Add TLS version to logs with linelog
dominic.stalder at unibe.ch
dominic.stalder at unibe.ch
Wed Apr 17 11:06:42 UTC 2024
Hi Matthew
Sorry about that. I did re-configure the linelog file (/etc/freeradius/3.0/mods-available/linelog) like this:
linelog 802.1x_authz_log {
filename = ${logdir}/authz.log
reference = "sp.%{%{reply:Packet-Type}:-format}"
sp {
Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
#Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] SID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
}
}
And somehow (I really don't know why), it seems to work know:
(11) Received Access-Request Id 55 from 130.92.42.20:56958 to 130.92.10.33:1812 length 443
(11) User-Name = "dominic.stalder at unibe.ch"
(11) Service-Type = Framed-User
(11) Cisco-AVPair = "service-type=Framed"
(11) Framed-MTU = 1485
(11) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368
(11) Message-Authenticator = 0x694ebad2a4029567ecc08fd124414d26
(11) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(11) Cisco-AVPair = "method=dot1x"
(11) Cisco-AVPair = "client-iif-id=2500003624"
(11) Cisco-AVPair = "vlan-id=1876"
(11) NAS-IP-Address = 130.92.42.20
(11) NAS-Port-Id = "capwap_9180059e"
(11) NAS-Port-Type = Wireless-802.11
(11) NAS-Port = 4219
(11) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(11) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(11) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(11) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(11) Airespace-Wlan-Id = 98
(11) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11) authorize {
(11) policy rewrite_called_station_id {
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11) update request {
(11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> 3C-51-0E-72-2A-00
(11) &Called-Station-Id := 3C-51-0E-72-2A-00
(11) } # update request = noop
(11) if ("%{8}") {
(11) EXPAND %{8}
(11) --> eduroam
(11) if ("%{8}") -> TRUE
(11) if ("%{8}") {
(11) update request {
(11) EXPAND %{8}
(11) --> eduroam
(11) &Called-Station-SSID := eduroam
(11) } # update request = noop
(11) } # if ("%{8}") = noop
(11) [updated] = updated
(11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_called_station_id = updated
(11) policy rewrite_calling_station_id {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) update request {
(11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> 6A-05-BD-E0-F2-80
(11) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(11) } # update request = noop
(11) [updated] = updated
(11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_calling_station_id = updated
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = updated
(11) } # policy filter_username = updated
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(11) suffix: Found realm "UNIBE.CH"
(11) suffix: Adding Stripped-User-Name = "dominic.stalder"
(11) suffix: Adding Realm = "UNIBE.CH"
(11) suffix: Authentication realm is LOCAL
(11) [suffix] = ok
(11) update request {
(11) EXPAND %{toupper:%{Realm}}
(11) --> UNIBE.CH
(11) Realm := UNIBE.CH
(11) } # update request = noop
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(11) policy deny_no_realm {
(11) if (User-Name && (User-Name !~ /@/)) {
(11) if (User-Name && (User-Name !~ /@/)) -> FALSE
(11) } # policy deny_no_realm = updated
(11) switch &control:Called-Station-SSID {
(11) } # switch &control:Called-Station-SSID = updated
(11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(11) eap: Peer sent EAP Response (code 2) ID 1 length 29
(11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11) [eap] = ok
(11) } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Peer sent packet with method EAP Identity (1)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) Initiating new session
(11) eap: Sending EAP Request (code 1) ID 2 length 6
(11) eap: EAP session adding &reply:State = 0x1de92fd31deb361c
(11) [eap] = handled
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) EXPAND Response-Packet-Type
(11) --> Access-Challenge
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11) [attr_filter.access_challenge.post-auth] = updated
(11) [handled] = handled
(11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(11) } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found. Ignoring.
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) session-state: Saving cached attributes
(11) Framed-MTU = 1014
(11) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.20:56958 length 64
(11) EAP-Message = 0x010200061920
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) State = 0x1de92fd31deb361c7d7fc55a3903ba57
(11) Finished request
Waking up in 4.9 seconds.
(12) Received Access-Request Id 63 from 130.92.42.20:56958 to 130.92.10.33:1812 length 593
(12) User-Name = "dominic.stalder at unibe.ch"
(12) Service-Type = Framed-User
(12) Cisco-AVPair = "service-type=Framed"
(12) Framed-MTU = 1485
(12) EAP-Message = 0x020200a119800000009716030100920100008e0303661faab7c8f9e6c7d0b52b2ff41e68b74cec609bc8e752d9be7ef0bbfdb3d86600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(12) Message-Authenticator = 0xc7079924fb998ffe2063c4354d944773
(12) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(12) Cisco-AVPair = "method=dot1x"
(12) Cisco-AVPair = "client-iif-id=2500003624"
(12) Cisco-AVPair = "vlan-id=1876"
(12) NAS-IP-Address = 130.92.42.20
(12) NAS-Port-Id = "capwap_9180059e"
(12) NAS-Port-Type = Wireless-802.11
(12) NAS-Port = 4219
(12) State = 0x1de92fd31deb361c7d7fc55a3903ba57
(12) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(12) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(12) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(12) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(12) Airespace-Wlan-Id = 98
(12) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(12) Restoring &session-state
(12) &session-state:Framed-MTU = 1014
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12) authorize {
(12) policy rewrite_called_station_id {
(12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(12) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12) update request {
(12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12) --> 3C-51-0E-72-2A-00
(12) &Called-Station-Id := 3C-51-0E-72-2A-00
(12) } # update request = noop
(12) if ("%{8}") {
(12) EXPAND %{8}
(12) --> eduroam
(12) if ("%{8}") -> TRUE
(12) if ("%{8}") {
(12) update request {
(12) EXPAND %{8}
(12) --> eduroam
(12) &Called-Station-SSID := eduroam
(12) } # update request = noop
(12) } # if ("%{8}") = noop
(12) [updated] = updated
(12) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(12) ... skipping else: Preceding "if" was taken
(12) } # policy rewrite_called_station_id = updated
(12) policy rewrite_calling_station_id {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12) update request {
(12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12) --> 6A-05-BD-E0-F2-80
(12) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(12) } # update request = noop
(12) [updated] = updated
(12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(12) ... skipping else: Preceding "if" was taken
(12) } # policy rewrite_calling_station_id = updated
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = updated
(12) } # policy filter_username = updated
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(12) suffix: Found realm "UNIBE.CH"
(12) suffix: Adding Stripped-User-Name = "dominic.stalder"
(12) suffix: Adding Realm = "UNIBE.CH"
(12) suffix: Authentication realm is LOCAL
(12) [suffix] = ok
(12) update request {
(12) EXPAND %{toupper:%{Realm}}
(12) --> UNIBE.CH
(12) Realm := UNIBE.CH
(12) } # update request = noop
(12) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(12) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(12) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(12) policy deny_no_realm {
(12) if (User-Name && (User-Name !~ /@/)) {
(12) if (User-Name && (User-Name !~ /@/)) -> FALSE
(12) } # policy deny_no_realm = updated
(12) switch &control:Called-Station-SSID {
(12) } # switch &control:Called-Station-SSID = updated
(12) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(12) eap: Peer sent EAP Response (code 2) ID 2 length 161
(12) eap: Continuing tunnel setup
(12) [eap] = ok
(12) } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) Auth-Type eap {
(12) eap: Expiring EAP session with state 0x1de92fd31deb361c
(12) eap: Finished EAP session with state 0x1de92fd31deb361c
(12) eap: Previous EAP request found for state 0x1de92fd31deb361c, released from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(12) eap_peap: (TLS) EAP Got all data (151 bytes)
(12) eap_peap: (TLS) Handshake state - before SSL initialization
(12) eap_peap: (TLS) Handshake state - Server before SSL initialization
(12) eap_peap: (TLS) Handshake state - Server before SSL initialization
(12) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello
(12) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(12) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(12) eap_peap: (TLS) In Handshake Phase
(12) eap: Sending EAP Request (code 1) ID 3 length 1024
(12) eap: EAP session adding &reply:State = 0x1de92fd31cea361c
(12) [eap] = handled
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) EXPAND Response-Packet-Type
(12) --> Access-Challenge
(12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(12) if (handled && (Response-Packet-Type == Access-Challenge)) {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12) [attr_filter.access_challenge.post-auth] = updated
(12) [handled] = handled
(12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(12) } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found. Ignoring.
