Freeradius Framed-IP-Address not working with strongswan
Alexis Lacoste
alexislacoste2 at gmail.com
Wed Jun 1 12:39:59 UTC 2022
Good morning,
It is my first time asking a question on the freeradius mailing list, i
excuse myself in advance of any error or bad interpretation.
I'm using a VPN named strongswan that communicates with a freeradius using
the eap-radius plugin. The radius is authenticated agaisn't a samba AD that
authentifies clients using ntlm_auth and mschapv2. It is working great.
Now, I want for the clients to get the IP address that I assign in the
users.conf file. What I did was to create an user named test1.vpn in the
LDAP, and use rightsourceip=%radius in the ipsec.conf file on strongswan. I
gave him a framed ip address like this :
"test1.vpn" Framed-IP-Address == 10.10.10.6
Fall-Through = Yes
The thing is, it doesn't work... It works great when, on the ipsec.conf
file I put rightsourceip=10.10.10.1. The client gets the right
framed-ip-address. But with %radius, I don't see the 10.10.10.6 ip address
in the radius log and it makes an error on the strongswan since the client
doesn't get a virtual IP address.
Here are the output of radiusd -X :
(0) Received Access-Request Id 211 from 172.16.10.111:47079 to
172.16.10.111:1812 length 168
(0) User-Name = "test1.vpn"
(0) NAS-Port-Type = Virtual
(0) Service-Type = Framed-User
(0) NAS-Port = 3
(0) NAS-Port-Id = "test1.vpn"
(0) NAS-IP-Address = X.X.X.X
(0) Called-Station-Id = "X.X.X.X[4500]"
(0) Calling-Station-Id = "X.X.X.X[4500]"
(0) Acct-Session-Id = "1654086146-3"
(0) EAP-Message = 0x0200000e0174657374312e76706e
(0) NAS-Identifier = "strongSwan"
(0) Message-Authenticator = 0xce4ddedff45a0a9bd69f9b913a963862
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) [files] = noop
(0) [preprocess] = ok
(0) [mschap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 1 length 22
(0) eap: EAP session adding &reply:State = 0x6aa216d56aa312bf
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 211 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(0) EAP-Message = 0x010100160410ff5cd34168d97f580fbfdfa92f86b05a
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x6aa216d56aa312bf987ea9fae6cd4048
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 212 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(1) User-Name = "test1.vpn"
(1) NAS-Port-Type = Virtual
(1) Service-Type = Framed-User
(1) NAS-Port = 3
(1) NAS-Port-Id = "test1.vpn"
(1) NAS-IP-Address = X.X.X.X
(1) Called-Station-Id = "X.X.X.X[4500]"
(1) Calling-Station-Id = "X.X.X.X[4500]"
(1) Acct-Session-Id = "1654086146-3"
(1) EAP-Message = 0x020100060319
(1) NAS-Identifier = "strongSwan"
(1) State = 0x6aa216d56aa312bf987ea9fae6cd4048
(1) Message-Authenticator = 0x031a4fe55f8ec1ee08d13034d8164e22
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) [files] = noop
(1) [preprocess] = ok
(1) [mschap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x6aa216d56aa312bf
(1) eap: Finished EAP session with state 0x6aa216d56aa312bf
(1) eap: Previous EAP request found for state 0x6aa216d56aa312bf, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0x6aa216d56ba00fbf
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 212 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(1) EAP-Message = 0x010200061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x6aa216d56ba00fbf987ea9fae6cd4048
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 213 from 172.16.10.111:47079 to
172.16.10.111:1812 length 344
(2) User-Name = "test1.vpn"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) NAS-Port = 3
(2) NAS-Port-Id = "test1.vpn"
(2) NAS-IP-Address = X.X.X.X
(2) Called-Station-Id = "X.X.X.X[4500]"
(2) Calling-Station-Id = "X.X.X.X[4500]"
(2) Acct-Session-Id = "1654086146-3"
(2) EAP-Message =
