EAP-TEAP not doing 2nd inner Method

Martin B. martinbiniek at googlemail.com
Mon Dec 9 12:40:05 UTC 2024


>
> My point is still that having two certificates on the same machine isn't
> any more secure than having one certificate.

...

> It's really an illusion of extra security.


Yes, and I agree with you on that.
For me, it was never about the 'extra security' that this protocol was
supposed to provide (by checking two certificates from the same device),
but rather about detecting missing certificates.
Depending on whether a) certificate 1 and 2 are present, b) only
certificate 1 is present, or c) only certificate 2 is present, or d) no
certificate is present, I want to be able to perform different actions.
For example:
a) grant access to the internal network
b) move device into a special network segment where the missing
certificates can be automatically deployed, then do re-auth
c) grant access to the internal network
d) reject access to the internal network

Or in other words, when a user is logged into a new machine where he does
not yet have a certificate installed (but one is necessary, for example to know
what resources this user is allowed to access), I need to trust the
machine first before I move it into the special network segment (and deploy
the certificate of the user).

Even though it might be possible to achieve this through other means, I
think it would be most elegant if everything could be done in one go,
without having to manually create a custom configuration on the server.
However, when you look at EAP-TEAP and see how strictly the server must
adhere to the client's requirements for the protocol to work, a custom
configuration might be the easiest way (at least for now, until the
protocol is revised and all implementations comply with the updates).


>   Well that's wrong.
>
>   I've pushed a fix.


(19) eap_teap: &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type set so
continuing EAP sequence/chaining
(19) eap_teap: Sending EAP-Identity
(19) eap_teap: Deleting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type +=
User
(19) eap: Sending EAP Request (code 1) ID 21 length 136

It looks like the Identity-Types do not get deleted properly, which causes
the server to request a 3rd EAP-Identity.

...
(11) Received Access-Request Id 21 from 10.78.1.215:1645 to 10.78.5.223:1645
length 1565
(11)   User-Name = "anonymous"
(11)   Service-Type = Framed-User
(11)   Cisco-AVPair = "service-type=Framed"
(11)   Framed-MTU = 1500
(11)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(11)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(11)   EAP-Message =
(11)   Message-Authenticator = 0x5f1e260cb4e160e1b999722211a9e137
(11)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(11)   Cisco-AVPair = "method=dot1x"
(11)   NAS-IP-Address = 10.78.1.215
(11)   NAS-Port-Id = "GigabitEthernet1/0/10"
(11)   NAS-Port-Type = Ethernet
(11)   NAS-Port = 50110
(11)   State = 0xf1839162fb8fa61b96c8936992ec3e02
(11) Restoring &session-state
(11)   &session-state:Framed-MTU = 984
(11)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(11)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(11)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(11)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(11)   &session-state:TLS-Session-Version = "TLS 1.2"
(11) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(11)   authorize {
(11)     policy filter_username {
(11)       if (&User-Name) {
(11)       if (&User-Name)  -> TRUE
(11)       if (&User-Name)  {
(11)         if (&User-Name =~ / /) {
(11)         if (&User-Name =~ / /)  -> FALSE
(11)         if (&User-Name =~ /@[^@]*@/ ) {
(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)         if (&User-Name =~ /\.\./ ) {
(11)         if (&User-Name =~ /\.\./ )  -> FALSE
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11)         if (&User-Name =~ /\.$/)  {
(11)         if (&User-Name =~ /\.$/)   -> FALSE
(11)         if (&User-Name =~ /@\./)  {
(11)         if (&User-Name =~ /@\./)   -> FALSE
(11)       } # if (&User-Name)  = notfound
(11)     } # policy filter_username = notfound
(11)     [preprocess] = ok
(11)     [chap] = noop
(11)     [mschap] = noop
(11)     [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 12 length 1297
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Removing EAP session with state 0xf1839162fb8fa61b
(11) eap: Previous EAP request found for state 0xf1839162fb8fa61b, released
from the list
(11) eap: Peer sent packet with method EAP TEAP (55)
(11) eap: Calling submodule eap_teap to process data
(11) eap_teap: Authenticate
(11) eap_teap: (TLS) EAP Done initial handshake
(11) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(11) eap_teap: Got Tunneled TEAP TLVs
(11) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload =
0x020c04ea0d80000004e016030304a80b0003770003740003713082036d30820255a003020102020103300d06092a864886f70d01010b05003068310b3009060355040613024445310f300d06035504070c06426f6368756d312f302d060355040a0c2649534c20496e7465726e65742053696368657268656974736c6f6573756e67656e20476d62483117301506035504030c0e6d617274696e2d746573742d6361301e170d3234313132393038303335335a170d3334313132373038303335335a3073310b3009060355040613024445310f300d06035504070c06426f6368756d312f302d060355040a0c2649534c20496e7465726e65742053696368657268656974736c6f6573756e67656e20476d62483122302006035504030c196d617274696e2d746573742d636f6d70757465722d6365727430820122300d06092a864886f70d01010105000382010f003082010a0282010100d655edad1c3325d390026e37183e66270c52a3a3d7
(11) eap_teap: Processing received EAP Payload
(11) eap_teap: Got tunneled request
(11) eap_teap:   EAP-Message =
(11) eap_teap: AUTHENTICATION
(11) Virtual server inner-tunnel received request
(11)   EAP-Message =
(11)   FreeRADIUS-Proxied-To = 127.0.0.1
(11)   User-Name = "host/martin-test-computer-cert"
(11)   State = 0x3159eea93555e326e9acec5eed45ae3d
(11) server inner-tunnel {
(11)   Restoring &session-state
(11)     &session-state:Framed-MTU = 921
(11)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(11)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(11)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(11)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(11)     authorize {
(11)       policy filter_username {
(11)         if (&User-Name) {
(11)         if (&User-Name)  -> TRUE
(11)         if (&User-Name)  {
(11)           if (&User-Name =~ / /) {
(11)           if (&User-Name =~ / /)  -> FALSE
(11)           if (&User-Name =~ /@[^@]*@/ ) {
(11)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)           if (&User-Name =~ /\.\./ ) {
(11)           if (&User-Name =~ /\.\./ )  -> FALSE
(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(11)           if (&User-Name =~ /\.$/)  {
(11)           if (&User-Name =~ /\.$/)   -> FALSE
(11)           if (&User-Name =~ /@\./)  {
(11)           if (&User-Name =~ /@\./)   -> FALSE
(11)         } # if (&User-Name)  = notfound
(11)       } # policy filter_username = notfound
(11)       [chap] = noop
(11)       [mschap] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(11) suffix: No such realm "NULL"
(11)       [suffix] = noop
(11)       update control {
(11)         &Proxy-To-Realm := LOCAL
(11)       } # update control = noop
(11) eap: Peer sent EAP Response (code 2) ID 12 length 1258
(11) eap: No EAP Start, assuming it's an on-going EAP conversation
(11)       [eap] = updated
(11)       [files] = noop
(11)       [expiration] = noop
(11)       [logintime] = noop
(11)       [pap] = noop
(11)     } # authorize = updated
(11)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(11)   Found Auth-Type = eap
(11)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(11)     authenticate {
(11) eap: Removing EAP session with state 0x3159eea93555e326
(11) eap: Previous EAP request found for state 0x3159eea93555e326, released
from the list
(11) eap: Peer sent packet with method EAP TLS (13)
(11) eap: Calling submodule eap_tls to process data
(11) eap_tls: (TLS) EAP Peer says that the final record size will be 1248
bytes
(11) eap_tls: (TLS) EAP Got all data (1248 bytes)
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(11) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(11) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(11) eap_tls:   TLS-Cert-Serial :=
"6837d2898be29a5a56edbd7008ad02b855b72ecc"
(11) eap_tls:   TLS-Cert-Expiration := "341119130951Z"
(11) eap_tls:   TLS-Cert-Valid-Since := "241121130951Z"
(11) eap_tls:   TLS-Cert-Subject :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(11) eap_tls:   TLS-Cert-Issuer := "/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(11) eap_tls:   TLS-Cert-Common-Name := "martin-test-ca"
(11) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(11) eap_tls:   TLS-Client-Cert-Serial := "03"
(11) eap_tls:   TLS-Client-Cert-Expiration := "341127080353Z"
(11) eap_tls:   TLS-Client-Cert-Valid-Since := "241129080353Z"
(11) eap_tls:   TLS-Client-Cert-Subject :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-computer-cert"
(11) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(11) eap_tls:   TLS-Client-Cert-Common-Name := "martin-test-computer-cert"
(11) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(11) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(11) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
key exchange
(11) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(11) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(11) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(11) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(11) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(11) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(11) eap_tls: (TLS) TLS - Connection Established
(11) eap_tls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11) eap_tls:   TLS-Session-Version = "TLS 1.2"
(11) eap: Sending EAP Request (code 1) ID 13 length 61
(11) eap: EAP session adding &reply:State = 0x3159eea93454e326
(11)       [eap] = handled
(11)     } # authenticate = handled
(11)   Using Post-Auth-Type Challenge
(11)   Post-Auth-Type sub-section not found.  Ignoring.
