Connect users registered on an LDAPS (Azure AD DS with hashed passwords) via a local FreeRADIUS server

Chris Nzengue - dejamobile externe chris.nzengue at dejamobile.com
Mon Mar 13 17:50:58 UTC 2023


Dear Alan DeKok and Alan Buxey

Thank you for your answers.

Message to Alan Buxey:

I can't add "Auth-Type := LDAP" in the authorize section. I tried different ways, but I can only write a syntax like "Auth-Type := LDAP" in the authentication section.
In the authentication section I have this:
        Auth-Type LDAP {
                ldap
        }

Message to Alan DeKok:

I changed my default file and my inner-tunnel file to the default configuration. I also added/checked the eap module in the authorize section. I changed and checked some elements step by step, as recommended.
Unfortunately, my configuration still doesn't work.

My log:

Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54919
Listening on proxy address :: port 33469
Ready to process requests
(0) Received Access-Request Id 60 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269
(0)   User-Name = "chris.nzengue"
(0)   Chargeable-User-Identity = 0x14
(0)   Location-Capable = Civic-Location
(0)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(0)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(0)   NAS-Port = 1
(0)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(0)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(0)   NAS-IP-Address = 192.168.200.20
(0)   NAS-Identifier = "Dejamobile"
(0)   Airespace-Wlan-Id = 1
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1300
(0)   NAS-Port-Type = Wireless-802.11
(0)   EAP-Message = 0x020100120163687269732e6e7a656e677565
(0)   Message-Authenticator = 0x152d6c9151ccc00eda8651079e743f0f
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 18
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x3928d6d2392ac3c4
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 994
(0) Sent Access-Challenge Id 60 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64
(0)   EAP-Message = 0x010200061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x3928d6d2392ac3c470d72d9dc025396c
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 61 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430
(1)   User-Name = "chris.nzengue"
(1)   Chargeable-User-Identity = 0x14
(1)   Location-Capable = Civic-Location
(1)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(1)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(1)   NAS-Port = 1
(1)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(1)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(1)   NAS-IP-Address = 192.168.200.20
(1)   NAS-Identifier = "Dejamobile"
(1)   Airespace-Wlan-Id = 1
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1300
(1)   NAS-Port-Type = Wireless-802.11
(1)   EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f3b217e84d6eb2bb1dc0e3862e4301609d5dd8156ea582ee9e9618ce89200002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(1)   State = 0x3928d6d2392ac3c470d72d9dc025396c
(1)   Message-Authenticator = 0x5e4ed5f1554b77fb9eca516f0b622090
(1) Restoring &session-state
(1)   &session-state:Framed-MTU = 994
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 2 length 161
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x3928d6d2392ac3c4
(1) eap: Finished EAP session with state 0x3928d6d2392ac3c4
(1) eap: Previous EAP request found for state 0x3928d6d2392ac3c4, released from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(1) eap_ttls: (TLS) EAP Got all data (151 bytes)
(1) eap_ttls: (TLS) Handshake state - before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(1) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(1) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(1) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(1) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(1) eap_ttls: (TLS) In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 3 length 1004
(1) eap: EAP session adding &reply:State = 0x3928d6d2382bc3c4
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 994
(1)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(1)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(1)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(1)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(1)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(1) Sent Access-Challenge Id 61 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068
(1)   EAP-Message = 0x010303ec15c0000004b1160303003d0200003903032f11de33c426afb2d9497c86e2a911e6b439474f3cb137da7395b16ee2b50b6f00c030000011ff01000100000b00040300010200170000160303030f0b00030b00030800030530820301308201e9a00302010202140ea85d3ec7ee7aec904f3547480a14d73c892031300d06092a864886f70d01010b050030173115301306035504030c0c726164697573736572766572301e170d3232313131363134303934355a170d3332313131333134303934355a30173115301306035504030c0c72616469757373657276657230820122300d06092a864886f70d01010105000382010f003082010a0282010100adda610f374fc54e2949f1d9a7ba9ad8abf1c24a9773f9ab5fa50b43fefd07a7c61da781fd53b4277cdbe46b9964548a4125a313d4d3df6ee6593fe9dba778843c02dfa1ebceeaf17370dd8604a60085efa9d7b78b0ad571a378b30074bbabef337174fdef87ab30482289f75f3661d0b972299e9aefab
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x3928d6d2382bc3c470d72d9dc025396c
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 62 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275
(2)   User-Name = "chris.nzengue"
(2)   Chargeable-User-Identity = 0x14
(2)   Location-Capable = Civic-Location
(2)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(2)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(2)   NAS-Port = 1
(2)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(2)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(2)   NAS-IP-Address = 192.168.200.20
(2)   NAS-Identifier = "Dejamobile"
(2)   Airespace-Wlan-Id = 1
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message = 0x020300061500
(2)   State = 0x3928d6d2382bc3c470d72d9dc025396c
(2)   Message-Authenticator = 0xf72e4e265499850d5d6421aded843c88
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 994
(2)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0x3928d6d2382bc3c4
(2) eap: Finished EAP session with state 0x3928d6d2382bc3c4
(2) eap: Previous EAP request found for state 0x3928d6d2382bc3c4, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 4 length 217
(2) eap: EAP session adding &reply:State = 0x3928d6d23b2cc3c4
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 994
(2)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 62 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275
(2)   EAP-Message = 0x010400d91580000004b1bf0b7836f57013f68d84f283d18386c495f55bf6aefb9ffe13fa9ec4dc7558c1d64614cbfe1b150c6c5557eca368492d9f0703e9df123c9afa1ad66d2270997a6d9dd2108d864e63548e04e8822559864fa2763023bff6c9482116a090880534024828465510f207f1e82753981e4edfe992d2e34946f371c7b4e9ff950bffe7921daf41e7b35adcd3ed7b38ef2beb6e6c5b5797a3d3e3dcdf5e5935cb22cbbb074171beac78ba5516e39b7028280ceb40c91e5f05209cd8114a47e7c216237261cfbde7bf6b16030300040e000000
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0x3928d6d23b2cc3c470d72d9dc025396c
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 63 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405
(3)   User-Name = "chris.nzengue"
(3)   Chargeable-User-Identity = 0x14
(3)   Location-Capable = Civic-Location
(3)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(3)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(3)   NAS-Port = 1
(3)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(3)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(3)   NAS-IP-Address = 192.168.200.20
(3)   NAS-Identifier = "Dejamobile"
(3)   Airespace-Wlan-Id = 1
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1300
(3)   NAS-Port-Type = Wireless-802.11
(3)   EAP-Message = 0x0204008815800000007e1603030046100000424104533ca32d47edc703e275388f1effbc8eb436405d6aa3738351c3fba56c00973994a438ee6f424fb5509e7f5f9941b6eeec7e1df3979458f10c6214296159cf5914030300010116030300287faf547f2d6fb7d3c55e5be7259a0f1cd3caafd860197082b595fe088774085dc4325485792a77bb
(3)   State = 0x3928d6d23b2cc3c470d72d9dc025396c
(3)   Message-Authenticator = 0x79689f3375c63ab53647785b94456026
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 994
(3)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 136
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0x3928d6d23b2cc3c4
(3) eap: Finished EAP session with state 0x3928d6d23b2cc3c4
(3) eap: Previous EAP request found for state 0x3928d6d23b2cc3c4, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(3) eap_ttls: (TLS) EAP Got all data (126 bytes)
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(3) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(3) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(3) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(3) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(3) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(3) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(3) eap_ttls: (TLS) Connection Established
(3) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(3) eap_ttls:   TLS-Session-Version = "TLS 1.2"
(3) eap: Sending EAP Request (code 1) ID 5 length 61
(3) eap: EAP session adding &reply:State = 0x3928d6d23a2dc3c4
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 994
(3)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(3)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(3)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(3)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(3)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(3)   TLS-Session-Version = "TLS 1.2"
(3) Sent Access-Challenge Id 63 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119
(3)   EAP-Message = 0x0105003d158000000033140303000101160303002860d606d18ea71d16b3c68c4ae06da363a94b18bae53e6c81c1d6858d6f02f6d40be4b094449db2d7
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0x3928d6d23a2dc3c470d72d9dc025396c
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 64 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336
(4)   User-Name = "chris.nzengue"
(4)   Chargeable-User-Identity = 0x14
(4)   Location-Capable = Civic-Location
(4)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(4)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(4)   NAS-Port = 1
(4)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(4)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(4)   NAS-IP-Address = 192.168.200.20
(4)   NAS-Identifier = "Dejamobile"
(4)   Airespace-Wlan-Id = 1
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1300
(4)   NAS-Port-Type = Wireless-802.11
(4)   EAP-Message = 0x0205004315800000003917030300347faf547f2d6fb7d49a7c5eecbf2f091d6fa4b0d4f764f0d8b00b14a40df28858de23dccc5fcc4980690298cf1097a44b39977dcd
(4)   State = 0x3928d6d23a2dc3c470d72d9dc025396c
(4)   Message-Authenticator = 0x7231f57f1ffe824ddc3ef6e4618cda9b
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 994
(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(4)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(4)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4)   &session-state:TLS-Session-Version = "TLS 1.2"
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 5 length 67
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0x3928d6d23a2dc3c4
(4) eap: Finished EAP session with state 0x3928d6d23a2dc3c4
(4) eap: Previous EAP request found for state 0x3928d6d23a2dc3c4, released from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(4) eap_ttls: (TLS) EAP Got all data (57 bytes)
(4) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls:   EAP-Message = 0x020000120163687269732e6e7a656e677565
(4) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Got tunneled identity of chris.nzengue
(4) eap_ttls: Setting default EAP type for tunneled EAP session
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4)   EAP-Message = 0x020000120163687269732e6e7a656e677565
(4)   FreeRADIUS-Proxied-To = 127.0.0.1
(4)   User-Name = "chris.nzengue"
(4) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(4) server inner-tunnel {
(4)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authorize {
(4)       policy filter_username {
(4)         if (&User-Name) {
(4)         if (&User-Name)  -> TRUE
(4)         if (&User-Name)  {
(4)           if (&User-Name =~ / /) {
(4)           if (&User-Name =~ / /)  -> FALSE
(4)           if (&User-Name =~ /@[^@]*@/ ) {
(4)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)           if (&User-Name =~ /\.\./ ) {
(4)           if (&User-Name =~ /\.\./ )  -> FALSE
(4)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)           if (&User-Name =~ /\.$/)  {
(4)           if (&User-Name =~ /\.$/)   -> FALSE
(4)           if (&User-Name =~ /@\./)  {
(4)           if (&User-Name =~ /@\./)   -> FALSE
(4)         } # if (&User-Name)  = notfound
(4)       } # policy filter_username = notfound
(4)       [chap] = noop
(4)       [mschap] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)       [suffix] = noop
(4)       update control {
(4)         &Proxy-To-Realm := LOCAL
(4)       } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 0 length 18
(4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(4)       [eap] = ok
(4)     } # authorize = ok
(4)   Found Auth-Type = eap
(4)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authenticate {
(4) eap: Peer sent packet with method EAP Identity (1)
(4) eap: Calling submodule eap_md5 to process data
(4) eap_md5: Issuing MD5 Challenge
(4) eap: Sending EAP Request (code 1) ID 1 length 22
(4) eap: EAP session adding &reply:State = 0x106ef3d5106ff7e6
(4)       [eap] = handled
(4)     } # authenticate = handled
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4)   EAP-Message = 0x010100160410a7b40954aa2a2708b16d9fcb7ef44fc8
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x106ef3d5106ff7e6264667ace5f7b4d2
(4) eap_ttls: Got tunneled Access-Challenge
(4) eap: Sending EAP Request (code 1) ID 6 length 71
(4) eap: EAP session adding &reply:State = 0x3928d6d23d2ec3c4
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 994
(4)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(4)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(4)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(4)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 64 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129
(4)   EAP-Message = 0x0106004715800000003d170303003860d606d18ea71d17d954a1cc464eeb9c3042d45f159a59b49ae258e5511653994c15478a525d0883f7bf3a4cbf95ab1215fe9b9d3a4dbcd3
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0x3928d6d23d2ec3c470d72d9dc025396c
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 65 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352
(5)   User-Name = "chris.nzengue"
(5)   Chargeable-User-Identity = 0x14
(5)   Location-Capable = Civic-Location
(5)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(5)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(5)   NAS-Port = 1
(5)   Cisco-AVPair = "audit-session-id=14c8a8c000008a27065f0f64"
(5)   Acct-Session-Id = "640f5efa/98:5a:eb:8e:1c:5c/36015"
(5)   NAS-IP-Address = 192.168.200.20
(5)   NAS-Identifier = "Dejamobile"
(5)   Airespace-Wlan-Id = 1
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1300
(5)   NAS-Port-Type = Wireless-802.11
(5)   EAP-Message = 0x0206005315800000004917030300447faf547f2d6fb7d5abcaaf1c210b8e0187dbcb790c3e36ba59060260fad4e263465a94afa3ccef5d7e76f84d6f46d3d30998f3c80c52a22e54de4e5c2a807294a4aca3db
(5)   State = 0x3928d6d23d2ec3c470d72d9dc025396c
(5)   Message-Authenticator = 0xa69f949d8589b0539d6e70fbcc826bc6
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(5)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(5)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 6 length 83
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6
(5) eap: Finished EAP session with state 0x3928d6d23d2ec3c4
(5) eap: Previous EAP request found for state 0x3928d6d23d2ec3c4, released from the list
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes
(5) eap_ttls: (TLS) EAP Got all data (73 bytes)
(5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls:   EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565
(5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Sending tunneled request
(5) Virtual server inner-tunnel received request
(5)   EAP-Message = 0x020100230410400fe50041a6197c7046c3839f170c2e63687269732e6e7a656e677565
(5)   FreeRADIUS-Proxied-To = 127.0.0.1
(5)   User-Name = "chris.nzengue"
(5)   State = 0x106ef3d5106ff7e6264667ace5f7b4d2
(5) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(5) server inner-tunnel {
(5)   session-state: No cached attributes
(5)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authorize {
(5)       policy filter_username {
(5)         if (&User-Name) {
(5)         if (&User-Name)  -> TRUE
(5)         if (&User-Name)  {
(5)           if (&User-Name =~ / /) {
(5)           if (&User-Name =~ / /)  -> FALSE
(5)           if (&User-Name =~ /@[^@]*@/ ) {
(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)           if (&User-Name =~ /\.\./ ) {
(5)           if (&User-Name =~ /\.\./ )  -> FALSE
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)           if (&User-Name =~ /\.$/)  {
(5)           if (&User-Name =~ /\.$/)   -> FALSE
(5)           if (&User-Name =~ /@\./)  {
(5)           if (&User-Name =~ /@\./)   -> FALSE
(5)         } # if (&User-Name)  = notfound
(5)       } # policy filter_username = notfound
(5)       [chap] = noop
(5)       [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)       [suffix] = noop
(5)       update control {
(5)         &Proxy-To-Realm := LOCAL
(5)       } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 1 length 35
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5)       [eap] = updated
(5) files: Searching for user in group "AADDC Users"
rlm_ldap (ldap): Reserved connection (0)
(5) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(5) files:    --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(5) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(5) files: Waiting for search result...
(5) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(5) files: Checking user object's memberOf attributes
(5) files:   Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files:   Waiting for search result...
(5) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files:   Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files:   Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files:   Waiting for search result...
(5) files:   Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO"
(5) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files:   Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files:   Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files:   Waiting for search result...
(5) files:   Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam"
(5) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(5) files:   Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(5) files:   Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(5) files:   Waiting for search result...
(5) files:   Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur"
rlm_ldap (ldap): Released connection (0)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(5) files: User is not a member of "AADDC Users"
(5)       [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(5) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(5) ldap:    --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(5) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(5) ldap: Waiting for search result...
(5) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(5) ldap: Processing user attributes
(5) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(5) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (1)
(5)       [ldap] = ok
(5)       [expiration] = noop
(5)       [logintime] = noop
(5)       [pap] = noop
(5)     } # authorize = updated
(5)   Found Auth-Type = eap
(5)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authenticate {
(5) eap: Expiring EAP session with state 0x106ef3d5106ff7e6
(5) eap: Finished EAP session with state 0x106ef3d5106ff7e6
(5) eap: Previous EAP request found for state 0x106ef3d5106ff7e6, released from the list
(5) eap: Peer sent packet with method EAP MD5 (4)
(5) eap: Calling submodule eap_md5 to process data
(5) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(5) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 1 length 4
(5) eap: Failed in EAP select
(5)       [eap] = invalid
(5)     } # authenticate = invalid
(5)   Failed to authenticate the user
(5)   Using Post-Auth-Type Reject
(5)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> chris.nzengue
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)       [attr_filter.access_reject] = updated
(5)       update outer.session-state {
(5)         &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(5)       } # update outer.session-state = noop
(5)     } # Post-Auth-Type REJECT = updated
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5)   EAP-Message = 0x04010004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_ttls: Got tunneled Access-Reject
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 6 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> chris.nzengue
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 65 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44
(5)   EAP-Message = 0x04060004
(5)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(0) Cleaning up request packet ID 60 with timestamp +22 due to cleanup_delay was reached
(1) Cleaning up request packet ID 61 with timestamp +22 due to cleanup_delay was reached
(2) Cleaning up request packet ID 62 with timestamp +22 due to cleanup_delay was reached
(3) Cleaning up request packet ID 63 with timestamp +22 due to cleanup_delay was reached
(4) Cleaning up request packet ID 64 with timestamp +22 due to cleanup_delay was reached
Waking up in 0.2 seconds.
(5) Cleaning up request packet ID 65 with timestamp +22 due to cleanup_delay was reached
Ready to process requests
(6) Received Access-Request Id 66 from 192.168.200.20:51098 to 192.168.10.124:1812 length 269
(6)   User-Name = "chris.nzengue"
(6)   Chargeable-User-Identity = 0x14
(6)   Location-Capable = Civic-Location
(6)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(6)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(6)   NAS-Port = 1
(6)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(6)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(6)   NAS-IP-Address = 192.168.200.20
(6)   NAS-Identifier = "Dejamobile"
(6)   Airespace-Wlan-Id = 1
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1300
(6)   NAS-Port-Type = Wireless-802.11
(6)   EAP-Message = 0x020100120163687269732e6e7a656e677565
(6)   Message-Authenticator = 0x04716ca8efc66c87deb829afd564835e
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 1 length 18
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: (TLS) Initiating new session
(6) eap: Sending EAP Request (code 1) ID 2 length 6
(6) eap: EAP session adding &reply:State = 0xb06a93a4b06886f8
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   Framed-MTU = 994
(6) Sent Access-Challenge Id 66 from 192.168.10.124:1812 to 192.168.200.20:51098 length 64
(6)   EAP-Message = 0x010200061520
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xb06a93a4b06886f8af54277185111954
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 67 from 192.168.200.20:51098 to 192.168.10.124:1812 length 430
(7)   User-Name = "chris.nzengue"
(7)   Chargeable-User-Identity = 0x14
(7)   Location-Capable = Civic-Location
(7)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(7)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(7)   NAS-Port = 1
(7)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(7)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(7)   NAS-IP-Address = 192.168.200.20
(7)   NAS-Identifier = "Dejamobile"
(7)   Airespace-Wlan-Id = 1
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1300
(7)   NAS-Port-Type = Wireless-802.11
(7)   EAP-Message = 0x020200a115800000009716030100920100008e0303640f5f507ddda497f89309a6801f714fc625ee51897918a136b390ed62ba730300002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(7)   State = 0xb06a93a4b06886f8af54277185111954
(7)   Message-Authenticator = 0xc24227a2378efffbc3b1075a04b6469a
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 2 length 161
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xb06a93a4b06886f8
(7) eap: Finished EAP session with state 0xb06a93a4b06886f8
(7) eap: Previous EAP request found for state 0xb06a93a4b06886f8, released from the list
(7) eap: Peer sent packet with method EAP TTLS (21)
(7) eap: Calling submodule eap_ttls to process data
(7) eap_ttls: Authenticate
(7) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
(7) eap_ttls: (TLS) EAP Got all data (151 bytes)
(7) eap_ttls: (TLS) Handshake state - before SSL initialization
(7) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(7) eap_ttls: (TLS) Handshake state - Server before SSL initialization
(7) eap_ttls: (TLS) recv TLS 1.3 Handshake, ClientHello
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHello
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, Certificate
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(7) eap_ttls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(7) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(7) eap_ttls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(7) eap_ttls: (TLS) In Handshake Phase
(7) eap: Sending EAP Request (code 1) ID 3 length 1004
(7) eap: EAP session adding &reply:State = 0xb06a93a4b16986f8
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   Framed-MTU = 994
(7)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7) Sent Access-Challenge Id 67 from 192.168.10.124:1812 to 192.168.200.20:51098 length 1068
(7)   EAP-Message =
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xb06a93a4b16986f8af54277185111954
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 68 from 192.168.200.20:51098 to 192.168.10.124:1812 length 275
(8)   User-Name = "chris.nzengue"
(8)   Chargeable-User-Identity = 0x14
(8)   Location-Capable = Civic-Location
(8)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(8)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(8)   NAS-Port = 1
(8)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(8)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(8)   NAS-IP-Address = 192.168.200.20
(8)   NAS-Identifier = "Dejamobile"
(8)   Airespace-Wlan-Id = 1
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1300
(8)   NAS-Port-Type = Wireless-802.11
(8)   EAP-Message = 0x020300061500
(8)   State = 0xb06a93a4b16986f8af54277185111954
(8)   Message-Authenticator = 0x0aa15d8721da3796d573e74f7cb9d80a
(8) Restoring &session-state
(8)   &session-state:Framed-MTU = 994
(8)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(8)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(8)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(8)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 3 length 6
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xb06a93a4b16986f8
(8) eap: Finished EAP session with state 0xb06a93a4b16986f8
(8) eap: Previous EAP request found for state 0xb06a93a4b16986f8, released from the list
(8) eap: Peer sent packet with method EAP TTLS (21)
(8) eap: Calling submodule eap_ttls to process data
(8) eap_ttls: Authenticate
(8) eap_ttls: (TLS) Peer ACKed our handshake fragment
(8) eap: Sending EAP Request (code 1) ID 4 length 217
(8) eap: EAP session adding &reply:State = 0xb06a93a4b26e86f8
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   Framed-MTU = 994
(8)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(8)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(8)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(8)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(8)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(8) Sent Access-Challenge Id 68 from 192.168.10.124:1812 to 192.168.200.20:51098 length 275
(8)   EAP-Message = 0x010400d91580000004b10097f501404446d75765f353e00ba11a38c9d8b03b8130c97ab3f461a973c837c7278ca05260132dc7ffc2d9c69d6278f4caec292bbf3aff547982a6b646b89840697c34aea050230143a6f341d6e4f77d711e272bc2e5ba7f44ea03b6b7c479aa6c67a5be51d58da3f67d07e01d59ca0f334c88390e756a0c203664a2f49a9669863b039ae7aa5358457baf93418877a8fabc3f4441c6453431c6d573e831809067d2470dcbfa6812a24a9e445579080900d3582d14ad2eb69fcbadfae89ee4884679ac77d716030300040e000000
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xb06a93a4b26e86f8af54277185111954
(8) Finished request
Waking up in 4.9 seconds.
(9) Received Access-Request Id 69 from 192.168.200.20:51098 to 192.168.10.124:1812 length 405
(9)   User-Name = "chris.nzengue"
(9)   Chargeable-User-Identity = 0x14
(9)   Location-Capable = Civic-Location
(9)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(9)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(9)   NAS-Port = 1
(9)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(9)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(9)   NAS-IP-Address = 192.168.200.20
(9)   NAS-Identifier = "Dejamobile"
(9)   Airespace-Wlan-Id = 1
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1300
(9)   NAS-Port-Type = Wireless-802.11
(9)   EAP-Message = 0x0204008815800000007e1603030046100000424104bcb05e9ba5ebc01969e6451ca2dd8ad3047d264fb49a0aaae1334245f3ee007cd0571e406182d4db73c00ef12beaecdfeeed8ba828f08f1da11b3823a09027061403030001011603030028055c825a7cda76658bf919b822b00a85ba2962186168f0200f034e6a59d44623e1dcb6961e119655
(9)   State = 0xb06a93a4b26e86f8af54277185111954
(9)   Message-Authenticator = 0xd05333313b7f97d9f662c7176758ee93
(9) Restoring &session-state
(9)   &session-state:Framed-MTU = 994
(9)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(9)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 4 length 136
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xb06a93a4b26e86f8
(9) eap: Finished EAP session with state 0xb06a93a4b26e86f8
(9) eap: Previous EAP request found for state 0xb06a93a4b26e86f8, released from the list
(9) eap: Peer sent packet with method EAP TTLS (21)
(9) eap: Calling submodule eap_ttls to process data
(9) eap_ttls: Authenticate
(9) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
(9) eap_ttls: (TLS) EAP Got all data (126 bytes)
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write server done
(9) eap_ttls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(9) eap_ttls: (TLS) recv TLS 1.2 Handshake, Finished
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS read finished
(9) eap_ttls: (TLS) send TLS 1.2 ChangeCipherSpec
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(9) eap_ttls: (TLS) send TLS 1.2 Handshake, Finished
(9) eap_ttls: (TLS) Handshake state - Server SSLv3/TLS write finished
(9) eap_ttls: (TLS) Handshake state - SSL negotiation finished successfully
(9) eap_ttls: (TLS) Connection Established
(9) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) eap_ttls:   TLS-Session-Version = "TLS 1.2"
(9) eap: Sending EAP Request (code 1) ID 5 length 61
(9) eap: EAP session adding &reply:State = 0xb06a93a4b36f86f8
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(9)   Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9)   Framed-MTU = 994
(9)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(9)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(9)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(9)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(9)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9)   TLS-Session-Version = "TLS 1.2"
(9) Sent Access-Challenge Id 69 from 192.168.10.124:1812 to 192.168.200.20:51098 length 119
(9)   EAP-Message = 0x0105003d1580000000331403030001011603030028d24fc42abd6c93595bca05ae4f609d15cc9e9d1390c6ebadf69d8306c02f665f730329bbc16fba9b
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0xb06a93a4b36f86f8af54277185111954
(9) Finished request
Waking up in 4.9 seconds.
(10) Received Access-Request Id 70 from 192.168.200.20:51098 to 192.168.10.124:1812 length 336
(10)   User-Name = "chris.nzengue"
(10)   Chargeable-User-Identity = 0x14
(10)   Location-Capable = Civic-Location
(10)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(10)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(10)   NAS-Port = 1
(10)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(10)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(10)   NAS-IP-Address = 192.168.200.20
(10)   NAS-Identifier = "Dejamobile"
(10)   Airespace-Wlan-Id = 1
(10)   Service-Type = Framed-User
(10)   Framed-MTU = 1300
(10)   NAS-Port-Type = Wireless-802.11
(10)   EAP-Message = 0x020500431580000000391703030034055c825a7cda7666218232272050e9269e4ece33975dec65f19718088ca239cb67788e727536ddf614279eaea1b61c1441a4726b
(10)   State = 0xb06a93a4b36f86f8af54277185111954
(10)   Message-Authenticator = 0xb6621b928cfd197b4a86cdad6c58c6f9
(10) Restoring &session-state
(10)   &session-state:Framed-MTU = 994
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10)   &session-state:TLS-Session-Version = "TLS 1.2"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 5 length 67
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0xb06a93a4b36f86f8
(10) eap: Finished EAP session with state 0xb06a93a4b36f86f8
(10) eap: Previous EAP request found for state 0xb06a93a4b36f86f8, released from the list
(10) eap: Peer sent packet with method EAP TTLS (21)
(10) eap: Calling submodule eap_ttls to process data
(10) eap_ttls: Authenticate
(10) eap_ttls: (TLS) EAP Peer says that the final record size will be 57 bytes
(10) eap_ttls: (TLS) EAP Got all data (57 bytes)
(10) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(10) eap_ttls: Got tunneled request
(10) eap_ttls:   EAP-Message = 0x020000120163687269732e6e7a656e677565
(10) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_ttls: Got tunneled identity of chris.nzengue
(10) eap_ttls: Setting default EAP type for tunneled EAP session
(10) eap_ttls: Sending tunneled request
(10) Virtual server inner-tunnel received request
(10)   EAP-Message = 0x020000120163687269732e6e7a656e677565
(10)   FreeRADIUS-Proxied-To = 127.0.0.1
(10)   User-Name = "chris.nzengue"
(10) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(10) server inner-tunnel {
(10)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authorize {
(10)       policy filter_username {
(10)         if (&User-Name) {
(10)         if (&User-Name)  -> TRUE
(10)         if (&User-Name)  {
(10)           if (&User-Name =~ / /) {
(10)           if (&User-Name =~ / /)  -> FALSE
(10)           if (&User-Name =~ /@[^@]*@/ ) {
(10)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)           if (&User-Name =~ /\.\./ ) {
(10)           if (&User-Name =~ /\.\./ )  -> FALSE
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)           if (&User-Name =~ /\.$/)  {
(10)           if (&User-Name =~ /\.$/)   -> FALSE
(10)           if (&User-Name =~ /@\./)  {
(10)           if (&User-Name =~ /@\./)   -> FALSE
(10)         } # if (&User-Name)  = notfound
(10)       } # policy filter_username = notfound
(10)       [chap] = noop
(10)       [mschap] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)       [suffix] = noop
(10)       update control {
(10)         &Proxy-To-Realm := LOCAL
(10)       } # update control = noop
(10) eap: Peer sent EAP Response (code 2) ID 0 length 18
(10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(10)       [eap] = ok
(10)     } # authorize = ok
(10)   Found Auth-Type = eap
(10)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(10)     authenticate {
(10) eap: Peer sent packet with method EAP Identity (1)
(10) eap: Calling submodule eap_md5 to process data
(10) eap_md5: Issuing MD5 Challenge
(10) eap: Sending EAP Request (code 1) ID 1 length 22
(10) eap: EAP session adding &reply:State = 0x4402aae04403aead
(10)       [eap] = handled
(10)     } # authenticate = handled
(10) } # server inner-tunnel
(10) Virtual server sending reply
(10)   EAP-Message = 0x0101001604102159bde60b2e60420dd98342dac2e574
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   State = 0x4402aae04403aead50a58e9ebcef6551
(10) eap_ttls: Got tunneled Access-Challenge
(10) eap: Sending EAP Request (code 1) ID 6 length 71
(10) eap: EAP session adding &reply:State = 0xb06a93a4b46c86f8
(10)     [eap] = handled
(10)   } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(10)   Challenge { ... } # empty sub-section is ignored
(10) session-state: Saving cached attributes
(10)   Framed-MTU = 994
(10)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(10)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(10)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(10)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(10)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(10)   TLS-Session-Version = "TLS 1.2"
(10) Sent Access-Challenge Id 70 from 192.168.10.124:1812 to 192.168.200.20:51098 length 129
(10)   EAP-Message = 0x0106004715800000003d1703030038d24fc42abd6c935a2809ce7be46cc5d28f9e549f3edb4ca54df04a5f174a5c1cdd6f37b0d9fbc84103a89bdcdfb38565a66a5bc2dfb19654
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   State = 0xb06a93a4b46c86f8af54277185111954
(10) Finished request
Waking up in 4.9 seconds.
(11) Received Access-Request Id 71 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352
(11)   User-Name = "chris.nzengue"
(11)   Chargeable-User-Identity = 0x14
(11)   Location-Capable = Civic-Location
(11)   Calling-Station-Id = "98-5a-eb-8e-1c-5c"
(11)   Called-Station-Id = "00-fc-ba-e1-8f-a0:radius_test"
(11)   NAS-Port = 1
(11)   Cisco-AVPair = "audit-session-id=14c8a8c000008a29505f0f64"
(11)   Acct-Session-Id = "640f5f48/98:5a:eb:8e:1c:5c/36017"
(11)   NAS-IP-Address = 192.168.200.20
(11)   NAS-Identifier = "Dejamobile"
(11)   Airespace-Wlan-Id = 1
(11)   Service-Type = Framed-User
(11)   Framed-MTU = 1300
(11)   NAS-Port-Type = Wireless-802.11
(11)   EAP-Message = 0x020600531580000000491703030044055c825a7cda7667c7154a803cd94615441be6ab0d2222f75f36d997c204e0545d45ab5925417126f12750a01296cd1c296d4dc91bf7d63e7573fa858f504a3c9b0fdf50
(11)   State = 0xb06a93a4b46c86f8af54277185111954
(11)   Message-Authenticator = 0xbc7275f34cf240da340a2c24f6b95a75
(11) Restoring &session-state
(11)   &session-state:Framed-MTU = 994
(11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(11)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11)   &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11)   authorize {
(11)     policy filter_username {
(11)       if (&User-Name) {
(11)       if (&User-Name)  -> TRUE
(11)       if (&User-Name)  {
(11)         if (&User-Name =~ / /) {
(11)         if (&User-Name =~ / /)  -> FALSE
(11)         if (&User-Name =~ /@[^@]*@/ ) {
(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)         if (&User-Name =~ /\.\./ ) {
(11)         if (&User-Name =~ /\.\./ )  -> FALSE
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11)         if (&User-Name =~ /\.$/)  {
(11)         if (&User-Name =~ /\.$/)   -> FALSE
(11)         if (&User-Name =~ /@\./)  {
(11)         if (&User-Name =~ /@\./)   -> FALSE
(11)       } # if (&User-Name)  = notfound
(11)     } # policy filter_username = notfound
(11)     [preprocess] = ok
(11)     [chap] = noop
(11)     [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 6 length 83
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0x4402aae04403aead
(11) eap: Finished EAP session with state 0xb06a93a4b46c86f8
(11) eap: Previous EAP request found for state 0xb06a93a4b46c86f8, released from the list
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) eap: Calling submodule eap_ttls to process data
(11) eap_ttls: Authenticate
(11) eap_ttls: (TLS) EAP Peer says that the final record size will be 73 bytes
(11) eap_ttls: (TLS) EAP Got all data (73 bytes)
(11) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(11) eap_ttls: Got tunneled request
(11) eap_ttls:   EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565
(11) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(11) eap_ttls: Sending tunneled request
(11) Virtual server inner-tunnel received request
(11)   EAP-Message = 0x020100230410c7fd95c7eb515678451ac8a352b9078363687269732e6e7a656e677565
(11)   FreeRADIUS-Proxied-To = 127.0.0.1
(11)   User-Name = "chris.nzengue"
(11)   State = 0x4402aae04403aead50a58e9ebcef6551
(11) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(11) server inner-tunnel {
(11)   session-state: No cached attributes
(11)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11)     authorize {
(11)       policy filter_username {
(11)         if (&User-Name) {
(11)         if (&User-Name)  -> TRUE
(11)         if (&User-Name)  {
(11)           if (&User-Name =~ / /) {
(11)           if (&User-Name =~ / /)  -> FALSE
(11)           if (&User-Name =~ /@[^@]*@/ ) {
(11)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)           if (&User-Name =~ /\.\./ ) {
(11)           if (&User-Name =~ /\.\./ )  -> FALSE
(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11)           if (&User-Name =~ /\.$/)  {
(11)           if (&User-Name =~ /\.$/)   -> FALSE
(11)           if (&User-Name =~ /@\./)  {
(11)           if (&User-Name =~ /@\./)   -> FALSE
(11)         } # if (&User-Name)  = notfound
(11)       } # policy filter_username = notfound
(11)       [chap] = noop
(11)       [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "chris.nzengue", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)       [suffix] = noop
(11)       update control {
(11)         &Proxy-To-Realm := LOCAL
(11)       } # update control = noop
(11) eap: Peer sent EAP Response (code 2) ID 1 length 35
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11)       [eap] = updated
(11) files: Searching for user in group "AADDC Users"
rlm_ldap (ldap): Reserved connection (2)
(11) files: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(11) files:    --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(11) files: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(11) files: Waiting for search result...
(11) files: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(11) files: Checking user object's memberOf attributes
(11) files:   Performing unfiltered search in "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files:   Waiting for search result...
(11) files: Processing memberOf value "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files:   Resolving group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files:   Performing unfiltered search in "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files:   Waiting for search result...
(11) files:   Group DN "CN=SSL_VPN_SSO,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "SSL_VPN_SSO"
(11) files: Processing memberOf value "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files:   Resolving group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files:   Performing unfiltered search in "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files:   Waiting for search result...
(11) files:   Group DN "CN=DejaTeam,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "DejaTeam"
(11) files: Processing memberOf value "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" as a DN
(11) files:   Resolving group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" to group name
(11) files:   Performing unfiltered search in "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com", scope "base"
(11) files:   Waiting for search result...
(11) files:   Group DN "CN=deja-developpeur,OU=AADDC Users,DC=dejamobile,DC=com" resolves to name "deja-developpeur"
rlm_ldap (ldap): Released connection (2)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
rlm_ldap (ldap): Connecting to ldaps://aadds.dejamobile.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(11) files: User is not a member of "AADDC Users"
(11)       [files] = noop
rlm_ldap (ldap): Reserved connection (3)
(11) ldap: EXPAND (&(objectClass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))
(11) ldap:    --> (&(objectClass=user)(sAMAccountName=chris.nzengue))
(11) ldap: Performing search in "ou=AADDC Users,dc=dejamobile,dc=com" with filter "(&(objectClass=user)(sAMAccountName=chris.nzengue))", scope "sub"
(11) ldap: Waiting for search result...
(11) ldap: User object found at DN "CN=Chris Nzengue - dejamobile externe,OU=AADDC Users,DC=dejamobile,DC=com"
(11) ldap: Processing user attributes
(11) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(11) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (3)
(11)       [ldap] = ok
(11)       [expiration] = noop
(11)       [logintime] = noop
(11)       [pap] = noop
(11)     } # authorize = updated
(11)   Found Auth-Type = eap
(11)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11)     authenticate {
(11) eap: Expiring EAP session with state 0x4402aae04403aead
(11) eap: Finished EAP session with state 0x4402aae04403aead
(11) eap: Previous EAP request found for state 0x4402aae04403aead, released from the list
(11) eap: Peer sent packet with method EAP MD5 (4)
(11) eap: Calling submodule eap_md5 to process data
(11) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(11) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 1 length 4
(11) eap: Failed in EAP select
(11)       [eap] = invalid
(11)     } # authenticate = invalid
(11)   Failed to authenticate the user
(11)   Using Post-Auth-Type Reject
(11)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11)     Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject:    --> chris.nzengue
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11)       [attr_filter.access_reject] = updated
(11)       update outer.session-state {
(11)         &Module-Failure-Message := &request:Module-Failure-Message -> 'eap_md5: Cleartext-Password is required for EAP-MD5 authentication'
(11)       } # update outer.session-state = noop
(11)     } # Post-Auth-Type REJECT = updated
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11)   EAP-Message = 0x04010004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11) eap_ttls: Got tunneled Access-Reject
(11) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(11) eap: Sending EAP Failure (code 4) ID 6 length 4
(11) eap: Failed in EAP select
(11)     [eap] = invalid
(11)   } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11)   Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject:    --> chris.nzengue
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11)     [attr_filter.access_reject] = updated
(11)     [eap] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)   } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1.000000 seconds
Waking up in 0.1 seconds.
Waking up in 0.8 seconds.
(11) Sending delayed response
(11) Sent Access-Reject Id 71 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44
(11)   EAP-Message = 0x04060004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
(6) Cleaning up request packet ID 66 with timestamp +42 due to cleanup_delay was reached
(7) Cleaning up request packet ID 67 with timestamp +42 due to cleanup_delay was reached
(8) Cleaning up request packet ID 68 with timestamp +42 due to cleanup_delay was reached
(9) Cleaning up request packet ID 69 with timestamp +43 due to cleanup_delay was reached
(10) Cleaning up request packet ID 70 with timestamp +43 due to cleanup_delay was reached
Waking up in 0.2 seconds.
(11) Cleaning up request packet ID 71 with timestamp +43 due to cleanup_delay was reached
Ready to process requests



Chris Nzengue
Stagiaire DEVOPS
DEVOPS internship

Fixe / Office: +33(2)14747500
chris.nzengue at dejamobile.com
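An added triage example, not part of the original post or of FreeRADIUS: it groups the WARNING and ERROR lines of `radiusd -X` style output by request number and correlates the `ldap` "known good" password warning with the `eap_md5` error seen in request (11). The function names `triage` and `diagnose` are hypothetical; the embedded sample is an excerpt of the log above.

```python
import re
from collections import defaultdict

# Excerpt of request (11) from the debug output above, embedded so this runs offline.
SAMPLE_LOG = """\
(11) Received Access-Request Id 71 from 192.168.200.20:51098 to 192.168.10.124:1812 length 352
(11) eap: Peer sent packet with method EAP TTLS (21)
(11) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(11) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(11) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
(11) eap: Peer sent packet with method EAP MD5 (4)
(11) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
(11) eap: ERROR: Failed continuing EAP MD5 (4) session.  EAP sub-module failed
(11) eap_ttls: Got tunneled Access-Reject
(11) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(11) Sent Access-Reject Id 71 from 192.168.10.124:1812 to 192.168.200.20:51098 length 44
Waking up in 3.7 seconds.
"""

# "(N) [module: ][WARNING|ERROR: ]message"; the lookahead keeps a bare
# "WARNING:" / "ERROR:" prefix from being mistaken for a module name.
LINE = re.compile(
    r"^\((\d+)\)\s+(?:(?!WARNING|ERROR)([\w.]+):\s+)?(?:(WARNING|ERROR):\s+)?(.*)$")
METHOD = re.compile(r"Peer sent packet with method EAP (.+?) \(\d+\)")
SENT = re.compile(r"Sent (Access-\w+) Id \d+")


def triage(log_text):
    """Collect EAP methods, warnings, errors and the final reply per request number."""
    reqs = defaultdict(lambda: {"methods": [], "warnings": [], "errors": [], "reply": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # no "(N)" prefix: server-wide line, not tied to a request
        req = reqs[int(m.group(1))]
        module, level, msg = m.group(2) or "core", m.group(3), m.group(4)
        if level == "WARNING":
            req["warnings"].append((module, msg))
        elif level == "ERROR":
            req["errors"].append((module, msg))
        elif METHOD.search(msg):
            req["methods"].append(METHOD.search(msg).group(1))
        elif SENT.match(msg):
            req["reply"] = SENT.match(msg).group(1)
    return dict(reqs)


def diagnose(req):
    """Turn one request's record into short findings, using only what the log states."""
    findings = []
    inner = [m for m in req["methods"] if m not in ("TTLS", "PEAP", "Identity")]
    no_pw = [mod for mod, msg in req["warnings"] if 'No "known good" password' in msg]
    need_clear = [mod for mod, msg in req["errors"] if "Cleartext-Password is required" in msg]
    if need_clear and no_pw:
        findings.append("inner EAP-%s needs Cleartext-Password, but module '%s' "
                        "returned no password attribute" % (inner[-1] if inner else "?", no_pw[0]))
    if any("identities are the same" in msg for _, msg in req["warnings"]):
        findings.append("outer identity is not anonymised")
    if req["reply"]:
        findings.append("final reply: " + req["reply"])
    return findings


if __name__ == "__main__":
    for num, req in sorted(triage(SAMPLE_LOG).items()):
        for finding in diagnose(req):
            print("(%d) %s" % (num, finding))
```
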