Queue Statistics always showing 0
Ashraf Al-Basti
albasti at gmail.com
Wed Jan 25 06:00:14 UTC 2023
Hi Alan,
Does that mean Freeradius will show 0 in the Queue Statistics in both cases:
Full / Empty? This is what we are getting now.
Is there another way to check if the Queue is full rather than checking the
logs?
Thanks
On Mon, Jan 23, 2023 at 6:39 PM <
freeradius-users-request at lists.freeradius.org> wrote:
> Today's Topics:
>
> 1. Re: Queue Statistics always showing 0 (Alan DeKok)
> 2. FR 3.0.26 and TLS 1.3 (Chris Howley)
> 3. Freeradius-server-3.0.25 docking mariadb error (网络时代)
> 4. Freeradius Google Secure LDAP EAP-GTC issues (Henning Kessler)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jan 2023 08:46:56 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: Queue Statistics always showing 0
> Message-ID: <4F2136FC-DB9C-418B-995D-2C499FF7BD82 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Jan 23, 2023, at 3:24 AM, Ashraf Al-Basti <albasti at gmail.com> wrote:
> > I'm trying to get Freeradius statistics but I can see that the Queue
> > statistics are always 0.
>
> That's a side effect of moving to the faster atomic queues. It's more
> difficult to get accurate stats for the queue length.
>
> Plus, the queue stats are generally meaningless. Either everything is
> OK, and the queue length is zero, or things are going wrong, and the queue
> is full.
>
> There are very, very few situations where the queue is partially full.
>
> Alan DeKok.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Jan 2023 14:18:56 +0000
> From: Chris Howley <C.P.Howley at leeds.ac.uk>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: FR 3.0.26 and TLS 1.3
> Message-ID:
> <
> AS4PR03MB823284ABA3422F7FBDAB898E8EC89 at AS4PR03MB8232.eurprd03.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Support team,
>
> I recently downloaded the FR packages from your CentOS 7 repository, and I
> noticed that the 3.0.26 server was built with OpenSSL 1.0.2k (see below).
> Should the server be built with OpenSSL 1.1.1 to support TLS 1.3? Please
> excuse my ignorance if I've asked a stupid question.
>
> Thanks,
>
> Chris Howley
>
> Mon Jan 23 13:50:17 2023 : Debug: Server was built with:
> Mon Jan 23 13:50:17 2023 : Debug: accounting : yes
> Mon Jan 23 13:50:17 2023 : Debug: authentication : yes
> Mon Jan 23 13:50:17 2023 : Debug: ascend-binary-attributes : yes
> Mon Jan 23 13:50:17 2023 : Debug: coa : yes
> Mon Jan 23 13:50:17 2023 : Debug: control-socket : yes
> Mon Jan 23 13:50:17 2023 : Debug: detail : yes
> Mon Jan 23 13:50:17 2023 : Debug: dhcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: dynamic-clients : yes
> Mon Jan 23 13:50:17 2023 : Debug: osfc2 : no
> Mon Jan 23 13:50:17 2023 : Debug: proxy : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-pcre : yes
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix : no
> Mon Jan 23 13:50:17 2023 : Debug: regex-posix-extended : no
> Mon Jan 23 13:50:17 2023 : Debug: session-management : yes
> Mon Jan 23 13:50:17 2023 : Debug: stats : yes
> Mon Jan 23 13:50:17 2023 : Debug: systemd : yes
> Mon Jan 23 13:50:17 2023 : Debug: tcp : yes
> Mon Jan 23 13:50:17 2023 : Debug: threads : yes
> Mon Jan 23 13:50:17 2023 : Debug: tls : yes
> Mon Jan 23 13:50:17 2023 : Debug: unlang : yes
> Mon Jan 23 13:50:17 2023 : Debug: vmps : yes
> Mon Jan 23 13:50:17 2023 : Debug: developer : no
> Mon Jan 23 13:50:17 2023 : Debug: Server core libs:
> Mon Jan 23 13:50:17 2023 : Debug: freeradius-server : 3.0.26
> Mon Jan 23 13:50:17 2023 : Debug: talloc : 2.1.*
> Mon Jan 23 13:50:17 2023 : Debug: ssl : 1.0.2k
> release
> Mon Jan 23 13:50:17 2023 : Debug: pcre : 8.32
> 2012-11-30
> Mon Jan 23 13:50:17 2023 : Debug: Endianness:
> Mon Jan 23 13:50:17 2023 : Debug: little
> Mon Jan 23 13:50:17 2023 : Debug: Compilation flags:
> Mon Jan 23 13:50:17 2023 : Debug: cppflags :
> Mon Jan 23 13:50:17 2023 : Debug: cflags : -I. -Isrc -include
> src/freeradius-devel/autoconf.h -include src/freeradius-devel/build.h
> -include src/freeradius-devel/featur
> es.h -include src/freeradius-devel/radpaths.h -fno-strict-aliasing
> -Wno-date-time -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector-strong --param=s
> sp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wall -std=c99
> -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
> -DNDEBUG -DIS_MODULE=1
> Mon Jan 23 13:50:17 2023 : Debug: ldflags : -Wl,--build-id
> Mon Jan 23 13:50:17 2023 : Debug: libs : -lcrypto -lssl -ltalloc
> -lpcre -lnsl -lresolv -ldl -lpthread -lreadline
> Mon Jan 23 13:50:17 2023 : Debug:
> Mon Jan 23 13:50:17 2023 : Info: FreeRADIUS Version 3.0.26
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 23 Jan 2023 22:29:20 +0800
> From: "网络时代" <1511815642 at qq.com>
> To: "freeradius-users"
> <freeradius-users at lists.freeradius.org>
> Subject: Freeradius-server-3.0.25 docking mariadb error
> Message-ID: <tencent_7F1BF56F0ABA0721320788A7754655CCA108 at qq.com>
> Content-Type: text/plain; charset="gb18030"
>
> Hello,
> ezhangiso at ezhangiso-virtual-machine:/$ docker exec -it radius-test
> /bin/bash
> root at 4ff809b932fe:/# chgrp -h freerad /etc/freeradius/mods-available/sql