(11)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(11)   session-state: Saving cached attributes
(11)     Framed-MTU = 921
(11)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(11)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(11)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(11)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(11)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(11)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(11)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Finished"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(11)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Finished"
(11)     TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11)     TLS-Session-Version = "TLS 1.2"
(11) } # server inner-tunnel
(11) Virtual server sending reply
(11)   EAP-Message =
0x010d003d0d800000003314030300010116030300280de4e2a47fba0a59715e2c4112940146b7bc6548161643d88861720ea68b31ea1e9a1daa8f87eed7
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   State = 0x3159eea93454e326e9acec5eed45ae3d
(11) eap_teap: Got tunneled Access-Challenge
(11) eap: Sending EAP Request (code 1) ID 13 length 100
(11) eap: EAP session adding &reply:State = 0xf1839162fa8ea61b
(11)     [eap] = handled
(11)   } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   Challenge { ... } # empty sub-section is ignored
(11) session-state: Saving cached attributes
(11)   Framed-MTU = 984
(11)   FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(11)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(11)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(11)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(11)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(11)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(11)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(11)   TLS-Session-Version = "TLS 1.2"
(11) Sent Access-Challenge Id 21 from 10.78.5.223:1645 to 10.78.1.215:1645
length 158
(11)   EAP-Message =
0x010d0064370117030300592cdb0801a98d60e682ed812a2fa8a25830175fcec12543ffc71deda3e103bdd0b2b3ef258fc52ffad28c7fb2a836a91c056739fd656f70dbf8d67e108bed74b2151556ed50ad423467e319156501e60683627874fe35a98efe
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   State = 0xf1839162fa8ea61b96c8936992ec3e02
(11) Finished request
Waking up in 0.7 seconds.
(12) Received Access-Request Id 22 from 10.78.1.215:1645 to 10.78.5.223:1645
length 303
(12)   User-Name = "anonymous"
(12)   Service-Type = Framed-User
(12)   Cisco-AVPair = "service-type=Framed"
(12)   Framed-MTU = 1500
(12)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(12)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(12)   EAP-Message =
0x020d002d37011703030022000000000000000794cc55df8fcfb87f010f11671413352f59c835edffc7fcd3809a
(12)   Message-Authenticator = 0x21875209691ca302adc9bf1b2df1c3d6
(12)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(12)   Cisco-AVPair = "method=dot1x"
(12)   NAS-IP-Address = 10.78.1.215
(12)   NAS-Port-Id = "GigabitEthernet1/0/10"
(12)   NAS-Port-Type = Ethernet
(12)   NAS-Port = 50110
(12)   State = 0xf1839162fa8ea61b96c8936992ec3e02
(12) Restoring &session-state
(12)   &session-state:Framed-MTU = 984
(12)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(12)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(12)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(12)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(12)   &session-state:TLS-Session-Version = "TLS 1.2"
(12) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(12)   authorize {
(12)     policy filter_username {
(12)       if (&User-Name) {
(12)       if (&User-Name)  -> TRUE
(12)       if (&User-Name)  {
(12)         if (&User-Name =~ / /) {
(12)         if (&User-Name =~ / /)  -> FALSE
(12)         if (&User-Name =~ /@[^@]*@/ ) {
(12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)         if (&User-Name =~ /\.\./ ) {
(12)         if (&User-Name =~ /\.\./ )  -> FALSE
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(12)         if (&User-Name =~ /\.$/)  {
(12)         if (&User-Name =~ /\.$/)   -> FALSE
(12)         if (&User-Name =~ /@\./)  {
(12)         if (&User-Name =~ /@\./)   -> FALSE
(12)       } # if (&User-Name)  = notfound
(12)     } # policy filter_username = notfound
(12)     [preprocess] = ok
(12)     [chap] = noop
(12)     [mschap] = noop
(12)     [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(12) suffix: No such realm "NULL"
(12)     [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 13 length 45
(12) eap: Continuing tunnel setup
(12)     [eap] = ok
(12)   } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12)   authenticate {
(12) eap: Removing EAP session with state 0xf1839162fa8ea61b
(12) eap: Previous EAP request found for state 0xf1839162fa8ea61b, released
from the list
(12) eap: Peer sent packet with method EAP TEAP (55)
(12) eap: Calling submodule eap_teap to process data
(12) eap_teap: Authenticate
(12) eap_teap: (TLS) EAP Done initial handshake
(12) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(12) eap_teap: Got Tunneled TEAP TLVs
(12) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload = 0x020d00060d00
(12) eap_teap: Processing received EAP Payload
(12) eap_teap: Got tunneled request
(12) eap_teap:   EAP-Message = 0x020d00060d00
(12) eap_teap: AUTHENTICATION
(12) Virtual server inner-tunnel received request
(12)   EAP-Message = 0x020d00060d00
(12)   FreeRADIUS-Proxied-To = 127.0.0.1
(12)   User-Name = "host/martin-test-computer-cert"
(12)   State = 0x3159eea93454e326e9acec5eed45ae3d
(12) server inner-tunnel {
(12)   Restoring &session-state
(12)     &session-state:Framed-MTU = 921
(12)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(12)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Certificate"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Finished"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(12)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Finished"
(12)     &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(12)     &session-state:TLS-Session-Version = "TLS 1.2"
(12)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(12)     authorize {
(12)       policy filter_username {
(12)         if (&User-Name) {
(12)         if (&User-Name)  -> TRUE
(12)         if (&User-Name)  {
(12)           if (&User-Name =~ / /) {
(12)           if (&User-Name =~ / /)  -> FALSE
(12)           if (&User-Name =~ /@[^@]*@/ ) {
(12)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)           if (&User-Name =~ /\.\./ ) {
(12)           if (&User-Name =~ /\.\./ )  -> FALSE
(12)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(12)           if (&User-Name =~ /\.$/)  {
(12)           if (&User-Name =~ /\.$/)   -> FALSE
(12)           if (&User-Name =~ /@\./)  {
(12)           if (&User-Name =~ /@\./)   -> FALSE
(12)         } # if (&User-Name)  = notfound
(12)       } # policy filter_username = notfound
(12)       [chap] = noop
(12)       [mschap] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(12) suffix: No such realm "NULL"
(12)       [suffix] = noop
(12)       update control {
(12)         &Proxy-To-Realm := LOCAL
(12)       } # update control = noop
(12) eap: Peer sent EAP Response (code 2) ID 13 length 6
(12) eap: No EAP Start, assuming it's an on-going EAP conversation
(12)       [eap] = updated
(12)       [files] = noop
(12)       [expiration] = noop
(12)       [logintime] = noop
(12)       [pap] = noop
(12)     } # authorize = updated
(12)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(12)   Found Auth-Type = eap
(12)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(12)     authenticate {
(12) eap: Removing EAP session with state 0x3159eea93454e326
(12) eap: Previous EAP request found for state 0x3159eea93454e326, released
from the list
(12) eap: Peer sent packet with method EAP TLS (13)
(12) eap: Calling submodule eap_tls to process data
(12) eap_tls: (TLS) Peer ACKed our handshake fragment.  handshake is
finished
(12) eap: Sending EAP Success (code 3) ID 13 length 4
(12) eap: Freeing handler
(12)       [eap] = ok
(12)     } # authenticate = ok
(12)   # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(12)     post-auth {
(12)       if (0) {
(12)       if (0)  -> FALSE
(12)     } # post-auth = noop
(12) } # server inner-tunnel
(12) Virtual server sending reply
(12)   MS-MPPE-Recv-Key =
0x90398293ffe7d4686d25df39d9d7f8dbaff39bf9c47587aeb308f35cc8b7fd52
(12)   MS-MPPE-Send-Key =
0x06fbae3af81f344082a52c0539f130418d8e56d4e46eb749c445ea4717b562a2
(12)   EAP-MSK =
0x90398293ffe7d4686d25df39d9d7f8dbaff39bf9c47587aeb308f35cc8b7fd5206fbae3af81f344082a52c0539f130418d8e56d4e46eb749c445ea4717b562a2
(12)   EAP-EMSK =
0x2692dc24d293cba7da041a8176aeebfc333d983165a8edf70402f46bac5f4b3d9e3bc5e2bfb3e57f7d9bc0b83e2f9bf1be6170ed337da57fe0fe2804726f1fc8
(12)   EAP-Session-Id =
0x0d56b03213e77a03f0671face51f905138a7cc2307b04e34418ab2efc3debc4625047952634b3033effe22cb01f13efe0881fad6aa88247cedbbaf973e7ceeadd4
(12)   EAP-Message = 0x030d0004
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   User-Name = "host/martin-test-computer-cert"
(12) eap_teap: Got tunneled Access-Accept
(12) eap_teap: MSCHAP_MPPE_RECV_KEY [high MSK] - hexdump(len=32): 90 39 82
93 ff e7 d4 68 6d 25 df 39 d9 d7 f8 db af f3 9b f9 c4 75 87 ae b3 08 f3 5c
c8 b7 fd 52
(12) eap_teap: MSCHAP_MPPE_SEND_KEY [low MSK] - hexdump(len=32): 06 fb ae
3a f8 1f 34 40 82 a5 2c 05 39 f1 30 41 8d 8e 56 d4 e4 6e b7 49 c4 45 ea 47
17 b5 62 a2
(12) eap_teap: Sending Cryptobinding
(12) eap_teap: Updating ICMK (j = 1)
(12) eap_teap: IMSK from MSK - hexdump(len=32): 90 39 82 93 ff e7 d4 68 6d
25 df 39 d9 d7 f8 db af f3 9b f9 c4 75 87 ae b3 08 f3 5c c8 b7 fd 52
(12) eap_teap: MSK S-IMCK[j] - hexdump(len=40): ca 26 27 4d f4 5e e5 6a 5f
19 c2 18 8c 4e 86 4c af f9 21 fd 72 c3 b0 6d ad d3 2d 8b 14 92 9c 5c 50 a8
aa 62 e7 f7 1e 06
(12) eap_teap: MSK CMK[j] - hexdump(len=20): ba 72 fa d1 aa d6 f5 82 0f 7f
0c e7 b7 10 00 71 9f 5f bb 89
(12) eap_teap: IMSK from EMSK - hexdump(len=32): c1 81 b5 aa 5d c0 fa 41 b7
08 8e 34 13 d2 bd 91 dd 0a 57 22 20 d5 16 f2 d5 a2 84 e9 03 13 25 d8
(12) eap_teap: EMSK S-IMCK[j] - hexdump(len=40): f2 6f db b5 f6 32 71 ed 6c
9e f5 ba 39 f2 50 24 49 83 af 1c 42 11 1a fe 79 20 69 fb bc eb cf 2c 4e 8e
d6 48 5d 4b 01 61
(12) eap_teap: EMSK CMK[j] - hexdump(len=20): 9a 8c be 12 e7 8a e9 f0 80 82
1f 65 21 ea cd f3 e9 26 83 58
(12) eap_teap: BUFFER for Compound MAC calculation - hexdump(len=89): 80 0c
00 4c 00 01 01 30 6f 40 4b 69 46 2c 7f 4a 2c d5 c8 08 a5 43 41 32 a0 fa 16
fc c6 d2 91 8d d0 0b 2f 58 16 32 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 37 00 01 00 04 31 32 33 34
(12) eap_teap: &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type set so
continuing EAP sequence/chaining
(12) eap_teap: Sending EAP-Identity
(12) eap_teap: Deleting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type +=
Machine
(12) eap: Sending EAP Request (code 1) ID 14 length 136
(12) eap: EAP session adding &reply:State = 0xf1839162fd8da61b
(12)     [eap] = handled
(12)   } # authenticate = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(12)   Challenge { ... } # empty sub-section is ignored
(12) session-state: Saving cached attributes
(12)   Framed-MTU = 984
(12)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(12)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(12)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(12)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(12)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(12)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(12)   TLS-Session-Version = "TLS 1.2"
(12) Sent Access-Challenge Id 22 from 10.78.5.223:1645 to 10.78.1.215:1645
length 194
(12)   EAP-Message =
0x010e00883701170303007d2cdb0801a98d60e7e449cc583245e9ad25a54ff967291422f353ae05cfb57713516af5b827a96d93b13b4d9cc2554ec7956c16f6e81b99f15beb016ec73aa40561e56b2d7f12943a27fcd55b65f02f393693774cc4313882086d614315b699b174ecc5f7194092f6061ceb0b43c573ad56fb5e258fb0d65f4cf7e8d153
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   State = 0xf1839162fd8da61b96c8936992ec3e02
(12) Finished request
Waking up in 0.3 seconds.