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) session-state: Saving cached attributes
(12) Framed-MTU = 1014
(12) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(12) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(12) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1090
(12) EAP-Message = 0x0103040019c000000e28160303003d0200003903039593c2bffb75e41c6f75008fc939ee87ad9af380f3c4f4a2444f574e4752440100c030000011ff01000100000b000403000102001700001603030c860b000c82000c7f0006f0308206ec308205d4a003020102021003b3054211bcb9b12dfd56f8887e7bb5300d06092a864886f70d01010b0500305c310b300906035504061302555331163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f742043412032301e170d3233313130393030303030305a170d3234313130383233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01
(12) Message-Authenticator = 0x00000000000000000000000000000000
(12) State = 0x1de92fd31cea361c7d7fc55a3903ba57
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 71 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(13) User-Name = "dominic.stalder at unibe.ch"
(13) Service-Type = Framed-User
(13) Cisco-AVPair = "service-type=Framed"
(13) Framed-MTU = 1485
(13) EAP-Message = 0x020300061900
(13) Message-Authenticator = 0x1ad7104e34710165cee7e703a1e285aa
(13) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(13) Cisco-AVPair = "method=dot1x"
(13) Cisco-AVPair = "client-iif-id=2500003624"
(13) Cisco-AVPair = "vlan-id=1876"
(13) NAS-IP-Address = 130.92.42.20
(13) NAS-Port-Id = "capwap_9180059e"
(13) NAS-Port-Type = Wireless-802.11
(13) NAS-Port = 4219
(13) State = 0x1de92fd31cea361c7d7fc55a3903ba57
(13) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(13) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(13) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(13) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(13) Airespace-Wlan-Id = 98
(13) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(13) Restoring &session-state
(13) &session-state:Framed-MTU = 1014
(13) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(13) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(13) authorize {
(13) policy rewrite_called_station_id {
(13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(13) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(13) update request {
(13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> 3C-51-0E-72-2A-00
(13) &Called-Station-Id := 3C-51-0E-72-2A-00
(13) } # update request = noop
(13) if ("%{8}") {
(13) EXPAND %{8}
(13) --> eduroam
(13) if ("%{8}") -> TRUE
(13) if ("%{8}") {
(13) update request {
(13) EXPAND %{8}
(13) --> eduroam
(13) &Called-Station-SSID := eduroam
(13) } # update request = noop
(13) } # if ("%{8}") = noop
(13) [updated] = updated
(13) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_called_station_id = updated
(13) policy rewrite_calling_station_id {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13) update request {
(13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13) --> 6A-05-BD-E0-F2-80
(13) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(13) } # update request = noop
(13) [updated] = updated
(13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(13) ... skipping else: Preceding "if" was taken
(13) } # policy rewrite_calling_station_id = updated
(13) policy filter_username {
(13) if (&User-Name) {
(13) if (&User-Name) -> TRUE
(13) if (&User-Name) {
(13) if (&User-Name =~ / /) {
(13) if (&User-Name =~ / /) -> FALSE
(13) if (&User-Name =~ /@[^@]*@/ ) {
(13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(13) if (&User-Name =~ /\.\./ ) {
(13) if (&User-Name =~ /\.\./ ) -> FALSE
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(13) if (&User-Name =~ /\.$/) {
(13) if (&User-Name =~ /\.$/) -> FALSE
(13) if (&User-Name =~ /@\./) {
(13) if (&User-Name =~ /@\./) -> FALSE
(13) } # if (&User-Name) = updated
(13) } # policy filter_username = updated
(13) suffix: Checking for suffix after "@"
(13) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(13) suffix: Found realm "UNIBE.CH"
(13) suffix: Adding Stripped-User-Name = "dominic.stalder"
(13) suffix: Adding Realm = "UNIBE.CH"
(13) suffix: Authentication realm is LOCAL
(13) [suffix] = ok
(13) update request {
(13) EXPAND %{toupper:%{Realm}}
(13) --> UNIBE.CH
(13) Realm := UNIBE.CH
(13) } # update request = noop
(13) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(13) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(13) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(13) policy deny_no_realm {
(13) if (User-Name && (User-Name !~ /@/)) {
(13) if (User-Name && (User-Name !~ /@/)) -> FALSE
(13) } # policy deny_no_realm = updated
(13) switch &control:Called-Station-SSID {
(13) } # switch &control:Called-Station-SSID = updated
(13) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(13) eap: Peer sent EAP Response (code 2) ID 3 length 6
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13) Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1de92fd31cea361c
(13) eap: Finished EAP session with state 0x1de92fd31cea361c
(13) eap: Previous EAP request found for state 0x1de92fd31cea361c, released from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: (TLS) Peer ACKed our handshake fragment
(13) eap: Sending EAP Request (code 1) ID 4 length 1020
(13) eap: EAP session adding &reply:State = 0x1de92fd31fed361c
(13) [eap] = handled
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) EXPAND Response-Packet-Type
(13) --> Access-Challenge
(13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(13) if (handled && (Response-Packet-Type == Access-Challenge)) {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13) [attr_filter.access_challenge.post-auth] = updated
(13) [handled] = handled
(13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(13) } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found. Ignoring.
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13) session-state: Saving cached attributes
(13) Framed-MTU = 1014
(13) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(13) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(13) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086
(13) EAP-Message = 0x010403fc194061646973544c5349434151756f5661646973526f6f744341322e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727451756f5661646973544c5349434151756f5661646973526f6f744341322e637274300c0603551d130101ff040230003082017e060a2b06010401d6790204020482016e0482016a0168007700eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b0000018bb41da9d8000004030048304602210096f259c2ee2c8db6a8f0ffc4dd56ae730dad06cdd15a9bdad058f1eb74fcebed022100ec4750255a870fbb409ab15ff79aca8e3ca0bb1b214f94dab4ef9687a1e82fb900760048b0e36bdaa647340fe56a02fa9d30eb1c5201cb56dd2c81d9bbbfab39d884730000018bb41d
(13) Message-Authenticator = 0x00000000000000000000000000000000
(13) State = 0x1de92fd31fed361c7d7fc55a3903ba57
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 79 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(14) User-Name = "dominic.stalder at unibe.ch"
(14) Service-Type = Framed-User
(14) Cisco-AVPair = "service-type=Framed"
(14) Framed-MTU = 1485
(14) EAP-Message = 0x020400061900
(14) Message-Authenticator = 0xf31f29575e431c5f2f8a42e9fd12c70a
(14) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(14) Cisco-AVPair = "method=dot1x"
(14) Cisco-AVPair = "client-iif-id=2500003624"
(14) Cisco-AVPair = "vlan-id=1876"
(14) NAS-IP-Address = 130.92.42.20
(14) NAS-Port-Id = "capwap_9180059e"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 4219
(14) State = 0x1de92fd31fed361c7d7fc55a3903ba57
(14) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(14) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(14) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(14) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(14) Airespace-Wlan-Id = 98
(14) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(14) Restoring &session-state
(14) &session-state:Framed-MTU = 1014
(14) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(14) authorize {
(14) policy rewrite_called_station_id {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> 3C-51-0E-72-2A-00
(14) &Called-Station-Id := 3C-51-0E-72-2A-00
(14) } # update request = noop
(14) if ("%{8}") {
(14) EXPAND %{8}