> root at 4ff809b932fe:/# chown -R freerad:freerad
> /etc/freeradius/mods-enabled/sql
> root at 4ff809b932fe:/# vi etc/freeradius/mods-available/sql
> root at 4ff809b932fe:/# vi /etc/freeradius/sites-available/default
> root at 4ff809b932fe:/# vi /etc/freeradius/sites-available/inner-tunnel
> root at 4ff809b932fe:/# vi radiusd.conf
> root at 4ff809b932fe:/# vi /etc/freeradius/radiusd.conf
> root at 4ff809b932fe:/# cat etc/freeradius/mods-available/sql
>
>
> dialect = "mysql"
> driver = "rlm_sql_mysql"
> sqlite {
> filename = "/tmp/freeradius.db"
> busy_timeout = 200
> bootstrap =
> "${modconfdir}/${..:name}/main/sqlite/schema.sql"
> }
>
>
> mysql {
>
> tls_required = no
> tls_check_cert = no
> tls_check_cert_cn = no
> }
> warnings = auto
> }
>
>
> postgresql {
>
>
> send_application_name = yes
> }
>
>
> #
> mongo {
> appname = "freeradius"
>
>
> tls {
> certificate_file = /path/to/file
> certificate_password = "password"
> ca_file = /path/to/file
> ca_dir = /path/to/directory
> crl_file = /path/to/file
> weak_cert_validation = false
> allow_invalid_hostname = false
>
>
> server = "10.0.8.31"
> port = 3306
> login = "radius"
> password = "radius"
>
>
> radius_db = "radius"
> acct_table1 = "radacct"
> acct_table2 = "radacct"
> postauth_table = "radpostauth"
> authcheck_table = "radcheck"
> groupcheck_table = "radgroupcheck"
> authreply_table = "radreply"
> groupreply_table = "radgroupreply"
> usergroup_table = "radusergroup"
>
>
> delete_stale_sessions = yes
>
>
> pool {
> start = ${thread[pool].start_servers}
> min = ${thread[pool].min_spare_servers}
> max = ${thread[pool].max_servers}
> uses = 0
> retry_delay = 30
> lifetime = 0
> idle_timeout = 60
> client_table = "nas"
> group_attribute = "SQL-Group"
> $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
> }
> root at 4ff809b932fe:/# cat /etc/freeradius/radiusd.conf
>
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
>
>
> name = freeradius
>
>
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
>
>
> db_dir = ${raddbdir}
>
>
> libdir = /usr/lib/freeradius
>
>
> pidfile = ${run_dir}/${name}.pid
>
>
> correct_escapes = true
> max_request_time = 30
> cleanup_delay = 5
> hostname_lookups = no
> log {
> destination = files
> colourise = yes
> file = ${logdir}/radius.log
> syslog_facility = daemon
> stripped_names = no
> auth = no
> auth_badpass = no
> auth_goodpass = no
> msg_denied = "You are already logged in - access denied"
> }
> checkrad = ${sbindir}/checkrad
> ENV {
> }
>
>
> security {
> user = freerad
> group = freerad
> allow_core_dumps = no
> max_attributes = 200
> reject_delay = 1
> status_server = yes
> }
>
>
> proxy_requests = yes
> $INCLUDE proxy.conf
> $INCLUDE clients.conf
> thread pool {
> start_servers = 5
> max_servers = 32
> min_spare_servers = 3
> max_spare_servers = 10
> max_requests_per_server = 0
> modules {
> $INCLUDE mods-enabled/sql
>
>
> $INCLUDE mods-enabled/
> }
>
>
> policy {
> $INCLUDE policy.d/
> }
>
>
> $INCLUDE sites-enabled/
>
>
> root at 4ff809b932fe:/# apt install mariadb-client
>
>
> root at 4ff809b932fe:/# mysql -h 10.0.8.31 -uradius -p radius
> Enter password:
> Reading table information for completion of table and column names
> You can turn off this feature to get a quicker startup with -A
>
>
> Welcome to the MariaDB monitor. Commands end with ; or \g.
> Your MariaDB connection id is 3
> Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal mariadb.org binary
> distribution
>
>
> Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
>
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
>
> MariaDB [radius]> show tables;
> +------------------+
> | Tables_in_radius |
> +------------------+
> | nas |
> | radacct |
> | radcheck |
> | radgroupcheck |
> | radgroupreply |
> | radpostauth |
> | radreply |
> | radusergroup |
> +------------------+
> 8 rows in set (0.00 sec)
>
>
> MariaDB [radius]> exit
> Bye
> root at 4ff809b932fe:/# exit
> exit
> ezhangiso at ezhangiso-virtual-machine:/$ docker commit radius-test
> radius-mariadb
> sha256:1b5a68d2c3c3aaf70be72f8dcbfda27a7cf63e7ba448f412b73bd5f0d8aef63b
> ezhangiso at ezhangiso-virtual-machine:/$ docker stop radius-test
> radius-test
> ezhangiso at ezhangiso-virtual-machine:/$ docker run --rm --name myradius -t
> -p1812-1813:1812-1813/udp radius-mariadb -X
> FreeRADIUS Version 3.0.25
> Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License
> For more information about these matters, see the file named COPYRIGHT
> Starting - reading configuration files ...
> including dictionary file /usr/share/freeradius/dictionary
> including dictionary file /usr/share/freeradius/dictionary.dhcp
> including dictionary file /usr/share/freeradius/dictionary.vqp
> including dictionary file /etc/freeradius/dictionary
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including configuration file /etc/freeradius/mods-enabled/sql
> /etc/freeradius/mods-enabled/sql[365]: Reference "${dialect}" not found
> Errors reading or parsing /etc/freeradius/radiusd.conf
> ezhangiso at ezhangiso-virtual-machine:/$
>
>
> Can anyone shed some light on this and point me in the right direction what
> else should I do?
