Add TLS version to logs with linelog

dominic.stalder at unibe.ch dominic.stalder at unibe.ch
Wed Apr 17 11:06:42 UTC 2024


Hi Matthew

Sorry about that. I did re-configure the linelog file (/etc/freeradius/3.0/mods-available/linelog) like this:

# linelog instance that writes authorization result lines to authz.log.
linelog 802.1x_authz_log {
   # Output file, placed under the server's ${logdir}.
   # NOTE(review): each line carries user identity, client MAC, VLAN and Class;
   # confirm authz.log is as tightly restricted as the other RADIUS logs
   # (linelog has a `permissions` setting for this).
   filename = ${logdir}/authz.log
   # Picks the format string by reply packet type: "sp.<Packet-Type>", or
   # "sp.format" when the reply has no Packet-Type.
   reference = "sp.%{%{reply:Packet-Type}:-format}"

   # Format strings looked up through "reference". Only Access-Accept is defined;
   # there is no entry for other reply types and none for the "format" fallback.
   sp {
      # Most fields use %{%{attr}:-default}, so a missing attribute is logged as
      # NULL/Unknown/0 instead of an empty value.
      # TLS-Version and TLS-Ciphers are read from the session-state list; NULL in
      # the log means the attribute was not in that list when this instance ran.
      # NOTE(review): presumably this instance is called after the EAP-TLS/PEAP
      # handshake has completed (e.g. post-auth) -- confirm against the site config.
      Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"

      # Previous format string, left disabled: no TLS-Version/TLS-Ciphers fields,
      # and the SSID value is labelled "SID=".
      #Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] SID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
   }
}

And somehow (I really don't know why), it seems to work now:

(11) Received Access-Request Id 55 from 130.92.42.20:56958 to 130.92.10.33:1812 length 443
(11)   User-Name = "dominic.stalder at unibe.ch"
(11)   Service-Type = Framed-User
(11)   Cisco-AVPair = "service-type=Framed"
(11)   Framed-MTU = 1485
(11)   EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368
(11)   Message-Authenticator = 0x694ebad2a4029567ecc08fd124414d26
(11)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(11)   Cisco-AVPair = "method=dot1x"
(11)   Cisco-AVPair = "client-iif-id=2500003624"
(11)   Cisco-AVPair = "vlan-id=1876"
(11)   NAS-IP-Address = 130.92.42.20
(11)   NAS-Port-Id = "capwap_9180059e"
(11)   NAS-Port-Type = Wireless-802.11
(11)   NAS-Port = 4219
(11)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(11)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(11)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(11)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(11)   Airespace-Wlan-Id = 98
(11)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(11) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11)   authorize {
(11)     policy rewrite_called_station_id {
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(11)         update request {
(11)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11)              --> 3C-51-0E-72-2A-00
(11)           &Called-Station-Id := 3C-51-0E-72-2A-00
(11)         } # update request = noop
(11)         if ("%{8}") {
(11)         EXPAND %{8}
(11)            --> eduroam
(11)         if ("%{8}")  -> TRUE
(11)         if ("%{8}")  {
(11)           update request {
(11)             EXPAND %{8}
(11)                --> eduroam
(11)             &Called-Station-SSID := eduroam
(11)           } # update request = noop
(11)         } # if ("%{8}")  = noop
(11)         [updated] = updated
(11)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(11)       ... skipping else: Preceding "if" was taken
(11)     } # policy rewrite_called_station_id = updated
(11)     policy rewrite_calling_station_id {
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(11)         update request {
(11)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11)              --> 6A-05-BD-E0-F2-80
(11)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(11)         } # update request = noop
(11)         [updated] = updated
(11)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(11)       ... skipping else: Preceding "if" was taken
(11)     } # policy rewrite_calling_station_id = updated
(11)     policy filter_username {
(11)       if (&User-Name) {
(11)       if (&User-Name)  -> TRUE
(11)       if (&User-Name)  {
(11)         if (&User-Name =~ / /) {
(11)         if (&User-Name =~ / /)  -> FALSE
(11)         if (&User-Name =~ /@[^@]*@/ ) {
(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)         if (&User-Name =~ /\.\./ ) {
(11)         if (&User-Name =~ /\.\./ )  -> FALSE
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11)         if (&User-Name =~ /\.$/)  {
(11)         if (&User-Name =~ /\.$/)   -> FALSE
(11)         if (&User-Name =~ /@\./)  {
(11)         if (&User-Name =~ /@\./)   -> FALSE
(11)       } # if (&User-Name)  = updated
(11)     } # policy filter_username = updated
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(11) suffix: Found realm "UNIBE.CH"
(11) suffix: Adding Stripped-User-Name = "dominic.stalder"
(11) suffix: Adding Realm = "UNIBE.CH"
(11) suffix: Authentication realm is LOCAL
(11)     [suffix] = ok
(11)     update request {
(11)       EXPAND %{toupper:%{Realm}}
(11)          --> UNIBE.CH
(11)       Realm := UNIBE.CH
(11)     } # update request = noop
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(11)       policy deny_no_realm {
(11)         if (User-Name && (User-Name !~ /@/)) {
(11)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(11)       } # policy deny_no_realm = updated
(11)       switch &control:Called-Station-SSID {
(11)       } # switch &control:Called-Station-SSID = updated
(11)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(11) eap: Peer sent EAP Response (code 2) ID 1 length 29
(11) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11)   Auth-Type eap {
(11) eap: Peer sent packet with method EAP Identity (1)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) Initiating new session
(11) eap: Sending EAP Request (code 1) ID 2 length 6
(11) eap: EAP session adding &reply:State = 0x1de92fd31deb361c
(11)     [eap] = handled
(11)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(11)     EXPAND Response-Packet-Type
(11)        --> Access-Challenge
(11)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(11)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(11) attr_filter.access_challenge: EXPAND %{User-Name}
(11) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(11) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(11)       [attr_filter.access_challenge.post-auth] = updated
(11)       [handled] = handled
(11)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(11)   } # Auth-Type eap = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found.  Ignoring.
(11) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11) session-state: Saving cached attributes
(11)   Framed-MTU = 1014
(11) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.20:56958 length 64
(11)   EAP-Message = 0x010200061920
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   State = 0x1de92fd31deb361c7d7fc55a3903ba57
(11) Finished request
Waking up in 4.9 seconds.
(12) Received Access-Request Id 63 from 130.92.42.20:56958 to 130.92.10.33:1812 length 593
(12)   User-Name = "dominic.stalder at unibe.ch"
(12)   Service-Type = Framed-User
(12)   Cisco-AVPair = "service-type=Framed"
(12)   Framed-MTU = 1485
(12)   EAP-Message = 0x020200a119800000009716030100920100008e0303661faab7c8f9e6c7d0b52b2ff41e68b74cec609bc8e752d9be7ef0bbfdb3d86600002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(12)   Message-Authenticator = 0xc7079924fb998ffe2063c4354d944773
(12)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(12)   Cisco-AVPair = "method=dot1x"
(12)   Cisco-AVPair = "client-iif-id=2500003624"
(12)   Cisco-AVPair = "vlan-id=1876"
(12)   NAS-IP-Address = 130.92.42.20
(12)   NAS-Port-Id = "capwap_9180059e"
(12)   NAS-Port-Type = Wireless-802.11
(12)   NAS-Port = 4219
(12)   State = 0x1de92fd31deb361c7d7fc55a3903ba57
(12)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(12)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(12)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(12)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(12)   Airespace-Wlan-Id = 98
(12)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(12) Restoring &session-state
(12)   &session-state:Framed-MTU = 1014
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12)   authorize {
(12)     policy rewrite_called_station_id {
(12)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(12)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(12)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(12)         update request {
(12)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12)              --> 3C-51-0E-72-2A-00
(12)           &Called-Station-Id := 3C-51-0E-72-2A-00
(12)         } # update request = noop
(12)         if ("%{8}") {
(12)         EXPAND %{8}
(12)            --> eduroam
(12)         if ("%{8}")  -> TRUE
(12)         if ("%{8}")  {
(12)           update request {
(12)             EXPAND %{8}
(12)                --> eduroam
(12)             &Called-Station-SSID := eduroam
(12)           } # update request = noop
(12)         } # if ("%{8}")  = noop
(12)         [updated] = updated
(12)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(12)       ... skipping else: Preceding "if" was taken
(12)     } # policy rewrite_called_station_id = updated
(12)     policy rewrite_calling_station_id {
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(12)         update request {
(12)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12)              --> 6A-05-BD-E0-F2-80
(12)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(12)         } # update request = noop
(12)         [updated] = updated
(12)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(12)       ... skipping else: Preceding "if" was taken
(12)     } # policy rewrite_calling_station_id = updated
(12)     policy filter_username {
(12)       if (&User-Name) {
(12)       if (&User-Name)  -> TRUE
(12)       if (&User-Name)  {
(12)         if (&User-Name =~ / /) {
(12)         if (&User-Name =~ / /)  -> FALSE
(12)         if (&User-Name =~ /@[^@]*@/ ) {
(12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)         if (&User-Name =~ /\.\./ ) {
(12)         if (&User-Name =~ /\.\./ )  -> FALSE
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(12)         if (&User-Name =~ /\.$/)  {
(12)         if (&User-Name =~ /\.$/)   -> FALSE
(12)         if (&User-Name =~ /@\./)  {
(12)         if (&User-Name =~ /@\./)   -> FALSE
(12)       } # if (&User-Name)  = updated
(12)     } # policy filter_username = updated
(12) suffix: Checking for suffix after "@"
(12) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(12) suffix: Found realm "UNIBE.CH"
(12) suffix: Adding Stripped-User-Name = "dominic.stalder"
(12) suffix: Adding Realm = "UNIBE.CH"
(12) suffix: Authentication realm is LOCAL
(12)     [suffix] = ok
(12)     update request {
(12)       EXPAND %{toupper:%{Realm}}
(12)          --> UNIBE.CH
(12)       Realm := UNIBE.CH
(12)     } # update request = noop
(12)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(12)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(12)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(12)       policy deny_no_realm {
(12)         if (User-Name && (User-Name !~ /@/)) {
(12)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(12)       } # policy deny_no_realm = updated
(12)       switch &control:Called-Station-SSID {
(12)       } # switch &control:Called-Station-SSID = updated
(12)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(12) eap: Peer sent EAP Response (code 2) ID 2 length 161
(12) eap: Continuing tunnel setup
(12)     [eap] = ok
(12)   } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12)   Auth-Type eap {
(12) eap: Expiring EAP session with state 0x1de92fd31deb361c
(12) eap: Finished EAP session with state 0x1de92fd31deb361c
(12) eap: Previous EAP request found for state 0x1de92fd31deb361c, released from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(12) eap_peap: (TLS) EAP Got all data (151 bytes)
(12) eap_peap: (TLS) Handshake state - before SSL initialization
(12) eap_peap: (TLS) Handshake state - Server before SSL initialization
(12) eap_peap: (TLS) Handshake state - Server before SSL initialization
(12) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello
(12) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(12) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(12) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(12) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(12) eap_peap: (TLS) In Handshake Phase
(12) eap: Sending EAP Request (code 1) ID 3 length 1024
(12) eap: EAP session adding &reply:State = 0x1de92fd31cea361c
(12)     [eap] = handled
(12)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(12)     EXPAND Response-Packet-Type
(12)        --> Access-Challenge
(12)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(12)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(12) attr_filter.access_challenge: EXPAND %{User-Name}
(12) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(12) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(12)       [attr_filter.access_challenge.post-auth] = updated
(12)       [handled] = handled
(12)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(12)   } # Auth-Type eap = handled
(12) Using Post-Auth-Type Challenge
(12) Post-Auth-Type sub-section not found.  Ignoring.