(14) --> eduroam
(14) if ("%{8}") -> TRUE
(14) if ("%{8}") {
(14) update request {
(14) EXPAND %{8}
(14) --> eduroam
(14) &Called-Station-SSID := eduroam
(14) } # update request = noop
(14) } # if ("%{8}") = noop
(14) [updated] = updated
(14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_called_station_id = updated
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> 6A-05-BD-E0-F2-80
(14) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = updated
(14) } # policy filter_username = updated
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(14) suffix: Found realm "UNIBE.CH"
(14) suffix: Adding Stripped-User-Name = "dominic.stalder"
(14) suffix: Adding Realm = "UNIBE.CH"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) update request {
(14) EXPAND %{toupper:%{Realm}}
(14) --> UNIBE.CH
(14) Realm := UNIBE.CH
(14) } # update request = noop
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14) policy deny_no_realm {
(14) if (User-Name && (User-Name !~ /@/)) {
(14) if (User-Name && (User-Name !~ /@/)) -> FALSE
(14) } # policy deny_no_realm = updated
(14) switch &control:Called-Station-SSID {
(14) } # switch &control:Called-Station-SSID = updated
(14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(14) eap: Peer sent EAP Response (code 2) ID 4 length 6
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1de92fd31fed361c
(14) eap: Finished EAP session with state 0x1de92fd31fed361c
(14) eap: Previous EAP request found for state 0x1de92fd31fed361c, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 5 length 1020
(14) eap: EAP session adding &reply:State = 0x1de92fd31eec361c
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14) session-state: Saving cached attributes
(14) Framed-MTU = 1014
(14) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086
(14) EAP-Message = 0x010503fc194031163014060355040a0c0d44696769436572742c20496e633135303306035504030c2c44696769436572742051756f566164697320544c53204943412051756f566164697320526f6f74204341203230820122300d06092a864886f70d01010105000382010f003082010a0282010100c0276cfa8594d3ff27e084f9510e22adc882540fd8f499b54cbcc5b972f391772e189d184b507780746820ef2412d8cf26c4fd40b80087714fa2b7372e50b230e6fd4d52159fd7f6a740204fbc6b2b9ef3cfaaca04c0aacff4cc0782710db7d2c3bd4361c67e2bff6d60a99b67ed4d447a1371c375cb8feb080d0f6e136b285ff5eeecd4f4bb743a1c87c6bbb4e3449d3304a8cd0ac8d131252afbdb7942262839da4e8079d268c67c2ecbe68fd34f0bcb8c040f53f7b182deef3e7d4fd6a5c5caa877ee530d3fc5fee7cdd62d6030035d7f46f58d544349a7435d9a7c3352f33be3cec9d7a223c9bb023fbe528fb42146c1685cb8e89996197c9b39f013199902
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x1de92fd31eec361c7d7fc55a3903ba57
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 87 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(15) User-Name = "dominic.stalder at unibe.ch"
(15) Service-Type = Framed-User
(15) Cisco-AVPair = "service-type=Framed"
(15) Framed-MTU = 1485
(15) EAP-Message = 0x020500061900
(15) Message-Authenticator = 0xf18ed8d8c98adb93b8213140f59a8378
(15) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(15) Cisco-AVPair = "method=dot1x"
(15) Cisco-AVPair = "client-iif-id=2500003624"
(15) Cisco-AVPair = "vlan-id=1876"
(15) NAS-IP-Address = 130.92.42.20
(15) NAS-Port-Id = "capwap_9180059e"
(15) NAS-Port-Type = Wireless-802.11
(15) NAS-Port = 4219
(15) State = 0x1de92fd31eec361c7d7fc55a3903ba57
(15) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(15) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(15) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(15) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(15) Airespace-Wlan-Id = 98
(15) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(15) Restoring &session-state
(15) &session-state:Framed-MTU = 1014
(15) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(15) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15) authorize {
(15) policy rewrite_called_station_id {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> 3C-51-0E-72-2A-00
(15) &Called-Station-Id := 3C-51-0E-72-2A-00
(15) } # update request = noop
(15) if ("%{8}") {
(15) EXPAND %{8}
(15) --> eduroam
(15) if ("%{8}") -> TRUE
(15) if ("%{8}") {
(15) update request {
(15) EXPAND %{8}
(15) --> eduroam
(15) &Called-Station-SSID := eduroam
(15) } # update request = noop
(15) } # if ("%{8}") = noop
(15) [updated] = updated
(15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_called_station_id = updated
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> 6A-05-BD-E0-F2-80
(15) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = updated
(15) } # policy filter_username = updated
(15) suffix: Checking for suffix after "@"
(15) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(15) suffix: Found realm "UNIBE.CH"
(15) suffix: Adding Stripped-User-Name = "dominic.stalder"
(15) suffix: Adding Realm = "UNIBE.CH"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) update request {
(15) EXPAND %{toupper:%{Realm}}
(15) --> UNIBE.CH
(15) Realm := UNIBE.CH
(15) } # update request = noop
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15) policy deny_no_realm {
(15) if (User-Name && (User-Name !~ /@/)) {
(15) if (User-Name && (User-Name !~ /@/)) -> FALSE
(15) } # policy deny_no_realm = updated
(15) switch &control:Called-Station-SSID {
(15) } # switch &control:Called-Station-SSID = updated
(15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(15) eap: Peer sent EAP Response (code 2) ID 5 length 6
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1de92fd31eec361c
(15) eap: Finished EAP session with state 0x1de92fd31eec361c
(15) eap: Previous EAP request found for state 0x1de92fd31eec361c, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: (TLS) Peer ACKed our handshake fragment
(15) eap: Sending EAP Request (code 1) ID 6 length 588
(15) eap: EAP session adding &reply:State = 0x1de92fd319ef361c
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) session-state: Saving cached attributes
(15) Framed-MTU = 1014
(15) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(15) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(15) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.20:56958 length 650
(15) EAP-Message = 0x0106024c190092dd4a3f6f4a476dce8054dcc67a57c7efffd02a530da7129206cf2d59743367135e3238837f3915851242955fc5b8517786f16d34b6872189b4e3e01005c5f9436cb4341721ddd33be24eaa920f8bd7f3f06b48f9c1de57460ad46f66e46a65c749cf786d0afadbc0812eae6da881a6a3e7dbc8aac3d8f3443ae4f1614e4c9f4f80f9c26e35d5d67994f3f07db48ec18f369b282e7b0d9178f3ca6dc74bd4f9d0b11385dbe0add5465a8a07ebdd590a7145f7d9deb1436636202d59496850bfdf3427f97f2b0989a6eec0f8d7444ce5e69cd0b5460ae57efc0e259c16227376bc8774a255010d721f9ec9160303014d0c0001490300174104e24dea9bac02fa89350a2a9907808663b23db0dcffb0c3942c4e3e768589e14a53ad8a938b48a08546b6adcc29bfa64a726170e0b8b2c2b499690ec9d5d59b300401010049a41dd7d2618931e2d16fa22e869397478ff177fc2301eef652e6042defcf82f60897df4af82c6bb00a12f52a239964f55de72b
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x1de92fd319ef361c7d7fc55a3903ba57
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 95 from 130.92.42.20:56958 to 130.92.10.33:1812 length 568
(16) User-Name = "dominic.stalder at unibe.ch"
(16) Service-Type = Framed-User
(16) Cisco-AVPair = "service-type=Framed"
(16) Framed-MTU = 1485
(16) EAP-Message = 0x0206008819800000007e16030300461000004241044b18bc5103fb19b4b172d827bebc8fb6e5a89caa86ecd2d2af20d96592e46b5ede6df542983d8a4b7d178b59644148f098333e0333f58ba0bac27972d54d107014030300010116030300280eb44ab0540a84b463a92404ef78c91d26aa51ff96e86301c8d7ddbf9e12724aa933f1a64c868dea
(16) Message-Authenticator = 0xdbfc267b0e764874e63c61f643fb722e
(16) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(16) Cisco-AVPair = "method=dot1x"
(16) Cisco-AVPair = "client-iif-id=2500003624"
(16) Cisco-AVPair = "vlan-id=1876"
(16) NAS-IP-Address = 130.92.42.20
(16) NAS-Port-Id = "capwap_9180059e"
(16) NAS-Port-Type = Wireless-802.11
(16) NAS-Port = 4219
(16) State = 0x1de92fd319ef361c7d7fc55a3903ba57
(16) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(16) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(16) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(16) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(16) Airespace-Wlan-Id = 98