0x020200ac1980000000a2160303009d01000099030362975ce3469633ee61d0332929a35ae076af708048f1d1b8d8055196ee255f0700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) NAS-Identifier = "strongSwan"
(2) State = 0x6aa216d56ba00fbf987ea9fae6cd4048
(2) Message-Authenticator = 0x1380eb13af2c8eec169fe4a8c0f7947c
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) [files] = noop
(2) [preprocess] = ok
(2) [mschap] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 172
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x6aa216d56ba00fbf
(2) eap: Finished EAP session with state 0x6aa216d56ba00fbf
(2) eap: Previous EAP request found for state 0x6aa216d56ba00fbf, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(2) eap_peap: Got complete TLS record (162 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 009d]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0a0e]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 024d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 3248 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0x6aa216d568a10fbf
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 213 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(2) EAP-Message =
0x010303ec19c000000cb0160303003d0200003903039f516795514d2124f963a729d1c1f5046a8ec1dc38e8620e0df6721d0ecd7bb400c030000011ff01000100000b000403000102001700001603030a0e0b000a0a000a0700050930820505308202eda003020102020859501ffb058af674300d06092a864886f70d01010c05003018311630140603550403130d4c696e6b736f2056504e204341301e170d3232303532373134333135355a170d3332303532343134333135355a3018311630140603550403130d3137382e31382e36322e32323030820222300d06092a864886f70d01010105000382020f003082020a0282020100a78d1c2b41f372a12f579b055680a56749aa46f0ec6c0031b424589ca4371f4904485b011adfebb5de0b47cd85a6009f7ed0d2f8b2ed60d624322e67c6ac0d92f8044774570dddfb12512d3f354dce91b84bab8c1281abc72f7776fb0aaf3d30ad0daf0c69a07709007fb40f2aff69de1effcbe748cab7c6a889d7df5e92488e33
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x6aa216d568a10fbf987ea9fae6cd4048
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 214 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(3) User-Name = "test1.vpn"
(3) NAS-Port-Type = Virtual
(3) Service-Type = Framed-User
(3) NAS-Port = 3
(3) NAS-Port-Id = "test1.vpn"
(3) NAS-IP-Address = X.X.X.X
(3) Called-Station-Id = "X.X.X.X[4500]"
(3) Calling-Station-Id = "X.X.X.X[4500]"
(3) Acct-Session-Id = "1654086146-3"
(3) EAP-Message = 0x020300061900
(3) NAS-Identifier = "strongSwan"
(3) State = 0x6aa216d568a10fbf987ea9fae6cd4048
(3) Message-Authenticator = 0x8ec75da2a02763705c4be3fab6e7d4bd
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) [files] = noop
(3) [preprocess] = ok
(3) [mschap] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x6aa216d568a10fbf
(3) eap: Finished EAP session with state 0x6aa216d568a10fbf
(3) eap: Previous EAP request found for state 0x6aa216d568a10fbf, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1000
(3) eap: EAP session adding &reply:State = 0x6aa216d569a60fbf
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 214 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(3) EAP-Message =
0x010403e81940bebf80d34d5d2ffadfe99593245c430b0545f71e325611a471ac019a0eb1b4cc51be9e4c4c6d7173cf00d6b53abe40a709dc7013a54897189721d836b31ae0ba84666749f762e02ab0f7b47d56d4ed0985084c55389e67476016143a29513ce10e4f779ba0e79cfedc620ce3b17c114081e2081221b32789bb7a167feb276b90bd6e5ccf3963a97c3da2a7cc5bee2b19fa21a4aa2f4a0abb2699dbe10fdbd42e93a395609bab8aded14fe6829a91017a7553d91e662a960b104d715a882298b2b57a106b608d5cbf18a416f047f92f8d6edc4631a136a88a1316574dfd306656f721427222732b84808fb63b38afe9f956af9969f506dbed0be473b1004960514231c75a8daff60a37ffe26fc85dcfb077c45ef88166b71a0ede035f7c5d79a749f30c64f5ed4e03ed8436e8f08c1d460fc0bd260ec944f99d183119868e804a7f93de415baea77ff7a29672b674e735b9d9170afd483208bec971d40ec0cb8b901f37c69d44d5c4d88bb63f59744c508a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x6aa216d569a60fbf987ea9fae6cd4048
