Freeradius Google Secure LDAP EAP-GTC issues

Henning Kessler maillist at henningkessler.de
Mon Jan 23 14:38:42 UTC 2023


Hello,

I followed this tutorial (https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes several times and it worked flawlessly. Several months later I wanted to put it in production and it stopped working.

This is my setup: 2 Raspberry Pis with freeradius 3.0.12 (already tried the backport version 3.2.1 as well), Unifi AC HD access points, and as clients macOS and iOS devices (tried macOS versions 11.7 to 13.1). For testing I tried an Ubuntu client as well.

Binding to Google LDAP works without any issues (radtest results in Access-Accept). I even see that the RADIUS server sends an “Access-Accept” to the clients, but shortly after, the client starts another Access-Request and that fails with:

(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x864de94f8144fc95
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed in handler

Any idea what is happening here?

Here is the full output of a test with freeradius -X:

Ready to process requests
(0) Received Access-Request Id 18 from 10.100.2.39:54686 to 10.100.1.65:1812 length 253
(0)   User-Name = "klaus.mustermann"
(0)   NAS-IP-Address = 10.100.2.39
(0)   NAS-Identifier = "8283c219e7f9"
(0)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "690B866461ACEC60"
(0)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(0)   Mobility-Domain-Id = 46476
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027075
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e
(0)   Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 103 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 104 length 6
(0) eap: EAP session adding &reply:State = 0x33754777331d52c5
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 994
(0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686 length 64
(0)   EAP-Message = 0x016800061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x33754777331d52c5d9592c39c6f43193
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 19 from 10.100.2.39:54686 to 10.100.1.65:1812 length 411
(1)   User-Name = "klaus.mustermann"
(1)   NAS-IP-Address = 10.100.2.39
(1)   NAS-Identifier = "8283c219e7f9"
(1)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "690B866461ACEC60"
(1)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(1)   Mobility-Domain-Id = 46476
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027075
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(1)   State = 0x33754777331d52c5d9592c39c6f43193
(1)   Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b
(1) Restoring &session-state
(1)   &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 104 length 161
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x33754777331d52c5
(1) eap: Finished EAP session with state 0x33754777331d52c5
(1) eap: Previous EAP request found for state 0x33754777331d52c5, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(1) eap_ttls: (TLS) EAP Got all data (151 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 105 length 1004
(1) eap: EAP session adding &reply:State = 0x33754777321c52c5
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 994
(1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(1)   EAP-Message = [hex value not preserved in archive]
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x33754777321c52c5d9592c39c6f43193
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 20 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(2)   User-Name = "klaus.mustermann"
(2)   NAS-IP-Address = 10.100.2.39
(2)   NAS-Identifier = "8283c219e7f9"
(2)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "690B866461ACEC60"
(2)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(2)   Mobility-Domain-Id = 46476
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027075
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x026900061500
(2)   State = 0x33754777321c52c5d9592c39c6f43193
(2)   Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 105 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x33754777321c52c5
(2) eap: Finished EAP session with state 0x33754777321c52c5
(2) eap: Previous EAP request found for state 0x33754777321c52c5, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 106 length 1004
(2) eap: EAP session adding &reply:State = 0x33754777311f52c5
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 994
(2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(2)   EAP-Message = [hex value not preserved in archive]
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x33754777311f52c5d9592c39c6f43193
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 21 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(3)   User-Name = "klaus.mustermann"
(3)   NAS-IP-Address = 10.100.2.39
(3)   NAS-Identifier = "8283c219e7f9"
(3)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "690B866461ACEC60"
(3)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(3)   Mobility-Domain-Id = 46476
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027075
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x026a00061500
(3)   State = 0x33754777311f52c5d9592c39c6f43193
(3)   Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 994
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 106 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x33754777311f52c5
(3) eap: Finished EAP session with state 0x33754777311f52c5
(3) eap: Previous EAP request found for state 0x33754777311f52c5, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 107 length 1004
(3) eap: EAP session adding &reply:State = 0x33754777301e52c5
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 994
(3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(3)   EAP-Message = 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x33754777301e52c5d9592c39c6f43193
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 22 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(4)   User-Name = "klaus.mustermann"
(4)   NAS-IP-Address = 10.100.2.39
(4)   NAS-Identifier = "8283c219e7f9"
(4)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "690B866461ACEC60"
(4)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(4)   Mobility-Domain-Id = 46476
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027075
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x026b00061500
(4)   State = 0x33754777301e52c5d9592c39c6f43193
(4)   Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 107 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x33754777301e52c5
(4) eap: Finished EAP session with state 0x33754777301e52c5
(4) eap: Previous EAP request found for state 0x33754777301e52c5, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 108 length 1004
(4) eap: EAP session adding &reply:State = 0x33754777371952c5
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 994
(4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686 length 1068
(4)   EAP-Message = 0x016c03ec15c00000115155040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e64658209009ce5d9f001129991300e0603551d0f0101ff04040302018630400603551d1f0101ff043630343032a030a02e862c687474703a2f2f63726c2e62756464796272616e642e64653a383038302f726f6f7463615f63726c2e70656d301106096086480186f8420101040403020007301e06096086480186f842010d0411160f786361206365727469666963617465300d06092a864886f70d01010b0500038202010014ba00b7b369be8d469dc9fe7cb4ea2b8b69f5ddf664529e7cfa7e5c23
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x33754777371952c5d9592c39c6f43193
(4) Finished request
Waking up in 4.7 seconds.
(5) Received Access-Request Id 23 from 10.100.2.39:54686 to 10.100.1.65:1812 length 256
(5)   User-Name = "klaus.mustermann"
(5)   NAS-IP-Address = 10.100.2.39
(5)   NAS-Identifier = "8283c219e7f9"
(5)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "690B866461ACEC60"
(5)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(5)   Mobility-Domain-Id = 46476
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027075
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x026c00061500
(5)   State = 0x33754777371952c5d9592c39c6f43193
(5)   Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 108 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x33754777371952c5
(5) eap: Finished EAP session with state 0x33754777371952c5
(5) eap: Previous EAP request found for state 0x33754777371952c5, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 109 length 467
(5) eap: EAP session adding &reply:State = 0x33754777361852c5
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   Framed-MTU = 994
(5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686 length 527
(5)   EAP-Message = 0x016d01d3158000001151c7ae0d9a4018dc0ce7aab22f77890b68228d8c81607a7cd59e58e5b314f938dfe8d81ca660735e53afd3f6eb0939e78859296a954ea1d3046dbcf4333aa72aaad39f3f152ab2b3a2ed59dc1bfdbc773787acbba803d0201cda94c46c440afa65d844464271d2a2dcb7e409ff9c9c30a411ea245b8c2424110ac5191f2c594afe070d15b670dd08c238fd3b672b5bbed9bc7141c3b6e95b61bb78889da5182b33b0883e08339b927b4fd0ef118175f30d3e232be2fc5c92ef1eae2a30a21ba88a0477b8a0a89b903ea37327d4b41dc15ac604f4c057eff9a454748056d6b919f4756ee70de3878196b23441f9252252e5ee8bebe2519a11cb9967ff91ce3d43a9f3e3e39e82277f7bc39200d0e9d8178afdf2b479684b66ee8b2c6b6d258d172684d801780ede278d3c6bbce36875649bc181dcecd10a2ecc83bc920f0b97cf3f2b51a234b69f88e884f5c248fb1062aba73cb402765bf2005825f8379389178cafae7ad9723c0f9e3f63b375c2
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x33754777361852c5d9592c39c6f43193
(5) Finished request
Waking up in 4.7 seconds.
(6) Received Access-Request Id 24 from 10.100.2.39:54686 to 10.100.1.65:1812 length 386
(6)   User-Name = "klaus.mustermann"
(6)   NAS-IP-Address = 10.100.2.39
(6)   NAS-Identifier = "8283c219e7f9"
(6)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "690B866461ACEC60"
(6)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(6)   Mobility-Domain-Id = 46476
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027075
(6)   Framed-MTU = 1400
(6)   EAP-Message = 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de
(6)   State = 0x33754777361852c5d9592c39c6f43193
(6)   Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01
(6) Restoring &session-state
(6)   &session-state:Framed-MTU = 994
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 109 length 136
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0x33754777361852c5
(6) eap: Finished EAP session with state 0x33754777361852c5
(6) eap: Previous EAP request found for state 0x33754777361852c5, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(6) eap_ttls: (TLS) EAP Got all data (126 bytes)
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(6) eap_ttls: (TLS) Connection Established
(6) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_ttls:   TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 110 length 61
(6) eap: EAP session adding &reply:State = 0x33754777351b52c5
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   Framed-MTU = 994
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686 length 119
(6)   EAP-Message = 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x33754777351b52c5d9592c39c6f43193
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 25 from 10.100.2.39:54686 to 10.100.1.65:1812 length 321
(7)   User-Name = "klaus.mustermann"
(7)   NAS-IP-Address = 10.100.2.39
(7)   NAS-Identifier = "8283c219e7f9"
(7)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "690B866461ACEC60"
(7)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(7)   Mobility-Domain-Id = 46476
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027075
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3
(7)   State = 0x33754777351b52c5d9592c39c6f43193
(7)   Message-Authenticator = 0xa8b841519028def71e27cfef249be756
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 110 length 71
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x33754777351b52c5
(7) eap: Finished EAP session with state 0x33754777351b52c5
(7) eap: Previous EAP request found for state 0x33754777351b52c5, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61 bytes
(7) eap_ttls: (TLS) EAP Got all data (61 bytes)
(7) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(7) eap_ttls: Got tunneled request
(7) eap_ttls:   EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
(7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_ttls: Got tunneled identity of klaus.mustermann
(7) eap_ttls: Setting default EAP type for tunneled EAP session
(7) eap_ttls: Sending tunneled request
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "klaus.mustermann"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 0 length 21
(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7)       [eap] = ok
(7)     } # authorize = ok
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_gtc to process data
(7) eap_gtc: EXPAND Password: 
(7) eap_gtc:    --> Password: 
(7) eap: Sending EAP Request (code 1) ID 1 length 15
(7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x0101000f0650617373776f72643a20
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xb4a2b867b4a3bebfd5edaac839855c28
(7) eap_ttls: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 111 length 63
(7) eap: EAP session adding &reply:State = 0x33754777341a52c5
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   Framed-MTU = 994
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686 length 121
(7)   EAP-Message = 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x33754777341a52c5d9592c39c6f43193
(7) Finished request
Waking up in 4.6 seconds.
(8) Received Access-Request Id 26 from 10.100.2.39:54686 to 10.100.1.65:1812 length 317
(8)   User-Name = "klaus.mustermann"
(8)   NAS-IP-Address = 10.100.2.39
(8)   NAS-Identifier = "8283c219e7f9"
(8)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   Acct-Session-Id = "690B866461ACEC60"
(8)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(8)   Mobility-Domain-Id = 46476
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027075
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(8)   State = 0x33754777341a52c5d9592c39c6f43193
(8)   Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(8) Restoring &session-state
(8)   &session-state:Framed-MTU = 994
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 111 length 67
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Finished EAP session with state 0x33754777341a52c5
(8) eap: Previous EAP request found for state 0x33754777341a52c5, released from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(8) eap_ttls: (TLS) EAP Got all data (57 bytes)
(8) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(8) eap_ttls: Got tunneled request
(8) eap_ttls:   EAP-Message = 0x0201001306736167616e382e53697a61626c65
(8) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_ttls: Sending tunneled request
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x0201001306736167616e382e53697a61626c65
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "klaus.mustermann"
(8)   State = 0xb4a2b867b4a3bebfd5edaac839855c28
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 1 length 19
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (uid=klaus.mustermann)
(8) ldap: Performing search in "dc=pretendco,dc=de" with filter "(uid=klaus.mustermann)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (0)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
(8)       [ldap] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)       [pap] = noop
(8)       if (User-Password) {
(8)       if (User-Password)  -> FALSE
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf
(8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released from the list
(8) eap: Peer sent packet with method EAP GTC (6)
(8) eap: Calling submodule eap_gtc to process data
(8) eap_gtc: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_gtc:   Auth-Type PAP {
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: Login attempt by "klaus.mustermann"
(8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful
rlm_ldap (ldap): Released connection (1)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
rlm_ldap (ldap): Waiting for bind result...
ber_get_next failed, errno=11.
rlm_ldap (ldap): Bind successful
(8) eap_gtc:     [ldap] = ok
(8) eap_gtc:   } # Auth-Type PAP = ok
(8) eap: Sending EAP Success (code 3) ID 1 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   EAP-Message = 0x03010004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "klaus.mustermann"
(8) eap_ttls: Got tunneled Access-Accept
(8) eap: Sending EAP Success (code 3) ID 111 length 4
(8) eap: Freeing handler
(8)     [eap] = ok
(8)   } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(8)   post-auth {
(8)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(8)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(8)     update {
(8)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
(8)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(8)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8)     } # update = noop
(8)     [exec] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # post-auth = noop
(8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686 length 184
(8)   MS-MPPE-Recv-Key = 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62
(8)   MS-MPPE-Send-Key = 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64
(8)   EAP-Message = 0x036f0004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "klaus.mustermann"
(8)   Framed-MTU += 994
(8) Finished request
Waking up in 1.1 seconds.
(9) Received Access-Request Id 26 from 10.100.2.39:38737 to 10.100.1.65:1812 length 317
(9)   User-Name = "klaus.mustermann"
(9)   NAS-IP-Address = 10.100.2.39
(9)   NAS-Identifier = "8283c219e7f9"
(9)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "690B866461ACEC60"
(9)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(9)   Mobility-Domain-Id = 46476
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027075
(9)   Framed-MTU = 1400
(9)   EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(9)   State = 0x33754777341a52c5d9592c39c6f43193
(9)   Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 111 length 67
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   authenticate {
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed in handler
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject:    --> klaus.mustermann
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9)     [attr_filter.access_reject] = updated
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(9) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(9) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(9)     [eap] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(10) Received Access-Request Id 26 from 10.100.2.39:45497 to 10.100.1.65:1812 length 317
(10)   User-Name = "klaus.mustermann"
(10)   NAS-IP-Address = 10.100.2.39
(10)   NAS-Identifier = "8283c219e7f9"
(10)   Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   Calling-Station-Id = "F8-4D-89-6D-CB-AE"
(10)   Connect-Info = "CONNECT 0Mbps 802.11b"
(10)   Acct-Session-Id = "690B866461ACEC60"
(10)   Acct-Multi-Session-Id = "3EA4011978DCDC0A"
(10)   Mobility-Domain-Id = 46476
(10)   WLAN-Pairwise-Cipher = 1027076
(10)   WLAN-Group-Cipher = 1027076
(10)   WLAN-AKM-Suite = 1027075
(10)   Framed-MTU = 1400
(10)   EAP-Message = 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
(10)   State = 0x33754777341a52c5d9592c39c6f43193
(10)   Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 111 length 67
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(10) eap: Failed in handler
(10)     [eap] = invalid
(10)   } # authenticate = invalid
(10) Failed to authenticate the user
(10) Using Post-Auth-Type Reject
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   Post-Auth-Type REJECT {
(10) attr_filter.access_reject: EXPAND %{User-Name}
(10) attr_filter.access_reject:    --> klaus.mustermann
(10) attr_filter.access_reject: Matched entry DEFAULT at line 11
(10)     [attr_filter.access_reject] = updated
(10) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(10) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(10) eap: Failed to get handler, probably already removed, not inserting EAP-Failure
(10)     [eap] = noop
(10)     policy remove_reply_message_if_eap {
(10)       if (&reply:EAP-Message && &reply:Reply-Message) {
(10)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(10)       else {
(10)         [noop] = noop
(10)       } # else = noop
(10)     } # policy remove_reply_message_if_eap = noop
(10)   } # Post-Auth-Type REJECT = updated
(10) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.2 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737 length 20
Waking up in 0.1 seconds.
(0) Cleaning up request packet ID 18 with timestamp +35 due to cleanup_delay was reached
Waking up in 0.1 seconds.
(1) Cleaning up request packet ID 19 with timestamp +35 due to cleanup_delay was reached
(2) Cleaning up request packet ID 20 with timestamp +35 due to cleanup_delay was reached
(3) Cleaning up request packet ID 21 with timestamp +35 due to cleanup_delay was reached
(4) Cleaning up request packet ID 22 with timestamp +35 due to cleanup_delay was reached
(5) Cleaning up request packet ID 23 with timestamp +35 due to cleanup_delay was reached
(6) Cleaning up request packet ID 24 with timestamp +35 due to cleanup_delay was reached
(7) Cleaning up request packet ID 25 with timestamp +35 due to cleanup_delay was reached
(10) Sending delayed response
(10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497 length 20

Any idea what I am doing wrong here?

Regards


Henning
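As an added example (not part of Henning's post and not FreeRADIUS code), the following Python script walks `freeradius -X` output the way a reader of the trace above would: it records each Access-Request's source port, Id, State and Message-Authenticator, the reply the server sent for it, and any "No EAP session matching state" error, then ties each such error back to the request whose Access-Challenge issued that State and the request that already consumed it. The sample log embedded in the script is a constructed, condensed copy of requests (7) to (9) from the trace; all function names are the example's own.

```python
"""Diagnose 'No EAP session matching state' errors in `freeradius -X` output.

Added example: parses the debug trace, then reports, for every request that
tripped the error, which earlier request's Access-Challenge issued that State,
which request already consumed it, and whether the failing packet is a copy of
an earlier one (same Id and Message-Authenticator) sent from a new source port.
"""
import re

RECV_RE = re.compile(r'^\((\d+)\) Received Access-Request Id (\d+) from ([\d.]+):(\d+) ')
SENT_RE = re.compile(r'^\((\d+)\) Sent (Access-Accept|Access-Reject|Access-Challenge) Id (\d+) ')
# Attribute lines are indented by exactly three spaces after the request number.
ATTR_RE = re.compile(r'^\((\d+)\)   ([\w-]+) = (.+)$')
NOSESS_RE = re.compile(r'^\((\d+)\) eap: ERROR: rlm_eap \(EAP\): No EAP session matching state (0x[0-9a-f]+)')


def parse_debug_log(text):
    """Return {request_no: info}. `info` holds the source, Id, request attributes,
    the reply type and reply attributes, and the State prefix from any
    'No EAP session' error logged for that request."""
    reqs = {}
    target = None  # (request_no, 'request' | 'reply') whose attribute list we are inside
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            n = int(m.group(1))
            reqs[n] = {'id': int(m.group(2)), 'src_ip': m.group(3), 'src_port': int(m.group(4)),
                       'request': {}, 'reply': {}, 'reply_code': None, 'no_session': None}
            target = (n, 'request')
            continue
        m = SENT_RE.match(line)
        if m and int(m.group(1)) in reqs:
            n = int(m.group(1))
            reqs[n]['reply_code'] = m.group(2)
            target = (n, 'reply')
            continue
        m = NOSESS_RE.match(line)
        if m and int(m.group(1)) in reqs:
            reqs[int(m.group(1))]['no_session'] = m.group(2)
            continue
        m = ATTR_RE.match(line)
        if m and target and int(m.group(1)) == target[0]:
            reqs[target[0]][target[1]][m.group(2)] = m.group(3).strip('"')
        else:
            target = None  # any non-attribute line ends the attribute list
    return reqs


def find_replayed_states(reqs):
    """For each request that hit 'No EAP session matching state', explain where the
    State came from and whether the packet is a re-send from another source port."""
    findings = []
    for n, r in sorted(reqs.items()):
        prefix = r['no_session']
        if not prefix:
            continue
        issued = [k for k, q in sorted(reqs.items())
                  if q['reply_code'] == 'Access-Challenge'
                  and q['reply'].get('State', '').startswith(prefix)]
        consumed = [k for k, q in sorted(reqs.items())
                    if k != n and q['request'].get('State', '').startswith(prefix)
                    and q['reply_code'] in ('Access-Accept', 'Access-Reject')]
        # Same NAS, same Id, same Message-Authenticator => byte-identical request.
        twins = [k for k, q in sorted(reqs.items())
                 if k != n and q['id'] == r['id'] and q['src_ip'] == r['src_ip']
                 and q['request'].get('Message-Authenticator') == r['request'].get('Message-Authenticator')]
        findings.append({
            'request': n,
            'state_prefix': prefix,
            'issued_by': issued,
            'consumed_by': consumed,
            'same_packet_from_other_port': [(k, reqs[k]['src_port']) for k in twins
                                            if reqs[k]['src_port'] != r['src_port']],
        })
    return findings


# Constructed sample: a condensed copy of requests (7)-(9) from the trace above.
SAMPLE_LOG = """\
(7) Received Access-Request Id 25 from 10.100.2.39:54686 to 10.100.1.65:1812 length 253
(7)   User-Name = "klaus.mustermann"
(7)   State = 0x33754777351b52c5d9592c39c6f43193
(7)   Message-Authenticator = 0xa8b841519028def71e27cfef249be756
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686 length 121
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0x33754777341a52c5d9592c39c6f43193
(7) Finished request
(8) Received Access-Request Id 26 from 10.100.2.39:54686 to 10.100.1.65:1812 length 317
(8)   User-Name = "klaus.mustermann"
(8)   State = 0x33754777341a52c5d9592c39c6f43193
(8)   Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(8) Restoring &session-state
(8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686 length 184
(8)   User-Name = "klaus.mustermann"
(8) Finished request
(9) Received Access-Request Id 26 from 10.100.2.39:38737 to 10.100.1.65:1812 length 317
(9)   User-Name = "klaus.mustermann"
(9)   State = 0x33754777341a52c5d9592c39c6f43193
(9)   Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
(9) session-state: No cached attributes
(9) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x33754777341a52c5
(9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737 length 20
"""

if __name__ == '__main__':
    for f in find_replayed_states(parse_debug_log(SAMPLE_LOG)):
        print(f)
```

Run against the full trace, the script reports that the State failing in request (9) was issued by the Access-Challenge of request (7), consumed by request (8) (which got the Access-Accept), and that request (9) carries the same Id 26 and Message-Authenticator as request (8) but arrives from source port 38737 instead of 54686 (request (10) repeats this from port 45497). RADIUS duplicate detection keys on source IP, source port and Id, so a re-send from a new source port is processed as a fresh request rather than answered from the duplicate cache, and by then the EAP session behind that State has already been freed. That is the pattern to check for on the NAS side before changing anything in the FreeRADIUS or LDAP configuration.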

