Post-auth (ldap) update if statement works w/ radtest, doesn't work with actual authentication

Toupin, Nick ntoupin at hopedaleschools.org
Tue Feb 1 18:16:01 UTC 2022


Hi,

Fairly new to FreeRADIUS - been using Microsoft/NPS for years and now
trying to migrate to FreeRADIUS.  I'm like 99% of the way to having what we
want configured, just stuck on this last part.  Seeing as it works with
radtest but doesn't work with an actual authentication, I'm assuming
there's something missing/different in my config that's specific to the
authentication type (PAP -> ldap) that radtest doesn't hit, so the radtest
works. More below, including the debug.

*Some background info:*

   - Using Google LDAP to authenticate the radius using Google accounts

   - Built the setup using this guide/info:
   https://www.nasirhafeez.com/freeradius-with-google-g-suite-workspace-secure-ldap-for-wpa2-enterprise-wifi/

   - Added an if statement under /sites-enabled/default -> ldap ->
   update to check the user's DN in Google to grab their OU. If they match an
   OU within the statement they are given an update reply of
   'Tunnel-Private-Group-Id = "160"', with an else of
   'Tunnel-Private-Group-Id = "180"', so X OU members get VLAN 160 and
   everyone else gets VLAN 180.

   - This is all fully working with radtest:

   radtest teststaff '******' xx.xxx.xx.xxx 0 '**************'
   Sent Access-Request Id 87 from 0.0.0.0:37520 to xx.xxx.xx.xxx:1812
   length 79
           User-Name = "teststaff"
           User-Password = "******"
           NAS-IP-Address = 127.0.1.1
           NAS-Port = 0
           Message-Authenticator = 0x00
           Cleartext-Password = "******"
   Received Access-Accept Id 87 from 50.116.62.250:1812 to 10.5.0.56:37520
   length 74
           Tunnel-Private-Group-Id:0 = "160"
           Reply-Message = "Matched to Staff for V160"

   - When trying with an actual RADIUS authentication, the authentication
   goes through; however, the if statement fails, so the user gets
   Tunnel-Private-Group-Id 180 no matter what -- the FreeRADIUS debug notes
   'ERROR: Failed retrieving values required to evaluate condition'.

*Below is the debug log with two requests: the first request is from a
radtest, the second is from an actual authentication.*

FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/ldap
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/rfc7542
including configuration file /etc/freeradius/3.0/policy.d/filter
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
main {
 security {
  user = "freerad"
  group = "freerad"
  allow_core_dumps = no
 }
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
  colourise = yes
  msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
  max_attributes = 200
  reject_delay = 1.000000
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
  max_connections = 16
  max_requests = 0
  lifetime = 0
  idle_timeout = 0
  }
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm DOMAIN.org {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
  nas_type = "other"
  proto = "*"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client localhost_ipv6 {
  ipv6addr = ::1
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client mist {
  ipaddr = 10.5.0.0/22
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client mist2 {
  ipaddr = xxx.xx.xxx.xxx/32
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
Debugger not attached
systemd watchdog is disabled
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = ldap
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  default_eap_type = "ttls"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 16384
  }
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  rcode = "reject"
  simulcount = 0
  mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  rcode = "fail"
  simulcount = 0
  mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  rcode = "ok"
  simulcount = 0
  mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  rcode = "handled"
  simulcount = 0
  mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  rcode = "invalid"
  simulcount = 0
  mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  rcode = "userlock"
  simulcount = 0
  mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  rcode = "notfound"
  simulcount = 0
  mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  rcode = "noop"
  simulcount = 0
  mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  rcode = "updated"
  simulcount = 0
  mpp = no
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  filename = "/var/log/freeradius/sradutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 420
  caller_id = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  normalise = yes
  }
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  filename = "/etc/passwd"
  format = "*User-Name:Crypt-Password:"
  delimiter = ":"
  ignore_nislike = no
  ignore_empty = yes
  allow_multiple_keys = no
  hash_size = 100
  }
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  driver = "rlm_cache_rbtree"
  key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  ttl = 15
  max_entries = 0
  epoch = 0
  add_stats = no
  }
  # Loaded module rlm_ldap
  # Loading module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
  ldap {
  server = "ldaps://ldap.google.com"
  port = 636
  identity = "Inexperien"
  password = <<< secret >>>
   sasl {
   }
  user_dn = "LDAP-UserDn"
   user {
    scope = "sub"
    access_positive = yes
    sasl {
    }
   }
   group {
    filter = "(objectClass=posixGroup)"
    scope = "sub"
    name_attribute = "cn"
    membership_attribute = "memberOf"
    cacheable_name = no
    cacheable_dn = no
    allow_dangling_group_ref = no
   }
   client {
    filter = "(objectClass=radiusClient)"
    scope = "sub"
    base_dn = "dc=DOMAIN,dc=org"
   }
   profile {
   }
   options {
    ldap_debug = 40
    chase_referrals = yes
    rebind = yes
    net_timeout = 1
    res_timeout = 10
    srv_timelimit = 3
    idle = 60
    probes = 3
    interval = 3
   }
   tls {
    certificate_file = "/etc/freeradius/3.0/certs/ldap-client.crt"
    private_key_file = "/etc/freeradius/3.0/certs/ldap-client.key"
    start_tls = no
    require_cert = "allow"
   }
  }
Creating attribute LDAP-Group
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  filename = "/var/log/freeradius/linelog"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = "This is a log message for %{User-Name}"
  reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  filename = "/var/log/freeradius/linelog-accounting"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = ""
  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  filename = "/var/log/freeradius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 384
  caller_id = yes
  }
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  wait = yes
  program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  shell_escape = yes
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  minimum_timeout = 60
  }
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  format = "prefix"
  delimiter = "/"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  realm bangpath {
  format = "prefix"
  delimiter = "!"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  format = "suffix"
  delimiter = "%"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
   passchange {
   }
  allow_retry = yes
  winbind_retry_with_normalised_username = no
  }
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  dhcp = yes
  }
  instantiate {
  }
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/etc/freeradius/3.0/certs"
    pem_file_type = yes
    private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
    certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    ca_file = "/etc/ssl/certs/ca-certificates.crt"
    private_key_password = <<< secret >>>
    dh_file = "/etc/freeradius/3.0/certs/dh"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    disable_tlsv1 = yes
    disable_tlsv1_1 = yes
    tls_max_version = "1.2"
    tls_min_version = "1.2"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    skip_if_ocsp_ok = no
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "gtc"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "ldap" from file /etc/freeradius/3.0/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20449
   accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
    reference = "."
   }
rlm_ldap (ldap): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 0
    cleanup_interval = 30
    idle_timeout = 60
    retry_delay = 30
    spread = no
   }
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 36589
Listening on proxy address :: port 60490
Ready to process requests
(0) Received Access-Request Id 87 from xxx.xx.xxx.xxx:13712 to xx.xxx.xx.xxx:1812 length 79
(0)   User-Name = "teststaff"
(0)   User-Password = "******"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xe5e2619bb370086f773ea2c7b45d5edd
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (uid=teststaff)
(0) ldap: Performing search in "dc=DOMAIN,dc=org" with filter
"(uid=teststaff)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "uid=teststaff,ou=Testing,ou=Elementary
Staff,ou=Elementary School,ou=Users,dc=DOMAIN,dc=org"
(0) ldap: Processing user attributes
(0) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)     if (User-Password) {
(0)     if (User-Password)  -> TRUE
(0)     if (User-Password)  {
(0)       update control {
(0)         Auth-Type := ldap
(0)       } # update control = noop
(0)     } # if (User-Password)  = noop
(0)   } # authorize = ok
(0) Found Auth-Type = ldap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: Login attempt by "teststaff"
(0) ldap: Using user DN from request
"uid=teststaff,ou=Testing,ou=Elementary Staff,ou=Elementary
School,ou=Users,dc=DOMAIN,dc=org"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=teststaff,ou=Testing,ou=Elementary
Staff,ou=Elementary School,ou=Users,dc=DOMAIN,dc=org" was successful
rlm_ldap (ldap): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(0)     [ldap] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     if (&control:LDAP-UserDN =~ /,ou=District Staff/) ||
(&control:LDAP-UserDN =~ /,ou=High School Staff/) || (&control:LDAP-UserDN
=~ /,ou=Elementary Staff/) {
(0)     if (&control:LDAP-UserDN =~ /,ou=District Staff/) ||
(&control:LDAP-UserDN =~ /,ou=High School Staff/) || (&control:LDAP-UserDN
=~ /,ou=Elementary Staff/)  -> TRUE
(0)     if (&control:LDAP-UserDN =~ /,ou=District Staff/) ||
(&control:LDAP-UserDN =~ /,ou=High School Staff/) || (&control:LDAP-UserDN
=~ /,ou=Elementary Staff/)  {
(0)       update reply {
(0)         Tunnel-Private-Group-Id = "160"
(0)         Reply-Message += "Matched to Staff for V160"
(0)       } # update reply = noop
(0)     } # if (&control:LDAP-UserDN =~ /,ou=District Staff/) ||
(&control:LDAP-UserDN =~ /,ou=High School Staff/) || (&control:LDAP-UserDN
=~ /,ou=Elementary Staff/)  = noop
(0)     ... skipping else: Preceding "if" was taken
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 87 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:13712 length 0
(0)   Tunnel-Private-Group-Id = "160"
(0)   Reply-Message += "Matched to Staff for V160"
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 87 with timestamp +5
Ready to process requests
(1) Received Access-Request Id 143 from xxx.xx.xxx.xxx:56820 to
xx.xxx.xx.xxx:1812 length 214
(1)   User-Name = "teststaff"
(1)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "**-**-**-**-**-**"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "7BAF649AFEC3B895"
(1)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1200
(1)   EAP-Message = 0x0281000e01746573747374616666
(1)   NAS-IP-Address = 10.5.2.15
(1)   Message-Authenticator = 0xde8785c18439ff9bdd600e24beae0f1e
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 129 length 14
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 130 length 6
(1) eap: EAP session adding &reply:State = 0xa2cec59ca24cd0ba
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 143 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:56820 length 0
(1)   EAP-Message = 0x018200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xa2cec59ca24cd0baa513150d3bcdb7a0
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 144 from xxx.xx.xxx.xxx:56820 to
xx.xxx.xx.xxx:1812 length 414
(2)   User-Name = "teststaff"
(2)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "**-**-**-**-**-**"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "7BAF649AFEC3B895"
(2)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1200
(2)   EAP-Message =
0x028200c4150016030100b9010000b5030396d5174fcc89754350934dda9735ba838b7379f4e3f2581424f73be33913bcf2000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(2)   State = 0xa2cec59ca24cd0baa513150d3bcdb7a0
(2)   NAS-IP-Address = 10.5.2.15
(2)   Message-Authenticator = 0xda3090b6942a5a265b3e85efd06852a2
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 130 length 196
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xa2cec59ca24cd0ba
(2) eap: Finished EAP session with state 0xa2cec59ca24cd0ba
(2) eap: Previous EAP request found for state 0xa2cec59ca24cd0ba, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Got final TLS record fragment (190 bytes)
(2) eap_ttls: WARNING: Total received TLS record fragments (190 bytes),
does not equal indicated TLS record length (0 bytes)
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv TLS 1.3  [length 00b9]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2  [length 003d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2  [length 02e7]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2  [length 014d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(2) eap_ttls: >>> send TLS 1.2  [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 1161 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 131 length 1004
(2) eap: EAP session adding &reply:State = 0xa2cec59ca34dd0ba
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 144 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:56820 length 0
(2)   EAP-Message =
[hex payload omitted]
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xa2cec59ca34dd0baa513150d3bcdb7a0
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 145 from xxx.xx.xxx.xxx:56820 to
xx.xxx.xx.xxx:1812 length 224
(3)   User-Name = "teststaff"
(3)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "**-**-**-**-**-**"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "7BAF649AFEC3B895"
(3)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1200
(3)   EAP-Message = 0x028300061500
(3)   State = 0xa2cec59ca34dd0baa513150d3bcdb7a0
(3)   NAS-IP-Address = 10.5.2.15
(3)   Message-Authenticator = 0x23c8cb070fc40241a6a1e05c55d7fbfb
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 131 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xa2cec59ca34dd0ba
(3) eap: Finished EAP session with state 0xa2cec59ca34dd0ba
(3) eap: Previous EAP request found for state 0xa2cec59ca34dd0ba, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 132 length 177
(3) eap: EAP session adding &reply:State = 0xa2cec59ca04ad0ba
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 145 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:56820 length 0
(3)   EAP-Message =
0x018400b11580000004891f8bbc2c9dc19895d7faebe903fb3cfef01855ef61952b73795b9663c608514aeb27a650442f855c972c4888fc57a44c9986d47ff035e8cb82cb76c0749f7b8228350b23ed7877615bc202774b67d3403e293153760d6f4f9e4db4e6781ed4c929a2eebb5476048e0f97aea8866801e65b3ab1efca2ce5d325181c46a5af3fbbcd2a807960dc29ebeef5cbb94810f37325694c968184eeeff24be21f28d916030300040e000000
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xa2cec59ca04ad0baa513150d3bcdb7a0
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 146 from xxx.xx.xxx.xxx:56820 to
xx.xxx.xx.xxx:1812 length 350
(4)   User-Name = "teststaff"
(4)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "**-**-**-**-**-**"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "7BAF649AFEC3B895"
(4)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1200
(4)   EAP-Message =
0x02840084150016030300461000004241040b8b9a0554ba26166d0c8f8490c6b50c9c17c16d70c9f3cc0303489f2e52fa42be3109cab09024344987329de760580adf9cf0503a2ce8a5ccdae8fe611a1fce14030300010116030300287b67bd5957d3579d95ab3862240ffe75ddd818058143f514c573ddb7d3ad2ffbcbbf7b408810fe6a
(4)   State = 0xa2cec59ca04ad0baa513150d3bcdb7a0
(4)   NAS-IP-Address = 10.5.2.15
(4)   Message-Authenticator = 0x660d368e50d4e4f2cf55721a8aa58572
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 132 length 132
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xa2cec59ca04ad0ba
(4) eap: Finished EAP session with state 0xa2cec59ca04ad0ba
(4) eap: Previous EAP request found for state 0xa2cec59ca04ad0ba, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: [eaptls verify] = ok
(4) eap_ttls: Done initial handshake
(4) eap_ttls: TLS_accept: SSLv3/TLS write server done
(4) eap_ttls: <<< recv TLS 1.2  [length 0046]
(4) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_ttls: <<< recv TLS 1.2  [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS read finished
(4) eap_ttls: >>> send TLS 1.2  [length 0001]
(4) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_ttls: >>> send TLS 1.2  [length 0010]
(4) eap_ttls: TLS_accept: SSLv3/TLS write finished
(4) eap_ttls: (other): SSL negotiation finished successfully
(4) eap_ttls: TLS - Connection Established
(4) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_ttls: TLS-Session-Version = "TLS 1.2"
(4) eap_ttls: TLS - got 51 bytes of data
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 133 length 61
(4) eap: EAP session adding &reply:State = 0xa2cec59ca14bd0ba
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 146 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:56820 length 0
(4)   EAP-Message =
0x0185003d1580000000331403030001011603030028c4cc384ad38aff78ab0137e1d398483cdc2c8e00ca2e900f51edc241095f10468ff74fd4dfc8cc25
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xa2cec59ca14bd0baa513150d3bcdb7a0
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 147 from xxx.xx.xxx.xxx:56820 to
xx.xxx.xx.xxx:1812 length 297
(5)   User-Name = "teststaff"
(5)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "**-**-**-**-**-**"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "7BAF649AFEC3B895"
(5)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1200
(5)   EAP-Message =
0x0285004f150017030300447b67bd5957d3579e4a6ae9ab03e6525da9c897419634b4ae93549f99fdae11665d8e30100c514edbb2fbaf150bb12b27ee3a01355159a5f41a44e1b5c53133b1da251cea
(5)   State = 0xa2cec59ca14bd0baa513150d3bcdb7a0
(5)   NAS-IP-Address = 10.5.2.15
(5)   Message-Authenticator = 0xbe47116d7c5387923e6e8655f6385868
(5) Restoring &session-state
(5)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 133 length 79
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xa2cec59ca14bd0ba
(5) eap: Finished EAP session with state 0xa2cec59ca14bd0ba
(5) eap: Previous EAP request found for state 0xa2cec59ca14bd0ba, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: [eaptls process] = ok
(5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls:   User-Name = "teststaff"
(5) eap_ttls:   User-Password = "******"
(5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5)   User-Name = "teststaff"
(5)   User-Password = "******"
(5)   FreeRADIUS-Proxied-To = 127.0.0.1
(5)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:HPS-GTest"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "**-**-**-**-**-**"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "7BAF649AFEC3B895"
(5)   Acct-Multi-Session-Id = "6C93D73ED82AE35F"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1200
(5)   NAS-IP-Address = 10.5.2.15
(5)   Event-Timestamp = "Feb  1 2022 17:50:04 UTC"
(5) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(5) server inner-tunnel {
(5)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authorize {
(5)       policy filter_username {
(5)         if (&User-Name) {
(5)         if (&User-Name)  -> TRUE
(5)         if (&User-Name)  {
(5)           if (&User-Name =~ / /) {
(5)           if (&User-Name =~ / /)  -> FALSE
(5)           if (&User-Name =~ /@[^@]*@/ ) {
(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)           if (&User-Name =~ /\.\./ ) {
(5)           if (&User-Name =~ /\.\./ )  -> FALSE
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5)           if (&User-Name =~ /\.$/)  {
(5)           if (&User-Name =~ /\.$/)   -> FALSE
(5)           if (&User-Name =~ /@\./)  {
(5)           if (&User-Name =~ /@\./)   -> FALSE
(5)         } # if (&User-Name)  = notfound
(5)       } # policy filter_username = notfound
(5)       [chap] = noop
(5)       [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "teststaff", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)       [suffix] = noop
(5)       update control {
(5)         &Proxy-To-Realm := LOCAL
(5)       } # update control = noop
(5) eap: No EAP-Message, not doing EAP
(5)       [eap] = noop
(5)       [files] = noop
rlm_ldap (ldap): Reserved connection (2)
(5) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(5) ldap:    --> (uid=teststaff)
(5) ldap: Performing search in "dc=DOMAIN,dc=org" with filter
"(uid=teststaff)", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: User object found at DN "uid=teststaff,ou=Testing,ou=Elementary
Staff,ou=Elementary School,ou=Users,dc=DOMAIN,dc=org"
(5) ldap: Processing user attributes
(5) ldap: WARNING: No "known good" password added. Ensure the admin user
has permission to read the password attribute
(5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory
(if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(5)       [ldap] = ok
(5)       [expiration] = noop
(5)       [logintime] = noop
(5)       [pap] = noop
(5)       if (User-Password) {
(5)       if (User-Password)  -> TRUE
(5)       if (User-Password)  {
(5)         update control {
(5)           Auth-Type := ldap
(5)         } # update control = noop
(5)       } # if (User-Password)  = noop
(5)     } # authorize = ok
(5)   Found Auth-Type = ldap
(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authenticate {
rlm_ldap (ldap): Reserved connection (3)
(5) ldap: Login attempt by "teststaff"
(5) ldap: Using user DN from request
"uid=teststaff,ou=Testing,ou=Elementary Staff,ou=Elementary
School,ou=Users,dc=DOMAIN,dc=org"
(5) ldap: Waiting for bind result...
(5) ldap: Bind successful
(5) ldap: Bind as user "uid=teststaff,ou=Testing,ou=Elementary
Staff,ou=Elementary School,ou=Users,dc=DOMAIN,dc=org" was successful
rlm_ldap (ldap): Released connection (3)
Need 2 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (8), 1 of 24 pending slots
used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed.
rlm_ldap (ldap): Bind successful
(5)       [ldap] = ok
(5)     } # authenticate = ok
(5)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     post-auth {
(5)       if (1) {
(5)       if (1)  -> TRUE
(5)       if (1)  {
(5)         update reply {
(5)           User-Name !* ANY
(5)           Message-Authenticator !* ANY
(5)           EAP-Message !* ANY
(5)           Proxy-State !* ANY
(5)           MS-MPPE-Encryption-Types !* ANY
(5)           MS-MPPE-Encryption-Policy !* ANY
(5)           MS-MPPE-Send-Key !* ANY
(5)           MS-MPPE-Recv-Key !* ANY
(5)         } # update reply = noop
(5)         update {
(5)           No attributes updated for RHS &reply:
(5)           No attributes updated for RHS Tunnel-Private-Group-Id[*]
(5)         } # update = noop
(5)       } # if (1)  = noop
(5)     } # post-auth = noop
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) eap_ttls: Got tunneled Access-Accept
(5) eap: Sending EAP Success (code 3) ID 133 length 4
(5) eap: Freeing handler
(5)     [eap] = ok
(5)   } # authenticate = ok
(5) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(5)   post-auth {
(5)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(5)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE
(5)     update {
(5)       &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(5)       &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(5)     } # update = noop
(5)     if (&control:LDAP-UserDN =~ /,ou=District Staff/) ||
(&control:LDAP-UserDN =~ /,ou=High School Staff/) || (&control:LDAP-UserDN
=~ /,ou=Elementary Staff/) {
(5)     ERROR: Failed retrieving values required to evaluate condition
(5)     else {
(5)       update reply {
(5)         Tunnel-Private-Group-Id = "180"
(5)       } # update reply = noop
(5)     } # else = noop
(5)     [exec] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # post-auth = noop
(5) Sent Access-Accept Id 147 from xx.xxx.xx.xxx:1812 to
xxx.xx.xxx.xxx:56820 length 0
(5)   MS-MPPE-Recv-Key =
0xa107a762471fee4871d11ab936184c5cb8a0af457be8f91698ada4e266007a0d
(5)   MS-MPPE-Send-Key =
0xbfc140a4da9bf14e67cebb2db4d1bd9115b9b2f6831acec281f610a0636c8f33
(5)   EAP-Message = 0x03850004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   User-Name = "teststaff"
(5)   Tunnel-Private-Group-Id = "180"
(5) Finished request
Waking up in 1.6 seconds.
(1) Cleaning up request packet ID 143 with timestamp +23
(2) Cleaning up request packet ID 144 with timestamp +23
(3) Cleaning up request packet ID 145 with timestamp +23
(4) Cleaning up request packet ID 146 with timestamp +23
Waking up in 3.1 seconds.
(5) Cleaning up request packet ID 147 with timestamp +23
Ready to process requests

--
Nicholas Toupin
Technology Director
Hopedale Public Schools
Phone: 508-488-5510
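The debug above shows why the two cases differ: for the EAP-TTLS/PAP session the ldap module runs inside the inner-tunnel virtual server (request 5, "server inner-tunnel"), so `&control:LDAP-UserDN` is set on the inner request, while the `if` in the outer `post-auth` of sites-enabled/default finds no such attribute ("Failed retrieving values required to evaluate condition") and drops into the `else`. The radtest request never enters the inner tunnel, so there the same check in the outer server works. The following is an added example, not the poster's configuration and not FreeRADIUS's stock inner-tunnel file: it evaluates the DN in the inner-tunnel `post-auth`, where the attribute exists, and writes the result to the outer reply via the `&outer.reply:` list. It assumes the three ORed regexes can be collapsed into one alternation, and the `Tunnel-Type`/`Tunnel-Medium-Type` pair is an addition that is not in the original post. The `Reply-Message` from the original is left out because the `remove_reply_message_if_eap` policy visible in the log strips it from EAP replies anyway.

```unlang
#  Added example for sites-enabled/inner-tunnel (not the poster's config,
#  and not FreeRADIUS's stock file).
#
#  For the EAP-TTLS/PAP session the ldap module runs inside the
#  inner-tunnel virtual server, so &control:LDAP-UserDN is set on the
#  *inner* request.  The outer post-auth in sites-enabled/default has
#  no such attribute, hence "Failed retrieving values required to
#  evaluate condition" and the fall-through to VLAN 180.  Evaluating
#  the DN here, where the attribute exists, and writing the result to
#  the outer reply fixes the EAP case.
post-auth {
	#  keep the stock post-auth content of inner-tunnel above this point

	#  One regex with alternation instead of three ORed conditions; the
	#  trailing comma anchors the OU name so "Elementary Staff" cannot
	#  match a longer OU that merely starts with the same words.
	if (&control:LDAP-UserDN =~ /,ou=(District|High School|Elementary) Staff,/) {
		update {
			&outer.reply:Tunnel-Private-Group-Id := "160"
		}
	}
	else {
		update {
			&outer.reply:Tunnel-Private-Group-Id := "180"
		}
	}

	#  Assumed addition (not in the original post): most NAS/AP vendors
	#  only honour the VLAN when these two RFC 3580 attributes accompany it.
	update {
		&outer.reply:Tunnel-Type := VLAN
		&outer.reply:Tunnel-Medium-Type := IEEE-802
	}
}
```

The existing check in the outer `post-auth` of sites-enabled/default can stay for plain PAP requests such as radtest, which never pass through the inner tunnel. An alternative to writing `&outer.reply:` directly is to set `&reply:Tunnel-Private-Group-Id` in the inner-tunnel `post-auth` before the copy block shown in the log (the one reporting "No attributes updated for RHS &reply:"), so the stock copy into `&outer.session-state:` carries it out to the outer reply the same way the TLS-Session attributes travel in request 5; either way, check with `radiusd -X` that the Access-Accept for the EAP session now carries the expected `Tunnel-Private-Group-Id`.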
