check user device mac address without doing mac-auth

Eby Mani eby_km at yahoo.com
Tue Apr 4 10:11:50 UTC 2023


 Thanks Alan,
> You can add some "unlang" to the "authorize" section. If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear.

Have tried adding the following in /sites-enabled/default bottom of "authoriztion { } section", inside "preacct { preprocess } section" and inside "post-auth { } section", any device can connect.


if("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
 ok
 }
 else {
 reject
 }

Removed Calling-Station-Id from radcheck, any device can connect with login credentials. When Calling-Station-Id attribute is used in radcheck, only the the device mac-addr in radcheck can connect, without "unlang", adding more than 1 mac-addr in radcheck is not working.

mysql> select * from radcheck;
+----+----------+--------------------+----+----------+
| id | username | attribute | op | value |
+----+----------+--------------------+----+----------+
| 1 | testing | Cleartext-Password | := | password |
+----+----------+--------------------+----+----------+
1 row in set (0.00 sec)

mysql> select * from macaddrlist;
+----+----------+--------------+----------+----------+
| id | username | macaddr1 | macaddr2 | macaddr3 |
+----+----------+--------------+----------+----------+
| 1 | testing | 1002b52c096b | NULL | NULL |
+----+----------+--------------+----------+----------+
1 row in set (0.00 sec)