(8) Cleaning up request packet ID 18 with timestamp +24 due to
cleanup_delay was reached
Waking up in 1.5 seconds.
(13) Received Access-Request Id 23 from 10.78.1.215:1645 to 10.78.5.223:1645
length 424
(13)   User-Name = "anonymous"
(13)   Service-Type = Framed-User
(13)   Cisco-AVPair = "service-type=Framed"
(13)   Framed-MTU = 1500
(13)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(13)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(13)   EAP-Message =
0x020e00a63701170303009b0000000000000008b31ff602569c0cc5f862fcb9fe5610b84ff1b342715b9b020f66ad8d37cc453fdf277f88e7ef4f662629a2403153ce266bff427ea330c52aa37620e7a4813f669813a8b16674716dbd03f1be1b018d77f6b4393e63770caa8f0ca1578a761ded89f381d34b9e2d1e46fd5a81b83611a4729bd2bcdcfab57676be633b561eecfe5ad7eb31448a002ff67e438b4170fd084268a7
(13)   Message-Authenticator = 0x32c80fcc32b134e983510e9c3a673373
(13)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(13)   Cisco-AVPair = "method=dot1x"
(13)   NAS-IP-Address = 10.78.1.215
(13)   NAS-Port-Id = "GigabitEthernet1/0/10"
(13)   NAS-Port-Type = Ethernet
(13)   NAS-Port = 50110
(13)   State = 0xf1839162fd8da61b96c8936992ec3e02
(13) Restoring &session-state
(13)   &session-state:Framed-MTU = 984
(13)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(13)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(13)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(13)   &session-state:TLS-Session-Version = "TLS 1.2"
(13) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(13)   authorize {
(13)     policy filter_username {
(13)       if (&User-Name) {
(13)       if (&User-Name)  -> TRUE
(13)       if (&User-Name)  {
(13)         if (&User-Name =~ / /) {
(13)         if (&User-Name =~ / /)  -> FALSE
(13)         if (&User-Name =~ /@[^@]*@/ ) {
(13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)         if (&User-Name =~ /\.\./ ) {
(13)         if (&User-Name =~ /\.\./ )  -> FALSE
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(13)         if (&User-Name =~ /\.$/)  {
(13)         if (&User-Name =~ /\.$/)   -> FALSE
(13)         if (&User-Name =~ /@\./)  {
(13)         if (&User-Name =~ /@\./)   -> FALSE
(13)       } # if (&User-Name)  = notfound
(13)     } # policy filter_username = notfound
(13)     [preprocess] = ok
(13)     [chap] = noop
(13)     [mschap] = noop
(13)     [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(13) suffix: No such realm "NULL"
(13)     [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 14 length 166
(13) eap: Continuing tunnel setup
(13)     [eap] = ok
(13)   } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13)   authenticate {
(13) eap: Removing EAP session with state 0xf1839162fd8da61b
(13) eap: Previous EAP request found for state 0xf1839162fd8da61b, released
from the list
(13) eap: Peer sent packet with method EAP TEAP (55)
(13) eap: Calling submodule eap_teap to process data
(13) eap_teap: Authenticate
(13) eap_teap: (TLS) EAP Done initial handshake
(13) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(13) eap_teap: Got Tunneled TEAP TLVs
(13) eap_teap:   FreeRADIUS-EAP-TEAP-Crypto-Binding =
0x000101216f404b69462c7f4a2cd5c808a5434132a0fa16fcc6d2918dd00b2f581632a00d00000000000000000000000000000000000000005633dd8113633dc65e5f8f8a685938bd17469cd0
(13) eap_teap:   FreeRADIUS-EAP-TEAP-Intermediate-Result = Success
(13) eap_teap:   FreeRADIUS-EAP-TEAP-Identity-Type = Machine
(13) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload =
0x020e002301686f73742f6d617274696e2d746573742d636f6d70757465722d63657274
(13) eap_teap: BUFFER for Compound MAC calculation - hexdump(len=89): 80 0c
00 4c 00 01 01 21 6f 40 4b 69 46 2c 7f 4a 2c d5 c8 08 a5 43 41 32 a0 fa 16
fc c6 d2 91 8d d0 0b 2f 58 16 32 a0 0d 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 37 00 01 00 04 31 32 33 34
(13) eap_teap: S-IMCK[j] - hexdump(len=40): ca 26 27 4d f4 5e e5 6a 5f 19
c2 18 8c 4e 86 4c af f9 21 fd 72 c3 b0 6d ad d3 2d 8b 14 92 9c 5c 50 a8 aa
62 e7 f7 1e 06
(13) eap_teap: Derived key (MSK) - hexdump(len=64): 42 1d 8d 06 ed 17 a1 d6
d2 b7 3d c2 4c 41 69 8e 53 cd bf e4 34 4e 64 43 01 b9 e0 ba e7 37 37 1d 65
b1 ba 82 b0 4e a8 10 43 c3 6f e8 59 97 c6 11 17 06 e2 d1 f2 32 21 35 13 77
96 91 ac 2a 96 06
(13) eap_teap: Derived key (EMSK) - hexdump(len=64): 72 04 64 8d 34 92 c3
b3 0a fc f3 a7 bf 7d 42 7e 68 4f 5b 85 84 ef e9 a1 73 55 16 c7 33 3e 96 df
6d 84 10 c1 14 8f 00 fd 0d 4b 4a 83 84 8b ba a8 28 66 2a 41 45 9b c9 de e9
af c6 b3 95 2f d7 7b
(13) eap_teap: WARNING: We requested
&session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type = User
(13) eap_teap: WARNING: But the supplicant returned
FreeRADIUS-EAP-TEAP-TLV-Identity-Type = 2
(13) eap_teap: WARNING: Authentication will likely fail.
(13) eap_teap: Processing received EAP Payload
(13) eap_teap: Got tunneled request
(13) eap_teap:   EAP-Message =
0x020e002301686f73742f6d617274696e2d746573742d636f6d70757465722d63657274
(13) eap_teap:   FreeRADIUS-EAP-TEAP-Identity-Type = Machine
(13) eap_teap: Got tunneled identity of host/martin-test-computer-cert
(13) eap_teap: AUTHENTICATION
(13) Virtual server inner-tunnel received request
(13)   EAP-Message =
0x020e002301686f73742f6d617274696e2d746573742d636f6d70757465722d63657274
(13)   FreeRADIUS-EAP-TEAP-Identity-Type = Machine
(13)   FreeRADIUS-Proxied-To = 127.0.0.1
(13)   User-Name = "host/martin-test-computer-cert"
(13) server inner-tunnel {
(13)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(13)     authorize {
(13)       policy filter_username {
(13)         if (&User-Name) {
(13)         if (&User-Name)  -> TRUE
(13)         if (&User-Name)  {
(13)           if (&User-Name =~ / /) {
(13)           if (&User-Name =~ / /)  -> FALSE
(13)           if (&User-Name =~ /@[^@]*@/ ) {
(13)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)           if (&User-Name =~ /\.\./ ) {
(13)           if (&User-Name =~ /\.\./ )  -> FALSE
(13)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(13)           if (&User-Name =~ /\.$/)  {
(13)           if (&User-Name =~ /\.$/)   -> FALSE
(13)           if (&User-Name =~ /@\./)  {
(13)           if (&User-Name =~ /@\./)   -> FALSE
(13)         } # if (&User-Name)  = notfound
(13)       } # policy filter_username = notfound
(13)       [chap] = noop
(13)       [mschap] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(13) suffix: No such realm "NULL"
(13)       [suffix] = noop
(13)       update control {
(13)         &Proxy-To-Realm := LOCAL
(13)       } # update control = noop
(13) eap: Peer sent EAP Response (code 2) ID 14 length 35
(13) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(13)       [eap] = ok
(13)     } # authorize = ok
(13)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(13)   Found Auth-Type = eap
(13)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(13)     authenticate {
(13) eap: Peer sent packet with method EAP Identity (1)
(13) eap: Calling submodule eap_teap to process data
(13) eap_teap: (TLS) TEAP -Initiating new session
(13) eap_teap: Setting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type =
Machine
(13) eap_teap: Followed by &session-state:FreeRADIUS-EAP-TEAP-Identity-Type
+= User
(13) eap: Sending EAP Request (code 1) ID 15 length 18
(13) eap: EAP session adding &reply:State = 0xe43e2451e4311355
(13)       [eap] = handled
(13)     } # authenticate = handled
(13)   Using Post-Auth-Type Challenge
(13)   Post-Auth-Type sub-section not found.  Ignoring.
