EAP-TTLS not working on windows 11 for a wired usage
florentvercourt at gmail.com
Mon Jul 25 16:50:28 UTC 2022
Hello everyone, and thank you for your future help in solving this problem.
I'm trying to implement a FreeRADIUS server for wired usage using the
EAP-TTLS/PAP protocol; I'm authorizing my users based on their credentials
saved in the users file.
I've created my certificates (CA and server) following the recommended
guidelines.
When I test EAP-TTLS/PAP with eapol_test, I get a success message; the same
goes when I authenticate on my laptop under Windows 11 with EAP-PEAP, after
first disabling « check the identity of the server… ». When I click on the
connect button after sending my credentials, to acknowledge that my certificate
is not safe, I succeed in connecting.
But when I try to authenticate with EAP-TTLS/PAP, it fails when I click on
« connect »: I don't get any response to my Access-Challenge packets.
I know there is an article on wiki.freeradius about certificate
compatibility, but I've not been able to solve the problem even with it.
FreeRADIUS Version 3.0.20
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/date
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/digest
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/rfc7542
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipv4addr = 127.0.0.1
port = 1812
type = "auth"
proto = "udp"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client private-network-1 {
ipaddr = 10.101.0.20
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p1-p173-001 {
ipv4addr = 10.100.0.16
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_nico_p173"
nas_type = "cisco"
virtual_server = "serveur_eap_ttls_pap"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client swi-d1-p173-002 {
ipv4addr = 10.100.0.50
require_message_authenticator = no
secret = <<< secret >>>
shortname = "swi_said_edward_p173"
nas_type = "cisco"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test-network {
ipaddr = 10.112.0.136
require_message_authenticator = no
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = digest
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_radutmp
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_detail
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_exec
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = yes
with_alvarion_vsa_hack = no
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_unix
# Loading module "unix" from file /etc/raddb/mods-enabled/unix
unix {
radwtmp = "/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "ttls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = yes
max_sessions = 16384
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
instantiate {
}
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/server.key"
certificate_file = "/etc/raddb/certs/server.pem"
ca_file = "/etc/raddb/certs/ca.pem"
private_key_password = <<< secret >>>
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "PROFILE=SYSTEM"
cipher_server_preference = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = yes
override_cert_url = no
url = http://127.0.0.1/ocsp/
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/raddb/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/raddb/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv4addr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on proxy address * port 56698
Ready to process requests
(0) Received Accounting-Request Id 60 from 10.100.0.50:1646 to 10.101.0.20:1813 length 285
(0) Acct-Session-Id = "0000006A"
(0) Cisco-AVPair = "audit-session-id=0A6400320000003BB2AB2641"
(0) User-Name = "test"
(0) Acct-Authentic = RADIUS
(0) Acct-Terminate-Cause = Lost-Carrier
(0) Cisco-AVPair = "disc-cause-ext=No Reason"
(0) Cisco-AVPair = "connect-progress=Call Up"
(0) Acct-Session-Time = 93
(0) Acct-Input-Octets = 14097
(0) Acct-Output-Octets = 19204
(0) Acct-Input-Packets = 127
(0) Acct-Output-Packets = 74
(0) Acct-Status-Type = Stop
(0) NAS-Port-Type = Ethernet
(0) NAS-Port = 50006
(0) NAS-Port-Id = "GigabitEthernet0/6"
(0) Called-Station-Id = "24-01-C7-8E-84-86"
(0) Calling-Station-Id = "74-78-27-1B-F2-78"
(0) Service-Type = Framed-User
(0) NAS-IP-Address = 10.100.0.50
(0) Acct-Delay-Time = 19
(0) # Executing section preacct from file /etc/raddb/sites-enabled/default
(0) preacct {
(0) [preprocess] = ok
(0) policy acct_unique {
(0) update request {
(0) &Tmp-String-9 := "ai:"
(0) } # update request = noop
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0) EXPAND %{hex:&Class}
(0) -->
(0) EXPAND ^%{hex:&Tmp-String-9}
(0) --> ^61693a
(0) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(0) else {
(0) update request {
(0) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0) --> 0391b84a0867b3fc2bafaf4741bd212a
(0) &Acct-Unique-Session-Id := 0391b84a0867b3fc2bafaf4741bd212a
(0) } # update request = noop
(0) } # else = noop
(0) } # policy acct_unique = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) [files] = noop
(0) } # preacct = ok
(0) # Executing section accounting from file /etc/raddb/sites-enabled/default
(0) accounting {
(0) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.50/detail-20220725
(0) detail: EXPAND %t
(0) detail: --> Mon Jul 25 18:15:40 2022
(0) [detail] = ok
(0) [unix] = ok
(0) radutmp: EXPAND /var/log/radius/radutmp
(0) radutmp: --> /var/log/radius/radutmp
(0) radutmp: EXPAND %{User-Name}
(0) radutmp: --> test
(0) [radutmp] = ok
(0) sradutmp: EXPAND /var/log/radius/sradutmp
(0) sradutmp: --> /var/log/radius/sradutmp
(0) sradutmp: EXPAND %{User-Name}
(0) sradutmp: --> test
(0) [sradutmp] = ok
(0) [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response: --> test
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0) [attr_filter.accounting_response] = updated
(0) } # accounting = updated
(0) Sent Accounting-Response Id 60 from 10.101.0.20:1813 to 10.100.0.50:1646 length 0
(0) Finished request
(0) Cleaning up request packet ID 60 with timestamp +3
Ready to process requests
(1) Received Access-Request Id 0 from 127.0.0.1:48058 to 127.0.0.1:1812 length 142
(1) User-Name = "anonymous_test"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) EAP-Message = 0x02a1001301616e6f6e796d6f75735f74657374
(1) Message-Authenticator = 0x63e0215c3759e15af3f8b2b777ce8370
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 161 length 19
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Auth-Type eap {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 162 length 6
(1) eap: EAP session adding &reply:State = 0x594837c159ea227a
(1) [eap] = handled
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge: --> anonymous_test
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1) [attr_filter.access_challenge.post-auth] = updated
(1) [handled] = handled
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(1) } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0
(1) EAP-Message = 0x01a200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x594837c159ea227a35f4296c6c550caa
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 1 from 127.0.0.1:48058 to 127.0.0.1:1812 length 343
(2) User-Name = "anonymous_test"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) EAP-Message = 0x02a200ca150016030100bf010000bb03037526679cd3ccd5346e9ffc32b3a61bc85036d03ff978485f54af4c4c4713eef2000048c02cc030cca9cca8c0adc02bc02fc0acc023c027c00ac014c009c013009dc09d009cc09c003d003c0035002f009fccaac09f009ec09e006b006700390033c008c012000a001600ff0100004a000b000403000102000a000c000a001d0017001e00190018001600000017000000 0d002600240403050306030807080808090804080a0805080b08060401050106010303030102030201
(2) State = 0x594837c159ea227a35f4296c6c550caa
(2) Message-Authenticator = 0xa2ab78a30c2fd4c0b1e73fbaaa7c1007
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 162 length 202
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Auth-Type eap {
(2) eap: Expiring EAP session with state 0x594837c159ea227a
(2) eap: Finished EAP session with state 0x594837c159ea227a
(2) eap: Previous EAP request found for state 0x594837c159ea227a, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Got final TLS record fragment (196 bytes)
(2) eap_ttls: WARNING: Total received TLS record fragments (196 bytes), does
not equal indicated TLS record length (0 bytes)
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv TLS 1.3 [length 00bf]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2 [length 003d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2 [length 08e9]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2 [length 014d]
(2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: TLS - In Handshake Phase
(2) eap_ttls: TLS - got 2699 bytes of data
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 163 length 1014
(2) eap: EAP session adding &reply:State = 0x594837c158eb227a
(2) [eap] = handled
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) EXPAND Response-Packet-Type
(2) --> Access-Challenge
(2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge: --> anonymous_test
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2) [attr_filter.access_challenge.post-auth] = updated
(2) [handled] = handled
(2) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(2) } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(2) EAP-Message =
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x594837c158eb227a35f4296c6c550caa
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 2 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(3) User-Name = "anonymous_test"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) EAP-Message = 0x02a300061500
(3) State = 0x594837c158eb227a35f4296c6c550caa
(3) Message-Authenticator = 0x0281d393c2571ae6091802af7143b0ed
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 163 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Auth-Type eap {
(3) eap: Expiring EAP session with state 0x594837c158eb227a
(3) eap: Finished EAP session with state 0x594837c158eb227a
(3) eap: Previous EAP request found for state 0x594837c158eb227a, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 164 length 1014
(3) eap: EAP session adding &reply:State = 0x594837c15bec227a
(3) [eap] = handled
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) EXPAND Response-Packet-Type
(3) --> Access-Challenge
(3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge: --> anonymous_test
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3) [attr_filter.access_challenge.post-auth] = updated
(3) [handled] = handled
(3) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(3) } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(3) EAP-Message =
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x594837c15bec227a35f4296c6c550caa
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 3 from 127.0.0.1:48058 to 127.0.0.1:1812
length 147
(4) User-Name = "anonymous_test"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) EAP-Message = 0x02a400061500
(4) State = 0x594837c15bec227a35f4296c6c550caa
(4) Message-Authenticator = 0x12aad93ece4c588ec719216bbaecd7fb
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 164 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Auth-Type eap {
(4) eap: Expiring EAP session with state 0x594837c15bec227a
(4) eap: Finished EAP session with state 0x594837c15bec227a
(4) eap: Previous EAP request found for state 0x594837c15bec227a, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 165 length 701
(4) eap: EAP session adding &reply:State = 0x594837c15aed227a
(4) [eap] = handled
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) EXPAND Response-Packet-Type
(4) --> Access-Challenge
(4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge: --> anonymous_test
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4) [attr_filter.access_challenge.post-auth] = updated
(4) [handled] = handled
(4) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(4) } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(4) EAP-Message =
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x594837c15aed227a35f4296c6c550caa
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 4 from 127.0.0.1:48058 to 127.0.0.1:1812
length 273
(5) User-Name = "anonymous_test"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) EAP-Message =
(5) State = 0x594837c15aed227a35f4296c6c550caa
(5) Message-Authenticator = 0xdbe58d4e8258b430621002f6a1cde860
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 165 length 132
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Auth-Type eap {
(5) eap: Expiring EAP session with state 0x594837c15aed227a
(5) eap: Finished EAP session with state 0x594837c15aed227a
(5) eap: Previous EAP request found for state 0x594837c15aed227a, released
from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0046]
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: TLS - Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap_ttls: TLS - got 51 bytes of data
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 166 length 61
(5) eap: EAP session adding &reply:State = 0x594837c15dee227a
(5) [eap] = handled
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) EXPAND Response-Packet-Type
(5) --> Access-Challenge
(5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge: --> anonymous_test
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5) [attr_filter.access_challenge.post-auth] = updated
(5) [handled] = handled
(5) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(5) } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:48058 length
0
(5) EAP-Message =
0x01a6003d158000000033140303000101160303002868a7ea5e693524f968d02ec14fd7cb5a
629fbd3ff3d28e4a1fee62533733003052e86c7f2303bc2c
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x594837c15dee227a35f4296c6c550caa
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 5 from 127.0.0.1:48058 to 127.0.0.1:1812
length 212
(6) User-Name = "anonymous_test"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) EAP-Message =
0x02a600471500170303003c297482347c2337f99ae8244b354c6918951f0f3bde4cd3a1631f
568103bb1527d53de82d2d036cc96b994d91266bfc523eab035954577cc893219d7c
(6) State = 0x594837c15dee227a35f4296c6c550caa
(6) Message-Authenticator = 0x6aa1c90905881534f18620852003faf3
(6) Restoring &session-state
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "anonymous_test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 166 length 71
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Auth-Type eap {
(6) eap: Expiring EAP session with state 0x594837c15dee227a
(6) eap: Finished EAP session with state 0x594837c15dee227a
(6) eap: Previous EAP request found for state 0x594837c15dee227a, released
from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "test"
(6) eap_ttls: User-Password = "testing"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "test"
(6) User-Password = "testing"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Event-Timestamp = "Jul 25 2022 18:15:48 CEST"
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "test", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files: users: Matched entry test at line 1
(6) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(6) files: --> tu as reussi avec et en etant test
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(6) post-auth {
(6) if (0) {
(6) if (0) -> FALSE
(6) } # post-auth = noop
(6) Login OK: [test] (from client localhost port 0 cli 02-00-00-00-00-01
via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) Reply-Message = "tu as reussi avec et en etant test"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 166 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(6) } # Auth-Type eap = ok
(6) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(6) post-auth {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(6) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(6) update {
(6) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(6) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [anonymous_test] (from client localhost port 0 cli
02-00-00-00-00-01)
(6) Sent Access-Accept Id 5 from 127.0.0.1:1812 to 127.0.0.1:48058 length 0
(6) MS-MPPE-Recv-Key =
0xe14135f14a872f650673a7f048b96e42d97e94269c4c9c764cc8957057a9f70a
(6) MS-MPPE-Send-Key =
0x196c96bc3d4308ae0bd2fe7ba2292a4008232c68960bbc67658a13bb966e74fd
(6) EAP-Message = 0x03a60004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) User-Name = "anonymous_test"
(6) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 0 with timestamp +11
(2) Cleaning up request packet ID 1 with timestamp +11
(3) Cleaning up request packet ID 2 with timestamp +11
(4) Cleaning up request packet ID 3 with timestamp +11
(5) Cleaning up request packet ID 4 with timestamp +11
(6) Cleaning up request packet ID 5 with timestamp +11
Ready to process requests
(7) Received Access-Request Id 181 from 10.100.0.50:1645 to 10.101.0.20:1812
length 204
(7) User-Name = "anonymous"
(7) Service-Type = Framed-User
(7) Framed-MTU = 1500
(7) Called-Station-Id = "24-01-C7-8E-84-86"
(7) Calling-Station-Id = "74-78-27-1B-F2-78"
(7) EAP-Message = 0x0201000e01616e6f6e796d6f7573
(7) Message-Authenticator = 0x55c09e83405ccf67b9c08d1e70ac4b1d
(7) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(7) NAS-Port-Type = Ethernet
(7) NAS-Port = 50006
(7) NAS-Port-Id = "GigabitEthernet0/6"
(7) NAS-IP-Address = 10.100.0.50
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 1 length 14
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Auth-Type eap {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Initiating new TLS session
(7) eap_ttls: [eaptls start] = request
(7) eap: Sending EAP Request (code 1) ID 2 length 6
(7) eap: EAP session adding &reply:State = 0x1aff00fb1afd150b
(7) [eap] = handled
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) EXPAND Response-Packet-Type
(7) --> Access-Challenge
(7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge: --> anonymous
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7) [attr_filter.access_challenge.post-auth] = updated
(7) [handled] = handled
(7) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(7) } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) Sent Access-Challenge Id 181 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(7) EAP-Message = 0x010200061520
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 182 from 10.100.0.50:1645 to 10.101.0.20:1812
length 380
(8) User-Name = "anonymous"
(8) Service-Type = Framed-User
(8) Framed-MTU = 1500
(8) Called-Station-Id = "24-01-C7-8E-84-86"
(8) Calling-Station-Id = "74-78-27-1B-F2-78"
(8) EAP-Message =
(8) Message-Authenticator = 0xf4be43381cba5bcb881815edb82aaedc
(8) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(8) NAS-Port-Type = Ethernet
(8) NAS-Port = 50006
(8) NAS-Port-Id = "GigabitEthernet0/6"
(8) State = 0x1aff00fb1afd150bdec157b3b6aa7742
(8) NAS-IP-Address = 10.100.0.50
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 2 length 172
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Auth-Type eap {
(8) eap: Expiring EAP session with state 0x1aff00fb1afd150b
(8) eap: Finished EAP session with state 0x1aff00fb1afd150b
(8) eap: Previous EAP request found for state 0x1aff00fb1afd150b, released
from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: Continuing EAP-TLS
(8) eap_ttls: Peer indicated complete TLS record size will be 162 bytes
(8) eap_ttls: Got complete TLS record (162 bytes)
(8) eap_ttls: [eaptls verify] = length included
(8) eap_ttls: (other): before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: TLS_accept: before SSL initialization
(8) eap_ttls: <<< recv TLS 1.3 [length 009d]
(8) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(8) eap_ttls: >>> send TLS 1.2 [length 003d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(8) eap_ttls: >>> send TLS 1.2 [length 08e9]
(8) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(8) eap_ttls: >>> send TLS 1.2 [length 014d]
(8) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(8) eap_ttls: >>> send TLS 1.2 [length 0004]
(8) eap_ttls: TLS_accept: SSLv3/TLS write server done
(8) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(8) eap_ttls: TLS - In Handshake Phase
(8) eap_ttls: TLS - got 2699 bytes of data
(8) eap_ttls: [eaptls process] = handled
(8) eap: Sending EAP Request (code 1) ID 3 length 1014
(8) eap: EAP session adding &reply:State = 0x1aff00fb1bfc150b
(8) [eap] = handled
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) EXPAND Response-Packet-Type
(8) --> Access-Challenge
(8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) attr_filter.access_challenge: EXPAND %{User-Name}
(8) attr_filter.access_challenge: --> anonymous
(8) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(8) [attr_filter.access_challenge.post-auth] = updated
(8) [handled] = handled
(8) } # if (handled && (Response-Packet-Type == Access-Challenge)) =
handled
(8) } # Auth-Type eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 182 from 10.101.0.20:1812 to 10.100.0.50:1645
length 0
(8) EAP-Message =
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 183 from 10.100.0.50:1645 to 10.101.0.20:1812
length 214
(9) User-Name = "anonymous"
(9) Service-Type = Framed-User
(9) Framed-MTU = 1500
(9) Called-Station-Id = "24-01-C7-8E-84-86"
(9) Calling-Station-Id = "74-78-27-1B-F2-78"
(9) EAP-Message = 0x020300061500
(9) Message-Authenticator = 0x27fa8829f5e4cbd6c0703ff10396bd50
(9) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(9) NAS-Port-Type = Ethernet
(9) NAS-Port = 50006
(9) NAS-Port-Id = "GigabitEthernet0/6"
(9) State = 0x1aff00fb1bfc150bdec157b3b6aa7742
(9) NAS-IP-Address = 10.100.0.50
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 3 length 6
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Auth-Type eap {
(9) eap: Expiring EAP session with state 0x1aff00fb1bfc150b
(9) eap: Finished EAP session with state 0x1aff00fb1bfc150b
(9) eap: Previous EAP request found for state 0x1aff00fb1bfc150b, released from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: Continuing EAP-TLS
(9) eap_ttls: Peer ACKed our handshake fragment
(9) eap_ttls: [eaptls verify] = request
(9) eap_ttls: [eaptls process] = handled
(9) eap: Sending EAP Request (code 1) ID 4 length 1014
(9) eap: EAP session adding &reply:State = 0x1aff00fb18fb150b
(9) [eap] = handled
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) EXPAND Response-Packet-Type
(9) --> Access-Challenge
(9) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) attr_filter.access_challenge: EXPAND %{User-Name}
(9) attr_filter.access_challenge: --> anonymous
(9) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(9) [attr_filter.access_challenge.post-auth] = updated
(9) [handled] = handled
(9) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(9) } # Auth-Type eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Challenge { ... } # empty sub-section is ignored
(9) Sent Access-Challenge Id 183 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(9) EAP-Message =
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 184 from 10.100.0.50:1645 to 10.101.0.20:1812 length 214
(10) User-Name = "anonymous"
(10) Service-Type = Framed-User
(10) Framed-MTU = 1500
(10) Called-Station-Id = "24-01-C7-8E-84-86"
(10) Calling-Station-Id = "74-78-27-1B-F2-78"
(10) EAP-Message = 0x020400061500
(10) Message-Authenticator = 0xc343c114dc97c30f335f153612ee98ba
(10) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(10) NAS-Port-Type = Ethernet
(10) NAS-Port = 50006
(10) NAS-Port-Id = "GigabitEthernet0/6"
(10) State = 0x1aff00fb18fb150bdec157b3b6aa7742
(10) NAS-IP-Address = 10.100.0.50
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [preprocess] = ok
(10) [chap] = noop
(10) [mschap] = noop
(10) [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(10) suffix: No such realm "NULL"
(10) [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 4 length 6
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Auth-Type eap {
(10) eap: Expiring EAP session with state 0x1aff00fb18fb150b
(10) eap: Finished EAP session with state 0x1aff00fb18fb150b
(10) eap: Previous EAP request found for state 0x1aff00fb18fb150b, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: Continuing EAP-TLS
(10) eap_ttls: Peer ACKed our handshake fragment
(10) eap_ttls: [eaptls verify] = request
(10) eap_ttls: [eaptls process] = handled
(10) eap: Sending EAP Request (code 1) ID 5 length 701
(10) eap: EAP session adding &reply:State = 0x1aff00fb19fa150b
(10) [eap] = handled
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) EXPAND Response-Packet-Type
(10) --> Access-Challenge
(10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) attr_filter.access_challenge: EXPAND %{User-Name}
(10) attr_filter.access_challenge: --> anonymous
(10) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(10) [attr_filter.access_challenge.post-auth] = updated
(10) [handled] = handled
(10) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(10) } # Auth-Type eap = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Challenge { ... } # empty sub-section is ignored
(10) Sent Access-Challenge Id 184 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(10) EAP-Message =
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(10) Finished request
Waking up in 4.8 seconds.
(11) Received Access-Request Id 185 from 10.100.0.50:1645 to 10.101.0.20:1812 length 344
(11) User-Name = "anonymous"
(11) Service-Type = Framed-User
(11) Framed-MTU = 1500
(11) Called-Station-Id = "24-01-C7-8E-84-86"
(11) Calling-Station-Id = "74-78-27-1B-F2-78"
(11) EAP-Message =
0x0205008815800000007e16030300461000004241041bafe37c8a64c35895a588b20bcfdef3
d2b1464ce4d5ae1c8e8e920de9406dc98f4a94b63bcd85a4cbbe35b06823f7cb4f7f6b7cb9ba
6c3f93273bbad00a32a214030300010116030300280000000000000000b2756332a6d5dece72
43e156997beb79b6e0890ac8bdf90da6ada1e3a02371ce
(11) Message-Authenticator = 0x12631f913feb4471ab0fca288c0638f1
(11) Cisco-AVPair = "audit-session-id=0A6400320000003DB2AD4898"
(11) NAS-Port-Type = Ethernet
(11) NAS-Port = 50006
(11) NAS-Port-Id = "GigabitEthernet0/6"
(11) State = 0x1aff00fb19fa150bdec157b3b6aa7742
(11) NAS-IP-Address = 10.100.0.50
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 5 length 136
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Expiring EAP session with state 0x1aff00fb19fa150b
(11) eap: Finished EAP session with state 0x1aff00fb19fa150b
(11) eap: Previous EAP request found for state 0x1aff00fb19fa150b, released from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: Continuing EAP-TLS
(11) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(11) eap_ttls: Got complete TLS record (126 bytes)
(11) eap_ttls: [eaptls verify] = length included
(11) eap_ttls: TLS_accept: SSLv3/TLS write server done
(11) eap_ttls: <<< recv TLS 1.2 [length 0046]
(11) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(11) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(11) eap_ttls: <<< recv TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS read finished
(11) eap_ttls: >>> send TLS 1.2 [length 0001]
(11) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(11) eap_ttls: >>> send TLS 1.2 [length 0010]
(11) eap_ttls: TLS_accept: SSLv3/TLS write finished
(11) eap_ttls: (other): SSL negotiation finished successfully
(11) eap_ttls: TLS - Connection Established
(11) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) eap_ttls: TLS-Session-Version = "TLS 1.2"
(11) eap_ttls: TLS - got 51 bytes of data
(11) eap_ttls: [eaptls process] = handled
(11) eap: Sending EAP Request (code 1) ID 6 length 61
(11) eap: EAP session adding &reply:State = 0x1aff00fb1ef9150b
(11) [eap] = handled
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) EXPAND Response-Packet-Type
(11) --> Access-Challenge
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge: --> anonymous
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11) [attr_filter.access_challenge.post-auth] = updated
(11) [handled] = handled
(11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(11) } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 185 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(11) EAP-Message =
0x0106003d158000000033140303000101160303002890e19eed4974783059ef0d676e70aab3
470cc68cadd1254943ddd9bbe1307ceed06dc7a28a15b4b1
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1aff00fb1ef9150bdec157b3b6aa7742
(11) Finished request
Waking up in 4.8 seconds.
(7) Cleaning up request packet ID 181 with timestamp +35
(8) Cleaning up request packet ID 182 with timestamp +35
(9) Cleaning up request packet ID 183 with timestamp +35
(10) Cleaning up request packet ID 184 with timestamp +35
(11) Cleaning up request packet ID 185 with timestamp +35
Ready to process requests
(12) Received Access-Request Id 186 from 10.100.0.50:1645 to 10.101.0.20:1812 length 194
(12) User-Name = "test"
(12) Service-Type = Framed-User
(12) Framed-MTU = 1500
(12) Called-Station-Id = "24-01-C7-8E-84-86"
(12) Calling-Station-Id = "74-78-27-1B-F2-78"
(12) EAP-Message = 0x020100090174657374
(12) Message-Authenticator = 0x5064878bed8665909256b735e175b2d4
(12) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(12) NAS-Port-Type = Ethernet
(12) NAS-Port = 50006
(12) NAS-Port-Id = "GigabitEthernet0/6"
(12) NAS-IP-Address = 10.100.0.50
(12) # Executing section authorize from file /etc/raddb/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "test", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 1 length 9
(12) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Auth-Type eap {
(12) eap: Peer sent packet with method EAP Identity (1)
(12) eap: Calling submodule eap_ttls to process data
(12) eap_ttls: Initiating new TLS session
(12) eap_ttls: [eaptls start] = request
(12) eap: Sending EAP Request (code 1) ID 2 length 6
(12) eap: EAP session adding &reply:State = 0x5709dc2c570bc95d
(12) [eap] = handled
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) EXPAND Response-Packet-Type
(12) --> Access-Challenge
(12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge: --> test
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12) [attr_filter.access_challenge.post-auth] = updated
(12) [handled] = handled
(12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(12) } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 186 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(12) EAP-Message = 0x010200061520
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x5709dc2c570bc95d080b76220813d0d4
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 187 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209
(13) User-Name = "test"
(13) Service-Type = Framed-User
(13) Framed-MTU = 1500
(13) Called-Station-Id = "24-01-C7-8E-84-86"
(13) Calling-Station-Id = "74-78-27-1B-F2-78"
(13) EAP-Message = 0x020200060319
(13) Message-Authenticator = 0xde3e82b04cacf9575f36bb5d7da5a570
(13) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(13) NAS-Port-Type = Ethernet
(13) NAS-Port = 50006
(13) NAS-Port-Id = "GigabitEthernet0/6"
(13) State = 0x5709dc2c570bc95d080b76220813d0d4
(13) NAS-IP-Address = 10.100.0.50
(13) session-state: No cached attributes
(13) # Executing section authorize from file /etc/raddb/sites-enabled/default
(13) authorize {
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = notfound
(13) } # policy filter_username = notfound
(13) [preprocess] = ok
(13) [chap] = noop
(13) [mschap] = noop
(13) [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "test", looking up realm NULL
(13) suffix: No such realm "NULL"
(13) [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 2 length 6
(13) eap: No EAP Start, assuming it's an on-going EAP conversation
(13) [eap] = updated
(13) } # authorize = updated
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(13) eap: Finished EAP session with state 0x5709dc2c570bc95d
(13) eap: Previous EAP request found for state 0x5709dc2c570bc95d, released from the list
(13) eap: Peer sent packet with method EAP NAK (3)
(13) eap: Found mutually acceptable type PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 3 length 6
(13) eap: EAP session adding &reply:State = 0x5709dc2c560ac55d
(13) [eap] = handled
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) EXPAND Response-Packet-Type
(13) --> Access-Challenge
(13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge: --> test
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13) [attr_filter.access_challenge.post-auth] = updated
(13) [handled] = handled
(13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(13) } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 187 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(13) EAP-Message = 0x010300061920
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x5709dc2c560ac55d080b76220813d0d4
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 188 from 10.100.0.50:1645 to 10.101.0.20:1812 length 375
(14) User-Name = "test"
(14) Service-Type = Framed-User
(14) Framed-MTU = 1500
(14) Called-Station-Id = "24-01-C7-8E-84-86"
(14) Calling-Station-Id = "74-78-27-1B-F2-78"
(14) EAP-Message =
0x020300ac1980000000a2160303009d01000099030362dec1e8bb336220b36115a2f152d4ff
bda23da4d62a4b3a3dd2d90243cfb65500002ac02cc02bc030c02f009f009ec024c023c028c0
27c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a
00080006001d00170018000b00020100000d001a001808040805080604010501020104030503
02030202060106030023000000170000ff01000100
(14) Message-Authenticator = 0x723199c45f61b638f39acfd1af4ef706
(14) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(14) NAS-Port-Type = Ethernet
(14) NAS-Port = 50006
(14) NAS-Port-Id = "GigabitEthernet0/6"
(14) State = 0x5709dc2c560ac55d080b76220813d0d4
(14) NAS-IP-Address = 10.100.0.50
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/raddb/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "test", looking up realm NULL
(14) suffix: No such realm "NULL"
(14) [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 3 length 172
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(14) eap: Finished EAP session with state 0x5709dc2c560ac55d
(14) eap: Previous EAP request found for state 0x5709dc2c560ac55d, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(14) eap_peap: Got complete TLS record (162 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: TLS_accept: before SSL initialization
(14) eap_peap: <<< recv TLS 1.3 [length 009d]
(14) eap_peap: TLS_accept: SSLv3/TLS read client hello
(14) eap_peap: >>> send TLS 1.2 [length 003d]
(14) eap_peap: TLS_accept: SSLv3/TLS write server hello
(14) eap_peap: >>> send TLS 1.2 [length 08e9]
(14) eap_peap: TLS_accept: SSLv3/TLS write certificate
(14) eap_peap: >>> send TLS 1.2 [length 014d]
(14) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(14) eap_peap: >>> send TLS 1.2 [length 0004]
(14) eap_peap: TLS_accept: SSLv3/TLS write server done
(14) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(14) eap_peap: TLS - In Handshake Phase
(14) eap_peap: TLS - got 2699 bytes of data
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 4 length 1014
(14) eap: EAP session adding &reply:State = 0x5709dc2c550dc55d
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> test
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) Sent Access-Challenge Id 188 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(14) EAP-Message =
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x5709dc2c550dc55d080b76220813d0d4
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 189 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209
(15) User-Name = "test"
(15) Service-Type = Framed-User
(15) Framed-MTU = 1500
(15) Called-Station-Id = "24-01-C7-8E-84-86"
(15) Calling-Station-Id = "74-78-27-1B-F2-78"
(15) EAP-Message = 0x020400061900
(15) Message-Authenticator = 0x5c6dceb7d89b74812695116e8c825b77
(15) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(15) NAS-Port-Type = Ethernet
(15) NAS-Port = 50006
(15) NAS-Port-Id = "GigabitEthernet0/6"
(15) State = 0x5709dc2c550dc55d080b76220813d0d4
(15) NAS-IP-Address = 10.100.0.50
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/raddb/sites-enabled/default
(15) authorize {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = notfound
(15) } # policy filter_username = notfound
(15) [preprocess] = ok
(15) [chap] = noop
(15) [mschap] = noop
(15) [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "test", looking up realm NULL
(15) suffix: No such realm "NULL"
(15) [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 4 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(15) eap: Finished EAP session with state 0x5709dc2c550dc55d
(15) eap: Previous EAP request found for state 0x5709dc2c550dc55d, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer ACKed our handshake fragment
(15) eap_peap: [eaptls verify] = request
(15) eap_peap: [eaptls process] = handled
(15) eap: Sending EAP Request (code 1) ID 5 length 1010
(15) eap: EAP session adding &reply:State = 0x5709dc2c540cc55d
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> test
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Challenge { ... } # empty sub-section is ignored
(15) Sent Access-Challenge Id 189 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(15) EAP-Message =
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x5709dc2c540cc55d080b76220813d0d4
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 190 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209
(16) User-Name = "test"
(16) Service-Type = Framed-User
(16) Framed-MTU = 1500
(16) Called-Station-Id = "24-01-C7-8E-84-86"
(16) Calling-Station-Id = "74-78-27-1B-F2-78"
(16) EAP-Message = 0x020500061900
(16) Message-Authenticator = 0x338407f535f332f0091f8b6a8546c39a
(16) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(16) NAS-Port-Type = Ethernet
(16) NAS-Port = 50006
(16) NAS-Port-Id = "GigabitEthernet0/6"
(16) State = 0x5709dc2c540cc55d080b76220813d0d4
(16) NAS-IP-Address = 10.100.0.50
(16) session-state: No cached attributes
(16) # Executing section authorize from file /etc/raddb/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = notfound
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [chap] = noop
(16) [mschap] = noop
(16) [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "test", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 5 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(16) eap: Finished EAP session with state 0x5709dc2c540cc55d
(16) eap: Previous EAP request found for state 0x5709dc2c540cc55d, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: Peer ACKed our handshake fragment
(16) eap_peap: [eaptls verify] = request
(16) eap_peap: [eaptls process] = handled
(16) eap: Sending EAP Request (code 1) ID 6 length 697
(16) eap: EAP session adding &reply:State = 0x5709dc2c530fc55d
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> test
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16) Challenge { ... } # empty sub-section is ignored
(16) Sent Access-Challenge Id 190 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(16) EAP-Message =
0x010602b919001d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625
687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c30
0d06092a864886f70d01010b050003820101008834a7e636cc1b2ca1fb50f0241d142dea0f64
ab2a18f737a1c61001f253baa32022d21b23e2d32ef93967a914fb7435030effabacdf1f473b
35bfd23a886c4fbc7d6c194afd9160e340612d83f81e694c5813983a691a9ed83ee45ad98a87
9609630093e2ada4eb67dcafd2543577b94229d604cde33e0314dba26abd7d5674f57a3c4654
49fea9cd762ad1d4a39a0101a207c17e107c4bcc95024237ad91815bf140b75eb9734ad96157
81be60643011fc9718e8acffb9dc4ce9d051c3ea5712dc6aa7ba1d9d2ba8df6c3bdbc7942c0d
7f01c8fddbe6182cf8880f339a038ed8f0c7b579d87e4a30f42c1c978f36c070d759b3319901
9e7d482f8786044516160303014d0c00014903001741045122cc6a47b169b7a16ff1
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x5709dc2c530fc55d080b76220813d0d4
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 191 from 10.100.0.50:1645 to 10.101.0.20:1812 length 339
(17) User-Name = "test"
(17) Service-Type = Framed-User
(17) Framed-MTU = 1500
(17) Called-Station-Id = "24-01-C7-8E-84-86"
(17) Calling-Station-Id = "74-78-27-1B-F2-78"
(17) EAP-Message =
0x0206008819800000007e160303004610000042410446771ce3728af651ce38b33f2dbad2de
2ec1398220b2deca4e147610a28845f811a15650a23e9c2d6cda8703a81d827e6d5c3335a7ad
ed1f9348bed6398856db140303000101160303002800000000000000006467b41f8f49082292
2783c45df9e0ab3f5f3ee2d6b27ac824a0291d83fc0cbb
(17) Message-Authenticator = 0x9881bcce42caeb449d1792b76c542650
(17) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(17) NAS-Port-Type = Ethernet
(17) NAS-Port = 50006
(17) NAS-Port-Id = "GigabitEthernet0/6"
(17) State = 0x5709dc2c530fc55d080b76220813d0d4
(17) NAS-IP-Address = 10.100.0.50
(17) session-state: No cached attributes
(17) # Executing section authorize from file /etc/raddb/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "test", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 6 length 136
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(17) eap: Finished EAP session with state 0x5709dc2c530fc55d
(17) eap: Previous EAP request found for state 0x5709dc2c530fc55d, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(17) eap_peap: Got complete TLS record (126 bytes)
(17) eap_peap: [eaptls verify] = length included
(17) eap_peap: TLS_accept: SSLv3/TLS write server done
(17) eap_peap: <<< recv TLS 1.2 [length 0046]
(17) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(17) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(17) eap_peap: <<< recv TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS read finished
(17) eap_peap: >>> send TLS 1.2 [length 0001]
(17) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(17) eap_peap: >>> send TLS 1.2 [length 0010]
(17) eap_peap: TLS_accept: SSLv3/TLS write finished
(17) eap_peap: (other): SSL negotiation finished successfully
(17) eap_peap: TLS - Connection Established
(17) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) eap_peap: TLS-Session-Version = "TLS 1.2"
(17) eap_peap: TLS - got 51 bytes of data
(17) eap_peap: [eaptls process] = handled
(17) eap: Sending EAP Request (code 1) ID 7 length 57
(17) eap: EAP session adding &reply:State = 0x5709dc2c520ec55d
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> test
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 191 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(17) EAP-Message =
0x01070039190014030300010116030300285bc3632e6b443560a1c7f7fcfd4d4dce83eb70b6
a001d27389578382a78d0283e43c7e8969d6f3ba
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x5709dc2c520ec55d080b76220813d0d4
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 192 from 10.100.0.50:1645 to 10.101.0.20:1812 length 209
(18) User-Name = "test"
(18) Service-Type = Framed-User
(18) Framed-MTU = 1500
(18) Called-Station-Id = "24-01-C7-8E-84-86"
(18) Calling-Station-Id = "74-78-27-1B-F2-78"
(18) EAP-Message = 0x020700061900
(18) Message-Authenticator = 0x33689c92606612b6d8b208e12717fd08
(18) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(18) NAS-Port-Type = Ethernet
(18) NAS-Port = 50006
(18) NAS-Port-Id = "GigabitEthernet0/6"
(18) State = 0x5709dc2c520ec55d080b76220813d0d4
(18) NAS-IP-Address = 10.100.0.50
(18) Restoring &session-state
(18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file /etc/raddb/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "test", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(18) eap: Finished EAP session with state 0x5709dc2c520ec55d
(18) eap: Previous EAP request found for state 0x5709dc2c520ec55d, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(18) eap_peap: [eaptls verify] = success
(18) eap_peap: [eaptls process] = success
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state TUNNEL ESTABLISHED
(18) eap: Sending EAP Request (code 1) ID 8 length 40
(18) eap: EAP session adding &reply:State = 0x5709dc2c5101c55d
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> test
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) TLS-Session-Version = "TLS 1.2"
(18) Sent Access-Challenge Id 192 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(18) EAP-Message =
0x010800281900170303001d5bc3632e6b443561fcf82593fda17abbf449f59d02196666fae6
9cf929
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x5709dc2c5101c55d080b76220813d0d4
(18) Finished request
Waking up in 2.1 seconds.
(19) Received Access-Request Id 193 from 10.100.0.50:1645 to 10.101.0.20:1812 length 243
(19) User-Name = "test"
(19) Service-Type = Framed-User
(19) Framed-MTU = 1500
(19) Called-Station-Id = "24-01-C7-8E-84-86"
(19) Calling-Station-Id = "74-78-27-1B-F2-78"
(19) EAP-Message =
0x020800281900170303001d0000000000000001f4b75ef3c9c70e7de845b7ad53435ce649bc
e97bd6
(19) Message-Authenticator = 0xdd6a472f02ab76bc724223ac8592f303
(19) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(19) NAS-Port-Type = Ethernet
(19) NAS-Port = 50006
(19) NAS-Port-Id = "GigabitEthernet0/6"
(19) State = 0x5709dc2c5101c55d080b76220813d0d4
(19) NAS-IP-Address = 10.100.0.50
(19) Restoring &session-state
(19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file /etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 40
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(19) eap: Finished EAP session with state 0x5709dc2c5101c55d
(19) eap: Previous EAP request found for state 0x5709dc2c5101c55d, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(19) eap_peap: Identity - test
(19) eap_peap: Got inner identity 'test'
(19) eap_peap: Setting default EAP type for tunneled EAP session
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: Setting User-Name to test
(19) eap_peap: Sending tunneled request to inner-tunnel
(19) eap_peap: EAP-Message = 0x020800090174657374
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "test"
(19) Virtual server inner-tunnel received request
(19) EAP-Message = 0x020800090174657374
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "test"
(19) WARNING: Outer and inner identities are the same. User privacy is compromised.
(19) server inner-tunnel {
(19) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [chap] = noop
(19) [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "test", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) update control {
(19) &Proxy-To-Realm := LOCAL
(19) } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 8 length 9
(19) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(19) authenticate {
(19) eap: Peer sent packet with method EAP Identity (1)
(19) eap: Calling submodule eap_mschapv2 to process data
(19) eap_mschapv2: Issuing Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 43
(19) eap: EAP session adding &reply:State = 0xc8f1f8bdc8f8e24d
(19) [eap] = handled
(19) } # authenticate = handled
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19) EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled reply RADIUS code 11
(19) eap_peap: EAP-Message =
0x0109002b1a0109002610a8aea7b97f9ff88acc6d299565ea3e33667265657261646975732d
332e302e3230
(19) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(19) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(19) eap_peap: Got tunneled Access-Challenge
(19) eap: Sending EAP Request (code 1) ID 9 length 74
(19) eap: EAP session adding &reply:State = 0x5709dc2c5000c55d
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> test
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Challenge { ... } # empty sub-section is ignored
(19) session-state: Saving cached attributes
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 193 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(19) EAP-Message =
0x0109004a1900170303003f5bc3632e6b4435625e5c5051af7c363be95d4ee4f3f3b7ac445d
1ecac6abc90cb5263d48732e332fae270276b7d924f672cc1b74d6916b68c2e03e7ebe1975
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x5709dc2c5000c55d080b76220813d0d4
(19) Finished request
Waking up in 2.0 seconds.
(20) Received Access-Request Id 194 from 10.100.0.50:1645 to 10.101.0.20:1812 length 297
(20) User-Name = "test"
(20) Service-Type = Framed-User
(20) Framed-MTU = 1500
(20) Called-Station-Id = "24-01-C7-8E-84-86"
(20) Calling-Station-Id = "74-78-27-1B-F2-78"
(20) EAP-Message =
0x0209005e19001703030053000000000000000267df274f7aba3c388821a73daf611375d9d7
2eef18a2029801924010afde0f8c56c84035beb392c5d720651c2253091340fa76a3f6a37152
3b42fb59bacd4ff5ff77aa734d8f4abc3bfe4c
(20) Message-Authenticator = 0xdd9df03d48297b3c9942e21f2b832e07
(20) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(20) NAS-Port-Type = Ethernet
(20) NAS-Port = 50006
(20) NAS-Port-Id = "GigabitEthernet0/6"
(20) State = 0x5709dc2c5000c55d080b76220813d0d4
(20) NAS-IP-Address = 10.100.0.50
(20) Restoring &session-state
(20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file /etc/raddb/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 94
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0x5709dc2c5000c55d
(20) eap: Previous EAP request found for state 0x5709dc2c5000c55d, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: Setting User-Name to test
(20) eap_peap: Sending tunneled request to inner-tunnel
(20) eap_peap: EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "test"
(20) eap_peap: State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) Virtual server inner-tunnel received request
(20) EAP-Message =
0x0209003f1a0209003a31f90a4533756415a1b4ea82f294876b6100000000000000009e08d5
2c72cd923feca32b6ac7eeece3627638836e7d19f60074657374
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "test"
(20) State = 0xc8f1f8bdc8f8e24d226d055121876240
(20) WARNING: Outer and inner identities are the same. User privacy is compromised.
(20) server inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [chap] = noop
(20) [mschap] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "test", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) update control {
(20) &Proxy-To-Realm := LOCAL
(20) } # update control = noop
(20) eap: Peer sent EAP Response (code 2) ID 9 length 63
(20) eap: No EAP Start, assuming it's an on-going EAP conversation
(20) [eap] = updated
(20) files: users: Matched entry test at line 1
(20) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(20) files: --> tu as reussi avec et en etant test
(20) [files] = ok
(20) [expiration] = noop
(20) [logintime] = noop
(20) pap: WARNING: Auth-Type already set. Not setting to PAP
(20) [pap] = noop
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20) authenticate {
(20) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(20) eap: Finished EAP session with state 0xc8f1f8bdc8f8e24d
(20) eap: Previous EAP request found for state 0xc8f1f8bdc8f8e24d, released from the list
(20) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(20) eap: Calling submodule eap_mschapv2 to process data
(20) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(20) eap_mschapv2: authenticate {
(20) mschap: Found Cleartext-Password, hashing to create NT-Password
(20) mschap: Creating challenge hash with username: test
(20) mschap: Client is using MS-CHAPv2
(20) mschap: Adding MS-CHAPv2 MPPE keys
(20) eap_mschapv2: [mschap] = ok
(20) eap_mschapv2: } # authenticate = ok
(20) eap_mschapv2: MSCHAP Success
(20) eap: Sending EAP Request (code 1) ID 10 length 51
(20) eap: EAP session adding &reply:State = 0xc8f1f8bdc9fbe24d
(20) [eap] = handled
(20) } # authenticate = handled
(20) } # server inner-tunnel
(20) Virtual server sending reply
(20) Reply-Message = "tu as reussi avec et en etant test"
(20) EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled reply RADIUS code 11
(20) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(20) eap_peap: EAP-Message =
0x010a00331a0309002e533d4231333644304637383233454339313739434339373332454336
3034393136433231333534313235
(20) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(20) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(20) eap_peap: Got tunneled Access-Challenge
(20) eap: Sending EAP Request (code 1) ID 10 length 82
(20) eap: EAP session adding &reply:State = 0x5709dc2c5f03c55d
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> test
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20) Challenge { ... } # empty sub-section is ignored
(20) session-state: Saving cached attributes
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 194 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(20) EAP-Message =
0x010a0052190017030300475bc3632e6b443563bfdb8a34b1d033e80abaed0886740e922409
cc823028e6c31f02665c568a46c5f021df9853700a6be0d1b2248b9520ffad2833cdfccb681b
bfefac58b6c6e8
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x5709dc2c5f03c55d080b76220813d0d4
(20) Finished request
Waking up in 2.0 seconds.
(21) Received Access-Request Id 195 from 10.100.0.50:1645 to 10.101.0.20:1812 length 240
(21) User-Name = "test"
(21) Service-Type = Framed-User
(21) Framed-MTU = 1500
(21) Called-Station-Id = "24-01-C7-8E-84-86"
(21) Calling-Station-Id = "74-78-27-1B-F2-78"
(21) EAP-Message =
0x020a00251900170303001a0000000000000003b7e4977bb2c798f1390f20f4c06d08798279
(21) Message-Authenticator = 0xc450ef4dd19f37f7ff7136f788d710b0
(21) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(21) NAS-Port-Type = Ethernet
(21) NAS-Port = 50006
(21) NAS-Port-Id = "GigabitEthernet0/6"
(21) State = 0x5709dc2c5f03c55d080b76220813d0d4
(21) NAS-IP-Address = 10.100.0.50
(21) Restoring &session-state
(21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file /etc/raddb/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 37
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0x5709dc2c5f03c55d
(21) eap: Previous EAP request found for state 0x5709dc2c5f03c55d, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: [eaptls verify] = ok
(21) eap_peap: Done initial handshake
(21) eap_peap: [eaptls process] = ok
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state phase2
(21) eap_peap: EAP method MSCHAPv2 (26)
(21) eap_peap: Got tunneled request
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: Setting User-Name to test
(21) eap_peap: Sending tunneled request to inner-tunnel
(21) eap_peap: EAP-Message = 0x020a00061a03
(21) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(21) eap_peap: User-Name = "test"
(21) eap_peap: State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) Virtual server inner-tunnel received request
(21) EAP-Message = 0x020a00061a03
(21) FreeRADIUS-Proxied-To = 127.0.0.1
(21) User-Name = "test"
(21) State = 0xc8f1f8bdc9fbe24d226d055121876240
(21) WARNING: Outer and inner identities are the same. User privacy is compromised.
(21) server inner-tunnel {
(21) session-state: No cached attributes
(21) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [chap] = noop
(21) [mschap] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "test", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) update control {
(21) &Proxy-To-Realm := LOCAL
(21) } # update control = noop
(21) eap: Peer sent EAP Response (code 2) ID 10 length 6
(21) eap: No EAP Start, assuming it's an on-going EAP conversation
(21) [eap] = updated
(21) files: users: Matched entry test at line 1
(21) files: EXPAND tu as reussi avec %{Auth-Type} et en etant %{User-Name}
(21) files: --> tu as reussi avec et en etant test
(21) [files] = ok
(21) [expiration] = noop
(21) [logintime] = noop
(21) pap: WARNING: Auth-Type already set. Not setting to PAP
(21) [pap] = noop
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(21) authenticate {
(21) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(21) eap: Finished EAP session with state 0xc8f1f8bdc9fbe24d
(21) eap: Previous EAP request found for state 0xc8f1f8bdc9fbe24d, released from the list
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) eap: Calling submodule eap_mschapv2 to process data
(21) eap: Sending EAP Success (code 3) ID 10 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) } # authenticate = ok
(21) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(21) post-auth {
(21) if (0) {
(21) if (0) -> FALSE
(21) } # post-auth = noop
(21) Login OK: [test] (from client swi_said_edward_p173 port 0 via TLS tunnel)
(21) } # server inner-tunnel
(21) Virtual server sending reply
(21) Reply-Message = "tu as reussi avec et en etant test"
(21) MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) EAP-Message = 0x030a0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "test"
(21) eap_peap: Got tunneled reply code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Got tunneled reply RADIUS code 2
(21) eap_peap: Reply-Message = "tu as reussi avec et en etant test"
(21) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(21) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(21) eap_peap: MS-MPPE-Send-Key = 0x81238317805f6b67fec93e45b3692a81
(21) eap_peap: MS-MPPE-Recv-Key = 0xca79e92c0f2a71aedddd4dce55d7b4bc
(21) eap_peap: EAP-Message = 0x030a0004
(21) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(21) eap_peap: User-Name = "test"
(21) eap_peap: Tunneled authentication was successful
(21) eap_peap: SUCCESS
(21) eap: Sending EAP Request (code 1) ID 11 length 46
(21) eap: EAP session adding &reply:State = 0x5709dc2c5e02c55d
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> test
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Challenge { ... } # empty sub-section is ignored
(21) session-state: Saving cached attributes
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(21) EAP-Message = 0x010b002e190017030300235bc3632e6b443564d2723008ae0ef670403b61176bfb8668e1ff44cb3c02f7217871f0
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x5709dc2c5e02c55d080b76220813d0d4
(21) Finished request
Waking up in 2.0 seconds.
(22) Received Access-Request Id 196 from 10.100.0.50:1645 to 10.101.0.20:1812 length 249
(22) User-Name = "test"
(22) Service-Type = Framed-User
(22) Framed-MTU = 1500
(22) Called-Station-Id = "24-01-C7-8E-84-86"
(22) Calling-Station-Id = "74-78-27-1B-F2-78"
(22) EAP-Message = 0x020b002e19001703030023000000000000000445fbfc432839d0f47cc453ff5500e022d60241ef8e33106eda0936
(22) Message-Authenticator = 0x7ca959931442315cd10d49eb490df5db
(22) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(22) NAS-Port-Type = Ethernet
(22) NAS-Port = 50006
(22) NAS-Port-Id = "GigabitEthernet0/6"
(22) State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) NAS-IP-Address = 10.100.0.50
(22) Restoring &session-state
(22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file /etc/raddb/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "test", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 11 length 46
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Expiring EAP session with state 0x1aff00fb1ef9150b
(22) eap: Finished EAP session with state 0x5709dc2c5e02c55d
(22) eap: Previous EAP request found for state 0x5709dc2c5e02c55d, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state send tlv success
(22) eap_peap: Received EAP-TLV response
(22) eap_peap: Success
(22) eap: Sending EAP Success (code 3) ID 11 length 4
(22) eap: Freeing handler
(22) [eap] = ok
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(22) } # Auth-Type eap = ok
(22) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(22) post-auth {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(22) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(22) update {
(22) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(22) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(22) } # update = noop
(22) [exec] = noop
(22) policy remove_reply_message_if_eap {
(22) if (&reply:EAP-Message && &reply:Reply-Message) {
(22) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(22) else {
(22) [noop] = noop
(22) } # else = noop
(22) } # policy remove_reply_message_if_eap = noop
(22) } # post-auth = noop
(22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli 74-78-27-1B-F2-78)
(22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(22) MS-MPPE-Recv-Key = 0xb3963e8d4a98a9a2b83fc3463f4aee62e926bbe31e9fab554887fbef5efce59d
(22) MS-MPPE-Send-Key = 0xe659945053c03ec5ae6b8b0ceef6fa83d90c3718f2a69f013f86f3870e5349ed
(22) EAP-Message = 0x030b0004
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) User-Name = "test"
(22) Finished request
Waking up in 2.0 seconds.
(23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to 10.101.0.20:1813 length 217
(23) Acct-Session-Id = "0000006D"
(23) Cisco-AVPair = "audit-session-id=0A6400320000003EB2ADB5C7"
(23) User-Name = "test"
(23) Cisco-AVPair = "connect-progress=Call Up"
(23) Acct-Authentic = RADIUS
(23) Acct-Status-Type = Start
(23) NAS-Port-Type = Ethernet
(23) NAS-Port = 50006
(23) NAS-Port-Id = "GigabitEthernet0/6"
(23) Called-Station-Id = "24-01-C7-8E-84-86"
(23) Calling-Station-Id = "74-78-27-1B-F2-78"
(23) Service-Type = Framed-User
(23) NAS-IP-Address = 10.100.0.50
(23) Acct-Delay-Time = 0
(23) # Executing section preacct from file /etc/raddb/sites-enabled/default
(23) preacct {
(23) [preprocess] = ok
(23) policy acct_unique {
(23) update request {
(23) &Tmp-String-9 := "ai:"
(23) } # update request = noop
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(23) EXPAND %{hex:&Class}
(23) -->
(23) EXPAND ^%{hex:&Tmp-String-9}
(23) --> ^61693a
(23) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(23) else {
(23) update request {
(23) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(23) --> ec3bf2e33c3293d656fc4362227660f2
(23) &Acct-Unique-Session-Id := ec3bf2e33c3293d656fc4362227660f2
(23) } # update request = noop
(23) } # else = noop
(23) } # policy acct_unique = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "test", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) [files] = noop
(23) } # preacct = ok
(23) # Executing section accounting from file /etc/raddb/sites-enabled/default
(23) accounting {
(23) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(23) detail: --> /var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.50/detail-20220725
(23) detail: EXPAND %t
(23) detail: --> Mon Jul 25 18:16:45 2022
(23) [detail] = ok
(23) [unix] = ok
(23) radutmp: EXPAND /var/log/radius/radutmp
(23) radutmp: --> /var/log/radius/radutmp
(23) radutmp: EXPAND %{User-Name}
(23) radutmp: --> test
(23) [radutmp] = ok
(23) sradutmp: EXPAND /var/log/radius/sradutmp
(23) sradutmp: --> /var/log/radius/sradutmp
(23) sradutmp: EXPAND %{User-Name}
(23) sradutmp: --> test
(23) [sradutmp] = ok
(23) [exec] = noop
(23) attr_filter.accounting_response: EXPAND %{User-Name}
(23) attr_filter.accounting_response: --> test
(23) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(23) [attr_filter.accounting_response] = updated
(23) } # accounting = updated
(23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to 10.100.0.50:1646 length 0
(23) Finished request
(23) Cleaning up request packet ID 61 with timestamp +68
Waking up in 0.8 seconds.
(12) Cleaning up request packet ID 186 with timestamp +64
(13) Cleaning up request packet ID 187 with timestamp +64
(14) Cleaning up request packet ID 188 with timestamp +64
(15) Cleaning up request packet ID 189 with timestamp +64
(16) Cleaning up request packet ID 190 with timestamp +64
(17) Cleaning up request packet ID 191 with timestamp +64
Waking up in 2.7 seconds.
(18) Cleaning up request packet ID 192 with timestamp +67
(19) Cleaning up request packet ID 193 with timestamp +67
(20) Cleaning up request packet ID 194 with timestamp +67
(21) Cleaning up request packet ID 195 with timestamp +67
(22) Cleaning up request packet ID 196 with timestamp +67
Ready to process requests
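The trace above is the PEAP attempt that works: the Access-Challenge sent in request (21) carries State 0x5709dc2c5e02c55d080b76220813d0d4, request (22) echoes exactly that State back, and the server answers with Access-Accept. The EAP-TTLS failure described at the top of the post looks like the opposite on the server side: a challenge that is never answered. As an added example (not code from the post or from the FreeRADIUS project), the Python script below groups a radiusd -X trace by request number and flags every Access-Challenge whose State never comes back in a later Access-Request. It relies only on line shapes that appear in the posted trace; the first embedded sample is an excerpt of the post, the second is a constructed stalled TTLS exchange whose State values and "EAP TTLS (21)" method label are assumptions.

```python
"""Triage a `radiusd -X` trace: which reply each request got, and whether every
Access-Challenge was answered. Added example, not code from the post or FreeRADIUS."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
RECV_RE = re.compile(r"^Received (Access-Request|Accounting-Request) Id (\d+)")
SENT_RE = re.compile(r"^Sent (Access-Challenge|Access-Accept|Access-Reject|"
                     r"Accounting-Response) Id (\d+)")
STATE_RE = re.compile(r"^State = 0x([0-9a-fA-F]+)")
METHOD_RE = re.compile(r"^eap: Peer sent packet with method EAP (\S+) \(\d+\)")
LOGIN_RE = re.compile(r"^Login (OK|incorrect)")

@dataclass
class Request:
    num: int
    kind: str = ""      # Access-Request / Accounting-Request
    rx_state: str = ""  # State the NAS echoed back in this request
    tx_state: str = ""  # State the server attached to its reply
    reply: str = ""     # Access-Challenge / Access-Accept / Access-Reject / ...
    methods: List[str] = field(default_factory=list)
    login: str = ""     # "OK" / "incorrect"

def parse_trace(text: str) -> Dict[int, Request]:
    """Group the trace by its "(N)" prefix; wrapped continuation lines and
    scheduler chatter ("Waking up ...") carry no prefix and are skipped."""
    reqs: Dict[int, Request] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        num, rest = int(m.group(1)), m.group(2)
        req = reqs.setdefault(num, Request(num))
        if (r := RECV_RE.match(rest)):
            req.kind = r.group(1)
        elif (s := SENT_RE.match(rest)):
            req.reply = s.group(1)
        elif (st := STATE_RE.match(rest)):
            # Attributes dumped before the "Sent" line belong to the request,
            # those dumped after it belong to the reply.
            if req.reply:
                req.tx_state = st.group(1).lower()
            else:
                req.rx_state = st.group(1).lower()
        elif (me := METHOD_RE.match(rest)):
            req.methods.append(me.group(1))
        elif (lo := LOGIN_RE.match(rest)):
            req.login = lo.group(1)
    return reqs

def unanswered_challenges(reqs: Dict[int, Request]) -> List[int]:
    """Challenges whose State never came back in a later Access-Request: the
    supplicant dropped the conversation on its side, so no server log explains it."""
    stalled = []
    for r in reqs.values():
        if r.reply != "Access-Challenge" or not r.tx_state:
            continue
        if not any(o.num > r.num and o.kind == "Access-Request"
                   and o.rx_state == r.tx_state for o in reqs.values()):
            stalled.append(r.num)
    return sorted(stalled)

def summarize(reqs: Dict[int, Request]) -> List[str]:
    out = []
    for r in sorted(reqs.values(), key=lambda x: x.num):
        if r.kind or r.reply:  # skip numbers only seen in "Cleaning up" lines
            out.append(f"({r.num}) {r.kind or '?'} -> {r.reply or 'no reply'} "
                       f"methods={','.join(r.methods) or '-'} login={r.login or '-'}")
    for n in unanswered_challenges(reqs):
        out.append(f"({n}) Access-Challenge never answered: supplicant aborted, "
                   "check its server-certificate validation rather than the server")
    return out

# Excerpt of the posted trace (wrapped continuation lines dropped).
PAGE_TRACE = """\
(21) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(21) Sent Access-Challenge Id 195 from 10.101.0.20:1812 to 10.100.0.50:1645
(21)   State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) Received Access-Request Id 196 from 10.100.0.50:1645 to
(22)   State = 0x5709dc2c5e02c55d080b76220813d0d4
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) Login OK: [test] (from client swi_said_edward_p173 port 50006 cli
(22) Sent Access-Accept Id 196 from 10.101.0.20:1812 to 10.100.0.50:1645
(23) Received Accounting-Request Id 61 from 10.100.0.50:1646 to
(23) Sent Accounting-Response Id 61 from 10.101.0.20:1813 to
"""

# Constructed, not captured: the reported failure mode, where the server's TLS
# handshake goes out in an Access-Challenge and nothing ever comes back.
# The "TTLS (21)" label and the State values are assumptions.
STALLED_TRACE = """\
(7) Received Access-Request Id 40 from 10.100.0.50:1645 to 10.101.0.20:1812 length 180
(7)   State = 0xaabbccddeeff00110123456789abcdef
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) Sent Access-Challenge Id 40 from 10.101.0.20:1812 to 10.100.0.50:1645 length 0
(7)   State = 0xaabbccddeeff00119999888877776666
(7) Cleaning up request packet ID 40 with timestamp +12
"""

if __name__ == "__main__":
    for label, trace in (("posted", PAGE_TRACE), ("constructed", STALLED_TRACE)):
        print(f"== {label} ==\n" + "\n".join(summarize(parse_trace(trace))))
```

Feed it the complete radiusd -X output rather than an excerpt. When the flagged challenge is the one in which the server has just sent its certificate chain, the TLS handshake was abandoned by the supplicant, and the explanation has to come from the client (on Windows, its event log), not from the RADIUS server, which has done nothing wrong at that point.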