mysql>



debug output
################################################################################################
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.909128 sec
(17) Received Access-Request Id 5 from 10.225.251.10:56766 to 172.16.2.4:1812 length 184
(17) User-Name = "testing"
(17) NAS-IP-Address = 10.225.251.10
(17) NAS-Port = 0
(17) NAS-Identifier = "172.16.6.63"
(17) NAS-Port-Type = Wireless-802.11
(17) Calling-Station-Id = "f894c2addb53"
(17) Called-Station-Id = "removed"
(17) Service-Type = Login-User
(17) Framed-MTU = 1100
(17) EAP-Message = 0x0202000c0174657374696e67
(17) Aruba-Essid-Name = "wtf"
(17) Aruba-Location-Id = "Building-A"
(17) Aruba-AP-Group = "Cluster"
(17) Message-Authenticator = 0x23e7c95a6d11b0eefbfc4986de4ee921
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = notfound
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [chap] = noop
(17) [mschap] = noop
(17) [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "testing", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 2 length 12
(17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) authenticate {
(17) eap: Peer sent packet with method EAP Identity (1)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Initiating new EAP-TLS session
(17) eap_peap: [eaptls start] = request
(17) eap: Sending EAP Request (code 1) ID 3 length 6
(17) eap: EAP session adding &reply:State = 0x735d7f17735e66c6
(17) [eap] = handled
(17) } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) Challenge { ... } # empty sub-section is ignored
(17) Sent Access-Challenge Id 5 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(17) EAP-Message = 0x010300061920
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x735d7f17735e66c6a880ae3bd9d49d0e
(17) Finished request
Waking up in 4.9 seconds.
(18) Received Access-Request Id 6 from 10.225.251.10:56766 to 172.16.2.4:1812 length 362
(18) User-Name = "testing"
(18) NAS-IP-Address = 10.225.251.10
(18) NAS-Port = 0
(18) NAS-Identifier = "172.16.6.63"
(18) NAS-Port-Type = Wireless-802.11
(18) Calling-Station-Id = "f894c2addb53"
(18) Called-Station-Id = "removed"
(18) Service-Type = Login-User
(18) Framed-MTU = 1100
(18) EAP-Message = 0x020300ac1980000000a2160303009d010000990303642bdf14a9bfdb6161357fc070503ec4d997eed1d0309e2acef37c8b7f4b122900002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d
(18) State = 0x735d7f17735e66c6a880ae3bd9d49d0e
(18) Aruba-Essid-Name = "wtf"
(18) Aruba-Location-Id = "Building-A"
(18) Aruba-AP-Group = "Cluster"
(18) Message-Authenticator = 0x76908f7c21e3f826fc836b0caab67eb3
(18) session-state: No cached attributes
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [preprocess] = ok
(18) [chap] = noop
(18) [mschap] = noop
(18) [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "testing", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 3 length 172
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18) authenticate {
(18) eap: Expiring EAP session with state 0x735d7f17735e66c6
(18) eap: Finished EAP session with state 0x735d7f17735e66c6
(18) eap: Previous EAP request found for state 0x735d7f17735e66c6, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer indicated complete TLS record size will be 162 bytes
(18) eap_peap: Got complete TLS record (162 bytes)
(18) eap_peap: [eaptls verify] = length included
(18) eap_peap: (other): before SSL initialization
(18) eap_peap: TLS_accept: before SSL initialization
(18) eap_peap: TLS_accept: before SSL initialization
(18) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 009d]
(18) eap_peap: TLS_accept: SSLv3/TLS read client hello
(18) eap_peap: >>> send TLS 1.2 [length 003d]
(18) eap_peap: TLS_accept: SSLv3/TLS write server hello
(18) eap_peap: >>> send TLS 1.2 [length 02ed]
(18) eap_peap: TLS_accept: SSLv3/TLS write certificate
(18) eap_peap: >>> send TLS 1.2 [length 014d]
(18) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(18) eap_peap: >>> send TLS 1.2 [length 0004]
(18) eap_peap: TLS_accept: SSLv3/TLS write server done
(18) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(18) eap_peap: In SSL Handshake Phase
(18) eap_peap: In SSL Accept mode
(18) eap_peap: [eaptls process] = handled
(18) eap: Sending EAP Request (code 1) ID 4 length 1004
(18) eap: EAP session adding &reply:State = 0x735d7f17725966c6
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18) Challenge { ... } # empty sub-section is ignored
(18) Sent Access-Challenge Id 6 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(18) EAP-Message = 0x010403ec19c00000048f160303003d020000390303cb62284a7188ef72f890ca8edff8ba19c759c47607fe6b34444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ed0b0002e90002e60002e3308202df308201c7a00302010202144332d5c60c9f4d943c5616923e
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x735d7f17725966c6a880ae3bd9d49d0e
(18) Finished request
Waking up in 4.9 seconds.
(19) Received Access-Request Id 7 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196
(19) User-Name = "testing"
(19) NAS-IP-Address = 10.225.251.10
(19) NAS-Port = 0
(19) NAS-Identifier = "172.16.6.63"
(19) NAS-Port-Type = Wireless-802.11
(19) Calling-Station-Id = "f894c2addb53"
(19) Called-Station-Id = "removed"
(19) Service-Type = Login-User
(19) Framed-MTU = 1100
(19) EAP-Message = 0x020400061900
(19) State = 0x735d7f17725966c6a880ae3bd9d49d0e
(19) Aruba-Essid-Name = "wtf"
(19) Aruba-Location-Id = "Building-A"
(19) Aruba-AP-Group = "Cluster"
(19) Message-Authenticator = 0xad236167427d138b918fee7d9e1602bd
(19) session-state: No cached attributes
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "testing", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 4 length 6
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0x735d7f17725966c6
(19) eap: Finished EAP session with state 0x735d7f17725966c6
(19) eap: Previous EAP request found for state 0x735d7f17725966c6, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: Peer ACKed our handshake fragment
(19) eap_peap: [eaptls verify] = request
(19) eap_peap: [eaptls process] = handled
(19) eap: Sending EAP Request (code 1) ID 5 length 179
(19) eap: EAP session adding &reply:State = 0x735d7f17715866c6
(19) [eap] = handled
(19) } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19) Challenge { ... } # empty sub-section is ignored
(19) Sent Access-Challenge Id 7 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(19) EAP-Message = 0x010500b31900da3145a6f9eecf76845fb83242f5aadd813424fce1c90e8b12600da59dde36fdaf1d7bf5fa62e7423780336ab99ab603af42f2074076fde75e9540e506163484354d638af9269b1c3ca911c400886a443197ae1b7f67cec1ab2354b9dd9ef9691bcabfbc4b17be8750cdc934028e8228ce
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x735d7f17715866c6a880ae3bd9d49d0e
(19) Finished request
Waking up in 4.9 seconds.
(20) Received Access-Request Id 8 from 10.225.251.10:56766 to 172.16.2.4:1812 length 326
(20) User-Name = "testing"
(20) NAS-IP-Address = 10.225.251.10
(20) NAS-Port = 0
(20) NAS-Identifier = "172.16.6.63"
(20) NAS-Port-Type = Wireless-802.11
(20) Calling-Station-Id = "f894c2addb53"
(20) Called-Station-Id = "removed"
(20) Service-Type = Login-User
(20) Framed-MTU = 1100