(13)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(13)   session-state: Saving cached attributes
(13)     Framed-MTU = 921
(13)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(13)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(13) } # server inner-tunnel
(13) Virtual server sending reply
(13)   EAP-Message = 0x010f00123731000000080001000431323334
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xe43e2451e43113552321261b277b04ec
(13) eap_teap: Got tunneled Access-Challenge
(13) eap: Sending EAP Request (code 1) ID 15 length 57
(13) eap: EAP session adding &reply:State = 0xf1839162fc8ca61b
(13)     [eap] = handled
(13)   } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(13)   Challenge { ... } # empty sub-section is ignored
(13) session-state: Saving cached attributes
(13)   Framed-MTU = 984
(13)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(13)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(13)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(13)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(13)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(13)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(13)   TLS-Session-Version = "TLS 1.2"
(13) Sent Access-Challenge Id 23 from 10.78.5.223:1645 to 10.78.1.215:1645
length 115
(13)   EAP-Message =
0x010f00393701170303002e2cdb0801a98d60e866fc782735140c2f90d2142d881f60fb0ac021b89996b848a630b7e36ba76ea7b76bfc6a12e8
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xf1839162fc8ca61b96c8936992ec3e02
(13) Finished request
Waking up in 0.5 seconds.
(9) Cleaning up request packet ID 19 with timestamp +25 due to
cleanup_delay was reached
Waking up in 1.1 seconds.
(14) Received Access-Request Id 24 from 10.78.1.215:1645 to 10.78.5.223:1645
length 303
(14)   User-Name = "anonymous"
(14)   Service-Type = Framed-User
(14)   Cisco-AVPair = "service-type=Framed"
(14)   Framed-MTU = 1500
(14)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(14)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(14)   EAP-Message =
0x020f002d37011703030022000000000000000913a851e9de9a1194cbdcaeea6b08b6193ea5dcb3ef1ec978831f
(14)   Message-Authenticator = 0x82f4bf484711a03569e9b46466a49966
(14)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(14)   Cisco-AVPair = "method=dot1x"
(14)   NAS-IP-Address = 10.78.1.215
(14)   NAS-Port-Id = "GigabitEthernet1/0/10"
(14)   NAS-Port-Type = Ethernet
(14)   NAS-Port = 50110
(14)   State = 0xf1839162fc8ca61b96c8936992ec3e02
(14) Restoring &session-state
(14)   &session-state:Framed-MTU = 984
(14)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(14)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(14)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(14)   &session-state:TLS-Session-Version = "TLS 1.2"
(14) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(14)   authorize {
(14)     policy filter_username {
(14)       if (&User-Name) {
(14)       if (&User-Name)  -> TRUE
(14)       if (&User-Name)  {
(14)         if (&User-Name =~ / /) {
(14)         if (&User-Name =~ / /)  -> FALSE
(14)         if (&User-Name =~ /@[^@]*@/ ) {
(14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)         if (&User-Name =~ /\.\./ ) {
(14)         if (&User-Name =~ /\.\./ )  -> FALSE
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(14)         if (&User-Name =~ /\.$/)  {
(14)         if (&User-Name =~ /\.$/)   -> FALSE
(14)         if (&User-Name =~ /@\./)  {
(14)         if (&User-Name =~ /@\./)   -> FALSE
(14)       } # if (&User-Name)  = notfound
(14)     } # policy filter_username = notfound
(14)     [preprocess] = ok
(14)     [chap] = noop
(14)     [mschap] = noop
(14)     [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(14) suffix: No such realm "NULL"
(14)     [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 15 length 45
(14) eap: Continuing tunnel setup
(14)     [eap] = ok
(14)   } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14)   authenticate {
(14) eap: Removing EAP session with state 0xf1839162fc8ca61b
(14) eap: Previous EAP request found for state 0xf1839162fc8ca61b, released
from the list
(14) eap: Peer sent packet with method EAP TEAP (55)
(14) eap: Calling submodule eap_teap to process data
(14) eap_teap: Authenticate
(14) eap_teap: (TLS) EAP Done initial handshake
(14) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(14) eap_teap: Got Tunneled TEAP TLVs
(14) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload = 0x020f0006030d
(14) eap_teap: Processing received EAP Payload
(14) eap_teap: Got tunneled request
(14) eap_teap:   EAP-Message = 0x020f0006030d
(14) eap_teap: AUTHENTICATION
(14) Virtual server inner-tunnel received request
(14)   EAP-Message = 0x020f0006030d
(14)   FreeRADIUS-Proxied-To = 127.0.0.1
(14)   User-Name = "host/martin-test-computer-cert"
(14)   State = 0xe43e2451e43113552321261b277b04ec
(14) server inner-tunnel {
(14)   Restoring &session-state
(14)     &session-state:Framed-MTU = 921
(14)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(14)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(14)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(14)     authorize {
(14)       policy filter_username {
(14)         if (&User-Name) {
(14)         if (&User-Name)  -> TRUE
(14)         if (&User-Name)  {
(14)           if (&User-Name =~ / /) {
(14)           if (&User-Name =~ / /)  -> FALSE
(14)           if (&User-Name =~ /@[^@]*@/ ) {
(14)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)           if (&User-Name =~ /\.\./ ) {
(14)           if (&User-Name =~ /\.\./ )  -> FALSE
(14)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(14)           if (&User-Name =~ /\.$/)  {
(14)           if (&User-Name =~ /\.$/)   -> FALSE
(14)           if (&User-Name =~ /@\./)  {
(14)           if (&User-Name =~ /@\./)   -> FALSE
(14)         } # if (&User-Name)  = notfound
(14)       } # policy filter_username = notfound
(14)       [chap] = noop
(14)       [mschap] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(14) suffix: No such realm "NULL"
(14)       [suffix] = noop
(14)       update control {
(14)         &Proxy-To-Realm := LOCAL
(14)       } # update control = noop
(14) eap: Peer sent EAP Response (code 2) ID 15 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14)       [eap] = updated
(14)       [files] = noop
(14)       [expiration] = noop
(14)       [logintime] = noop
(14)       [pap] = noop
(14)     } # authorize = updated
(14)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(14)   Found Auth-Type = eap
(14)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(14)     authenticate {
(14) eap: Removing EAP session with state 0xe43e2451e4311355
(14) eap: Previous EAP request found for state 0xe43e2451e4311355, released
from the list
(14) eap: Peer sent packet with method EAP NAK (3)
(14) eap: Found mutually acceptable type TLS (13)
(14) eap: Calling submodule eap_tls to process data
(14) eap_tls: (TLS) TLS -Initiating new session
(14) eap_tls: (TLS) TLS - Setting verify mode to require certificate from
client
(14) eap: Sending EAP Request (code 1) ID 16 length 6
(14) eap: EAP session adding &reply:State = 0xe43e2451e52e2955
(14)       [eap] = handled
(14)     } # authenticate = handled
(14)   Using Post-Auth-Type Challenge
(14)   Post-Auth-Type sub-section not found.  Ignoring.
(14)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(14)   session-state: Saving cached attributes
(14)     Framed-MTU = 921
(14)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(14)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(14) } # server inner-tunnel
(14) Virtual server sending reply
(14)   EAP-Message = 0x011000060d20
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0xe43e2451e52e29552321261b277b04ec
(14) eap_teap: Got tunneled Access-Challenge
(14) eap: Sending EAP Request (code 1) ID 16 length 45
(14) eap: EAP session adding &reply:State = 0xf1839162ff93a61b
(14)     [eap] = handled
(14)   } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(14)   Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14)   Framed-MTU = 984
(14)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(14)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(14)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(14)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(14)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(14)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(14)   TLS-Session-Version = "TLS 1.2"
(14) Sent Access-Challenge Id 24 from 10.78.5.223:1645 to 10.78.1.215:1645
length 103
(14)   EAP-Message =
0x0110002d370117030300222cdb0801a98d60e963e6a30c782759f3df78804d5d6acdd2f3799e8bc1fddb9dc805
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0xf1839162ff93a61b96c8936992ec3e02
(14) Finished request
Waking up in 0.3 seconds.
(10) Cleaning up request packet ID 20 with timestamp +27 due to
cleanup_delay was reached
Waking up in 1.5 seconds.