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 215 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(4) User-Name = "test1.vpn"
(4) NAS-Port-Type = Virtual
(4) Service-Type = Framed-User
(4) NAS-Port = 3
(4) NAS-Port-Id = "test1.vpn"
(4) NAS-IP-Address = X.X.X.X
(4) Called-Station-Id = "X.X.X.X[4500]"
(4) Calling-Station-Id = "X.X.X.X[4500]"
(4) Acct-Session-Id = "1654086146-3"
(4) EAP-Message = 0x020400061900
(4) NAS-Identifier = "strongSwan"
(4) State = 0x6aa216d569a60fbf987ea9fae6cd4048
(4) Message-Authenticator = 0xe26fd6d586c478db00a6786eb735c999
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) [files] = noop
(4) [preprocess] = ok
(4) [mschap] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x6aa216d569a60fbf
(4) eap: Finished EAP session with state 0x6aa216d569a60fbf
(4) eap: Previous EAP request found for state 0x6aa216d569a60fbf, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 1000
(4) eap: EAP session adding &reply:State = 0x6aa216d56ea70fbf
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 215 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(4) EAP-Message =
0x010503e819407082cf40cfcee0f3f12cba3aef5822670128cd6f911798eef08198423886ccf7755c826cdcbe3a99ce66a9eae20d46d7161e7b750203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414add6132f6bb457e0c198d140aba7a264e4dc0d8d300d06092a864886f70d01010c05000382020100902e25abac2dddd6ca56f04588ea1f33d011b08f31e625c387b2230a2f9f378387f2929f02a0e839e8ba589f3fa07aa97df211ce02ce75ca2eeff80a09234bc54ce1cb8be75c16b2356d36c1d4ad6bde1b5c8921a1e03d412bfd280c3cabe5b734bd209d9f8182cf64fd4ecf87ab4e677b6c9c70d10f25f6f2772a611a31fcb3e74a800142a211c766841ad6540913ba8c7b39025308a651829d2dfac79d8dac002e21bf72bd73ccf17774b31e0cd3fde6c927cfea62ed17982d4203aa7ab706fc7883dde5321895ae65e63ff503804f12ff80a8075e0f1f9b169d8a1adae22d
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x6aa216d56ea70fbf987ea9fae6cd4048
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 216 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(5) User-Name = "test1.vpn"
(5) NAS-Port-Type = Virtual
(5) Service-Type = Framed-User
(5) NAS-Port = 3
(5) NAS-Port-Id = "test1.vpn"
(5) NAS-IP-Address = X.X.X.X
(5) Called-Station-Id = "X.X.X.X[4500]"
(5) Calling-Station-Id = "X.X.X.X[4500]"
(5) Acct-Session-Id = "1654086146-3"
(5) EAP-Message = 0x020500061900
(5) NAS-Identifier = "strongSwan"
(5) State = 0x6aa216d56ea70fbf987ea9fae6cd4048
(5) Message-Authenticator = 0xeffc14397e2e2698bbe4717d2ad673d3
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) [files] = noop
(5) [preprocess] = ok
(5) [mschap] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x6aa216d56ea70fbf
(5) eap: Finished EAP session with state 0x6aa216d56ea70fbf
(5) eap: Previous EAP request found for state 0x6aa216d56ea70fbf, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 272
(5) eap: EAP session adding &reply:State = 0x6aa216d56fa40fbf
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 216 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(5) EAP-Message =
0x010601101900b95388bf01bc568759d1bcedf399ac35756b2d9ec895c9bbf292cf9cda06422caa91d5ca45ab2b398afb223f946eb59b87855cc7785d21da7388857fe19c71cfddf3e529084da9fbaa5256780b893e76c7627c04a7a8cc73ab61b513a14673f7409dcdf0964badc5cc38b57011876d1ad8bd7a15435aefd05db948107f67da21e45679981950d18eafb02569be67a55b948744cf534598eac71778266dc937c43fd0bb64298d3b30f62299eca9de35fe60517131a19d76ea51648aec407756961b287dcb87e5e9a2674bc24af93f9777d57fa2d31759dc351d2821f731bad747e1231da13f909929fb1ed79ddbf9a1352606b860a0180fe6363d117e2bb45eb1f616030300040e000000
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x6aa216d56fa40fbf987ea9fae6cd4048
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 217 from 172.16.10.111:47079 to
172.16.10.111:1812 length 308
