Framed-Route not appearing on the client
Alexis Lacoste
alexislacoste2 at gmail.com
Fri Jun 3 12:34:51 UTC 2022
Good afternoon,
After I resolved the issue with the IP address not being present on the
client with Framed-IP-Address, I needed the client to get a gateway to
the corresponding subnet.
Without that gateway, the client doesn't know where to go when it arrives
on the public interface.
I looked at https://freeradius.org/rfc/rfc2865.html#Framed-Route and
used the example below, without adding the metric options.
test1.vpn    Service-Type == Framed-User
        Framed-IP-Address += 10.10.10.6,
        Framed-Route += "172.16.10.0/24 172.16.10.254",
        Framed-IP-Netmask += 255.255.255.0,
        Fall-Through = Yes
I have also tried "172.16.10.0 172.16.10.254" and "172.16.10.0/24 172.16.10.254
1 2 -1 3 400", but when I run ipconfig there is no change, and no route is
added according to route print.
Here is the radiusd -X log:
(1) Received Access-Request Id 110 from 127.0.0.1:39643 to 127.0.0.1:1812
length 169
(1) User-Name = "test1.vpn"
(1) NAS-Port-Type = Virtual
(1) Service-Type = Framed-User
(1) NAS-Port = 23
(1) NAS-Port-Id = "test1.vpn"
(1) NAS-IP-Address = X.X.X.220
(1) Called-Station-Id = "X.X.X.220[4500]"
(1) Calling-Station-Id = "X.X.X.211[4500]"
(1) Acct-Session-Id = "1654243660-23"
(1) EAP-Message = 0x0200000e0174657374312e76706e
(1) NAS-Identifier = "strongSwan"
(1) Message-Authenticator = 0xf9c61265bceb4790a3b47226f48e2c0e
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) files: users: Matched entry test1.vpn at line 3
(1) [files] = ok
(1) [preprocess] = ok
(1) [mschap] = noop
(1) eap: Peer sent EAP Response (code 2) ID 0 length 14
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: Issuing MD5 Challenge
(1) eap: Sending EAP Request (code 1) ID 1 length 22
(1) eap: EAP session adding &reply:State = 0x1ee1c2c31ee0c6b6
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 110 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(1) Framed-IP-Address = 10.10.10.6
(1) Framed-Route = "172.16.10.0/24 172.16.10.254"
(1) Framed-IP-Netmask = 255.255.255.0
(1) EAP-Message = 0x01010016041090b5fda5bb3dcbe908a3f3380788de98
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x1ee1c2c31ee0c6b67da4e0496fb672ca
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 111 from 127.0.0.1:39643 to 127.0.0.1:1812
length 179
(2) User-Name = "test1.vpn"
(2) NAS-Port-Type = Virtual
(2) Service-Type = Framed-User
(2) NAS-Port = 23
(2) NAS-Port-Id = "test1.vpn"
(2) NAS-IP-Address = X.X.X.220
(2) Called-Station-Id = "X.X.X.220[4500]"
(2) Calling-Station-Id = "X.X.X.211[4500]"
(2) Acct-Session-Id = "1654243660-23"
(2) EAP-Message = 0x020100060319
(2) NAS-Identifier = "strongSwan"
(2) State = 0x1ee1c2c31ee0c6b67da4e0496fb672ca
(2) Message-Authenticator = 0x7fb7e39123c77d8bf07ba2d89019a7f6
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) files: users: Matched entry test1.vpn at line 3
(2) [files] = ok
(2) [preprocess] = ok
(2) [mschap] = noop
(2) eap: Peer sent EAP Response (code 2) ID 1 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x1ee1c2c31ee0c6b6
(2) eap: Finished EAP session with state 0x1ee1c2c31ee0c6b6
(2) eap: Previous EAP request found for state 0x1ee1c2c31ee0c6b6, released
from the list
(2) eap: Peer sent packet with method EAP NAK (3)
(2) eap: Found mutually acceptable type PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Initiating new TLS session
(2) eap_peap: [eaptls start] = request
(2) eap: Sending EAP Request (code 1) ID 2 length 6
(2) eap: EAP session adding &reply:State = 0x1ee1c2c31fe3dbb6
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 111 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(2) Framed-IP-Address = 10.10.10.6
(2) Framed-Route = "172.16.10.0/24 172.16.10.254"
(2) Framed-IP-Netmask = 255.255.255.0
(2) EAP-Message = 0x010200061920
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x1ee1c2c31fe3dbb67da4e0496fb672ca
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 112 from 127.0.0.1:39643 to 127.0.0.1:1812
length 345
(3) User-Name = "test1.vpn"
(3) NAS-Port-Type = Virtual
(3) Service-Type = Framed-User
(3) NAS-Port = 23
(3) NAS-Port-Id = "test1.vpn"
(3) NAS-IP-Address = X.X.X.220
(3) Called-Station-Id = "X.X.X.220[4500]"
(3) Calling-Station-Id = "X.X.X.211[4500]"
(3) Acct-Session-Id = "1654243660-23"
(3) EAP-Message =
0x020200ac1980000000a2160303009d0100009903036299fd276a1f5725294c54bbe39e76a2b6b0fd113394be604d5a58554580473400002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(3) NAS-Identifier = "strongSwan"
(3) State = 0x1ee1c2c31fe3dbb67da4e0496fb672ca
(3) Message-Authenticator = 0xad9955152429f7011a592db314060109
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3) authorize {
(3) files: users: Matched entry test1.vpn at line 3
(3) [files] = ok
(3) [preprocess] = ok
(3) [mschap] = noop
(3) eap: Peer sent EAP Response (code 2) ID 2 length 172
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x1ee1c2c31fe3dbb6
(3) eap: Finished EAP session with state 0x1ee1c2c31fe3dbb6
(3) eap: Previous EAP request found for state 0x1ee1c2c31fe3dbb6, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(3) eap_peap: Got complete TLS record (162 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: (other): before SSL initialization
(3) eap_peap: TLS_accept: before SSL initialization
(3) eap_peap: TLS_accept: before SSL initialization
(3) eap_peap: <<< recv TLS 1.3 [length 009d]
(3) eap_peap: TLS_accept: SSLv3/TLS read client hello
(3) eap_peap: >>> send TLS 1.2 [length 003d]
(3) eap_peap: TLS_accept: SSLv3/TLS write server hello
(3) eap_peap: >>> send TLS 1.2 [length 0a0e]
(3) eap_peap: TLS_accept: SSLv3/TLS write certificate
(3) eap_peap: >>> send TLS 1.2 [length 024d]
(3) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(3) eap_peap: >>> send TLS 1.2 [length 0004]
(3) eap_peap: TLS_accept: SSLv3/TLS write server done
(3) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(3) eap_peap: TLS - In Handshake Phase
(3) eap_peap: TLS - got 3248 bytes of data
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 3 length 1004
(3) eap: EAP session adding &reply:State = 0x1ee1c2c31ce2dbb6
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 112 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(3) Framed-IP-Address = 10.10.10.6
(3) Framed-Route = "172.16.10.0/24 172.16.10.254"
(3) Framed-IP-Netmask = 255.255.255.0
(3) EAP-Message =
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x1ee1c2c31ce2dbb67da4e0496fb672ca
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 113 from 127.0.0.1:39643 to 127.0.0.1:1812
length 179
(4) User-Name = "test1.vpn"
(4) NAS-Port-Type = Virtual
(4) Service-Type = Framed-User
(4) NAS-Port = 23
(4) NAS-Port-Id = "test1.vpn"
(4) NAS-IP-Address = X.X.X.220
(4) Called-Station-Id = "X.X.X.220[4500]"
(4) Calling-Station-Id = "X.X.X.11[4500]"
(4) Acct-Session-Id = "1654243660-23"
(4) EAP-Message = 0x020300061900
(4) NAS-Identifier = "strongSwan"
(4) State = 0x1ee1c2c31ce2dbb67da4e0496fb672ca
(4) Message-Authenticator = 0xe9255862a72fdefe69d2869cdb9daa64
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4) authorize {
(4) files: users: Matched entry test1.vpn at line 3
(4) [files] = ok
(4) [preprocess] = ok
(4) [mschap] = noop
(4) eap: Peer sent EAP Response (code 2) ID 3 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x1ee1c2c31ce2dbb6
(4) eap: Finished EAP session with state 0x1ee1c2c31ce2dbb6
(4) eap: Previous EAP request found for state 0x1ee1c2c31ce2dbb6, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 4 length 1000
(4) eap: EAP session adding &reply:State = 0x1ee1c2c31de5dbb6
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 113 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(4) Framed-IP-Address = 10.10.10.6
(4) Framed-Route = "172.16.10.0/24 172.16.10.254"
(4) Framed-IP-Netmask = 255.255.255.0
(4) EAP-Message =
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x1ee1c2c31de5dbb67da4e0496fb672ca
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 114 from 127.0.0.1:39643 to 127.0.0.1:1812
length 179
(5) User-Name = "test1.vpn"
(5) NAS-Port-Type = Virtual
(5) Service-Type = Framed-User
(5) NAS-Port = 23
(5) NAS-Port-Id = "test1.vpn"
(5) NAS-IP-Address = X.X.X.220
(5) Called-Station-Id = "X.X.X.20[4500]"
(5) Calling-Station-Id = "X.X.X.211[4500]"
(5) Acct-Session-Id = "1654243660-23"
(5) EAP-Message = 0x020400061900
(5) NAS-Identifier = "strongSwan"
(5) State = 0x1ee1c2c31de5dbb67da4e0496fb672ca
(5) Message-Authenticator = 0xea650ae4362cd184b3f28cddf49ad01c
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5) authorize {
(5) files: users: Matched entry test1.vpn at line 3
(5) [files] = ok
(5) [preprocess] = ok
(5) [mschap] = noop
(5) eap: Peer sent EAP Response (code 2) ID 4 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x1ee1c2c31de5dbb6
(5) eap: Finished EAP session with state 0x1ee1c2c31de5dbb6
(5) eap: Previous EAP request found for state 0x1ee1c2c31de5dbb6, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment
(5) eap_peap: [eaptls verify] = request
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 5 length 1000
(5) eap: EAP session adding &reply:State = 0x1ee1c2c31ae4dbb6
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 114 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(5) Framed-IP-Address = 10.10.10.6
(5) Framed-Route = "172.16.10.0/24 172.16.10.254"
(5) Framed-IP-Netmask = 255.255.255.0
(5) EAP-Message =
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x1ee1c2c31ae4dbb67da4e0496fb672ca
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 115 from 127.0.0.1:39643 to 127.0.0.1:1812
length 179
(6) User-Name = "test1.vpn"
(6) NAS-Port-Type = Virtual
(6) Service-Type = Framed-User
(6) NAS-Port = 23
(6) NAS-Port-Id = "test1.vpn"
(6) NAS-IP-Address = X.X.X.220
(6) Called-Station-Id = "X.X.X.220[4500]"
(6) Calling-Station-Id = "X.X.X.211[4500]"
(6) Acct-Session-Id = "1654243660-23"
(6) EAP-Message = 0x020500061900
(6) NAS-Identifier = "strongSwan"
(6) State = 0x1ee1c2c31ae4dbb67da4e0496fb672ca
(6) Message-Authenticator = 0x20f1a93bf98ff703c88607c5af6b39a3
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6) authorize {
(6) files: users: Matched entry test1.vpn at line 3
(6) [files] = ok
(6) [preprocess] = ok
(6) [mschap] = noop
(6) eap: Peer sent EAP Response (code 2) ID 5 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x1ee1c2c31ae4dbb6
(6) eap: Finished EAP session with state 0x1ee1c2c31ae4dbb6
(6) eap: Previous EAP request found for state 0x1ee1c2c31ae4dbb6, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment
(6) eap_peap: [eaptls verify] = request
(6) eap_peap: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 6 length 272
(6) eap: EAP session adding &reply:State = 0x1ee1c2c31be7dbb6
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 115 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(6) Framed-IP-Address = 10.10.10.6
(6) Framed-Route = "172.16.10.0/24 172.16.10.254"
(6) Framed-IP-Netmask = 255.255.255.0
(6) EAP-Message =
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x1ee1c2c31be7dbb67da4e0496fb672ca
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 116 from 127.0.0.1:39643 to 127.0.0.1:1812
length 309
(7) User-Name = "test1.vpn"
(7) NAS-Port-Type = Virtual
(7) Service-Type = Framed-User
(7) NAS-Port = 23
(7) NAS-Port-Id = "test1.vpn"
(7) NAS-IP-Address = X.X.X.220
(7) Called-Station-Id = "X.X.X.220[4500]"
(7) Calling-Station-Id = "X.X.X.211[4500]"
(7) Acct-Session-Id = "1654243660-23"
(7) EAP-Message =
0x0206008819800000007e1603030046100000424104350848568eed83f107ec16f596aaac42de6ef55ab0b47108ddc32b1d0118178e819ea7f7fe7c22300f7a04817c3e3064a1d4124cf58a5d16433363f8b6c35c3b14030300010116030300280000000000000000d888cc0cad9ea9fd18e1a0e0812250561ed19861ad2fadbf6cfbc0e25c621fc2
(7) NAS-Identifier = "strongSwan"
(7) State = 0x1ee1c2c31be7dbb67da4e0496fb672ca
(7) Message-Authenticator = 0x182aa5d5b9286e3520dacd1462d67272
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7) authorize {
(7) files: users: Matched entry test1.vpn at line 3
(7) [files] = ok
(7) [preprocess] = ok
(7) [mschap] = noop
(7) eap: Peer sent EAP Response (code 2) ID 6 length 136
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x1ee1c2c31be7dbb6
(7) eap: Finished EAP session with state 0x1ee1c2c31be7dbb6
(7) eap: Previous EAP request found for state 0x1ee1c2c31be7dbb6, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(7) eap_peap: Got complete TLS record (126 bytes)
(7) eap_peap: [eaptls verify] = length included
(7) eap_peap: TLS_accept: SSLv3/TLS write server done
(7) eap_peap: <<< recv TLS 1.2 [length 0046]
(7) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(7) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(7) eap_peap: <<< recv TLS 1.2 [length 0010]
(7) eap_peap: TLS_accept: SSLv3/TLS read finished
(7) eap_peap: >>> send TLS 1.2 [length 0001]
(7) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(7) eap_peap: >>> send TLS 1.2 [length 0010]
(7) eap_peap: TLS_accept: SSLv3/TLS write finished
(7) eap_peap: (other): SSL negotiation finished successfully
(7) eap_peap: TLS - Connection Established
(7) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) eap_peap: TLS-Session-Version = "TLS 1.2"
(7) eap_peap: TLS - got 51 bytes of data
(7) eap_peap: [eaptls process] = handled
(7) eap: Sending EAP Request (code 1) ID 7 length 57
(7) eap: EAP session adding &reply:State = 0x1ee1c2c318e6dbb6
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) session-state: Saving cached attributes
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 116 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(7) Framed-IP-Address = 10.10.10.6
(7) Framed-Route = "172.16.10.0/24 172.16.10.254"
(7) Framed-IP-Netmask = 255.255.255.0
(7) EAP-Message =
0x01070039190014030300010116030300289e5cd13943bc517eff9a9cf4bcdb9fa2988a382c89f04e68524617ba480dfc733454c4394c3cda2d
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x1ee1c2c318e6dbb67da4e0496fb672ca
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 117 from 127.0.0.1:39643 to 127.0.0.1:1812
length 179
(8) User-Name = "test1.vpn"
(8) NAS-Port-Type = Virtual
(8) Service-Type = Framed-User
(8) NAS-Port = 23
(8) NAS-Port-Id = "test1.vpn"
(8) NAS-IP-Address = X.X.X.220
(8) Called-Station-Id = "X.X.X.220[4500]"
(8) Calling-Station-Id = "X.X.X.211[4500]"
(8) Acct-Session-Id = "1654243660-23"
(8) EAP-Message = 0x020700061900
(8) NAS-Identifier = "strongSwan"
(8) State = 0x1ee1c2c318e6dbb67da4e0496fb672ca
(8) Message-Authenticator = 0x87ca357171c042c52eae09a2fdad8fd4
(8) Restoring &session-state
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8) authorize {
(8) files: users: Matched entry test1.vpn at line 3
(8) [files] = ok
(8) [preprocess] = ok
(8) [mschap] = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 6
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x1ee1c2c318e6dbb6
(8) eap: Finished EAP session with state 0x1ee1c2c318e6dbb6
(8) eap: Previous EAP request found for state 0x1ee1c2c318e6dbb6, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(8) eap_peap: [eaptls verify] = success
(8) eap_peap: [eaptls process] = success
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state TUNNEL ESTABLISHED
(8) eap: Sending EAP Request (code 1) ID 8 length 40
(8) eap: EAP session adding &reply:State = 0x1ee1c2c319e9dbb6
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8) session-state: Saving cached attributes
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 117 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(8) Framed-IP-Address = 10.10.10.6
(8) Framed-Route = "172.16.10.0/24 172.16.10.254"
(8) Framed-IP-Netmask = 255.255.255.0
(8) EAP-Message =
0x010800281900170303001d9e5cd13943bc517f1ca9c374ef3b22325c3209c2e3d6adb4d0ef3ace0c
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x1ee1c2c319e9dbb67da4e0496fb672ca
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 118 from 127.0.0.1:39643 to 127.0.0.1:1812
length 218
(9) User-Name = "test1.vpn"
(9) NAS-Port-Type = Virtual
(9) Service-Type = Framed-User
(9) NAS-Port = 23
(9) NAS-Port-Id = "test1.vpn"
(9) NAS-IP-Address = X.X.X.220
(9) Called-Station-Id = "X.X.X.220[4500]"
(9) Calling-Station-Id = "X.X.X.211[4500]"
(9) Acct-Session-Id = "1654243660-23"
(9) EAP-Message =
0x0208002d190017030300220000000000000001477baf4933f3c4877115c28e5e2c234662d5e7dc19c58d0ff202
(9) NAS-Identifier = "strongSwan"
(9) State = 0x1ee1c2c319e9dbb67da4e0496fb672ca
(9) Message-Authenticator = 0x8fb59e4cd4bfb6499fd57e90219e1015
(9) Restoring &session-state
(9) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9) authorize {
(9) files: users: Matched entry test1.vpn at line 3
(9) [files] = ok
(9) [preprocess] = ok
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 45
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x1ee1c2c319e9dbb6
(9) eap: Finished EAP session with state 0x1ee1c2c319e9dbb6
(9) eap: Previous EAP request found for state 0x1ee1c2c319e9dbb6, released
from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(9) eap_peap: Identity - test1.vpn
(9) eap_peap: Got inner identity 'test1.vpn'
(9) eap_peap: Setting default EAP type for tunneled EAP session
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(9) eap_peap: Setting User-Name to test1.vpn
(9) eap_peap: Sending tunneled request to inner-tunnel
(9) eap_peap: EAP-Message = 0x0208000e0174657374312e76706e
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "test1.vpn"
(9) Virtual server inner-tunnel received request
(9) EAP-Message = 0x0208000e0174657374312e76706e
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "test1.vpn"
(9) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) server inner-tunnel {
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [mschap] = noop
(9) eap: Peer sent EAP Response (code 2) ID 8 length 14
(9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Peer sent packet with method EAP Identity (1)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: Issuing Challenge
(9) eap: Sending EAP Request (code 1) ID 9 length 43
(9) eap: EAP session adding &reply:State = 0x77d61e8777df0400
(9) [eap] = handled
(9) } # authenticate = handled
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) EAP-Message =
0x0109002b1a0109002610f3f955ef73c249d34cc08653d38cf2e1667265657261646975732d332e302e3230
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x77d61e8777df0400aa8dafc0f122a1ae
(9) eap_peap: Got tunneled reply code 11
(9) eap_peap: EAP-Message =
0x0109002b1a0109002610f3f955ef73c249d34cc08653d38cf2e1667265657261646975732d332e302e3230
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0x77d61e8777df0400aa8dafc0f122a1ae
(9) eap_peap: Got tunneled reply RADIUS code 11
(9) eap_peap: EAP-Message =
0x0109002b1a0109002610f3f955ef73c249d34cc08653d38cf2e1667265657261646975732d332e302e3230
(9) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_peap: State = 0x77d61e8777df0400aa8dafc0f122a1ae
(9) eap_peap: Got tunneled Access-Challenge
(9) eap: Sending EAP Request (code 1) ID 9 length 74
(9) eap: EAP session adding &reply:State = 0x1ee1c2c316e8dbb6
(9) [eap] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) session-state: Saving cached attributes
(9) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 118 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(9) Framed-IP-Address = 10.10.10.6
(9) Framed-Route = "172.16.10.0/24 172.16.10.254"
(9) Framed-IP-Netmask = 255.255.255.0
(9) EAP-Message =
0x0109004a1900170303003f9e5cd13943bc51807d6489913fdb112a1ac5f51887be8e53c2db8b26c3e19c0680cc9e3070e835df3c6fed3a82ea228f01962130d389d61ed1461f8d86452c
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x1ee1c2c316e8dbb67da4e0496fb672ca
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 119 from 127.0.0.1:39643 to 127.0.0.1:1812
length 272
(10) User-Name = "test1.vpn"
(10) NAS-Port-Type = Virtual
(10) Service-Type = Framed-User
(10) NAS-Port = 23
(10) NAS-Port-Id = "test1.vpn"
(10) NAS-IP-Address = X.X.X.220
(10) Called-Station-Id = "X.X.X.220[4500]"
(10) Calling-Station-Id = "X.X.X.211[4500]"
(10) Acct-Session-Id = "1654243660-23"
(10) EAP-Message =
0x02090063190017030300580000000000000002a2cc1798c3785a7dd9aec21bf28e16fc97365825b7ac6559c3134aff1f443e5e1680ad67a304ace789531e464b1afdcd3b20c0d5dafd9a0b1a9cfcc164adf2d449a8662c460150ee7a9b98a035ee7285
(10) NAS-Identifier = "strongSwan"
(10) State = 0x1ee1c2c316e8dbb67da4e0496fb672ca
(10) Message-Authenticator = 0x825d8ace59e7de2fe46bf97ee5bf0b3e
(10) Restoring &session-state
(10) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(10) &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(10) authorize {
(10) files: users: Matched entry test1.vpn at line 3
(10) [files] = ok
(10) [preprocess] = ok
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 9 length 99
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) authenticate {
(10) eap: Expiring EAP session with state 0x77d61e8777df0400
(10) eap: Finished EAP session with state 0x1ee1c2c316e8dbb6
(10) eap: Previous EAP request found for state 0x1ee1c2c316e8dbb6, released
from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message =
0x020900441a0209003f3142e5d9b195ccee99d43e70b16db5d6f50000000000000000ec7383cd297a92e7054e42ca28029f0abf7a912249fb42e40074657374312e76706e
(10) eap_peap: Setting User-Name to test1.vpn
(10) eap_peap: Sending tunneled request to inner-tunnel
(10) eap_peap: EAP-Message =
0x020900441a0209003f3142e5d9b195ccee99d43e70b16db5d6f50000000000000000ec7383cd297a92e7054e42ca28029f0abf7a912249fb42e40074657374312e76706e
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "test1.vpn"
(10) eap_peap: State = 0x77d61e8777df0400aa8dafc0f122a1ae
(10) Virtual server inner-tunnel received request
(10) EAP-Message =
0x020900441a0209003f3142e5d9b195ccee99d43e70b16db5d6f50000000000000000ec7383cd297a92e7054e42ca28029f0abf7a912249fb42e40074657374312e76706e
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "test1.vpn"
(10) State = 0x77d61e8777df0400aa8dafc0f122a1ae
(10) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(10) server inner-tunnel {
(10) session-state: No cached attributes
(10) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(10) authorize {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = notfound
(10) } # policy filter_username = notfound
(10) [mschap] = noop
(10) eap: Peer sent EAP Response (code 2) ID 9 length 68
(10) eap: No EAP Start, assuming it's an on-going EAP conversation
(10) [eap] = updated
(10) [files] = noop
(10) [expiration] = noop
(10) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(10) [pap] = noop
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(10) authenticate {
(10) eap: Expiring EAP session with state 0x77d61e8777df0400
(10) eap: Finished EAP session with state 0x77d61e8777df0400
(10) eap: Previous EAP request found for state 0x77d61e8777df0400, released
from the list
(10) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(10) eap: Calling submodule eap_mschapv2 to process data
(10) eap_mschapv2: # Executing group from file
/etc/raddb/sites-enabled/inner-tunnel
(10) eap_mschapv2: authenticate {
(10) mschap: Creating challenge hash with username: test1.vpn
(10) mschap: Client is using MS-CHAPv2
(10) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
--allow-mschapv2 --username=%{mschap:User-Name} --domain=BRANCHET
--challenge=%{mschap:Challenge:-01} --nt-response=%{mschap:NT-Response:-00}:
(10) mschap: EXPAND --username=%{mschap:User-Name}
(10) mschap: --> --username=test1.vpn
(10) mschap: Creating challenge hash with username: test1.vpn
(10) mschap: EXPAND --challenge=%{mschap:Challenge:-01}
(10) mschap: --> --challenge=6bdb0d44a5236820
(10) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(10) mschap: -->
--nt-response=ec7383cd297a92e7054e42ca28029f0abf7a912249fb42e4
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.220 bcast=X.X.X.223 netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.220 bcast=X.X.X.223 netmask=255.255.255.224
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
added interface ens3 ip=172.16.10.111 bcast=172.16.10.255
netmask=255.255.255.0
added interface ens4 ip=X.X.X.220 bcast=X.X.X.223 netmask=255.255.255.224
(10) mschap: Program returned code (0) and output 'NT_KEY:
6F5564CE191F31EAC91AE7DAFA4E36FE'
(10) mschap: Adding MS-CHAPv2 MPPE keys
(10) eap_mschapv2: [mschap] = ok
(10) eap_mschapv2: } # authenticate = ok
(10) eap_mschapv2: MSCHAP Success
(10) eap: Sending EAP Request (code 1) ID 10 length 51
(10) eap: EAP session adding &reply:State = 0x77d61e8776dc0400
(10) [eap] = handled
(10) } # authenticate = handled
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10) EAP-Message =
0x010a00331a0309002e533d41324131423732333038393939463532333138453331383439443931413235433841353138444246
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x77d61e8776dc0400aa8dafc0f122a1ae
(10) eap_peap: Got tunneled reply code 11
(10) eap_peap: EAP-Message =
0x010a00331a0309002e533d41324131423732333038393939463532333138453331383439443931413235433841353138444246
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: State = 0x77d61e8776dc0400aa8dafc0f122a1ae
(10) eap_peap: Got tunneled reply RADIUS code 11
(10) eap_peap: EAP-Message =
0x010a00331a0309002e533d41324131423732333038393939463532333138453331383439443931413235433841353138444246
(10) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(10) eap_peap: State = 0x77d61e8776dc0400aa8dafc0f122a1ae
(10) eap_peap: Got tunneled Access-Challenge
(10) eap: Sending EAP Request (code 1) ID 10 length 82
(10) eap: EAP session adding &reply:State = 0x1ee1c2c317ebdbb6
(10) [eap] = handled
(10) } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) session-state: Saving cached attributes
(10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10) TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 119 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(10) Framed-IP-Address = 10.10.10.6
(10) Framed-Route = "172.16.10.0/24 172.16.10.254"
(10) Framed-IP-Netmask = 255.255.255.0
(10) EAP-Message =
0x010a0052190017030300479e5cd13943bc518136eddfd30e4a130aa1b816b1a5bac0aed321dc3a80883d878486214198fedbabf9630e53826282e5335243a14ea3b0d33e6ee214eaee656c5d9324da46c6d2
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0x1ee1c2c317ebdbb67da4e0496fb672ca
(10) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 120 from 127.0.0.1:39643 to 127.0.0.1:1812
length 210
(11) User-Name = "test1.vpn"
(11) NAS-Port-Type = Virtual
(11) Service-Type = Framed-User
(11) NAS-Port = 23
(11) NAS-Port-Id = "test1.vpn"
(11) NAS-IP-Address = X.X.X.220
(11) Called-Station-Id = "X.X.X.220[4500]"
(11) Calling-Station-Id = "X.X.X.211[4500]"
(11) Acct-Session-Id = "1654243660-23"
(11) EAP-Message =
0x020a00251900170303001a0000000000000003b2b96f8f71d71744735da3f7898a5dba681b
(11) NAS-Identifier = "strongSwan"
(11) State = 0x1ee1c2c317ebdbb67da4e0496fb672ca
(11) Message-Authenticator = 0x288e9dc84922a54c0cc6ea5663be4b40
(11) Restoring &session-state
(11) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11) &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) files: users: Matched entry test1.vpn at line 3
(11) [files] = ok
(11) [preprocess] = ok
(11) [mschap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 10 length 37
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) authenticate {
(11) eap: Expiring EAP session with state 0x77d61e8776dc0400
(11) eap: Finished EAP session with state 0x1ee1c2c317ebdbb6
(11) eap: Previous EAP request found for state 0x1ee1c2c317ebdbb6, released
from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: [eaptls verify] = ok
(11) eap_peap: Done initial handshake
(11) eap_peap: [eaptls process] = ok
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state phase2
(11) eap_peap: EAP method MSCHAPv2 (26)
(11) eap_peap: Got tunneled request
(11) eap_peap: EAP-Message = 0x020a00061a03
(11) eap_peap: Setting User-Name to test1.vpn
(11) eap_peap: Sending tunneled request to inner-tunnel
(11) eap_peap: EAP-Message = 0x020a00061a03
(11) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_peap: User-Name = "test1.vpn"
(11) eap_peap: State = 0x77d61e8776dc0400aa8dafc0f122a1ae
(11) Virtual server inner-tunnel received request
(11) EAP-Message = 0x020a00061a03
(11) FreeRADIUS-Proxied-To = 127.0.0.1
(11) User-Name = "test1.vpn"
(11) State = 0x77d61e8776dc0400aa8dafc0f122a1ae
(11) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(11) server inner-tunnel {
(11) session-state: No cached attributes
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
(11) authorize {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = notfound
(11) } # policy filter_username = notfound
(11) [mschap] = noop
(11) eap: Peer sent EAP Response (code 2) ID 10 length 6
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11) [eap] = updated
(11) [files] = noop
(11) [expiration] = noop
(11) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(11) [pap] = noop
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(11) authenticate {
(11) eap: Expiring EAP session with state 0x77d61e8776dc0400
(11) eap: Finished EAP session with state 0x77d61e8776dc0400
(11) eap: Previous EAP request found for state 0x77d61e8776dc0400, released
from the list
(11) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11) eap: Calling submodule eap_mschapv2 to process data
(11) eap: Sending EAP Success (code 3) ID 10 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) } # authenticate = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel
(11) post-auth {
(11) update {
(11) &outer.session-state::MS-MPPE-Encryption-Policy +=
&reply:MS-MPPE-Encryption-Policy[*] -> Encryption-Allowed
(11) &outer.session-state::MS-MPPE-Encryption-Types +=
&reply:MS-MPPE-Encryption-Types[*] -> RC4-40or128-bit-Allowed
(11) &outer.session-state::MS-MPPE-Send-Key +=
&reply:MS-MPPE-Send-Key[*] -> 0xc95e91e5d6d75a41ddedeb1d410b74dc
(11) &outer.session-state::MS-MPPE-Recv-Key +=
&reply:MS-MPPE-Recv-Key[*] -> 0xf03d8d652f0906ecde38699a80de028f
(11) &outer.session-state::EAP-Message += &reply:EAP-Message[*] ->
0x030a0004
(11) &outer.session-state::Message-Authenticator +=
&reply:Message-Authenticator[*] -> 0x00000000000000000000000000000000
(11) &outer.session-state::User-Name += &reply:User-Name[*] ->
'test1.vpn'
(11) } # update = noop
(11) update outer.session-state {
(11) MS-MPPE-Encryption-Policy !* ANY
(11) MS-MPPE-Encryption-Types !* ANY
(11) MS-MPPE-Send-Key !* ANY
(11) MS-MPPE-Recv-Key !* ANY
(11) Message-Authenticator !* ANY
(11) EAP-Message !* ANY
(11) Proxy-State !* ANY
(11) } # update outer.session-state = noop
(11) } # post-auth = noop
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11) MS-MPPE-Encryption-Policy = Encryption-Allowed
(11) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11) MS-MPPE-Send-Key = 0xc95e91e5d6d75a41ddedeb1d410b74dc
(11) MS-MPPE-Recv-Key = 0xf03d8d652f0906ecde38699a80de028f
(11) EAP-Message = 0x030a0004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "test1.vpn"
(11) eap_peap: Got tunneled reply code 2
(11) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(11) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11) eap_peap: MS-MPPE-Send-Key = 0xc95e91e5d6d75a41ddedeb1d410b74dc
(11) eap_peap: MS-MPPE-Recv-Key = 0xf03d8d652f0906ecde38699a80de028f
(11) eap_peap: EAP-Message = 0x030a0004
(11) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11) eap_peap: User-Name = "test1.vpn"
(11) eap_peap: Got tunneled reply RADIUS code 2
(11) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(11) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11) eap_peap: MS-MPPE-Send-Key = 0xc95e91e5d6d75a41ddedeb1d410b74dc
(11) eap_peap: MS-MPPE-Recv-Key = 0xf03d8d652f0906ecde38699a80de028f
(11) eap_peap: EAP-Message = 0x030a0004
(11) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(11) eap_peap: User-Name = "test1.vpn"
(11) eap_peap: Tunneled authentication was successful
(11) eap_peap: SUCCESS
(11) eap: Sending EAP Request (code 1) ID 11 length 46
(11) eap: EAP session adding &reply:State = 0x1ee1c2c314eadbb6
(11) [eap] = handled
(11) } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) session-state: Saving cached attributes
(11) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) TLS-Session-Version = "TLS 1.2"
(11) User-Name += "test1.vpn"
(11) Sent Access-Challenge Id 120 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(11) Framed-IP-Address = 10.10.10.6
(11) Framed-Route = "172.16.10.0/24 172.16.10.254"
(11) Framed-IP-Netmask = 255.255.255.0
(11) EAP-Message =
0x010b002e190017030300239e5cd13943bc51823fdd3ad50610c08ffcf4ce231dbd6edc1d417a43078e4963389339
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1ee1c2c314eadbb67da4e0496fb672ca
(11) Finished request
Waking up in 4.7 seconds.
(12) Received Access-Request Id 121 from 127.0.0.1:39643 to 127.0.0.1:1812
length 219
(12) User-Name = "test1.vpn"
(12) NAS-Port-Type = Virtual
(12) Service-Type = Framed-User
(12) NAS-Port = 23
(12) NAS-Port-Id = "test1.vpn"
(12) NAS-IP-Address = X.X.X.220
(12) Called-Station-Id = "X.X.X.220[4500]"
(12) Calling-Station-Id = "X.X.X.211[4500]"
(12) Acct-Session-Id = "1654243660-23"
(12) EAP-Message =
0x020b002e19001703030023000000000000000416d278d66d7f8798a444c0449219eac44a56f078d7d9eaa2278d64
(12) NAS-Identifier = "strongSwan"
(12) State = 0x1ee1c2c314eadbb67da4e0496fb672ca
(12) Message-Authenticator = 0x397229ba90bc10f99d8795270a93e542
(12) Restoring &session-state
(12) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(12) &session-state:TLS-Session-Version = "TLS 1.2"
(12) &session-state:User-Name += "test1.vpn"
(12) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(12) authorize {
(12) files: users: Matched entry test1.vpn at line 3
(12) [files] = ok
(12) [preprocess] = ok
(12) [mschap] = noop
(12) eap: Peer sent EAP Response (code 2) ID 11 length 46
(12) eap: Continuing tunnel setup
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12) authenticate {
(12) eap: Expiring EAP session with state 0x1ee1c2c314eadbb6
(12) eap: Finished EAP session with state 0x1ee1c2c314eadbb6
(12) eap: Previous EAP request found for state 0x1ee1c2c314eadbb6, released
from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: [eaptls verify] = ok
(12) eap_peap: Done initial handshake
(12) eap_peap: [eaptls process] = ok
(12) eap_peap: Session established. Decoding tunneled attributes
(12) eap_peap: PEAP state send tlv success
(12) eap_peap: Received EAP-TLV response
(12) eap_peap: Success
(12) eap: Sending EAP Success (code 3) ID 11 length 4
(12) eap: Freeing handler
(12) [eap] = ok
(12) } # authenticate = ok
(12) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(12) post-auth {
(12) files: postauth_users: Matched entry test1.vpn at line 3
(12) [files] = ok
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) policy insert_acct_class {
(12) update reply {
(12) EXPAND
ai:%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}
(12) --> ai:e32f591f5372c47a6a9a75e86e6ff479
(12) &Class =
0x61693a6533326635393166353337326334376136613961373565383665366666343739
(12) } # update reply = noop
(12) } # policy insert_acct_class = noop
(12) } # post-auth = ok
(12) Sent Access-Accept Id 121 from 127.0.0.1:1812 to 127.0.0.1:39643
length 0
(12) Framed-IP-Address = 10.10.10.6
(12) Framed-Route = "172.16.10.0/24 172.16.10.254"
(12) Framed-IP-Netmask = 255.255.255.0
(12) MS-MPPE-Recv-Key =
0xd06fc9235d3e1bd45c16b64e88bae2f24f7827762e3039aa2c5ce5a0e71ab007
(12) MS-MPPE-Send-Key =
0xe228cae63f7c4328f95359e408fcd2cbebd6d7a7ec99129f458e08aca4e755dc
(12) EAP-Message = 0x030b0004
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) User-Name = "test1.vpn"
(12) Framed-IP-Address = 10.10.10.6
(12) Framed-Route = "172.16.10.0/24 172.16.10.254"
(12) Framed-IP-Netmask = 255.255.255.0
(12) Class =
0x61693a6533326635393166353337326334376136613961373565383665366666343739
(12) Finished request
Waking up in 4.7 seconds.
(13) Received Accounting-Request Id 122 from 127.0.0.1:36435 to
127.0.0.1:1813 length 147
(13) Acct-Status-Type = Start
(13) Acct-Session-Id = "1654243660-23"
(13) NAS-Port-Type = Virtual
(13) Service-Type = Framed-User
(13) NAS-Port = 23
(13) NAS-Port-Id = "test1.vpn"
(13) NAS-IP-Address = X.X.X.220
(13) Called-Station-Id = "X.X.X.220[4500]"
(13) Calling-Station-Id = "X.X.X.211[4500]"
(13) User-Name = "test1.vpn"
(13) Framed-IP-Address = 10.10.10.6
(13) NAS-Identifier = "strongSwan"
(13) # Executing section preacct from file /etc/raddb/sites-enabled/default
(13) preacct {
(13) [files] = noop
(13) [preprocess] = ok
(13) policy acct_unique {
(13) update request {
(13) &Tmp-String-9 := "ai:"
(13) } # update request = noop
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(13) EXPAND %{hex:&Class}
(13) -->
(13) EXPAND ^%{hex:&Tmp-String-9}
(13) --> ^61693a
(13) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(13) else {
(13) update request {
(13) EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(13) --> 4d5814ca5bc08a27b81676d0ab0f9f3e
(13) &Acct-Unique-Session-Id := 4d5814ca5bc08a27b81676d0ab0f9f3e
(13) } # update request = noop
(13) } # else = noop
(13) } # policy acct_unique = noop
(13) } # preacct = ok
(13) # Executing section accounting from file
/etc/raddb/sites-enabled/default
(13) accounting {
(13) attr_filter.accounting_response: EXPAND %{User-Name}
(13) attr_filter.accounting_response: --> test1.vpn
(13) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(13) [attr_filter.accounting_response] = updated
(13) } # accounting = updated
(13) Sent Accounting-Response Id 122 from 127.0.0.1:1813 to 127.0.0.1:36435
length 0
(13) Finished request
(13) Cleaning up request packet ID 122 with timestamp +147
At the twelfth packet we can clearly see the framed IP route, and even
before. It is seen in the Access-Accept packet but not in the
Accounting-Request.
My guess is that I am missing an option in sites-enabled/default. I
remembered my issue with the option use_tunneled_yes, so I put the two
update blocks in the post-auth part of the inner tunnel by following this
doc:
https://networkradius.com/doc/3.0.10/raddb/sites-available/inner-tunnel.html.
It may be irrelevant to the issue.
Thanks in advance for any tips or leads,
Best regards.
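As an added illustration (not part of the original post, and not FreeRADIUS or strongSwan code): the three Framed-Route strings tried above parsed with the RFC 2865 section 5.22 rules, including the classful default that applies when the prefix length is omitted and the 0.0.0.0 gateway rule. The Framed-IP-Address 10.10.10.6 is taken from the log; the function names are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class FramedRoute(NamedTuple):
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metrics: List[int]


def classful_prefix_len(addr: ipaddress.IPv4Address) -> int:
    # RFC 2865 5.22: a missing length specifier defaults to the classful
    # length, 8 bits for class A, 16 for class B, 24 for class C.
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("no classful default for %s" % addr)


def parse_framed_route(text: str, framed_ip: Optional[str] = None) -> FramedRoute:
    """Parse one Framed-Route value laid out as "prefix[/len] gateway [metric ...]"."""
    fields = text.split()
    if len(fields) < 2:
        raise ValueError("Framed-Route needs a prefix and a gateway: %r" % text)
    dest, gw, *metrics = fields
    if "/" in dest:
        network = ipaddress.IPv4Network(dest, strict=False)
    else:
        addr = ipaddress.IPv4Address(dest)
        # Note the effect: "172.16.10.0" without "/24" becomes 172.16.0.0/16.
        network = ipaddress.IPv4Network((addr, classful_prefix_len(addr)), strict=False)
    gateway = ipaddress.IPv4Address(gw)
    # A gateway of 0.0.0.0 means "use the user's own address" (RFC 2865).
    if gateway == ipaddress.IPv4Address("0.0.0.0"):
        if framed_ip is None:
            raise ValueError("gateway 0.0.0.0 needs the user's Framed-IP-Address")
        gateway = ipaddress.IPv4Address(framed_ip)
    return FramedRoute(network, gateway, [int(m) for m in metrics])


def describe(text: str, framed_ip: str = "10.10.10.6") -> str:
    route = parse_framed_route(text, framed_ip)
    return "%s via %s metrics=%s" % (route.destination, route.gateway, route.metrics)


if __name__ == "__main__":
    # The three variants from the post; constructed input, Framed-IP-Address from the log.
    for value in ("172.16.10.0/24 172.16.10.254",
                  "172.16.10.0 172.16.10.254",
                  "172.16.10.0/24 172.16.10.254 1 2 -1 3 400"):
        print(repr(value), "->", describe(value))
```

The server side is doing its part already: the Access-Accept in the log carries Framed-Route, and RFC 2865 defines the attribute as routing information for the NAS to configure, so installing the route on the client is a NAS-side behaviour, not something the RADIUS reply can force.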