = noop
(16) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(16) if (!EAP-Message) {
(16) if (!EAP-Message) -> FALSE
(16) else {
(16) eap: Peer sent EAP Response (code 2) ID 200 length 6
(16) eap: No EAP Start, assuming it's an on-going EAP conversation
(16) [eap] = updated
(16) } # else = updated
(16) } # authorize = updated
(16) Found Auth-Type = eap
(16) Found Auth-Type = eap
(16) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(16) Auth-Type EAP {
(16) eap: Expiring EAP session with state 0xdd940e92d9030376
(16) eap: Finished EAP session with state 0xaac2f7c8a90afaba
(16) eap: Previous EAP request found for state 0xaac2f7c8a90afaba, released from the list
(16) eap: Peer sent packet with method EAP TLS (13)
(16) eap: Calling submodule eap_tls to process data
(16) eap_tls: (TLS) Peer ACKed our handshake fragment
(16) eap: Sending EAP Request (code 1) ID 201 length 406
(16) eap: EAP session adding &reply:State = 0xaac2f7c8ae0bfaba
(16) [eap] = handled
(16) } # Auth-Type EAP = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) session-state: Saving cached attributes
(16) Framed-MTU = 994
(16) Sent Access-Challenge Id 227 from 10.10.251.2:1812 to 10.225.23.1:59952 length 466
(16) EAP-Message = 0x01c901960d8000000d32ef53f57a455c108febd3d77c85c7bba183e2970232e0a57c48ef3374523b4c3d7b5fff7028ea28fc53476f1a9f3ba2f57bde6f4b4aa65bd0db7debe7ef052e234409f02dd108b426cc8e7cddc82f501e73f03bdf3875d2cada085de5e9af2bf7ebab413d24b073f44f694df44bad07691a3616030300cd0c0000c90300174104bf7fa3292066dc49f258a82260857a24a5deb2245ebde7def3735117c97082722d5eab3e86d2efe52e20b0d0e3347317ebff940709132426e71ae78ea7405747040100801f931ade0b5bcd12c4f8f36dd8cbb396f372a28eb6e9fbf10a5993ecc7664767e8cd8ed5502b79990b370cdfa818f1c795c76cc9e5b68f823e13cdca16e54ff21d8c9211ca09df258fdab61843edbc3d660cba9a2c856ecaf3e53977810ed983f403100d4030f7d83ad1372b612fb684cc732206ed9a52fc62eac49278358c06160303003a0d00003603010240002e040305030603080708080809080a080b08040805080604010501
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0xaac2f7c8ae0bfabaed78ca5277b3b026
(16) Finished request
Waking up in 3.6 seconds.
(17) Received Access-Request Id 228 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1801
(17) User-Name = "host/mh302290.millerextra.com"
(17) NAS-IP-Address = 0.0.0.0
(17) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(17) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(17) NAS-Port-Type = Wireless-802.11
(17) Service-Type = Framed-User
(17) NAS-Port = 1
(17) Calling-Station-Id = "DC-21-5C-C3-72-47"
(17) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 42 / Channel: 44"
(17) Acct-Session-Id = "2658296537E87022"
(17) Acct-Multi-Session-Id = "998A54E28541EE6C"
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-Group-Cipher = 1027076
(17) WLAN-AKM-Suite = 1027073
(17) Framed-MTU = 1400
(17) EAP-Message = 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
(17) State = 0xaac2f7c8ae0bfabaed78ca5277b3b026
(17) Message-Authenticator = 0x217b4ea05047c4bcc41c987c8fc5f8af
(17) Restoring &session-state
(17) &session-state:Framed-MTU = 994
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(17) pap: WARNING: Authentication will fail unless a "known good" password is available
(17) [pap] = noop
(17) eap: Peer sent EAP Response (code 2) ID 201 length 1492
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [eap] = updated
(17) [files] = noop
(17) [expiration] = noop
(17) [logintime] = noop
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> dc-21-5c-c3-72-47
(17) &Calling-Station-Id := dc-21-5c-c3-72-47
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) if (&User-Name =~ /^host\/(.*)$/) {
(17) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(17) if (&User-Name =~ /^host\/(.*)$/) {
(17) update request {
(17) EXPAND %{1}
(17) --> mh302290.millerextra.com
(17) &Cert-CN := mh302290.millerextra.com
(17) } # update request = noop
(17) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(17) if (!EAP-Message) {
(17) if (!EAP-Message) -> FALSE
(17) else {
(17) eap: Peer sent EAP Response (code 2) ID 201 length 1492
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17) [eap] = updated
(17) } # else = updated
(17) } # authorize = updated
(17) Found Auth-Type = eap
(17) Found Auth-Type = eap
(17) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(17) Auth-Type EAP {
(17) eap: Expiring EAP session with state 0xdd940e92d9030376
(17) eap: Finished EAP session with state 0xaac2f7c8ae0bfaba
(17) eap: Previous EAP request found for state 0xaac2f7c8ae0bfaba, released from the list
(17) eap: Peer sent packet with method EAP TLS (13)
(17) eap: Calling submodule eap_tls to process data
(17) eap_tls: (TLS) EAP Peer says that the final record size will be 3273 bytes
(17) eap_tls: (TLS) EAP Expecting 3 fragments
(17) eap_tls: (TLS) EAP Got first TLS fragment (1482 bytes). Peer says more fragments will follow
(17) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(17) eap: Sending EAP Request (code 1) ID 202 length 6
(17) eap: EAP session adding &reply:State = 0xaac2f7c8af08faba
(17) [eap] = handled
(17) } # Auth-Type EAP = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) session-state: Saving cached attributes
(17) Framed-MTU = 994
(17) Sent Access-Challenge Id 228 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(17) EAP-Message = 0x01ca00060d00
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0xaac2f7c8af08fabaed78ca5277b3b026
(17) Finished request
Waking up in 3.4 seconds.
(18) Received Access-Request Id 229 from 10.225.23.1:59952 to 10.10.251.2:1812 length 1801
(18) User-Name = "host/mh302290.millerextra.com"
(18) NAS-IP-Address = 0.0.0.0
(18) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(18) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(18) NAS-Port-Type = Wireless-802.11
(18) Service-Type = Framed-User
(18) NAS-Port = 1
(18) Calling-Station-Id = "DC-21-5C-C3-72-47"
(18) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(18) Acct-Session-Id = "2658296537E87022"
(18) Acct-Multi-Session-Id = "998A54E28541EE6C"
(18) WLAN-Pairwise-Cipher = 1027076
(18) WLAN-Group-Cipher = 1027076
(18) WLAN-AKM-Suite = 1027073
(18) Framed-MTU = 1400
(18) EAP-Message = 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
(18) State = 0xaac2f7c8af08fabaed78ca5277b3b026
(18) Message-Authenticator = 0x4ab1f39280efc838f54bcfb846c85e1a
(18) Restoring &session-state
(18) &session-state:Framed-MTU = 994
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(18) pap: WARNING: Authentication will fail unless a "known good" password is available
(18) [pap] = noop
(18) eap: Peer sent EAP Response (code 2) ID 202 length 1492
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [eap] = updated
(18) [files] = noop
(18) [expiration] = noop
(18) [logintime] = noop
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> dc-21-5c-c3-72-47
(18) &Calling-Station-Id := dc-21-5c-c3-72-47
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) if (&User-Name =~ /^host\/(.*)$/) {
(18) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(18) if (&User-Name =~ /^host\/(.*)$/) {
(18) update request {
(18) EXPAND %{1}
(18) --> mh302290.millerextra.com
(18) &Cert-CN := mh302290.millerextra.com
(18) } # update request = noop
(18) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(18) if (!EAP-Message) {
(18) if (!EAP-Message) -> FALSE
(18) else {
(18) eap: Peer sent EAP Response (code 2) ID 202 length 1492
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [eap] = updated
(18) } # else = updated
(18) } # authorize = updated
(18) Found Auth-Type = eap
(18) Found Auth-Type = eap
(18) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(18) Auth-Type EAP {
(18) eap: Expiring EAP session with state 0xdd940e92d9030376
(18) eap: Finished EAP session with state 0xaac2f7c8af08faba
(18) eap: Previous EAP request found for state 0xaac2f7c8af08faba, released from the list
(18) eap: Peer sent packet with method EAP TLS (13)
(18) eap: Calling submodule eap_tls to process data
(18) eap_tls: (TLS) EAP Got additional fragment (1486 bytes). Peer says more fragments will follow
(18) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(18) eap: Sending EAP Request (code 1) ID 203 length 6
(18) eap: EAP session adding &reply:State = 0xaac2f7c8ac09faba
(18) [eap] = handled
(18) } # Auth-Type EAP = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) session-state: Saving cached attributes
(18) Framed-MTU = 994
(18) Sent Access-Challenge Id 229 from 10.10.251.2:1812 to 10.225.23.1:59952 length 64
(18) EAP-Message = 0x01cb00060d00
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0xaac2f7c8ac09fabaed78ca5277b3b026
(18) Finished request
Waking up in 3.3 seconds.
(19) Received Access-Request Id 230 from 10.225.23.1:59952 to 10.10.251.2:1812 length 612
(19) User-Name = "host/mh302290.millerextra.com"
(19) NAS-IP-Address = 0.0.0.0
(19) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(19) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(19) NAS-Port-Type = Wireless-802.11
(19) Service-Type = Framed-User
(19) NAS-Port = 1
(19) Calling-Station-Id = "DC-21-5C-C3-72-47"
(19) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(19) Acct-Session-Id = "2658296537E87022"
(19) Acct-Multi-Session-Id = "998A54E28541EE6C"
(19) WLAN-Pairwise-Cipher = 1027076
(19) WLAN-Group-Cipher = 1027076
(19) WLAN-AKM-Suite = 1027073
(19) Framed-MTU = 1400
(19) EAP-Message = 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
(19) State = 0xaac2f7c8ac09fabaed78ca5277b3b026
(19) Message-Authenticator = 0x9ad0e6dd3ad8d8bfe60fcbf1d4877c4e
(19) Restoring &session-state
(19) &session-state:Framed-MTU = 994
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(19) pap: WARNING: Authentication will fail unless a "known good" password is available
(19) [pap] = noop
(19) eap: Peer sent EAP Response (code 2) ID 203 length 311
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) [files] = noop
(19) [expiration] = noop
(19) [logintime] = noop
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> dc-21-5c-c3-72-47
(19) &Calling-Station-Id := dc-21-5c-c3-72-47
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) if (&User-Name =~ /^host\/(.*)$/) {
(19) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(19) if (&User-Name =~ /^host\/(.*)$/) {
(19) update request {
(19) EXPAND %{1}
(19) --> mh302290.millerextra.com
(19) &Cert-CN := mh302290.millerextra.com
(19) } # update request = noop
(19) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(19) if (!EAP-Message) {
(19) if (!EAP-Message) -> FALSE
(19) else {
(19) eap: Peer sent EAP Response (code 2) ID 203 length 311
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19) [eap] = updated
(19) } # else = updated
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) Found Auth-Type = eap
(19) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(19) Auth-Type EAP {
(19) eap: Expiring EAP session with state 0xdd940e92d9030376
(19) eap: Finished EAP session with state 0xaac2f7c8ac09faba
(19) eap: Previous EAP request found for state 0xaac2f7c8ac09faba, released from the list
(19) eap: Peer sent packet with method EAP TLS (13)
(19) eap: Calling submodule eap_tls to process data
(19) eap_tls: (TLS) EAP Got final fragment (305 bytes)
(19) eap_tls: (TLS) EAP Done initial handshake
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(19) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate
(19) eap_tls: (TLS) Creating attributes from server certificate
(19) eap_tls: TLS-Cert-Expiration := "360203235800Z"
(19) eap_tls: TLS-Cert-Valid-Since := "111215110200Z"
(19) eap_tls: TLS-Cert-Subject := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
(19) eap_tls: TLS-Cert-Issuer := "/O=MG_TREE/OU=Organizational CA"
(19) eap_tls: TLS-Cert-Common-Name := "Intermediate CA"
(19) eap_tls: (TLS) Creating attributes from client certificate
(19) eap_tls: TLS-Client-Cert-Serial := "517b"
(19) eap_tls: TLS-Client-Cert-Expiration := "380602104250Z"
(19) eap_tls: TLS-Client-Cert-Valid-Since := "180607104250Z"
(19) eap_tls: TLS-Client-Cert-Subject := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=mh302290.millerextra.com"
(19) eap_tls: TLS-Client-Cert-Issuer := "/C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA"
(19) eap_tls: TLS-Client-Cert-Common-Name := "mh302290.millerextra.com"
(19) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(19) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=Intermediate CA
(TLS) untrusted certificate with depth [0] subject name /C=GB/ST=Edinburgh/L=Edinburgh/O=Miller Group Ltd/OU=Group IT/CN=mh302290.millerextra.com
(19) eap_tls: EXPAND %{%{Cert-CN}:-%{User-Name}}
(19) eap_tls: --> mh302290.millerextra.com
(19) eap_tls: checking certificate CN (mh302290.millerextra.com) with xlat'ed value (mh302290.millerextra.com)
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(19) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
(19) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(19) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
(19) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
(19) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
(19) eap_tls: (TLS) Connection Established
(19) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) eap_tls: TLS-Session-Version = "TLS 1.2"
(19) eap: Sending EAP Request (code 1) ID 204 length 61
(19) eap: EAP session adding &reply:State = 0xaac2f7c8ad0efaba
(19) [eap] = handled
(19) } # Auth-Type EAP = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) session-state: Saving cached attributes
(19) Framed-MTU = 994
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 230 from 10.10.251.2:1812 to 10.225.23.1:59952 length 119
(19) EAP-Message = 0x01cc003d0d800000003314030300010116030300289fb66e19904cea77ce871c25754eba9282fba3ca777ca309c7283b774b8249df0d1ee5035915786f
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xaac2f7c8ad0efabaed78ca5277b3b026
(19) Finished request
Waking up in 3.3 seconds.
(20) Received Access-Request Id 231 from 10.225.23.1:59952 to 10.10.251.2:1812 length 305
(20) User-Name = "host/mh302290.millerextra.com"
(20) NAS-IP-Address = 0.0.0.0
(20) NAS-Identifier = "E0-55-3D-89-23-20:vap1"
(20) Called-Station-Id = "E2-55-6D-89-23-21:mhstaff"
(20) NAS-Port-Type = Wireless-802.11
(20) Service-Type = Framed-User
(20) NAS-Port = 1
(20) Calling-Station-Id = "DC-21-5C-C3-72-47"
(20) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 41 / Channel: 44"
(20) Acct-Session-Id = "2658296537E87022"
(20) Acct-Multi-Session-Id = "998A54E28541EE6C"
(20) WLAN-Pairwise-Cipher = 1027076
(20) WLAN-Group-Cipher = 1027076
(20) WLAN-AKM-Suite = 1027073
(20) Framed-MTU = 1400
(20) EAP-Message = 0x02cc00060d00
(20) State = 0xaac2f7c8ad0efabaed78ca5277b3b026
(20) Message-Authenticator = 0xf00b72196a381c05f74df8e1bae5bc7c
(20) Restoring &session-state
(20) &session-state:Framed-MTU = 994
(20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(20) pap: WARNING: Authentication will fail unless a "known good" password is available
(20) [pap] = noop
(20) eap: Peer sent EAP Response (code 2) ID 204 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) [files] = noop
(20) [expiration] = noop
(20) [logintime] = noop
(20) policy rewrite_calling_station_id {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) update request {
(20) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> dc-21-5c-c3-72-47
(20) &Calling-Station-Id := dc-21-5c-c3-72-47
(20) } # update request = noop
(20) [updated] = updated
(20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_calling_station_id = updated
(20) if (&User-Name =~ /^host\/(.*)$/) {
(20) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(20) if (&User-Name =~ /^host\/(.*)$/) {
(20) update request {
(20) EXPAND %{1}
(20) --> mh302290.millerextra.com
(20) &Cert-CN := mh302290.millerextra.com
(20) } # update request = noop
(20) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(20) if (!EAP-Message) {
(20) if (!EAP-Message) -> FALSE
(20) else {
(20) eap: Peer sent EAP Response (code 2) ID 204 length 6
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) } # else = updated
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) Found Auth-Type = eap
(20) ERROR: Warning: Found 2 auth-types on request for user 'host/mh302290.millerextra.com'
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(20) Auth-Type EAP {
(20) eap: Expiring EAP session with state 0xdd940e92d9030376
(20) eap: Finished EAP session with state 0xaac2f7c8ad0efaba
(20) eap: Previous EAP request found for state 0xaac2f7c8ad0efaba, released from the list
(20) eap: Peer sent packet with method EAP TLS (13)
(20) eap: Calling submodule eap_tls to process data
(20) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(20) eap: Sending EAP Success (code 3) ID 204 length 4
(20) eap: Freeing handler
(20) [eap] = ok
(20) } # Auth-Type EAP = ok
(20) Login OK: [host/mh302290.millerextra.com] (from client MWAN-10.225.23.1 port 1 cli dc-21-5c-c3-72-47)
(20) Sent Access-Accept Id 231 from 10.10.251.2:1812 to 10.225.23.1:59952 length 191
(20) MS-MPPE-Recv-Key = 0x5174a1fa6f9c95751d175f374296fbf6f2601dd7812286091c0a9299caa1d901
(20) MS-MPPE-Send-Key = 0x17b4077c5d99af4f534b6f6318b07a9eb29945b6a3221eced94cbcbf8a8011c1
(20) EAP-Message = 0x03cc0004
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) User-Name = "host/mh302290.millerextra.com"
(20) Finished request
Waking up in 3.2 seconds.
(21) Received Access-Request Id 197 from 10.20.80.11:3279 to 10.10.251.2:1812 length 219
(21) User-Name = "b4-45-06-c1-79-98"
(21) User-Password = "b4-45-06-c1-79-98"
(21) NAS-IP-Address = 10.20.80.11
(21) NAS-Identifier = "ed-sw-1f01"
(21) NAS-Port = 16863283
(21) NAS-Port-Id = "slot=1;subslot=0;port=21;vlanid=51"
(21) NAS-Port-Type = Ethernet
(21) Service-Type = Call-Check
(21) Framed-Protocol = PPP
(21) Calling-Station-Id = "B4-45-06-C1-79-98"
(21) Acct-Session-Id = "122070415033a1a010"
(21) Attr-26.43.230 = 0x4769676162697445746865726e6574312f302f3231
(21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(21) pap: WARNING: Authentication will fail unless a "known good" password is available
(21) [pap] = noop
(21) eap: No EAP-Message, not doing EAP
(21) [eap] = noop
(21) files: users: Matched entry DEFAULT at line 167
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) policy rewrite_calling_station_id {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) update request {
(21) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> b4-45-06-c1-79-98
(21) &Calling-Station-Id := b4-45-06-c1-79-98
(21) } # update request = noop
(21) [updated] = updated
(21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_calling_station_id = updated
(21) if (&User-Name =~ /^host\/(.*)$/) {
(21) if (&User-Name =~ /^host\/(.*)$/) -> FALSE
(21) if (!EAP-Message) {
(21) if (!EAP-Message) -> TRUE
(21) if (!EAP-Message) {
(21) authorized_macs: EXPAND %{Calling-Station-ID}
(21) authorized_macs: --> b4-45-06-c1-79-98
(21) [authorized_macs] = noop
(21) if (!ok) {
(21) if (!ok) -> TRUE
(21) if (!ok) {
(21) [reject] = reject
(21) } # if (!ok) = reject
(21) } # if (!EAP-Message) = reject
(21) } # authorize = reject
(21) Invalid user: [b4-45-06-c1-79-98] (from client ed-sw-1f01 port 16863283 cli b4-45-06-c1-79-98)
(21) Using Post-Auth-Type Reject
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) Login incorrect: [b4-45-06-c1-79-98] (from client ed-sw-1f01 port 16863283 cli b4-45-06-c1-79-98)
(21) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(21) Sending delayed response
(21) Sent Access-Reject Id 197 from 10.10.251.2:1812 to 10.20.80.11:3279 length 32
(21) Framed-Protocol = PPP
(21) Framed-Compression = Van-Jacobson-TCP-IP
Waking up in 0.3 seconds.
(0) Cleaning up request packet ID 34 with timestamp +0 due to cleanup_delay was reached
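An added triage example, not part of the original post or of FreeRADIUS: it groups debug output like the log above by request number and flags stations whose MAC-based requests were rejected, separating those that also completed EAP (the mix the post describes) from those seen only with MAC auth. The sample log is constructed, the function names are hypothetical, and the classification rule is an assumption modelled on requests (20) and (21) above: an EAP-Message attribute means EAP, while Service-Type = Call-Check or a User-Name equal to the Calling-Station-Id means MAC auth.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the debug output above (not the poster's log).
SAMPLE = '''\
(1) Received Access-Request Id 10 from 192.0.2.1:50000 to 192.0.2.10:1812 length 305
(1) User-Name = "host/pc1.example.com"
(1) NAS-Identifier = "ap-1"
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) EAP-Message = 0x02cc00060d00
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) eap: Sending EAP Success (code 3) ID 204 length 4
(1) Sent Access-Accept Id 10 from 192.0.2.10:1812 to 192.0.2.1:50000 length 191
(1) User-Name = "host/pc1.example.com"
Waking up in 3.2 seconds.
(2) Received Access-Request Id 11 from 192.0.2.2:3279 to 192.0.2.10:1812 length 219
(2) User-Name = "02-00-00-00-00-01"
(2) NAS-Identifier = "sw-1"
(2) Service-Type = Call-Check
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) [authorized_macs] = noop
(2) Sent Access-Reject Id 11 from 192.0.2.10:1812 to 192.0.2.2:3279 length 32
(3) Received Access-Request Id 12 from 192.0.2.2:3279 to 192.0.2.10:1812 length 180
(3) User-Name = "020000000002"
(3) Calling-Station-Id = "02:00:00:00:00:02"
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) Sent Access-Reject Id 12 from 192.0.2.10:1812 to 192.0.2.2:3279 length 32
'''

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')        # "(N) rest of line"
ATTR = re.compile(r'^([\w.-]+) = (.*)$')        # "Attribute = value"
SENT = re.compile(r'^Sent (Access-\w+) ')       # reply packet type
# Same shape as the rewrite_calling_station_id regex in the log above.
MAC = re.compile('^' + '[^0-9a-f]?'.join(['([0-9a-f]{2})'] * 6) + '$', re.I)

def norm_mac(value):
    """Return aa-bb-cc-dd-ee-ff, or None when value is not a 6-octet MAC."""
    m = MAC.match(value)
    return '-'.join(m.groups()).lower() if m else None

def parse_requests(text):
    """Map request number -> received attributes and the reply packet type."""
    requests = {}
    in_attrs = None                  # request whose received attributes we are reading
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                    # e.g. "Waking up in 3.2 seconds."
            in_attrs = None
            continue
        num, body = int(m.group(1)), m.group(2).strip()
        if body.startswith('Received Access-Request'):
            requests[num] = {'attrs': {}, 'result': None}
            in_attrs = num
            continue
        req = requests.get(num)
        if req is None:
            continue
        if in_attrs == num:
            a = ATTR.match(body)
            if a:
                req['attrs'].setdefault(a.group(1), a.group(2).strip('"'))
                continue
            in_attrs = None          # first non-attribute line ends the packet dump
        s = SENT.match(body)
        if s:
            req['result'] = s.group(1)
    return requests

def classify(req):
    """'eap', 'mab' (MAC-based auth) or 'other', from the received attributes only."""
    attrs = req['attrs']
    if 'EAP-Message' in attrs:
        return 'eap'
    user = norm_mac(attrs.get('User-Name', ''))
    station = norm_mac(attrs.get('Calling-Station-Id', ''))
    if attrs.get('Service-Type') == 'Call-Check' or (user and user == station):
        return 'mab'
    return 'other'

def fallback_stations(requests):
    """Stations with rejected MAC auth; 'mixed' if they also completed EAP."""
    per_station = defaultdict(Counter)
    for req in requests.values():
        station = norm_mac(req['attrs'].get('Calling-Station-Id', ''))
        if station:
            per_station[station][(classify(req), req['result'])] += 1
    flagged = []
    for station, counts in sorted(per_station.items()):
        if counts[('mab', 'Access-Reject')]:
            verdict = 'mixed' if counts[('eap', 'Access-Accept')] else 'mab-only'
            flagged.append((station, verdict))
    return flagged

if __name__ == '__main__':
    for station, verdict in fallback_stations(parse_requests(SAMPLE)):
        print(station, verdict)
```

Comparing the NAS-Identifier values of a 'mixed' station's EAP and MAC-auth requests shows whether the fallback is tied to particular access devices.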