(6) User-Name = "test1.vpn"
(6) NAS-Port-Type = Virtual
(6) Service-Type = Framed-User
(6) NAS-Port = 3
(6) NAS-Port-Id = "test1.vpn"
(6) NAS-IP-Address = X.X.X.X
(6) Called-Station-Id = "X.X.X.X[4500]"
(6) Calling-Station-Id = "X.X.X.X[4500]"
(6) Acct-Session-Id = "1654086146-3"
(6) EAP-Message =
0x0206008819800000007e160303004610000042410402341187576763b91077af4fe0f7c05ab045f71ae0111bc7115da8543b730178500de82d67b06be13e3090850e22f014616bbe165f8e789c65e9796cde9ba77d14030300010116030300280000000000000000ef71b7cb6cc71ec0faa37e0680343b19996d8a7578f2057c965f450002579e68
(6) NAS-Identifier = "strongSwan"
(6) State = 0x6aa216d56fa40fbf987ea9fae6cd4048
(6) Message-Authenticator = 0x7083d87098fb258fbf0258463f6b3dd1
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) [files] = noop
(6) [preprocess] = ok
(6) [mschap] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x6aa216d56fa40fbf
(6) eap: Finished EAP session with state 0x6aa216d56fa40fbf
(6) eap: Previous EAP request found for state 0x6aa216d56fa40fbf, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(6) eap_peap: Got complete TLS record (126 bytes)
(6) eap_peap: [eaptls verify] = length included
(6) eap_peap: TLS_accept: SSLv3/TLS write server done
(6) eap_peap: <<< recv TLS 1.2 [length 0046]
(6) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_peap: <<< recv TLS 1.2 [length 0010]
(6) eap_peap: TLS_accept: SSLv3/TLS read finished
(6) eap_peap: >>> send TLS 1.2 [length 0001]
(6) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_peap: >>> send TLS 1.2 [length 0010]
(6) eap_peap: TLS_accept: SSLv3/TLS write finished
(6) eap_peap: (other): SSL negotiation finished successfully
(6) eap_peap: TLS - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap_peap: TLS - got 51 bytes of data
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 7 length 57
(6) eap: EAP session adding &reply:State = 0x6aa216d56ca50fbf
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) session-state: Saving cached attributes
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 217 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(6) EAP-Message =
0x0107003919001403030001011603030028af9cbe4ad48a36eff3a6bdf4ef810aa3e994e6a355bb852f5ca35e72b2783ab141de53d1460b8f14
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x6aa216d56ca50fbf987ea9fae6cd4048
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 218 from 172.16.10.111:47079 to
172.16.10.111:1812 length 178
(7) User-Name = "test1.vpn"
(7) NAS-Port-Type = Virtual
(7) Service-Type = Framed-User
(7) NAS-Port = 3
(7) NAS-Port-Id = "test1.vpn"
(7) NAS-IP-Address = X.X.X.X
(7) Called-Station-Id = "X.X.X.X[4500]"
(7) Calling-Station-Id = "X.X.X.X[4500]"
(7) Acct-Session-Id = "1654086146-3"
(7) EAP-Message = 0x020700061900
(7) NAS-Identifier = "strongSwan"
(7) State = 0x6aa216d56ca50fbf987ea9fae6cd4048
(7) Message-Authenticator = 0x839536bbc3f30d7434ad9d19cc1c99dd
(7) Restoring &session-state
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) [files] = noop
(7) [preprocess] = ok
(7) [mschap] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x6aa216d56ca50fbf
(7) eap: Finished EAP session with state 0x6aa216d56ca50fbf
(7) eap: Previous EAP request found for state 0x6aa216d56ca50fbf, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: [eaptls verify] = success
(7) eap_peap: [eaptls process] = success
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 8 length 40
(7) eap: EAP session adding &reply:State = 0x6aa216d56daa0fbf
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 218 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(7) EAP-Message =
0x010800281900170303001daf9cbe4ad48a36f0f7e90ea4889d1ec61bd088cf1fa3b7c7d6b699dddb
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x6aa216d56daa0fbf987ea9fae6cd4048
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 219 from 172.16.10.111:47079 to