>
> ------------------------------
>
> Message: 4
> Date: Mon, 23 Jan 2023 15:38:42 +0100
> From: Henning Kessler <maillist at henningkessler.de>
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius Google Secure LDAP EAP-GTC issues
> Message-ID: <54ECCD6B-D2B4-4F67-9E5A-89EB44B2EBE3 at henningkessler.de>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> I followed this tutorial (
> https://www.nasirhafeez.com/wp-comments-post.php) for testing purposes
> several times and it worked flawlessly. Several months later I wanted to put
> it in production and it stopped working.
>
> This is my setup: 2 Raspberry PIs with freeradius 3.0.12 (already tried
> the Backport version 3.2.1 as well), Unifi AC HD AccessPoints, and as clients
> macOS and iOS devices (tried macOS versions 11.7 to 13.1). For testing I
> tried an Ubuntu client as well.
>
> Binding to Google LDAP works without any issues (radtest results in
> Access-Accept). I even see that the Radius server sends an "Access-Accept"
> to the clients, but shortly after the client starts another Access-Request
> and that fails with:
>
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x864de94f8144fc95
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
>
> Any idea what is happening here?
>
> Here the full output of a test with freeradius -X
>
> Ready to process requests
> (0) Received Access-Request Id 18 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 253
> (0) User-Name = "klaus.mustermann"
> (0) NAS-IP-Address = 10.100.2.39
> (0) NAS-Identifier = "8283c219e7f9"
> (0) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (0) Connect-Info = "CONNECT 0Mbps 802.11b"
> (0) Acct-Session-Id = "690B866461ACEC60"
> (0) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (0) Mobility-Domain-Id = 46476
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027075
> (0) Framed-MTU = 1400
> (0) EAP-Message = 0x02670015016b6c6175732e6d75737465726d616e6e
> (0) Message-Authenticator = 0x8d4fe3c9b693e2d71ed16670b1d148a8
> (0) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 103 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_ttls to process data
> (0) eap_ttls: (TLS) Initiating new session
> (0) eap: Sending EAP Request (code 1) ID 104 length 6
> (0) eap: EAP session adding &reply:State = 0x33754777331d52c5
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 18 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 64
> (0) EAP-Message = 0x016800061520
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0x33754777331d52c5d9592c39c6f43193
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 19 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 411
> (1) User-Name = "klaus.mustermann"
> (1) NAS-IP-Address = 10.100.2.39
> (1) NAS-Identifier = "8283c219e7f9"
> (1) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Service-Type = Framed-User
> (1) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (1) Connect-Info = "CONNECT 0Mbps 802.11b"
> (1) Acct-Session-Id = "690B866461ACEC60"
> (1) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (1) Mobility-Domain-Id = 46476
> (1) WLAN-Pairwise-Cipher = 1027076
> (1) WLAN-Group-Cipher = 1027076
> (1) WLAN-AKM-Suite = 1027075
> (1) Framed-MTU = 1400
> (1) EAP-Message =
> 0x026800a115800000009716030100920100008e030363ce9a00af0158c4304b8191e349a5c4d7e344c71cf9ceb42fc1dc05eee1d4ea00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
> (1) State = 0x33754777331d52c5d9592c39c6f43193
> (1) Message-Authenticator = 0xaf2835db2d901930a1abf923e81f8d4b
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (1) suffix: No such realm "NULL"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 104 length 161
> (1) eap: Continuing tunnel setup
> (1) [eap] = ok
> (1) } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0x33754777331d52c5
> (1) eap: Finished EAP session with state 0x33754777331d52c5
> (1) eap: Previous EAP request found for state 0x33754777331d52c5, released
> from the list
> (1) eap: Peer sent packet with method EAP TTLS (21)
> (1) eap: Calling submodule eap_ttls to process data
> (1) eap_ttls: Authenticate
> (1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151
> bytes
> (1) eap_ttls: (TLS) EAP Got all data (151 bytes)
> (1) eap_ttls: (TLS) Handshake state - before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
> (1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
> (1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
> (1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write
> server done
> (1) eap_ttls: (TLS) In Handshake Phase
> (1) eap: Sending EAP Request (code 1) ID 105 length 1004
> (1) eap: EAP session adding &reply:State = 0x33754777321c52c5
> (1) [eap] = handled
> (1) } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (1) Challenge { ... } # empty sub-section is ignored
> (1) session-state: Saving cached attributes
> (1) Framed-MTU = 994
> (1) Sent Access-Challenge Id 19 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (1) EAP-Message =
> 0x016903ec15c000001151160303003d02000039030333251bb0257a7e942419ced1c14e2115f3355723303c682158f6d50e662be4da00c030000011ff01000100000b000403000102001700001603030eaf0b000eab000ea800071930820715308204fda0030201020208651e057cf4b3407c300d06092a864886f70d01010b05003081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3233303130323030303030305a170d3235303430353233353935395a3081bb310b3009060355040613024445310f300d0603
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> (1) State = 0x33754777321c52c5d9592c39c6f43193
> (1) Finished request
> Waking up in 4.8 seconds.
> (2) Received Access-Request Id 20 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (2) User-Name = "klaus.mustermann"
> (2) NAS-IP-Address = 10.100.2.39
> (2) NAS-Identifier = "8283c219e7f9"
> (2) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Service-Type = Framed-User
> (2) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (2) Connect-Info = "CONNECT 0Mbps 802.11b"
> (2) Acct-Session-Id = "690B866461ACEC60"
> (2) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (2) Mobility-Domain-Id = 46476
> (2) WLAN-Pairwise-Cipher = 1027076
> (2) WLAN-Group-Cipher = 1027076
> (2) WLAN-AKM-Suite = 1027075
> (2) Framed-MTU = 1400
> (2) EAP-Message = 0x026900061500
> (2) State = 0x33754777321c52c5d9592c39c6f43193
> (2) Message-Authenticator = 0x61c34e69e7f5f253a9fdf8868c0f8826
> (2) Restoring &session-state
> (2) &session-state:Framed-MTU = 994
> (2) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (2) suffix: No such realm "NULL"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 105 length 6
> (2) eap: Continuing tunnel setup
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) authenticate {
> (2) eap: Expiring EAP session with state 0x33754777321c52c5
> (2) eap: Finished EAP session with state 0x33754777321c52c5
> (2) eap: Previous EAP request found for state 0x33754777321c52c5, released
> from the list
> (2) eap: Peer sent packet with method EAP TTLS (21)
> (2) eap: Calling submodule eap_ttls to process data
> (2) eap_ttls: Authenticate
> (2) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (2) eap: Sending EAP Request (code 1) ID 106 length 1004
> (2) eap: EAP session adding &reply:State = 0x33754777311f52c5
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 20 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (2) EAP-Message =
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x33754777311f52c5d9592c39c6f43193
> (2) Finished request
> Waking up in 4.8 seconds.