(16) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(16) Restoring &session-state
(16) &session-state:Framed-MTU = 1014
(16) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(16) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(16) authorize {
(16) policy rewrite_called_station_id {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> 3C-51-0E-72-2A-00
(16) &Called-Station-Id := 3C-51-0E-72-2A-00
(16) } # update request = noop
(16) if ("%{8}") {
(16) EXPAND %{8}
(16) --> eduroam
(16) if ("%{8}") -> TRUE
(16) if ("%{8}") {
(16) update request {
(16) EXPAND %{8}
(16) --> eduroam
(16) &Called-Station-SSID := eduroam
(16) } # update request = noop
(16) } # if ("%{8}") = noop
(16) [updated] = updated
(16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_called_station_id = updated
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> 6A-05-BD-E0-F2-80
(16) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = updated
(16) } # policy filter_username = updated
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(16) suffix: Found realm "UNIBE.CH"
(16) suffix: Adding Stripped-User-Name = "dominic.stalder"
(16) suffix: Adding Realm = "UNIBE.CH"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) update request {
(16) EXPAND %{toupper:%{Realm}}
(16) --> UNIBE.CH
(16) Realm := UNIBE.CH
(16) } # update request = noop
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16) policy deny_no_realm {
(16) if (User-Name && (User-Name !~ /@/)) {
(16) if (User-Name && (User-Name !~ /@/)) -> FALSE
(16) } # policy deny_no_realm = updated
(16) switch &control:Called-Station-SSID {
(16) } # switch &control:Called-Station-SSID = updated
(16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(16) eap: Peer sent EAP Response (code 2) ID 6 length 136
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1de92fd319ef361c
(16) eap: Finished EAP session with state 0x1de92fd319ef361c
(16) eap: Previous EAP request found for state 0x1de92fd319ef361c, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(16) eap_peap: (TLS) EAP Got all data (126 bytes)
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(16) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(16) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished
(16) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(16) eap_peap: (TLS) send TLS 1.2 Handshake, Finished
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished
(16) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
(16) eap_peap: (TLS) Connection Established
(16) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(16) eap_peap: TLS-Session-Version = "TLS 1.2"
(16) eap: Sending EAP Request (code 1) ID 7 length 57
(16) eap: EAP session adding &reply:State = 0x1de92fd318ee361c
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) session-state: Saving cached attributes
(16) Framed-MTU = 1014
(16) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(16) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(16) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(16) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(16) TLS-Session-Version = "TLS 1.2"
(16) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.20:56958 length 115
(16) EAP-Message = 0x0107003919001403030001011603030028ee81289b38b966971e6a8bb4192ebcb8c0668f81a560a0e83c8f2f358c5048da4e4502dad8f52a42
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x1de92fd318ee361c7d7fc55a3903ba57
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 103 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(17) User-Name = "dominic.stalder at unibe.ch"
(17) Service-Type = Framed-User
(17) Cisco-AVPair = "service-type=Framed"
(17) Framed-MTU = 1485
(17) EAP-Message = 0x020700061900
(17) Message-Authenticator = 0x93382dc058a6fc411428994f06077c45
(17) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(17) Cisco-AVPair = "method=dot1x"
(17) Cisco-AVPair = "client-iif-id=2500003624"
(17) Cisco-AVPair = "vlan-id=1876"
(17) NAS-IP-Address = 130.92.42.20
(17) NAS-Port-Id = "capwap_9180059e"
(17) NAS-Port-Type = Wireless-802.11
(17) NAS-Port = 4219
(17) State = 0x1de92fd318ee361c7d7fc55a3903ba57
(17) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(17) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(17) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(17) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(17) Airespace-Wlan-Id = 98
(17) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(17) Restoring &session-state
(17) &session-state:Framed-MTU = 1014
(17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(17) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(17) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(17) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) &session-state:TLS-Session-Version = "TLS 1.2"
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(17) authorize {
(17) policy rewrite_called_station_id {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> 3C-51-0E-72-2A-00
(17) &Called-Station-Id := 3C-51-0E-72-2A-00
(17) } # update request = noop
(17) if ("%{8}") {
(17) EXPAND %{8}
(17) --> eduroam
(17) if ("%{8}") -> TRUE
(17) if ("%{8}") {
(17) update request {
(17) EXPAND %{8}
(17) --> eduroam
(17) &Called-Station-SSID := eduroam
(17) } # update request = noop
(17) } # if ("%{8}") = noop
(17) [updated] = updated
(17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_called_station_id = updated
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> 6A-05-BD-E0-F2-80
(17) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = updated
(17) } # policy filter_username = updated
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(17) suffix: Found realm "UNIBE.CH"
(17) suffix: Adding Stripped-User-Name = "dominic.stalder"
(17) suffix: Adding Realm = "UNIBE.CH"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) update request {
(17) EXPAND %{toupper:%{Realm}}
(17) --> UNIBE.CH
(17) Realm := UNIBE.CH
(17) } # update request = noop
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17) policy deny_no_realm {
(17) if (User-Name && (User-Name !~ /@/)) {
(17) if (User-Name && (User-Name !~ /@/)) -> FALSE
(17) } # policy deny_no_realm = updated
(17) switch &control:Called-Station-SSID {
(17) } # switch &control:Called-Station-SSID = updated
(17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(17) eap: Peer sent EAP Response (code 2) ID 7 length 6
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1de92fd318ee361c
(17) eap: Finished EAP session with state 0x1de92fd318ee361c
(17) eap: Previous EAP request found for state 0x1de92fd318ee361c, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(17) eap_peap: Session established. Decoding tunneled attributes
(17) eap_peap: PEAP state TUNNEL ESTABLISHED
(17) eap: Sending EAP Request (code 1) ID 8 length 40
(17) eap: EAP session adding &reply:State = 0x1de92fd31be1361c
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> dominic.stalder at unibe.ch
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) session-state: Saving cached attributes
(17) Framed-MTU = 1014
(17) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(17) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(17) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(17) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.20:56958 length 98
(17) EAP-Message = 0x010800281900170303001dee81289b38b966986346a9c5260f98ec8918724d9885a5054c41aac2f6
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x1de92fd31be1361c7d7fc55a3903ba57
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 111 from 130.92.42.20:56958 to 130.92.10.33:1812 length 492
(18) User-Name = "dominic.stalder at unibe.ch"
(18) Service-Type = Framed-User
(18) Cisco-AVPair = "service-type=Framed"
(18) Framed-MTU = 1485
(18) EAP-Message = 0x0208003c190017030300310eb44ab0540a84b5ba10d71cb3cafd821018d4f9504190b41636a547d19a561c7362bf3cc1b8af6ff924ab0511352a4b3b
(18) Message-Authenticator = 0x852d8279186eef24f4927cf9cbb3522b
(18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18) Cisco-AVPair = "method=dot1x"
(18) Cisco-AVPair = "client-iif-id=2500003624"
(18) Cisco-AVPair = "vlan-id=1876"
(18) NAS-IP-Address = 130.92.42.20
(18) NAS-Port-Id = "capwap_9180059e"
(18) NAS-Port-Type = Wireless-802.11
(18) NAS-Port = 4219