172.16.10.111:1812 length 217
(8) User-Name = "test1.vpn"
(8) NAS-Port-Type = Virtual
(8) Service-Type = Framed-User
(8) NAS-Port = 3
(8) NAS-Port-Id = "test1.vpn"
(8) NAS-IP-Address = X.X.X.X
(8) Called-Station-Id = "X.X.X.X[4500]"
(8) Calling-Station-Id = "X.X.X.X[4500]"
(8) Acct-Session-Id = "1654086146-3"
(8) EAP-Message =
0x0208002d190017030300220000000000000001153f9416a443657a5ff5eae96e278c16f1ea3e471bf3e6745738
(8) NAS-Identifier = "strongSwan"
(8) State = 0x6aa216d56daa0fbf987ea9fae6cd4048
(8) Message-Authenticator = 0xa4ddd3745d4a15c98227f8f81b897453
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) [files] = noop
(8) [preprocess] = ok
(8) [mschap] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 45
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x6aa216d56daa0fbf
(8) eap: Finished EAP session with state 0x6aa216d56daa0fbf
(8) eap: Previous EAP request found for state 0x6aa216d56daa0fbf, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - test1.vpn
(8) eap_peap: Got inner identity 'test1.vpn'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(8) eap_peap: Setting User-Name to test1.vpn
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "test1.vpn"
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x0208000e0174657374312e76706e
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "test1.vpn"
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [mschap] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 14
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 43
(8) eap: EAP session adding &reply:State = 0xb5af7c78b5a66689
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap: EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled reply RADIUS code 11
(8) eap_peap: EAP-Message =
0x0109002b1a010900261087f1a89e580f82fb8741755cf9725926667265657261646975732d332e302e3230
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(8) eap_peap: Got tunneled Access-Challenge
(8) eap: Sending EAP Request (code 1) ID 9 length 74
(8) eap: EAP session adding &reply:State = 0x6aa216d562ab0fbf
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 219 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(8) EAP-Message =
0x0109004a1900170303003faf9cbe4ad48a36f1d629f5421ac4bd1824440e73056b065a53331c3e0a92dc863006c61a4e3c5b2fd79ec0d2a0560e60915e009f9a35362e1cae48cd0ced91
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x6aa216d562ab0fbf987ea9fae6cd4048
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 220 from 172.16.10.111:47079 to
172.16.10.111:1812 length 271
(9) User-Name = "test1.vpn"
(9) NAS-Port-Type = Virtual
(9) Service-Type = Framed-User
(9) NAS-Port = 3
(9) NAS-Port-Id = "test1.vpn"
(9) NAS-IP-Address = X.X.X.X
(9) Called-Station-Id = "X.X.X.X[4500]"
(9) Calling-Station-Id = "X.X.X.X[4500]"
(9) Acct-Session-Id = "1654086146-3"
(9) EAP-Message =
0x02090063190017030300580000000000000002f0c4c37ddbcba1c1e20a93357294aea5ad42b3ee3213a8669f1a63385ed6ca36ac718fa232c6b16b8cb665c475065e3efe5c09616bc2fe15fbef55fbc01bcd59a69df14f9e98a138ad31732fa8a60845
(9) NAS-Identifier = "strongSwan"
(9) State = 0x6aa216d562ab0fbf987ea9fae6cd4048
(9) Message-Authenticator = 0x224b063c7046c016feef7eead14ad30e
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) [files] = noop
(9) [preprocess] = ok
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 99
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb5af7c78b5a66689
(9) eap: Finished EAP session with state 0x6aa216d562ab0fbf
(9) eap: Previous EAP request found for state 0x6aa216d562ab0fbf, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) eap_peap: Setting User-Name to test1.vpn
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "test1.vpn"
(9) eap_peap: State = 0xb5af7c78b5a66689306ef54310c66f70
(9) Virtual server inner-tunnel received request
(9) EAP-Message =