(20) EAP-Message = 0x0205008819800000007e16030300461000004241044e9e061bc42f5cee3b1c557f06e3dec5721a615dd2f79ca82ce3e7038da4006571019eeb6c12895e0e38c65c1ce9771b723011ba85fff25e0ffed61b7cbc448114030300010116030300280000000000000000f9b65095f49b130430f1568b453bdb
(20) State = 0x735d7f17715866c6a880ae3bd9d49d0e
(20) Aruba-Essid-Name = "wtf"
(20) Aruba-Location-Id = "Building-A"
(20) Aruba-AP-Group = "Cluster"
(20) Message-Authenticator = 0x840d1e263f5c62c55398933cbacd6a37
(20) session-state: No cached attributes
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(20) authorize {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = notfound
(20) } # policy filter_username = notfound
(20) [preprocess] = ok
(20) [chap] = noop
(20) [mschap] = noop
(20) [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "testing", looking up realm NULL
(20) suffix: No such realm "NULL"
(20) [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 5 length 136
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20) authenticate {
(20) eap: Expiring EAP session with state 0x735d7f17715866c6
(20) eap: Finished EAP session with state 0x735d7f17715866c6
(20) eap: Previous EAP request found for state 0x735d7f17715866c6, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(20) eap_peap: Got complete TLS record (126 bytes)
(20) eap_peap: [eaptls verify] = length included
(20) eap_peap: TLS_accept: SSLv3/TLS write server done
(20) eap_peap: <<< recv TLS 1.2 [length 0046]
(20) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(20) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(20) eap_peap: <<< recv TLS 1.2 [length 0010]
(20) eap_peap: TLS_accept: SSLv3/TLS read finished
(20) eap_peap: >>> send TLS 1.2 [length 0001]
(20) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(20) eap_peap: >>> send TLS 1.2 [length 0010]
(20) eap_peap: TLS_accept: SSLv3/TLS write finished
(20) eap_peap: (other): SSL negotiation finished successfully
(20) eap_peap: SSL Connection Established
(20) eap_peap: [eaptls process] = handled
(20) eap: Sending EAP Request (code 1) ID 6 length 57
(20) eap: EAP session adding &reply:State = 0x735d7f17705b66c6
(20) [eap] = handled
(20) } # authenticate = handled
(20) Using Post-Auth-Type Challenge
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20) Challenge { ... } # empty sub-section is ignored
(20) Sent Access-Challenge Id 8 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(20) EAP-Message = 0x010600391900140303000101160303002806d33c56b068f0a1972df6aa137cc47d7b1a80a3ad56963b9608cb6d86532b0aca677b843c484752
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x735d7f17705b66c6a880ae3bd9d49d0e
(20) Finished request
Waking up in 4.9 seconds.
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.087135 sec
(21) Received Access-Request Id 9 from 10.225.251.10:56766 to 172.16.2.4:1812 length 196
(21) User-Name = "testing"
(21) NAS-IP-Address = 10.225.251.10
(21) NAS-Port = 0
(21) NAS-Identifier = "172.16.6.63"
(21) NAS-Port-Type = Wireless-802.11
(21) Calling-Station-Id = "f894c2addb53"
(21) Called-Station-Id = "removed"
(21) Service-Type = Login-User
(21) Framed-MTU = 1100
(21) EAP-Message = 0x020600061900
(21) State = 0x735d7f17705b66c6a880ae3bd9d49d0e
(21) Aruba-Essid-Name = "wtf"
(21) Aruba-Location-Id = "Building-A"
(21) Aruba-AP-Group = "Cluster"
(21) Message-Authenticator = 0x2583cd16db50296cdb698d43f7162083
(21) session-state: No cached attributes
(21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(21) authorize {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = notfound
(21) } # policy filter_username = notfound
(21) [preprocess] = ok
(21) [chap] = noop
(21) [mschap] = noop
(21) [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "testing", looking up realm NULL
(21) suffix: No such realm "NULL"
(21) [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 6 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21) authenticate {
(21) eap: Expiring EAP session with state 0x735d7f17705b66c6
(21) eap: Finished EAP session with state 0x735d7f17705b66c6
(21) eap: Previous EAP request found for state 0x735d7f17705b66c6, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Continuing EAP-TLS
(21) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(21) eap_peap: [eaptls verify] = success
(21) eap_peap: [eaptls process] = success
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state TUNNEL ESTABLISHED
(21) eap: Sending EAP Request (code 1) ID 7 length 40
(21) eap: EAP session adding &reply:State = 0x735d7f17775a66c6
(21) [eap] = handled
(21) } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21) Challenge { ... } # empty sub-section is ignored
(21) Sent Access-Challenge Id 9 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(21) EAP-Message = 0x010700281900170303001d06d33c56b068f0a2a3812d5b58620e2fa7b76dbd9d21b511548082e319
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x735d7f17775a66c6a880ae3bd9d49d0e
(21) Finished request
Waking up in 3.6 seconds.
(22) Received Access-Request Id 10 from 10.225.251.10:56766 to 172.16.2.4:1812 length 233
(22) User-Name = "testing"
(22) NAS-IP-Address = 10.225.251.10
(22) NAS-Port = 0
(22) NAS-Identifier = "172.16.6.63"
(22) NAS-Port-Type = Wireless-802.11
(22) Calling-Station-Id = "f894c2addb53"
(22) Called-Station-Id = "removed"
(22) Service-Type = Login-User
(22) Framed-MTU = 1100
(22) EAP-Message = 0x0207002b190017030300200000000000000001b938010a38000c8411e999e607c654e50f81975d795f502a
(22) State = 0x735d7f17775a66c6a880ae3bd9d49d0e
(22) Aruba-Essid-Name = "wtf"
(22) Aruba-Location-Id = "Building-A"
(22) Aruba-AP-Group = "Cluster"
(22) Message-Authenticator = 0x1cbbe970e0da43786de14a129aaf8233
(22) session-state: No cached attributes
(22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [preprocess] = ok
(22) [chap] = noop
(22) [mschap] = noop
(22) [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "testing", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 7 length 43
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) authenticate {
(22) eap: Expiring EAP session with state 0x735d7f17775a66c6
(22) eap: Finished EAP session with state 0x735d7f17775a66c6
(22) eap: Previous EAP request found for state 0x735d7f17775a66c6, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: [eaptls verify] = ok
(22) eap_peap: Done initial handshake
(22) eap_peap: [eaptls process] = ok
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(22) eap_peap: Identity - testing
(22) eap_peap: Got inner identity 'testing'
(22) eap_peap: Setting default EAP type for tunneled EAP session
(22) eap_peap: Got tunneled request
(22) eap_peap: EAP-Message = 0x0207000c0174657374696e67
(22) eap_peap: Setting User-Name to testing
(22) eap_peap: Sending tunneled request to inner-tunnel
(22) eap_peap: EAP-Message = 0x0207000c0174657374696e67
(22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(22) eap_peap: User-Name = "testing"
(22) eap_peap: NAS-IP-Address = 10.225.251.10
(22) eap_peap: NAS-Port = 0
(22) eap_peap: NAS-Identifier = "172.16.6.63"
(22) eap_peap: NAS-Port-Type = Wireless-802.11
(22) eap_peap: Calling-Station-Id = "f894c2addb53"
(22) eap_peap: Called-Station-Id = "removed"
(22) eap_peap: Service-Type = Login-User
(22) eap_peap: Framed-MTU = 1100
(22) eap_peap: Aruba-Essid-Name = "wtf"
(22) eap_peap: Aruba-Location-Id = "Building-A"
(22) eap_peap: Aruba-AP-Group = "Cluster"