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) session-state: Saving cached attributes
(12)   Framed-MTU = 1014
(12)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(12)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(12)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(12)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(12)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(12) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1090
(12)   EAP-Message = 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
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   State = 0x1de92fd31cea361c7d7fc55a3903ba57
(12) Finished request
Waking up in 4.9 seconds.
(13) Received Access-Request Id 71 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(13)   User-Name = "dominic.stalder at unibe.ch"
(13)   Service-Type = Framed-User
(13)   Cisco-AVPair = "service-type=Framed"
(13)   Framed-MTU = 1485
(13)   EAP-Message = 0x020300061900
(13)   Message-Authenticator = 0x1ad7104e34710165cee7e703a1e285aa
(13)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(13)   Cisco-AVPair = "method=dot1x"
(13)   Cisco-AVPair = "client-iif-id=2500003624"
(13)   Cisco-AVPair = "vlan-id=1876"
(13)   NAS-IP-Address = 130.92.42.20
(13)   NAS-Port-Id = "capwap_9180059e"
(13)   NAS-Port-Type = Wireless-802.11
(13)   NAS-Port = 4219
(13)   State = 0x1de92fd31cea361c7d7fc55a3903ba57
(13)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(13)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(13)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(13)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(13)   Airespace-Wlan-Id = 98
(13)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(13) Restoring &session-state
(13)   &session-state:Framed-MTU = 1014
(13)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(13)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(13)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(13)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(13)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(13) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(13)   authorize {
(13)     policy rewrite_called_station_id {
(13)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(13)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(13)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(13)         update request {
(13)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13)              --> 3C-51-0E-72-2A-00
(13)           &Called-Station-Id := 3C-51-0E-72-2A-00
(13)         } # update request = noop
(13)         if ("%{8}") {
(13)         EXPAND %{8}
(13)            --> eduroam
(13)         if ("%{8}")  -> TRUE
(13)         if ("%{8}")  {
(13)           update request {
(13)             EXPAND %{8}
(13)                --> eduroam
(13)             &Called-Station-SSID := eduroam
(13)           } # update request = noop
(13)         } # if ("%{8}")  = noop
(13)         [updated] = updated
(13)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(13)       ... skipping else: Preceding "if" was taken
(13)     } # policy rewrite_called_station_id = updated
(13)     policy rewrite_calling_station_id {
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(13)         update request {
(13)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13)              --> 6A-05-BD-E0-F2-80
(13)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(13)         } # update request = noop
(13)         [updated] = updated
(13)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(13)       ... skipping else: Preceding "if" was taken
(13)     } # policy rewrite_calling_station_id = updated
(13)     policy filter_username {
(13)       if (&User-Name) {
(13)       if (&User-Name)  -> TRUE
(13)       if (&User-Name)  {
(13)         if (&User-Name =~ / /) {
(13)         if (&User-Name =~ / /)  -> FALSE
(13)         if (&User-Name =~ /@[^@]*@/ ) {
(13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)         if (&User-Name =~ /\.\./ ) {
(13)         if (&User-Name =~ /\.\./ )  -> FALSE
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(13)         if (&User-Name =~ /\.$/)  {
(13)         if (&User-Name =~ /\.$/)   -> FALSE
(13)         if (&User-Name =~ /@\./)  {
(13)         if (&User-Name =~ /@\./)   -> FALSE
(13)       } # if (&User-Name)  = updated
(13)     } # policy filter_username = updated
(13) suffix: Checking for suffix after "@"
(13) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(13) suffix: Found realm "UNIBE.CH"
(13) suffix: Adding Stripped-User-Name = "dominic.stalder"
(13) suffix: Adding Realm = "UNIBE.CH"
(13) suffix: Authentication realm is LOCAL
(13)     [suffix] = ok
(13)     update request {
(13)       EXPAND %{toupper:%{Realm}}
(13)          --> UNIBE.CH
(13)       Realm := UNIBE.CH
(13)     } # update request = noop
(13)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(13)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(13)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(13)       policy deny_no_realm {
(13)         if (User-Name && (User-Name !~ /@/)) {
(13)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(13)       } # policy deny_no_realm = updated
(13)       switch &control:Called-Station-SSID {
(13)       } # switch &control:Called-Station-SSID = updated
(13)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(13) eap: Peer sent EAP Response (code 2) ID 3 length 6
(13) eap: Continuing tunnel setup
(13)     [eap] = ok
(13)   } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13)   Auth-Type eap {
(13) eap: Expiring EAP session with state 0x1de92fd31cea361c
(13) eap: Finished EAP session with state 0x1de92fd31cea361c
(13) eap: Previous EAP request found for state 0x1de92fd31cea361c, released from the list
(13) eap: Peer sent packet with method EAP PEAP (25)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: (TLS) Peer ACKed our handshake fragment
(13) eap: Sending EAP Request (code 1) ID 4 length 1020
(13) eap: EAP session adding &reply:State = 0x1de92fd31fed361c
(13)     [eap] = handled
(13)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(13)     EXPAND Response-Packet-Type
(13)        --> Access-Challenge
(13)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(13)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(13) attr_filter.access_challenge: EXPAND %{User-Name}
(13) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(13) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(13)       [attr_filter.access_challenge.post-auth] = updated
(13)       [handled] = handled
(13)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(13)   } # Auth-Type eap = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found.  Ignoring.
(13) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(13) session-state: Saving cached attributes
(13)   Framed-MTU = 1014
(13)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(13)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(13)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(13)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(13)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(13) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086
(13)   EAP-Message = 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
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0x1de92fd31fed361c7d7fc55a3903ba57
(13) Finished request
Waking up in 4.9 seconds.
(14) Received Access-Request Id 79 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(14)   User-Name = "dominic.stalder at unibe.ch"
(14)   Service-Type = Framed-User
(14)   Cisco-AVPair = "service-type=Framed"
(14)   Framed-MTU = 1485
(14)   EAP-Message = 0x020400061900
(14)   Message-Authenticator = 0xf31f29575e431c5f2f8a42e9fd12c70a
(14)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(14)   Cisco-AVPair = "method=dot1x"
(14)   Cisco-AVPair = "client-iif-id=2500003624"
(14)   Cisco-AVPair = "vlan-id=1876"
(14)   NAS-IP-Address = 130.92.42.20
(14)   NAS-Port-Id = "capwap_9180059e"
(14)   NAS-Port-Type = Wireless-802.11
(14)   NAS-Port = 4219
(14)   State = 0x1de92fd31fed361c7d7fc55a3903ba57
(14)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(14)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(14)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(14)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(14)   Airespace-Wlan-Id = 98
(14)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(14) Restoring &session-state
(14)   &session-state:Framed-MTU = 1014
(14)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(14)   authorize {
(14)     policy rewrite_called_station_id {
(14)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(14)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(14)         update request {
(14)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14)              --> 3C-51-0E-72-2A-00
(14)           &Called-Station-Id := 3C-51-0E-72-2A-00
(14)         } # update request = noop
(14)         if ("%{8}") {
(14)         EXPAND %{8}
(14)            --> eduroam
(14)         if ("%{8}")  -> TRUE
(14)         if ("%{8}")  {
(14)           update request {
(14)             EXPAND %{8}
(14)                --> eduroam
(14)             &Called-Station-SSID := eduroam
(14)           } # update request = noop
(14)         } # if ("%{8}")  = noop
(14)         [updated] = updated
(14)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(14)       ... skipping else: Preceding "if" was taken
(14)     } # policy rewrite_called_station_id = updated
(14)     policy rewrite_calling_station_id {
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(14)         update request {
(14)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14)              --> 6A-05-BD-E0-F2-80
(14)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(14)         } # update request = noop
(14)         [updated] = updated
(14)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(14)       ... skipping else: Preceding "if" was taken
(14)     } # policy rewrite_calling_station_id = updated
(14)     policy filter_username {
(14)       if (&User-Name) {
(14)       if (&User-Name)  -> TRUE
(14)       if (&User-Name)  {
(14)         if (&User-Name =~ / /) {
(14)         if (&User-Name =~ / /)  -> FALSE
(14)         if (&User-Name =~ /@[^@]*@/ ) {
(14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)         if (&User-Name =~ /\.\./ ) {
(14)         if (&User-Name =~ /\.\./ )  -> FALSE
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(14)         if (&User-Name =~ /\.$/)  {
(14)         if (&User-Name =~ /\.$/)   -> FALSE
(14)         if (&User-Name =~ /@\./)  {
(14)         if (&User-Name =~ /@\./)   -> FALSE
(14)       } # if (&User-Name)  = updated
(14)     } # policy filter_username = updated
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(14) suffix: Found realm "UNIBE.CH"
(14) suffix: Adding Stripped-User-Name = "dominic.stalder"
(14) suffix: Adding Realm = "UNIBE.CH"
(14) suffix: Authentication realm is LOCAL
(14)     [suffix] = ok
(14)     update request {
(14)       EXPAND %{toupper:%{Realm}}
(14)          --> UNIBE.CH
(14)       Realm := UNIBE.CH
(14)     } # update request = noop
(14)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(14)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(14)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14)       policy deny_no_realm {
(14)         if (User-Name && (User-Name !~ /@/)) {
(14)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(14)       } # policy deny_no_realm = updated
(14)       switch &control:Called-Station-SSID {
(14)       } # switch &control:Called-Station-SSID = updated
(14)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(14) eap: Peer sent EAP Response (code 2) ID 4 length 6
(14) eap: Continuing tunnel setup
(14)     [eap] = ok
(14)   } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14)   Auth-Type eap {
(14) eap: Expiring EAP session with state 0x1de92fd31fed361c
(14) eap: Finished EAP session with state 0x1de92fd31fed361c
(14) eap: Previous EAP request found for state 0x1de92fd31fed361c, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 5 length 1020
(14) eap: EAP session adding &reply:State = 0x1de92fd31eec361c
(14)     [eap] = handled
(14)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(14)     EXPAND Response-Packet-Type
(14)        --> Access-Challenge
(14)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(14)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14)       [attr_filter.access_challenge.post-auth] = updated
(14)       [handled] = handled
(14)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(14)   } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found.  Ignoring.