0x020900441a0209003f31048bd0d906cf0bc9dc125a8b6a3a065f00000000000000009b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b0074657374312e76706e
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "test1.vpn"
(9) State = 0xb5af7c78b5a66689306ef54310c66f70
(9) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 68
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) [files] = noop
(9) [expiration] = noop
(9) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0xb5af7c78b5a66689
(9) eap: Finished EAP session with state 0xb5af7c78b5a66689
(9) eap: Previous EAP request found for state 0xb5af7c78b5a66689, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2: authenticate {
(9) mschap: Creating challenge hash with username: test1.vpn
(9) mschap: Client is using MS-CHAPv2
(9) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2
--username=%{mschap:User-Name} --domain=BRANCHET
--challenge=%{mschap:Challenge:-01} --nt-response=%{mschap:NT-Response:-00}:
(9) mschap: EXPAND --username=%{mschap:User-Name}
(9) mschap: --> --username=test1.vpn
(9) mschap: Creating challenge hash with username: test1.vpn
(9) mschap: EXPAND --challenge=%{mschap:Challenge:-01}
(9) mschap: --> --challenge=578147340978c207
(9) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(9) mschap: -->
--nt-response=9b2a6af5d7787c8c36e1b09356339ba3ec6a8acbf2be654b
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.X bcast=X.X.X.X netmask=255.255.255.224
(9) mschap: Program returned code (0) and output 'NT_KEY:
6F5564CE191F31EAC91AE7DAFA4E36FE'
(9) mschap: Adding MS-CHAPv2 MPPE keys
(9) eap_mschapv2: [mschap] = ok
(9) eap_mschapv2: } # authenticate = ok
(9) eap_mschapv2: MSCHAP Success
(9) eap: Sending EAP Request (code 1) ID 10 length 51
(9) eap: EAP session adding &reply:State = 0xb5af7c78b4a56689
(9) [eap] = handled
(9) } # authenticate = handled
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: EAP-Message =
0x010a00331a0309002e533d46383132373533393846324338373131353643444443333330463841323639363744364137373436
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 10 length 82
(9) eap: EAP session adding &reply:State = 0x6aa216d563a80fbf
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) session-state: Saving cached attributes
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 220 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(9) EAP-Message =
0x010a005219001703030047af9cbe4ad48a36f200cc2406e608e52bf7ca0116a6a6ad1c82837ff257670d9493de1d036022b1d203ec1b0ae8eafe1f394197f42c44488b5c18f803c8044e550e72240fd51805
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x6aa216d563a80fbf987ea9fae6cd4048
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 221 from 172.16.10.111:47079 to
172.16.10.111:1812 length 209
(10) User-Name = "test1.vpn"
(10) NAS-Port-Type = Virtual
(10) Service-Type = Framed-User
(10) NAS-Port = 3
(10) NAS-Port-Id = "test1.vpn"
(10) NAS-IP-Address = X.X.X.X
(10) Called-Station-Id = "X.X.X.X[4500]"
(10) Calling-Station-Id = "X.X.X.X[4500]"
(10) Acct-Session-Id = "1654086146-3"
(10) EAP-Message =
0x020a00251900170303001a00000000000000036997b7ebc43aa9f223d249567570b31c76a8
(10) NAS-Identifier = "strongSwan"
(10) State = 0x6aa216d563a80fbf987ea9fae6cd4048
(10) Message-Authenticator = 0xa363ba931cbea130a76c5684496de326
(10) Restoring &session-state
(10) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) [files] = noop
(10) [preprocess] = ok
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 37
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0xb5af7c78b4a56689
(10) eap: Finished EAP session with state 0x6aa216d563a80fbf
(10) eap: Previous EAP request found for state 0x6aa216d563a80fbf, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message = 0x020a00061a03
(10) eap_peap: Setting User-Name to test1.vpn
(10) eap_peap: Sending tunneled request to inner-tunnel
(10) eap_peap: EAP-Message = 0x020a00061a03