> (3) Received Access-Request Id 21 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (3) User-Name = "klaus.mustermann"
> (3) NAS-IP-Address = 10.100.2.39
> (3) NAS-Identifier = "8283c219e7f9"
> (3) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Service-Type = Framed-User
> (3) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (3) Connect-Info = "CONNECT 0Mbps 802.11b"
> (3) Acct-Session-Id = "690B866461ACEC60"
> (3) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (3) Mobility-Domain-Id = 46476
> (3) WLAN-Pairwise-Cipher = 1027076
> (3) WLAN-Group-Cipher = 1027076
> (3) WLAN-AKM-Suite = 1027075
> (3) Framed-MTU = 1400
> (3) EAP-Message = 0x026a00061500
> (3) State = 0x33754777311f52c5d9592c39c6f43193
> (3) Message-Authenticator = 0xc8e04779851766a986a21ceea4790d00
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (3) suffix: No such realm "NULL"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 106 length 6
> (3) eap: Continuing tunnel setup
> (3) [eap] = ok
> (3) } # authorize = ok
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x33754777311f52c5
> (3) eap: Finished EAP session with state 0x33754777311f52c5
> (3) eap: Previous EAP request found for state 0x33754777311f52c5, released
> from the list
> (3) eap: Peer sent packet with method EAP TTLS (21)
> (3) eap: Calling submodule eap_ttls to process data
> (3) eap_ttls: Authenticate
> (3) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (3) eap: Sending EAP Request (code 1) ID 107 length 1004
> (3) eap: EAP session adding &reply:State = 0x33754777301e52c5
> (3) [eap] = handled
> (3) } # authenticate = handled
> (3) Using Post-Auth-Type Challenge
> (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (3) Challenge { ... } # empty sub-section is ignored
> (3) session-state: Saving cached attributes
> (3) Framed-MTU = 994
> (3) Sent Access-Challenge Id 21 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (3) EAP-Message =
> 0x016b03ec15c0000011516e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479311b30190603550403131242756464796272616e6420526f6f74204341311f301d06092a864886f70d010901161069744062756464796272616e642e6465301e170d3231303432333131353030305a170d3331303432333131353030305a3081bd310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31183016060355040a130f42756464796272616e6420476d624831293027060355040b132042756464796272616e6420436572746966696361746520417574686f72697479312630240603550403131d42756464796272616e6420496e7465726d656469617465204341203034311f301d06092a864886f70d010901161069744062756464796272616e642e646530820222300d06092a
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> (3) State = 0x33754777301e52c5d9592c39c6f43193
> (3) Finished request
> Waking up in 4.8 seconds.
> (4) Received Access-Request Id 22 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (4) User-Name = "klaus.mustermann"
> (4) NAS-IP-Address = 10.100.2.39
> (4) NAS-Identifier = "8283c219e7f9"
> (4) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Service-Type = Framed-User
> (4) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (4) Connect-Info = "CONNECT 0Mbps 802.11b"
> (4) Acct-Session-Id = "690B866461ACEC60"
> (4) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (4) Mobility-Domain-Id = 46476
> (4) WLAN-Pairwise-Cipher = 1027076
> (4) WLAN-Group-Cipher = 1027076
> (4) WLAN-AKM-Suite = 1027075
> (4) Framed-MTU = 1400
> (4) EAP-Message = 0x026b00061500
> (4) State = 0x33754777301e52c5d9592c39c6f43193
> (4) Message-Authenticator = 0x8ebe69d74f104b81490506fbfd4fcc22
> (4) Restoring &session-state
> (4) &session-state:Framed-MTU = 994
> (4) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (4) suffix: No such realm "NULL"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 107 length 6
> (4) eap: Continuing tunnel setup
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0x33754777301e52c5
> (4) eap: Finished EAP session with state 0x33754777301e52c5
> (4) eap: Previous EAP request found for state 0x33754777301e52c5, released
> from the list
> (4) eap: Peer sent packet with method EAP TTLS (21)
> (4) eap: Calling submodule eap_ttls to process data
> (4) eap_ttls: Authenticate
> (4) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (4) eap: Sending EAP Request (code 1) ID 108 length 1004
> (4) eap: EAP session adding &reply:State = 0x33754777371952c5
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 22 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 1068
> (4) EAP-Message =
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x33754777371952c5d9592c39c6f43193
> (4) Finished request
> Waking up in 4.7 seconds.