(15) Received Access-Request Id 25 from 10.78.1.215:1645 to 10.78.5.223:1645
length 566
(15)   User-Name = "anonymous"
(15)   Service-Type = Framed-User
(15)   Cisco-AVPair = "service-type=Framed"
(15)   Framed-MTU = 1500
(15)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(15)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(15)   EAP-Message =
(15)   Message-Authenticator = 0xa9d2d98c0281fc69df60be28fb48cb05
(15)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(15)   Cisco-AVPair = "method=dot1x"
(15)   NAS-IP-Address = 10.78.1.215
(15)   NAS-Port-Id = "GigabitEthernet1/0/10"
(15)   NAS-Port-Type = Ethernet
(15)   NAS-Port = 50110
(15)   State = 0xf1839162ff93a61b96c8936992ec3e02
(15) Restoring &session-state
(15)   &session-state:Framed-MTU = 984
(15)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(15)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(15)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(15)   &session-state:TLS-Session-Version = "TLS 1.2"
(15) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(15)   authorize {
(15)     policy filter_username {
(15)       if (&User-Name) {
(15)       if (&User-Name)  -> TRUE
(15)       if (&User-Name)  {
(15)         if (&User-Name =~ / /) {
(15)         if (&User-Name =~ / /)  -> FALSE
(15)         if (&User-Name =~ /@[^@]*@/ ) {
(15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)         if (&User-Name =~ /\.\./ ) {
(15)         if (&User-Name =~ /\.\./ )  -> FALSE
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(15)         if (&User-Name =~ /\.$/)  {
(15)         if (&User-Name =~ /\.$/)   -> FALSE
(15)         if (&User-Name =~ /@\./)  {
(15)         if (&User-Name =~ /@\./)   -> FALSE
(15)       } # if (&User-Name)  = notfound
(15)     } # policy filter_username = notfound
(15)     [preprocess] = ok
(15)     [chap] = noop
(15)     [mschap] = noop
(15)     [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(15) suffix: No such realm "NULL"
(15)     [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 16 length 306
(15) eap: Continuing tunnel setup
(15)     [eap] = ok
(15)   } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15)   authenticate {
(15) eap: Removing EAP session with state 0xf1839162ff93a61b
(15) eap: Previous EAP request found for state 0xf1839162ff93a61b, released
from the list
(15) eap: Peer sent packet with method EAP TEAP (55)
(15) eap: Calling submodule eap_teap to process data
(15) eap_teap: Authenticate
(15) eap_teap: (TLS) EAP Done initial handshake
(15) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(15) eap_teap: Got Tunneled TEAP TLVs
(15) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload =
0x0210010b0d800000010116030100fc010000f803037dec241f58df06dd5087fa80763176077327817dbfa437d835c54a1bca01dbe420985956341443ec04f55a304808f423ff6cc2f304b7d4183860a93494809a5b9e002813021301c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f01000087000500050100000000002b0009080304030303020301000d001a001808040805080604010501020104030503020302020601060300230000000a00080006001d00170018000b00020100003300260024001d0020b2ef0bfb1c90ded03f71a6c6e6de9b39e48333cffe8d41f0709b6620b2333b5c0031000000170000ff01000100002d00020101
(15) eap_teap: Processing received EAP Payload
(15) eap_teap: Got tunneled request
(15) eap_teap:   EAP-Message =
(15) eap_teap: AUTHENTICATION
(15) Virtual server inner-tunnel received request
(15)   EAP-Message =
(15)   FreeRADIUS-Proxied-To = 127.0.0.1
(15)   User-Name = "host/martin-test-computer-cert"
(15)   State = 0xe43e2451e52e29552321261b277b04ec
(15) server inner-tunnel {
(15)   Restoring &session-state
(15)     &session-state:Framed-MTU = 921
(15)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(15)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(15)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(15)     authorize {
(15)       policy filter_username {
(15)         if (&User-Name) {
(15)         if (&User-Name)  -> TRUE
(15)         if (&User-Name)  {
(15)           if (&User-Name =~ / /) {
(15)           if (&User-Name =~ / /)  -> FALSE
(15)           if (&User-Name =~ /@[^@]*@/ ) {
(15)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)           if (&User-Name =~ /\.\./ ) {
(15)           if (&User-Name =~ /\.\./ )  -> FALSE
(15)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(15)           if (&User-Name =~ /\.$/)  {
(15)           if (&User-Name =~ /\.$/)   -> FALSE
(15)           if (&User-Name =~ /@\./)  {
(15)           if (&User-Name =~ /@\./)   -> FALSE
(15)         } # if (&User-Name)  = notfound
(15)       } # policy filter_username = notfound
(15)       [chap] = noop
(15)       [mschap] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(15) suffix: No such realm "NULL"
(15)       [suffix] = noop
(15)       update control {
(15)         &Proxy-To-Realm := LOCAL
(15)       } # update control = noop
(15) eap: Peer sent EAP Response (code 2) ID 16 length 267
(15) eap: No EAP Start, assuming it's an on-going EAP conversation
(15)       [eap] = updated
(15)       [files] = noop
(15)       [expiration] = noop
(15)       [logintime] = noop
(15)       [pap] = noop
(15)     } # authorize = updated
(15)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(15)   Found Auth-Type = eap
(15)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(15)     authenticate {
(15) eap: Removing EAP session with state 0xe43e2451e52e2955
(15) eap: Previous EAP request found for state 0xe43e2451e52e2955, released
from the list
(15) eap: Peer sent packet with method EAP TLS (13)
(15) eap: Calling submodule eap_tls to process data
(15) eap_tls: (TLS) EAP Peer says that the final record size will be 257
bytes
(15) eap_tls: (TLS) EAP Got all data (257 bytes)
(15) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(15) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(15) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(15) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
hello
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
hello
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key
exchange
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate request
(15) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone
(15) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(15) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS write
server done
(15) eap_tls: (TLS) TLS - In Handshake Phase
(15) eap: Sending EAP Request (code 1) ID 17 length 927
(15) eap: EAP session adding &reply:State = 0xe43e2451e62f2955
(15)       [eap] = handled
(15)     } # authenticate = handled
(15)   Using Post-Auth-Type Challenge
(15)   Post-Auth-Type sub-section not found.  Ignoring.
(15)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(15)   session-state: Saving cached attributes
(15)     Framed-MTU = 921
(15)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(15)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(15)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(15)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(15)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(15)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(15)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(15)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(15) } # server inner-tunnel
(15) Virtual server sending reply
(15)   EAP-Message =
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0xe43e2451e62f29552321261b277b04ec
(15) eap_teap: Got tunneled Access-Challenge
(15) eap: Sending EAP Request (code 1) ID 17 length 966
(15) eap: EAP session adding &reply:State = 0xf1839162fe92a61b
(15)     [eap] = handled
(15)   } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(15)   Challenge { ... } # empty sub-section is ignored
(15) session-state: Saving cached attributes
(15)   Framed-MTU = 984
(15)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(15)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(15)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(15)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(15)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(15)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(15)   TLS-Session-Version = "TLS 1.2"
(15) Sent Access-Challenge Id 25 from 10.78.5.223:1645 to 10.78.1.215:1645
length 1030
(15)   EAP-Message =
0x011103c6370117030303bb2cdb0801a98d60ea641a3751d0b3ea9aedac82ae43c48ca56ab01be635865049060f88bc59bf4d7a5a6c74e07fd27452c899ad47e9e11b9ebf7fa55dff13ecda1d892c90f0af46f0620ba88723852730fab07cad72f2deced5a57c40eaab16ec65146c98e855124092ef24cdd682de9f7e45e8f09abc509adb5be53d833317f24237c19d2ac3469e949c8958182da4c26dbaa179f2c08b13a13afaf6c45050fd4c3b4ff7330cbf296ef940d1d4e3f826d0827e0d64f05561879173d8ea6505d897f58e886e13759dff0fb1efd85aaaa3299c55498f5109b7b0c5a350f6484be164c104f8644f3765a86113361d7e604cedbb1ba4bef1864eb16262426a16b8db02ee7927378b343e3d2770e7b429f2782e25407f8db1299b1a20b9f2a157cd18c722a23fd6b6729052707c6ed482473c3fbfd872a822117f83138b6e21c89b5efe4a6e1b34291474002853694fc850892218294df09e658a55ca838aec9eed085b6cbf79bf1d013909f20bd4
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0xf1839162fe92a61b96c8936992ec3e02
(15) Finished request
Waking up in 1.1 seconds.