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14) session-state: Saving cached attributes
(14)   Framed-MTU = 1014
(14)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.20:56958 length 1086
(14)   EAP-Message = 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
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0x1de92fd31eec361c7d7fc55a3903ba57
(14) Finished request
Waking up in 4.9 seconds.
(15) Received Access-Request Id 87 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(15)   User-Name = "dominic.stalder at unibe.ch"
(15)   Service-Type = Framed-User
(15)   Cisco-AVPair = "service-type=Framed"
(15)   Framed-MTU = 1485
(15)   EAP-Message = 0x020500061900
(15)   Message-Authenticator = 0xf18ed8d8c98adb93b8213140f59a8378
(15)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(15)   Cisco-AVPair = "method=dot1x"
(15)   Cisco-AVPair = "client-iif-id=2500003624"
(15)   Cisco-AVPair = "vlan-id=1876"
(15)   NAS-IP-Address = 130.92.42.20
(15)   NAS-Port-Id = "capwap_9180059e"
(15)   NAS-Port-Type = Wireless-802.11
(15)   NAS-Port = 4219
(15)   State = 0x1de92fd31eec361c7d7fc55a3903ba57
(15)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(15)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(15)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(15)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(15)   Airespace-Wlan-Id = 98
(15)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(15) Restoring &session-state
(15)   &session-state:Framed-MTU = 1014
(15)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(15)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(15)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(15)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(15)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(15) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15)   authorize {
(15)     policy rewrite_called_station_id {
(15)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(15)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(15)         update request {
(15)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15)              --> 3C-51-0E-72-2A-00
(15)           &Called-Station-Id := 3C-51-0E-72-2A-00
(15)         } # update request = noop
(15)         if ("%{8}") {
(15)         EXPAND %{8}
(15)            --> eduroam
(15)         if ("%{8}")  -> TRUE
(15)         if ("%{8}")  {
(15)           update request {
(15)             EXPAND %{8}
(15)                --> eduroam
(15)             &Called-Station-SSID := eduroam
(15)           } # update request = noop
(15)         } # if ("%{8}")  = noop
(15)         [updated] = updated
(15)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(15)       ... skipping else: Preceding "if" was taken
(15)     } # policy rewrite_called_station_id = updated
(15)     policy rewrite_calling_station_id {
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(15)         update request {
(15)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15)              --> 6A-05-BD-E0-F2-80
(15)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(15)         } # update request = noop
(15)         [updated] = updated
(15)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(15)       ... skipping else: Preceding "if" was taken
(15)     } # policy rewrite_calling_station_id = updated
(15)     policy filter_username {
(15)       if (&User-Name) {
(15)       if (&User-Name)  -> TRUE
(15)       if (&User-Name)  {
(15)         if (&User-Name =~ / /) {
(15)         if (&User-Name =~ / /)  -> FALSE
(15)         if (&User-Name =~ /@[^@]*@/ ) {
(15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)         if (&User-Name =~ /\.\./ ) {
(15)         if (&User-Name =~ /\.\./ )  -> FALSE
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(15)         if (&User-Name =~ /\.$/)  {
(15)         if (&User-Name =~ /\.$/)   -> FALSE
(15)         if (&User-Name =~ /@\./)  {
(15)         if (&User-Name =~ /@\./)   -> FALSE
(15)       } # if (&User-Name)  = updated
(15)     } # policy filter_username = updated
(15) suffix: Checking for suffix after "@"
(15) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(15) suffix: Found realm "UNIBE.CH"
(15) suffix: Adding Stripped-User-Name = "dominic.stalder"
(15) suffix: Adding Realm = "UNIBE.CH"
(15) suffix: Authentication realm is LOCAL
(15)     [suffix] = ok
(15)     update request {
(15)       EXPAND %{toupper:%{Realm}}
(15)          --> UNIBE.CH
(15)       Realm := UNIBE.CH
(15)     } # update request = noop
(15)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(15)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(15)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15)       policy deny_no_realm {
(15)         if (User-Name && (User-Name !~ /@/)) {
(15)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(15)       } # policy deny_no_realm = updated
(15)       switch &control:Called-Station-SSID {
(15)       } # switch &control:Called-Station-SSID = updated
(15)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(15) eap: Peer sent EAP Response (code 2) ID 5 length 6
(15) eap: Continuing tunnel setup
(15)     [eap] = ok
(15)   } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15)   Auth-Type eap {
(15) eap: Expiring EAP session with state 0x1de92fd31eec361c
(15) eap: Finished EAP session with state 0x1de92fd31eec361c
(15) eap: Previous EAP request found for state 0x1de92fd31eec361c, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: (TLS) Peer ACKed our handshake fragment
(15) eap: Sending EAP Request (code 1) ID 6 length 588
(15) eap: EAP session adding &reply:State = 0x1de92fd319ef361c
(15)     [eap] = handled
(15)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(15)     EXPAND Response-Packet-Type
(15)        --> Access-Challenge
(15)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(15)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15)       [attr_filter.access_challenge.post-auth] = updated
(15)       [handled] = handled
(15)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(15)   } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found.  Ignoring.
(15) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15) session-state: Saving cached attributes
(15)   Framed-MTU = 1014
(15)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(15)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(15)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(15)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(15)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(15) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.20:56958 length 650
(15)   EAP-Message = 0x0106024c190092dd4a3f6f4a476dce8054dcc67a57c7efffd02a530da7129206cf2d59743367135e3238837f3915851242955fc5b8517786f16d34b6872189b4e3e01005c5f9436cb4341721ddd33be24eaa920f8bd7f3f06b48f9c1de57460ad46f66e46a65c749cf786d0afadbc0812eae6da881a6a3e7dbc8aac3d8f3443ae4f1614e4c9f4f80f9c26e35d5d67994f3f07db48ec18f369b282e7b0d9178f3ca6dc74bd4f9d0b11385dbe0add5465a8a07ebdd590a7145f7d9deb1436636202d59496850bfdf3427f97f2b0989a6eec0f8d7444ce5e69cd0b5460ae57efc0e259c16227376bc8774a255010d721f9ec9160303014d0c0001490300174104e24dea9bac02fa89350a2a9907808663b23db0dcffb0c3942c4e3e768589e14a53ad8a938b48a08546b6adcc29bfa64a726170e0b8b2c2b499690ec9d5d59b300401010049a41dd7d2618931e2d16fa22e869397478ff177fc2301eef652e6042defcf82f60897df4af82c6bb00a12f52a239964f55de72b
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0x1de92fd319ef361c7d7fc55a3903ba57
(15) Finished request
Waking up in 4.9 seconds.
(16) Received Access-Request Id 95 from 130.92.42.20:56958 to 130.92.10.33:1812 length 568
(16)   User-Name = "dominic.stalder at unibe.ch"
(16)   Service-Type = Framed-User
(16)   Cisco-AVPair = "service-type=Framed"
(16)   Framed-MTU = 1485
(16)   EAP-Message = 0x0206008819800000007e16030300461000004241044b18bc5103fb19b4b172d827bebc8fb6e5a89caa86ecd2d2af20d96592e46b5ede6df542983d8a4b7d178b59644148f098333e0333f58ba0bac27972d54d107014030300010116030300280eb44ab0540a84b463a92404ef78c91d26aa51ff96e86301c8d7ddbf9e12724aa933f1a64c868dea
(16)   Message-Authenticator = 0xdbfc267b0e764874e63c61f643fb722e
(16)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(16)   Cisco-AVPair = "method=dot1x"
(16)   Cisco-AVPair = "client-iif-id=2500003624"
(16)   Cisco-AVPair = "vlan-id=1876"
(16)   NAS-IP-Address = 130.92.42.20
(16)   NAS-Port-Id = "capwap_9180059e"
(16)   NAS-Port-Type = Wireless-802.11
(16)   NAS-Port = 4219
(16)   State = 0x1de92fd319ef361c7d7fc55a3903ba57
(16)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(16)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(16)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(16)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(16)   Airespace-Wlan-Id = 98
(16)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(16) Restoring &session-state
(16)   &session-state:Framed-MTU = 1014
(16)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(16)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(16)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(16)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(16)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(16) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(16)   authorize {
(16)     policy rewrite_called_station_id {
(16)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(16)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(16)         update request {
(16)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16)              --> 3C-51-0E-72-2A-00
(16)           &Called-Station-Id := 3C-51-0E-72-2A-00
(16)         } # update request = noop
(16)         if ("%{8}") {
(16)         EXPAND %{8}
(16)            --> eduroam
(16)         if ("%{8}")  -> TRUE
(16)         if ("%{8}")  {
(16)           update request {
(16)             EXPAND %{8}
(16)                --> eduroam
(16)             &Called-Station-SSID := eduroam
(16)           } # update request = noop
(16)         } # if ("%{8}")  = noop
(16)         [updated] = updated
(16)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(16)       ... skipping else: Preceding "if" was taken
(16)     } # policy rewrite_called_station_id = updated
(16)     policy rewrite_calling_station_id {
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(16)         update request {
(16)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16)              --> 6A-05-BD-E0-F2-80
(16)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(16)         } # update request = noop
(16)         [updated] = updated
(16)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(16)       ... skipping else: Preceding "if" was taken
(16)     } # policy rewrite_calling_station_id = updated
(16)     policy filter_username {
(16)       if (&User-Name) {
(16)       if (&User-Name)  -> TRUE
(16)       if (&User-Name)  {
(16)         if (&User-Name =~ / /) {
(16)         if (&User-Name =~ / /)  -> FALSE
(16)         if (&User-Name =~ /@[^@]*@/ ) {
(16)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(16)         if (&User-Name =~ /\.\./ ) {
(16)         if (&User-Name =~ /\.\./ )  -> FALSE
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(16)         if (&User-Name =~ /\.$/)  {
(16)         if (&User-Name =~ /\.$/)   -> FALSE
(16)         if (&User-Name =~ /@\./)  {
(16)         if (&User-Name =~ /@\./)   -> FALSE
(16)       } # if (&User-Name)  = updated
(16)     } # policy filter_username = updated
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(16) suffix: Found realm "UNIBE.CH"
(16) suffix: Adding Stripped-User-Name = "dominic.stalder"
(16) suffix: Adding Realm = "UNIBE.CH"
(16) suffix: Authentication realm is LOCAL
(16)     [suffix] = ok
(16)     update request {
(16)       EXPAND %{toupper:%{Realm}}
(16)          --> UNIBE.CH
(16)       Realm := UNIBE.CH
(16)     } # update request = noop
(16)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(16)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(16)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16)       policy deny_no_realm {
(16)         if (User-Name && (User-Name !~ /@/)) {
(16)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(16)       } # policy deny_no_realm = updated
(16)       switch &control:Called-Station-SSID {
(16)       } # switch &control:Called-Station-SSID = updated
(16)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(16) eap: Peer sent EAP Response (code 2) ID 6 length 136
(16) eap: Continuing tunnel setup
(16)     [eap] = ok
(16)   } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16)   Auth-Type eap {
(16) eap: Expiring EAP session with state 0x1de92fd319ef361c
(16) eap: Finished EAP session with state 0x1de92fd319ef361c
(16) eap: Previous EAP request found for state 0x1de92fd319ef361c, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(16) eap_peap: (TLS) EAP Got all data (126 bytes)
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done
(16) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(16) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished
(16) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(16) eap_peap: (TLS) send TLS 1.2 Handshake, Finished
(16) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished
(16) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
(16) eap_peap: (TLS) Connection Established
(16) eap_peap:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(16) eap_peap:   TLS-Session-Version = "TLS 1.2"
(16) eap: Sending EAP Request (code 1) ID 7 length 57
(16) eap: EAP session adding &reply:State = 0x1de92fd318ee361c
(16)     [eap] = handled
(16)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(16)     EXPAND Response-Packet-Type
(16)        --> Access-Challenge
(16)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(16)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16)       [attr_filter.access_challenge.post-auth] = updated
(16)       [handled] = handled
(16)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(16)   } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found.  Ignoring.
