Resuming a user cached session with EAP-TTLS

florentvercourt at gmail.com
Mon Jan 23 15:32:42 UTC 2023


Hello everyone,

I’m working to set up a FreeRADIUS server in version 3.2 that is able to
perform fast-reauthentication of users by caching sessions.

I’m using EAP-TTLS/PAP as the authentication protocol, and my users are stored
in an LDAP.

I would like to perform fast re-authentication of users once they have been
authenticated and allowed on the network, as explained in this RADIUS
documentation article (link below).

https://networkradius.com/articles/2020/12/10/design-blueprint-for-universities.html

I configured the « eap » module by enabling the session cache, but it seems
sessions are only stored locally, and the user's session ticket is not
forwarded to the supplicant to perform the re-authentication later on without
having to go through all the EAP-TTLS steps.

When I try to regain access to the network after being authenticated once,
all the EAP-TTLS steps are performed.

So I would like to know if I misunderstood the cache section and the way it
works in the « eap » module, or if there is a way to re-authenticate users
within a defined period of time by using the cache after they disconnect.

Also, is it good practice to send the total length of the message in each
packet, or is it not recommended?

I configured « mods-enabled/eap » as follows:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes
        max_sessions = ${max_requests}

        tls-config tls-common {
                private_key_password = << secret >>
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                ca_file = ${cadir}/ca.pem

        #       auto_chain = yes
        #       psk_identity = "test"
        #       psk_hexphrase = "036363823"
        #       psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
        #       dh_file = ${certdir}/dh
        #       random_file = /dev/urandom
        #       fragment_size = 2048

                # EAP-TLS "L" bit: include the total TLS message length in each fragment
                include_length = yes

        #       check_crl = yes
        #       check_all_crl = yes
        #       ca_path_reload_interval = 3600

                allow_expired_crl = no
                reject_unknown_intermediate_ca = yes
                cipher_list = "DEFAULT"
                # sigalgs_list = ""
                cipher_server_preference = no
                tls_min_version = "1.2"
                tls_max_version = "1.3"
                ecdh_curve = ""

                cache {
                        # Server-side TLS session cache. A resumed handshake
                        # still needs the supplicant to present the session
                        # on its next connection.
                        enable = yes
                        lifetime = 18 # hours
                        name = "EAP-test"
                        # Sessions are also written to disk so they survive a restart
                        persist_dir = "${logdir}/tlscache"

                        # Reply attributes saved with the session and added
                        # back to the reply when it is resumed; one attribute
                        # name per line.
                        store {
                                Tunnel-Type
                                Tunnel-Medium-Type
                                Tunnel-Private-Group-Id
                        }
                }

                verify {
                #       skip_if_ocsp_ok = no
                }

                ocsp {
                        enable = no
                        override_cert_url = yes
                        url = "http://127.0.0.1/ocsp/"
                #       use_nonce = yes
                #       timeout = 0
                #       softfail = no
                }

        #       realm_dir = ${certdir}/realms/
        }

        ttls {
                tls = tls-common
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        #       include_length = yes
        }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My server is running correctly; here is the debug output:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FreeRADIUS Version 3.2.1

Copyright (C) 1999-2022 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/share/freeradius/dictionary

including dictionary file /usr/share/freeradius/dictionary.dhcp

including dictionary file /usr/share/freeradius/dictionary.vqp

including dictionary file /etc/raddb/dictionary

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/mods-enabled/

including configuration file /etc/raddb/mods-enabled/radutmp

including configuration file /etc/raddb/mods-enabled/dynamic_clients

including configuration file /etc/raddb/mods-enabled/files

including configuration file /etc/raddb/mods-enabled/detail.log

including configuration file /etc/raddb/mods-enabled/exec

including configuration file /etc/raddb/mods-enabled/attr_filter

including configuration file /etc/raddb/mods-enabled/preprocess

including configuration file /etc/raddb/mods-enabled/ntlm_auth

including configuration file /etc/raddb/mods-enabled/utf8

including configuration file /etc/raddb/mods-enabled/ldap_dauphine

including configuration file /etc/raddb/mods-enabled/chap

including configuration file /etc/raddb/mods-enabled/expr

including configuration file /etc/raddb/mods-enabled/unpack

including configuration file /etc/raddb/mods-enabled/unix

including configuration file /etc/raddb/mods-enabled/detail

including configuration file /etc/raddb/mods-enabled/logintime

including configuration file /etc/raddb/mods-enabled/totp

including configuration file /etc/raddb/mods-enabled/eap

including configuration file /etc/raddb/mods-enabled/passwd

including configuration file /etc/raddb/mods-enabled/pap

including configuration file /etc/raddb/mods-enabled/soh

including configuration file /etc/raddb/mods-enabled/realm

including configuration file /etc/raddb/mods-enabled/echo

including configuration file /etc/raddb/mods-enabled/date

including configuration file /etc/raddb/mods-enabled/always

including configuration file /etc/raddb/mods-enabled/sradutmp

including configuration file /etc/raddb/mods-enabled/expiration

including configuration file /etc/raddb/mods-enabled/mschap

including configuration file /etc/raddb/mods-enabled/linelog

including configuration file /etc/raddb/mods-enabled/replicate

including configuration file /etc/raddb/mods-enabled/digest

including files in directory /etc/raddb/policy.d/

including configuration file /etc/raddb/policy.d/canonicalization

including configuration file /etc/raddb/policy.d/cui

including configuration file /etc/raddb/policy.d/rfc7542

including configuration file /etc/raddb/policy.d/accounting

including configuration file /etc/raddb/policy.d/moonshot-targeted-ids

including configuration file /etc/raddb/policy.d/control

including configuration file /etc/raddb/policy.d/eap

including configuration file /etc/raddb/policy.d/dhcp

including configuration file /etc/raddb/policy.d/abfab-tr

including configuration file /etc/raddb/policy.d/debug

including configuration file /etc/raddb/policy.d/dauphine

including configuration file /etc/raddb/policy.d/filter

including configuration file /etc/raddb/policy.d/operator-name

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/inner-tunnel

including configuration file /etc/raddb/sites-enabled/default

main {

security {

        allow_core_dumps = no

}

        name = "radiusd"

        prefix = "/usr"

        localstatedir = "/var"

        logdir = "/var/log/radius"

        run_dir = "/var/run/radiusd"

}

main {

        name = "radiusd"

        prefix = "/usr"

        localstatedir = "/var"

        sbindir = "/usr/sbin"

        logdir = "/var/log/radius"

        run_dir = "/var/run/radiusd"

        libdir = "/usr/lib64/freeradius"

        radacctdir = "/var/log/radius/radacct"

        hostname_lookups = no

        max_request_time = 30

        cleanup_delay = 4

        max_requests = 87040

        postauth_client_lost = no

        pidfile = "/var/run/radiusd/radiusd.pid"

        checkrad = "/usr/sbin/checkrad"

        debug_level = 0

        proxy_requests = yes

log {

        stripped_names = no

        auth = yes

        auth_badpass = yes

        auth_goodpass = no

        colourise = yes

        msg_denied = "You are already logged in - access denied"

}

resources {

}

security {

        max_attributes = 300

        reject_delay = 1.200000

        status_server = yes

        allow_vulnerable_openssl = "no"

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

        retry_delay = 5

        retry_count = 3

        default_fallback = no

        dead_time = 120

        wake_all_if_all_dead = no

}

home_server localhost {

        ipaddr = 127.0.0.1

        port = 1812

        type = "auth"

        secret = <<< secret >>>

        response_window = 20.000000

        response_timeouts = 1

        max_outstanding = 65536

        zombie_period = 40

        status_check = "status-server"

        ping_interval = 30

        check_interval = 30

        check_timeout = 4

        num_answers_to_alive = 3

        revive_interval = 120

  limit {

        max_connections = 16

        max_requests = 0

        lifetime = 0

        idle_timeout = 0

  }

  coa {

        irt = 2

        mrt = 16

        mrc = 5

        mrd = 30

  }

  recv_coa {

  }

}

home_server_pool my_auth_failover {

        type = fail-over

        home_server = localhost

}

realm example.com {

        auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Loading Clients ####

client localhost {

        ipaddr = 127.0.0.1

        require_message_authenticator = no

        secret = <<< secret >>>

        nas_type = "other"

        proto = "*"

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

}

client swi-d1-p173-002 {

        ipaddr = 10.100.0.50

        require_message_authenticator = no

        secret = <<< secret >>>

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

}

client edouard {

        ipaddr = 10.100.0.0/24

        require_message_authenticator = no

        secret = <<< secret >>>

        proto = "*"

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

}

client micro-switch {

        ipaddr = 10.100.12.139

        require_message_authenticator = no

        secret = <<< secret >>>

        proto = "*"

  limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

  }

}

Debugger not attached

systemd watchdog is disabled

# Creating Auth-Type = mschap

# Creating Auth-Type = eap

# Creating Auth-Type = PAP

# Creating Auth-Type = CHAP

# Creating Auth-Type = MS-CHAP

# Creating Auth-Type = digest

# Creating Autz-Type = New-TLS-Connection

radiusd: #### Instantiating modules ####

modules {

  # Loaded module rlm_radutmp

  # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp

  radutmp {

        filename = "/var/log/radius/radutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 384

        caller_id = yes

  }

  # Loaded module rlm_dynamic_clients

  # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients

  # Loaded module rlm_files

  # Loading module "files" from file /etc/raddb/mods-enabled/files

  files {

        filename = "/etc/raddb/mods-config/files/authorize"

        usersfile = "/etc/raddb/mods-config/files/authorize"

        acctusersfile = "/etc/raddb/mods-config/files/accounting"

        preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"

  }

  # Loaded module rlm_detail

  # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log

  detail auth_log {

        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log

  detail reply_log {

        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  detail pre_proxy_log {

        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  detail post_proxy_log {

        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loaded module rlm_exec

  # Loading module "exec" from file /etc/raddb/mods-enabled/exec

  exec {

        wait = no

        input_pairs = "request"

        shell_escape = yes

        timeout = 10

  }

  # Loaded module rlm_attr_filter

  # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.post-proxy {

        filename = "/etc/raddb/mods-config/attr_filter/post-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.pre-proxy {

        filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"

        key = "%{Realm}"

        relaxed = no

  }

  # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_reject {

        filename = "/etc/raddb/mods-config/attr_filter/access_reject"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.access_challenge {

        filename = "/etc/raddb/mods-config/attr_filter/access_challenge"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.accounting_response {

        filename = "/etc/raddb/mods-config/attr_filter/accounting_response"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loading module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter

  attr_filter attr_filter.coa {

        filename = "/etc/raddb/mods-config/attr_filter/coa"

        key = "%{User-Name}"

        relaxed = no

  }

  # Loaded module rlm_preprocess

  # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess

  preprocess {

        huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"

        hints = "/etc/raddb/mods-config/preprocess/hints"

        with_ascend_hack = no

        ascend_channels_per_line = 23

        with_ntdomain_hack = no

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no

        with_alvarion_vsa_hack = no

  }

  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth

  exec ntlm_auth {

        wait = yes

        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"

        shell_escape = yes

  }

  # Loaded module rlm_utf8

  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8

  # Loaded module rlm_ldap

  # Loading module "ldap_dauphine" from file /etc/raddb/mods-enabled/ldap_dauphine

  ldap ldap_dauphine {

        server = "ldap.dauphine.fr"

        port = 389

        identity = "uid=radius,ou=bindusers,dc=dauphine,dc=fr"

        password = <<< secret >>>

   sasl {

   }

   user {

        scope = "sub"

        access_positive = yes

    sasl {

    }

   }

   group {

        filter = "(objectClass=posixGroup)"

        scope = "sub"

        name_attribute = "cn"

        membership_attribute = "memberOf"

        cacheable_name = no

        cacheable_dn = no

        allow_dangling_group_ref = no

   }

   client {

        filter = "(objectClass=frClient)"

        scope = "sub"

        base_dn = "ou=people,dc=dauphine,dc=fr"

   }

   profile {

   }

   options {

        ldap_debug = 40

        chase_referrals = yes

        rebind = yes

        net_timeout = 1

        res_timeout = 20

        srv_timelimit = 20

        idle = 60

        probes = 3

        interval = 3

   }

   tls {

        start_tls = no

        require_cert = "never"

   }

  }

Creating attribute ldap_dauphine-LDAP-Group

  # Loaded module rlm_chap

  # Loading module "chap" from file /etc/raddb/mods-enabled/chap

  # Loaded module rlm_expr

  # Loading module "expr" from file /etc/raddb/mods-enabled/expr

  expr {

        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

  }

  # Loaded module rlm_unpack

  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack

  # Loaded module rlm_unix

  # Loading module "unix" from file /etc/raddb/mods-enabled/unix

  unix {

        radwtmp = "/var/log/radius/radwtmp"

  }

Creating attribute Unix-Group

  # Loading module "detail" from file /etc/raddb/mods-enabled/detail

  detail {

        filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

        header = "%t"

        permissions = 384

        locking = no

        escape_filenames = no

        log_packet_header = no

  }

  # Loaded module rlm_logintime

  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime

  logintime {

        minimum_timeout = 60

  }

  # Loaded module rlm_totp

  # Loading module "totp" from file /etc/raddb/mods-enabled/totp

  # Loaded module rlm_eap

  # Loading module "eap" from file /etc/raddb/mods-enabled/eap

  eap {

        default_eap_type = "ttls"

        timer_expire = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = yes

        max_sessions = 87040

  }

  # Loaded module rlm_passwd

  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd

  passwd etc_passwd {

        filename = "/etc/passwd"

        format = "*User-Name:Crypt-Password:"

        delimiter = ":"

        ignore_nislike = no

        ignore_empty = yes

        allow_multiple_keys = no

        hash_size = 100

  }

  # Loaded module rlm_pap

  # Loading module "pap" from file /etc/raddb/mods-enabled/pap

  pap {

        normalise = yes

  }

  # Loaded module rlm_soh

  # Loading module "soh" from file /etc/raddb/mods-enabled/soh

  soh {

        dhcp = yes

  }

  # Loaded module rlm_realm

  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm

  realm IPASS {

        format = "prefix"

        delimiter = "/"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm

  realm suffix {

        format = "suffix"

        delimiter = "@"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "bangpath" from file /etc/raddb/mods-enabled/realm

  realm bangpath {

        format = "prefix"

        delimiter = "!"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm

  realm realmpercent {

        format = "suffix"

        delimiter = "%"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm

  realm ntdomain {

        format = "prefix"

        delimiter = "\\"

        ignore_default = no

        ignore_null = no

  }

  # Loading module "echo" from file /etc/raddb/mods-enabled/echo

  exec echo {

        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = "request"

        output_pairs = "reply"

        shell_escape = yes

  }

  # Loaded module rlm_date

  # Loading module "date" from file /etc/raddb/mods-enabled/date

  date {

        format = "%b %e %Y %H:%M:%S %Z"

        utc = no

  }

  # Loading module "wispr2date" from file /etc/raddb/mods-enabled/date

  date wispr2date {

        format = "%Y-%m-%dT%H:%M:%S"

        utc = no

  }

  # Loaded module rlm_always

  # Loading module "reject" from file /etc/raddb/mods-enabled/always

  always reject {

        rcode = "reject"

        simulcount = 0

        mpp = no

  }

  # Loading module "fail" from file /etc/raddb/mods-enabled/always

  always fail {

        rcode = "fail"

        simulcount = 0

        mpp = no

  }

  # Loading module "ok" from file /etc/raddb/mods-enabled/always

  always ok {

        rcode = "ok"

        simulcount = 0

        mpp = no

  }

  # Loading module "handled" from file /etc/raddb/mods-enabled/always

  always handled {

        rcode = "handled"

        simulcount = 0

        mpp = no

  }

  # Loading module "invalid" from file /etc/raddb/mods-enabled/always

  always invalid {

        rcode = "invalid"

        simulcount = 0

        mpp = no

  }

  # Loading module "userlock" from file /etc/raddb/mods-enabled/always

  always userlock {

        rcode = "userlock"

        simulcount = 0

        mpp = no

  }

  # Loading module "notfound" from file /etc/raddb/mods-enabled/always

  always notfound {

        rcode = "notfound"

        simulcount = 0

        mpp = no

  }

  # Loading module "noop" from file /etc/raddb/mods-enabled/always

  always noop {

        rcode = "noop"

        simulcount = 0

        mpp = no

  }

  # Loading module "updated" from file /etc/raddb/mods-enabled/always

  always updated {

        rcode = "updated"

        simulcount = 0

        mpp = no

 }

  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp

  radutmp sradutmp {

        filename = "/var/log/radius/sradutmp"

        username = "%{User-Name}"

        case_sensitive = yes

        check_with_nas = yes

        permissions = 420

        caller_id = no

  }

  # Loaded module rlm_expiration

  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration

  # Loaded module rlm_mschap

  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap

  mschap {

        use_mppe = yes

        require_encryption = no

        require_strong = no

        with_ntdomain_hack = yes

   passchange {

   }

        allow_retry = yes

        winbind_retry_with_normalised_username = no

  }

  # Loaded module rlm_linelog

  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog

  linelog {

        filename = "/var/log/radius/linelog"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = "This is a log message for %{User-Name}"

        reference = "messages.%{%{reply:Packet-Type}:-default}"

  }

  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog

  linelog log_accounting {

        filename = "/var/log/radius/linelog-accounting"

        escape_filenames = no

        syslog_severity = "info"

        permissions = 384

        format = ""

        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

  }

  # Loaded module rlm_replicate

  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate

  # Loaded module rlm_digest

  # Loading module "digest" from file /etc/raddb/mods-enabled/digest

  instantiate {

  }

  # Instantiating module "files" from file /etc/raddb/mods-enabled/files

reading pairlist file /etc/raddb/mods-config/files/authorize

reading pairlist file /etc/raddb/mods-config/files/authorize

reading pairlist file /etc/raddb/mods-config/files/accounting

reading pairlist file /etc/raddb/mods-config/files/pre-proxy

  # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output

  # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log

  # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log

  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy

  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy

  # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject

  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge

  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response

  # Instantiating module "attr_filter.coa" from file /etc/raddb/mods-enabled/attr_filter

reading pairlist file /etc/raddb/mods-config/attr_filter/coa

  # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess

reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups

reading pairlist file /etc/raddb/mods-config/preprocess/hints

  # Instantiating module "ldap_dauphine" from file /etc/raddb/mods-enabled/ldap_dauphine

rlm_ldap: libldap vendor: OpenLDAP, version: 20459

   accounting {

        reference = "%{tolower:type.%{Acct-Status-Type}}"

   }

   post-auth {

        reference = "."

   }

rlm_ldap (ldap_dauphine): Initialising connection pool

   pool {

        start = 5

        min = 4

        max = 46

        spare = 3

        uses = 0

        lifetime = 0

        cleanup_interval = 30

        idle_timeout = 60

        retry_delay = 1

        spread = no

   }

rlm_ldap (ldap_dauphine): Opening additional connection (0), 1 of 46 pending slots used

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

rlm_ldap (ldap_dauphine): Opening additional connection (1), 1 of 45 pending slots used

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

rlm_ldap (ldap_dauphine): Opening additional connection (2), 1 of 44 pending slots used

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

rlm_ldap (ldap_dauphine): Opening additional connection (3), 1 of 43 pending slots used

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

rlm_ldap (ldap_dauphine): Opening additional connection (4), 1 of 42 pending slots used

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

  # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail

  # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime

  # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap

   # Linked to sub-module rlm_eap_ttls

   ttls {

        tls = "tls-common"

        default_eap_type = "mschapv2"

        copy_request_to_tunnel = yes

        use_tunneled_reply = yes

        virtual_server = "inner-tunnel"

        include_length = yes

        require_client_cert = no

   }

   tls-config tls-common {

        verify_depth = 0

        ca_path = "/etc/raddb/certs"

        pem_file_type = yes

        private_key_file = "/etc/raddb/certs/server.pem"

        certificate_file = "/etc/raddb/certs/server.pem"

        ca_file = "/etc/raddb/certs/ca.pem"

        private_key_password = <<< secret >>>

        fragment_size = 1024

        include_length = yes

        auto_chain = yes

        check_crl = no

        check_all_crl = no

        ca_path_reload_interval = 0

        allow_expired_crl = no

        cipher_list = "DEFAULT"

        cipher_server_preference = no

        reject_unknown_intermediate_ca = yes

        ecdh_curve = ""

        tls_max_version = "1.3"

        tls_min_version = "1.2"

    cache {

        enable = yes

        lifetime = 18

        name = "EAP-test"

        max_entries = 255

        persist_dir = "/var/log/radius/tlscache"

    }

    verify {

        skip_if_ocsp_ok = no

    }

    ocsp {

        enable = no

        override_cert_url = yes

        url = "http://127.0.0.1/ocsp/"

        use_nonce = yes

        timeout = 0

        softfail = no

    }

   }

  # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

  # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap

  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "bangpath" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm

  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always

  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always

  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always

  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always

  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always

  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always

  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always

  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always

  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always

  # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration

  # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

  # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog

  # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog

} # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /etc/raddb/radiusd.conf

} # server

server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel

# Loading authenticate {...}

Compiling Auth-Type PAP for attr Auth-Type

Compiling Auth-Type CHAP for attr Auth-Type

Compiling Auth-Type MS-CHAP for attr Auth-Type

# Loading authorize {...}

Ignoring "sql" (see raddb/mods-available/README.rst)

# Loading session {...}

# Loading post-proxy {...}

# Loading post-auth {...}

# Skipping contents of 'if' as it is always 'false' --
/etc/raddb/sites-enabled/inner-tunnel:336

Compiling Post-Auth-Type REJECT for attr Post-Auth-Type

} # server inner-tunnel

server default { # from file /etc/raddb/sites-enabled/default

# Loading authenticate {...}

Compiling Auth-Type PAP for attr Auth-Type

Compiling Auth-Type CHAP for attr Auth-Type

Compiling Auth-Type MS-CHAP for attr Auth-Type

# Loading authorize {...}

Compiling Autz-Type New-TLS-Connection for attr Autz-Type

# Loading preacct {...}

# Loading accounting {...}

# Loading post-proxy {...}

# Loading post-auth {...}

Compiling Post-Auth-Type REJECT for attr Post-Auth-Type

Compiling Post-Auth-Type Challenge for attr Post-Auth-Type

Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type

} # server default

radiusd: #### Opening IP addresses and Ports ####

listen {

        type = "auth"

        ipaddr = 127.0.0.1

        port = 18120

}

listen {

        type = "auth"

        ipaddr = *

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "acct"

        ipaddr = *

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "auth"

        ipv6addr = ::

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

listen {

        type = "acct"

        ipv6addr = ::

        port = 0

   limit {

        max_connections = 16

        lifetime = 0

        idle_timeout = 30

   }

}

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on proxy address * port 53058

Listening on proxy address :: port 55734

Ready to process requests

(0) Received Access-Request Id 116 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257

(0)   User-Name = "anonymous"

(0)   Service-Type = Framed-User

(0)   Cisco-AVPair = "service-type=Framed"

(0)   Framed-MTU = 1500

(0)   Called-Station-Id = "1C-1D-86-68-F0-05"

(0)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(0)   EAP-Message = 0x0201000e01616e6f6e796d6f7573

(0)   Message-Authenticator = 0x27170bf1dd6f1899c3a48f0953367396

(0)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(0)   Cisco-AVPair = "method=dot1x"

(0)   Framed-IP-Address = 10.111.0.176

(0)   NAS-IP-Address = 10.100.0.16

(0)   NAS-Port-Id = "GigabitEthernet0/5"

(0)   NAS-Port-Type = Ethernet

(0)   NAS-Port = 50105

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(0) suffix: No such realm "NULL"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 1 length 14

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_ttls to process data

(0) eap_ttls: (TLS) Initiating new session

(0) eap: Sending EAP Request (code 1) ID 2 length 6

(0) eap: EAP session adding &reply:State = 0xfe02921efe00877b

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/raddb/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) session-state: Saving cached attributes

(0)   Framed-MTU = 1014

(0) Sent Access-Challenge Id 116 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64

(0)   EAP-Message = 0x010200061520

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0xfe02921efe00877b6bacf72413ed26ad

(0) Finished request

Waking up in 3.9 seconds.

(1) Received Access-Request Id 117 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524

(1)   User-Name = "anonymous"

(1)   Service-Type = Framed-User

(1)   Cisco-AVPair = "service-type=Framed"

(1)   Framed-MTU = 1500

(1)   Called-Station-Id = "1C-1D-86-68-F0-05"

(1)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(1)   EAP-Message =
0x020201051580000000fb16030100f6010000f20303dc99e42d66e577ee8d0af140d8e46d9f
bd48e63536874e0c314774ec014347f8200953178c2f5495c71a18fe2ad8eec676bf5e2d7044
5c63bd3d080835a5e946df002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d00201bb4781d453e1b91b923da8a0c73f42f6c
6247d2477723266ac7c98181928a0c0031000000170000ff01000100002d00020101

(1)   Message-Authenticator = 0x54b5e0c7cd28c4feae286e5b226d376c

(1)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(1)   Cisco-AVPair = "method=dot1x"

(1)   Framed-IP-Address = 10.111.0.176

(1)   NAS-IP-Address = 10.100.0.16

(1)   NAS-Port-Id = "GigabitEthernet0/5"

(1)   NAS-Port-Type = Ethernet

(1)   NAS-Port = 50105

(1)   State = 0xfe02921efe00877b6bacf72413ed26ad

(1) Restoring &session-state

(1)   &session-state:Framed-MTU = 1014

(1) # Executing section authorize from file /etc/raddb/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(1) suffix: No such realm "NULL"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 2 length 261

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/raddb/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0xfe02921efe00877b

(1) eap: Finished EAP session with state 0xfe02921efe00877b

(1) eap: Previous EAP request found for state 0xfe02921efe00877b, released
from the list

(1) eap: Peer sent packet with method EAP TTLS (21)

(1) eap: Calling submodule eap_ttls to process data

(1) eap_ttls: Authenticate

(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes

(1) eap_ttls: (TLS) EAP Got all data (251 bytes)

(1) eap_ttls: (TLS) Handshake state - before SSL initialization

(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization

(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization

(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello

(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello

(1) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello

(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello

(1) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec

(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec

(1) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions

(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions

(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate

(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate

(1) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify

(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify

(1) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished

(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished

(1) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data

(1) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data

(1) eap_ttls: (TLS) In Handshake Phase

(1) eap: Sending EAP Request (code 1) ID 3 length 1024

(1) eap: EAP session adding &reply:State = 0xfe02921eff01877b

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/raddb/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) session-state: Saving cached attributes

(1)   Framed-MTU = 1014

(1)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(1)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(1) Sent Access-Challenge Id 117 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090

(1)   EAP-Message =

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0xfe02921eff01877b6bacf72413ed26ad

(1) Finished request

Waking up in 3.9 seconds.

(2) Received Access-Request Id 118 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267

(2)   User-Name = "anonymous"

(2)   Service-Type = Framed-User

(2)   Cisco-AVPair = "service-type=Framed"

(2)   Framed-MTU = 1500

(2)   Called-Station-Id = "1C-1D-86-68-F0-05"

(2)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(2)   EAP-Message = 0x020300061500

(2)   Message-Authenticator = 0x3f9ce0a2d3b32ad8e5a8134f48355378

(2)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(2)   Cisco-AVPair = "method=dot1x"

(2)   Framed-IP-Address = 10.111.0.176

(2)   NAS-IP-Address = 10.100.0.16

(2)   NAS-Port-Id = "GigabitEthernet0/5"

(2)   NAS-Port-Type = Ethernet

(2)   NAS-Port = 50105

(2)   State = 0xfe02921eff01877b6bacf72413ed26ad

(2) Restoring &session-state

(2)   &session-state:Framed-MTU = 1014

(2)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(2) # Executing section authorize from file /etc/raddb/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(2) suffix: No such realm "NULL"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 3 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/raddb/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0xfe02921eff01877b

(2) eap: Finished EAP session with state 0xfe02921eff01877b

(2) eap: Previous EAP request found for state 0xfe02921eff01877b, released
from the list

(2) eap: Peer sent packet with method EAP TTLS (21)

(2) eap: Calling submodule eap_ttls to process data

(2) eap_ttls: Authenticate

(2) eap_ttls: (TLS) Peer ACKed our handshake fragment

(2) eap: Sending EAP Request (code 1) ID 4 length 1024

(2) eap: EAP session adding &reply:State = 0xfe02921efc06877b

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/raddb/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) session-state: Saving cached attributes

(2)   Framed-MTU = 1014

(2)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(2)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(2) Sent Access-Challenge Id 118 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090

(2)   EAP-Message =
0x0104040015c000000bc9f1f4cf437af91b16d0f14a5c21719a9941f3395ad50388ec984a29
ce4e144f5a3dd4bc07b977eadc2f10a7b1cd069f9d114704a6f1e618c66300a6ea8b6f82b06c
ac295225ddf9017c89f15555a5ec94e9299848d0194b29c5da68d837d7b216ba43eaa97be09c
774e2db93d5fe39afa11a3e0c131dc321ca3f802cf07085c067f5867ce2550d051171e4b8264
f9175382685ebe6f1d214b5772fe68eaf70a4a12f9f383afb826cfc71e3bbf79a7f9ce255bef
3c21983d5be1f1bc693c6848ef321c673d7343a1802ee3f83ae50da149d82e4ef7f575de1fe0
352dbae96a0051973f6a7a2a0a80c6bbab36bb123f4fcc5fea36f8bec44250a219f6c7dd0735
a29e011952a29d233ec78238801850eebab6662c239241c8908b0eff03836df40d9e2bad16be
5fe7d420490f2eb891dc413275ffa816aa7fe801f914463ae8000a38c5a7b42faa849ca6e8d9
71f715ee26f6193aa3ac30366599a17df457869a3a28df4d1eadea3c73a2fab17e2d

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0xfe02921efc06877b6bacf72413ed26ad

(2) Finished request

Waking up in 3.9 seconds.

(3) Received Access-Request Id 119 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267

(3)   User-Name = "anonymous"

(3)   Service-Type = Framed-User

(3)   Cisco-AVPair = "service-type=Framed"

(3)   Framed-MTU = 1500

(3)   Called-Station-Id = "1C-1D-86-68-F0-05"

(3)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(3)   EAP-Message = 0x020400061500

(3)   Message-Authenticator = 0x69f837d9849e72401c77e51a5f9d3053

(3)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(3)   Cisco-AVPair = "method=dot1x"

(3)   Framed-IP-Address = 10.111.0.176

(3)   NAS-IP-Address = 10.100.0.16

(3)   NAS-Port-Id = "GigabitEthernet0/5"

(3)   NAS-Port-Type = Ethernet

(3)   NAS-Port = 50105

(3)   State = 0xfe02921efc06877b6bacf72413ed26ad

(3) Restoring &session-state

(3)   &session-state:Framed-MTU = 1014

(3)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(3) # Executing section authorize from file /etc/raddb/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(3) suffix: No such realm "NULL"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 4 length 6

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/raddb/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0xfe02921efc06877b

(3) eap: Finished EAP session with state 0xfe02921efc06877b

(3) eap: Previous EAP request found for state 0xfe02921efc06877b, released
from the list

(3) eap: Peer sent packet with method EAP TTLS (21)

(3) eap: Calling submodule eap_ttls to process data

(3) eap_ttls: Authenticate

(3) eap_ttls: (TLS) Peer ACKed our handshake fragment

(3) eap: Sending EAP Request (code 1) ID 5 length 999

(3) eap: EAP session adding &reply:State = 0xfe02921efd07877b

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/raddb/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) session-state: Saving cached attributes

(3)   Framed-MTU = 1014

(3)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(3)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(3) Sent Access-Challenge Id 119 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063

(3)   EAP-Message =

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0xfe02921efd07877b6bacf72413ed26ad

(3) Finished request

Waking up in 3.9 seconds.

(4) Received Access-Request Id 120 from 10.100.0.16:1645 to 10.101.0.20:1812
length 421

(4)   User-Name = "anonymous"

(4)   Service-Type = Framed-User

(4)   Cisco-AVPair = "service-type=Framed"

(4)   Framed-MTU = 1500

(4)   Called-Station-Id = "1C-1D-86-68-F0-05"

(4)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(4)   EAP-Message =
0x020500a01580000000961403030001011703030045727b7c7d139d0382232c4013124229c0
8693d0974531dbcdd3d59d210afebe1097bfc7468da2024832126365069720b2095b8049e735
9005ed64d22f9734a04ad09224a78017030300416625c5d7d0c92d892ae205010a224bd2a610
1de65acd878a2736a836174366497e0d2acbfd4a28dfd93984adcd98dc20e1b02a7f88255e01
d3b6fa21ee31b5b70e

(4)   Message-Authenticator = 0x068f3eb81cbe86211779105adf4e14fe

(4)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(4)   Cisco-AVPair = "method=dot1x"

(4)   Framed-IP-Address = 10.111.0.176

(4)   NAS-IP-Address = 10.100.0.16

(4)   NAS-Port-Id = "GigabitEthernet0/5"

(4)   NAS-Port-Type = Ethernet

(4)   NAS-Port = 50105

(4)   State = 0xfe02921efd07877b6bacf72413ed26ad

(4) Restoring &session-state

(4)   &session-state:Framed-MTU = 1014

(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(4) # Executing section authorize from file /etc/raddb/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4)     [chap] = noop

(4)     [mschap] = noop

(4)     [digest] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(4) suffix: No such realm "NULL"

(4)     [suffix] = noop

(4) eap: Peer sent EAP Response (code 2) ID 5 length 160

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/raddb/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0xfe02921efd07877b

(4) eap: Finished EAP session with state 0xfe02921efd07877b

(4) eap: Previous EAP request found for state 0xfe02921efd07877b, released
from the list

(4) eap: Peer sent packet with method EAP TTLS (21)

(4) eap: Calling submodule eap_ttls to process data

(4) eap_ttls: Authenticate

(4) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes

(4) eap_ttls: (TLS) EAP Got all data (150 bytes)

(4) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data

(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished

(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished

(4) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket

(4) eap_ttls: Serialising session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2, and
storing in cache

(4) eap_ttls: WARNING: (TLS) Wrote session 8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 to /var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2.asn1 (141 bytes)

(4) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket

(4) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket

(4) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket

(4) eap_ttls: Session established.  Proceeding to decode tunneled attributes

(4) eap_ttls: Got tunneled request

(4) eap_ttls:   User-Name = "<< user_name >>"

(4) eap_ttls:   User-Password = "<< secret >>"

(4) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1

(4) eap_ttls: Sending tunneled request

(4) Virtual server inner-tunnel received request

(4)   User-Name = "<< user_name >>"

(4)   User-Password = "<< secret >>"

(4)   FreeRADIUS-Proxied-To = 127.0.0.1

(4)   Service-Type = Framed-User

(4)   Cisco-AVPair = "service-type=Framed"

(4)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(4)   Cisco-AVPair = "method=dot1x"

(4)   Framed-MTU = 1500

(4)   Called-Station-Id = "1C-1D-86-68-F0-05"

(4)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(4)   Framed-IP-Address = 10.111.0.176

(4)   NAS-IP-Address = 10.100.0.16

(4)   NAS-Port-Id = "GigabitEthernet0/5"

(4)   NAS-Port-Type = Ethernet

(4)   NAS-Port = 50105

(4)   Event-Timestamp = "Jan 23 2023 15:48:30 CET"

(4) server inner-tunnel {

(4)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel

(4)     authorize {

(4)       policy filter_username {

(4)         if (&User-Name) {

(4)         if (&User-Name)  -> TRUE

(4)         if (&User-Name)  {

(4)           if (&User-Name =~ / /) {

(4)           if (&User-Name =~ / /)  -> FALSE

(4)           if (&User-Name =~ /@[^@]*@/ ) {

(4)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)           if (&User-Name =~ /\.\./ ) {

(4)           if (&User-Name =~ /\.\./ )  -> FALSE

(4)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(4)           if (&User-Name =~ /\.$/)  {

(4)           if (&User-Name =~ /\.$/)   -> FALSE

(4)           if (&User-Name =~ /@\./)  {

(4)           if (&User-Name =~ /@\./)   -> FALSE

(4)         } # if (&User-Name)  = notfound

(4)       } # policy filter_username = notfound

(4)       [chap] = noop

(4)       [mschap] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL

(4) suffix: No such realm "NULL"

(4)       [suffix] = noop

(4)       update control {

(4)         &Proxy-To-Realm := LOCAL

(4)       } # update control = noop

(4) eap: No EAP-Message, not doing EAP

(4)       [eap] = noop

(4)       [files] = noop

rlm_ldap (ldap_dauphine): Reserved connection (0)

(4) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))

(4) ldap_dauphine:    --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail=<<@dauphine.fr))

(4) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"

(4) ldap_dauphine: Waiting for search result...

ber_get_next failed, errno=0.

rlm_ldap (ldap_dauphine): Reconnecting (0)

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

(4) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...

(4) ldap_dauphine: Waiting for search result...

(4) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"

(4) ldap_dauphine: Processing user attributes

(4) ldap_dauphine: control:Password-With-Header += '<< Password_HASH >>'

rlm_ldap (ldap_dauphine): Released connection (0)

rlm_ldap (ldap_dauphine): Closing connection (1) - Too many unused
connections.

(4)       [ldap_dauphine] = updated

(4)       [expiration] = noop

(4)       [logintime] = noop

(4) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password

(4) pap: Removing &control:Password-With-Header

(4) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes

(4)       [pap] = updated

(4)     } # authorize = updated

(4)   Found Auth-Type = PAP

(4)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel

(4)     Auth-Type PAP {

(4) pap: Login attempt with password

(4) pap: Comparing with "known-good" SSHA-Password

(4) pap: User authenticated successfully

(4)       [pap] = ok

(4)     } # Auth-Type PAP = ok

(4)   # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel

(4)     post-auth {

(4)       if (0) {

(4)       if (0)  -> FALSE

(4)     } # post-auth = noop

(4)   Login OK: [<< user_name >>] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)

(4) } # server inner-tunnel

(4) Virtual server sending reply

(4) eap_ttls: Got tunneled Access-Accept

(4) eap_ttls: (TLS) cache - Setting up attributes for session resumption

(4) eap_ttls:     caching EAP-Type = TTLS

(4) eap_ttls: Saving session
8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2 in the disk
cache

(4) eap: Sending EAP Success (code 3) ID 5 length 4

(4) eap: Freeing handler

(4)     [eap] = ok

(4)   } # authenticate = ok

(4) # Executing section post-auth from file /etc/raddb/sites-enabled/default

(4)   post-auth {

(4)     update reply {

(4)       Tunnel-type = VLAN

(4)       Tunnel-medium-type = IEEE-802

(4)       Tunnel-Private-Group-Id = 333

(4)     } # update reply = noop

(4)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {

(4)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE

(4)     update {

(4)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'

(4)       &reply::TLS-Cache-Filename += &session-state:TLS-Cache-Filename[*] -> '/var/log/radius/tlscache/8faab009e995e9bb9401cf4dcda4009e1a4574e7652198df76d40a3f89ecafb2.asn1'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'

(4)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'

(4)     } # update = noop

(4)     [exec] = noop

(4)     policy remove_reply_message_if_eap {

(4)       if (&reply:EAP-Message && &reply:Reply-Message) {

(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(4)       else {

(4)         [noop] = noop

(4)       } # else = noop

(4)     } # policy remove_reply_message_if_eap = noop

(4)     if (EAP-Key-Name && &reply:EAP-Session-Id) {

(4)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE

(4)   } # post-auth = noop

(4) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)

(4) Sent Access-Accept Id 120 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195

(4)   MS-MPPE-Recv-Key =
0xe8f069d02ca53749e572b46431b26292c44bba7742a8dc2ee298bf2d0204bab3

(4)   MS-MPPE-Send-Key =
0x3b4174e10b09e1b4bb95d18de1176dcec746aa5097fe8932cbfa6ea96149f368

(4)   EAP-Message = 0x03050004

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   User-Name = "anonymous"

(4)   Tunnel-Type = VLAN

(4)   Tunnel-Medium-Type = IEEE-802

(4)   Tunnel-Private-Group-Id = "333"

(4)   Framed-MTU += 1014

(4) Finished request

Waking up in 2.0 seconds.

(5) Received Accounting-Request Id 77 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229

(5)   Framed-IP-Address = 10.111.0.176

(5)   User-Name = "anonymous"

(5)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(5)   Cisco-AVPair = "vlan-id=333"

(5)   Cisco-AVPair = "method=dot1x"

(5)   Called-Station-Id = "1C-1D-86-68-F0-05"

(5)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(5)   NAS-IP-Address = 10.100.0.16

(5)   NAS-Port-Id = "GigabitEthernet0/5"

(5)   NAS-Port-Type = Ethernet

(5)   NAS-Port = 50105

(5)   Acct-Session-Id = "0000007E"

(5)   Acct-Status-Type = Start

(5)   Event-Timestamp = "Jan 23 2023 15:48:31 CET"

(5)   Acct-Delay-Time = 0

(5) # Executing section preacct from file /etc/raddb/sites-enabled/default

(5)   preacct {

(5)     [preprocess] = ok

(5)     policy acct_unique {

(5)       update request {

(5)         &Tmp-String-9 := "ai:"

(5)       } # update request = noop

(5)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {

(5)       EXPAND %{hex:&Class}

(5)          -->

(5)       EXPAND ^%{hex:&Tmp-String-9}

(5)          --> ^61693a

(5)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE

(5)       else {

(5)         update request {

(5)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}

(5)              --> 26336d4848cc85848291b9aff73b07c4

(5)           &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4

(5)         } # update request = noop

(5)       } # else = noop

(5)       update request {

(5)         &Tmp-String-9 !* ANY

(5)       } # update request = noop

(5)     } # policy acct_unique = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)     [suffix] = noop

(5)     [files] = noop

(5)   } # preacct = ok

(5) # Executing section accounting from file
/etc/raddb/sites-enabled/default

(5)   accounting {

(5) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

(5) detail:    --> /var/log/radius/radacct/10.100.0.16/detail-20230123

(5) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.16/detail-20230123

(5) detail: EXPAND %t

(5) detail:    --> Mon Jan 23 15:48:31 2023

(5)     [detail] = ok

(5)     [unix] = ok

(5)     [exec] = noop

(5) attr_filter.accounting_response: EXPAND %{User-Name}

(5) attr_filter.accounting_response:    --> anonymous

(5) attr_filter.accounting_response: Matched entry DEFAULT at line 12

(5)     [attr_filter.accounting_response] = updated

(5)   } # accounting = updated

(5) Sent Accounting-Response Id 77 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20

(5) Finished request

(5) Cleaning up request packet ID 77 with timestamp +46 due to done

Waking up in 1.0 seconds.

(0) Cleaning up request packet ID 116 with timestamp +43 due to
cleanup_delay was reached

(1) Cleaning up request packet ID 117 with timestamp +43 due to
cleanup_delay was reached

(2) Cleaning up request packet ID 118 with timestamp +43 due to
cleanup_delay was reached

(3) Cleaning up request packet ID 119 with timestamp +43 due to
cleanup_delay was reached

Waking up in 1.8 seconds.

(4) Cleaning up request packet ID 120 with timestamp +45 due to
cleanup_delay was reached

Ready to process requests

(6) Received Accounting-Request Id 78 from 10.100.0.16:1646 to
10.101.0.20:1813 length 265

(6)   Framed-IP-Address = 10.111.0.176

(6)   User-Name = "anonymous"

(6)   Cisco-AVPair = "audit-session-id=0A64001000000150077A4C0A"

(6)   Cisco-AVPair = "vlan-id=333"

(6)   Cisco-AVPair = "method=dot1x"

(6)   Called-Station-Id = "1C-1D-86-68-F0-05"

(6)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(6)   NAS-IP-Address = 10.100.0.16

(6)   NAS-Port-Id = "GigabitEthernet0/5"

(6)   NAS-Port-Type = Ethernet

(6)   NAS-Port = 50105

(6)   Acct-Session-Id = "0000007E"

(6)   Acct-Terminate-Cause = Lost-Carrier

(6)   Acct-Status-Type = Stop

(6)   Event-Timestamp = "Jan 23 2023 15:51:31 CET"

(6)   Acct-Session-Time = 180

(6)   Acct-Input-Octets = 20194364

(6)   Acct-Output-Octets = 1261011568

(6)   Acct-Input-Packets = 184950

(6)   Acct-Output-Packets = 899478

(6)   Acct-Delay-Time = 0

(6) # Executing section preacct from file /etc/raddb/sites-enabled/default

(6)   preacct {

(6)     [preprocess] = ok

(6)     policy acct_unique {

(6)       update request {

(6)         &Tmp-String-9 := "ai:"

(6)       } # update request = noop

(6)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {

(6)       EXPAND %{hex:&Class}

(6)          -->

(6)       EXPAND ^%{hex:&Tmp-String-9}

(6)          --> ^61693a

(6)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE

(6)       else {

(6)         update request {

(6)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}

(6)              --> 26336d4848cc85848291b9aff73b07c4

(6)           &Acct-Unique-Session-Id := 26336d4848cc85848291b9aff73b07c4

(6)         } # update request = noop

(6)       } # else = noop

(6)       update request {

(6)         &Tmp-String-9 !* ANY

(6)       } # update request = noop

(6)     } # policy acct_unique = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)     [suffix] = noop

(6)     [files] = noop

(6)   } # preacct = ok

(6) # Executing section accounting from file
/etc/raddb/sites-enabled/default

(6)   accounting {

(6) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

(6) detail:    --> /var/log/radius/radacct/10.100.0.16/detail-20230123

(6) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.16/detail-20230123

(6) detail: EXPAND %t

(6) detail:    --> Mon Jan 23 15:51:31 2023

(6)     [detail] = ok

(6)     [unix] = ok

(6)     [exec] = noop

(6) attr_filter.accounting_response: EXPAND %{User-Name}

(6) attr_filter.accounting_response:    --> anonymous

(6) attr_filter.accounting_response: Matched entry DEFAULT at line 12

(6)     [attr_filter.accounting_response] = updated

(6)   } # accounting = updated

(6) Sent Accounting-Response Id 78 from 10.101.0.20:1813 to 10.100.0.16:1646
length 20

(6) Finished request

(6) Cleaning up request packet ID 78 with timestamp +226 due to done

Ready to process requests

(7) Received Access-Request Id 121 from 10.100.0.16:1645 to 10.101.0.20:1812
length 257

(7)   User-Name = "anonymous"

(7)   Service-Type = Framed-User

(7)   Cisco-AVPair = "service-type=Framed"

(7)   Framed-MTU = 1500

(7)   Called-Station-Id = "1C-1D-86-68-F0-05"

(7)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(7)   EAP-Message = 0x0201000e01616e6f6e796d6f7573

(7)   Message-Authenticator = 0x95fbe1a2b99598e655d08d4d335dc5bd

(7)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(7)   Cisco-AVPair = "method=dot1x"

(7)   Framed-IP-Address = 10.111.0.176

(7)   NAS-IP-Address = 10.100.0.16

(7)   NAS-Port-Id = "GigabitEthernet0/5"

(7)   NAS-Port-Type = Ethernet

(7)   NAS-Port = 50105

(7) # Executing section authorize from file /etc/raddb/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7)     [chap] = noop

(7)     [mschap] = noop

(7)     [digest] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)     [suffix] = noop

(7) eap: Peer sent EAP Response (code 2) ID 1 length 14

(7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest
of authorize

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/raddb/sites-enabled/default

(7)   authenticate {

(7) eap: Peer sent packet with method EAP Identity (1)

(7) eap: Calling submodule eap_ttls to process data

(7) eap_ttls: (TLS) Initiating new session

(7) eap: Sending EAP Request (code 1) ID 2 length 6

(7) eap: EAP session adding &reply:State = 0xbb455463bb474125

(7)     [eap] = handled

(7)   } # authenticate = handled

(7) Using Post-Auth-Type Challenge

(7) # Executing group from file /etc/raddb/sites-enabled/default

(7)   Challenge { ... } # empty sub-section is ignored

(7) session-state: Saving cached attributes

(7)   Framed-MTU = 1014

(7) Sent Access-Challenge Id 121 from 10.101.0.20:1812 to 10.100.0.16:1645
length 64

(7)   EAP-Message = 0x010200061520

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   State = 0xbb455463bb4741259c77a610d5caea1f

(7) Finished request

Waking up in 3.9 seconds.

(8) Received Access-Request Id 122 from 10.100.0.16:1645 to 10.101.0.20:1812
length 524

(8)   User-Name = "anonymous"

(8)   Service-Type = Framed-User

(8)   Cisco-AVPair = "service-type=Framed"

(8)   Framed-MTU = 1500

(8)   Called-Station-Id = "1C-1D-86-68-F0-05"

(8)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(8)   EAP-Message =
0x020201051580000000fb16030100f6010000f20303bc7cb74fc4e656b719b2b4aea42da3dc
ab905197e53228b91170245440171b25202eca8734fde773de82eb9ce9b5a54084c899da401f
baecdf67e065ff118c5026002813021301c02cc02bc030c02fc024c023c028c027c00ac009c0
14c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303
020301000d001a00180804080508060401050102010403050302030202060106030023000000
0a00080006001d00170018003300260024001d002045478a7ec1699508b4546bde4c1692e625
2630658b936ae3289d11ba3ce90d380031000000170000ff01000100002d00020101

(8)   Message-Authenticator = 0xe1a588f3c4720ed8de29e1e948d11116

(8)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(8)   Cisco-AVPair = "method=dot1x"

(8)   Framed-IP-Address = 10.111.0.176

(8)   NAS-IP-Address = 10.100.0.16

(8)   NAS-Port-Id = "GigabitEthernet0/5"

(8)   NAS-Port-Type = Ethernet

(8)   NAS-Port = 50105

(8)   State = 0xbb455463bb4741259c77a610d5caea1f

(8) Restoring &session-state

(8)   &session-state:Framed-MTU = 1014

(8) # Executing section authorize from file /etc/raddb/sites-enabled/default

(8)   authorize {

(8)     policy filter_username {

(8)       if (&User-Name) {

(8)       if (&User-Name)  -> TRUE

(8)       if (&User-Name)  {

(8)         if (&User-Name =~ / /) {

(8)         if (&User-Name =~ / /)  -> FALSE

(8)         if (&User-Name =~ /@[^@]*@/ ) {

(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)         if (&User-Name =~ /\.\./ ) {

(8)         if (&User-Name =~ /\.\./ )  -> FALSE

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(8)         if (&User-Name =~ /\.$/)  {

(8)         if (&User-Name =~ /\.$/)   -> FALSE

(8)         if (&User-Name =~ /@\./)  {

(8)         if (&User-Name =~ /@\./)   -> FALSE

(8)       } # if (&User-Name)  = notfound

(8)     } # policy filter_username = notfound

(8)     [preprocess] = ok

(8)     [chap] = noop

(8)     [mschap] = noop

(8)     [digest] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(8) suffix: No such realm "NULL"

(8)     [suffix] = noop

(8) eap: Peer sent EAP Response (code 2) ID 2 length 261

(8) eap: Continuing tunnel setup

(8)     [eap] = ok

(8)   } # authorize = ok

(8) Found Auth-Type = eap

(8) # Executing group from file /etc/raddb/sites-enabled/default

(8)   authenticate {

(8) eap: Expiring EAP session with state 0xbb455463bb474125

(8) eap: Finished EAP session with state 0xbb455463bb474125

(8) eap: Previous EAP request found for state 0xbb455463bb474125, released
from the list

(8) eap: Peer sent packet with method EAP TTLS (21)

(8) eap: Calling submodule eap_ttls to process data

(8) eap_ttls: Authenticate

(8) eap_ttls: (TLS) EAP Peer says that the final record size will be 251
bytes

(8) eap_ttls: (TLS) EAP Got all data (251 bytes)

(8) eap_ttls: (TLS) Handshake state - before SSL initialization

(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization

(8) eap_ttls: (TLS) Handshake state - Server before SSL initialization

(8) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello

(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello

(8) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello

(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello

(8) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec

(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
spec

(8) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions

(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write encrypted
extensions

(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate

(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate

(8) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify

(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 write server
certificate verify

(8) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished

(8) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished

(8) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data

(8) eap_ttls: (TLS) Server : Need to read more data: TLSv1.3 early data

(8) eap_ttls: (TLS) In Handshake Phase

(8) eap: Sending EAP Request (code 1) ID 3 length 1024

(8) eap: EAP session adding &reply:State = 0xbb455463ba464125

(8)     [eap] = handled

(8)   } # authenticate = handled

(8) Using Post-Auth-Type Challenge

(8) # Executing group from file /etc/raddb/sites-enabled/default

(8)   Challenge { ... } # empty sub-section is ignored

(8) session-state: Saving cached attributes

(8)   Framed-MTU = 1014

(8)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(8)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(8) Sent Access-Challenge Id 122 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090

(8)   EAP-Message =

(8)   Message-Authenticator = 0x00000000000000000000000000000000

(8)   State = 0xbb455463ba4641259c77a610d5caea1f

(8) Finished request

Waking up in 3.9 seconds.

(9) Received Access-Request Id 123 from 10.100.0.16:1645 to 10.101.0.20:1812
length 267

(9)   User-Name = "anonymous"

(9)   Service-Type = Framed-User

(9)   Cisco-AVPair = "service-type=Framed"

(9)   Framed-MTU = 1500

(9)   Called-Station-Id = "1C-1D-86-68-F0-05"

(9)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(9)   EAP-Message = 0x020300061500

(9)   Message-Authenticator = 0x2230b850fae1f735dff59252f552a475

(9)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(9)   Cisco-AVPair = "method=dot1x"

(9)   Framed-IP-Address = 10.111.0.176

(9)   NAS-IP-Address = 10.100.0.16

(9)   NAS-Port-Id = "GigabitEthernet0/5"

(9)   NAS-Port-Type = Ethernet

(9)   NAS-Port = 50105

(9)   State = 0xbb455463ba4641259c77a610d5caea1f

(9) Restoring &session-state

(9)   &session-state:Framed-MTU = 1014

(9)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(9) # Executing section authorize from file /etc/raddb/sites-enabled/default

(9)   authorize {

(9)     policy filter_username {

(9)       if (&User-Name) {

(9)       if (&User-Name)  -> TRUE

(9)       if (&User-Name)  {

(9)         if (&User-Name =~ / /) {

(9)         if (&User-Name =~ / /)  -> FALSE

(9)         if (&User-Name =~ /@[^@]*@/ ) {

(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(9)         if (&User-Name =~ /\.\./ ) {

(9)         if (&User-Name =~ /\.\./ )  -> FALSE

(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(9)         if (&User-Name =~ /\.$/)  {

(9)         if (&User-Name =~ /\.$/)   -> FALSE

(9)         if (&User-Name =~ /@\./)  {

(9)         if (&User-Name =~ /@\./)   -> FALSE

(9)       } # if (&User-Name)  = notfound

(9)     } # policy filter_username = notfound

(9)     [preprocess] = ok

(9)     [chap] = noop

(9)     [mschap] = noop

(9)     [digest] = noop

(9) suffix: Checking for suffix after "@"

(9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(9) suffix: No such realm "NULL"

(9)     [suffix] = noop

(9) eap: Peer sent EAP Response (code 2) ID 3 length 6

(9) eap: Continuing tunnel setup

(9)     [eap] = ok

(9)   } # authorize = ok

(9) Found Auth-Type = eap

(9) # Executing group from file /etc/raddb/sites-enabled/default

(9)   authenticate {

(9) eap: Expiring EAP session with state 0xbb455463ba464125

(9) eap: Finished EAP session with state 0xbb455463ba464125

(9) eap: Previous EAP request found for state 0xbb455463ba464125, released
from the list

(9) eap: Peer sent packet with method EAP TTLS (21)

(9) eap: Calling submodule eap_ttls to process data

(9) eap_ttls: Authenticate

(9) eap_ttls: (TLS) Peer ACKed our handshake fragment

(9) eap: Sending EAP Request (code 1) ID 4 length 1024

(9) eap: EAP session adding &reply:State = 0xbb455463b9414125

(9)     [eap] = handled

(9)   } # authenticate = handled

(9) Using Post-Auth-Type Challenge

(9) # Executing group from file /etc/raddb/sites-enabled/default

(9)   Challenge { ... } # empty sub-section is ignored

(9) session-state: Saving cached attributes

(9)   Framed-MTU = 1014

(9)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(9)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(9) Sent Access-Challenge Id 123 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1090

(9)   EAP-Message =
0x0104040015c000000bc95c6adce2df0918de28872f44b0532fc184381223951f6a6203a1f9
1e2282872f2ca960a9866f1e84e8a30448781f7ce81fc0a4f3786e6e58161ad9b35f33bd2cef
6cf972c7458b0dae8ef799b2596063c40f67d54a62f8dc0ca06649343a758b17e9e77044f57f
fd239786df3da73c6cab18965541976d7fa1653efeb62c5048bcc0de713371ed2528ebb50726
f0ed6dfb32c53a898d2f2d0d315210e4ed8dd33d3d69cbd223d95cbc5f86dddf78f1ac963f50
2f2a910e7922a444c8a58e125b4eaf95e9b3075122cfe83a0e088176d072dd9fbaec52ad93da
3e90725c2835a74c4dd5a649f180526e16c22b7890f498b7112439af08e3e0e36c1d431ff635
5c12d6426de65021aca7dffe91316af2e526b6e2da8b881f9daf49f2bc66d370d9a909b36a0c
610f8ea9a995e0380ef9fc5c2f208ea20079e2c5ef1adef8b7fc55e68ff6296572a736248a2f
ddb9c4bc3cc343f6bfb33321cae0b2fcd0c4dfdba8392eefd789782343155bb333c9

(9)   Message-Authenticator = 0x00000000000000000000000000000000

(9)   State = 0xbb455463b94141259c77a610d5caea1f

(9) Finished request

Waking up in 3.9 seconds.

(10) Received Access-Request Id 124 from 10.100.0.16:1645 to
10.101.0.20:1812 length 267

(10)   User-Name = "anonymous"

(10)   Service-Type = Framed-User

(10)   Cisco-AVPair = "service-type=Framed"

(10)   Framed-MTU = 1500

(10)   Called-Station-Id = "1C-1D-86-68-F0-05"

(10)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(10)   EAP-Message = 0x020400061500

(10)   Message-Authenticator = 0xcf01c3ce8e8c77c72ffbd3cb7f4df406

(10)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(10)   Cisco-AVPair = "method=dot1x"

(10)   Framed-IP-Address = 10.111.0.176

(10)   NAS-IP-Address = 10.100.0.16

(10)   NAS-Port-Id = "GigabitEthernet0/5"

(10)   NAS-Port-Type = Ethernet

(10)   NAS-Port = 50105

(10)   State = 0xbb455463b94141259c77a610d5caea1f

(10) Restoring &session-state

(10)   &session-state:Framed-MTU = 1014

(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(10) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(10)   authorize {

(10)     policy filter_username {

(10)       if (&User-Name) {

(10)       if (&User-Name)  -> TRUE

(10)       if (&User-Name)  {

(10)         if (&User-Name =~ / /) {

(10)         if (&User-Name =~ / /)  -> FALSE

(10)         if (&User-Name =~ /@[^@]*@/ ) {

(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(10)         if (&User-Name =~ /\.\./ ) {

(10)         if (&User-Name =~ /\.\./ )  -> FALSE

(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(10)         if (&User-Name =~ /\.$/)  {

(10)         if (&User-Name =~ /\.$/)   -> FALSE

(10)         if (&User-Name =~ /@\./)  {

(10)         if (&User-Name =~ /@\./)   -> FALSE

(10)       } # if (&User-Name)  = notfound

(10)     } # policy filter_username = notfound

(10)     [preprocess] = ok

(10)     [chap] = noop

(10)     [mschap] = noop

(10)     [digest] = noop

(10) suffix: Checking for suffix after "@"

(10) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(10) suffix: No such realm "NULL"

(10)     [suffix] = noop

(10) eap: Peer sent EAP Response (code 2) ID 4 length 6

(10) eap: Continuing tunnel setup

(10)     [eap] = ok

(10)   } # authorize = ok

(10) Found Auth-Type = eap

(10) # Executing group from file /etc/raddb/sites-enabled/default

(10)   authenticate {

(10) eap: Expiring EAP session with state 0xbb455463b9414125

(10) eap: Finished EAP session with state 0xbb455463b9414125

(10) eap: Previous EAP request found for state 0xbb455463b9414125, released
from the list

(10) eap: Peer sent packet with method EAP TTLS (21)

(10) eap: Calling submodule eap_ttls to process data

(10) eap_ttls: Authenticate

(10) eap_ttls: (TLS) Peer ACKed our handshake fragment

(10) eap: Sending EAP Request (code 1) ID 5 length 999

(10) eap: EAP session adding &reply:State = 0xbb455463b8404125

(10)     [eap] = handled

(10)   } # authenticate = handled

(10) Using Post-Auth-Type Challenge

(10) # Executing group from file /etc/raddb/sites-enabled/default

(10)   Challenge { ... } # empty sub-section is ignored

(10) session-state: Saving cached attributes

(10)   Framed-MTU = 1014

(10)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, ServerHello"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 ChangeCipherSpec"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
EncryptedExtensions"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Certificate"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake,
CertificateVerify"

(10)   TLS-Session-Information = "(TLS) send TLS 1.3 Handshake, Finished"

(10) Sent Access-Challenge Id 124 from 10.101.0.20:1812 to 10.100.0.16:1645
length 1063

(10)   EAP-Message =
0x010503e7158000000bc9d9ab09bcb961adae0a3f7517ba8cf219156a8645871001f01b9a48
1a98d7386ebede08d1235a47d1c068dee101bd2c8e568fb55e4f110b1ce27fd37b16cecc3944
274430f835717ae26145c0f6d748240d91650e9fac6ecd002cc723efda237b47b0ee041ec63a
686b92e664de819d2b9e5439f4f9de7a2cc4eda2057c7447dad43fc1aaad003b665e9a463bdd
07ca61b3edae4139d7f80977c247a45697ca33aae4c8ea6d03e021804be9eeed4cc433334fd6
25c62a5e7859f52fecc302ac83a6058bac46d982e98f1d0773a26be0cbe62271b45f50c9353d
a5d6c1fb28ee5aa127845a83030875fd6028e63194c03640150d5388df8887ca0f87b1311b02
243a67abc28794570e167eff0e4bce726ce8c373cb52a4fc9df5d65649cd1c9eba97adf15ac8
d5d27608ccab68ed4181e085f7c53c373395f6f707807f46effe7b929d31a5b696fbe78ab29e
e9de654a8c9b895a464fe35cddaba5607efbb4eae4ee6cd03f0534307ab9fbbfae14

(10)   Message-Authenticator = 0x00000000000000000000000000000000

(10)   State = 0xbb455463b84041259c77a610d5caea1f

(10) Finished request

Waking up in 3.9 seconds.

(11) Received Access-Request Id 125 from 10.100.0.16:1645 to
10.101.0.20:1812 length 421

(11)   User-Name = "anonymous"

(11)   Service-Type = Framed-User

(11)   Cisco-AVPair = "service-type=Framed"

(11)   Framed-MTU = 1500

(11)   Called-Station-Id = "1C-1D-86-68-F0-05"

(11)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(11)   EAP-Message =
0x020500a0158000000096140303000101170303004518b03cdd7a3d877bd60d15b6c2d39bab
0896169fa3a2785f9e9c7d9ce2bdf71a87f5a05131f4e1d69945506abd38566012c910e16c52
13ad8f23f8a05a0ad3f3e8f7f93604170303004108be289a7c3651f4ccd6edf31fc1cc525c81
7e1950bf1645734a55231d01342bfb85f7c5a84cbdec624146ace4253f22f1605faba5d4ba6c
154c38ff03b80de5a2

(11)   Message-Authenticator = 0xe7411a65948c81a8068f05ec25501b56

(11)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(11)   Cisco-AVPair = "method=dot1x"

(11)   Framed-IP-Address = 10.111.0.176

(11)   NAS-IP-Address = 10.100.0.16

(11)   NAS-Port-Id = "GigabitEthernet0/5"

(11)   NAS-Port-Type = Ethernet

(11)   NAS-Port = 50105

(11)   State = 0xbb455463b84041259c77a610d5caea1f

(11) Restoring &session-state

(11)   &session-state:Framed-MTU = 1014

(11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, ServerHello"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
ChangeCipherSpec"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, EncryptedExtensions"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Certificate"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, CertificateVerify"

(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.3
Handshake, Finished"

(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(11)   authorize {

(11)     policy filter_username {

(11)       if (&User-Name) {

(11)       if (&User-Name)  -> TRUE

(11)       if (&User-Name)  {

(11)         if (&User-Name =~ / /) {

(11)         if (&User-Name =~ / /)  -> FALSE

(11)         if (&User-Name =~ /@[^@]*@/ ) {

(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(11)         if (&User-Name =~ /\.\./ ) {

(11)         if (&User-Name =~ /\.\./ )  -> FALSE

(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(11)         if (&User-Name =~ /\.$/)  {

(11)         if (&User-Name =~ /\.$/)   -> FALSE

(11)         if (&User-Name =~ /@\./)  {

(11)         if (&User-Name =~ /@\./)   -> FALSE

(11)       } # if (&User-Name)  = notfound

(11)     } # policy filter_username = notfound

(11)     [preprocess] = ok

(11)     [chap] = noop

(11)     [mschap] = noop

(11)     [digest] = noop

(11) suffix: Checking for suffix after "@"

(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(11) suffix: No such realm "NULL"

(11)     [suffix] = noop

(11) eap: Peer sent EAP Response (code 2) ID 5 length 160

(11) eap: Continuing tunnel setup

(11)     [eap] = ok

(11)   } # authorize = ok

(11) Found Auth-Type = eap

(11) # Executing group from file /etc/raddb/sites-enabled/default

(11)   authenticate {

(11) eap: Expiring EAP session with state 0xbb455463b8404125

(11) eap: Finished EAP session with state 0xbb455463b8404125

(11) eap: Previous EAP request found for state 0xbb455463b8404125, released
from the list

(11) eap: Peer sent packet with method EAP TTLS (21)

(11) eap: Calling submodule eap_ttls to process data

(11) eap_ttls: Authenticate

(11) eap_ttls: (TLS) EAP Peer says that the final record size will be 150
bytes

(11) eap_ttls: (TLS) EAP Got all data (150 bytes)

(11) eap_ttls: (TLS) Handshake state - Server TLSv1.3 early data

(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished

(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished

(11) eap_ttls: (TLS) Handshake state - SSLv3/TLS write session ticket

(11) eap_ttls: Serialising session 630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911, and storing in cache

(11) eap_ttls: WARNING: (TLS) Wrote session 630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 to /var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911.asn1 (140 bytes)

(11) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket

(11) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write session ticket

(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, NewSessionTicket

(11) eap_ttls: Session established.  Proceeding to decode tunneled
attributes

(11) eap_ttls: Got tunneled request

(11) eap_ttls:   User-Name = "<< user_name >>"

(11) eap_ttls:   User-Password = "<< secret >>"

(11) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1

(11) eap_ttls: Sending tunneled request

(11) Virtual server inner-tunnel received request

(11)   User-Name = "<< user_name >>"

(11)   User-Password = "<< secret >>"

(11)   FreeRADIUS-Proxied-To = 127.0.0.1

(11)   Service-Type = Framed-User

(11)   Cisco-AVPair = "service-type=Framed"

(11)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(11)   Cisco-AVPair = "method=dot1x"

(11)   Framed-MTU = 1500

(11)   Called-Station-Id = "1C-1D-86-68-F0-05"

(11)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(11)   Framed-IP-Address = 10.111.0.176

(11)   NAS-IP-Address = 10.100.0.16

(11)   NAS-Port-Id = "GigabitEthernet0/5"

(11)   NAS-Port-Type = Ethernet

(11)   NAS-Port = 50105

(11)   Event-Timestamp = "Jan 23 2023 15:52:03 CET"

(11) server inner-tunnel {

(11)   # Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel

(11)     authorize {

(11)       policy filter_username {

(11)         if (&User-Name) {

(11)         if (&User-Name)  -> TRUE

(11)         if (&User-Name)  {

(11)           if (&User-Name =~ / /) {

(11)           if (&User-Name =~ / /)  -> FALSE

(11)           if (&User-Name =~ /@[^@]*@/ ) {

(11)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(11)           if (&User-Name =~ /\.\./ ) {

(11)           if (&User-Name =~ /\.\./ )  -> FALSE

(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(11)           if (&User-Name =~ /\.$/)  {

(11)           if (&User-Name =~ /\.$/)   -> FALSE

(11)           if (&User-Name =~ /@\./)  {

(11)           if (&User-Name =~ /@\./)   -> FALSE

(11)         } # if (&User-Name)  = notfound

(11)       } # policy filter_username = notfound

(11)       [chap] = noop

(11)       [mschap] = noop

(11) suffix: Checking for suffix after "@"

(11) suffix: No '@' in User-Name = "<< user_name >>", looking up realm NULL

(11) suffix: No such realm "NULL"

(11)       [suffix] = noop

(11)       update control {

(11)         &Proxy-To-Realm := LOCAL

(11)       } # update control = noop

(11) eap: No EAP-Message, not doing EAP

(11)       [eap] = noop

(11)       [files] = noop

rlm_ldap (ldap_dauphine): Reserved connection (2)

(11) ldap_dauphine: EXPAND
(|(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}})
(mail=%{%{Stripped-User-Name}:-%{User-Name}}@dauphine.fr))

(11) ldap_dauphine:    --> (|(supannAliasLogin="<< user_name >>") (mail="<<
user_name >>") (mail="<< user_name >>"@dauphine.fr))

(11) ldap_dauphine: Performing search in "ou=people,dc=dauphine,dc=fr" with
filter "(|(supannAliasLogin="<< user_name >>") (mail="<< user_name >>")
(mail="<< user_name >>"@dauphine.fr))", scope "sub"

(11) ldap_dauphine: Waiting for search result...

rlm_ldap (ldap_dauphine): Reconnecting (2)

rlm_ldap (ldap_dauphine): Connecting to ldap://ldap.dauphine.fr:389

rlm_ldap (ldap_dauphine): Waiting for bind result...

rlm_ldap (ldap_dauphine): Bind successful

(11) ldap_dauphine: WARNING: Search failed: Can't contact LDAP server. Got
new socket, retrying...

(11) ldap_dauphine: Waiting for search result...

(11) ldap_dauphine: User object found at DN
"uid=00061572,ou=people,dc=dauphine,dc=fr"

(11) ldap_dauphine: Processing user attributes

(11) ldap_dauphine: control:Password-With-Header += '<< password_HASH >>'

rlm_ldap (ldap_dauphine): Released connection (2)

rlm_ldap (ldap_dauphine): You probably need to lower "min"

rlm_ldap (ldap_dauphine): Closing expired connection (4) - Hit idle_timeout
limit

rlm_ldap (ldap_dauphine): You probably need to lower "min"

rlm_ldap (ldap_dauphine): Closing expired connection (3) - Hit idle_timeout
limit

rlm_ldap (ldap_dauphine): You probably need to lower "min"

rlm_ldap (ldap_dauphine): Closing expired connection (0) - Hit idle_timeout
limit

(11)       [ldap_dauphine] = updated

(11)       [expiration] = noop

(11)       [logintime] = noop

(11) pap: Converted: &control:Password-With-Header ->
&control:SSHA1-Password

(11) pap: Removing &control:Password-With-Header

(11) pap: Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24
bytes

(11)       [pap] = updated

(11)     } # authorize = updated

(11)   Found Auth-Type = PAP

(11)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel

(11)     Auth-Type PAP {

(11) pap: Login attempt with password

(11) pap: Comparing with "known-good" SSHA-Password

(11) pap: User authenticated successfully

(11)       [pap] = ok

(11)     } # Auth-Type PAP = ok

(11)   # Executing section post-auth from file
/etc/raddb/sites-enabled/inner-tunnel

(11)     post-auth {

(11)       if (0) {

(11)       if (0)  -> FALSE

(11)     } # post-auth = noop

(11)   Login OK: ["<< user_name >>"] (from client edouard port 50105 cli
10-65-30-0F-CF-AD via TLS tunnel)

(11) } # server inner-tunnel

(11) Virtual server sending reply

(11) eap_ttls: Got tunneled Access-Accept

(11) eap_ttls: (TLS) cache - Setting up attributes for session resumption

(11) eap_ttls:     caching EAP-Type = TTLS

(11) eap_ttls: Saving session
630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911 in the disk
cache

(11) eap: Sending EAP Success (code 3) ID 5 length 4

(11) eap: Freeing handler

(11)     [eap] = ok

(11)   } # authenticate = ok

(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default

(11)   post-auth {

(11)     update reply {

(11)       Tunnel-type = VLAN

(11)       Tunnel-medium-type = IEEE-802

(11)       Tunnel-Private-Group-Id = 333

(11)     } # update reply = noop

(11)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {

(11)     if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name))  -> FALSE

(11)     update {

(11)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
ClientHello'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
ServerHello'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3
ChangeCipherSpec'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
EncryptedExtensions'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Certificate'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
CertificateVerify'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
Finished'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
Finished'

(11)       &reply::TLS-Cache-Filename += &session-state:TLS-Cache-Filename[*] -> '/var/log/radius/tlscache/630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911.asn1'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.3 Handshake,
NewSessionTicket'

(11)       &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake,
NewSessionTicket'

(11)     } # update = noop

(11)     [exec] = noop

(11)     policy remove_reply_message_if_eap {

(11)       if (&reply:EAP-Message && &reply:Reply-Message) {

(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(11)       else {

(11)         [noop] = noop

(11)       } # else = noop

(11)     } # policy remove_reply_message_if_eap = noop

(11)     if (EAP-Key-Name && &reply:EAP-Session-Id) {

(11)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE

(11)   } # post-auth = noop

(11) Login OK: [anonymous] (from client edouard port 50105 cli
10-65-30-0F-CF-AD)

(11) Sent Access-Accept Id 125 from 10.101.0.20:1812 to 10.100.0.16:1645
length 195

(11)   MS-MPPE-Recv-Key =
0x971459cad430f53406113b465e8c9823c41fc43a70860e1a4e13d42ebb1bb5df

(11)   MS-MPPE-Send-Key =
0x689cf83adf94820be1e34f1507c3856aa88dd9f210d177af62a82344aea19fc9

(11)   EAP-Message = 0x03050004

(11)   Message-Authenticator = 0x00000000000000000000000000000000

(11)   User-Name = "anonymous"

(11)   Tunnel-Type = VLAN

(11)   Tunnel-Medium-Type = IEEE-802

(11)   Tunnel-Private-Group-Id = "333"

(11)   Framed-MTU += 1014

(11) Finished request

Waking up in 3.9 seconds.

(12) Received Accounting-Request Id 79 from 10.100.0.16:1646 to
10.101.0.20:1813 length 229

(12)   Framed-IP-Address = 10.111.0.176

(12)   User-Name = "anonymous"

(12)   Cisco-AVPair = "audit-session-id=0A64001000000151077D98D2"

(12)   Cisco-AVPair = "vlan-id=333"

(12)   Cisco-AVPair = "method=dot1x"

(12)   Called-Station-Id = "1C-1D-86-68-F0-05"

(12)   Calling-Station-Id = "10-65-30-0F-CF-AD"

(12)   NAS-IP-Address = 10.100.0.16

(12)   NAS-Port-Id = "GigabitEthernet0/5"

(12)   NAS-Port-Type = Ethernet

(12)   NAS-Port = 50105

(12)   Acct-Session-Id = "0000007F"

(12)   Acct-Status-Type = Start

(12)   Event-Timestamp = "Jan 23 2023 15:52:04 CET"

(12)   Acct-Delay-Time = 0

(12) # Executing section preacct from file /etc/raddb/sites-enabled/default

(12)   preacct {

(12)     [preprocess] = ok

(12)     policy acct_unique {

(12)       update request {

(12)         &Tmp-String-9 := "ai:"

(12)       } # update request = noop

(12)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {

(12)       EXPAND %{hex:&Class}

(12)          -->

(12)       EXPAND ^%{hex:&Tmp-String-9}

(12)          --> ^61693a

(12)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE

(12)       else {

(12)         update request {

(12)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}

(12)              --> 7fa8680a9de8af271866a0b2a998c629

(12)           &Acct-Unique-Session-Id := 7fa8680a9de8af271866a0b2a998c629

(12)         } # update request = noop

(12)       } # else = noop

(12)       update request {

(12)         &Tmp-String-9 !* ANY

(12)       } # update request = noop

(12)     } # policy acct_unique = noop

(12) suffix: Checking for suffix after "@"

(12) suffix: No '@' in User-Name = "anonymous", looking up realm NULL

(12) suffix: No such realm "NULL"

(12)     [suffix] = noop

(12)     [files] = noop

(12)   } # preacct = ok

(12) # Executing section accounting from file
/etc/raddb/sites-enabled/default

(12)   accounting {

(12) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d

(12) detail:    --> /var/log/radius/radacct/10.100.0.16/detail-20230123

(12) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.100.0.16/detail-20230123

(12) detail: EXPAND %t

(12) detail:    --> Mon Jan 23 15:52:04 2023

(12)     [detail] = ok

(12)     [unix] = ok

(12)     [exec] = noop

(12) attr_filter.accounting_response: EXPAND %{User-Name}

(12) attr_filter.accounting_response:    --> anonymous

(12) attr_filter.accounting_response: Matched entry DEFAULT at line 12

(12)     [attr_filter.accounting_response] = updated

(12)   } # accounting = updated

(12) Sent Accounting-Response Id 79 from 10.101.0.20:1813 to
10.100.0.16:1646 length 20

(12) Finished request

(12) Cleaning up request packet ID 79 with timestamp +259 due to done

Waking up in 2.8 seconds.

(7) Cleaning up request packet ID 121 with timestamp +258 due to
cleanup_delay was reached

(8) Cleaning up request packet ID 122 with timestamp +258 due to
cleanup_delay was reached

(9) Cleaning up request packet ID 123 with timestamp +258 due to
cleanup_delay was reached

(10) Cleaning up request packet ID 124 with timestamp +258 due to
cleanup_delay was reached

(11) Cleaning up request packet ID 125 with timestamp +258 due to
cleanup_delay was reached

Thank you all for your help and advice,

Florent VERCOURT
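The debug output above shows the server sending Certificate and CertificateVerify and then writing the session to the disk cache, which is a full TLS 1.3 handshake rather than a resumption. A quick way to answer "did resumption actually happen?" across a long `radiusd -X` capture is to group the `eap_ttls: (TLS) ... Handshake, ...` lines by request number and check whether the server sent a Certificate message: a TLS 1.3 PSK/ticket resumption omits it. The script below is an added example, not part of the original post or of FreeRADIUS; the log format it parses is the one visible in the post, and request (14) in the sample is a constructed, hypothetical resumed handshake used only to exercise the classifier.

```python
"""Triage a FreeRADIUS `radiusd -X` debug log for EAP-TTLS TLS 1.3 resumption.

Added example (not FreeRADIUS code, not from the original post). It groups
`(N) eap_ttls: (TLS) ...` lines by request number and reports, per request,
whether the server did a full TLS 1.3 handshake (sent Certificate and
CertificateVerify) or a PSK/ticket resumption (handshake completed with no
Certificate sent), plus the session ID it serialised to the cache, if any.
"""
import re
from collections import OrderedDict

# Constructed sample log. Request (11) is the full handshake from the post
# (shortened); request (14) is a hypothetical later request whose handshake
# completed without a Certificate message, i.e. a resumption.
SAMPLE_LOG = """\
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(11) eap_ttls: (TLS) send TLS 1.3 ChangeCipherSpec
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, Certificate
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, CertificateVerify
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(11) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
(11) eap_ttls: Serialising session 630d327a8dd0ab555038688964549f6090d80b50941ec0460f30dc622db74911, and storing in cache
(11) eap_ttls: (TLS) send TLS 1.3 Handshake, NewSessionTicket
(14) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(14) eap_ttls: (TLS) send TLS 1.3 Handshake, ServerHello
(14) eap_ttls: (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(14) eap_ttls: (TLS) send TLS 1.3 Handshake, Finished
(14) eap_ttls: (TLS) recv TLS 1.3 Handshake, Finished
"""

# "(11) eap_ttls: <rest of line>"
LINE_RE = re.compile(r"^\((\d+)\)\s+eap_ttls:\s+(.*)$")
# "(TLS) send TLS 1.3 Handshake, Certificate"
HS_RE = re.compile(r"\(TLS\) (send|recv) TLS 1\.3 Handshake, (\w+)")
# "Serialising session <64 hex chars>, and storing in cache"
SESSION_RE = re.compile(r"Serialising session ([0-9a-f]{64})")


def parse_log(text):
    """Return {request_no: {"sent": [...], "recv": [...], "session": id_or_None}}."""
    reqs = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an eap_ttls line (other modules, wrapped lines, etc.)
        no, body = int(m.group(1)), m.group(2)
        entry = reqs.setdefault(no, {"sent": [], "recv": [], "session": None})
        hs = HS_RE.search(body)
        if hs:
            entry["sent" if hs.group(1) == "send" else "recv"].append(hs.group(2))
        s = SESSION_RE.search(body)
        if s:
            entry["session"] = s.group(1)
    return reqs


def classify(entry):
    """'full' if the server sent a Certificate (or CertificateVerify),
    'resumed' if it reached Finished without one, 'incomplete' otherwise.
    In TLS 1.3 a PSK/ticket resumption carries no server Certificate."""
    sent = entry["sent"]
    if "Finished" not in sent:
        return "incomplete"
    if "Certificate" in sent or "CertificateVerify" in sent:
        return "full"
    return "resumed"


def triage(text):
    """Map each request number to its handshake classification."""
    return {no: classify(e) for no, e in parse_log(text).items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for no, verdict in triage(SAMPLE_LOG).items():
        print(f"({no}) {verdict:10s} session={parsed[no]['session']}")
```

Run it against a real capture with `python3 triage.py < radiusd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; every request classified as `full` is a supplicant that went through the complete EAP-TTLS exchange, which is what the post reports. Note that the post's archived log has some lines wrapped by the mail client; the parser only sees the first physical line of each, so feed it an unwrapped file.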

More information about the Freeradius-Users mailing list