(16) Received Access-Request Id 26 from 10.78.1.215:1645 to 10.78.5.223:1645
length 303
(16)   User-Name = "anonymous"
(16)   Service-Type = Framed-User
(16)   Cisco-AVPair = "service-type=Framed"
(16)   Framed-MTU = 1500
(16)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(16)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(16)   EAP-Message =
0x0211002d37011703030022000000000000000b7be460bbd4f6bb9c32a578718c1b190102cbc483409d7049b111
(16)   Message-Authenticator = 0x209f6115a8a9d4f735d413f29f64ac92
(16)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(16)   Cisco-AVPair = "method=dot1x"
(16)   NAS-IP-Address = 10.78.1.215
(16)   NAS-Port-Id = "GigabitEthernet1/0/10"
(16)   NAS-Port-Type = Ethernet
(16)   NAS-Port = 50110
(16)   State = 0xf1839162fe92a61b96c8936992ec3e02
(16) Restoring &session-state
(16)   &session-state:Framed-MTU = 984
(16)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(16)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(16)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(16)   &session-state:TLS-Session-Version = "TLS 1.2"
(16) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(16)   authorize {
(16)     policy filter_username {
(16)       if (&User-Name) {
(16)       if (&User-Name)  -> TRUE
(16)       if (&User-Name)  {
(16)         if (&User-Name =~ / /) {
(16)         if (&User-Name =~ / /)  -> FALSE
(16)         if (&User-Name =~ /@[^@]*@/ ) {
(16)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(16)         if (&User-Name =~ /\.\./ ) {
(16)         if (&User-Name =~ /\.\./ )  -> FALSE
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(16)         if (&User-Name =~ /\.$/)  {
(16)         if (&User-Name =~ /\.$/)   -> FALSE
(16)         if (&User-Name =~ /@\./)  {
(16)         if (&User-Name =~ /@\./)   -> FALSE
(16)       } # if (&User-Name)  = notfound
(16)     } # policy filter_username = notfound
(16)     [preprocess] = ok
(16)     [chap] = noop
(16)     [mschap] = noop
(16)     [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(16) suffix: No such realm "NULL"
(16)     [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 17 length 45
(16) eap: Continuing tunnel setup
(16)     [eap] = ok
(16)   } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16)   authenticate {
(16) eap: Removing EAP session with state 0xf1839162fe92a61b
(16) eap: Previous EAP request found for state 0xf1839162fe92a61b, released
from the list
(16) eap: Peer sent packet with method EAP TEAP (55)
(16) eap: Calling submodule eap_teap to process data
(16) eap_teap: Authenticate
(16) eap_teap: (TLS) EAP Done initial handshake
(16) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(16) eap_teap: Got Tunneled TEAP TLVs
(16) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload = 0x021100060d00
(16) eap_teap: Processing received EAP Payload
(16) eap_teap: Got tunneled request
(16) eap_teap:   EAP-Message = 0x021100060d00
(16) eap_teap: AUTHENTICATION
(16) Virtual server inner-tunnel received request
(16)   EAP-Message = 0x021100060d00
(16)   FreeRADIUS-Proxied-To = 127.0.0.1
(16)   User-Name = "host/martin-test-computer-cert"
(16)   State = 0xe43e2451e62f29552321261b277b04ec
(16) server inner-tunnel {
(16)   Restoring &session-state
(16)     &session-state:Framed-MTU = 921
(16)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(16)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(16)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(16)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(16)     authorize {
(16)       policy filter_username {
(16)         if (&User-Name) {
(16)         if (&User-Name)  -> TRUE
(16)         if (&User-Name)  {
(16)           if (&User-Name =~ / /) {
(16)           if (&User-Name =~ / /)  -> FALSE
(16)           if (&User-Name =~ /@[^@]*@/ ) {
(16)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(16)           if (&User-Name =~ /\.\./ ) {
(16)           if (&User-Name =~ /\.\./ )  -> FALSE
(16)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(16)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(16)           if (&User-Name =~ /\.$/)  {
(16)           if (&User-Name =~ /\.$/)   -> FALSE
(16)           if (&User-Name =~ /@\./)  {
(16)           if (&User-Name =~ /@\./)   -> FALSE
(16)         } # if (&User-Name)  = notfound
(16)       } # policy filter_username = notfound
(16)       [chap] = noop
(16)       [mschap] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(16) suffix: No such realm "NULL"
(16)       [suffix] = noop
(16)       update control {
(16)         &Proxy-To-Realm := LOCAL
(16)       } # update control = noop
(16) eap: Peer sent EAP Response (code 2) ID 17 length 6
(16) eap: No EAP Start, assuming it's an on-going EAP conversation
(16)       [eap] = updated
(16)       [files] = noop
(16)       [expiration] = noop
(16)       [logintime] = noop
(16)       [pap] = noop
(16)     } # authorize = updated
(16)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(16)   Found Auth-Type = eap
(16)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(16)     authenticate {
(16) eap: Removing EAP session with state 0xe43e2451e62f2955
(16) eap: Previous EAP request found for state 0xe43e2451e62f2955, released
from the list
(16) eap: Peer sent packet with method EAP TLS (13)
(16) eap: Calling submodule eap_tls to process data
(16) eap_tls: (TLS) Peer ACKed our handshake fragment
(16) eap: Sending EAP Request (code 1) ID 18 length 927
(16) eap: EAP session adding &reply:State = 0xe43e2451e72c2955
(16)       [eap] = handled
(16)     } # authenticate = handled
(16)   Using Post-Auth-Type Challenge
(16)   Post-Auth-Type sub-section not found.  Ignoring.
(16)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(16)   session-state: Saving cached attributes
(16)     Framed-MTU = 921
(16)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(16)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(16)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(16)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(16)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(16)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(16)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(16)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(16) } # server inner-tunnel
(16) Virtual server sending reply
(16)   EAP-Message =
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0xe43e2451e72c29552321261b277b04ec
(16) eap_teap: Got tunneled Access-Challenge
(16) eap: Sending EAP Request (code 1) ID 18 length 966
(16) eap: EAP session adding &reply:State = 0xf1839162e191a61b
(16)     [eap] = handled
(16)   } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(16)   Challenge { ... } # empty sub-section is ignored
(16) session-state: Saving cached attributes
(16)   Framed-MTU = 984
(16)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(16)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(16)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(16)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(16)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(16)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(16)   TLS-Session-Version = "TLS 1.2"
(16) Sent Access-Challenge Id 26 from 10.78.5.223:1645 to 10.78.1.215:1645
length 1030
(16)   EAP-Message =
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0xf1839162e191a61b96c8936992ec3e02
(16) Finished request
Waking up in 0.5 seconds.
(11) Cleaning up request packet ID 21 with timestamp +28 due to
cleanup_delay was reached
Waking up in 0.3 seconds.
(12) Cleaning up request packet ID 22 with timestamp +28 due to
cleanup_delay was reached
Waking up in 1.3 seconds.
(17) Received Access-Request Id 27 from 10.78.1.215:1645 to 10.78.5.223:1645
length 303
(17)   User-Name = "anonymous"
(17)   Service-Type = Framed-User
(17)   Cisco-AVPair = "service-type=Framed"
(17)   Framed-MTU = 1500
(17)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(17)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(17)   EAP-Message =
0x0212002d37011703030022000000000000000ce9a4edd5602651e4c70c1ef53c1a59907b2ba5862125ed555256
(17)   Message-Authenticator = 0x93ede412e45d2d649fd8be1ff45ae6a5
(17)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(17)   Cisco-AVPair = "method=dot1x"
(17)   NAS-IP-Address = 10.78.1.215
(17)   NAS-Port-Id = "GigabitEthernet1/0/10"
(17)   NAS-Port-Type = Ethernet
(17)   NAS-Port = 50110
(17)   State = 0xf1839162e191a61b96c8936992ec3e02
(17) Restoring &session-state
(17)   &session-state:Framed-MTU = 984
(17)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(17)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(17)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(17)   &session-state:TLS-Session-Version = "TLS 1.2"
(17) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(17)   authorize {
(17)     policy filter_username {
(17)       if (&User-Name) {
(17)       if (&User-Name)  -> TRUE
(17)       if (&User-Name)  {
(17)         if (&User-Name =~ / /) {
(17)         if (&User-Name =~ / /)  -> FALSE
(17)         if (&User-Name =~ /@[^@]*@/ ) {
(17)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(17)         if (&User-Name =~ /\.\./ ) {
(17)         if (&User-Name =~ /\.\./ )  -> FALSE
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(17)         if (&User-Name =~ /\.$/)  {
(17)         if (&User-Name =~ /\.$/)   -> FALSE
(17)         if (&User-Name =~ /@\./)  {
(17)         if (&User-Name =~ /@\./)   -> FALSE
(17)       } # if (&User-Name)  = notfound
(17)     } # policy filter_username = notfound
(17)     [preprocess] = ok
(17)     [chap] = noop
(17)     [mschap] = noop
(17)     [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(17) suffix: No such realm "NULL"
(17)     [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 18 length 45
(17) eap: Continuing tunnel setup
(17)     [eap] = ok
(17)   } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17)   authenticate {
(17) eap: Removing EAP session with state 0xf1839162e191a61b
(17) eap: Previous EAP request found for state 0xf1839162e191a61b, released
from the list
(17) eap: Peer sent packet with method EAP TEAP (55)
(17) eap: Calling submodule eap_teap to process data
(17) eap_teap: Authenticate
(17) eap_teap: (TLS) EAP Done initial handshake
(17) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(17) eap_teap: Got Tunneled TEAP TLVs
(17) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload = 0x021200060d00
(17) eap_teap: Processing received EAP Payload
(17) eap_teap: Got tunneled request
(17) eap_teap:   EAP-Message = 0x021200060d00
(17) eap_teap: AUTHENTICATION
(17) Virtual server inner-tunnel received request
(17)   EAP-Message = 0x021200060d00
(17)   FreeRADIUS-Proxied-To = 127.0.0.1
(17)   User-Name = "host/martin-test-computer-cert"
(17)   State = 0xe43e2451e72c29552321261b277b04ec
(17) server inner-tunnel {
(17)   Restoring &session-state
(17)     &session-state:Framed-MTU = 921
(17)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(17)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(17)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(17)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(17)     authorize {
(17)       policy filter_username {
(17)         if (&User-Name) {
(17)         if (&User-Name)  -> TRUE
(17)         if (&User-Name)  {
(17)           if (&User-Name =~ / /) {
(17)           if (&User-Name =~ / /)  -> FALSE
(17)           if (&User-Name =~ /@[^@]*@/ ) {
(17)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(17)           if (&User-Name =~ /\.\./ ) {
(17)           if (&User-Name =~ /\.\./ )  -> FALSE
(17)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(17)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(17)           if (&User-Name =~ /\.$/)  {
(17)           if (&User-Name =~ /\.$/)   -> FALSE
(17)           if (&User-Name =~ /@\./)  {
(17)           if (&User-Name =~ /@\./)   -> FALSE
(17)         } # if (&User-Name)  = notfound
(17)       } # policy filter_username = notfound
(17)       [chap] = noop
(17)       [mschap] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(17) suffix: No such realm "NULL"
(17)       [suffix] = noop
(17)       update control {
(17)         &Proxy-To-Realm := LOCAL
(17)       } # update control = noop
(17) eap: Peer sent EAP Response (code 2) ID 18 length 6
(17) eap: No EAP Start, assuming it's an on-going EAP conversation
(17)       [eap] = updated
(17)       [files] = noop
(17)       [expiration] = noop
(17)       [logintime] = noop
(17)       [pap] = noop
(17)     } # authorize = updated
(17)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(17)   Found Auth-Type = eap
(17)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(17)     authenticate {
(17) eap: Removing EAP session with state 0xe43e2451e72c2955
(17) eap: Previous EAP request found for state 0xe43e2451e72c2955, released
from the list
(17) eap: Peer sent packet with method EAP TLS (13)
(17) eap: Calling submodule eap_tls to process data
(17) eap_tls: (TLS) Peer ACKed our handshake fragment
(17) eap: Sending EAP Request (code 1) ID 19 length 757
(17) eap: EAP session adding &reply:State = 0xe43e2451e02d2955
(17)       [eap] = handled
(17)     } # authenticate = handled
(17)   Using Post-Auth-Type Challenge
(17)   Post-Auth-Type sub-section not found.  Ignoring.