(16) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(16) session-state: Saving cached attributes
(16)   Framed-MTU = 1014
(16)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(16)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(16)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(16)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(16)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(16)   TLS-Session-Version = "TLS 1.2"
(16) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.20:56958 length 115
(16)   EAP-Message = 0x0107003919001403030001011603030028ee81289b38b966971e6a8bb4192ebcb8c0668f81a560a0e83c8f2f358c5048da4e4502dad8f52a42
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0x1de92fd318ee361c7d7fc55a3903ba57
(16) Finished request
Waking up in 4.8 seconds.
(17) Received Access-Request Id 103 from 130.92.42.20:56958 to 130.92.10.33:1812 length 438
(17)   User-Name = "dominic.stalder at unibe.ch"
(17)   Service-Type = Framed-User
(17)   Cisco-AVPair = "service-type=Framed"
(17)   Framed-MTU = 1485
(17)   EAP-Message = 0x020700061900
(17)   Message-Authenticator = 0x93382dc058a6fc411428994f06077c45
(17)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(17)   Cisco-AVPair = "method=dot1x"
(17)   Cisco-AVPair = "client-iif-id=2500003624"
(17)   Cisco-AVPair = "vlan-id=1876"
(17)   NAS-IP-Address = 130.92.42.20
(17)   NAS-Port-Id = "capwap_9180059e"
(17)   NAS-Port-Type = Wireless-802.11
(17)   NAS-Port = 4219
(17)   State = 0x1de92fd318ee361c7d7fc55a3903ba57
(17)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(17)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(17)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(17)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(17)   Airespace-Wlan-Id = 98
(17)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(17) Restoring &session-state
(17)   &session-state:Framed-MTU = 1014
(17)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(17)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(17)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(17)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(17)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17)   &session-state:TLS-Session-Version = "TLS 1.2"
(17) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(17)   authorize {
(17)     policy rewrite_called_station_id {
(17)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(17)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(17)         update request {
(17)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17)              --> 3C-51-0E-72-2A-00
(17)           &Called-Station-Id := 3C-51-0E-72-2A-00
(17)         } # update request = noop
(17)         if ("%{8}") {
(17)         EXPAND %{8}
(17)            --> eduroam
(17)         if ("%{8}")  -> TRUE
(17)         if ("%{8}")  {
(17)           update request {
(17)             EXPAND %{8}
(17)                --> eduroam
(17)             &Called-Station-SSID := eduroam
(17)           } # update request = noop
(17)         } # if ("%{8}")  = noop
(17)         [updated] = updated
(17)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(17)       ... skipping else: Preceding "if" was taken
(17)     } # policy rewrite_called_station_id = updated
(17)     policy rewrite_calling_station_id {
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(17)         update request {
(17)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17)              --> 6A-05-BD-E0-F2-80
(17)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(17)         } # update request = noop
(17)         [updated] = updated
(17)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(17)       ... skipping else: Preceding "if" was taken
(17)     } # policy rewrite_calling_station_id = updated
(17)     policy filter_username {
(17)       if (&User-Name) {
(17)       if (&User-Name)  -> TRUE
(17)       if (&User-Name)  {
(17)         if (&User-Name =~ / /) {
(17)         if (&User-Name =~ / /)  -> FALSE
(17)         if (&User-Name =~ /@[^@]*@/ ) {
(17)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(17)         if (&User-Name =~ /\.\./ ) {
(17)         if (&User-Name =~ /\.\./ )  -> FALSE
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(17)         if (&User-Name =~ /\.$/)  {
(17)         if (&User-Name =~ /\.$/)   -> FALSE
(17)         if (&User-Name =~ /@\./)  {
(17)         if (&User-Name =~ /@\./)   -> FALSE
(17)       } # if (&User-Name)  = updated
(17)     } # policy filter_username = updated
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(17) suffix: Found realm "UNIBE.CH"
(17) suffix: Adding Stripped-User-Name = "dominic.stalder"
(17) suffix: Adding Realm = "UNIBE.CH"
(17) suffix: Authentication realm is LOCAL
(17)     [suffix] = ok
(17)     update request {
(17)       EXPAND %{toupper:%{Realm}}
(17)          --> UNIBE.CH
(17)       Realm := UNIBE.CH
(17)     } # update request = noop
(17)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(17)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(17)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17)       policy deny_no_realm {
(17)         if (User-Name && (User-Name !~ /@/)) {
(17)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(17)       } # policy deny_no_realm = updated
(17)       switch &control:Called-Station-SSID {
(17)       } # switch &control:Called-Station-SSID = updated
(17)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(17) eap: Peer sent EAP Response (code 2) ID 7 length 6
(17) eap: Continuing tunnel setup
(17)     [eap] = ok
(17)   } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17)   Auth-Type eap {
(17) eap: Expiring EAP session with state 0x1de92fd318ee361c
(17) eap: Finished EAP session with state 0x1de92fd318ee361c
(17) eap: Previous EAP request found for state 0x1de92fd318ee361c, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: (TLS) Peer ACKed our handshake fragment.  handshake is finished
(17) eap_peap: Session established.  Decoding tunneled attributes
(17) eap_peap: PEAP state TUNNEL ESTABLISHED
(17) eap: Sending EAP Request (code 1) ID 8 length 40
(17) eap: EAP session adding &reply:State = 0x1de92fd31be1361c
(17)     [eap] = handled
(17)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(17)     EXPAND Response-Packet-Type
(17)        --> Access-Challenge
(17)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(17)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge:    --> dominic.stalder at unibe.ch
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17)       [attr_filter.access_challenge.post-auth] = updated
(17)       [handled] = handled
(17)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(17)   } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found.  Ignoring.
(17) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(17) session-state: Saving cached attributes
(17)   Framed-MTU = 1014
(17)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(17)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(17)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(17)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(17)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17)   TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.20:56958 length 98
(17)   EAP-Message = 0x010800281900170303001dee81289b38b966986346a9c5260f98ec8918724d9885a5054c41aac2f6
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0x1de92fd31be1361c7d7fc55a3903ba57
(17) Finished request
Waking up in 4.8 seconds.