(18) State = 0x1de92fd31be1361c7d7fc55a3903ba57
(18) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(18) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(18) Airespace-Wlan-Id = 98
(18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) Restoring &session-state
(18) &session-state:Framed-MTU = 1014
(18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(18) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(18) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(18) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(18) authorize {
(18) policy rewrite_called_station_id {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> 3C-51-0E-72-2A-00
(18) &Called-Station-Id := 3C-51-0E-72-2A-00
(18) } # update request = noop
(18) if ("%{8}") {
(18) EXPAND %{8}
(18) --> eduroam
(18) if ("%{8}") -> TRUE
(18) if ("%{8}") {
(18) update request {
(18) EXPAND %{8}
(18) --> eduroam
(18) &Called-Station-SSID := eduroam
(18) } # update request = noop
(18) } # if ("%{8}") = noop
(18) [updated] = updated
(18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_called_station_id = updated
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> 6A-05-BD-E0-F2-80
(18) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = updated
(18) } # policy filter_username = updated
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(18) suffix: Found realm "UNIBE.CH"
(18) suffix: Adding Stripped-User-Name = "dominic.stalder"
(18) suffix: Adding Realm = "UNIBE.CH"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) update request {
(18) EXPAND %{toupper:%{Realm}}
(18) --> UNIBE.CH
(18) Realm := UNIBE.CH
(18) } # update request = noop
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18) policy deny_no_realm {
(18) if (User-Name && (User-Name !~ /@/)) {
(18) if (User-Name && (User-Name !~ /@/)) -> FALSE
(18) } # policy deny_no_realm = updated
(18) switch &control:Called-Station-SSID {
(18) } # switch &control:Called-Station-SSID = updated
(18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(18) eap: Peer sent EAP Response (code 2) ID 8 length 60
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1de92fd31be1361c
(18) eap: Finished EAP session with state 0x1de92fd31be1361c
(18) eap: Previous EAP request found for state 0x1de92fd31be1361c, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: (TLS) EAP Done initial handshake
(18) eap_peap: Session established. Decoding tunneled attributes
(18) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(18) eap_peap: Identity - dominic.stalder at unibe.ch
(18) eap_peap: Got inner identity 'dominic.stalder at unibe.ch'
(18) eap_peap: Setting default EAP type for tunneled EAP session
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(18) eap_peap: Sending tunneled request to proxy-inner-tunnel
(18) eap_peap: EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "dominic.stalder at unibe.ch"
(18) eap_peap: Service-Type = Framed-User
(18) eap_peap: Cisco-AVPair = "service-type=Framed"
(18) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18) eap_peap: Cisco-AVPair = "method=dot1x"
(18) eap_peap: Cisco-AVPair = "client-iif-id=2500003624"
(18) eap_peap: Cisco-AVPair = "vlan-id=1876"
(18) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18) eap_peap: Framed-MTU = 1485
(18) eap_peap: NAS-IP-Address = 130.92.42.20
(18) eap_peap: NAS-Port-Id = "capwap_9180059e"
(18) eap_peap: NAS-Port-Type = Wireless-802.11
(18) eap_peap: NAS-Port = 4219
(18) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00"
(18) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18) eap_peap: Airespace-Wlan-Id = 98
(18) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) Virtual server proxy-inner-tunnel received request
(18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "dominic.stalder at unibe.ch"
(18) Service-Type = Framed-User
(18) Cisco-AVPair = "service-type=Framed"
(18) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18) Cisco-AVPair = "method=dot1x"
(18) Cisco-AVPair = "client-iif-id=2500003624"
(18) Cisco-AVPair = "vlan-id=1876"
(18) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18) Framed-MTU = 1485
(18) NAS-IP-Address = 130.92.42.20
(18) NAS-Port-Id = "capwap_9180059e"
(18) NAS-Port-Type = Wireless-802.11
(18) NAS-Port = 4219
(18) Called-Station-Id := "3C-51-0E-72-2A-00"
(18) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18) Airespace-Wlan-Id = 98
(18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) WARNING: Outer and inner identities are the same. User privacy is compromised.
(18) server proxy-inner-tunnel {
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(18) authorize {
(18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(18) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(18) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(18) if (!NAS-Port-Type){
(18) if (!NAS-Port-Type) -> FALSE
(18) update control {
(18) &Proxy-To-Realm := NPS-DEV
(18) } # update control = noop
(18) } # authorize = noop
(18) } # server proxy-inner-tunnel
(18) Virtual server sending reply
(18) eap_peap: Got tunneled reply code 0
(18) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(18) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) -->
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(18) } # Auth-Type eap = handled
(18) Starting proxy to home server 130.92.14.27 port 1812
(18) server default {
(18) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(18) pre-proxy {
(18) attr_filter.pre-proxy: EXPAND %{Realm}
(18) attr_filter.pre-proxy: --> UNIBE.CH
(18) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(18) [attr_filter.pre-proxy] = updated
(18) } # pre-proxy = updated
(18) }
(18) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(18) Sent Access-Request Id 3 from 0.0.0.0:41351 to 130.92.14.27:1812 length 188
(18) Operator-Name := "1unibe.ch"
(18) EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) User-Name = "dominic.stalder at unibe.ch"
(18) NAS-IP-Address = 130.92.42.20
(18) NAS-Port-Type = Wireless-802.11
(18) Called-Station-Id := "3C-51-0E-72-2A-00"
(18) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) Message-Authenticator = 0x
(18) Proxy-State = 0x313131
Waking up in 0.3 seconds.
(18) Clearing existing &reply: attributes
(18) Received Access-Challenge Id 3 from 130.92.14.27:1812 to 130.92.10.33:41351 length 128
(18) Proxy-State = 0x313131
(18) Session-Timeout = 60
(18) EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632
(18) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(18) Message-Authenticator = 0x6010087d40d157005d3540778ed46280
(18) server default {
(18) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(18) post-proxy {
(18) attr_filter.post-proxy: EXPAND %{Realm}
(18) attr_filter.post-proxy: --> UNIBE.CH
(18) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(18) [attr_filter.post-proxy] = updated
(18) eap: Doing post-proxy callback
(18) eap: Passing reply from proxy back into the tunnel
(18) eap: Got tunneled reply RADIUS code 11
(18) eap: Tunnel-Type := VLAN
(18) eap: Tunnel-Medium-Type := IEEE-802
(18) eap: Proxy-State = 0x313131
(18) eap: EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632
(18) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(18) eap: Message-Authenticator = 0x6010087d40d157005d3540778ed46280
(18) eap: Got tunneled Access-Challenge
(18) eap: Reply was handled
(18) eap: Sending EAP Request (code 1) ID 9 length 70
(18) eap: EAP session adding &reply:State = 0x1de92fd31ae0361c
(18) [eap] = ok
(18) } # post-proxy = updated
(18) }
(18) session-state: Saving cached attributes
(18) Framed-MTU = 1014
(18) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(18) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(18) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(18) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) TLS-Session-Version = "TLS 1.2"
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18) Sent Access-Challenge Id 111 from 130.92.10.33:1812 to 130.92.42.20:56958 length 128
(18) EAP-Message = 0x010900461900170303003bee81289b38b96699838bacf9ab8471d9a0c0522c8f7b32d458a0fded96c04c4a3ee53c690abbbdd4ab41013b7988b57e521af8dc7bcd467b297af9
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x1de92fd31ae0361c7d7fc55a3903ba57
(18) Finished request
Waking up in 4.8 seconds.