(17)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(17)   session-state: Saving cached attributes
(17)     Framed-MTU = 921
(17)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(17)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(17)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(17)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(17)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(17)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(17)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(17)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(17) } # server inner-tunnel
(17) Virtual server sending reply
(17)   EAP-Message =
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0xe43e2451e02d29552321261b277b04ec
(17) eap_teap: Got tunneled Access-Challenge
(17) eap: Sending EAP Request (code 1) ID 19 length 796
(17) eap: EAP session adding &reply:State = 0xf1839162e090a61b
(17)     [eap] = handled
(17)   } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(17)   Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17)   Framed-MTU = 984
(17)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(17)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(17)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(17)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(17)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(17)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17)   TLS-Session-Version = "TLS 1.2"
(17) Sent Access-Challenge Id 27 from 10.78.5.223:1645 to 10.78.1.215:1645
length 860
(17)   EAP-Message =
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0xf1839162e090a61b96c8936992ec3e02
(17) Finished request
Waking up in 0.7 seconds.
(13) Cleaning up request packet ID 23 with timestamp +30 due to
cleanup_delay was reached
Waking up in 1.3 seconds.
(18) Received Access-Request Id 28 from 10.78.1.215:1645 to 10.78.5.223:1645
length 1565
(18)   User-Name = "anonymous"
(18)   Service-Type = Framed-User
(18)   Cisco-AVPair = "service-type=Framed"
(18)   Framed-MTU = 1500
(18)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(18)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(18)   EAP-Message =
(18)   Message-Authenticator = 0xcc2724fc1f4b2c620591327e16a5948b
(18)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(18)   Cisco-AVPair = "method=dot1x"
(18)   NAS-IP-Address = 10.78.1.215
(18)   NAS-Port-Id = "GigabitEthernet1/0/10"
(18)   NAS-Port-Type = Ethernet
(18)   NAS-Port = 50110
(18)   State = 0xf1839162e090a61b96c8936992ec3e02
(18) Restoring &session-state
(18)   &session-state:Framed-MTU = 984
(18)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(18)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(18)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(18)   &session-state:TLS-Session-Version = "TLS 1.2"
(18) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(18)   authorize {
(18)     policy filter_username {
(18)       if (&User-Name) {
(18)       if (&User-Name)  -> TRUE
(18)       if (&User-Name)  {
(18)         if (&User-Name =~ / /) {
(18)         if (&User-Name =~ / /)  -> FALSE
(18)         if (&User-Name =~ /@[^@]*@/ ) {
(18)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(18)         if (&User-Name =~ /\.\./ ) {
(18)         if (&User-Name =~ /\.\./ )  -> FALSE
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(18)         if (&User-Name =~ /\.$/)  {
(18)         if (&User-Name =~ /\.$/)   -> FALSE
(18)         if (&User-Name =~ /@\./)  {
(18)         if (&User-Name =~ /@\./)   -> FALSE
(18)       } # if (&User-Name)  = notfound
(18)     } # policy filter_username = notfound
(18)     [preprocess] = ok
(18)     [chap] = noop
(18)     [mschap] = noop
(18)     [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(18) suffix: No such realm "NULL"
(18)     [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 19 length 1297
(18) eap: Continuing tunnel setup
(18)     [eap] = ok
(18)   } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18)   authenticate {
(18) eap: Removing EAP session with state 0xf1839162e090a61b
(18) eap: Previous EAP request found for state 0xf1839162e090a61b, released
from the list
(18) eap: Peer sent packet with method EAP TEAP (55)
(18) eap: Calling submodule eap_teap to process data
(18) eap_teap: Authenticate
(18) eap_teap: (TLS) EAP Done initial handshake
(18) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(18) eap_teap: Got Tunneled TEAP TLVs
(18) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload =
(18) eap_teap: Processing received EAP Payload
(18) eap_teap: Got tunneled request
(18) eap_teap:   EAP-Message =
(18) eap_teap: AUTHENTICATION
(18) Virtual server inner-tunnel received request
(18)   EAP-Message =
(18)   FreeRADIUS-Proxied-To = 127.0.0.1
(18)   User-Name = "host/martin-test-computer-cert"
(18)   State = 0xe43e2451e02d29552321261b277b04ec
(18) server inner-tunnel {
(18)   Restoring &session-state
(18)     &session-state:Framed-MTU = 921
(18)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(18)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(18)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(18)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(18)     authorize {
(18)       policy filter_username {
(18)         if (&User-Name) {
(18)         if (&User-Name)  -> TRUE
(18)         if (&User-Name)  {
(18)           if (&User-Name =~ / /) {
(18)           if (&User-Name =~ / /)  -> FALSE
(18)           if (&User-Name =~ /@[^@]*@/ ) {
(18)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(18)           if (&User-Name =~ /\.\./ ) {
(18)           if (&User-Name =~ /\.\./ )  -> FALSE
(18)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(18)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(18)           if (&User-Name =~ /\.$/)  {
(18)           if (&User-Name =~ /\.$/)   -> FALSE
(18)           if (&User-Name =~ /@\./)  {
(18)           if (&User-Name =~ /@\./)   -> FALSE
(18)         } # if (&User-Name)  = notfound
(18)       } # policy filter_username = notfound
(18)       [chap] = noop
(18)       [mschap] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(18) suffix: No such realm "NULL"
(18)       [suffix] = noop
(18)       update control {
(18)         &Proxy-To-Realm := LOCAL
(18)       } # update control = noop
(18) eap: Peer sent EAP Response (code 2) ID 19 length 1258
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18)       [eap] = updated
(18)       [files] = noop
(18)       [expiration] = noop
(18)       [logintime] = noop
(18)       [pap] = noop
(18)     } # authorize = updated
(18)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(18)   Found Auth-Type = eap
(18)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(18)     authenticate {
(18) eap: Removing EAP session with state 0xe43e2451e02d2955
(18) eap: Previous EAP request found for state 0xe43e2451e02d2955, released
from the list
(18) eap: Peer sent packet with method EAP TLS (13)
(18) eap: Calling submodule eap_tls to process data
(18) eap_tls: (TLS) EAP Peer says that the final record size will be 1248
bytes
(18) eap_tls: (TLS) EAP Got all data (1248 bytes)
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(18) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(18) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(18) eap_tls:   TLS-Cert-Serial :=
"6837d2898be29a5a56edbd7008ad02b855b72ecc"
(18) eap_tls:   TLS-Cert-Expiration := "341119130951Z"
(18) eap_tls:   TLS-Cert-Valid-Since := "241121130951Z"
(18) eap_tls:   TLS-Cert-Subject :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(18) eap_tls:   TLS-Cert-Issuer := "/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(18) eap_tls:   TLS-Cert-Common-Name := "martin-test-ca"
(18) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(18) eap_tls:   TLS-Client-Cert-Serial := "03"
(18) eap_tls:   TLS-Client-Cert-Expiration := "341127080353Z"
(18) eap_tls:   TLS-Client-Cert-Valid-Since := "241129080353Z"
(18) eap_tls:   TLS-Client-Cert-Subject :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-computer-cert"
(18) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=DE/L=Bochum/O=Test/CN=martin-test-ca"
(18) eap_tls:   TLS-Client-Cert-Common-Name := "martin-test-computer-cert"
(18) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(18) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(18) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
key exchange
(18) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(18) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(18) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(18) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(18) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(18) eap_tls: (TLS) TLS - Connection Established
(18) eap_tls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18) eap_tls:   TLS-Session-Version = "TLS 1.2"
(18) eap: Sending EAP Request (code 1) ID 20 length 61
(18) eap: EAP session adding &reply:State = 0xe43e2451e12a2955
(18)       [eap] = handled
(18)     } # authenticate = handled
(18)   Using Post-Auth-Type Challenge
(18)   Post-Auth-Type sub-section not found.  Ignoring.
(18)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(18)   session-state: Saving cached attributes
(18)     Framed-MTU = 921
(18)     FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(18)     FreeRADIUS-EAP-TEAP-Identity-Type += User
(18)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(18)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(18)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(18)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(18)     TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Finished"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(18)     TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Finished"
(18)     TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18)     TLS-Session-Version = "TLS 1.2"
(18) } # server inner-tunnel
(18) Virtual server sending reply
(18)   EAP-Message =
0x0114003d0d80000000331403030001011603030028203da7ac68294a7279c4eeee87b7bc1ad5716faaa065514d8e65a72f0585d560b118566afc46d869
(18)   Message-Authenticator = 0x00000000000000000000000000000000
(18)   State = 0xe43e2451e12a29552321261b277b04ec
(18) eap_teap: Got tunneled Access-Challenge
(18) eap: Sending EAP Request (code 1) ID 20 length 100
(18) eap: EAP session adding &reply:State = 0xf1839162e397a61b
(18)     [eap] = handled
(18)   } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18)   Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18)   Framed-MTU = 984
(18)   FreeRADIUS-EAP-TEAP-Identity-Type += User
(18)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(18)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(18)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(18)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(18)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(18)   TLS-Session-Version = "TLS 1.2"
(18) Sent Access-Challenge Id 28 from 10.78.5.223:1645 to 10.78.1.215:1645
length 158
(18)   EAP-Message =
0x01140064370117030300592cdb0801a98d60ed63ec85bc53ce52079a44cc74ff1fd68114dd344a6dc3a50546e3a7855a69df174cff03ee5e8af908546a78e4114240d88873096c9fdb7144a4faa12c22d7bf1393568355f1fd3d34845c393f0dc212b993
(18)   Message-Authenticator = 0x00000000000000000000000000000000
(18)   State = 0xf1839162e397a61b96c8936992ec3e02
(18) Finished request
Waking up in 0.5 seconds.
(14) Cleaning up request packet ID 24 with timestamp +31 due to
cleanup_delay was reached
Waking up in 0.6 seconds.