> (5) Received Access-Request Id 23 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 256
> (5) User-Name = "klaus.mustermann"
> (5) NAS-IP-Address = 10.100.2.39
> (5) NAS-Identifier = "8283c219e7f9"
> (5) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Service-Type = Framed-User
> (5) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (5) Connect-Info = "CONNECT 0Mbps 802.11b"
> (5) Acct-Session-Id = "690B866461ACEC60"
> (5) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (5) Mobility-Domain-Id = 46476
> (5) WLAN-Pairwise-Cipher = 1027076
> (5) WLAN-Group-Cipher = 1027076
> (5) WLAN-AKM-Suite = 1027075
> (5) Framed-MTU = 1400
> (5) EAP-Message = 0x026c00061500
> (5) State = 0x33754777371952c5d9592c39c6f43193
> (5) Message-Authenticator = 0x2954664567eb90b58df983559fafc7ef
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (5) suffix: No such realm "NULL"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 108 length 6
> (5) eap: Continuing tunnel setup
> (5) [eap] = ok
> (5) } # authorize = ok
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x33754777371952c5
> (5) eap: Finished EAP session with state 0x33754777371952c5
> (5) eap: Previous EAP request found for state 0x33754777371952c5, released
> from the list
> (5) eap: Peer sent packet with method EAP TTLS (21)
> (5) eap: Calling submodule eap_ttls to process data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: (TLS) Peer ACKed our handshake fragment
> (5) eap: Sending EAP Request (code 1) ID 109 length 467
> (5) eap: EAP session adding &reply:State = 0x33754777361852c5
> (5) [eap] = handled
> (5) } # authenticate = handled
> (5) Using Post-Auth-Type Challenge
> (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (5) Challenge { ... } # empty sub-section is ignored
> (5) session-state: Saving cached attributes
> (5) Framed-MTU = 994
> (5) Sent Access-Challenge Id 23 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 527
> (5) EAP-Message =
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> (5) State = 0x33754777361852c5d9592c39c6f43193
> (5) Finished request
> Waking up in 4.7 seconds.
> (6) Received Access-Request Id 24 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 386
> (6) User-Name = "klaus.mustermann"
> (6) NAS-IP-Address = 10.100.2.39
> (6) NAS-Identifier = "8283c219e7f9"
> (6) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (6) NAS-Port-Type = Wireless-802.11
> (6) Service-Type = Framed-User
> (6) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (6) Connect-Info = "CONNECT 0Mbps 802.11b"
> (6) Acct-Session-Id = "690B866461ACEC60"
> (6) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (6) Mobility-Domain-Id = 46476
> (6) WLAN-Pairwise-Cipher = 1027076
> (6) WLAN-Group-Cipher = 1027076
> (6) WLAN-AKM-Suite = 1027075
> (6) Framed-MTU = 1400
> (6) EAP-Message =
> 0x026d008815800000007e16030300461000004241041bdfa74e961e11ce04aae11e59adff899c7e45c93c23a868913c8e6dbc6b61c8c93027484c43331a120609e34bb63d4a01335611c152662eda522aa015747d24140303000101160303002896671043239b41663014b73a88eb2b056a398cc8c31e8c6f1940273f2cc64b884907fe10b3c697de
> (6) State = 0x33754777361852c5d9592c39c6f43193
> (6) Message-Authenticator = 0x02f8f3ac8779506b6dc11ac581eb8a01
> (6) Restoring &session-state
> (6) &session-state:Framed-MTU = 994
> (6) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (6) authorize {
> (6) policy filter_username {
> (6) if (&User-Name) {
> (6) if (&User-Name) -> TRUE
> (6) if (&User-Name) {
> (6) if (&User-Name =~ / /) {
> (6) if (&User-Name =~ / /) -> FALSE
> (6) if (&User-Name =~ /@[^@]*@/ ) {
> (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (6) if (&User-Name =~ /\.\./ ) {
> (6) if (&User-Name =~ /\.\./ ) -> FALSE
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (6) if (&User-Name =~ /\.$/) {
> (6) if (&User-Name =~ /\.$/) -> FALSE
> (6) if (&User-Name =~ /@\./) {
> (6) if (&User-Name =~ /@\./) -> FALSE
> (6) } # if (&User-Name) = notfound
> (6) } # policy filter_username = notfound
> (6) [preprocess] = ok
> (6) [chap] = noop
> (6) [mschap] = noop
> (6) [digest] = noop
> (6) suffix: Checking for suffix after "@"
> (6) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (6) suffix: No such realm "NULL"
> (6) [suffix] = noop
> (6) eap: Peer sent EAP Response (code 2) ID 109 length 136
> (6) eap: Continuing tunnel setup
> (6) [eap] = ok
> (6) } # authorize = ok
> (6) Found Auth-Type = eap
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) authenticate {
> (6) eap: Expiring EAP session with state 0x33754777361852c5
> (6) eap: Finished EAP session with state 0x33754777361852c5
> (6) eap: Previous EAP request found for state 0x33754777361852c5, released
> from the list
> (6) eap: Peer sent packet with method EAP TTLS (21)
> (6) eap: Calling submodule eap_ttls to process data
> (6) eap_ttls: Authenticate
> (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 126
> bytes
> (6) eap_ttls: (TLS) EAP Got all data (126 bytes)
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key
> exchange
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher
> spec
> (6) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
> (6) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher
> spec
> (6) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
> (6) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
> (6) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
> (6) eap_ttls: (TLS) Connection Established
> (6) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) eap_ttls: TLS-Session-Version = "TLS 1.2"
> (6) eap: Sending EAP Request (code 1) ID 110 length 61
> (6) eap: EAP session adding &reply:State = 0x33754777351b52c5
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (6) Challenge { ... } # empty sub-section is ignored
> (6) session-state: Saving cached attributes
> (6) Framed-MTU = 994
> (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (6) TLS-Session-Version = "TLS 1.2"
> (6) Sent Access-Challenge Id 24 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 119
> (6) EAP-Message =
> 0x016e003d1580000000331403030001011603030028c5e315035630988a3b83c13d63026f7f68b51fc4cae498e85bec63a7b3beba6177951acbd7c9e48e
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x33754777351b52c5d9592c39c6f43193
> (6) Finished request
> Waking up in 4.7 seconds.