(22) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(22) Virtual server inner-tunnel received request
(22) EAP-Message = 0x0207000c0174657374696e67
(22) FreeRADIUS-Proxied-To = 127.0.0.1
(22) User-Name = "testing"
(22) NAS-IP-Address = 10.225.251.10
(22) NAS-Port = 0
(22) NAS-Identifier = "172.16.6.63"
(22) NAS-Port-Type = Wireless-802.11
(22) Calling-Station-Id = "f894c2addb53"
(22) Called-Station-Id = "removed"
(22) Service-Type = Login-User
(22) Framed-MTU = 1100
(22) Aruba-Essid-Name = "wtf"
(22) Aruba-Location-Id = "Building-A"
(22) Aruba-AP-Group = "Cluster"
(22) Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(22) WARNING: Outer and inner identities are the same. User privacy is compromised.
(22) server inner-tunnel {
(22) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(22) authorize {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = notfound
(22) } # policy filter_username = notfound
(22) [chap] = noop
(22) [mschap] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "testing", looking up realm NULL
(22) suffix: No such realm "NULL"
(22) [suffix] = noop
(22) update control {
(22) &Proxy-To-Realm := LOCAL
(22) } # update control = noop
(22) eap: Peer sent EAP Response (code 2) ID 7 length 12
(22) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(22) [eap] = ok
(22) } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(22) authenticate {
(22) eap: Peer sent packet with method EAP Identity (1)
(22) eap: Calling submodule eap_mschapv2 to process data
(22) eap_mschapv2: Issuing Challenge
(22) eap: Sending EAP Request (code 1) ID 8 length 43
(22) eap: EAP session adding &reply:State = 0xd7f01aa1d7f80035
(22) [eap] = handled
(22) } # authenticate = handled
(22) } # server inner-tunnel
(22) Virtual server sending reply
(22) EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0xd7f01aa1d7f8003560e7eeb4345077d1
(22) eap_peap: Got tunneled reply code 11
(22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136
(22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1
(22) eap_peap: Got tunneled reply RADIUS code 11
(22) eap_peap: EAP-Message = 0x0108002b1a0108002610cbd17d90df71474e7d5e8b5bbf06ed71667265657261646975732d332e302e3136
(22) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(22) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1
(22) eap_peap: Got tunneled Access-Challenge
(22) eap: Sending EAP Request (code 1) ID 8 length 74
(22) eap: EAP session adding &reply:State = 0x735d7f17765566c6
(22) [eap] = handled
(22) } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(22) Challenge { ... } # empty sub-section is ignored
(22) Sent Access-Challenge Id 10 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(22) EAP-Message = 0x0108004a1900170303003f06d33c56b068f0a3ecc1d3f5acb003ba8437eefefbad68f6ac6df379a757d2dd7acaf62aa3d766d59e2a42d6977997a88d1fe5fc5eced657eae7281da1b925
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x735d7f17765566c6a880ae3bd9d49d0e
(22) Finished request
Waking up in 3.5 seconds.
(23) Received Access-Request Id 11 from 10.225.251.10:56766 to 172.16.2.4:1812 length 287
(23) User-Name = "testing"
(23) NAS-IP-Address = 10.225.251.10
(23) NAS-Port = 0
(23) NAS-Identifier = "172.16.6.63"
(23) NAS-Port-Type = Wireless-802.11
(23) Calling-Station-Id = "f894c2addb53"
(23) Called-Station-Id = "removed"
(23) Service-Type = Login-User
(23) Framed-MTU = 1100
(23) EAP-Message = 0x02080061190017030300560000000000000002f67a35ebc3b7ad310d98bdf6cf074035404cd137adc04c29c54705daabe0543d231628833f03d43a3c94fb544bce6c975b3bffbdd4be9989a6766cea342a3969a0b1ccb7d614a0c997d1da0bc543
(23) State = 0x735d7f17765566c6a880ae3bd9d49d0e
(23) Aruba-Essid-Name = "wtf"
(23) Aruba-Location-Id = "Building-A"
(23) Aruba-AP-Group = "Cluster"
(23) Message-Authenticator = 0xd3638e2d2a956e562ef28fdd6e96048c
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(23) authorize {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = notfound
(23) } # policy filter_username = notfound
(23) [preprocess] = ok
(23) [chap] = noop
(23) [mschap] = noop
(23) [digest] = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "testing", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) eap: Peer sent EAP Response (code 2) ID 8 length 97
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # authorize = ok
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) authenticate {
(23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035
(23) eap: Finished EAP session with state 0x735d7f17765566c6
(23) eap: Previous EAP request found for state 0x735d7f17765566c6, released from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Continuing EAP-TLS
(23) eap_peap: [eaptls verify] = ok
(23) eap_peap: Done initial handshake
(23) eap_peap: [eaptls process] = ok
(23) eap_peap: Session established. Decoding tunneled attributes
(23) eap_peap: PEAP state phase2
(23) eap_peap: EAP method MSCHAPv2 (26)
(23) eap_peap: Got tunneled request
(23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67
(23) eap_peap: Setting User-Name to testing
(23) eap_peap: Sending tunneled request to inner-tunnel
(23) eap_peap: EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67
(23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(23) eap_peap: User-Name = "testing"
(23) eap_peap: State = 0xd7f01aa1d7f8003560e7eeb4345077d1
(23) eap_peap: NAS-IP-Address = 10.225.251.10
(23) eap_peap: NAS-Port = 0
(23) eap_peap: NAS-Identifier = "172.16.6.63"
(23) eap_peap: NAS-Port-Type = Wireless-802.11
(23) eap_peap: Calling-Station-Id = "f894c2addb53"
(23) eap_peap: Called-Station-Id = "removed"
(23) eap_peap: Service-Type = Login-User
(23) eap_peap: Framed-MTU = 1100
(23) eap_peap: Aruba-Essid-Name = "wtf"
(23) eap_peap: Aruba-Location-Id = "Building-A"
(23) eap_peap: Aruba-AP-Group = "Cluster"
(23) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(23) Virtual server inner-tunnel received request
(23) EAP-Message = 0x020800421a0208003d3117e01e43f7d4bd928573267e76d4d87d0000000000000000200d9d030b1520e53a1034429bdf782af348f5f025188bd50074657374696e67
(23) FreeRADIUS-Proxied-To = 127.0.0.1
(23) User-Name = "testing"
(23) State = 0xd7f01aa1d7f8003560e7eeb4345077d1
(23) NAS-IP-Address = 10.225.251.10
(23) NAS-Port = 0
(23) NAS-Identifier = "172.16.6.63"
(23) NAS-Port-Type = Wireless-802.11
(23) Calling-Station-Id = "f894c2addb53"
(23) Called-Station-Id = "removed"
(23) Service-Type = Login-User
(23) Framed-MTU = 1100
(23) Aruba-Essid-Name = "wtf"
(23) Aruba-Location-Id = "Building-A"
(23) Aruba-AP-Group = "Cluster"
(23) Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(23) WARNING: Outer and inner identities are the same. User privacy is compromised.
(23) server inner-tunnel {
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(23) authorize {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = notfound
(23) } # policy filter_username = notfound
(23) [chap] = noop
(23) [mschap] = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "testing", looking up realm NULL
(23) suffix: No such realm "NULL"
(23) [suffix] = noop
(23) update control {
(23) &Proxy-To-Realm := LOCAL
(23) } # update control = noop
(23) eap: Peer sent EAP Response (code 2) ID 8 length 66
(23) eap: No EAP Start, assuming it's an on-going EAP conversation
(23) [eap] = updated
(23) [files] = noop
(23) sql: EXPAND %{User-Name}
(23) sql: --> testing