(18) Received Access-Request Id 111 from 130.92.42.20:56958 to 130.92.10.33:1812 length 492
(18)   User-Name = "dominic.stalder at unibe.ch"
(18)   Service-Type = Framed-User
(18)   Cisco-AVPair = "service-type=Framed"
(18)   Framed-MTU = 1485
(18)   EAP-Message = 0x0208003c190017030300310eb44ab0540a84b5ba10d71cb3cafd821018d4f9504190b41636a547d19a561c7362bf3cc1b8af6ff924ab0511352a4b3b
(18)   Message-Authenticator = 0x852d8279186eef24f4927cf9cbb3522b
(18)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18)   Cisco-AVPair = "method=dot1x"
(18)   Cisco-AVPair = "client-iif-id=2500003624"
(18)   Cisco-AVPair = "vlan-id=1876"
(18)   NAS-IP-Address = 130.92.42.20
(18)   NAS-Port-Id = "capwap_9180059e"
(18)   NAS-Port-Type = Wireless-802.11
(18)   NAS-Port = 4219
(18)   State = 0x1de92fd31be1361c7d7fc55a3903ba57
(18)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(18)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(18)   Airespace-Wlan-Id = 98
(18)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) Restoring &session-state
(18)   &session-state:Framed-MTU = 1014
(18)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(18)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(18)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(18)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(18)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18)   &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(18)   authorize {
(18)     policy rewrite_called_station_id {
(18)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(18)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(18)         update request {
(18)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18)              --> 3C-51-0E-72-2A-00
(18)           &Called-Station-Id := 3C-51-0E-72-2A-00
(18)         } # update request = noop
(18)         if ("%{8}") {
(18)         EXPAND %{8}
(18)            --> eduroam
(18)         if ("%{8}")  -> TRUE
(18)         if ("%{8}")  {
(18)           update request {
(18)             EXPAND %{8}
(18)                --> eduroam
(18)             &Called-Station-SSID := eduroam
(18)           } # update request = noop
(18)         } # if ("%{8}")  = noop
(18)         [updated] = updated
(18)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(18)       ... skipping else: Preceding "if" was taken
(18)     } # policy rewrite_called_station_id = updated
(18)     policy rewrite_calling_station_id {
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(18)         update request {
(18)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18)              --> 6A-05-BD-E0-F2-80
(18)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(18)         } # update request = noop
(18)         [updated] = updated
(18)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(18)       ... skipping else: Preceding "if" was taken
(18)     } # policy rewrite_calling_station_id = updated
(18)     policy filter_username {
(18)       if (&User-Name) {
(18)       if (&User-Name)  -> TRUE
(18)       if (&User-Name)  {
(18)         if (&User-Name =~ / /) {
(18)         if (&User-Name =~ / /)  -> FALSE
(18)         if (&User-Name =~ /@[^@]*@/ ) {
(18)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(18)         if (&User-Name =~ /\.\./ ) {
(18)         if (&User-Name =~ /\.\./ )  -> FALSE
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(18)         if (&User-Name =~ /\.$/)  {
(18)         if (&User-Name =~ /\.$/)   -> FALSE
(18)         if (&User-Name =~ /@\./)  {
(18)         if (&User-Name =~ /@\./)   -> FALSE
(18)       } # if (&User-Name)  = updated
(18)     } # policy filter_username = updated
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(18) suffix: Found realm "UNIBE.CH"
(18) suffix: Adding Stripped-User-Name = "dominic.stalder"
(18) suffix: Adding Realm = "UNIBE.CH"
(18) suffix: Authentication realm is LOCAL
(18)     [suffix] = ok
(18)     update request {
(18)       EXPAND %{toupper:%{Realm}}
(18)          --> UNIBE.CH
(18)       Realm := UNIBE.CH
(18)     } # update request = noop
(18)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(18)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(18)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18)       policy deny_no_realm {
(18)         if (User-Name && (User-Name !~ /@/)) {
(18)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(18)       } # policy deny_no_realm = updated
(18)       switch &control:Called-Station-SSID {
(18)       } # switch &control:Called-Station-SSID = updated
(18)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(18) eap: Peer sent EAP Response (code 2) ID 8 length 60
(18) eap: Continuing tunnel setup
(18)     [eap] = ok
(18)   } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18)   Auth-Type eap {
(18) eap: Expiring EAP session with state 0x1de92fd31be1361c
(18) eap: Finished EAP session with state 0x1de92fd31be1361c
(18) eap: Previous EAP request found for state 0x1de92fd31be1361c, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: (TLS) EAP Done initial handshake
(18) eap_peap: Session established.  Decoding tunneled attributes
(18) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(18) eap_peap: Identity - dominic.stalder at unibe.ch
(18) eap_peap: Got inner identity 'dominic.stalder at unibe.ch'
(18) eap_peap: Setting default EAP type for tunneled EAP session
(18) eap_peap: Got tunneled request
(18) eap_peap:   EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(18) eap_peap: Sending tunneled request to proxy-inner-tunnel
(18) eap_peap:   EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap:   User-Name = "dominic.stalder at unibe.ch"
(18) eap_peap:   Service-Type = Framed-User
(18) eap_peap:   Cisco-AVPair = "service-type=Framed"
(18) eap_peap:   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18) eap_peap:   Cisco-AVPair = "method=dot1x"
(18) eap_peap:   Cisco-AVPair = "client-iif-id=2500003624"
(18) eap_peap:   Cisco-AVPair = "vlan-id=1876"
(18) eap_peap:   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) eap_peap:   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18) eap_peap:   Framed-MTU = 1485
(18) eap_peap:   NAS-IP-Address = 130.92.42.20
(18) eap_peap:   NAS-Port-Id = "capwap_9180059e"
(18) eap_peap:   NAS-Port-Type = Wireless-802.11
(18) eap_peap:   NAS-Port = 4219
(18) eap_peap:   Called-Station-Id := "3C-51-0E-72-2A-00"
(18) eap_peap:   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18) eap_peap:   Airespace-Wlan-Id = 98
(18) eap_peap:   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) Virtual server proxy-inner-tunnel received request
(18)   EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18)   FreeRADIUS-Proxied-To = 127.0.0.1
(18)   User-Name = "dominic.stalder at unibe.ch"
(18)   Service-Type = Framed-User
(18)   Cisco-AVPair = "service-type=Framed"
(18)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(18)   Cisco-AVPair = "method=dot1x"
(18)   Cisco-AVPair = "client-iif-id=2500003624"
(18)   Cisco-AVPair = "vlan-id=1876"
(18)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(18)   Framed-MTU = 1485
(18)   NAS-IP-Address = 130.92.42.20
(18)   NAS-Port-Id = "capwap_9180059e"
(18)   NAS-Port-Type = Wireless-802.11
(18)   NAS-Port = 4219
(18)   Called-Station-Id := "3C-51-0E-72-2A-00"
(18)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18)   Airespace-Wlan-Id = 98
(18)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(18) server proxy-inner-tunnel {
(18)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(18)     authorize {
(18)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(18)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(18)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(18)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(18)       if (!NAS-Port-Type){
(18)       if (!NAS-Port-Type) -> FALSE
(18)       update control {
(18)         &Proxy-To-Realm := NPS-DEV
(18)       } # update control = noop
(18)     } # authorize = noop
(18) } # server proxy-inner-tunnel
(18) Virtual server sending reply
(18) eap_peap: Got tunneled reply code 0
(18) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(18) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(18)     [eap] = handled
(18)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(18)     EXPAND Response-Packet-Type
(18)        -->
(18)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(18)   } # Auth-Type eap = handled
(18) Starting proxy to home server 130.92.14.27 port 1812
(18) server default {
(18)   # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(18)     pre-proxy {
(18) attr_filter.pre-proxy: EXPAND %{Realm}
(18) attr_filter.pre-proxy:    --> UNIBE.CH
(18) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(18)       [attr_filter.pre-proxy] = updated
(18)     } # pre-proxy = updated
(18) }
(18) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(18) Sent Access-Request Id 3 from 0.0.0.0:41351 to 130.92.14.27:1812 length 188
(18)   Operator-Name := "1unibe.ch"
(18)   EAP-Message = 0x0208001d01646f6d696e69632e7374616c64657240756e6962652e6368
(18)   User-Name = "dominic.stalder at unibe.ch"
(18)   NAS-IP-Address = 130.92.42.20
(18)   NAS-Port-Type = Wireless-802.11
(18)   Called-Station-Id := "3C-51-0E-72-2A-00"
(18)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(18)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(18)   Message-Authenticator = 0x
(18)   Proxy-State = 0x313131
Waking up in 0.3 seconds.
(18) Clearing existing &reply: attributes
(18) Received Access-Challenge Id 3 from 130.92.14.27:1812 to 130.92.10.33:41351 length 128
(18)   Proxy-State = 0x313131
(18)   Session-Timeout = 60
(18)   EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632
(18)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(18)   Message-Authenticator = 0x6010087d40d157005d3540778ed46280
(18) server default {
(18)   # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(18)     post-proxy {
(18) attr_filter.post-proxy: EXPAND %{Realm}
(18) attr_filter.post-proxy:    --> UNIBE.CH
(18) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(18)       [attr_filter.post-proxy] = updated
(18) eap: Doing post-proxy callback
(18) eap: Passing reply from proxy back into the tunnel
(18) eap: Got tunneled reply RADIUS code 11
(18) eap:   Tunnel-Type := VLAN
(18) eap:   Tunnel-Medium-Type := IEEE-802
(18) eap:   Proxy-State = 0x313131
(18) eap:   EAP-Message = 0x010900271a010900221025092d03febd7f1db20ee0eb3a6f3f604141492d4e50532d4544555632
(18) eap:   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(18) eap:   Message-Authenticator = 0x6010087d40d157005d3540778ed46280
(18) eap: Got tunneled Access-Challenge
(18) eap: Reply was handled
(18) eap: Sending EAP Request (code 1) ID 9 length 70
(18) eap: EAP session adding &reply:State = 0x1de92fd31ae0361c
(18)       [eap] = ok
(18)     } # post-proxy = updated
(18) }
(18) session-state: Saving cached attributes
(18)   Framed-MTU = 1014
(18)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(18)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(18)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(18)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(18)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18)   TLS-Session-Version = "TLS 1.2"
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found.  Ignoring.
(18) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(18) Sent Access-Challenge Id 111 from 130.92.10.33:1812 to 130.92.42.20:56958 length 128
(18)   EAP-Message = 0x010900461900170303003bee81289b38b96699838bacf9ab8471d9a0c0522c8f7b32d458a0fded96c04c4a3ee53c690abbbdd4ab41013b7988b57e521af8dc7bcd467b297af9
(18)   Message-Authenticator = 0x00000000000000000000000000000000
(18)   State = 0x1de92fd31ae0361c7d7fc55a3903ba57
(18) Finished request
Waking up in 4.8 seconds.