(19) Received Access-Request Id 119 from 130.92.42.20:56958 to 130.92.10.33:1812 length 546
(19) User-Name = "dominic.stalder at unibe.ch"
(19) Service-Type = Framed-User
(19) Cisco-AVPair = "service-type=Framed"
(19) Framed-MTU = 1485
(19) EAP-Message = 0x02090072190017030300670eb44ab0540a84b6c847c1e4cd47b9f36e37fc528705aed180287420c6730fc360d9458c0c4df8b8eccc6529f567f80b13cffefbfcaa6155a88b3ceb96c7958abf1e8b86ec337c25d154d8ab4915b9daebdcf7b1ac0fa7c2ffbfee5c6b880cbc458625358dfc7c
(19) Message-Authenticator = 0xb41636b5706cfcd2a98e05828ea1a1e0
(19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19) Cisco-AVPair = "method=dot1x"
(19) Cisco-AVPair = "client-iif-id=2500003624"
(19) Cisco-AVPair = "vlan-id=1876"
(19) NAS-IP-Address = 130.92.42.20
(19) NAS-Port-Id = "capwap_9180059e"
(19) NAS-Port-Type = Wireless-802.11
(19) NAS-Port = 4219
(19) State = 0x1de92fd31ae0361c7d7fc55a3903ba57
(19) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(19) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(19) Airespace-Wlan-Id = 98
(19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) Restoring &session-state
(19) &session-state:Framed-MTU = 1014
(19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(19) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(19) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(19) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(19) authorize {
(19) policy rewrite_called_station_id {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> 3C-51-0E-72-2A-00
(19) &Called-Station-Id := 3C-51-0E-72-2A-00
(19) } # update request = noop
(19) if ("%{8}") {
(19) EXPAND %{8}
(19) --> eduroam
(19) if ("%{8}") -> TRUE
(19) if ("%{8}") {
(19) update request {
(19) EXPAND %{8}
(19) --> eduroam
(19) &Called-Station-SSID := eduroam
(19) } # update request = noop
(19) } # if ("%{8}") = noop
(19) [updated] = updated
(19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_called_station_id = updated
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> 6A-05-BD-E0-F2-80
(19) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = updated
(19) } # policy filter_username = updated
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(19) suffix: Found realm "UNIBE.CH"
(19) suffix: Adding Stripped-User-Name = "dominic.stalder"
(19) suffix: Adding Realm = "UNIBE.CH"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) update request {
(19) EXPAND %{toupper:%{Realm}}
(19) --> UNIBE.CH
(19) Realm := UNIBE.CH
(19) } # update request = noop
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19) policy deny_no_realm {
(19) if (User-Name && (User-Name !~ /@/)) {
(19) if (User-Name && (User-Name !~ /@/)) -> FALSE
(19) } # policy deny_no_realm = updated
(19) switch &control:Called-Station-SSID {
(19) } # switch &control:Called-Station-SSID = updated
(19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(19) eap: Peer sent EAP Response (code 2) ID 9 length 114
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1de92fd31ae0361c
(19) eap: Finished EAP session with state 0x1de92fd31ae0361c
(19) eap: Previous EAP request found for state 0x1de92fd31ae0361c, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: (TLS) EAP Done initial handshake
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state phase2
(19) eap_peap: EAP method MSCHAPv2 (26)
(19) eap_peap: Got tunneled request
(19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(19) eap_peap: Sending tunneled request to proxy-inner-tunnel
(19) eap_peap: EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap: User-Name = "dominic.stalder at unibe.ch"
(19) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) eap_peap: Service-Type = Framed-User
(19) eap_peap: Cisco-AVPair = "service-type=Framed"
(19) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19) eap_peap: Cisco-AVPair = "method=dot1x"
(19) eap_peap: Cisco-AVPair = "client-iif-id=2500003624"
(19) eap_peap: Cisco-AVPair = "vlan-id=1876"
(19) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19) eap_peap: Framed-MTU = 1485
(19) eap_peap: NAS-IP-Address = 130.92.42.20
(19) eap_peap: NAS-Port-Id = "capwap_9180059e"
(19) eap_peap: NAS-Port-Type = Wireless-802.11
(19) eap_peap: NAS-Port = 4219
(19) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00"
(19) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19) eap_peap: Airespace-Wlan-Id = 98
(19) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) Virtual server proxy-inner-tunnel received request
(19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) FreeRADIUS-Proxied-To = 127.0.0.1
(19) User-Name = "dominic.stalder at unibe.ch"
(19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) Service-Type = Framed-User
(19) Cisco-AVPair = "service-type=Framed"
(19) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19) Cisco-AVPair = "method=dot1x"
(19) Cisco-AVPair = "client-iif-id=2500003624"
(19) Cisco-AVPair = "vlan-id=1876"
(19) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19) Framed-MTU = 1485
(19) NAS-IP-Address = 130.92.42.20
(19) NAS-Port-Id = "capwap_9180059e"
(19) NAS-Port-Type = Wireless-802.11
(19) NAS-Port = 4219
(19) Called-Station-Id := "3C-51-0E-72-2A-00"
(19) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19) Airespace-Wlan-Id = 98
(19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) WARNING: Outer and inner identities are the same. User privacy is compromised.
(19) server proxy-inner-tunnel {
(19) session-state: No cached attributes
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(19) authorize {
(19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(19) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(19) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(19) if (!NAS-Port-Type){
(19) if (!NAS-Port-Type) -> FALSE
(19) update control {
(19) &Proxy-To-Realm := NPS-DEV
(19) } # update control = noop
(19) } # authorize = noop
(19) } # server proxy-inner-tunnel
(19) Virtual server sending reply
(19) eap_peap: Got tunneled reply code 0
(19) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(19) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) -->
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(19) } # Auth-Type eap = handled
(19) Starting proxy to home server 130.92.14.27 port 1812
(19) server default {
(19) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(19) pre-proxy {
(19) attr_filter.pre-proxy: EXPAND %{Realm}
(19) attr_filter.pre-proxy: --> UNIBE.CH
(19) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(19) [attr_filter.pre-proxy] = updated
(19) } # pre-proxy = updated
(19) }
(19) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(19) Sent Access-Request Id 80 from 0.0.0.0:41351 to 130.92.14.27:1812 length 280
(19) Operator-Name := "1unibe.ch"
(19) EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) User-Name = "dominic.stalder at unibe.ch"
(19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) NAS-IP-Address = 130.92.42.20
(19) NAS-Port-Type = Wireless-802.11
(19) Called-Station-Id := "3C-51-0E-72-2A-00"
(19) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) Message-Authenticator = 0x
(19) Proxy-State = 0x313139
Waking up in 0.3 seconds.
(19) Clearing existing &reply: attributes
(19) Received Access-Challenge Id 80 from 130.92.14.27:1812 to 130.92.10.33:41351 length 140
(19) Proxy-State = 0x313139
(19) Session-Timeout = 60
(19) EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(19) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063
(19) server default {
(19) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(19) post-proxy {
(19) attr_filter.post-proxy: EXPAND %{Realm}
(19) attr_filter.post-proxy: --> UNIBE.CH
(19) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(19) [attr_filter.post-proxy] = updated
(19) eap: Doing post-proxy callback
(19) eap: Passing reply from proxy back into the tunnel
(19) eap: Got tunneled reply RADIUS code 11
(19) eap: Tunnel-Type := VLAN
(19) eap: Tunnel-Medium-Type := IEEE-802
(19) eap: Proxy-State = 0x313139
(19) eap: EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(19) eap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) eap: Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063
(19) eap: Got tunneled Access-Challenge
(19) eap: Reply was handled
(19) eap: Sending EAP Request (code 1) ID 10 length 82
(19) eap: EAP session adding &reply:State = 0x1de92fd315e3361c
(19) [eap] = ok
(19) } # post-proxy = updated
(19) }
(19) session-state: Saving cached attributes
(19) Framed-MTU = 1014
(19) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(19) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(19) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(19) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19) TLS-Session-Version = "TLS 1.2"
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19) Sent Access-Challenge Id 119 from 130.92.10.33:1812 to 130.92.42.20:56958 length 140
(19) EAP-Message = 0x010a005219001703030047ee81289b38b9669adba1fab65405736dbbfcb27f2717a52264a47659030722d29939aea776b86fec481bda6d4c07a1e792afe6d888bca68031b6b939f2c2be7faeef6adc05a6e3
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x1de92fd315e3361c7d7fc55a3903ba57
(19) Finished request
Waking up in 4.8 seconds.