(23) sql: SQL-User-Name set to 'testing'
rlm_sql (sql): Reserved connection (12)
(23) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(23) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id
(23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id
(23) sql: User found in radcheck table
(23) sql: Conditional check items matched, merging assignment check items
(23) sql: Cleartext-Password := "password"
(23) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(23) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id
(23) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id
(23) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(23) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority
(23) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority
(23) sql: User found in the group table
(23) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(23) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id
(23) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id
(23) sql: Group "Low_Access": Conditional check items matched
(23) sql: Group "Low_Access": Merging assignment check items
(23) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(23) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id
(23) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id
(23) sql: Group "Low_Access": Merging reply items
(23) sql: Class = 0x6c6f775f616363657373
rlm_sql (sql): Released connection (12)
Need 7 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (15), 1 of 29 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10
(23) [sql] = ok
(23) [expiration] = noop
(23) [logintime] = noop
(23) pap: WARNING: Auth-Type already set. Not setting to PAP
(23) [pap] = noop
(23) } # authorize = updated
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(23) authenticate {
(23) eap: Expiring EAP session with state 0xd7f01aa1d7f80035
(23) eap: Finished EAP session with state 0xd7f01aa1d7f80035
(23) eap: Previous EAP request found for state 0xd7f01aa1d7f80035, released from the list
(23) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(23) eap: Calling submodule eap_mschapv2 to process data
(23) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(23) eap_mschapv2: authenticate {
(23) mschap: Found Cleartext-Password, hashing to create NT-Password
(23) mschap: Found Cleartext-Password, hashing to create LM-Password
(23) mschap: Creating challenge hash with username: testing
(23) mschap: Client is using MS-CHAPv2
(23) mschap: Adding MS-CHAPv2 MPPE keys
(23) [mschap] = ok
(23) } # authenticate = ok
(23) MSCHAP Success
(23) eap: Sending EAP Request (code 1) ID 9 length 51
(23) eap: EAP session adding &reply:State = 0xd7f01aa1d6f90035
(23) [eap] = handled
(23) } # authenticate = handled
(23) } # server inner-tunnel
(23) Virtual server sending reply
(23) Class = 0x6c6f775f616363657373
(23) EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0xd7f01aa1d6f9003560e7eeb4345077d1
(23) eap_peap: Got tunneled reply code 11
(23) eap_peap: Class = 0x6c6f775f616363657373
(23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438
(23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1
(23) eap_peap: Got tunneled reply RADIUS code 11
(23) eap_peap: Class = 0x6c6f775f616363657373
(23) eap_peap: EAP-Message = 0x010900331a0308002e533d31434533453246424232393134423330334345363142393732323431414345433032333541463438
(23) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(23) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1
(23) eap_peap: Got tunneled Access-Challenge
(23) eap: Sending EAP Request (code 1) ID 9 length 82
(23) eap: EAP session adding &reply:State = 0x735d7f17755466c6
(23) [eap] = handled
(23) } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(23) Challenge { ... } # empty sub-section is ignored
(23) Sent Access-Challenge Id 11 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(23) EAP-Message = 0x010900521900170303004706d33c56b068f0a48a90632e83818189836884d7619ce09535f33ad67f220c4165c88520856f26b9ac072beb94f7b4240467b4cd9ee012c265dc6bc981c202aad513d7fb082d4a
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x735d7f17755466c6a880ae3bd9d49d0e
(23) Finished request
Waking up in 3.5 seconds.
(24) Received Access-Request Id 12 from 10.225.251.10:56766 to 172.16.2.4:1812 length 227
(24) User-Name = "testing"
(24) NAS-IP-Address = 10.225.251.10
(24) NAS-Port = 0
(24) NAS-Identifier = "172.16.6.63"
(24) NAS-Port-Type = Wireless-802.11
(24) Calling-Station-Id = "f894c2addb53"
(24) Called-Station-Id = "removed"
(24) Service-Type = Login-User
(24) Framed-MTU = 1100
(24) EAP-Message = 0x020900251900170303001a0000000000000003d2de70e52a1738dba84235714d303de39473
(24) State = 0x735d7f17755466c6a880ae3bd9d49d0e
(24) Aruba-Essid-Name = "wtf"
(24) Aruba-Location-Id = "Building-A"
(24) Aruba-AP-Group = "Cluster"
(24) Message-Authenticator = 0xa4b05d75d7d707c345231bb97de889cf
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(24) authorize {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = notfound
(24) } # policy filter_username = notfound
(24) [preprocess] = ok
(24) [chap] = noop
(24) [mschap] = noop
(24) [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "testing", looking up realm NULL
(24) suffix: No such realm "NULL"
(24) [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 9 length 37
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(24) authenticate {
(24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035
(24) eap: Finished EAP session with state 0x735d7f17755466c6
(24) eap: Previous EAP request found for state 0x735d7f17755466c6, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: [eaptls verify] = ok
(24) eap_peap: Done initial handshake
(24) eap_peap: [eaptls process] = ok
(24) eap_peap: Session established. Decoding tunneled attributes
(24) eap_peap: PEAP state phase2
(24) eap_peap: EAP method MSCHAPv2 (26)
(24) eap_peap: Got tunneled request
(24) eap_peap: EAP-Message = 0x020900061a03
(24) eap_peap: Setting User-Name to testing
(24) eap_peap: Sending tunneled request to inner-tunnel
(24) eap_peap: EAP-Message = 0x020900061a03
(24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(24) eap_peap: User-Name = "testing"
(24) eap_peap: State = 0xd7f01aa1d6f9003560e7eeb4345077d1
(24) eap_peap: NAS-IP-Address = 10.225.251.10
(24) eap_peap: NAS-Port = 0
(24) eap_peap: NAS-Identifier = "172.16.6.63"
(24) eap_peap: NAS-Port-Type = Wireless-802.11
(24) eap_peap: Calling-Station-Id = "f894c2addb53"
(24) eap_peap: Called-Station-Id = "removed"
(24) eap_peap: Service-Type = Login-User
(24) eap_peap: Framed-MTU = 1100
(24) eap_peap: Aruba-Essid-Name = "wtf"
(24) eap_peap: Aruba-Location-Id = "Building-A"
(24) eap_peap: Aruba-AP-Group = "Cluster"
(24) eap_peap: Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(24) Virtual server inner-tunnel received request
(24) EAP-Message = 0x020900061a03
(24) FreeRADIUS-Proxied-To = 127.0.0.1
(24) User-Name = "testing"
(24) State = 0xd7f01aa1d6f9003560e7eeb4345077d1
(24) NAS-IP-Address = 10.225.251.10
(24) NAS-Port = 0
(24) NAS-Identifier = "172.16.6.63"
(24) NAS-Port-Type = Wireless-802.11
(24) Calling-Station-Id = "f894c2addb53"
(24) Called-Station-Id = "removed"
(24) Service-Type = Login-User
(24) Framed-MTU = 1100
(24) Aruba-Essid-Name = "wtf"
(24) Aruba-Location-Id = "Building-A"