> (7) Received Access-Request Id 25 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 321
> (7) User-Name = "klaus.mustermann"
> (7) NAS-IP-Address = 10.100.2.39
> (7) NAS-Identifier = "8283c219e7f9"
> (7) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (7) NAS-Port-Type = Wireless-802.11
> (7) Service-Type = Framed-User
> (7) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (7) Connect-Info = "CONNECT 0Mbps 802.11b"
> (7) Acct-Session-Id = "690B866461ACEC60"
> (7) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (7) Mobility-Domain-Id = 46476
> (7) WLAN-Pairwise-Cipher = 1027076
> (7) WLAN-Group-Cipher = 1027076
> (7) WLAN-AKM-Suite = 1027075
> (7) Framed-MTU = 1400
> (7) EAP-Message =
> 0x026e004715800000003d170303003896671043239b4167e00afbeca8b555b120c23769698d81a6b5a879ecc3c8fd3cd740dc135bdef5fcadd7fda6a166609e4d7957502348d9f3
> (7) State = 0x33754777351b52c5d9592c39c6f43193
> (7) Message-Authenticator = 0xa8b841519028def71e27cfef249be756
> (7) Restoring &session-state
> (7) &session-state:Framed-MTU = 994
> (7) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (7) &session-state:TLS-Session-Version = "TLS 1.2"
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [preprocess] = ok
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) [digest] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) eap: Peer sent EAP Response (code 2) ID 110 length 71
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x33754777351b52c5
> (7) eap: Finished EAP session with state 0x33754777351b52c5
> (7) eap: Previous EAP request found for state 0x33754777351b52c5, released
> from the list
> (7) eap: Peer sent packet with method EAP TTLS (21)
> (7) eap: Calling submodule eap_ttls to process data
> (7) eap_ttls: Authenticate
> (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 61
> bytes
> (7) eap_ttls: (TLS) EAP Got all data (61 bytes)
> (7) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (7) eap_ttls: Got tunneled request
> (7) eap_ttls: EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_ttls: Got tunneled identity of klaus.mustermann
> (7) eap_ttls: Setting default EAP type for tunneled EAP session
> (7) eap_ttls: Sending tunneled request
> (7) Virtual server inner-tunnel received request
> (7) EAP-Message = 0x02000015016b6c6175732e6d75737465726d616e6e
> (7) FreeRADIUS-Proxied-To = 127.0.0.1
> (7) User-Name = "klaus.mustermann"
> (7) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (7) server inner-tunnel {
> (7) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authorize {
> (7) policy filter_username {
> (7) if (&User-Name) {
> (7) if (&User-Name) -> TRUE
> (7) if (&User-Name) {
> (7) if (&User-Name =~ / /) {
> (7) if (&User-Name =~ / /) -> FALSE
> (7) if (&User-Name =~ /@[^@]*@/ ) {
> (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (7) if (&User-Name =~ /\.\./ ) {
> (7) if (&User-Name =~ /\.\./ ) -> FALSE
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (7) if (&User-Name =~ /\.$/) {
> (7) if (&User-Name =~ /\.$/) -> FALSE
> (7) if (&User-Name =~ /@\./) {
> (7) if (&User-Name =~ /@\./) -> FALSE
> (7) } # if (&User-Name) = notfound
> (7) } # policy filter_username = notfound
> (7) [chap] = noop
> (7) [mschap] = noop
> (7) suffix: Checking for suffix after "@"
> (7) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (7) suffix: No such realm "NULL"
> (7) [suffix] = noop
> (7) update control {
> (7) &Proxy-To-Realm := LOCAL
> (7) } # update control = noop
> (7) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap: Peer sent packet with method EAP Identity (1)
> (7) eap: Calling submodule eap_gtc to process data
> (7) eap_gtc: EXPAND Password:
> (7) eap_gtc: --> Password:
> (7) eap: Sending EAP Request (code 1) ID 1 length 15
> (7) eap: EAP session adding &reply:State = 0xb4a2b867b4a3bebf
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) } # server inner-tunnel
> (7) Virtual server sending reply
> (7) EAP-Message = 0x0101000f0650617373776f72643a20
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (7) eap_ttls: Got tunneled Access-Challenge
> (7) eap: Sending EAP Request (code 1) ID 111 length 63
> (7) eap: EAP session adding &reply:State = 0x33754777341a52c5
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (7) Challenge { ... } # empty sub-section is ignored
> (7) session-state: Saving cached attributes
> (7) Framed-MTU = 994
> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (7) TLS-Session-Version = "TLS 1.2"
> (7) Sent Access-Challenge Id 25 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 121
> (7) EAP-Message =
> 0x016f003f1580000000351703030030c5e315035630988b4ad830befda4dba2a51fa8f9388f8da63a7ea11b76e432bbb988ecf99f49e2ebe5cd501621aec81b
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x33754777341a52c5d9592c39c6f43193
> (7) Finished request
> Waking up in 4.6 seconds.
> (8) Received Access-Request Id 26 from 10.100.2.39:54686 to
> 10.100.1.65:1812 length 317
> (8) User-Name = "klaus.mustermann"
> (8) NAS-IP-Address = 10.100.2.39
> (8) NAS-Identifier = "8283c219e7f9"
> (8) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (8) NAS-Port-Type = Wireless-802.11
> (8) Service-Type = Framed-User
> (8) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (8) Connect-Info = "CONNECT 0Mbps 802.11b"
> (8) Acct-Session-Id = "690B866461ACEC60"
> (8) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (8) Mobility-Domain-Id = 46476
> (8) WLAN-Pairwise-Cipher = 1027076
> (8) WLAN-Group-Cipher = 1027076
> (8) WLAN-AKM-Suite = 1027075
> (8) Framed-MTU = 1400
> (8) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (8) State = 0x33754777341a52c5d9592c39c6f43193
> (8) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (8) Restoring &session-state
> (8) &session-state:Framed-MTU = 994
> (8) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> (8) &session-state:TLS-Session-Version = "TLS 1.2"
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /@\./) {
> (8) if (&User-Name =~ /@\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [preprocess] = ok
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) [digest] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0x33754777341a52c5
> (8) eap: Previous EAP request found for state 0x33754777341a52c5, released
> from the list
> (8) eap: Peer sent packet with method EAP TTLS (21)
> (8) eap: Calling submodule eap_ttls to process data
> (8) eap_ttls: Authenticate
> (8) eap_ttls: (TLS) EAP Peer says that the final record size will be 57
> bytes
> (8) eap_ttls: (TLS) EAP Got all data (57 bytes)
> (8) eap_ttls: Session established. Proceeding to decode tunneled
> attributes
> (8) eap_ttls: Got tunneled request
> (8) eap_ttls: EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_ttls: Sending tunneled request
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0201001306736167616e382e53697a61626c65
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "klaus.mustermann"
> (8) State = 0xb4a2b867b4a3bebfd5edaac839855c28
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) session-state: No cached attributes
> (8) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /@\./) {
> (8) if (&User-Name =~ /@\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 1 length 19
> (8) eap: No EAP Start, assuming it's an on-going EAP conversation
> (8) [eap] = updated
> (8) [files] = noop
> rlm_ldap (ldap): Reserved connection (0)
> (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap: --> (uid=klaus.mustermann)
> (8) ldap: Performing search in "dc=pretendco,dc=de" with filter
> "(uid=klaus.mustermann)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Processing user attributes
> (8) ldap: WARNING: No "known good" password added. Ensure the admin user
> has permission to read the password attribute
> (8) ldap: WARNING: PAP authentication will *NOT* work with Active
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (0)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) [ldap] = ok
> (8) [expiration] = noop
> (8) [logintime] = noop
> (8) [pap] = noop
> (8) if (User-Password) {
> (8) if (User-Password) -> FALSE
> (8) } # authorize = updated
> (8) Found Auth-Type = eap
> (8) # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Finished EAP session with state 0xb4a2b867b4a3bebf
> (8) eap: Previous EAP request found for state 0xb4a2b867b4a3bebf, released
> from the list
> (8) eap: Peer sent packet with method EAP GTC (6)
> (8) eap: Calling submodule eap_gtc to process data
> (8) eap_gtc: # Executing group from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) eap_gtc: Auth-Type PAP {
> rlm_ldap (ldap): Reserved connection (1)
> (8) ldap: Login attempt by "klaus.mustermann"
> (8) ldap: Using user DN from request "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de"
> (8) ldap: Waiting for bind result...