(19) Received Access-Request Id 119 from 130.92.42.20:56958 to 130.92.10.33:1812 length 546
(19)   User-Name = "dominic.stalder at unibe.ch"
(19)   Service-Type = Framed-User
(19)   Cisco-AVPair = "service-type=Framed"
(19)   Framed-MTU = 1485
(19)   EAP-Message = 0x02090072190017030300670eb44ab0540a84b6c847c1e4cd47b9f36e37fc528705aed180287420c6730fc360d9458c0c4df8b8eccc6529f567f80b13cffefbfcaa6155a88b3ceb96c7958abf1e8b86ec337c25d154d8ab4915b9daebdcf7b1ac0fa7c2ffbfee5c6b880cbc458625358dfc7c
(19)   Message-Authenticator = 0xb41636b5706cfcd2a98e05828ea1a1e0
(19)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19)   Cisco-AVPair = "method=dot1x"
(19)   Cisco-AVPair = "client-iif-id=2500003624"
(19)   Cisco-AVPair = "vlan-id=1876"
(19)   NAS-IP-Address = 130.92.42.20
(19)   NAS-Port-Id = "capwap_9180059e"
(19)   NAS-Port-Type = Wireless-802.11
(19)   NAS-Port = 4219
(19)   State = 0x1de92fd31ae0361c7d7fc55a3903ba57
(19)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(19)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(19)   Airespace-Wlan-Id = 98
(19)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) Restoring &session-state
(19)   &session-state:Framed-MTU = 1014
(19)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(19)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(19)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(19)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(19)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19)   &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(19)   authorize {
(19)     policy rewrite_called_station_id {
(19)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(19)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(19)         update request {
(19)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19)              --> 3C-51-0E-72-2A-00
(19)           &Called-Station-Id := 3C-51-0E-72-2A-00
(19)         } # update request = noop
(19)         if ("%{8}") {
(19)         EXPAND %{8}
(19)            --> eduroam
(19)         if ("%{8}")  -> TRUE
(19)         if ("%{8}")  {
(19)           update request {
(19)             EXPAND %{8}
(19)                --> eduroam
(19)             &Called-Station-SSID := eduroam
(19)           } # update request = noop
(19)         } # if ("%{8}")  = noop
(19)         [updated] = updated
(19)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(19)       ... skipping else: Preceding "if" was taken
(19)     } # policy rewrite_called_station_id = updated
(19)     policy rewrite_calling_station_id {
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(19)         update request {
(19)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19)              --> 6A-05-BD-E0-F2-80
(19)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(19)         } # update request = noop
(19)         [updated] = updated
(19)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(19)       ... skipping else: Preceding "if" was taken
(19)     } # policy rewrite_calling_station_id = updated
(19)     policy filter_username {
(19)       if (&User-Name) {
(19)       if (&User-Name)  -> TRUE
(19)       if (&User-Name)  {
(19)         if (&User-Name =~ / /) {
(19)         if (&User-Name =~ / /)  -> FALSE
(19)         if (&User-Name =~ /@[^@]*@/ ) {
(19)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(19)         if (&User-Name =~ /\.\./ ) {
(19)         if (&User-Name =~ /\.\./ )  -> FALSE
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(19)         if (&User-Name =~ /\.$/)  {
(19)         if (&User-Name =~ /\.$/)   -> FALSE
(19)         if (&User-Name =~ /@\./)  {
(19)         if (&User-Name =~ /@\./)   -> FALSE
(19)       } # if (&User-Name)  = updated
(19)     } # policy filter_username = updated
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(19) suffix: Found realm "UNIBE.CH"
(19) suffix: Adding Stripped-User-Name = "dominic.stalder"
(19) suffix: Adding Realm = "UNIBE.CH"
(19) suffix: Authentication realm is LOCAL
(19)     [suffix] = ok
(19)     update request {
(19)       EXPAND %{toupper:%{Realm}}
(19)          --> UNIBE.CH
(19)       Realm := UNIBE.CH
(19)     } # update request = noop
(19)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(19)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(19)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19)       policy deny_no_realm {
(19)         if (User-Name && (User-Name !~ /@/)) {
(19)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(19)       } # policy deny_no_realm = updated
(19)       switch &control:Called-Station-SSID {
(19)       } # switch &control:Called-Station-SSID = updated
(19)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(19) eap: Peer sent EAP Response (code 2) ID 9 length 114
(19) eap: Continuing tunnel setup
(19)     [eap] = ok
(19)   } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19)   Auth-Type eap {
(19) eap: Expiring EAP session with state 0x1de92fd31ae0361c
(19) eap: Finished EAP session with state 0x1de92fd31ae0361c
(19) eap: Previous EAP request found for state 0x1de92fd31ae0361c, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: (TLS) EAP Done initial handshake
(19) eap_peap: Session established.  Decoding tunneled attributes
(19) eap_peap: PEAP state phase2
(19) eap_peap: EAP method MSCHAPv2 (26)
(19) eap_peap: Got tunneled request
(19) eap_peap:   EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(19) eap_peap: Sending tunneled request to proxy-inner-tunnel
(19) eap_peap:   EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(19) eap_peap:   User-Name = "dominic.stalder at unibe.ch"
(19) eap_peap:   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) eap_peap:   Service-Type = Framed-User
(19) eap_peap:   Cisco-AVPair = "service-type=Framed"
(19) eap_peap:   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19) eap_peap:   Cisco-AVPair = "method=dot1x"
(19) eap_peap:   Cisco-AVPair = "client-iif-id=2500003624"
(19) eap_peap:   Cisco-AVPair = "vlan-id=1876"
(19) eap_peap:   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) eap_peap:   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19) eap_peap:   Framed-MTU = 1485
(19) eap_peap:   NAS-IP-Address = 130.92.42.20
(19) eap_peap:   NAS-Port-Id = "capwap_9180059e"
(19) eap_peap:   NAS-Port-Type = Wireless-802.11
(19) eap_peap:   NAS-Port = 4219
(19) eap_peap:   Called-Station-Id := "3C-51-0E-72-2A-00"
(19) eap_peap:   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19) eap_peap:   Airespace-Wlan-Id = 98
(19) eap_peap:   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) Virtual server proxy-inner-tunnel received request
(19)   EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19)   FreeRADIUS-Proxied-To = 127.0.0.1
(19)   User-Name = "dominic.stalder at unibe.ch"
(19)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19)   Service-Type = Framed-User
(19)   Cisco-AVPair = "service-type=Framed"
(19)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(19)   Cisco-AVPair = "method=dot1x"
(19)   Cisco-AVPair = "client-iif-id=2500003624"
(19)   Cisco-AVPair = "vlan-id=1876"
(19)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(19)   Framed-MTU = 1485
(19)   NAS-IP-Address = 130.92.42.20
(19)   NAS-Port-Id = "capwap_9180059e"
(19)   NAS-Port-Type = Wireless-802.11
(19)   NAS-Port = 4219
(19)   Called-Station-Id := "3C-51-0E-72-2A-00"
(19)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19)   Airespace-Wlan-Id = 98
(19)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(19) server proxy-inner-tunnel {
(19)   session-state: No cached attributes
(19)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(19)     authorize {
(19)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(19)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(19)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(19)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(19)       if (!NAS-Port-Type){
(19)       if (!NAS-Port-Type) -> FALSE
(19)       update control {
(19)         &Proxy-To-Realm := NPS-DEV
(19)       } # update control = noop
(19)     } # authorize = noop
(19) } # server proxy-inner-tunnel
(19) Virtual server sending reply
(19) eap_peap: Got tunneled reply code 0
(19) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(19) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(19)     [eap] = handled
(19)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(19)     EXPAND Response-Packet-Type
(19)        -->
(19)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(19)   } # Auth-Type eap = handled
(19) Starting proxy to home server 130.92.14.27 port 1812
(19) server default {
(19)   # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(19)     pre-proxy {
(19) attr_filter.pre-proxy: EXPAND %{Realm}
(19) attr_filter.pre-proxy:    --> UNIBE.CH
(19) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(19)       [attr_filter.pre-proxy] = updated
(19)     } # pre-proxy = updated
(19) }
(19) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(19) Sent Access-Request Id 80 from 0.0.0.0:41351 to 130.92.14.27:1812 length 280
(19)   Operator-Name := "1unibe.ch"
(19)   EAP-Message = 0x020900531a0209004e31f8df00678240ef3ee8236075b6bd71420000000000000000266a6646c0548abfe0d4e43e6b91a25bc6a1d51f971701a500646f6d696e69632e7374616c64657240756e6962652e6368
(19)   User-Name = "dominic.stalder at unibe.ch"
(19)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19)   NAS-IP-Address = 130.92.42.20
(19)   NAS-Port-Type = Wireless-802.11
(19)   Called-Station-Id := "3C-51-0E-72-2A-00"
(19)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(19)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(19)   Message-Authenticator = 0x
(19)   Proxy-State = 0x313139
Waking up in 0.3 seconds.
(19) Clearing existing &reply: attributes
(19) Received Access-Challenge Id 80 from 130.92.14.27:1812 to 130.92.10.33:41351 length 140
(19)   Proxy-State = 0x313139
(19)   Session-Timeout = 60
(19)   EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(19)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19)   Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063
(19) server default {
(19)   # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(19)     post-proxy {
(19) attr_filter.post-proxy: EXPAND %{Realm}
(19) attr_filter.post-proxy:    --> UNIBE.CH
(19) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(19)       [attr_filter.post-proxy] = updated
(19) eap: Doing post-proxy callback
(19) eap: Passing reply from proxy back into the tunnel
(19) eap: Got tunneled reply RADIUS code 11
(19) eap:   Tunnel-Type := VLAN
(19) eap:   Tunnel-Medium-Type := IEEE-802
(19) eap:   Proxy-State = 0x313139
(19) eap:   EAP-Message = 0x010a00331a0309002e533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(19) eap:   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(19) eap:   Message-Authenticator = 0x8fe2c05842f247418bddf150ece42063
(19) eap: Got tunneled Access-Challenge
(19) eap: Reply was handled
(19) eap: Sending EAP Request (code 1) ID 10 length 82
(19) eap: EAP session adding &reply:State = 0x1de92fd315e3361c
(19)       [eap] = ok
(19)     } # post-proxy = updated
(19) }
(19) session-state: Saving cached attributes
(19)   Framed-MTU = 1014
(19)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(19)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(19)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(19)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(19)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19)   TLS-Session-Version = "TLS 1.2"
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found.  Ignoring.
(19) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(19) Sent Access-Challenge Id 119 from 130.92.10.33:1812 to 130.92.42.20:56958 length 140
(19)   EAP-Message = 0x010a005219001703030047ee81289b38b9669adba1fab65405736dbbfcb27f2717a52264a47659030722d29939aea776b86fec481bda6d4c07a1e792afe6d888bca68031b6b939f2c2be7faeef6adc05a6e3
(19)   Message-Authenticator = 0x00000000000000000000000000000000
(19)   State = 0x1de92fd315e3361c7d7fc55a3903ba57
(19) Finished request
Waking up in 4.8 seconds.