(24) Aruba-AP-Group = "Cluster"
(24) Event-Timestamp = "Apr 4 2023 13:55:58 IST"
(24) WARNING: Outer and inner identities are the same. User privacy is compromised.
(24) server inner-tunnel {
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24) authorize {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = notfound
(24) } # policy filter_username = notfound
(24) [chap] = noop
(24) [mschap] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "testing", looking up realm NULL
(24) suffix: No such realm "NULL"
(24) [suffix] = noop
(24) update control {
(24) &Proxy-To-Realm := LOCAL
(24) } # update control = noop
(24) eap: Peer sent EAP Response (code 2) ID 9 length 6
(24) eap: No EAP Start, assuming it's an on-going EAP conversation
(24) [eap] = updated
(24) [files] = noop
(24) sql: EXPAND %{User-Name}
(24) sql: --> testing
(24) sql: SQL-User-Name set to 'testing'
rlm_sql (sql): Reserved connection (13)
(24) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(24) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id
(24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testing' ORDER BY id
(24) sql: User found in radcheck table
(24) sql: Conditional check items matched, merging assignment check items
(24) sql: Cleartext-Password := "password"
(24) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(24) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id
(24) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'testing' ORDER BY id
(24) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(24) sql: --> SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority
(24) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testing' ORDER BY priority
(24) sql: User found in the group table
(24) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(24) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id
(24) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Low_Access' ORDER BY id
(24) sql: Group "Low_Access": Conditional check items matched
(24) sql: Group "Low_Access": Merging assignment check items
(24) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(24) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id
(24) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Low_Access' ORDER BY id
(24) sql: Group "Low_Access": Merging reply items
(24) sql: Class = 0x6c6f775f616363657373
rlm_sql (sql): Released connection (13)
(24) [sql] = ok
(24) [expiration] = noop
(24) [logintime] = noop
(24) pap: WARNING: Auth-Type already set. Not setting to PAP
(24) [pap] = noop
(24) } # authorize = updated
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24) authenticate {
(24) eap: Expiring EAP session with state 0xd7f01aa1d6f90035
(24) eap: Finished EAP session with state 0xd7f01aa1d6f90035
(24) eap: Previous EAP request found for state 0xd7f01aa1d6f90035, released from the list
(24) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(24) eap: Calling submodule eap_mschapv2 to process data
(24) eap: Sending EAP Success (code 3) ID 9 length 4
(24) eap: Freeing handler
(24) [eap] = ok
(24) } # authenticate = ok
(24) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(24) post-auth {
(24) sql: EXPAND .query
(24) sql: --> .query
(24) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (14)
(24) sql: EXPAND %{User-Name}
(24) sql: --> testing
(24) sql: SQL-User-Name set to 'testing'
(24) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(24) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58')
(24) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58')
(24) sql: SQL query returned: success
(24) sql: 1 record(s) updated
rlm_sql (sql): Released connection (14)
(24) [sql] = ok
(24) if (1) {
(24) if (1) -> TRUE
(24) if (1) {
(24) update reply {
(24) User-Name !* ANY
(24) Message-Authenticator !* ANY
(24) EAP-Message !* ANY
(24) Proxy-State !* ANY
(24) MS-MPPE-Encryption-Types !* ANY
(24) MS-MPPE-Encryption-Policy !* ANY
(24) MS-MPPE-Send-Key !* ANY
(24) MS-MPPE-Recv-Key !* ANY
(24) } # update reply = noop
(24) update {
(24) &outer.session-state::Class += &reply:Class[*] -> 0x6c6f775f616363657373
(24) } # update = noop
(24) } # if (1) = noop
(24) } # post-auth = ok
(24) } # server inner-tunnel
(24) Virtual server sending reply
(24) Class = 0x6c6f775f616363657373
(24) eap_peap: Got tunneled reply code 2
(24) eap_peap: Class = 0x6c6f775f616363657373
(24) eap_peap: Got tunneled reply RADIUS code 2
(24) eap_peap: Class = 0x6c6f775f616363657373
(24) eap_peap: Tunneled authentication was successful
(24) eap_peap: SUCCESS
(24) eap_peap: Saving tunneled attributes for later
(24) eap: Sending EAP Request (code 1) ID 10 length 46
(24) eap: EAP session adding &reply:State = 0x735d7f17745766c6
(24) [eap] = handled
(24) } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(24) Challenge { ... } # empty sub-section is ignored
(24) session-state: Saving cached attributes
(24) Class += 0x6c6f775f616363657373
(24) Sent Access-Challenge Id 12 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(24) EAP-Message = 0x010a002e1900170303002306d33c56b068f0a5ff5724e4971e20cb7fe2cf9f068b66fb14fcd7892634f657f8bf51
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x735d7f17745766c6a880ae3bd9d49d0e
(24) Finished request
Waking up in 3.4 seconds.
(25) Received Access-Request Id 13 from 10.225.251.10:56766 to 172.16.2.4:1812 length 236
(25) User-Name = "testing"
(25) NAS-IP-Address = 10.225.251.10
(25) NAS-Port = 0
(25) NAS-Identifier = "172.16.6.63"
(25) NAS-Port-Type = Wireless-802.11
(25) Calling-Station-Id = "f894c2addb53"
(25) Called-Station-Id = "removed"
(25) Service-Type = Login-User
(25) Framed-MTU = 1100
(25) EAP-Message = 0x020a002e190017030300230000000000000004e9eef28e29c4b401eadf07a8810dcfb57ef2afa013eba59fe7a695
(25) State = 0x735d7f17745766c6a880ae3bd9d49d0e
(25) Aruba-Essid-Name = "wtf"
(25) Aruba-Location-Id = "Building-A"
(25) Aruba-AP-Group = "Cluster"
(25) Message-Authenticator = 0x5171d1f2ada81cca1aceb3fe0b8a7500
(25) Restoring &session-state
(25) &session-state:Class += 0x6c6f775f616363657373
(25) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(25) authorize {
(25) policy filter_username {
(25) if (&User-Name) {
(25) if (&User-Name) -> TRUE
(25) if (&User-Name) {
(25) if (&User-Name =~ / /) {
(25) if (&User-Name =~ / /) -> FALSE
(25) if (&User-Name =~ /@[^@]*@/ ) {
(25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(25) if (&User-Name =~ /\.\./ ) {
(25) if (&User-Name =~ /\.\./ ) -> FALSE
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(25) if (&User-Name =~ /\.$/) {
(25) if (&User-Name =~ /\.$/) -> FALSE
(25) if (&User-Name =~ /@\./) {
(25) if (&User-Name =~ /@\./) -> FALSE
(25) } # if (&User-Name) = notfound
(25) } # policy filter_username = notfound
(25) [preprocess] = ok
(25) [chap] = noop
(25) [mschap] = noop
(25) [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "testing", looking up realm NULL
(25) suffix: No such realm "NULL"
(25) [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 10 length 46
(25) eap: Continuing tunnel setup
(25) [eap] = ok
(25) } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(25) authenticate {
(25) eap: Expiring EAP session with state 0x735d7f17745766c6
(25) eap: Finished EAP session with state 0x735d7f17745766c6
(25) eap: Previous EAP request found for state 0x735d7f17745766c6, released from the list