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: State = 0xb5af7c78b4a56689306ef54310c66f70
(10) Virtual server inner-tunnel received request
(10) EAP-Message = 0x020a00061a03
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "test1.vpn"
(10) State = 0xb5af7c78b4a56689306ef54310c66f70
(10) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(10) server inner-tunnel {
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 6
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Expiring EAP session with state 0xb5af7c78b4a56689
(10) eap: Finished EAP session with state 0xb5af7c78b4a56689
(10) eap: Previous EAP request found for state 0xb5af7c78b4a56689, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap: Sending EAP Success (code 3) ID 10 length 4
(10) eap: Freeing handler
(10) [eap] = ok
(10) } # authenticate = ok
(10) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) EAP-Message = 0x030a0004
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) User-Name = "test1.vpn"
(10) eap_peap: Got tunneled reply code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) eap_peap: EAP-Message = 0x030a0004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: Got tunneled reply RADIUS code 2
(10) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(10) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(10) eap_peap: MS-MPPE-Send-Key = 0x38f00ae461f810993896a387f0103cae
(10) eap_peap: MS-MPPE-Recv-Key = 0xb9343e513345bafd0f237fec4de02f9d
(10) eap_peap: EAP-Message = 0x030a0004
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: Tunneled authentication was successful
(10) eap_peap: SUCCESS
(10) eap: Sending EAP Request (code 1) ID 11 length 46
(10) eap: EAP session adding &reply:State = 0x6aa216d560a90fbf
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) session-state: Saving cached attributes
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 221 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(10) EAP-Message =
0x010b002e19001703030023af9cbe4ad48a36f35cb384eb93f8c567b161c1bd7d269ba5882c40b425d5243b03aaad
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x6aa216d560a90fbf987ea9fae6cd4048
(10) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 222 from 172.16.10.111:47079 to
172.16.10.111:1812 length 218
(11) User-Name = "test1.vpn"
(11) NAS-Port-Type = Virtual
(11) Service-Type = Framed-User
(11) NAS-Port = 3
(11) NAS-Port-Id = "test1.vpn"
(11) NAS-IP-Address =X.X.X.X
(11) Called-Station-Id = "X.X.X.X[4500]"
(11) Calling-Station-Id = "X.X.X.X[4500]"
(11) Acct-Session-Id = "1654086146-3"
(11) EAP-Message =
0x020b002e190017030300230000000000000004c7753a144d7875cf1f9f774ec59202fa053603eb1b3e706bb2e274
(11) NAS-Identifier = "strongSwan"
(11) State = 0x6aa216d560a90fbf987ea9fae6cd4048
(11) Message-Authenticator = 0x167bcc052f0017f11a83525b00cf4925
(11) Restoring &session-state
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) [files] = noop
(11) [preprocess] = ok
(11) [mschap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 11 length 46
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0x6aa216d560a90fbf
(11) eap: Finished EAP session with state 0x6aa216d560a90fbf
(11) eap: Previous EAP request found for state 0x6aa216d560a90fbf, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap: Sending EAP Success (code 3) ID 11 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(11) post-auth {
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # post-auth = noop
(11) Sent Access-Accept Id 222 from 172.16.10.111:1812 to
172.16.10.111:47079 length 0
(11) MS-MPPE-Recv-Key =
0xfbbfa1eb5d9e5f987d2f628b5ff6b79a3640ff3a061dd1feaf86725d22d772f4
(11) MS-MPPE-Send-Key =
0x8417c69e87eaf761ea94f5348adb9f0d5101b513fe918c81a5953b73997c04a6
(11) EAP-Message = 0x030b0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "test1.vpn"
(11) Finished request
Waking up in 4.7 seconds.