> (8) ldap: Bind successful
> (8) ldap: Bind as user "uid=klaus.mustermann,ou=Standard
> Mitarbeiter,ou=Mitarbeiter,ou=Users,dc=pretendco,dc=de" was successful
> rlm_ldap (ldap): Released connection (1)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldaps://ldap.google.com:636
> rlm_ldap (ldap): Waiting for bind result...
> ber_get_next failed, errno=11.
> rlm_ldap (ldap): Bind successful
> (8) eap_gtc: [ldap] = ok
> (8) eap_gtc: } # Auth-Type PAP = ok
> (8) eap: Sending EAP Success (code 3) ID 1 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (8) post-auth {
> (8) if (0) {
> (8) if (0) -> FALSE
> (8) } # post-auth = noop
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) EAP-Message = 0x03010004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) eap_ttls: Got tunneled Access-Accept
> (8) eap: Sending EAP Success (code 3) ID 111 length 4
> (8) eap: Freeing handler
> (8) [eap] = ok
> (8) } # authenticate = ok
> (8) # Executing section post-auth from file
> /etc/freeradius/3.0/sites-enabled/default
> (8) post-auth {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) {
> (8) if (session-state:User-Name && reply:User-Name &&
> request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
> (8) update {
> (8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
> (8) &reply::TLS-Session-Cipher-Suite +=
> &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
> (8) &reply::TLS-Session-Version +=
> &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
> (8) } # update = noop
> (8) [exec] = noop
> (8) policy remove_reply_message_if_eap {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) {
> (8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (8) else {
> (8) [noop] = noop
> (8) } # else = noop
> (8) } # policy remove_reply_message_if_eap = noop
> (8) } # post-auth = noop
> (8) Sent Access-Accept Id 26 from 10.100.1.65:1812 to 10.100.2.39:54686
> length 184
> (8) MS-MPPE-Recv-Key =
> 0xeb472d316fdc874c9b4fab09804dffb9627d034a793910ca0f276473f2db3e62
> (8) MS-MPPE-Send-Key =
> 0x3cde6513ea1f92c64ee3d938a85980091ecccdeb288c640f958a8f0d4324af64
> (8) EAP-Message = 0x036f0004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) User-Name = "klaus.mustermann"
> (8) Framed-MTU += 994
> (8) Finished request
> Waking up in 1.1 seconds.
> (9) Received Access-Request Id 26 from 10.100.2.39:38737 to
> 10.100.1.65:1812 length 317
> (9) User-Name = "klaus.mustermann"
> (9) NAS-IP-Address = 10.100.2.39
> (9) NAS-Identifier = "8283c219e7f9"
> (9) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (9) NAS-Port-Type = Wireless-802.11
> (9) Service-Type = Framed-User
> (9) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (9) Connect-Info = "CONNECT 0Mbps 802.11b"
> (9) Acct-Session-Id = "690B866461ACEC60"
> (9) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (9) Mobility-Domain-Id = 46476
> (9) WLAN-Pairwise-Cipher = 1027076
> (9) WLAN-Group-Cipher = 1027076
> (9) WLAN-AKM-Suite = 1027075
> (9) Framed-MTU = 1400
> (9) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (9) State = 0x33754777341a52c5d9592c39c6f43193
> (9) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (9) session-state: No cached attributes
> (9) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (9) authorize {
> (9) policy filter_username {
> (9) if (&User-Name) {
> (9) if (&User-Name) -> TRUE
> (9) if (&User-Name) {
> (9) if (&User-Name =~ / /) {
> (9) if (&User-Name =~ / /) -> FALSE
> (9) if (&User-Name =~ /@[^@]*@/ ) {
> (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (9) if (&User-Name =~ /\.\./ ) {
> (9) if (&User-Name =~ /\.\./ ) -> FALSE
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (9) if (&User-Name =~ /\.$/) {
> (9) if (&User-Name =~ /\.$/) -> FALSE
> (9) if (&User-Name =~ /@\./) {
> (9) if (&User-Name =~ /@\./) -> FALSE
> (9) } # if (&User-Name) = notfound
> (9) } # policy filter_username = notfound
> (9) [preprocess] = ok
> (9) [chap] = noop
> (9) [mschap] = noop
> (9) [digest] = noop
> (9) suffix: Checking for suffix after "@"
> (9) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm NULL
> (9) suffix: No such realm "NULL"
> (9) [suffix] = noop
> (9) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (9) eap: Continuing tunnel setup
> (9) [eap] = ok
> (9) } # authorize = ok
> (9) Found Auth-Type = eap
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) authenticate {
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed in handler
> (9) [eap] = invalid
> (9) } # authenticate = invalid
> (9) Failed to authenticate the user
> (9) Using Post-Auth-Type Reject
> (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (9) Post-Auth-Type REJECT {
> (9) attr_filter.access_reject: EXPAND %{User-Name}
> (9) attr_filter.access_reject: --> klaus.mustermann
> (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (9) [attr_filter.access_reject] = updated
> (9) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (9) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (9) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (9) [eap] = noop