(20) Received Access-Request Id 127 from 130.92.42.20:56958 to 130.92.10.33:1812 length 469
(20)   User-Name = "dominic.stalder at unibe.ch"
(20)   Service-Type = Framed-User
(20)   Cisco-AVPair = "service-type=Framed"
(20)   Framed-MTU = 1485
(20)   EAP-Message = 0x020a00251900170303001a0eb44ab0540a84b7c31a7ba33522878ffe2eeebc82ccb08cf952
(20)   Message-Authenticator = 0xbad5ba1b57de86e7ebe12ecfcafd37ea
(20)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20)   Cisco-AVPair = "method=dot1x"
(20)   Cisco-AVPair = "client-iif-id=2500003624"
(20)   Cisco-AVPair = "vlan-id=1876"
(20)   NAS-IP-Address = 130.92.42.20
(20)   NAS-Port-Id = "capwap_9180059e"
(20)   NAS-Port-Type = Wireless-802.11
(20)   NAS-Port = 4219
(20)   State = 0x1de92fd315e3361c7d7fc55a3903ba57
(20)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(20)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(20)   Airespace-Wlan-Id = 98
(20)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) Restoring &session-state
(20)   &session-state:Framed-MTU = 1014
(20)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(20)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(20)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(20)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(20)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20)   &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(20)   authorize {
(20)     policy rewrite_called_station_id {
(20)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(20)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(20)         update request {
(20)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20)              --> 3C-51-0E-72-2A-00
(20)           &Called-Station-Id := 3C-51-0E-72-2A-00
(20)         } # update request = noop
(20)         if ("%{8}") {
(20)         EXPAND %{8}
(20)            --> eduroam
(20)         if ("%{8}")  -> TRUE
(20)         if ("%{8}")  {
(20)           update request {
(20)             EXPAND %{8}
(20)                --> eduroam
(20)             &Called-Station-SSID := eduroam
(20)           } # update request = noop
(20)         } # if ("%{8}")  = noop
(20)         [updated] = updated
(20)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(20)       ... skipping else: Preceding "if" was taken
(20)     } # policy rewrite_called_station_id = updated
(20)     policy rewrite_calling_station_id {
(20)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(20)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(20)         update request {
(20)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20)              --> 6A-05-BD-E0-F2-80
(20)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(20)         } # update request = noop
(20)         [updated] = updated
(20)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(20)       ... skipping else: Preceding "if" was taken
(20)     } # policy rewrite_calling_station_id = updated
(20)     policy filter_username {
(20)       if (&User-Name) {
(20)       if (&User-Name)  -> TRUE
(20)       if (&User-Name)  {
(20)         if (&User-Name =~ / /) {
(20)         if (&User-Name =~ / /)  -> FALSE
(20)         if (&User-Name =~ /@[^@]*@/ ) {
(20)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(20)         if (&User-Name =~ /\.\./ ) {
(20)         if (&User-Name =~ /\.\./ )  -> FALSE
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(20)         if (&User-Name =~ /\.$/)  {
(20)         if (&User-Name =~ /\.$/)   -> FALSE
(20)         if (&User-Name =~ /@\./)  {
(20)         if (&User-Name =~ /@\./)   -> FALSE
(20)       } # if (&User-Name)  = updated
(20)     } # policy filter_username = updated
(20) suffix: Checking for suffix after "@"
(20) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(20) suffix: Found realm "UNIBE.CH"
(20) suffix: Adding Stripped-User-Name = "dominic.stalder"
(20) suffix: Adding Realm = "UNIBE.CH"
(20) suffix: Authentication realm is LOCAL
(20)     [suffix] = ok
(20)     update request {
(20)       EXPAND %{toupper:%{Realm}}
(20)          --> UNIBE.CH
(20)       Realm := UNIBE.CH
(20)     } # update request = noop
(20)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(20)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(20)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20)       policy deny_no_realm {
(20)         if (User-Name && (User-Name !~ /@/)) {
(20)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(20)       } # policy deny_no_realm = updated
(20)       switch &control:Called-Station-SSID {
(20)       } # switch &control:Called-Station-SSID = updated
(20)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(20) eap: Peer sent EAP Response (code 2) ID 10 length 37
(20) eap: Continuing tunnel setup
(20)     [eap] = ok
(20)   } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20)   Auth-Type eap {
(20) eap: Expiring EAP session with state 0x1de92fd315e3361c
(20) eap: Finished EAP session with state 0x1de92fd315e3361c
(20) eap: Previous EAP request found for state 0x1de92fd315e3361c, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: (TLS) EAP Done initial handshake
(20) eap_peap: Session established.  Decoding tunneled attributes
(20) eap_peap: PEAP state phase2
(20) eap_peap: EAP method MSCHAPv2 (26)
(20) eap_peap: Got tunneled request
(20) eap_peap:   EAP-Message = 0x020a00061a03
(20) eap_peap: Setting User-Name to dominic.stalder at unibe.ch
(20) eap_peap: Sending tunneled request to proxy-inner-tunnel
(20) eap_peap:   EAP-Message = 0x020a00061a03
(20) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(20) eap_peap:   User-Name = "dominic.stalder at unibe.ch"
(20) eap_peap:   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20) eap_peap:   Service-Type = Framed-User
(20) eap_peap:   Cisco-AVPair = "service-type=Framed"
(20) eap_peap:   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20) eap_peap:   Cisco-AVPair = "method=dot1x"
(20) eap_peap:   Cisco-AVPair = "client-iif-id=2500003624"
(20) eap_peap:   Cisco-AVPair = "vlan-id=1876"
(20) eap_peap:   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) eap_peap:   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20) eap_peap:   Framed-MTU = 1485
(20) eap_peap:   NAS-IP-Address = 130.92.42.20
(20) eap_peap:   NAS-Port-Id = "capwap_9180059e"
(20) eap_peap:   NAS-Port-Type = Wireless-802.11
(20) eap_peap:   NAS-Port = 4219
(20) eap_peap:   Called-Station-Id := "3C-51-0E-72-2A-00"
(20) eap_peap:   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20) eap_peap:   Airespace-Wlan-Id = 98
(20) eap_peap:   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) Virtual server proxy-inner-tunnel received request
(20)   EAP-Message = 0x020a00061a03
(20)   FreeRADIUS-Proxied-To = 127.0.0.1
(20)   User-Name = "dominic.stalder at unibe.ch"
(20)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20)   Service-Type = Framed-User
(20)   Cisco-AVPair = "service-type=Framed"
(20)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(20)   Cisco-AVPair = "method=dot1x"
(20)   Cisco-AVPair = "client-iif-id=2500003624"
(20)   Cisco-AVPair = "vlan-id=1876"
(20)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(20)   Framed-MTU = 1485
(20)   NAS-IP-Address = 130.92.42.20
(20)   NAS-Port-Id = "capwap_9180059e"
(20)   NAS-Port-Type = Wireless-802.11
(20)   NAS-Port = 4219
(20)   Called-Station-Id := "3C-51-0E-72-2A-00"
(20)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20)   Airespace-Wlan-Id = 98
(20)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(20) server proxy-inner-tunnel {
(20)   session-state: No cached attributes
(20)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
(20)     authorize {
(20)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/){
(20)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(20)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/){
(20)       if (User-Name =~ /^([\w]{1,20})@((campus\.unibe\.ch)|(unibe\.ch))/) -> FALSE
(20)       if (!NAS-Port-Type){
(20)       if (!NAS-Port-Type) -> FALSE
(20)       update control {
(20)         &Proxy-To-Realm := NPS-DEV
(20)       } # update control = noop
(20)     } # authorize = noop
(20) } # server proxy-inner-tunnel
(20) Virtual server sending reply
(20) eap_peap: Got tunneled reply code 0
(20) eap_peap: Tunnelled authentication will be proxied to NPS-DEV
(20) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(20)     [eap] = handled
(20)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(20)     EXPAND Response-Packet-Type
(20)        -->
(20)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(20)   } # Auth-Type eap = handled
(20) Starting proxy to home server 130.92.14.27 port 1812
(20) server default {
(20)   # Executing section pre-proxy from file /etc/freeradius/3.0/sites-enabled/default
(20)     pre-proxy {
(20) attr_filter.pre-proxy: EXPAND %{Realm}
(20) attr_filter.pre-proxy:    --> UNIBE.CH
(20) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(20)       [attr_filter.pre-proxy] = updated
(20)     } # pre-proxy = updated
(20) }
(20) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(20) Sent Access-Request Id 107 from 0.0.0.0:41351 to 130.92.14.27:1812 length 203
(20)   Operator-Name := "1unibe.ch"
(20)   EAP-Message = 0x020a00061a03
(20)   User-Name = "dominic.stalder at unibe.ch"
(20)   State = 0x1fe101cf0000013700010200825c0e1b00000000000000000000000000000004014d0139
(20)   NAS-IP-Address = 130.92.42.20
(20)   NAS-Port-Type = Wireless-802.11
(20)   Called-Station-Id := "3C-51-0E-72-2A-00"
(20)   Calling-Station-Id := "6A-05-BD-E0-F2-80"
(20)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(20)   Message-Authenticator = 0x
(20)   Proxy-State = 0x313237
Waking up in 0.3 seconds.
(20) Clearing existing &reply: attributes
(20) Received Access-Accept Id 107 from 130.92.14.27:1812 to 130.92.10.33:41351 length 289
(20)   Proxy-State = 0x313237
(20)   Class = "staff"
(20)   Filter-Id = "staff"
(20)   Framed-Protocol = PPP
(20)   Service-Type = Framed-User
(20)   Tunnel-Medium-Type:0 = IEEE-802
(20)   Tunnel-Private-Group-Id:0 = "1874"
(20)   Tunnel-Type:0 = VLAN
(20)   EAP-Message = 0x030a0004
(20)   Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(20)   MS-CHAP-Domain = "\001CAMPUS"
(20)   MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0
(20)   MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae
(20)   MS-CHAP2-Success = 0x01533d31304136344538394431443745423543444337394130373934343732333343414144393842353734
(20)   Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af
(20) server default {
(20)   # Executing section post-proxy from file /etc/freeradius/3.0/sites-enabled/default
(20)     post-proxy {
(20) attr_filter.post-proxy: EXPAND %{Realm}
(20) attr_filter.post-proxy:    --> UNIBE.CH
(20) attr_filter.post-proxy: Matched entry UNIBE.CH at line 121
(20)       [attr_filter.post-proxy] = updated
(20) eap: Doing post-proxy callback
(20) eap: Passing reply from proxy back into the tunnel
(20) eap: Got tunneled reply RADIUS code 2
(20) eap:   Tunnel-Type := VLAN
(20) eap:   Tunnel-Medium-Type := IEEE-802
(20) eap:   Proxy-State = 0x313237
(20) eap:   Class = "staff"
(20) eap:   Filter-Id = "staff"
(20) eap:   Tunnel-Private-Group-Id:0 = "1874"
(20) eap:   EAP-Message = 0x030a0004
(20) eap:   Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(20) eap:   MS-MPPE-Send-Key = 0x4da623cf76bcf255c5d52f7ba82488a0
(20) eap:   MS-MPPE-Recv-Key = 0xa8148861904eab68c776ff971b7a06ae
(20) eap:   Message-Authenticator = 0x62374c9831706e64b8f2a66d9de2e4af
(20) eap: Tunneled authentication was successful
(20) eap: SUCCESS
(20) eap: Saving tunneled attributes for later
(20) eap: Reply was handled
(20) eap: Sending EAP Request (code 1) ID 11 length 46
(20) eap: EAP session adding &reply:State = 0x1de92fd314e2361c
(20)       [eap] = ok
(20)     } # post-proxy = updated
(20) }
(20) session-state: Saving cached attributes
(20)   Framed-MTU = 1014
(20)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(20)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(20)   TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(20)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(20)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20)   TLS-Session-Version = "TLS 1.2"
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found.  Ignoring.