(12) Received Accounting-Request Id 223 from 172.16.10.111:42384 to
172.16.10.111:1813 length 140
(12) Acct-Status-Type = Start
(12) Acct-Session-Id = "1654086146-3"
(12) NAS-Port-Type = Virtual
(12) Service-Type = Framed-User
(12) NAS-Port = 3
(12) NAS-Port-Id = "test1.vpn"
(12) NAS-IP-Address =X.X.X.X
(12) Called-Station-Id = "X.X.X.X[4500]"
(12) Calling-Station-Id = "X.X.X.X[4500]"
(12) User-Name = "test1.vpn"
(12) NAS-Identifier = "strongSwan"
(12) # Executing section preacct from file /etc/raddb/sites-enabled/default
(12) preacct {
(12) [files] = noop
(12) [preprocess] = ok
(12) policy acct_unique {
(12) update request {
(12) &Tmp-String-9 := "ai:"
(12) } # update request = noop
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(12) EXPAND %{hex:&Class}
(12) -->
(12) EXPAND ^%{hex:&Tmp-String-9}
(12) --> ^61693a
(12) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(12) else {
(12) update request {
(12) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(12) --> a6b8d5646c70fd58db892395d8013f10
(12) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10
(12) } # update request = noop
(12) } # else = noop
(12) } # policy acct_unique = noop
(12) } # preacct = ok
(12) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(12) accounting {
(12) attr_filter.accounting_response: EXPAND %{User-Name}
(12) attr_filter.accounting_response: --> test1.vpn
(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(12) [attr_filter.accounting_response] = updated
(12) } # accounting = updated
(12) Sent Accounting-Response Id 223 from 172.16.10.111:1813 to
172.16.10.111:42384 length 0
(12) Finished request
(12) Cleaning up request packet ID 223 with timestamp +6
Waking up in 4.7 seconds.
(13) Received Accounting-Request Id 224 from 172.16.10.111:42384 to
172.16.10.111:1813 length 176
(13) Acct-Status-Type = Stop
(13) Acct-Session-Id = "1654086146-3"
(13) NAS-Port-Type = Virtual
(13) Service-Type = Framed-User
(13) NAS-Port = 3
(13) NAS-Port-Id = "test1.vpn"
(13) NAS-IP-Address =X.X.X.X
(13) Called-Station-Id = "X.X.X.X[4500]"
(13) Calling-Station-Id = "X.X.X.X[4500]"
(13) User-Name = "test1.vpn"
(13) Acct-Output-Octets = 0
(13) Acct-Output-Packets = 0
(13) Acct-Input-Octets = 0
(13) Acct-Input-Packets = 0
(13) Acct-Session-Time = 0
(13) Acct-Terminate-Cause = User-Request
(13) NAS-Identifier = "strongSwan"
(13) # Executing section preacct from file /etc/raddb/sites-enabled/default
(13) preacct {
(13) [files] = noop
(13) [preprocess] = ok
(13) policy acct_unique {
(13) update request {
(13) &Tmp-String-9 := "ai:"
(13) } # update request = noop
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(13) EXPAND %{hex:&Class}
(13) -->
(13) EXPAND ^%{hex:&Tmp-String-9}
(13) --> ^61693a
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(13) else {
(13) update request {
(13) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(13) --> a6b8d5646c70fd58db892395d8013f10
(13) &Acct-Unique-Session-Id := a6b8d5646c70fd58db892395d8013f10
(13) } # update request = noop
(13) } # else = noop
(13) } # policy acct_unique = noop
(13) } # preacct = ok
(13) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(13) accounting {
(13) attr_filter.accounting_response: EXPAND %{User-Name}
(13) attr_filter.accounting_response: --> test1.vpn
(13) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(13) [attr_filter.accounting_response] = updated
(13) } # accounting = updated
(13) Sent Accounting-Response Id 224 from 172.16.10.111:1813 to
172.16.10.111:42384 length 0
(13) Finished request
(13) Cleaning up request packet ID 224 with timestamp +6
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 211 with timestamp +5
(1) Cleaning up request packet ID 212 with timestamp +5
(2) Cleaning up request packet ID 213 with timestamp +5
(3) Cleaning up request packet ID 214 with timestamp +5
(4) Cleaning up request packet ID 215 with timestamp +5
(5) Cleaning up request packet ID 216 with timestamp +5
(6) Cleaning up request packet ID 217 with timestamp +5
(7) Cleaning up request packet ID 218 with timestamp +5
(8) Cleaning up request packet ID 219 with timestamp +5
Waking up in 0.1 seconds.
(9) Cleaning up request packet ID 220 with timestamp +5
(10) Cleaning up request packet ID 221 with timestamp +6
(11) Cleaning up request packet ID 222 with timestamp +6
Ready to process requests
I replaced the public IP address with X.X.X.X.
Thanks in advance for any tips, or leads. Have a wonderful day.
More information about the Freeradius-Users
mailing list