> (9) policy remove_reply_message_if_eap {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) {
> (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (9) else {
> (9) [noop] = noop
> (9) } # else = noop
> (9) } # policy remove_reply_message_if_eap = noop
> (9) } # Post-Auth-Type REJECT = updated
> (9) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (10) Received Access-Request Id 26 from 10.100.2.39:45497 to
> 10.100.1.65:1812 length 317
> (10) User-Name = "klaus.mustermann"
> (10) NAS-IP-Address = 10.100.2.39
> (10) NAS-Identifier = "8283c219e7f9"
> (10) Called-Station-Id = "82-83-C2-19-E7-F9:pretendco_int"
> (10) NAS-Port-Type = Wireless-802.11
> (10) Service-Type = Framed-User
> (10) Calling-Station-Id = "F8-4D-89-6D-CB-AE"
> (10) Connect-Info = "CONNECT 0Mbps 802.11b"
> (10) Acct-Session-Id = "690B866461ACEC60"
> (10) Acct-Multi-Session-Id = "3EA4011978DCDC0A"
> (10) Mobility-Domain-Id = 46476
> (10) WLAN-Pairwise-Cipher = 1027076
> (10) WLAN-Group-Cipher = 1027076
> (10) WLAN-AKM-Suite = 1027075
> (10) Framed-MTU = 1400
> (10) EAP-Message =
> 0x026f0043158000000039170303003496671043239b41683128359379c1a6a7ff944f84eb0b3f626e65ecb31042ebf597e0b5314226e2bcea13a41d6e380c98153d5dd7
> (10) State = 0x33754777341a52c5d9592c39c6f43193
> (10) Message-Authenticator = 0xe468605d47fb0bba1b52f632f0e1589a
> (10) session-state: No cached attributes
> (10) # Executing section authorize from file
> /etc/freeradius/3.0/sites-enabled/default
> (10) authorize {
> (10) policy filter_username {
> (10) if (&User-Name) {
> (10) if (&User-Name) -> TRUE
> (10) if (&User-Name) {
> (10) if (&User-Name =~ / /) {
> (10) if (&User-Name =~ / /) -> FALSE
> (10) if (&User-Name =~ /@[^@]*@/ ) {
> (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (10) if (&User-Name =~ /\.\./ ) {
> (10) if (&User-Name =~ /\.\./ ) -> FALSE
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (10) if (&User-Name =~ /\.$/) {
> (10) if (&User-Name =~ /\.$/) -> FALSE
> (10) if (&User-Name =~ /@\./) {
> (10) if (&User-Name =~ /@\./) -> FALSE
> (10) } # if (&User-Name) = notfound
> (10) } # policy filter_username = notfound
> (10) [preprocess] = ok
> (10) [chap] = noop
> (10) [mschap] = noop
> (10) [digest] = noop
> (10) suffix: Checking for suffix after "@"
> (10) suffix: No '@' in User-Name = "klaus.mustermann", looking up realm
> NULL
> (10) suffix: No such realm "NULL"
> (10) [suffix] = noop
> (10) eap: Peer sent EAP Response (code 2) ID 111 length 67
> (10) eap: Continuing tunnel setup
> (10) [eap] = ok
> (10) } # authorize = ok
> (10) Found Auth-Type = eap
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) authenticate {
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed in handler
> (10) [eap] = invalid
> (10) } # authenticate = invalid
> (10) Failed to authenticate the user
> (10) Using Post-Auth-Type Reject
> (10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (10) Post-Auth-Type REJECT {
> (10) attr_filter.access_reject: EXPAND %{User-Name}
> (10) attr_filter.access_reject: --> klaus.mustermann
> (10) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (10) [attr_filter.access_reject] = updated
> (10) eap: ERROR: rlm_eap (EAP): No EAP session matching state
> 0x33754777341a52c5
> (10) eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> (10) eap: Failed to get handler, probably already removed, not inserting
> EAP-Failure
> (10) [eap] = noop
> (10) policy remove_reply_message_if_eap {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) {
> (10) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (10) else {
> (10) [noop] = noop
> (10) } # else = noop
> (10) } # policy remove_reply_message_if_eap = noop
> (10) } # Post-Auth-Type REJECT = updated
> (10) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.2 seconds.
> (9) Sending delayed response
> (9) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:38737
> length 20
> Waking up in 0.1 seconds.
> (0) Cleaning up request packet ID 18 with timestamp +35 due to
> cleanup_delay was reached
> Waking up in 0.1 seconds.
> (1) Cleaning up request packet ID 19 with timestamp +35 due to
> cleanup_delay was reached
> (2) Cleaning up request packet ID 20 with timestamp +35 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 21 with timestamp +35 due to
> cleanup_delay was reached
> (4) Cleaning up request packet ID 22 with timestamp +35 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 23 with timestamp +35 due to
> cleanup_delay was reached
> (6) Cleaning up request packet ID 24 with timestamp +35 due to
> cleanup_delay was reached
> (7) Cleaning up request packet ID 25 with timestamp +35 due to
> cleanup_delay was reached
> (10) Sending delayed response
> (10) Sent Access-Reject Id 26 from 10.100.1.65:1812 to 10.100.2.39:45497
> length 20
>
> Any idea what I am doing wrong here?
>
> Regards
>
>
> Henning
>
> End of Freeradius-Users Digest, Vol 213, Issue 21
> *************************************************
>
--
Best regards,
Ashraf Al-Basti