(20) Received Access-Request Id 127 from 130.92.42.20:56958 to 130.92.10.33:1812 length 469
(20) User-Name = "dominic.stalder at unibe.ch"
(20) Service-Type = Framed-User
(20) Cisco-AVPair = "service-type=Framed"
(20) Framed-MTU = 1485
(20) EAP-Message = 0x020a00251900170303001a0eb44ab0540a84b7c31a7ba33522878ffe2eeebc82ccb08cf952
(20) Message-Authenticator = 0xbad5ba1b57de86e7ebe12ecfcafd37ea
(20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20) Cisco-AVPair = "method=dot1x"
(20) Cisco-AVPair = "client-iif-id=2500003624"
(20) Cisco-AVPair = "vlan-id=1876"
(20) NAS-IP-Address = 130.92.42.20
(20) NAS-Port-Id = "capwap_9180059e"
(20) NAS-Port-Type = Wireless-802.11
(20) NAS-Port = 4219
(20) State = 0x1de92fd315e3361c7d7fc55a3903ba57
(20) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(20) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(20) Airespace-Wlan-Id = 98
(20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) Restoring &session-state
(20) &session-state:Framed-MTU = 1014
(20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(20) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(20) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(20) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(20) authorize {
(20) policy rewrite_called_station_id {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> 3C-51-0E-72-2A-00
(20) &Called-Station-Id := 3C-51-0E-72-2A-00
(20) } # update request = noop
(20) if ("%{8}") {
(20) EXPAND %{8}
(20) --> eduroam
(20) if ("%{8}") -> TRUE
(20) if ("%{8}") {
(20) update request {
(20) EXPAND %{8}
(20) --> eduroam
(20) &Called-Station-SSID := eduroam
(20) } # update request = noop
(20) } # if ("%{8}") = noop
(20) [updated] = updated
(20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_called_station_id = updated
(20) policy rewrite_calling_station_id {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> 6A-05-BD-E0-F2-80
(20) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(20) } # update request = noop
(20) [updated] = updated
(20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_calling_station_id = updated
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = updated
(20) } # policy filter_username = updated
(20) suffix: Checking for suffix after "@"
(20) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(20) suffix: Found realm "UNIBE.CH"
(20) suffix: Adding Stripped-User-Name = "dominic.stalder"
(20) suffix: Adding Realm = "UNIBE.CH"
(20) suffix: Authentication realm is LOCAL
(20) [suffix] = ok
(20) update request {
(20) EXPAND %{toupper:%{Realm}}
(20) --> UNIBE.CH
(20) Realm := UNIBE.CH
(20) } # update request = noop
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20) policy deny_no_realm {
(20) if (User-Name && (User-Name !~ /@/)) {
(20) if (User-Name && (User-Name !~ /@/)) -> FALSE
(20) } # policy deny_no_realm = updated
(20) switch &control:Called-Station-SSID {
(20) } # switch &control:Called-Station-SSID = updated
(20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(20) eap: Peer sent EAP Response (code 2) ID 10 length 37
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1de92fd315e3361c
(20) eap: Finished EAP session with state 0x1de92fd315e3361c
(20) eap: Previous EAP request found for state 0x1de92fd315e3361c, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: (TLS) EAP Done initial handshake
(20) eap_peap: Session established. Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap: EAP-Message = 0x020a00061a03
(20) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(20) eap_peap: Sending tunneled request to proxy-inner-tunnel
(20) eap_peap: EAP-Message = 0x020a00061a03
(20) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap: User-Name = "dominic.stalder at unibe.ch"
(20) eap_peap: State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20) eap_peap: Service-Type = Framed-User
(20) eap_peap: Cisco-AVPair = "service-type=Framed"
(20) eap_peap: Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20) eap_peap: Cisco-AVPair = "method=dot1x"
(20) eap_peap: Cisco-AVPair = "client-iif-id=2500003624"
(20) eap_peap: Cisco-AVPair = "vlan-id=1876"
(20) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20) eap_peap: Framed-MTU = 1485
(20) eap_peap: NAS-IP-Address = 130.92.42.20
(20) eap_peap: NAS-Port-Id = "capwap_9180059e"
(20) eap_peap: NAS-Port-Type = Wireless-802.11
(20) eap_peap: NAS-Port = 4219
(20) eap_peap: Called-Station-Id := "3C-51-0E-72-2A-00"
(20) eap_peap: Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20) eap_peap: Airespace-Wlan-Id = 98
(20) eap_peap: NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) Virtual server proxy-inner-tunnel received request
(20) EAP-Message = 0x020a00061a03
(20) FreeRADIUS-Proxied-To = 127.0.0.1
(20) User-Name = "dominic.stalder at unibe.ch"
(20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20) Service-Type = Framed-User
(20) Cisco-AVPair = "service-type=Framed"
(20) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20) Cisco-AVPair = "method=dot1x"
(20) Cisco-AVPair = "client-iif-id=2500003624"
(20) Cisco-AVPair = "vlan-id=1876"
(20) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20) Framed-MTU = 1485
(20) NAS-IP-Address = 130.92.42.20
(20) NAS-Port-Id = "capwap_9180059e"
(20) NAS-Port-Type = Wireless-802.11
(20) NAS-Port = 4219
(20) Called-Station-Id := "3C-51-0E-72-2A-00"
(20) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20) Airespace-Wlan-Id = 98
(20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) WARNING: Outer and inner identities are the same. User privacy is compromised.
(20) server proxy-inner-tunnel {
(20) session-state: No cached attributes
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(20) authorize {
(20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(20) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(20) if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(20) if (!NAS-Port-Type){
(20) if (!NAS-Port-Type) -> FALSE
(20) update control {
(20) &Proxy-To-Realm := NPS-DEV
(20) } # update control = noop
(20) } # authorize = noop
(20) } # server proxy-inner-tunnel
(20) Virtual server sending reply
(20) eap_peap: Got tunneled reply code 0
(20) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(20) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) -->
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(20) } # Auth-Type eap = handled
(20) Starting proxy to home server 130.92.14.27 port 1812
(20) server default {
(20) # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(20) pre-proxy {
(20) attr_filter.pre-proxy: EXPAND %{Realm}
(20) attr_filter.pre-proxy: --> UNIBE.CH
(20) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(20) [attr_filter.pre-proxy] = updated
(20) } # pre-proxy = updated
(20) }
(20) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(20) Sent Access-Request Id 107 from 0.0.0.0:41351 to 130.92.14.27:1812 length 203
(20) Operator-Name := "1unibe.ch"
(20) EAP-Message = 0x020a00061a03
(20) User-Name = "dominic.stalder at unibe.ch"
(20) State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20) NAS-IP-Address = 130.92.42.20
(20) NAS-Port-Type = Wireless-802.11
(20) Called-Station-Id := "3C-51-0E-72-2A-00"
(20) Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) Message-Authenticator = 0x
(20) Proxy-State = 0x313237
Waking up in 0.3 seconds.
(20) Clearing existing &reply: attributes
(20) Received Access-Accept Id 107 from 130.92.14.27:1812 to 130.92.10.33:41351 length 289
(20) Proxy-State = 0x313237
(20) Class = "staff"
(20) Filter-Id = "staff"
(20) Framed-Protocol = PPP
(20) Service-Type = Framed-User
(20) Tunnel-Medium-Type:0 = IEEE-802
(20) Tunnel-Private-Group-Id:0 = "1874"
(20) Tunnel-Type:0 = VLAN
(20) EAP-Message = 0x030a0004
(20) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(20) MS-CHAP-Domain = "\001CAMPUS"
(20) MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0
(20) MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae
(20) MS-CHAP2-Success = 0x01533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(20) Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af
(20) server default {
(20) # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(20) post-proxy {
(20) attr_filter.post-proxy: EXPAND %{Realm}
(20) attr_filter.post-proxy: --> UNIBE.CH
(20) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(20) [attr_filter.post-proxy] = updated
(20) eap: Doing post-proxy callback
(20) eap: Passing reply from proxy back into the tunnel
(20) eap: Got tunneled reply RADIUS code 2
(20) eap: Tunnel-Type := VLAN
(20) eap: Tunnel-Medium-Type := IEEE-802
(20) eap: Proxy-State = 0x313237
(20) eap: Class = "staff"
(20) eap: Filter-Id = "staff"
(20) eap: Tunnel-Private-Group-Id:0 = "1874"
(20) eap: EAP-Message = 0x030a0004
(20) eap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(20) eap: MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0
(20) eap: MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae
(20) eap: Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af
(20) eap: Tunneled authentication was successful
(20) eap: SUCCESS
(20) eap: Saving tunneled attributes for later
(20) eap: Reply was handled
(20) eap: Sending EAP Request (code 1) ID 11 length 46
(20) eap: EAP session adding &reply:State = 0x1de92fd314e2361c
(20) [eap] = ok
(20) } # post-proxy = updated
(20) }
(20) session-state: Saving cached attributes
(20) Framed-MTU = 1014
(20) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(20) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(20) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20) Sent Access-Challenge Id 127 from 130.92.10.33:1812 to 130.92.42.20:56958 length 104
(20) EAP-Message = 0x010b002e19001703030023ee81289b38b9669bfa1166346ea479e73ee4d39cc73b0e97a63d2f4face2bc55c99f2f
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x1de92fd314e2361c7d7fc55a3903ba57
(20) Finished request
Waking up in 4.8 seconds.
