FreeRADIUS (packetfence) - Azure AD - Authentication - Regarding
P.Thirunavukkarasu
drthiruna at tanuvas.org.in
Wed Mar 16 12:05:04 UTC 2022
Hi all,
I learned a lot with the support of the users mailing list
My environment is FreeRADIUS (Packetfence) running with the Azure AD
Configured the Azure AD for the application packetfence.
This is the output of the FreeRADIUS server
---------------------
} # policy rewrite_called_station_id = updated
(0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(0) EXPAND %{client:shortname}
(0) --> 172.16.20.210/32
(0) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = updated
(0) } # policy filter_username = updated
(0) policy filter_password {
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(0) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(0) } # policy filter_password = updated
(0) [preprocess] = ok
(0) [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(0) suffix: Found realm "tanuvas.edu.in"
(0) suffix: Adding Stripped-User-Name = ""
(0) suffix: Adding Realm = "tanuvas.edu.in"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) ntdomain: Request already has destination realm set. Ignoring
(0) [ntdomain] = noop
(0) eap: Peer sent EAP Response (code 2) ID 2 length 20
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 3 length 6
(0) eap: EAP session adding &reply:State = 0xc7239dc8c720845a
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 61 from 172.16.11.10:1812 to
172.16.20.210:57049 length 64
(0) EAP-Message = 0x010300061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xc7239dc8c720845ac7ab04a38861e476
(0) Finished request
Thread 1 waiting to be assigned a request
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
(1) Received Access-Request Id 62 from 172.16.20.210:57049 to
172.16.11.10:1812 length 221
(1) User-Name = "@tanuvas.edu.in"
(1) NAS-IP-Address = 172.16.20.210
(1) NAS-Port = 0
(1) NAS-Identifier = "172.16.20.101"
(1) NAS-Port-Type = Wireless-802.11
(1) Calling-Station-Id = "706655fca6f1"
(1) Called-Station-Id = "b83a5ac71008"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1100
(1) EAP-Message = 0x020300060315
(1) State = 0xc7239dc8c720845ac7ab04a38861e476
(1) Aruba-Essid-Name = "TANUVAS"
(1) Aruba-Location-Id = "CECONDS"
(1) Aruba-AP-Group = "MVC_AcademicAP_VC"
(1) Aruba-Device-Type = "NOFP"
(1) Message-Authenticator = 0xbcc9ecdc45d8912c7c26adf13026d1c9
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 994
(1) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(1) authorize {
(1) policy packetfence-nas-ip-address {
(1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(1) } # policy packetfence-nas-ip-address = notfound
(1) update {
(1) EXPAND %{Packet-Src-IP-Address}
(1) --> 172.16.20.210
(1) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(1) EXPAND %{Packet-Dst-IP-Address}
(1) --> 172.16.11.10
(1) &request:PacketFence-Radius-Ip := 172.16.11.10
(1) &control:PacketFence-RPC-Server = 127.0.0.1
(1) &control:PacketFence-RPC-Port = 7070
(1) &control:PacketFence-RPC-User =
(1) &control:PacketFence-RPC-Pass = ''
(1) &control:PacketFence-RPC-Proto = http
(1) EXPAND %l
(1) --> 1647449682
(1) &control:Tmp-Integer-0 := 1647449682
(1) &control:PacketFence-Request-Time := 0
(1) } # update = noop
(1) policy packetfence-set-realm-if-machine {
(1) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(1) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(1) } # policy packetfence-set-realm-if-machine = noop
(1) policy packetfence-balanced-key-policy {
(1) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~
/^(.*)(.)$/i)) {
(1) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~
/^(.*)(.)$/i)) -> FALSE
(1) else {
(1) update {
(1) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(1) --> 676ae0f0be13d41f008250df0c25be53
(1) &request:PacketFence-KeyBalanced :=
676ae0f0be13d41f008250df0c25be53
(1) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(1) --> 676ae0f0be13d41f008250df0c25be53
(1) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(1) } # update = noop
(1) } # else = noop
(1) } # policy packetfence-balanced-key-policy = noop
(1) policy packetfence-set-tenant-id {
(1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(1) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(1) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(1) --> 0
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(1) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
{
(1) EXPAND %{request:Called-Station-Id}
(1) --> b83a5ac71008
(1) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
-> TRUE
(1) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
{
(1) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(1) EXPAND %{User-Name}
(1) --> @tanuvas.edu.in
(1) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(1) Executing select query: SELECT IFNULL((SELECT tenant_id
FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (1)
(1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM
radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(1) --> 0
(1) &PacketFence-Tenant-Id = 0
(1) } # update control = noop
(1) } # if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
= noop
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(1) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(1) --> 0
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(1) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(1) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(1) EXPAND %{User-Name}
(1) --> @tanuvas.edu.in
(1) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(1) Executing select query: SELECT IFNULL((SELECT tenant_id
FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (2)
(1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM
radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(1) --> 1
(1) &PacketFence-Tenant-Id = 1
(1) } # update control = noop
(1) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") =
noop
(1) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(1) if ( &control:PacketFence-Tenant-Id == 0 ) {
(1) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(1) if ( &control:PacketFence-Tenant-Id == 0 ) {
(1) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(1) EXPAND %{User-Name}
(1) --> @tanuvas.edu.in
(1) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(1) Executing select query: SELECT IFNULL((SELECT tenant_id from
radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and
INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (2)
(1) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas
WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and
INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(1) --> 1
(1) &PacketFence-Tenant-Id := 1
(1) } # update control = noop
(1) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(1) } # policy packetfence-set-tenant-id = noop
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) update request {
(1) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 70:66:55:fc:a6:f1
(1) &Calling-Station-Id := 70:66:55:fc:a6:f1
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) policy rewrite_called_station_id {
(1) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(1) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(1) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(1) update request {
(1) &Called-Station-Id !* ANY
(1) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> b8:3a:5a:c7:10:08
(1) &Called-Station-Id := b8:3a:5a:c7:10:08
(1) } # update request = noop
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) -->
(1) if ("%{8}") -> FALSE
(1) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(1) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(1) elsif (Aruba-Essid-Name) {
(1) elsif (Aruba-Essid-Name) -> TRUE
(1) elsif (Aruba-Essid-Name) {
(1) update request {
(1) EXPAND %{Aruba-Essid-Name}
(1) --> TANUVAS
(1) &Called-Station-SSID := TANUVAS
(1) } # update request = noop
(1) } # elsif (Aruba-Essid-Name) = noop
(1) ... skipping elsif: Preceding "if" was taken
(1) [updated] = updated
(1) } # if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_called_station_id = updated
(1) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(1) EXPAND %{client:shortname}
(1) --> 172.16.20.210/32
(1) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = updated
(1) } # policy filter_username = updated
(1) policy filter_password {
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(1) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(1) } # policy filter_password = updated
(1) [preprocess] = ok
(1) [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(1) suffix: Found realm "tanuvas.edu.in"
(1) suffix: Adding Stripped-User-Name = ""
(1) suffix: Adding Realm = "tanuvas.edu.in"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) ntdomain: Request already has destination realm set. Ignoring
(1) [ntdomain] = noop
(1) eap: Peer sent EAP Response (code 2) ID 3 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" !=
"MS-CHAP") {
(1) if ( !EAP-Message && "%{%{Control:Auth-type}:-No-MS_CHAP}" !=
"MS-CHAP") -> FALSE
(1) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") {
(1) EXPAND %{%{Control:Auth-type}:-No-MS_CHAP}
(1) --> eap
(1) if ("%{%{Control:Auth-type}:-No-MS_CHAP}" == "MS-CHAP") -> FALSE
(1) policy packetfence-eap-mac-policy {
(1) if ( &EAP-Type ) {
(1) if ( &EAP-Type ) -> TRUE
(1) if ( &EAP-Type ) {
(1) if (&User-Name && (&User-Name =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&User-Name && (&User-Name =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> FALSE
(1) } # if ( &EAP-Type ) = updated
(1) [noop] = noop
(1) } # policy packetfence-eap-mac-policy = updated
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: WARNING: !!! Ignoring control:User-Password.  Update your        !!!
(1) pap: WARNING: !!! configuration so that the "known good" clear text   !!!
(1) pap: WARNING: !!! password is in Cleartext-Password and NOT in        !!!
(1) pap: WARNING: !!! User-Password.                                       !!!
(1) pap: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(1) pap: Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(1) authenticate {
(1) eap: Expiring EAP session with state 0xc7239dc8c720845a
(1) eap: Finished EAP session with state 0xc7239dc8c720845a
(1) eap: Previous EAP request found for state 0xc7239dc8c720845a, released
from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 4 length 6
(1) eap: EAP session adding &reply:State = 0xc7239dc8c627885a
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 62 from 172.16.11.10:1812 to
172.16.20.210:57049 length 64
(1) EAP-Message = 0x010400061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xc7239dc8c627885ac7ab04a38861e476
(1) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 3 got semaphore
Thread 3 handling request 2, (1 handled so far)
(2) Received Access-Request Id 63 from 172.16.20.210:57049 to
172.16.11.10:1812 length 387
(2) User-Name = "@tanuvas.edu.in"
(2) NAS-IP-Address = 172.16.20.210
(2) NAS-Port = 0
(2) NAS-Identifier = "172.16.20.101"
(2) NAS-Port-Type = Wireless-802.11
(2) Calling-Station-Id = "706655fca6f1"
(2) Called-Station-Id = "b83a5ac71008"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1100
(2) EAP-Message =
0x020400ac1580000000a2160303009d0100009903036231ca9a72f5c07f0ade35438b2f397936b99ab972e37955c1a24cfce5ae3ef900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2) State = 0xc7239dc8c627885ac7ab04a38861e476
(2) Aruba-Essid-Name = "TANUVAS"
(2) Aruba-Location-Id = "CECONDS"
(2) Aruba-AP-Group = "MVC_AcademicAP_VC"
(2) Aruba-Device-Type = "NOFP"
(2) Message-Authenticator = 0x145b706d2f82d33aabdf94b983a619bf
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file
/usr/local/pf/raddb/sites-enabled/packetfence
(2) authorize {
(2) policy packetfence-nas-ip-address {
(2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(2) } # policy packetfence-nas-ip-address = notfound
(2) update {
(2) EXPAND %{Packet-Src-IP-Address}
(2) --> 172.16.20.210
(2) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(2) EXPAND %{Packet-Dst-IP-Address}
(2) --> 172.16.11.10
(2) &request:PacketFence-Radius-Ip := 172.16.11.10
(2) &control:PacketFence-RPC-Server = 127.0.0.1
(2) &control:PacketFence-RPC-Port = 7070
(2) &control:PacketFence-RPC-User =
(2) &control:PacketFence-RPC-Pass = ''
(2) &control:PacketFence-RPC-Proto = http
(2) EXPAND %l
(2) --> 1647449682
(2) &control:Tmp-Integer-0 := 1647449682
(2) &control:PacketFence-Request-Time := 0
(2) } # update = noop
(2) policy packetfence-set-realm-if-machine {
(2) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(2) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(2) } # policy packetfence-set-realm-if-machine = noop
(2) policy packetfence-balanced-key-policy {
(2) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~
/^(.*)(.)$/i)) {
(2) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~
/^(.*)(.)$/i)) -> FALSE
(2) else {
(2) update {
(2) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(2) --> 676ae0f0be13d41f008250df0c25be53
(2) &request:PacketFence-KeyBalanced :=
676ae0f0be13d41f008250df0c25be53
(2) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(2) --> 676ae0f0be13d41f008250df0c25be53
(2) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(2) } # update = noop
(2) } # else = noop
(2) } # policy packetfence-balanced-key-policy = noop
(2) policy packetfence-set-tenant-id {
(2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(2) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(2) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(2) --> 0
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(2) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
{
(2) EXPAND %{request:Called-Station-Id}
(2) --> b83a5ac71008
(2) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
-> TRUE
(2) if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
{
(2) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(2) EXPAND %{User-Name}
(2) --> @tanuvas.edu.in
(2) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (0)
(2) Executing select query: SELECT IFNULL((SELECT tenant_id
FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (0)
(2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM
radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(2) --> 0
(2) &PacketFence-Tenant-Id = 0
(2) } # update control = noop
(2) } # if ("%{request:Called-Station-Id}" =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i)
= noop
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(2) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(2) --> 0
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(2) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(2) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(2) EXPAND %{User-Name}
(2) --> @tanuvas.edu.in
(2) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(2) Executing select query: SELECT IFNULL((SELECT tenant_id
FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (1)
(2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM
radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(2) --> 1
(2) &PacketFence-Tenant-Id = 1
(2) } # update control = noop
(2) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") =
noop
(2) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(2) if ( &control:PacketFence-Tenant-Id == 0 ) {
(2) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(2) if ( &control:PacketFence-Tenant-Id == 0 ) {
(2) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(2) EXPAND %{User-Name}
(2) --> @tanuvas.edu.in
(2) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(2) Executing select query: SELECT IFNULL((SELECT tenant_id from
radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and
INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (1)
(2) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas
WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and
INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(2) --> 1
(2) &PacketFence-Tenant-Id := 1
(2) } # update control = noop
(2) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(2) } # policy packetfence-set-tenant-id = noop
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) update request {
(2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2) --> 70:66:55:fc:a6:f1
(2) &Calling-Station-Id := 70:66:55:fc:a6:f1
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) policy rewrite_called_station_id {
(2) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(2) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(2) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(2) update request {
(2) &Called-Station-Id !* ANY
(2) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2) --> b8:3a:5a:c7:10:08
(2) &Called-Station-Id := b8:3a:5a:c7:10:08
(2) } # update request = noop
(2) if ("%{8}") {
(2) EXPAND %{8}
(2) -->
(2) if ("%{8}") -> FALSE
(2) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(2) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(2) elsif (Aruba-Essid-Name) {
(2) elsif (Aruba-Essid-Name) -> TRUE
(2) elsif (Aruba-Essid-Name) {
(2) update request {
(2) EXPAND %{Aruba-Essid-Name}
(2) --> TANUVAS
(2) &Called-Station-SSID := TANUVAS
(2) } # update request = noop
(2) } # elsif (Aruba-Essid-Name) = noop
(2) ... skipping elsif: Preceding "if" was taken
(2) [updated] = updated
(2) } # if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_called_station_id = updated
(2) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(2) EXPAND %{client:shortname}
(2) --> 172.16.20.210/32
(2) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = updated
(2) } # policy filter_username = updated
(2) policy filter_password {
(2) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) {
(2) if (&User-Password && (&User-Password !=
"%{string:User-Password}")) -> FALSE
(2) } # policy filter_password = updated
(2) [preprocess] = ok
(2) [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(2) suffix: Found realm "tanuvas.edu.in"
(2) suffix: Adding Stripped-User-Name = ""
(2) suffix: Adding Realm = "tanuvas.edu.in"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) ntdomain: Request already has destination realm set. Ignoring
(2) [ntdomain] = noop
(2) eap: Peer sent EAP Response (code 2) ID 4 length 172
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(2) authenticate {
(2) eap: Expiring EAP session with state 0xc7239dc8c627885a
(2) eap: Finished EAP session with state 0xc7239dc8c627885a
(2) eap: Previous EAP request found for state 0xc7239dc8c627885a, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) EAP Peer says that the final record size will be 162
bytes
(2) eap_ttls: (TLS) EAP Got all data (162 bytes)
(2) eap_ttls: (TLS) Handshake state - before SSL initialization
(2) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(2) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(2) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(2) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(2) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(2) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server
done
(2) eap_ttls: (TLS) In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 5 length 1004
(2) eap: EAP session adding &reply:State = 0xc7239dc8c526885a
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(2) session-state: Saving cached attributes
(2) Framed-MTU = 994
(2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 63 from 172.16.11.10:1812 to
172.16.20.210:57049 length 1068
(2) EAP-Message =
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xc7239dc8c526885ac7ab04a38861e476
(2) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 1 got semaphore
Thread 1 handling request 3, (2 handled so far)
(3) Received Access-Request Id 64 from 172.16.20.210:57049 to
172.16.11.10:1812 length 221
(3) User-Name = "@tanuvas.edu.in"
(3) NAS-IP-Address = 172.16.20.210
(3) NAS-Port = 0
(3) NAS-Identifier = "172.16.20.101"
(3) NAS-Port-Type = Wireless-802.11
(3) Calling-Station-Id = "706655fca6f1"
(3) Called-Station-Id = "b83a5ac71008"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1100
(3) EAP-Message = 0x020500061500
(3) State = 0xc7239dc8c526885ac7ab04a38861e476
(3) Aruba-Essid-Name = "TANUVAS"
(3) Aruba-Location-Id = "CECONDS"
(3) Aruba-AP-Group = "MVC_AcademicAP_VC"
(3) Aruba-Device-Type = "NOFP"
(3) Message-Authenticator = 0x43eb1f46e1ff7c7eae412bd848fe45e6
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 994
(3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(3) authorize {
(3) policy packetfence-nas-ip-address {
(3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(3) } # policy packetfence-nas-ip-address = notfound
(3) update {
(3) EXPAND %{Packet-Src-IP-Address}
(3) --> 172.16.20.210
(3) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(3) EXPAND %{Packet-Dst-IP-Address}
(3) --> 172.16.11.10
(3) &request:PacketFence-Radius-Ip := 172.16.11.10
(3) &control:PacketFence-RPC-Server = 127.0.0.1
(3) &control:PacketFence-RPC-Port = 7070
(3) &control:PacketFence-RPC-User =
(3) &control:PacketFence-RPC-Pass = ''
(3) &control:PacketFence-RPC-Proto = http
(3) EXPAND %l
(3) --> 1647449682
(3) &control:Tmp-Integer-0 := 1647449682
(3) &control:PacketFence-Request-Time := 0
(3) } # update = noop
(3) policy packetfence-set-realm-if-machine {
(3) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(3) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(3) } # policy packetfence-set-realm-if-machine = noop
(3) policy packetfence-balanced-key-policy {
(3) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
(3) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE
(3) else {
(3) update {
(3) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(3) --> 676ae0f0be13d41f008250df0c25be53
(3) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53
(3) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(3) --> 676ae0f0be13d41f008250df0c25be53
(3) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(3) } # update = noop
(3) } # else = noop
(3) } # policy packetfence-balanced-key-policy = noop
(3) policy packetfence-set-tenant-id {
(3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(3) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(3) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(3) --> 0
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(3) EXPAND %{request:Called-Station-Id}
(3) --> b83a5ac71008
(3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE
(3) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(3) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(3) EXPAND %{User-Name}
(3) --> @tanuvas.edu.in
(3) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(3) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (2)
(3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(3) --> 0
(3) &PacketFence-Tenant-Id = 0
(3) } # update control = noop
(3) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(3) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(3) --> 0
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(3) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(3) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(3) EXPAND %{User-Name}
(3) --> @tanuvas.edu.in
(3) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (0)
(3) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (0)
(3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(3) --> 1
(3) &PacketFence-Tenant-Id = 1
(3) } # update control = noop
(3) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(3) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(3) if ( &control:PacketFence-Tenant-Id == 0 ) {
(3) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(3) if ( &control:PacketFence-Tenant-Id == 0 ) {
(3) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(3) EXPAND %{User-Name}
(3) --> @tanuvas.edu.in
(3) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (0)
(3) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (0)
(3) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(3) --> 1
(3) &PacketFence-Tenant-Id := 1
(3) } # update control = noop
(3) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(3) } # policy packetfence-set-tenant-id = noop
(3) policy rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) update request {
(3) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3) --> 70:66:55:fc:a6:f1
(3) &Calling-Station-Id := 70:66:55:fc:a6:f1
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_calling_station_id = updated
(3) policy rewrite_called_station_id {
(3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(3) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(3) update request {
(3) &Called-Station-Id !* ANY
(3) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3) --> b8:3a:5a:c7:10:08
(3) &Called-Station-Id := b8:3a:5a:c7:10:08
(3) } # update request = noop
(3) if ("%{8}") {
(3) EXPAND %{8}
(3) -->
(3) if ("%{8}") -> FALSE
(3) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(3) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(3) elsif (Aruba-Essid-Name) {
(3) elsif (Aruba-Essid-Name) -> TRUE
(3) elsif (Aruba-Essid-Name) {
(3) update request {
(3) EXPAND %{Aruba-Essid-Name}
(3) --> TANUVAS
(3) &Called-Station-SSID := TANUVAS
(3) } # update request = noop
(3) } # elsif (Aruba-Essid-Name) = noop
(3) ... skipping elsif: Preceding "if" was taken
(3) [updated] = updated
(3) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_called_station_id = updated
(3) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(3) EXPAND %{client:shortname}
(3) --> 172.16.20.210/32
(3) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = updated
(3) } # policy filter_username = updated
(3) policy filter_password {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(3) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(3) } # policy filter_password = updated
(3) [preprocess] = ok
(3) [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(3) suffix: Found realm "tanuvas.edu.in"
(3) suffix: Adding Stripped-User-Name = ""
(3) suffix: Adding Realm = "tanuvas.edu.in"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) ntdomain: Request already has destination realm set. Ignoring
(3) [ntdomain] = noop
(3) eap: Peer sent EAP Response (code 2) ID 5 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(3) authenticate {
(3) eap: Expiring EAP session with state 0xc7239dc8c526885a
(3) eap: Finished EAP session with state 0xc7239dc8c526885a
(3) eap: Previous EAP request found for state 0xc7239dc8c526885a, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 6 length 1004
(3) eap: EAP session adding &reply:State = 0xc7239dc8c425885a
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(3) session-state: Saving cached attributes
(3) Framed-MTU = 994
(3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 64 from 172.16.11.10:1812 to 172.16.20.210:57049 length 1068
(3) EAP-Message =
0x010603ec15c000000a8bc6c0465e8b9b1914ddac5ac4ae059c4943885a50b9993dd88a9b4f3086b66218cf8cf569d65fa4c6450c031c9cbc745dcdf3d766f8dc6d0e6b64439afa773b334255c4009f6591d212b3e222e50004fe308204fa308203e2a00302010202140141a16ddfd9fce3a7d1f13ab4552f2136efcca6300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3232303232333135343635315a170d3237303232323135343635315a308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d657768657265
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xc7239dc8c425885ac7ab04a38861e476
(3) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.1 seconds.
Thread 2 got semaphore
Thread 2 handling request 4, (2 handled so far)
(4) Received Access-Request Id 65 from 172.16.20.210:57049 to 172.16.11.10:1812 length 221
(4) User-Name = "@tanuvas.edu.in"
(4) NAS-IP-Address = 172.16.20.210
(4) NAS-Port = 0
(4) NAS-Identifier = "172.16.20.101"
(4) NAS-Port-Type = Wireless-802.11
(4) Calling-Station-Id = "706655fca6f1"
(4) Called-Station-Id = "b83a5ac71008"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1100
(4) EAP-Message = 0x020600061500
(4) State = 0xc7239dc8c425885ac7ab04a38861e476
(4) Aruba-Essid-Name = "TANUVAS"
(4) Aruba-Location-Id = "CECONDS"
(4) Aruba-AP-Group = "MVC_AcademicAP_VC"
(4) Aruba-Device-Type = "NOFP"
(4) Message-Authenticator = 0xead7c4879b2f4265eda427f33bc83889
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 994
(4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(4) authorize {
(4) policy packetfence-nas-ip-address {
(4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(4) } # policy packetfence-nas-ip-address = notfound
(4) update {
(4) EXPAND %{Packet-Src-IP-Address}
(4) --> 172.16.20.210
(4) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(4) EXPAND %{Packet-Dst-IP-Address}
(4) --> 172.16.11.10
(4) &request:PacketFence-Radius-Ip := 172.16.11.10
(4) &control:PacketFence-RPC-Server = 127.0.0.1
(4) &control:PacketFence-RPC-Port = 7070
(4) &control:PacketFence-RPC-User =
(4) &control:PacketFence-RPC-Pass = ''
(4) &control:PacketFence-RPC-Proto = http
(4) EXPAND %l
(4) --> 1647449682
(4) &control:Tmp-Integer-0 := 1647449682
(4) &control:PacketFence-Request-Time := 0
(4) } # update = noop
(4) policy packetfence-set-realm-if-machine {
(4) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(4) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(4) } # policy packetfence-set-realm-if-machine = noop
(4) policy packetfence-balanced-key-policy {
(4) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
(4) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE
(4) else {
(4) update {
(4) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(4) --> 676ae0f0be13d41f008250df0c25be53
(4) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53
(4) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(4) --> 676ae0f0be13d41f008250df0c25be53
(4) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(4) } # update = noop
(4) } # else = noop
(4) } # policy packetfence-balanced-key-policy = noop
(4) policy packetfence-set-tenant-id {
(4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(4) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(4) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(4) --> 0
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(4) EXPAND %{request:Called-Station-Id}
(4) --> b83a5ac71008
(4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE
(4) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(4) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(4) EXPAND %{User-Name}
(4) --> @tanuvas.edu.in
(4) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(4) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (1)
(4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(4) --> 0
(4) &PacketFence-Tenant-Id = 0
(4) } # update control = noop
(4) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(4) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(4) --> 0
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(4) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(4) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(4) EXPAND %{User-Name}
(4) --> @tanuvas.edu.in
(4) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(4) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (2)
(4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(4) --> 1
(4) &PacketFence-Tenant-Id = 1
(4) } # update control = noop
(4) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(4) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(4) if ( &control:PacketFence-Tenant-Id == 0 ) {
(4) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(4) if ( &control:PacketFence-Tenant-Id == 0 ) {
(4) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(4) EXPAND %{User-Name}
(4) --> @tanuvas.edu.in
(4) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(4) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (2)
(4) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(4) --> 1
(4) &PacketFence-Tenant-Id := 1
(4) } # update control = noop
(4) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(4) } # policy packetfence-set-tenant-id = noop
(4) policy rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) update request {
(4) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4) --> 70:66:55:fc:a6:f1
(4) &Calling-Station-Id := 70:66:55:fc:a6:f1
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_calling_station_id = updated
(4) policy rewrite_called_station_id {
(4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(4) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(4) update request {
(4) &Called-Station-Id !* ANY
(4) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4) --> b8:3a:5a:c7:10:08
(4) &Called-Station-Id := b8:3a:5a:c7:10:08
(4) } # update request = noop
(4) if ("%{8}") {
(4) EXPAND %{8}
(4) -->
(4) if ("%{8}") -> FALSE
(4) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(4) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(4) elsif (Aruba-Essid-Name) {
(4) elsif (Aruba-Essid-Name) -> TRUE
(4) elsif (Aruba-Essid-Name) {
(4) update request {
(4) EXPAND %{Aruba-Essid-Name}
(4) --> TANUVAS
(4) &Called-Station-SSID := TANUVAS
(4) } # update request = noop
(4) } # elsif (Aruba-Essid-Name) = noop
(4) ... skipping elsif: Preceding "if" was taken
(4) [updated] = updated
(4) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_called_station_id = updated
(4) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(4) EXPAND %{client:shortname}
(4) --> 172.16.20.210/32
(4) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = updated
(4) } # policy filter_username = updated
(4) policy filter_password {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(4) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(4) } # policy filter_password = updated
(4) [preprocess] = ok
(4) [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(4) suffix: Found realm "tanuvas.edu.in"
(4) suffix: Adding Stripped-User-Name = ""
(4) suffix: Adding Realm = "tanuvas.edu.in"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) ntdomain: Request already has destination realm set. Ignoring
(4) [ntdomain] = noop
(4) eap: Peer sent EAP Response (code 2) ID 6 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(4) authenticate {
(4) eap: Expiring EAP session with state 0xc7239dc8c425885a
(4) eap: Finished EAP session with state 0xc7239dc8c425885a
(4) eap: Previous EAP request found for state 0xc7239dc8c425885a, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 7 length 721
(4) eap: EAP session adding &reply:State = 0xc7239dc8c324885a
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(4) session-state: Saving cached attributes
(4) Framed-MTU = 994
(4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 65 from 172.16.11.10:1812 to 172.16.20.210:57049 length 783
(4) EAP-Message =
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xc7239dc8c324885ac7ab04a38861e476
(4) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.1 seconds.
Thread 3 got semaphore
Thread 3 handling request 5, (2 handled so far)
(5) Received Access-Request Id 66 from 172.16.20.210:57049 to 172.16.11.10:1812 length 351
(5) User-Name = "@tanuvas.edu.in"
(5) NAS-IP-Address = 172.16.20.210
(5) NAS-Port = 0
(5) NAS-Identifier = "172.16.20.101"
(5) NAS-Port-Type = Wireless-802.11
(5) Calling-Station-Id = "706655fca6f1"
(5) Called-Station-Id = "b83a5ac71008"
(5) Service-Type = Framed-User
(5) Framed-MTU = 1100
(5) EAP-Message =
0x0207008815800000007e1603030046100000424104c4dd5151d2477fc7b889af09a48bc315a77aee2bc39f8058883c0d7dad0f9935eb1bc5ca46dd3b93f80ad04cae257662de9c199d16ce622e7880007f6dc6d138140303000101160303002800000000000000001e22c3cf379434e69dd52d8f6a8ea0c084f0b6f35efcb916f01b52d96bf8246c
(5) State = 0xc7239dc8c324885ac7ab04a38861e476
(5) Aruba-Essid-Name = "TANUVAS"
(5) Aruba-Location-Id = "CECONDS"
(5) Aruba-AP-Group = "MVC_AcademicAP_VC"
(5) Aruba-Device-Type = "NOFP"
(5) Message-Authenticator = 0xb275fc254168c0bf148aaafcb1979511
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(5) authorize {
(5) policy packetfence-nas-ip-address {
(5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(5) } # policy packetfence-nas-ip-address = notfound
(5) update {
(5) EXPAND %{Packet-Src-IP-Address}
(5) --> 172.16.20.210
(5) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(5) EXPAND %{Packet-Dst-IP-Address}
(5) --> 172.16.11.10
(5) &request:PacketFence-Radius-Ip := 172.16.11.10
(5) &control:PacketFence-RPC-Server = 127.0.0.1
(5) &control:PacketFence-RPC-Port = 7070
(5) &control:PacketFence-RPC-User =
(5) &control:PacketFence-RPC-Pass = ''
(5) &control:PacketFence-RPC-Proto = http
(5) EXPAND %l
(5) --> 1647449682
(5) &control:Tmp-Integer-0 := 1647449682
(5) &control:PacketFence-Request-Time := 0
(5) } # update = noop
(5) policy packetfence-set-realm-if-machine {
(5) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(5) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(5) } # policy packetfence-set-realm-if-machine = noop
(5) policy packetfence-balanced-key-policy {
(5) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
(5) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE
(5) else {
(5) update {
(5) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(5) --> 676ae0f0be13d41f008250df0c25be53
(5) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53
(5) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(5) --> 676ae0f0be13d41f008250df0c25be53
(5) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(5) } # update = noop
(5) } # else = noop
(5) } # policy packetfence-balanced-key-policy = noop
(5) policy packetfence-set-tenant-id {
(5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(5) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(5) --> 0
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(5) EXPAND %{request:Called-Station-Id}
(5) --> b83a5ac71008
(5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE
(5) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(5) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(5) EXPAND %{User-Name}
(5) --> @tanuvas.edu.in
(5) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (0)
(5) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (0)
(5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(5) --> 0
(5) &PacketFence-Tenant-Id = 0
(5) } # update control = noop
(5) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(5) --> 0
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(5) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(5) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(5) EXPAND %{User-Name}
(5) --> @tanuvas.edu.in
(5) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(5) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (1)
(5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(5) --> 1
(5) &PacketFence-Tenant-Id = 1
(5) } # update control = noop
(5) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(5) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(5) if ( &control:PacketFence-Tenant-Id == 0 ) {
(5) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(5) if ( &control:PacketFence-Tenant-Id == 0 ) {
(5) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(5) EXPAND %{User-Name}
(5) --> @tanuvas.edu.in
(5) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(5) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (1)
(5) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(5) --> 1
(5) &PacketFence-Tenant-Id := 1
(5) } # update control = noop
(5) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(5) } # policy packetfence-set-tenant-id = noop
(5) policy rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) update request {
(5) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5) --> 70:66:55:fc:a6:f1
(5) &Calling-Station-Id := 70:66:55:fc:a6:f1
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_calling_station_id = updated
(5) policy rewrite_called_station_id {
(5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(5) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(5) update request {
(5) &Called-Station-Id !* ANY
(5) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5) --> b8:3a:5a:c7:10:08
(5) &Called-Station-Id := b8:3a:5a:c7:10:08
(5) } # update request = noop
(5) if ("%{8}") {
(5) EXPAND %{8}
(5) -->
(5) if ("%{8}") -> FALSE
(5) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(5) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(5) elsif (Aruba-Essid-Name) {
(5) elsif (Aruba-Essid-Name) -> TRUE
(5) elsif (Aruba-Essid-Name) {
(5) update request {
(5) EXPAND %{Aruba-Essid-Name}
(5) --> TANUVAS
(5) &Called-Station-SSID := TANUVAS
(5) } # update request = noop
(5) } # elsif (Aruba-Essid-Name) = noop
(5) ... skipping elsif: Preceding "if" was taken
(5) [updated] = updated
(5) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_called_station_id = updated
(5) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(5) EXPAND %{client:shortname}
(5) --> 172.16.20.210/32
(5) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = updated
(5) } # policy filter_username = updated
(5) policy filter_password {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(5) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(5) } # policy filter_password = updated
(5) [preprocess] = ok
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(5) suffix: Found realm "tanuvas.edu.in"
(5) suffix: Adding Stripped-User-Name = ""
(5) suffix: Adding Realm = "tanuvas.edu.in"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) ntdomain: Request already has destination realm set. Ignoring
(5) [ntdomain] = noop
(5) eap: Peer sent EAP Response (code 2) ID 7 length 136
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(5) authenticate {
(5) eap: Expiring EAP session with state 0xc7239dc8c324885a
(5) eap: Finished EAP session with state 0xc7239dc8c324885a
(5) eap: Previous EAP request found for state 0xc7239dc8c324885a, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(5) eap_ttls: (TLS) EAP Got all data (126 bytes)
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(5) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(5) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(5) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(5) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(5) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(5) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(5) eap_ttls: (TLS) Connection Established
(5) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_ttls: TLS-Session-Version = "TLS 1.2"
(5) eap: Sending EAP Request (code 1) ID 8 length 61
(5) eap: EAP session adding &reply:State = 0xc7239dc8c22b885a
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 66 from 172.16.11.10:1812 to 172.16.20.210:57049 length 119
(5) EAP-Message = 0x0108003d15800000003314030300010116030300283855ef975928a19d03d3a260ac0e925065588253e7a88e732f42724b673faa0f609197353425f0e6
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xc7239dc8c22b885ac7ab04a38861e476
(5) Finished request
Thread 3 waiting to be assigned a request
Waking up in 4.4 seconds.
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 6, (3 handled so far)
(6) Received Access-Request Id 67 from 172.16.20.210:57049 to 172.16.11.10:1812 length 306
(6) User-Name = "@tanuvas.edu.in"
(6) NAS-IP-Address = 172.16.20.210
(6) NAS-Port = 0
(6) NAS-Identifier = "172.16.20.101"
(6) NAS-Port-Type = Wireless-802.11
(6) Calling-Station-Id = "706655fca6f1"
(6) Called-Station-Id = "b83a5ac71008"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1100
(6) EAP-Message = 0x0208005b158000000051170303004c000000000000000140aaec26e769e54b6155a3c1048c4ff2b9398f03fb1076c83982c34bbfeca12cb54843909f0c70fb51b301cd4542c5b6911ffb2e17d33c910e9e4fe6caf1b8fe03d93321
(6) State = 0xc7239dc8c22b885ac7ab04a38861e476
(6) Aruba-Essid-Name = "TANUVAS"
(6) Aruba-Location-Id = "CECONDS"
(6) Aruba-AP-Group = "MVC_AcademicAP_VC"
(6) Aruba-Device-Type = "NOFP"
(6) Message-Authenticator = 0x169466c3949f358044792e7fbf909c5c
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 994
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
(6) authorize {
(6) policy packetfence-nas-ip-address {
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(6) } # policy packetfence-nas-ip-address = notfound
(6) update {
(6) EXPAND %{Packet-Src-IP-Address}
(6) --> 172.16.20.210
(6) &request:FreeRADIUS-Client-IP-Address := 172.16.20.210
(6) EXPAND %{Packet-Dst-IP-Address}
(6) --> 172.16.11.10
(6) &request:PacketFence-Radius-Ip := 172.16.11.10
(6) &control:PacketFence-RPC-Server = 127.0.0.1
(6) &control:PacketFence-RPC-Port = 7070
(6) &control:PacketFence-RPC-User =
(6) &control:PacketFence-RPC-Pass = ''
(6) &control:PacketFence-RPC-Proto = http
(6) EXPAND %l
(6) --> 1647449684
(6) &control:Tmp-Integer-0 := 1647449684
(6) &control:PacketFence-Request-Time := 0
(6) } # update = noop
(6) policy packetfence-set-realm-if-machine {
(6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(6) } # policy packetfence-set-realm-if-machine = noop
(6) policy packetfence-balanced-key-policy {
(6) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) {
(6) if (&PacketFence-KeyBalanced && (&PacketFence-KeyBalanced =~ /^(.*)(.)$/i)) -> FALSE
(6) else {
(6) update {
(6) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(6) --> 676ae0f0be13d41f008250df0c25be53
(6) &request:PacketFence-KeyBalanced := 676ae0f0be13d41f008250df0c25be53
(6) EXPAND %{md5:%{Calling-Station-Id}%{User-Name}}
(6) --> 676ae0f0be13d41f008250df0c25be53
(6) &control:Load-Balance-Key := 676ae0f0be13d41f008250df0c25be53
(6) } # update = noop
(6) } # else = noop
(6) } # policy packetfence-balanced-key-policy = noop
(6) policy packetfence-set-tenant-id {
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 0
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(6) EXPAND %{request:Called-Station-Id}
(6) --> b83a5ac71008
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(6) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (3), 1 of 61 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket, server version 10.5.15-MariaDB-1:10.5.15+maria~bullseye, protocol version 10
(6) EXPAND %{User-Name}
(6) --> @tanuvas.edu.in
(6) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (2)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(6) --> 0
(6) &PacketFence-Tenant-Id = 0
(6) } # update control = noop
(6) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 0
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) update control {
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(6) EXPAND %{User-Name}
(6) --> @tanuvas.edu.in
(6) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (0)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (0)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(6) --> 1
(6) &PacketFence-Tenant-Id = 1
(6) } # update control = noop
(6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) update control {
rlm_sql (sql): Reserved connection (3)
rlm_sql (sql): Released connection (3)
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(6) EXPAND %{User-Name}
(6) --> @tanuvas.edu.in
(6) SQL-User-Name set to '@tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (1)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(6) --> 1
(6) &PacketFence-Tenant-Id := 1
(6) } # update control = noop
(6) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(6) } # policy packetfence-set-tenant-id = noop
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) update request {
(6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6) --> 70:66:55:fc:a6:f1
(6) &Calling-Station-Id := 70:66:55:fc:a6:f1
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) policy rewrite_called_station_id {
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) -> TRUE
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) {
(6) update request {
(6) &Called-Station-Id !* ANY
(6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6) --> b8:3a:5a:c7:10:08
(6) &Called-Station-Id := b8:3a:5a:c7:10:08
(6) } # update request = noop
(6) if ("%{8}") {
(6) EXPAND %{8}
(6) -->
(6) if ("%{8}") -> FALSE
(6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) {
(6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~ /^ssid=(.*)$/i) -> FALSE
(6) elsif (Aruba-Essid-Name) {
(6) elsif (Aruba-Essid-Name) -> TRUE
(6) elsif (Aruba-Essid-Name) {
(6) update request {
(6) EXPAND %{Aruba-Essid-Name}
(6) --> TANUVAS
(6) &Called-Station-SSID := TANUVAS
(6) } # update request = noop
(6) } # elsif (Aruba-Essid-Name) = noop
(6) ... skipping elsif: Preceding "if" was taken
(6) [updated] = updated
(6) } # if ((&Called-Station-Id) && (&Called-Station-Id =~ /^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) {
(6) EXPAND %{client:shortname}
(6) --> 172.16.20.210/32
(6) if ( "%{client:shortname}" =~ /eduroam_tlrs/ ) -> FALSE
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = updated
(6) } # policy filter_username = updated
(6) policy filter_password {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) {
(6) if (&User-Password && (&User-Password != "%{string:User-Password}")) -> FALSE
(6) } # policy filter_password = updated
(6) [preprocess] = ok
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "@tanuvas.edu.in"
(6) suffix: Found realm "tanuvas.edu.in"
(6) suffix: Adding Stripped-User-Name = ""
(6) suffix: Adding Realm = "tanuvas.edu.in"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) ntdomain: Request already has destination realm set. Ignoring
(6) [ntdomain] = noop
(6) eap: Peer sent EAP Response (code 2) ID 8 length 91
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
(6) authenticate {
(6) eap: Expiring EAP session with state 0xc7239dc8c22b885a
(6) eap: Finished EAP session with state 0xc7239dc8c22b885a
(6) eap: Previous EAP request found for state 0xc7239dc8c22b885a, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: (TLS) EAP Peer says that the final record size will be 81 bytes
(6) eap_ttls: (TLS) EAP Got all data (81 bytes)
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "MTP19003 at tanuvas.edu.in"
(6) eap_ttls: User-Password = "Tanuvas at 2020"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server packetfence-tunnel received request
(6) User-Name = "MTP19003 at tanuvas.edu.in"
(6) User-Password = "Tanuvas at 2020"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) NAS-IP-Address = 172.16.20.210
(6) NAS-Port = 0
(6) NAS-Identifier = "172.16.20.101"
(6) NAS-Port-Type = Wireless-802.11
(6) Calling-Station-Id := "70:66:55:fc:a6:f1"
(6) Service-Type = Framed-User
(6) Framed-MTU = 1100
(6) Aruba-Essid-Name = "TANUVAS"
(6) Aruba-Location-Id = "CECONDS"
(6) Aruba-AP-Group = "MVC_AcademicAP_VC"
(6) Aruba-Device-Type = "NOFP"
(6) PacketFence-Radius-Ip := "172.16.11.10"
(6) PacketFence-KeyBalanced := "676ae0f0be13d41f008250df0c25be53"
(6) Called-Station-Id := "b8:3a:5a:c7:10:08"
(6) Event-Timestamp = "Mar 16 2022 22:24:44 IST"
(6) server packetfence-tunnel {
(6) # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(6) authorize {
(6) if ( outer.EAP-Type == TTLS) {
(6) if ( outer.EAP-Type == TTLS) -> TRUE
(6) if ( outer.EAP-Type == TTLS) {
(6) update request {
(6) &EAP-Type := TTLS
(6) } # update request = noop
(6) } # if ( outer.EAP-Type == TTLS) = noop
(6) policy packetfence-set-realm-if-machine {
(6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) {
(6) if (User-Name =~ /host\/([a-z0-9_-]*)[\.](.*)/i) -> FALSE
(6) } # policy packetfence-set-realm-if-machine = noop
(6) policy packetfence-set-tenant-id {
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 0
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(6) EXPAND %{request:Called-Station-Id}
(6) --> b8:3a:5a:c7:10:08
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) -> TRUE
(6) if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) {
(6) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
(6) EXPAND %{User-Name}
(6) --> MTP19003 at tanuvas.edu.in
(6) SQL-User-Name set to 'MTP19003 at tanuvas.edu.in'
rlm_sql (sql): Reserved connection (3)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = 'b8:3a:5a:c7:10:08'), 0)
rlm_sql (sql): Released connection (3)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}'), 0)}
(6) --> 0
(6) &PacketFence-Tenant-Id = 0
(6) } # update control = noop
(6) } # if ("%{request:Called-Station-Id}" =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})/i) = noop
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 0
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> TRUE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) update control {
rlm_sql (sql): Reserved connection (2)
rlm_sql (sql): Released connection (2)
(6) EXPAND %{User-Name}
(6) --> MTP19003 at tanuvas.edu.in
(6) SQL-User-Name set to 'MTP19003 at tanuvas.edu.in'
rlm_sql (sql): Reserved connection (1)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '172.16.20.210'), 0)
rlm_sql (sql): Released connection (1)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id FROM radius_nas WHERE nasname = '%{NAS-IP-Address}'), 0)}
(6) --> 1
(6) &PacketFence-Tenant-Id = 1
(6) } # update control = noop
(6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(6) } # if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") = noop
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) if ( &control:PacketFence-Tenant-Id == 0 ) -> TRUE
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) update control {
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Reserved connection (3)
rlm_sql (sql): Released connection (3)
(6) EXPAND %{User-Name}
(6) --> MTP19003 at tanuvas.edu.in
(6) SQL-User-Name set to 'MTP19003 at tanuvas.edu.in'
rlm_sql (sql): Reserved connection (2)
(6) Executing select query: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('172.16.20.210') and INET_ATON('172.16.20.210') <= end_ip order by range_length limit 1), 1)
rlm_sql (sql): Released connection (2)
(6) EXPAND %{sql: SELECT IFNULL((SELECT tenant_id from radius_nas WHERE start_ip <= INET_ATON('%{NAS-IP-Address}') and INET_ATON('%{NAS-IP-Address}') <= end_ip order by range_length limit 1), 1)}
(6) --> 1
(6) &PacketFence-Tenant-Id := 1
(6) } # update control = noop
(6) } # if ( &control:PacketFence-Tenant-Id == 0 ) = noop
(6) } # policy packetfence-set-tenant-id = noop
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = noop
(6) } # policy filter_username = noop
(6) update {
(6) EXPAND %{outer.request:User-Name}
(6) --> @tanuvas.edu.in
(6) &request:PacketFence-Outer-User := @tanuvas.edu.in
(6) } # update = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "tanuvas.edu.in" for User-Name = "MTP19003 at tanuvas.edu.in"
(6) suffix: Found realm "tanuvas.edu.in"
(6) suffix: Adding Stripped-User-Name = "MTP19003"
(6) suffix: Adding Realm = "tanuvas.edu.in"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) ntdomain: Request already has destination realm set. Ignoring
(6) [ntdomain] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) if (Realm =~ /^tanuvas.org.in$/) {
(6) if (Realm =~ /^tanuvas.org.in$/) -> FALSE
(6) if (Realm =~ /^tanuvas.edu.in$/) {
(6) if (Realm =~ /^tanuvas.edu.in$/) -> TRUE
(6) if (Realm =~ /^tanuvas.edu.in$/) {
(6) policy oauth2.authorize {
(6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(6) EXPAND realm[tanuvas.edu.in].oauth2.discovery
(6) --> realm[tanuvas.edu.in].oauth2.discovery
(6) EXPAND %{config:realm[%{Realm}].oauth2.discovery}
(6) --> https://login.microsoftonline.com/%{Realm}/v2.0
(6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") -> TRUE
(6) if (&Realm && &User-Password && "%{config:realm[%{Realm}].oauth2.discovery}") {
(6) oauth2_perl: $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'MTP19003 at tanuvas.edu.in'
(6) oauth2_perl: $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'Tanuvas at 2020'
(6) oauth2_perl: $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '172.16.20.210'
(6) oauth2_perl: $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(6) oauth2_perl: $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Framed-User'
(6) oauth2_perl: $RAD_REQUEST{'Framed-MTU'} = &request:Framed-MTU -> '1100'
(6) oauth2_perl: $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'b8:3a:5a:c7:10:08'
(6) oauth2_perl: $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> '70:66:55:fc:a6:f1'
(6) oauth2_perl: $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> '172.16.20.101'
(6) oauth2_perl: $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(6) oauth2_perl: $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Mar 16 2022 22:24:44 IST'
(6) oauth2_perl: $RAD_REQUEST{'Aruba-Essid-Name'} = &request:Aruba-Essid-Name -> 'TANUVAS'
(6) oauth2_perl: $RAD_REQUEST{'Aruba-Location-Id'} = &request:Aruba-Location-Id -> 'CECONDS'
(6) oauth2_perl: $RAD_REQUEST{'Aruba-AP-Group'} = &request:Aruba-AP-Group -> 'MVC_AcademicAP_VC'
(6) oauth2_perl: $RAD_REQUEST{'Aruba-Device-Type'} = &request:Aruba-Device-Type -> 'NOFP'
(6) oauth2_perl: $RAD_REQUEST{'FreeRADIUS-Proxied-To'} = &request:FreeRADIUS-Proxied-To -> '127.0.0.1'
(6) oauth2_perl: $RAD_REQUEST{'EAP-Type'} = &request:EAP-Type -> 'TTLS'
(6) oauth2_perl: $RAD_REQUEST{'Stripped-User-Name'} = &request:Stripped-User-Name -> 'MTP19003'
(6) oauth2_perl: $RAD_REQUEST{'Realm'} = &request:Realm -> 'tanuvas.edu.in'
(6) oauth2_perl: $RAD_REQUEST{'SQL-User-Name'} = &request:SQL-User-Name -> 'MTP19003 at tanuvas.edu.in'
(6) oauth2_perl: $RAD_REQUEST{'PacketFence-KeyBalanced'} = &request:PacketFence-KeyBalanced -> '676ae0f0be13d41f008250df0c25be53'
(6) oauth2_perl: $RAD_REQUEST{'PacketFence-Radius-Ip'} = &request:PacketFence-Radius-Ip -> '172.16.11.10'
(6) oauth2_perl: $RAD_REQUEST{'PacketFence-Outer-User'} = &request:PacketFence-Outer-User -> '@tanuvas.edu.in'
(6) oauth2_perl: $RAD_CHECK{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(6) oauth2_perl: $RAD_CHECK{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
(6) oauth2_perl: $RAD_CONFIG{'Proxy-To-Realm'} = &control:Proxy-To-Realm -> 'LOCAL'
(6) oauth2_perl: $RAD_CONFIG{'PacketFence-Tenant-Id'} = &control:PacketFence-Tenant-Id -> '1'
rlm_perl: oauth2 authorize
(6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.discovery
(6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.discovery
(6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.discovery}
(6) oauth2_perl: --> https://login.microsoftonline.com/%{Realm}/v2.0
(6) oauth2_perl: EXPAND https://login.microsoftonline.com/%{Realm}/v2.0
(6) oauth2_perl: --> https://login.microsoftonline.com/tanuvas.edu.in/v2.0
(6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.client_id
(6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.client_id
(6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.client_id}
(6) oauth2_perl: --> 06f29276-f381-4e8b-8618-e62e701ec2a7
(6) oauth2_perl: EXPAND realm[tanuvas.edu.in].oauth2.client_secret
(6) oauth2_perl: --> realm[tanuvas.edu.in].oauth2.client_secret
(6) oauth2_perl: EXPAND %{config:realm[tanuvas.edu.in].oauth2.client_secret}
(6) oauth2_perl: --> b43401d0-0a12-42fd-a27d-32437248d01b
rlm_perl: oauth2 worker (tanuvas.edu.in): supervisor started (tid=1)
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching discovery document
Waking up in 0.4 seconds.
rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=2)
rlm_perl: oauth2 worker (tanuvas.edu.in): sync
rlm_perl: oauth2 worker (tanuvas.edu.in): sync users
rlm_perl: oauth2 worker (tanuvas.edu.in): users page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
Waking up in 0.7 seconds.
Use of uninitialized value $v in concatenation (.) or string at
/usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167.
rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request
rlm_perl: oauth2 worker (tanuvas.edu.in): sync groups
rlm_perl: oauth2 worker (tanuvas.edu.in): groups page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 500 Can't connect
to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP
routines:OCSP_basic_verify:certificate verify error)
Thread 2 terminated abnormally: token (tanuvas.edu.in): 500 Can't connect
to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP
routines:OCSP_basic_verify:certificate verify error) at
/usr/local/pf/raddb/mods-config/perl/oauth2.pm line 191.
rlm_perl: oauth2 worker (tanuvas.edu.in): died, sleeping for 0 seconds
rlm_perl: oauth2 worker (tanuvas.edu.in): started (tid=3)
rlm_perl: oauth2 worker (tanuvas.edu.in): sync
rlm_perl: oauth2 worker (tanuvas.edu.in): sync users
rlm_perl: oauth2 worker (tanuvas.edu.in): users page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
Waking up in 1.1 seconds.
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
Use of uninitialized value $v in concatenation (.) or string at
/usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167.
rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request
rlm_perl: oauth2 worker (tanuvas.edu.in): sync groups
rlm_perl: oauth2 worker (tanuvas.edu.in): groups page
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
Use of uninitialized value $v in concatenation (.) or string at
/usr/local/pf/lib_perl/lib/perl5/Net/HTTP/Methods.pm line 167.
rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 400 Bad Request
rlm_perl: oauth2 worker (tanuvas.edu.in): apply
(6) oauth2_perl: &request:Stripped-User-Name =
$RAD_REQUEST{'Stripped-User-Name'} -> 'MTP19003'
(6) oauth2_perl: &request:Calling-Station-Id =
$RAD_REQUEST{'Calling-Station-Id'} -> '70:66:55:fc:a6:f1'
(6) oauth2_perl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1100'
(6) oauth2_perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'}
-> '172.16.20.101'
(6) oauth2_perl: &request:User-Name = $RAD_REQUEST{'User-Name'} ->
'MTP19003@tanuvas.edu.in'
(6) oauth2_perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} ->
'Framed-User'
(6) oauth2_perl: &request:EAP-Type = $RAD_REQUEST{'EAP-Type'} -> 'TTLS'
(6) oauth2_perl: &request:Called-Station-Id =
$RAD_REQUEST{'Called-Station-Id'} -> 'b8:3a:5a:c7:10:08'
(6) oauth2_perl: &request:SQL-User-Name = $RAD_REQUEST{'SQL-User-Name'} ->
'MTP19003@tanuvas.edu.in'
(6) oauth2_perl: &request:PacketFence-Outer-User =
$RAD_REQUEST{'PacketFence-Outer-User'} -> '@tanuvas.edu.in'
(6) oauth2_perl: &request:Aruba-Device-Type =
$RAD_REQUEST{'Aruba-Device-Type'} -> 'NOFP'
(6) oauth2_perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} ->
'Wireless-802.11'
(6) oauth2_perl: &request:FreeRADIUS-Proxied-To =
$RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(6) oauth2_perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'}
-> 'Mar 16 2022 22:24:44 IST'
(6) oauth2_perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(6) oauth2_perl: &request:PacketFence-Radius-Ip =
$RAD_REQUEST{'PacketFence-Radius-Ip'} -> '172.16.11.10'
(6) oauth2_perl: &request:PacketFence-KeyBalanced =
$RAD_REQUEST{'PacketFence-KeyBalanced'} ->
'676ae0f0be13d41f008250df0c25be53'
(6) oauth2_perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'}
-> '172.16.20.210'
(6) oauth2_perl: &request:Aruba-Location-Id =
$RAD_REQUEST{'Aruba-Location-Id'} -> 'CECONDS'
(6) oauth2_perl: &request:Aruba-AP-Group = $RAD_REQUEST{'Aruba-AP-Group'}
-> 'MVC_AcademicAP_VC'
(6) oauth2_perl: &request:User-Password = $RAD_REQUEST{'User-Password'} ->
'Tanuvas at 2020'
(6) oauth2_perl: &request:Realm = $RAD_REQUEST{'Realm'} -> 'tanuvas.edu.in'
(6) oauth2_perl: &request:Aruba-Essid-Name =
$RAD_REQUEST{'Aruba-Essid-Name'} -> 'TANUVAS'
(6) oauth2_perl: &control:PacketFence-Tenant-Id =
$RAD_CHECK{'PacketFence-Tenant-Id'} -> '1'
(6) oauth2_perl: &control:Proxy-To-Realm = $RAD_CHECK{'Proxy-To-Realm'} ->
'LOCAL'
(6) [oauth2_perl] = notfound
(6) if (updated &&
"%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) {
(6) if (updated &&
"%{config:realm[%{Realm}].oauth2.cache_password}" =~ /^(yes)?$/i) -> FALSE
(6) } # if (&Realm && &User-Password &&
"%{config:realm[%{Realm}].oauth2.discovery}") = notfound
(6) ... skipping else: Preceding "if" was taken
(6) } # policy oauth2.authorize = notfound
(6) } # if (Realm =~ /^tanuvas.edu.in$/) = notfound
(6) policy rewrite_called_station_id {
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
-> TRUE
(6) if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
{
(6) update request {
(6) &Called-Station-Id !* ANY
(6) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6) --> b8:3a:5a:c7:10:08
(6) &Called-Station-Id := b8:3a:5a:c7:10:08
(6) } # update request = noop
(6) if ("%{8}") {
(6) EXPAND %{8}
(6) -->
(6) if ("%{8}") -> FALSE
(6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) {
(6) elsif ( (Colubris-AVPair) && "%{Colubris-AVPair}" =~
/^ssid=(.*)$/i) -> FALSE
(6) elsif (Aruba-Essid-Name) {
(6) elsif (Aruba-Essid-Name) -> TRUE
(6) elsif (Aruba-Essid-Name) {
(6) update request {
(6) EXPAND %{Aruba-Essid-Name}
(6) --> TANUVAS
(6) &Called-Station-SSID := TANUVAS
(6) } # update request = noop
(6) } # elsif (Aruba-Essid-Name) = noop
(6) ... skipping elsif: Preceding "if" was taken
(6) [updated] = updated
(6) } # if ((&Called-Station-Id) && (&Called-Station-Id =~
/^1?:?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$/i))
= updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) [pap] = noop
(6) } # authorize = updated
(6) WARNING: You set Proxy-To-Realm = local, but it is a LOCAL realm!
Cancelling proxy request.
(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence-tunnel
(6) Post-Auth-Type REJECT {
(6) policy packetfence-set-tenant-id {
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 1
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE
(6) } # policy packetfence-set-tenant-id = noop
(6) update {
(6) &request:User-Password := "******"
(6) } # update = noop
(6) policy packetfence-audit-log-reject {
(6) if (&User-Name && (&User-Name == "dummy")) {
(6) if (&User-Name && (&User-Name == "dummy")) -> FALSE
(6) else {
(6) policy request-timing {
(6) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) {
(6) EXPAND %{%{control:PacketFence-Request-Time}:-0}
(6) --> 0
(6) if ("%{%{control:PacketFence-Request-Time}:-0}" != 0) ->
FALSE
(6) } # policy request-timing = noop
(6) sql_reject: EXPAND type.reject.query
(6) sql_reject: --> type.reject.query
(6) sql_reject: Using query template 'query'
rlm_sql (sql): Reserved connection (1)
(6) sql_reject: EXPAND %{User-Name}
(6) sql_reject: --> MTP19003@tanuvas.edu.in
(6) sql_reject: SQL-User-Name set to 'MTP19003@tanuvas.edu.in'
(6) sql_reject: EXPAND INSERT INTO radius_audit_log ( mac,
ip, computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id,
nas_port_type, ssid, nas_port_id, ifindex,
nas_port, connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time, tenant_id, radius_ip) VALUES (
'%{request:Calling-Station-Id}', '%{request:Framed-IP-Address}',
'%{%{control:PacketFence-Computer-Name}:-N/A}', '%{request:User-Name}',
'%{request:Stripped-User-Name}', '%{request:Realm}',
'Radius-Access-Request',
'%{%{control:PacketFence-Switch-Id}:-N/A}',
'%{%{control:PacketFence-Switch-Mac}:-N/A}',
'%{%{control:PacketFence-Switch-Ip-Address}:-N/A}',
'%{Packet-Src-IP-Address}', '%{request:Called-Station-Id}',
'%{request:Calling-Station-Id}', '%{request:NAS-Port-Type}',
'%{request:Called-Station-SSID}', '%{request:NAS-Port-Id}',
'%{%{control:PacketFence-IfIndex}:-N/A}', '%{request:NAS-Port}',
'%{%{control:PacketFence-Connection-Type}:-N/A}',
'%{request:NAS-IP-Address}', '%{request:NAS-Identifier}', 'Reject',
'%{request:Module-Failure-Message}', '%{control:Auth-Type}',
'%{request:EAP-Type}',
'%{%{control:PacketFence-Role}:-N/A}',
'%{%{control:PacketFence-Status}:-N/A}',
'%{%{control:PacketFence-Profile}:-N/A}',
'%{%{control:PacketFence-Source}:-N/A}',
'%{%{control:PacketFence-AutoReg}:-0}',
'%{%{control:PacketFence-IsPhone}:-0}',
'%{request:PacketFence-Domain}', '',
'%{pairs:&request:[*]}','%{pairs:&reply:[*]}',
'%{%{control:PacketFence-Request-Time}:-0}',
'%{control:PacketFence-Tenant-Id}', '%{request:PacketFence-Radius-Ip}')
rlm_perl: oauth2 worker (tanuvas.edu.in): syncing in 27 seconds
(6) sql_reject: --> INSERT INTO radius_audit_log ( mac,
ip, computer_name, user_name, stripped_user_name, realm,
event_type, switch_id, switch_mac, switch_ip_address,
radius_source_ip_address, called_station_id, calling_station_id,
nas_port_type, ssid, nas_port_id, ifindex,
nas_port, connection_type, nas_ip_address, nas_identifier,
auth_status, reason, auth_type, eap_type,
role, node_status, profile, source, auto_reg, is_phone,
pf_domain, uuid, radius_request, radius_reply,
request_time, tenant_id, radius_ip) VALUES (
'70:66:55:fc:a6:f1', '', 'N/A', 'MTP19003@tanuvas.edu.in',
'MTP19003', 'tanuvas.edu.in', 'Radius-Access-Request',
'N/A', 'N/A', 'N/A', '172.16.20.210', 'b8:3a:5a:c7:10:08',
'70:66:55:fc:a6:f1', 'Wireless-802.11', 'TANUVAS', '',
'N/A', '0', 'N/A', '172.16.20.210',
'172.16.20.101', 'Reject', 'No Auth-Type found: rejecting
the user via Post-Auth-Type = Reject', '', 'TTLS', 'N/A',
'N/A', 'N/A', 'N/A', '0', '0', '', '',
'Stripped-User-Name = "MTP19003", Calling-Station-Id =
"70:66:55:fc:a6:f1", Framed-MTU = 1100, NAS-Identifier =
"172.16.20.101", User-Name = "MTP19003@tanuvas.edu.in",
Service-Type = Framed-User, EAP-Type = TTLS, PacketFence-Outer-User =
"@tanuvas.edu.in", Aruba-Device-Type = "NOFP", NAS-Port-Type =
Wireless-802.11, FreeRADIUS-Proxied-To = 127.0.0.1, Event-Timestamp =
"Mar 16 2022 22:24:44 IST", NAS-Port = 0, PacketFence-Radius-Ip =
"172.16.11.10", PacketFence-KeyBalanced =
"676ae0f0be13d41f008250df0c25be53", NAS-IP-Address = 172.16.20.210,
Aruba-Location-Id = "CECONDS", Aruba-AP-Group =
"MVC_AcademicAP_VC", User-Password = "******", Realm
= "tanuvas.edu.in", Aruba-Essid-Name = "TANUVAS",
Called-Station-Id = "b8:3a:5a:c7:10:08", Called-Station-SSID =
"TANUVAS", Module-Failure-Message = "No Auth-Type found: rejecting
the user via Post-Auth-Type = Reject", SQL-User-Name =
"MTP19003@tanuvas.edu.in"','', '0', '1', '172.16.11.10')
(6) sql_reject: Executing query: INSERT INTO radius_audit_log
( mac, ip, computer_name, user_name, stripped_user_name,
realm, event_type, switch_id, switch_mac,
switch_ip_address, radius_source_ip_address,
called_station_id, calling_station_id, nas_port_type, ssid,
nas_port_id, ifindex, nas_port, connection_type,
nas_ip_address, nas_identifier, auth_status, reason,
auth_type, eap_type, role, node_status, profile,
source, auto_reg, is_phone, pf_domain, uuid,
radius_request, radius_reply, request_time, tenant_id,
radius_ip) VALUES ( '70:66:55:fc:a6:f1', '',
'N/A', 'MTP19003@tanuvas.edu.in', 'MTP19003', 'tanuvas.edu.in',
'Radius-Access-Request', 'N/A', 'N/A', 'N/A',
'172.16.20.210', 'b8:3a:5a:c7:10:08', '70:66:55:fc:a6:f1',
'Wireless-802.11', 'TANUVAS', '', 'N/A', '0', 'N/A',
'172.16.20.210', '172.16.20.101', 'Reject', 'No
Auth-Type found: rejecting the user via Post-Auth-Type = Reject', '',
'TTLS', 'N/A', 'N/A', 'N/A', 'N/A', '0', '0',
'', '', 'Stripped-User-Name = "MTP19003",
Calling-Station-Id = "70:66:55:fc:a6:f1", Framed-MTU = 1100,
NAS-Identifier = "172.16.20.101", User-Name =
"MTP19003@tanuvas.edu.in", Service-Type = Framed-User, EAP-Type =
TTLS, PacketFence-Outer-User = "@tanuvas.edu.in", Aruba-Device-Type
= "NOFP", NAS-Port-Type = Wireless-802.11, FreeRADIUS-Proxied-To
= 127.0.0.1, Event-Timestamp = "Mar 16 2022 22:24:44 IST", NAS-Port
= 0, PacketFence-Radius-Ip = "172.16.11.10",
PacketFence-KeyBalanced = "676ae0f0be13d41f008250df0c25be53",
NAS-IP-Address = 172.16.20.210, Aruba-Location-Id = "CECONDS",
Aruba-AP-Group = "MVC_AcademicAP_VC", User-Password =
"******", Realm = "tanuvas.edu.in", Aruba-Essid-Name
= "TANUVAS", Called-Station-Id = "b8:3a:5a:c7:10:08",
Called-Station-SSID = "TANUVAS", Module-Failure-Message = "No
Auth-Type found: rejecting the user via Post-Auth-Type = Reject",
SQL-User-Name = "MTP19003@tanuvas.edu.in"','', '0', '1',
'172.16.11.10')
(6) sql_reject: SQL query returned: success
(6) sql_reject: 1 record(s) updated
rlm_sql (sql): Released connection (1)
Need more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (4), 1 of 60 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'pf' on Localhost via UNIX socket,
server version 10.5.15-MariaDB-1:10.5.15+maria~bullseye, protocol version 10
(6) [sql_reject] = ok
(6) } # else = ok
(6) } # policy packetfence-audit-log-reject = ok
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> MTP19003@tanuvas.edu.in
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) update outer.session-state {
(6) &Module-Failure-Message := &request:Module-Failure-Message ->
'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(6) } # update outer.session-state = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Login incorrect (No Auth-Type found: rejecting the user via
Post-Auth-Type = Reject): [MTP19003@tanuvas.edu.in] (from client
172.16.20.210/32 port 0 cli 70:66:55:fc:a6:f1 via TLS tunnel)
(6) } # server packetfence-tunnel
(6) Virtual server sending reply
(6) eap_ttls: Got tunneled Access-Reject
(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module
failed
(6) eap: Sending EAP Failure (code 4) ID 8 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file
/usr/local/pf/raddb/sites-enabled/packetfence
(6) Post-Auth-Type REJECT {
(6) policy packetfence-set-tenant-id {
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0"){
(6) if (!NAS-IP-Address || NAS-IP-Address == "0.0.0.0") -> FALSE
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") {
(6) EXPAND %{%{control:PacketFence-Tenant-Id}:-0}
(6) --> 1
(6) if ( "%{%{control:PacketFence-Tenant-Id}:-0}" == "0") -> FALSE
(6) if ( &control:PacketFence-Tenant-Id == 0 ) {
(6) if ( &control:PacketFence-Tenant-Id == 0 ) -> FALSE
(6) } # policy packetfence-set-tenant-id = noop
(6) update {
(6) &request:User-Password := "******"
(6) } # update = noop
(6) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) {
(6) if (! EAP-Type || (EAP-Type != TTLS && EAP-Type != PEAP) ) ->
FALSE
(6) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") {
(6) EXPAND %{%{control:PacketFence-Proxied-From}:-False}
(6) --> False
(6) if ("%{%{control:PacketFence-Proxied-From}:-False}" == "True") ->
FALSE
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> @tanuvas.edu.in
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) attr_filter.packetfence_post_auth: EXPAND %{User-Name}
(6) attr_filter.packetfence_post_auth: --> @tanuvas.edu.in
(6) attr_filter.packetfence_post_auth: Matched entry DEFAULT at line 10
(6) [attr_filter.packetfence_post_auth] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) linelog: EXPAND messages.%{%{reply:Packet-Type}:-default}
(6) linelog: --> messages.Access-Reject
(6) linelog: EXPAND [mac:%{Calling-Station-Id}] Rejected user: %{User-Name}
(6) linelog: --> [mac:70:66:55:fc:a6:f1] Rejected user: @tanuvas.edu.in
(6) [linelog] = ok
(6) } # Post-Auth-Type REJECT = updated
(6) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP
sub-module failed): [@tanuvas.edu.in] (from client
172.16.20.210/32 port 0 cli 70:66:55:fc:a6:f1)
(6) Delaying response for 1.000000 seconds
Thread 1 waiting to be assigned a request
(0) Cleaning up request packet ID 61 with timestamp +42
(1) Cleaning up request packet ID 62 with timestamp +42
(2) Cleaning up request packet ID 63 with timestamp +42
(3) Cleaning up request packet ID 64 with timestamp +42
(4) Cleaning up request packet ID 65 with timestamp +42
(5) Cleaning up request packet ID 66 with timestamp +42
Waking up in 0.5 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 67 from 172.16.11.10:1812 to 172.16.20.210:57049
length 44
(6) EAP-Message = 0x04080004
(6) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(6) Cleaning up request packet ID 67 with timestamp +44
Ready to process requests
The user could not connect with his Azure AD credentials.
Can anyone help me to resolve the issue?
Regards,
Thirunavukkarasu
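The debug output above carries the whole failure chain in a few rlm_perl lines: the oauth2 worker fetches a token with the realm's client_id and client_secret and gets "401 Unauthorized", the following Graph users/groups requests fail (400, and once a 500 with an OCSP certificate verify error against graph.microsoft.com), the authorize policy returns "[oauth2_perl] = notfound", so nothing sets Auth-Type and FreeRADIUS rejects the inner request. The script below is an added example, not code from the post, from PacketFence or from FreeRADIUS: it triages those lines offline on a constructed copy of the log and builds the client-credentials token request that the worker's "fetching token" corresponds to, so the credentials can be checked against the tenant with curl, separately from FreeRADIUS. The .well-known discovery path, the Graph scope and the reading of the Net::HTTP "uninitialized value" warning as a bearer header with no value are assumptions, marked as such in the code.

```python
"""Offline triage of the oauth2_perl worker failure chain (added example,
not PacketFence or FreeRADIUS code).

The log is read as a sequence: token fetch (client credentials) fails with
401; the Graph users/groups requests then go out without a usable
Authorization header and fail; the TLS/OCSP error on graph.microsoft.com is
reported separately because it is independent of the credential problem;
authorize ends with "[oauth2_perl] = notfound", so no Auth-Type is set.
"""
import re
from urllib.parse import urlencode

# Constructed sample: a condensed copy of the lines shown in the post.
SAMPLE_LOG = """\
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching discovery document
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
Use of uninitialized value $v in concatenation (.) or string at Net/HTTP/Methods.pm line 167.
rlm_perl: oauth2 worker (tanuvas.edu.in): users failed: 400 Bad Request
rlm_perl: oauth2 worker (tanuvas.edu.in): fetching token
rlm_perl: oauth2 worker (tanuvas.edu.in): token failed: 401 Unauthorized
rlm_perl: oauth2 worker (tanuvas.edu.in): groups failed: 500 Can't connect to graph.microsoft.com:443 (SSL connect attempt failed error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error)
(6) [oauth2_perl] = notfound
(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

WORKER_RE = re.compile(
    r"oauth2 worker \((?P<realm>[^)]+)\): (?P<what>token|users|groups) failed: "
    r"(?P<status>\d{3}) ?(?P<detail>.*)"
)
UNINIT_HEADER_RE = re.compile(r"Use of uninitialized value .* Net/HTTP/Methods\.pm")
OAUTH2_RESULT_RE = re.compile(r"\[oauth2_perl\] = (?P<rc>\w+)")
NO_AUTH_TYPE_RE = re.compile(r"No Auth-Type found")


def triage(log_text: str) -> dict:
    """Summarise the worker failures and name the first link that broke."""
    report = {"realm": None, "token": [], "graph": [], "tls_error": False,
              "header_without_value": False, "oauth2_rc": None,
              "auth_type_missing": False, "first_failure": None}
    for line in log_text.splitlines():
        m = WORKER_RE.search(line)
        if m:
            report["realm"] = report["realm"] or m["realm"]
            status = int(m["status"])
            if m["what"] == "token":
                report["token"].append(status)
            else:
                report["graph"].append((m["what"], status))
            if "OCSP" in m["detail"] or "SSL connect attempt failed" in m["detail"]:
                report["tls_error"] = True
            continue
        if UNINIT_HEADER_RE.search(line):
            # Net::HTTP warns when a header value is undef; right after a failed
            # token fetch the bearer value is the obvious candidate (assumption).
            report["header_without_value"] = True
        m = OAUTH2_RESULT_RE.search(line)
        if m:
            report["oauth2_rc"] = m["rc"]
        if NO_AUTH_TYPE_RE.search(line):
            report["auth_type_missing"] = True
    if report["token"] and all(s == 401 for s in report["token"]):
        report["first_failure"] = "token endpoint rejected the client credentials (401)"
    elif report["graph"]:
        report["first_failure"] = "Graph request failed although a token was issued"
    elif report["auth_type_missing"]:
        report["first_failure"] = "no module set Auth-Type"
    return report


def discovery_url(realm: str) -> str:
    """Discovery document for the realm's configured base
    https://login.microsoftonline.com/<realm>/v2.0. The .well-known suffix is
    the standard OpenID one; that oauth2.pm appends exactly this is an assumption."""
    return f"https://login.microsoftonline.com/{realm}/v2.0/.well-known/openid-configuration"


def token_request(tenant: str, client_id: str, client_secret: str,
                  scope: str = "https://graph.microsoft.com/.default"):
    """Client-credentials request equivalent to the worker's 'fetching token'.
    Replaying it outside FreeRADIUS separates a credential problem (401 here
    too) from a TLS/OCSP problem (200 here, worker still failing on Graph)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})
    return url, body


if __name__ == "__main__":
    print(triage(SAMPLE_LOG)["first_failure"])
    # Placeholders: substitute the realm's real client_id and the secret VALUE.
    url, body = token_request("tanuvas.edu.in", "<client_id>", "<client_secret_value>")
    print(f"curl -s -d '{body}' {url}")
```

Run the printed curl line from the PacketFence host: a 401 there with the same client_id and client_secret reproduces the worker's first failure and the problem is in the app registration or the configured secret; a 200 there means the credentials are fine and the OCSP verify error on graph.microsoft.com is the blocker. Note that radiusd -X prints the realm's client_secret and the inner User-Password in clear (both appear in the output above), so a pasted debug log should be treated as a credential leak and both rotated.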