(20) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(20) Sent Access-Challenge Id 127 from 130.92.10.33:1812 to 130.92.42.20:56958 length 104
(20)   EAP-Message = 0x010b002e19001703030023ee81289b38b9669bfa1166346ea479e73ee4d39cc73b0e97a63d2f4face2bc55c99f2f
(20)   Message-Authenticator = 0x00000000000000000000000000000000
(20)   State = 0x1de92fd314e2361c7d7fc55a3903ba57
(20) Finished request
Waking up in 4.8 seconds.
(21) Received Access-Request Id 135 from 130.92.42.20:56958 to 130.92.10.33:1812 length 478
(21)   User-Name = "dominic.stalder at unibe.ch"
(21)   Service-Type = Framed-User
(21)   Cisco-AVPair = "service-type=Framed"
(21)   Framed-MTU = 1485
(21)   EAP-Message = 0x020b002e190017030300230eb44ab0540a84b8149c5ba395783899c1e875d9932d9debabc348893b31b12bd0f358
(21)   Message-Authenticator = 0x3f983eae845159512b2c2a6dcc8a6e62
(21)   Cisco-AVPair = "audit-session-id=142A5C8200001E16EBB2DCC0"
(21)   Cisco-AVPair = "method=dot1x"
(21)   Cisco-AVPair = "client-iif-id=2500003624"
(21)   Cisco-AVPair = "vlan-id=1876"
(21)   NAS-IP-Address = 130.92.42.20
(21)   NAS-Port-Id = "capwap_9180059e"
(21)   NAS-Port-Type = Wireless-802.11
(21)   NAS-Port = 4219
(21)   State = 0x1de92fd314e2361c7d7fc55a3903ba57
(21)   Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(21)   Cisco-AVPair = "wlan-profile-name=eduroamV2"
(21)   Called-Station-Id = "3c-51-0e-72-2a-00:eduroam"
(21)   Calling-Station-Id = "6a-05-bd-e0-f2-80"
(21)   Airespace-Wlan-Id = 98
(21)   NAS-Identifier = "3c-51-0e-72-2a-00:eduroam"
(21) Restoring &session-state
(21)   &session-state:Framed-MTU = 1014
(21)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(21)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(21)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(21)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(21)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21)   &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(21)   authorize {
(21)     policy rewrite_called_station_id {
(21)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(21)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(21)         update request {
(21)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21)              --> 3C-51-0E-72-2A-00
(21)           &Called-Station-Id := 3C-51-0E-72-2A-00
(21)         } # update request = noop
(21)         if ("%{8}") {
(21)         EXPAND %{8}
(21)            --> eduroam
(21)         if ("%{8}")  -> TRUE
(21)         if ("%{8}")  {
(21)           update request {
(21)             EXPAND %{8}
(21)                --> eduroam
(21)             &Called-Station-SSID := eduroam
(21)           } # update request = noop
(21)         } # if ("%{8}")  = noop
(21)         [updated] = updated
(21)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(21)       ... skipping else: Preceding "if" was taken
(21)     } # policy rewrite_called_station_id = updated
(21)     policy rewrite_calling_station_id {
(21)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(21)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(21)         update request {
(21)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21)              --> 6A-05-BD-E0-F2-80
(21)           &Calling-Station-Id := 6A-05-BD-E0-F2-80
(21)         } # update request = noop
(21)         [updated] = updated
(21)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(21)       ... skipping else: Preceding "if" was taken
(21)     } # policy rewrite_calling_station_id = updated
(21)     policy filter_username {
(21)       if (&User-Name) {
(21)       if (&User-Name)  -> TRUE
(21)       if (&User-Name)  {
(21)         if (&User-Name =~ / /) {
(21)         if (&User-Name =~ / /)  -> FALSE
(21)         if (&User-Name =~ /@[^@]*@/ ) {
(21)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(21)         if (&User-Name =~ /\.\./ ) {
(21)         if (&User-Name =~ /\.\./ )  -> FALSE
(21)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(21)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(21)         if (&User-Name =~ /\.$/)  {
(21)         if (&User-Name =~ /\.$/)   -> FALSE
(21)         if (&User-Name =~ /@\./)  {
(21)         if (&User-Name =~ /@\./)   -> FALSE
(21)       } # if (&User-Name)  = updated
(21)     } # policy filter_username = updated
(21) suffix: Checking for suffix after "@"
(21) suffix: Looking up realm "unibe.ch" for User-Name = "dominic.stalder at unibe.ch"
(21) suffix: Found realm "UNIBE.CH"
(21) suffix: Adding Stripped-User-Name = "dominic.stalder"
(21) suffix: Adding Realm = "UNIBE.CH"
(21) suffix: Authentication realm is LOCAL
(21)     [suffix] = ok
(21)     update request {
(21)       EXPAND %{toupper:%{Realm}}
(21)          --> UNIBE.CH
(21)       Realm := UNIBE.CH
(21)     } # update request = noop
(21)     if (NAS-Port-Type =~ /Wireless-802\.11/i){
(21)     if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(21)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21)       policy deny_no_realm {
(21)         if (User-Name && (User-Name !~ /@/)) {
(21)         if (User-Name && (User-Name !~ /@/))  -> FALSE
(21)       } # policy deny_no_realm = updated
(21)       switch &control:Called-Station-SSID {
(21)       } # switch &control:Called-Station-SSID = updated
(21)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = updated
(21) eap: Peer sent EAP Response (code 2) ID 11 length 46
(21) eap: Continuing tunnel setup
(21)     [eap] = ok
(21)   } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(21)   Auth-Type eap {
(21) eap: Expiring EAP session with state 0x1de92fd314e2361c
(21) eap: Finished EAP session with state 0x1de92fd314e2361c
(21) eap: Previous EAP request found for state 0x1de92fd314e2361c, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: (TLS) EAP Done initial handshake
(21) eap_peap: Session established.  Decoding tunneled attributes
(21) eap_peap: PEAP state send tlv success
(21) eap_peap: Received EAP-TLV response
(21) eap_peap: Success
(21) eap_peap: Using saved attributes from the original Access-Accept
(21) eap_peap:   Tunnel-Type := VLAN
(21) eap_peap:   Tunnel-Medium-Type := IEEE-802
(21) eap_peap:   Class = "staff"
(21) eap_peap:   Filter-Id = "staff"
(21) eap_peap:   Tunnel-Private-Group-Id:0 = "1874"
(21) eap_peap:   Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(21) eap: Sending EAP Success (code 3) ID 11 length 4
(21) eap: Freeing handler
(21)     [eap] = ok
(21)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(21)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(21)   } # Auth-Type eap = ok
(21) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(21)   post-auth {
(21)     update {
(21)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
(21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
(21)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(21)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(21)     } # update = noop
(21)     if (EAP-Message) {
(21)     if (EAP-Message)  -> TRUE
(21)     if (EAP-Message)  {
(21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format}
(21) 802.1x_authz_log:    --> sp.Access-Accept
(21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})
(21) 802.1x_authz_log:    --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
(21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log
(21) 802.1x_authz_log:    --> /var/log/freeradius/authz.log
(21)       [802.1x_authz_log] = ok
(21)     } # if (EAP-Message)  = ok
(21)     policy remove_reply_message_if_eap {
(21)       if (&reply:EAP-Message && &reply:Reply-Message) {
(21)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(21)       else {
(21)         [noop] = noop
(21)       } # else = noop
(21)     } # policy remove_reply_message_if_eap = noop
(21)   } # post-auth = ok
(21) Login OK: [dominic.stalder at unibe.ch] (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
(21) Sent Access-Accept Id 135 from 130.92.10.33:1812 to 130.92.42.20:56958 length 270
(21)   Tunnel-Type := VLAN
(21)   Tunnel-Medium-Type := IEEE-802
(21)   Class = "staff"
(21)   Filter-Id = "staff"
(21)   Tunnel-Private-Group-Id:0 = "1874"
(21)   Class = "Z8\006\275\000\000\0017\000\001\002\000\202\\\016\033\000\000\000\000\000\000\000\000\000\000\000\000\001\332\177ZSC\303\361\000\000\000\000\000G9\374"
(21)   MS-MPPE-Recv-Key = 0x683a26deb424ef81dda94ff52b54b2a7025ac4e6e5b331f264948cdcd9c529a3
(21)   MS-MPPE-Send-Key = 0x5e2a7f4ec95429b176dd4235ea7c5ab7beecd50d27ed463169c0cd1fc751e3f6
(21)   EAP-Message = 0x030b0004
(21)   Message-Authenticator = 0x00000000000000000000000000000000
(21)   User-Name = "dominic.stalder at unibe.ch"
(21)   Framed-MTU += 1014
(21) Finished request
Waking up in 4.8 seconds.
(11) Cleaning up request packet ID 55 with timestamp +32 due to cleanup_delay was reached
(12) Cleaning up request packet ID 63 with timestamp +32 due to cleanup_delay was reached
(13) Cleaning up request packet ID 71 with timestamp +32 due to cleanup_delay was reached
(14) Cleaning up request packet ID 79 with timestamp +32 due to cleanup_delay was reached
(15) Cleaning up request packet ID 87 with timestamp +32 due to cleanup_delay was reached
(16) Cleaning up request packet ID 95 with timestamp +32 due to cleanup_delay was reached
(17) Cleaning up request packet ID 103 with timestamp +32 due to cleanup_delay was reached
(18) Cleaning up request packet ID 111 with timestamp +32 due to cleanup_delay was reached
(19) Cleaning up request packet ID 119 with timestamp +32 due to cleanup_delay was reached
(20) Cleaning up request packet ID 127 with timestamp +32 due to cleanup_delay was reached
(21) Cleaning up request packet ID 135 with timestamp +32 due to cleanup_delay was reached
Ready to process requests

Output in /var/log/freeradius/authz.log:

Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)

As written above, I am sorry "that it works", even more so because I don't know why it is working now; in my opinion I did not really change anything compared to before lunch time...

But do we somehow need to close this "discussion" and mark it as resolved, or how does this work?

Anyhow, thank you so much for helping out!

Best regards
Dominic