(21) Received Access-Request Id 135 from 130.92.42.20:56958 to 130.92.10.33:1812 length 478
(21) User-Name = "dominic.stalder at unibe.ch"
(21) Service-Type = Framed-User
(21) Cisco-AVPair = "service-type=Framed"
(21) Framed-MTU = 1485
(21) EAP-Message = 0x020b002e190017030300230eb44ab0540a84b8149c5ba395783899c1e875d9932d9debabc348893b31b12bd0f358
(21) Message-Authenticator = 0x3f983eae845159512b2c2a6dcc8a6e62
(21) Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(21) Cisco-AVPair = "method=dot1x"
(21) Cisco-AVPair = "client-iif-id=2500003624"
(21) Cisco-AVPair = "vlan-id=1876"
(21) NAS-IP-Address = 130.92.42.20
(21) NAS-Port-Id = "capwap_9180059e"
(21) NAS-Port-Type = Wireless-802.11
(21) NAS-Port = 4219
(21) State = 0x1de92fd314e2361c7d7fc55a3903ba57
(21) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(21) Cisco-AVPair = "wlan-profile-name=eduroamV2"
(21) Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(21) Calling-Station-Id = "6a-05-bd-e0-f2-80"
(21) Airespace-Wlan-Id = 98
(21) NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(21) Restoring &session-state
(21) &session-state:Framed-MTU = 1014
(21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(21) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(21) authorize {
(21) policy rewrite_called_station_id {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> 3C-51-0E-72-2A-00
(21) &Called-Station-Id := 3C-51-0E-72-2A-00
(21) } # update request = noop
(21) if ("%{8}") {
(21) EXPAND %{8}
(21) --> eduroam
(21) if ("%{8}") -> TRUE
(21) if ("%{8}") {
(21) update request {
(21) EXPAND %{8}
(21) --> eduroam
(21) &Called-Station-SSID := eduroam
(21) } # update request = noop
(21) } # if ("%{8}") = noop
(21) [updated] = updated
(21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_called_station_id = updated
(21) policy rewrite_calling_station_id {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> 6A-05-BD-E0-F2-80
(21) &Calling-Station-Id := 6A-05-BD-E0-F2-80
(21) } # update request = noop
(21) [updated] = updated
(21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_calling_station_id = updated
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = updated
(21) } # policy filter_username = updated
(21) suffix: Checking for suffix after "@"
(21) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(21) suffix: Found realm "UNIBE.CH"
(21) suffix: Adding Stripped-User-Name = "dominic.stalder"
(21) suffix: Adding Realm = "UNIBE.CH"
(21) suffix: Authentication realm is LOCAL
(21) [suffix] = ok
(21) update request {
(21) EXPAND %{toupper:%{Realm}}
(21) --> UNIBE.CH
(21) Realm := UNIBE.CH
(21) } # update request = noop
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i){
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21) policy deny_no_realm {
(21) if (User-Name && (User-Name !~ /@/)) {
(21) if (User-Name && (User-Name !~ /@/)) -> FALSE
(21) } # policy deny_no_realm = updated
(21) switch &control:Called-Station-SSID {
(21) } # switch &control:Called-Station-SSID = updated
(21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(21) eap: Peer sent EAP Response (code 2) ID 11 length 46
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1de92fd314e2361c
(21) eap: Finished EAP session with state 0x1de92fd314e2361c
(21) eap: Previous EAP request found for state 0x1de92fd314e2361c, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: (TLS) EAP Done initial handshake
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state send tlv success
(21) eap_peap: Received EAP-TLV response
(21) eap_peap: Success
(21) eap_peap: Using saved attributes from the original Access-Accept
(21) eap_peap: Tunnel-Type := VLAN
(21) eap_peap: Tunnel-Medium-Type := IEEE-802
(21) eap_peap: Class = "staff"
(21) eap_peap: Filter-Id = "staff"
(21) eap_peap: Tunnel-Private-Group-Id:0 = "1874"
(21) eap_peap: Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(21) eap: Sending EAP Success (code 3) ID 11 length 4
(21) eap: Freeing handler
(21) [eap] = ok
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(21) } # Auth-Type eap = ok
(21) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(21) post-auth {
(21) update {
(21) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(21) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(21) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(21) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(21) } # update = noop
(21) if (EAP-Message) {
(21) if (EAP-Message) -> TRUE
(21) if (EAP-Message) {
(21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format}
(21) 802.1x_authz_log: --> sp.Access-Accept
(21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})
(21) 802.1x_authz_log: --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
(21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log
(21) 802.1x_authz_log: --> /var/log/freeradius/authz.log
(21) [802.1x_authz_log] = ok
(21) } # if (EAP-Message) = ok
(21) policy remove_reply_message_if_eap {
(21) if (&reply:EAP-Message && &reply:Reply-Message) {
(21) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(21) else {
(21) [noop] = noop
(21) } # else = noop
(21) } # policy remove_reply_message_if_eap = noop
(21) } # post-auth = ok
(21) Login OK: [dominic.stalder at unibe.ch] (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
(21) Sent Access-Accept Id 135 from 130.92.10.33:1812 to 130.92.42.20:56958 length 270
(21) Tunnel-Type := VLAN
(21) Tunnel-Medium-Type := IEEE-802
(21) Class = "staff"
(21) Filter-Id = "staff"
(21) Tunnel-Private-Group-Id:0 = "1874"
(21) Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(21) MS-MPPE-Recv-Key = 0x683a26deb424ef81dda94ff52b54b2a7025ac4e6e5b331f264948cdcd9c529a3
(21) MS-MPPE-Send-Key = 0x5e2a7f4ec95429b176dd4235ea7c5ab7beecd50d27ed463169c0cd1fc751e3f6
(21) EAP-Message = 0x030b0004
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) User-Name = "dominic.stalder at unibe.ch"
(21) Framed-MTU += 1014
(21) Finished request
Waking up in 4.8 seconds.
(11) Cleaning up request packet ID 55 with timestamp +32 due to cleanup_delay was reached
(12) Cleaning up request packet ID 63 with timestamp +32 due to cleanup_delay was reached
(13) Cleaning up request packet ID 71 with timestamp +32 due to cleanup_delay was reached
(14) Cleaning up request packet ID 79 with timestamp +32 due to cleanup_delay was reached
(15) Cleaning up request packet ID 87 with timestamp +32 due to cleanup_delay was reached
(16) Cleaning up request packet ID 95 with timestamp +32 due to cleanup_delay was reached
(17) Cleaning up request packet ID 103 with timestamp +32 due to cleanup_delay was reached
(18) Cleaning up request packet ID 111 with timestamp +32 due to cleanup_delay was reached
(19) Cleaning up request packet ID 119 with timestamp +32 due to cleanup_delay was reached
(20) Cleaning up request packet ID 127 with timestamp +32 due to cleanup_delay was reached
(21) Cleaning up request packet ID 135 with timestamp +32 due to cleanup_delay was reached
Ready to process requests
Output in /var/log/freeradius/authz.log:
Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change any thing than before lunch time...
But do we somehow need to close this "discussion" an mark it as resovled or how does this work? __
Anyhow, thank you so much for helping out!
Best reards
Dominic
More information about the Freeradius-Users
mailing list