FR 3.0 doesn't return Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id in Access-Accept
Alex Zetaeffesse
fzetafs at gmail.com
Thu Jan 6 01:07:51 CET 2022
Hi,
I configured a user as follows in /etc/freeradius/3.0/users
# PEAP Cisco
cisco@realm.local Cleartext-password := realm123
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "VLAN103"
I see FR sends such attributes in the second Access-Challenge but not in
the Access-Accept.
Therefore our 9800 puts the client in the default VLAN.
Most probably it's a FR misconfiguration but I wouldn't know why and where
in the config to fix it.
I have attached the debugs from freeradius -X and the captures.
Hope somebody can point me in the right direction.
Alex
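
One way to check a `freeradius -X` capture for the symptom described above: which sent packets carried the three Tunnel attributes, and in which request the users file matched. This is an added example, not part of the original post or of FreeRADIUS; the sample log is constructed in the format of the attached debug, with a placeholder user name and documentation-range addresses.

```python
import re

# The three reply attributes the post expects in the Access-Accept.
WANTED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")            # "(N) rest of line"
SENT = re.compile(r"^Sent (Access-[A-Za-z]+) Id \d+")
ATTR = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")      # "Name = value"

# Constructed sample, shaped like `freeradius -X` output (not the real capture).
SAMPLE_LOG = """\
(1) Received Access-Request Id 29 from 192.0.2.10:59581 to 192.0.2.20:1812 length 412
(1)   User-Name = "user@example.test"
(1)     [eap] = updated
(1) files: users: Matched entry user@example.test at line 113
(1)     [files] = ok
(1) Sent Access-Challenge Id 29 from 192.0.2.20:1812 to 192.0.2.10:59581 length 0
(1)   Tunnel-Type = VLAN
(1)   Tunnel-Medium-Type = IEEE-802
(1)   Tunnel-Private-Group-Id = "VLAN103"
(1)   EAP-Message = 0x010300061920
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 30 from 192.0.2.10:59581 to 192.0.2.20:1812 length 577
(2)     [eap] = ok
(2) Sent Access-Challenge Id 30 from 192.0.2.20:1812 to 192.0.2.10:59581 length 0
(2)   EAP-Message = 0x0104
(2) Finished request
(3) Received Access-Request Id 31 from 192.0.2.10:59581 to 192.0.2.20:1812 length 411
(3)     [eap] = ok
(3) Sent Access-Accept Id 31 from 192.0.2.20:1812 to 192.0.2.10:59581 length 0
(3)   User-Name = "user@example.test"
(3)   EAP-Message = 0x03090004
(3) Finished request
"""


def parse_debug(text):
    """Return one record per request number: the packet type sent, the
    attributes listed under the 'Sent ...' line, and whether the files
    module matched a users entry while handling that request."""
    requests = {}
    in_reply = None  # request number whose reply attributes are being listed
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "Waking up in 4.9 seconds."
        num, body = int(m.group(1)), m.group(2).strip()
        req = requests.setdefault(
            num, {"request": num, "sent": None, "reply": {}, "files_matched": False}
        )
        sent = SENT.match(body)
        if sent:
            req["sent"] = sent.group(1)
            in_reply = num
            continue
        if body == "Finished request":
            in_reply = None
            continue
        if body.startswith("files: users: Matched entry"):
            req["files_matched"] = True
        if in_reply == num:
            attr = ATTR.match(body)
            if attr:
                # A repeated attribute keeps its last value; enough for this check.
                req["reply"][attr.group(1)] = attr.group(2).strip('"')
    return [requests[k] for k in sorted(requests)]


def diagnose(text):
    """Compare the WANTED attributes across Access-Challenge and Access-Accept."""
    reqs = parse_debug(text)
    accept = next((r for r in reqs if r["sent"] == "Access-Accept"), None)
    seen_in_challenge = {}
    for r in reqs:
        if r["sent"] == "Access-Challenge":
            for name in WANTED:
                if name in r["reply"]:
                    seen_in_challenge.setdefault(name, []).append(r["request"])
    # With no Access-Accept in the log (reject, or truncated capture) there is
    # nothing to compare against, so the missing list stays empty.
    missing = [] if accept is None else [n for n in WANTED if n not in accept["reply"]]
    return {
        "accept_request": None if accept is None else accept["request"],
        "missing_in_accept": missing,
        "seen_in_challenge": seen_in_challenge,
        "files_matched_in": [r["request"] for r in reqs if r["files_matched"]],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```
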
-------------- next part --------------
(0) Received Access-Request Id 28 from 192.168.40.112:59581 to 192.168.40.217:1812 length 409
(0) User-Name = "cisco at realm.local"
(0) Service-Type = Framed-User
(0) Cisco-AVPair = "service-type=Framed"
(0) Framed-MTU = 1485
(0) EAP-Message = 0x0201001601636973636f407265616c6d2e6c6f63616c
(0) Message-Authenticator = 0xcc70a7abf0a5eb8d0511f556bf18caa2
(0) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(0) Cisco-AVPair = "method=dot1x"
(0) Cisco-AVPair = "client-iif-id=2147484066"
(0) Cisco-AVPair = "vlan-id=4089"
(0) NAS-IP-Address = 192.168.40.112
(0) NAS-Port-Id = "capwap_90000005"
(0) NAS-Port-Type = Wireless-802.11
(0) NAS-Port = 409013
(0) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(0) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(0) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(0) Calling-Station-Id = "f4-8c-50-14-43-f3"
(0) Airespace-Wlan-Id = 2
(0) NAS-Identifier = "C9800-CL_2"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(0) suffix: No such realm "realm.local"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 22
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 2 length 22
(0) eap: EAP session adding &reply:State = 0x69ffbb4569fdbffe
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 28 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(0) EAP-Message = 0x01020016041081877306f68bb7522349a4493f9f3022
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x69ffbb4569fdbffe6a7d2cd7e6f69276
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 29 from 192.168.40.112:59581 to 192.168.40.217:1812 length 412
(1) User-Name = "cisco at realm.local"
(1) Service-Type = Framed-User
(1) Cisco-AVPair = "service-type=Framed"
(1) Framed-MTU = 1485
(1) EAP-Message = 0x02020007031915
(1) Message-Authenticator = 0xf614ce4452fd4eca69cd71d4c0d90889
(1) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(1) Cisco-AVPair = "method=dot1x"
(1) Cisco-AVPair = "client-iif-id=2147484066"
(1) Cisco-AVPair = "vlan-id=4089"
(1) NAS-IP-Address = 192.168.40.112
(1) NAS-Port-Id = "capwap_90000005"
(1) NAS-Port-Type = Wireless-802.11
(1) NAS-Port = 409013
(1) State = 0x69ffbb4569fdbffe6a7d2cd7e6f69276
(1) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(1) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(1) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(1) Calling-Station-Id = "f4-8c-50-14-43-f3"
(1) Airespace-Wlan-Id = 2
(1) NAS-Identifier = "C9800-CL_2"
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(1) suffix: No such realm "realm.local"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 7
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: users: Matched entry cisco at realm.local at line 113
(1) [files] = ok
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x69ffbb4569fdbffe
(1) eap: Finished EAP session with state 0x69ffbb4569fdbffe
(1) eap: Previous EAP request found for state 0x69ffbb4569fdbffe, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 3 length 6
(1) eap: EAP session adding &reply:State = 0x69ffbb4568fca2fe
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 29 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(1) Tunnel-Type = VLAN
(1) Tunnel-Medium-Type = IEEE-802
(1) Tunnel-Private-Group-Id = "VLAN103"
(1) EAP-Message = 0x010300061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x69ffbb4568fca2fe6a7d2cd7e6f69276
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 30 from 192.168.40.112:59581 to 192.168.40.217:1812 length 577
(2) User-Name = "cisco at realm.local"
(2) Service-Type = Framed-User
(2) Cisco-AVPair = "service-type=Framed"
(2) Framed-MTU = 1485
(2) EAP-Message = 0x020300ac1980000000a2160303009d01000099030361d6319cd2cbd0fb1b162e7bb3434ae396474b0eb88aa6dfee95caa3e971887700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) Message-Authenticator = 0x3238a7c4ad698e860b0c56246a9807aa
(2) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(2) Cisco-AVPair = "method=dot1x"
(2) Cisco-AVPair = "client-iif-id=2147484066"
(2) Cisco-AVPair = "vlan-id=4089"
(2) NAS-IP-Address = 192.168.40.112
(2) NAS-Port-Id = "capwap_90000005"
(2) NAS-Port-Type = Wireless-802.11
(2) NAS-Port = 409013
(2) State = 0x69ffbb4568fca2fe6a7d2cd7e6f69276
(2) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(2) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(2) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(2) Calling-Station-Id = "f4-8c-50-14-43-f3"
(2) Airespace-Wlan-Id = 2
(2) NAS-Identifier = "C9800-CL_2"
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(2) suffix: No such realm "realm.local"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 172
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x69ffbb4568fca2fe
(2) eap: Finished EAP session with state 0x69ffbb4568fca2fe
(2) eap: Previous EAP request found for state 0x69ffbb4568fca2fe, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(2) eap_peap: Got complete TLS record (162 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 009d]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0308]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 1194 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 1004
(2) eap: EAP session adding &reply:State = 0x69ffbb456bfba2fe
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 30 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(2) EAP-Message = 0x010403ec19c0000004aa160303003d02000039030321207bb2e39cd4378c087247ab50871fdcff79dfe9efd7580df804f303b510a700c030000011ff01000100000b0004030001020017000016030303080b0003040003010002fe308202fa308201e2a003020102021473c7be2a43a7509dd38de3529948c80bf138ba5e300d06092a864886f70d01010b0500301f311d301b06035504030c14667265657261646975732e6269632e6c6f63616c301e170d3231313232373137313530355a170d3331313232353137313530355a301f311d301b06035504030c14667265657261646975732e6269632e6c6f63616c30820122300d06092a864886f70d01010105000382010f003082010a0282010100b91dc1a90ae651b793b264d42939b5572f31a0d76ae41541e6c7c91f7daf7779a67a6d01fb259d5731b97f692cd899411897be0bac23640cd749abe27a6a84ac2bfc536693628e68c14e44362d0ec2e6090a694430a1cfad6ef9869943661efd98aac123013767
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x69ffbb456bfba2fe6a7d2cd7e6f69276
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 31 from 192.168.40.112:59581 to 192.168.40.217:1812 length 411
(3) User-Name = "cisco at realm.local"
(3) Service-Type = Framed-User
(3) Cisco-AVPair = "service-type=Framed"
(3) Framed-MTU = 1485
(3) EAP-Message = 0x020400061900
(3) Message-Authenticator = 0x7542cbb7475ae9af882d8f0469e5118e
(3) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(3) Cisco-AVPair = "method=dot1x"
(3) Cisco-AVPair = "client-iif-id=2147484066"
(3) Cisco-AVPair = "vlan-id=4089"
(3) NAS-IP-Address = 192.168.40.112
(3) NAS-Port-Id = "capwap_90000005"
(3) NAS-Port-Type = Wireless-802.11
(3) NAS-Port = 409013
(3) State = 0x69ffbb456bfba2fe6a7d2cd7e6f69276
(3) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(3) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(3) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(3) Calling-Station-Id = "f4-8c-50-14-43-f3"
(3) Airespace-Wlan-Id = 2
(3) NAS-Identifier = "C9800-CL_2"
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(3) suffix: No such realm "realm.local"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x69ffbb456bfba2fe
(3) eap: Finished EAP session with state 0x69ffbb456bfba2fe
(3) eap: Previous EAP request found for state 0x69ffbb456bfba2fe, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 5 length 206
(3) eap: EAP session adding &reply:State = 0x69ffbb456afaa2fe
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 31 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(3) EAP-Message = 0x010500ce1900cc97474b5f44416c31aec0609d7470c6bee3fdb9a425b6012fb8042d8db76a897823db26ea4e22d82eb773338c61622423e2040653564c5ba6fbb299da3620f1c68f98e6667b3233c7c8b64ddf93175a5b143df7c40cd11cf59310deee3c32ce955b63115c59927e7a85d3baf4ee06a394c03b070cf693e964554d50254b5b11d2612dbe1fc360b083b2296fed5f8a92a38044a6f3b288f84446e5ca707c0316ee50dc12fda4fe84d716516ba9905abcf6578f2c8d2d5033006b1adb6ca87b16030300040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x69ffbb456afaa2fe6a7d2cd7e6f69276
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 32 from 192.168.40.112:59581 to 192.168.40.217:1812 length 541
(4) User-Name = "cisco at realm.local"
(4) Service-Type = Framed-User
(4) Cisco-AVPair = "service-type=Framed"
(4) Framed-MTU = 1485
(4) EAP-Message = 0x0205008819800000007e1603030046100000424104baa7118f396441cf2fd189d2821dd644720ccf07ceddec566c64fada826c68a55677b1e8dab7714949ea56132d2bf2fa931b3ae44bb2aeee068e8f12e61c645a140303000101160303002800000000000000007b9f0a23e6702883dc76902e7de25bf7e26680c71ec99cc066550bc69e5f8b1e
(4) Message-Authenticator = 0x81efab1ca41ca8f01b5c840b28ed7cab
(4) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(4) Cisco-AVPair = "method=dot1x"
(4) Cisco-AVPair = "client-iif-id=2147484066"
(4) Cisco-AVPair = "vlan-id=4089"
(4) NAS-IP-Address = 192.168.40.112
(4) NAS-Port-Id = "capwap_90000005"
(4) NAS-Port-Type = Wireless-802.11
(4) NAS-Port = 409013
(4) State = 0x69ffbb456afaa2fe6a7d2cd7e6f69276
(4) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(4) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(4) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(4) Calling-Station-Id = "f4-8c-50-14-43-f3"
(4) Airespace-Wlan-Id = 2
(4) NAS-Identifier = "C9800-CL_2"
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(4) suffix: No such realm "realm.local"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 136
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x69ffbb456afaa2fe
(4) eap: Finished EAP session with state 0x69ffbb456afaa2fe
(4) eap: Previous EAP request found for state 0x69ffbb456afaa2fe, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2 [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2 [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2 [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: TLS - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap_peap: TLS - got 51 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 6 length 57
(4) eap: EAP session adding &reply:State = 0x69ffbb456df9a2fe
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 32 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(4) EAP-Message = 0x0106003919001403030001011603030028afde6b0c8f2caa24d0a417e99eced6fc11bafc57f2fd97ea7d8d0f4ef1bfb511e48557b2262946b7
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x69ffbb456df9a2fe6a7d2cd7e6f69276
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 33 from 192.168.40.112:59581 to 192.168.40.217:1812 length 411
(5) User-Name = "cisco at realm.local"
(5) Service-Type = Framed-User
(5) Cisco-AVPair = "service-type=Framed"
(5) Framed-MTU = 1485
(5) EAP-Message = 0x020600061900
(5) Message-Authenticator = 0x7aafcbb2e81e6d34220a9f23af4ea990
(5) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(5) Cisco-AVPair = "method=dot1x"
(5) Cisco-AVPair = "client-iif-id=2147484066"
(5) Cisco-AVPair = "vlan-id=4089"
(5) NAS-IP-Address = 192.168.40.112
(5) NAS-Port-Id = "capwap_90000005"
(5) NAS-Port-Type = Wireless-802.11
(5) NAS-Port = 409013
(5) State = 0x69ffbb456df9a2fe6a7d2cd7e6f69276
(5) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(5) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(5) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(5) Calling-Station-Id = "f4-8c-50-14-43-f3"
(5) Airespace-Wlan-Id = 2
(5) NAS-Identifier = "C9800-CL_2"
(5) Restoring &session-state
(5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(5) suffix: No such realm "realm.local"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x69ffbb456df9a2fe
(5) eap: Finished EAP session with state 0x69ffbb456df9a2fe
(5) eap: Previous EAP request found for state 0x69ffbb456df9a2fe, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 7 length 40
(5) eap: EAP session adding &reply:State = 0x69ffbb456cf8a2fe
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 33 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(5) EAP-Message = 0x010700281900170303001dafde6b0c8f2caa25b31aa81dee7af33454e8c969291254df27326d219e
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x69ffbb456cf8a2fe6a7d2cd7e6f69276
(5) Finished request
Waking up in 3.2 seconds.
(6) Received Access-Request Id 34 from 192.168.40.112:59581 to 192.168.40.217:1812 length 458
(6) User-Name = "cisco at realm.local"
(6) Service-Type = Framed-User
(6) Cisco-AVPair = "service-type=Framed"
(6) Framed-MTU = 1485
(6) EAP-Message = 0x020700351900170303002a0000000000000001d5eb87810d5de75a8cdc8d7735c14c41c3db899d4526c73e9849fe8de64100985096
(6) Message-Authenticator = 0x35ba063270477c7b69cb19b6b7ce04f5
(6) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(6) Cisco-AVPair = "method=dot1x"
(6) Cisco-AVPair = "client-iif-id=2147484066"
(6) Cisco-AVPair = "vlan-id=4089"
(6) NAS-IP-Address = 192.168.40.112
(6) NAS-Port-Id = "capwap_90000005"
(6) NAS-Port-Type = Wireless-802.11
(6) NAS-Port = 409013
(6) State = 0x69ffbb456cf8a2fe6a7d2cd7e6f69276
(6) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(6) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(6) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(6) Calling-Station-Id = "f4-8c-50-14-43-f3"
(6) Airespace-Wlan-Id = 2
(6) NAS-Identifier = "C9800-CL_2"
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(6) suffix: No such realm "realm.local"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 53
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x69ffbb456cf8a2fe
(6) eap: Finished EAP session with state 0x69ffbb456cf8a2fe
(6) eap: Previous EAP request found for state 0x69ffbb456cf8a2fe, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - cisco at realm.local
(6) eap_peap: Got inner identity 'cisco at realm.local'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c
(6) eap_peap: Setting User-Name to cisco at realm.local
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "cisco at realm.local"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x0207001601636973636f407265616c6d2e6c6f63616c
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "cisco at realm.local"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(6) suffix: No such realm "realm.local"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 7 length 22
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 43
(6) eap: EAP session adding &reply:State = 0x85f7067f85ff1c9f
(6) [eap] = handled
(6) } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x85f7067f85ff1c9f83906193b9684ff0
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x0108002b1a010800261090ccac236dcc33d4e7fd0ed1223b5434667265657261646975732d332e302e3231
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 8 length 74
(6) eap: EAP session adding &reply:State = 0x69ffbb456ff7a2fe
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 34 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(6) EAP-Message = 0x0108004a1900170303003fafde6b0c8f2caa2694671da306b47fcca4d3df193d0c0b04172584b6bbef777d0069b213ca83bf1dfc92f8fd3a7a96b15903047c9399d2117570338e5fa81e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x69ffbb456ff7a2fe6a7d2cd7e6f69276
(6) Finished request
Waking up in 3.2 seconds.
(7) Received Access-Request Id 35 from 192.168.40.112:59581 to 192.168.40.217:1812 length 512
(7) User-Name = "cisco at realm.local"
(7) Service-Type = Framed-User
(7) Cisco-AVPair = "service-type=Framed"
(7) Framed-MTU = 1485
(7) EAP-Message = 0x0208006b190017030300600000000000000002e120170fae9375cf077730954790feff797cf77a365ff964d6d10323a90cd4407a7193009e8854e2f66b412046286e4a9d7dc2fc05c044a0ff31bda8258428c501426118674825d6851d3fc7ab3d3c5ec8568f2565dfca18
(7) Message-Authenticator = 0xf405c5841dfd48b1b8501c01496b7c08
(7) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(7) Cisco-AVPair = "method=dot1x"
(7) Cisco-AVPair = "client-iif-id=2147484066"
(7) Cisco-AVPair = "vlan-id=4089"
(7) NAS-IP-Address = 192.168.40.112
(7) NAS-Port-Id = "capwap_90000005"
(7) NAS-Port-Type = Wireless-802.11
(7) NAS-Port = 409013
(7) State = 0x69ffbb456ff7a2fe6a7d2cd7e6f69276
(7) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(7) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(7) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(7) Calling-Station-Id = "f4-8c-50-14-43-f3"
(7) Airespace-Wlan-Id = 2
(7) NAS-Identifier = "C9800-CL_2"
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(7) suffix: No such realm "realm.local"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 107
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x85f7067f85ff1c9f
(7) eap: Finished EAP session with state 0x69ffbb456ff7a2fe
(7) eap: Previous EAP request found for state 0x69ffbb456ff7a2fe, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c
(7) eap_peap: Setting User-Name to cisco at realm.local
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "cisco at realm.local"
(7) eap_peap: State = 0x85f7067f85ff1c9f83906193b9684ff0
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x0208004c1a0208004731639eca51b08fef2d6a1df9f8b138b4e600000000000000002c5effbee3a7947602c0494950e86559f2b7acacb8e9cbc000636973636f407265616c6d2e6c6f63616c
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "cisco at realm.local"
(7) State = 0x85f7067f85ff1c9f83906193b9684ff0
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(7) suffix: No such realm "realm.local"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 8 length 76
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files: users: Matched entry cisco at realm.local at line 113
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Expiring EAP session with state 0x85f7067f85ff1c9f
(7) eap: Finished EAP session with state 0x85f7067f85ff1c9f
(7) eap: Previous EAP request found for state 0x85f7067f85ff1c9f, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Creating challenge hash with username: cisco at realm.local
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) eap_mschapv2: [mschap] = ok
(7) eap_mschapv2: } # authenticate = ok
(7) eap_mschapv2: MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 9 length 51
(7) eap: EAP session adding &reply:State = 0x85f7067f84fe1c9f
(7) [eap] = handled
(7) } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Tunnel-Type = VLAN
(7) Tunnel-Medium-Type = IEEE-802
(7) Tunnel-Private-Group-Id = "VLAN103"
(7) EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x85f7067f84fe1c9f83906193b9684ff0
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: Tunnel-Type = VLAN
(7) eap_peap: Tunnel-Medium-Type = IEEE-802
(7) eap_peap: Tunnel-Private-Group-Id = "VLAN103"
(7) eap_peap: EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: Tunnel-Type = VLAN
(7) eap_peap: Tunnel-Medium-Type = IEEE-802
(7) eap_peap: Tunnel-Private-Group-Id = "VLAN103"
(7) eap_peap: EAP-Message = 0x010900331a0308002e533d31303933434134323646324432314546344139314444343038464537434543464233324131383437
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 9 length 82
(7) eap: EAP session adding &reply:State = 0x69ffbb456ef6a2fe
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 35 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(7) EAP-Message = 0x0109005219001703030047afde6b0c8f2caa2789ce40eca88fca198bffc01cf49578ffa9f006b7e491bdb7cef543f68885555e175969f74514c25b408fe2e59bc8928abad11ad2c107a40aacd1e8b7c9d581
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x69ffbb456ef6a2fe6a7d2cd7e6f69276
(7) Finished request
Waking up in 3.2 seconds.
(8) Received Access-Request Id 36 from 192.168.40.112:59581 to 192.168.40.217:1812 length 442
(8) User-Name = "cisco at realm.local"
(8) Service-Type = Framed-User
(8) Cisco-AVPair = "service-type=Framed"
(8) Framed-MTU = 1485
(8) EAP-Message = 0x020900251900170303001a0000000000000003529f0b568ec5b5429114dd6165b63ae1dd21
(8) Message-Authenticator = 0x241237b53db4eb481286a4e80d68ee08
(8) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(8) Cisco-AVPair = "method=dot1x"
(8) Cisco-AVPair = "client-iif-id=2147484066"
(8) Cisco-AVPair = "vlan-id=4089"
(8) NAS-IP-Address = 192.168.40.112
(8) NAS-Port-Id = "capwap_90000005"
(8) NAS-Port-Type = Wireless-802.11
(8) NAS-Port = 409013
(8) State = 0x69ffbb456ef6a2fe6a7d2cd7e6f69276
(8) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(8) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(8) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(8) Calling-Station-Id = "f4-8c-50-14-43-f3"
(8) Airespace-Wlan-Id = 2
(8) NAS-Identifier = "C9800-CL_2"
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(8) suffix: No such realm "realm.local"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x85f7067f84fe1c9f
(8) eap: Finished EAP session with state 0x69ffbb456ef6a2fe
(8) eap: Previous EAP request found for state 0x69ffbb456ef6a2fe, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x020900061a03
(8) eap_peap: Setting User-Name to cisco at realm.local
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x020900061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "cisco at realm.local"
(8) eap_peap: State = 0x85f7067f84fe1c9f83906193b9684ff0
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020900061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "cisco at realm.local"
(8) State = 0x85f7067f84fe1c9f83906193b9684ff0
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(8) suffix: No such realm "realm.local"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 9 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry cisco at realm.local at line 113
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x85f7067f84fe1c9f
(8) eap: Finished EAP session with state 0x85f7067f84fe1c9f
(8) eap: Previous EAP request found for state 0x85f7067f84fe1c9f, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 9 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "VLAN103"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de
(8) MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e
(8) EAP-Message = 0x03090004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "cisco at realm.local"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "VLAN103"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de
(8) eap_peap: MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "cisco at realm.local"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "VLAN103"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x48f68d9a78552a273c9cdeaa9eb452de
(8) eap_peap: MS-MPPE-Recv-Key = 0x0ce82b533532b2d6fd9f78f8241c691e
(8) eap_peap: EAP-Message = 0x03090004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "cisco at realm.local"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 10 length 46
(8) eap: EAP session adding &reply:State = 0x69ffbb4561f5a2fe
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 36 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(8) EAP-Message = 0x010a002e19001703030023afde6b0c8f2caa28669cacf54a63b5ca6a2a0dcb3d1cd13cc4b3a24722d4f405ef8b1d
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x69ffbb4561f5a2fe6a7d2cd7e6f69276
(8) Finished request
Waking up in 3.1 seconds.
(9) Received Access-Request Id 37 from 192.168.40.112:59581 to 192.168.40.217:1812 length 451
(9) User-Name = "cisco at realm.local"
(9) Service-Type = Framed-User
(9) Cisco-AVPair = "service-type=Framed"
(9) Framed-MTU = 1485
(9) EAP-Message = 0x020a002e19001703030023000000000000000457f6f94d1249e6b3256fd60896a545650ae2cf1c51f0acb8bc3e4b
(9) Message-Authenticator = 0x05539f420ac52f583d7fb5d96e223bbe
(9) Cisco-AVPair = "audit-session-id=000000000000000B2CAE6EE5"
(9) Cisco-AVPair = "method=dot1x"
(9) Cisco-AVPair = "client-iif-id=2147484066"
(9) Cisco-AVPair = "vlan-id=4089"
(9) NAS-IP-Address = 192.168.40.112
(9) NAS-Port-Id = "capwap_90000005"
(9) NAS-Port-Type = Wireless-802.11
(9) NAS-Port = 409013
(9) State = 0x69ffbb4561f5a2fe6a7d2cd7e6f69276
(9) Cisco-AVPair = "cisco-wlan-ssid=BIC-ID"
(9) Cisco-AVPair = "wlan-profile-name=BIC-ID"
(9) Called-Station-Id = "a8-9d-21-89-df-d0:BIC-ID"
(9) Calling-Station-Id = "f4-8c-50-14-43-f3"
(9) Airespace-Wlan-Id = 2
(9) NAS-Identifier = "C9800-CL_2"
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: Looking up realm "realm.local" for User-Name = "cisco at realm.local"
(9) suffix: No such realm "realm.local"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 10 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x69ffbb4561f5a2fe
(9) eap: Finished EAP session with state 0x69ffbb4561f5a2fe
(9) eap: Previous EAP request found for state 0x69ffbb4561f5a2fe, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 10 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(9) post-auth {
(9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(9) update {
(9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 37 from 192.168.40.217:1812 to 192.168.40.112:59581 length 0
(9) MS-MPPE-Recv-Key = 0x409edb6b2e8a373530fd9dc88f1b98579e3422813735a69438935c6fe27507e1
(9) MS-MPPE-Send-Key = 0xc473c971393fbd08f4f2d3aa1af2adfc4db0f7d201d77115fdeae876c3a35b88
(9) EAP-Message = 0x030a0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "cisco at realm.local"
(9) Finished request
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 28 with timestamp +6
(1) Cleaning up request packet ID 29 with timestamp +6
(2) Cleaning up request packet ID 30 with timestamp +6
(3) Cleaning up request packet ID 31 with timestamp +6
(4) Cleaning up request packet ID 32 with timestamp +6
Waking up in 1.7 seconds.
(5) Cleaning up request packet ID 33 with timestamp +8
(6) Cleaning up request packet ID 34 with timestamp +8
(7) Cleaning up request packet ID 35 with timestamp +8
(8) Cleaning up request packet ID 36 with timestamp +8
(9) Cleaning up request packet ID 37 with timestamp +8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fr06_2.pcap
Type: application/octet-stream
Size: 8073 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20220106/d27d5dcb/attachment-0001.obj>
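
The debug output above shows Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id in the inner-tunnel reply of request (8) and none of them in the Access-Accept of request (9); the added example below (not part of the original post, and not FreeRADIUS code) finds that mismatch mechanically in `-X`-style output. The function name, the embedded sample lines and the set of attributes treated as tunnel-internal are assumptions made for illustration, and the parser expects a capture of a single EAP session.

```python
import re

# "(N) Attr-Name = value": an attribute line in radiusd -X output. Module
# lines such as "(8) eap_peap: Tunnel-Type = VLAN" deliberately do not match.
ATTR = re.compile(r"^\(\d+\)\s+([A-Za-z][A-Za-z0-9-]*) = (.*)$")
INNER_REPLY = re.compile(r"^\(\d+\)\s+Virtual server sending reply")
ACCEPT = re.compile(r"^\(\d+\)\s+Sent Access-Accept Id (\d+)")

# Assumption for this example: these belong to the inner EAP conversation and
# are not expected to be copied verbatim into the outer reply.
TUNNEL_INTERNAL = {"EAP-Message", "Message-Authenticator", "State", "User-Name"}

# Constructed sample, modelled on the log format above (addresses are
# documentation-range placeholders, key material is a dummy value).
SAMPLE = """\
(8) Virtual server sending reply
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "VLAN103"
(8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8)   EAP-Message = 0x03090004
(8)   User-Name = "user@example.test"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) Sent Access-Challenge Id 36 from 192.0.2.1:1812 to 192.0.2.2:59581 length 0
(8)   EAP-Message = 0x010a
(8) Finished request
(9) Sent Access-Accept Id 37 from 192.0.2.1:1812 to 192.0.2.2:59581 length 0
(9)   MS-MPPE-Recv-Key = 0x00
(9)   EAP-Message = 0x030a0004
(9)   User-Name = "user@example.test"
(9) Finished request
"""


def is_tunnel_internal(name):
    return name in TUNNEL_INTERNAL or name.startswith("MS-MPPE-")


def dropped_reply_attributes(debug_text):
    """Return [(access_accept_id, {attr: [values]})]: attributes present in
    the last inner-tunnel reply but absent from the Access-Accept sent."""
    inner, accept, accept_id, mode = {}, {}, None, None
    results = []

    def finish_accept():
        missing = {n: v for n, v in inner.items()
                   if n not in accept and not is_tunnel_internal(n)}
        results.append((accept_id, missing))

    for raw in debug_text.splitlines():
        line = raw.strip()
        if INNER_REPLY.match(line):
            inner, mode = {}, "inner"      # a newer inner reply replaces the old
            continue
        started = ACCEPT.match(line)
        if started:
            accept, accept_id, mode = {}, int(started.group(1)), "accept"
            continue
        attr = ATTR.match(line)
        if attr and mode == "inner":
            inner.setdefault(attr.group(1), []).append(attr.group(2))
        elif attr and mode == "accept":
            accept.setdefault(attr.group(1), []).append(attr.group(2))
        else:
            if mode == "accept":           # attribute list of the Accept ended
                finish_accept()
                inner = {}
            mode = None
    if mode == "accept":                   # log cut off right after the Accept
        finish_accept()
    return results


if __name__ == "__main__":
    for packet_id, missing in dropped_reply_attributes(SAMPLE):
        print(f"Access-Accept Id {packet_id}: not copied from inner reply: {missing}")
```
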