(25) eap: Peer sent packet with method EAP PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Continuing EAP-TLS
(25) eap_peap: [eaptls verify] = ok
(25) eap_peap: Done initial handshake
(25) eap_peap: [eaptls process] = ok
(25) eap_peap: Session established. Decoding tunneled attributes
(25) eap_peap: PEAP state send tlv success
(25) eap_peap: Received EAP-TLV response
(25) eap_peap: Success
(25) eap_peap: Using saved attributes from the original Access-Accept
(25) eap_peap: Class = 0x6c6f775f616363657373
(25) eap: Sending EAP Success (code 3) ID 10 length 4
(25) eap: Freeing handler
(25) [eap] = ok
(25) } # authenticate = ok
(25) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(25) post-auth {
(25) update {
(25) &reply::Class += &session-state:Class[*] -> 0x6c6f775f616363657373
(25) } # update = noop
(25) sql: EXPAND .query
(25) sql: --> .query
(25) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (12)
(25) sql: EXPAND %{User-Name}
(25) sql: --> testing
(25) sql: SQL-User-Name set to 'testing'
(25) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(25) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58')
(25) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'testing', '', 'Access-Accept', '2023-04-04 13:55:58')
(25) sql: SQL query returned: success
(25) sql: 1 record(s) updated
rlm_sql (sql): Released connection (12)
(25) [sql] = ok
(25) [exec] = noop
(25) policy remove_reply_message_if_eap {
(25) if (&reply:EAP-Message && &reply:Reply-Message) {
(25) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(25) else {
(25) [noop] = noop
(25) } # else = noop
(25) } # policy remove_reply_message_if_eap = noop
(25) } # post-auth = ok
(25) Sent Access-Accept Id 13 from 172.16.2.4:1812 to 10.225.251.10:56766 length 0
(25) Class = 0x6c6f775f616363657373
(25) MS-MPPE-Recv-Key = 0xcc45ee952a3ff5f4b509a0d3c77ca487b6b86fbecfc91e8f7a4594ca3057a3c8
(25) MS-MPPE-Send-Key = 0x201b8d504ad2e64f9f8498c6b8187edbaf3221f7681eca7b12d0c885fb1c7782
(25) EAP-Message = 0x030a0004
(25) Message-Authenticator = 0x00000000000000000000000000000000
(25) User-Name = "testing"
(25) Class += 0x6c6f775f616363657373
(25) Finished request
Waking up in 3.4 seconds.
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.784712 sec
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.975185 sec
(26) Received Accounting-Request Id 14 from 10.225.251.10:56766 to 172.16.2.4:1813 length 227
(26) Acct-Status-Type = Start
(26) NAS-IP-Address = 10.225.251.10
(26) User-Name = "testing"
(26) NAS-Port = 0
(26) NAS-Port-Type = Wireless-802.11
(26) Calling-Station-Id = "f894c2addb53"
(26) Called-Station-Id = "removed"
(26) Framed-IP-Address = 10.225.251.21
(26) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739"
(26) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA"
(26) Acct-Delay-Time = 0
(26) Aruba-Essid-Name = "wtf"
(26) Aruba-Location-Id = "Building-A"
(26) Aruba-User-Vlan = 51
(26) Class = 0x6c6f775f616363657373
(26) Acct-Authentic = 0
(26) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(26) preacct {
(26) [preprocess] = ok
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(26) EXPAND %{User-Name}
(26) --> testing
(26) SQL-User-Name set to 'testing'
rlm_sql (sql): Reserved connection (15)
(26) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53')
rlm_sql (sql): Released connection (15)
Need 6 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (16), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10
(26) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }
(26) --> 0
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE
(26) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(26) [ok] = ok
(26) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok
(26) ... skipping else: Preceding "if" was taken
(26) policy acct_unique {
(26) update request {
(26) &Tmp-String-9 := "ai:"
(26) } # update request = noop
(26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(26) EXPAND %{hex:&Class}
(26) --> 6c6f775f616363657373
(26) EXPAND ^%{hex:&Tmp-String-9}
(26) --> ^61693a
(26) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(26) else {
(26) update request {
(26) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(26) --> cdbb232bc69b751f19684df63248fe05
(26) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05
(26) } # update request = noop
(26) } # else = noop
(26) } # policy acct_unique = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: No '@' in User-Name = "testing", looking up realm NULL
(26) suffix: No such realm "NULL"
(26) [suffix] = noop
(26) [files] = noop
(26) } # preacct = ok
(26) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(26) accounting {
(26) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(26) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404
(26) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404
(26) detail: EXPAND %t
(26) detail: --> Tue Apr 4 13:55:59 2023
(26) [detail] = ok
(26) [unix] = ok
(26) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(26) sql: --> type.start.query
(26) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (13)
(26) sql: EXPAND %{User-Name}
(26) sql: --> testing
(26) sql: SQL-User-Name set to 'testing'
(26) sql: EXPAND INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', FROM_UNIXTIME(%{integer:Event-Timestamp}), FROM_UNIXTIME(%{integer:Event-Timestamp}), NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}')
(26) sql: --> INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21')
(26) sql: Executing query: INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress) VALUES ('F05C1986E787-F894C2ADDB53-642BDF17-BE9CA', 'cdbb232bc69b751f19684df63248fe05', 'testing', '', '10.225.251.10', '0', 'Wireless-802.11', FROM_UNIXTIME(1680596759), FROM_UNIXTIME(1680596759), NULL, '0', '0', '', '', '0', '0', 'removed', 'f894c2addb53', '', '', '', '10.225.251.21')
(26) sql: SQL query returned: success
(26) sql: 1 record(s) updated
rlm_sql (sql): Released connection (13)
(26) [sql] = ok
(26) [exec] = noop
(26) attr_filter.accounting_response: EXPAND %{User-Name}
(26) attr_filter.accounting_response: --> testing
(26) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(26) [attr_filter.accounting_response] = updated
(26) } # accounting = updated
(26) Sent Accounting-Response Id 14 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0
(26) Finished request
(26) Cleaning up request packet ID 14 with timestamp +529
Waking up in 2.0 seconds.
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.118670 sec
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.834735 sec
(17) Cleaning up request packet ID 5 with timestamp +526
(18) Cleaning up request packet ID 6 with timestamp +526
(19) Cleaning up request packet ID 7 with timestamp +526
(20) Cleaning up request packet ID 8 with timestamp +526
Waking up in 1.2 seconds.
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.084496 sec
(21) Cleaning up request packet ID 9 with timestamp +528
(22) Cleaning up request packet ID 10 with timestamp +528
(23) Cleaning up request packet ID 11 with timestamp +528
(24) Cleaning up request packet ID 12 with timestamp +528
(25) Cleaning up request packet ID 13 with timestamp +528
Ready to process requests
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.996618 sec

detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.833356 sec
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 0.774564 sec
(27) Received Accounting-Request Id 15 from 10.225.251.10:56766 to 172.16.2.4:1813 length 257
(27) Acct-Status-Type = Stop
(27) NAS-IP-Address = 10.225.251.10
(27) User-Name = "testing"
(27) NAS-Port = 0
(27) NAS-Port-Type = Wireless-802.11
(27) Calling-Station-Id = "f894c2addb53"
(27) Called-Station-Id = "removed"
(27) Framed-IP-Address = 10.225.251.21
(27) Acct-Multi-Session-Id = "F894C2ADDB53-1680596739"
(27) Acct-Session-Id = "F05C1986E787-F894C2ADDB53-642BDF17-BE9CA"
(27) Acct-Delay-Time = 0
(27) Aruba-Essid-Name = "wtf"
(27) Aruba-Location-Id = "Building-A"
(27) Aruba-User-Vlan = 51
(27) Class = 0x6c6f775f616363657373
(27) Acct-Input-Octets = 186004
(27) Acct-Output-Octets = 97394
(27) Acct-Input-Packets = 1019
(27) Acct-Output-Packets = 430
(27) Acct-Terminate-Cause = Idle-Timeout
(27) Acct-Session-Time = 35
(27) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(27) preacct {
(27) [preprocess] = ok
(27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(27) EXPAND %{User-Name}
(27) --> testing
(27) SQL-User-Name set to 'testing'
rlm_sql (sql): Reserved connection (14)
(27) Executing select query: SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='testing' AND (macaddrlist.macaddr1='f894c2addb53' OR macaddrlist.macaddr2='f894c2addb53')
rlm_sql (sql): Released connection (14)
Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (17), 1 of 27 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.41-0ubuntu0.18.04.1, protocol version 10
(27) EXPAND %{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }
(27) --> 0
(27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) -> TRUE
(27) if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) {
(27) [ok] = ok
(27) } # if ("%{sql:SELECT COUNT(*) FROM macaddrlist WHERE macaddrlist.username ='%{User-Name}' AND (macaddrlist.macaddr1='%{Calling-Station-Id}' OR macaddrlist.macaddr2='%{Calling-Station-Id}') }" ) = ok
(27) ... skipping else: Preceding "if" was taken
(27) policy acct_unique {
(27) update request {
(27) &Tmp-String-9 := "ai:"
(27) } # update request = noop
(27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(27) EXPAND %{hex:&Class}
(27) --> 6c6f775f616363657373
(27) EXPAND ^%{hex:&Tmp-String-9}
(27) --> ^61693a
(27) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(27) else {
(27) update request {
(27) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(27) --> cdbb232bc69b751f19684df63248fe05
(27) &Acct-Unique-Session-Id := cdbb232bc69b751f19684df63248fe05
(27) } # update request = noop
(27) } # else = noop
(27) } # policy acct_unique = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "testing", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) [files] = noop
(27) } # preacct = ok
(27) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(27) accounting {
(27) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(27) detail: --> /var/log/freeradius/radacct/10.225.251.10/detail-20230404
(27) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.225.251.10/detail-20230404
(27) detail: EXPAND %t
(27) detail: --> Tue Apr 4 13:56:34 2023
(27) [detail] = ok
(27) [unix] = ok
(27) sql: EXPAND %{tolower:type.%{Acct-Status-Type}.query}
(27) sql: --> type.stop.query
(27) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (12)
(27) sql: EXPAND %{User-Name}
(27) sql: --> testing
(27) sql: SQL-User-Name set to 'testing'
(27) sql: EXPAND UPDATE radacct SET acctstoptime = FROM_UNIXTIME(%{integer:Event-Timestamp}), acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'
(27) sql: --> UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05'
(27) sql: Executing query: UPDATE radacct SET acctstoptime = FROM_UNIXTIME(1680596794), acctsessiontime = 35, acctinputoctets = '0' << 32 | '186004', acctoutputoctets = '0' << 32 | '97394', acctterminatecause = 'Idle-Timeout', connectinfo_stop = '' WHERE AcctUniqueId = 'cdbb232bc69b751f19684df63248fe05'
rlm_sql_mysql: Rows matched: 1 Changed: 1 Warnings: 0
(27) sql: SQL query returned: success
(27) sql: 1 record(s) updated
rlm_sql (sql): Released connection (12)
(27) [sql] = ok
(27) [exec] = noop
(27) attr_filter.accounting_response: EXPAND %{User-Name}
(27) attr_filter.accounting_response: --> testing
(27) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(27) [attr_filter.accounting_response] = updated
(27) } # accounting = updated
(27) Sent Accounting-Response Id 15 from 172.16.2.4:1813 to 10.225.251.10:56766 length 0
(27) Finished request
(27) Cleaning up request packet ID 15 with timestamp +564
Ready to process requests
detail (/var/log/freeradius/radacct/detail): Polling for detail file
detail (/var/log/freeradius/radacct/detail): Detail listener state unopened waiting 1.212151 sec


Thanks,     On Tuesday, 4 April, 2023, 12:39:51 am IST, Alan DeKok <aland at deployingradius.com> wrote:  
 
 On Apr 3, 2023, at 1:10 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> My bad, have used "==" operator with "users" file.

  That's good.

> The following in radcheck is working, is it possible to add multiple mac-addr values ?. I tried adding 3rd row with different mac-addr, it did not work.

  Please read the SQL module documentation.  See the wiki for "rlm_sql".  The documentation describes how the module works, and what needs to go into SQL.

  You can't just add things to SQL and expect FreeRADIUS to understand what you mean.

>> What you want is s policy which says:
>> 
>> if user is X and MAC is not Y
>> reject
> 
> Where to add this query ?. 
> 
> In sites-enabled/default, under authenticate {} or authorize {} section or somewhere else ?.

  You can add some "unlang" to the "authorize" section.  If you see the sample configuration for sites-available/default, for the difference between "authorize" and "authentication", the location for the rules should be fairly clear.

  You can't just put the SQL query into a virtual server, though.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  


More information about the Freeradius-Users mailing list