(19) Received Access-Request Id 29 from 10.78.1.215:1645 to 10.78.5.223:1645
length 303
(19)   User-Name = "anonymous"
(19)   Service-Type = Framed-User
(19)   Cisco-AVPair = "service-type=Framed"
(19)   Framed-MTU = 1500
(19)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(19)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(19)   EAP-Message =
0x0214002d37011703030022000000000000000ea5514ae51e24d707b5510733e5a59b9439522bcd204603cd72c3
(19)   Message-Authenticator = 0xa40e9157e6bd3932c2e7533e48520b76
(19)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(19)   Cisco-AVPair = "method=dot1x"
(19)   NAS-IP-Address = 10.78.1.215
(19)   NAS-Port-Id = "GigabitEthernet1/0/10"
(19)   NAS-Port-Type = Ethernet
(19)   NAS-Port = 50110
(19)   State = 0xf1839162e397a61b96c8936992ec3e02
(19) Restoring &session-state
(19)   &session-state:Framed-MTU = 984
(19)   &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(19)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(19)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(19)   &session-state:TLS-Session-Version = "TLS 1.2"
(19) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(19)   authorize {
(19)     policy filter_username {
(19)       if (&User-Name) {
(19)       if (&User-Name)  -> TRUE
(19)       if (&User-Name)  {
(19)         if (&User-Name =~ / /) {
(19)         if (&User-Name =~ / /)  -> FALSE
(19)         if (&User-Name =~ /@[^@]*@/ ) {
(19)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(19)         if (&User-Name =~ /\.\./ ) {
(19)         if (&User-Name =~ /\.\./ )  -> FALSE
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(19)         if (&User-Name =~ /\.$/)  {
(19)         if (&User-Name =~ /\.$/)   -> FALSE
(19)         if (&User-Name =~ /@\./)  {
(19)         if (&User-Name =~ /@\./)   -> FALSE
(19)       } # if (&User-Name)  = notfound
(19)     } # policy filter_username = notfound
(19)     [preprocess] = ok
(19)     [chap] = noop
(19)     [mschap] = noop
(19)     [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(19) suffix: No such realm "NULL"
(19)     [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 20 length 45
(19) eap: Continuing tunnel setup
(19)     [eap] = ok
(19)   } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19)   authenticate {
(19) eap: Removing EAP session with state 0xf1839162e397a61b
(19) eap: Previous EAP request found for state 0xf1839162e397a61b, released
from the list
(19) eap: Peer sent packet with method EAP TEAP (55)
(19) eap: Calling submodule eap_teap to process data
(19) eap_teap: Authenticate
(19) eap_teap: (TLS) EAP Done initial handshake
(19) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(19) eap_teap: Got Tunneled TEAP TLVs
(19) eap_teap:   FreeRADIUS-EAP-TEAP-EAP-Payload = 0x021400060d00
(19) eap_teap: Processing received EAP Payload
(19) eap_teap: Got tunneled request
(19) eap_teap:   EAP-Message = 0x021400060d00
(19) eap_teap: AUTHENTICATION
(19) Virtual server inner-tunnel received request
(19)   EAP-Message = 0x021400060d00
(19)   FreeRADIUS-Proxied-To = 127.0.0.1
(19)   User-Name = "host/martin-test-computer-cert"
(19)   State = 0xe43e2451e12a29552321261b277b04ec
(19) server inner-tunnel {
(19)   Restoring &session-state
(19)     &session-state:Framed-MTU = 921
(19)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type := Machine
(19)     &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += User
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Certificate"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Finished"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(19)     &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Finished"
(19)     &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(19)     &session-state:TLS-Session-Version = "TLS 1.2"
(19)   # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(19)     authorize {
(19)       policy filter_username {
(19)         if (&User-Name) {
(19)         if (&User-Name)  -> TRUE
(19)         if (&User-Name)  {
(19)           if (&User-Name =~ / /) {
(19)           if (&User-Name =~ / /)  -> FALSE
(19)           if (&User-Name =~ /@[^@]*@/ ) {
(19)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(19)           if (&User-Name =~ /\.\./ ) {
(19)           if (&User-Name =~ /\.\./ )  -> FALSE
(19)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(19)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(19)           if (&User-Name =~ /\.$/)  {
(19)           if (&User-Name =~ /\.$/)   -> FALSE
(19)           if (&User-Name =~ /@\./)  {
(19)           if (&User-Name =~ /@\./)   -> FALSE
(19)         } # if (&User-Name)  = notfound
(19)       } # policy filter_username = notfound
(19)       [chap] = noop
(19)       [mschap] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "host/martin-test-computer-cert",
looking up realm NULL
(19) suffix: No such realm "NULL"
(19)       [suffix] = noop
(19)       update control {
(19)         &Proxy-To-Realm := LOCAL
(19)       } # update control = noop
(19) eap: Peer sent EAP Response (code 2) ID 20 length 6
(19) eap: No EAP Start, assuming it's an on-going EAP conversation
(19)       [eap] = updated
(19)       [files] = noop
(19)       [expiration] = noop
(19)       [logintime] = noop
(19)       [pap] = noop
(19)     } # authorize = updated
(19)   WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
exist!  Cancelling invalid proxy request.
(19)   Found Auth-Type = eap
(19)   # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(19)     authenticate {
(19) eap: Removing EAP session with state 0xe43e2451e12a2955
(19) eap: Previous EAP request found for state 0xe43e2451e12a2955, released
from the list
(19) eap: Peer sent packet with method EAP TLS (13)
(19) eap: Calling submodule eap_tls to process data
(19) eap_tls: (TLS) Peer ACKed our handshake fragment.  handshake is
finished
(19) eap: Sending EAP Success (code 3) ID 20 length 4
(19) eap: Freeing handler
(19)       [eap] = ok
(19)     } # authenticate = ok
(19)   # Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(19)     post-auth {
(19)       if (0) {
(19)       if (0)  -> FALSE
(19)     } # post-auth = noop
(19) } # server inner-tunnel
(19) Virtual server sending reply
(19)   MS-MPPE-Recv-Key =
0xf429d744c38f4c888b16edc50625d44becd3ea0c7b817150c28cec26072c010b
(19)   MS-MPPE-Send-Key =
0x8f505530935896fc4199ea910649350854a0f2affba47a9215fab6c8fde967f4
(19)   EAP-MSK =
0xf429d744c38f4c888b16edc50625d44becd3ea0c7b817150c28cec26072c010b8f505530935896fc4199ea910649350854a0f2affba47a9215fab6c8fde967f4
(19)   EAP-EMSK =
0xc1d1b87cb08f1979e8a3ec7b255e721c454cec9867f1a769df1f4bb5cb821743c389d15b5e79f22906dc7e057c255ab12e1990254d22289d165f10e989b6703d
(19)   EAP-Session-Id =
0x0d7dec241f58df06dd5087fa80763176077327817dbfa437d835c54a1bca01dbe46fefcc562bd7f85fb4375b8d352916e6ca8a0341102364e84b2490bda2e2d8a1
(19)   EAP-Message = 0x03140004
(19)   Message-Authenticator = 0x00000000000000000000000000000000
(19)   User-Name = "host/martin-test-computer-cert"
(19) eap_teap: Got tunneled Access-Accept
(19) eap_teap: MSCHAP_MPPE_RECV_KEY [high MSK] - hexdump(len=32): f4 29 d7
44 c3 8f 4c 88 8b 16 ed c5 06 25 d4 4b ec d3 ea 0c 7b 81 71 50 c2 8c ec 26
07 2c 01 0b
(19) eap_teap: MSCHAP_MPPE_SEND_KEY [low MSK] - hexdump(len=32): 8f 50 55
30 93 58 96 fc 41 99 ea 91 06 49 35 08 54 a0 f2 af fb a4 7a 92 15 fa b6 c8
fd e9 67 f4
(19) eap_teap: Sending Cryptobinding
(19) eap_teap: Updating ICMK (j = 2)
(19) eap_teap: IMSK from MSK - hexdump(len=32): f4 29 d7 44 c3 8f 4c 88 8b
16 ed c5 06 25 d4 4b ec d3 ea 0c 7b 81 71 50 c2 8c ec 26 07 2c 01 0b
(19) eap_teap: MSK S-IMCK[j] - hexdump(len=40): 54 fc df fe 58 5f c6 90 61
70 87 63 69 ef ba 81 1c c9 ad c1 54 ac 79 64 b3 9e 3e 4d a0 d3 30 6e ad cd
0e 58 ad ac ab 03
(19) eap_teap: MSK CMK[j] - hexdump(len=20): d5 47 f0 2a 0d 72 dc 58 a7 8c
ce 0f ee e6 58 77 27 ed b8 df
(19) eap_teap: IMSK from EMSK - hexdump(len=32): 18 74 ab a8 c2 38 13 84 ac
d8 ba 66 7c 56 77 dd 7a 23 09 07 98 05 0d 0e 8a 08 fd 9a e4 f9 9c f8
(19) eap_teap: EMSK S-IMCK[j] - hexdump(len=40): b1 52 42 e7 4d ba 1c 3e f0
e9 e8 94 b2 35 8b 07 d5 bf f6 f6 fd 44 f9 c2 de b0 a1 dd 6e d6 8d dd 73 87
73 16 94 ba a9 9f
(19) eap_teap: EMSK CMK[j] - hexdump(len=20): 9b f1 91 16 c0 30 cc 06 4d 66
1a 17 24 1e ec a7 8e 37 ae 8d
(19) eap_teap: BUFFER for Compound MAC calculation - hexdump(len=89): 80 0c
00 4c 00 01 01 30 95 e0 9e a1 4f 92 a4 b6 ca c4 a1 59 45 9d 98 53 03 ad 5b
a4 92 a0 34 98 cf b6 ef 3e 41 eb e3 da 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 37 00 01 00 04 31 32 33 34
(19) eap_teap: &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type set so
continuing EAP sequence/chaining
(19) eap_teap: Sending EAP-Identity
(19) eap_teap: Deleting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type +=
User
(19) eap: Sending EAP Request (code 1) ID 21 length 136
(19) eap: EAP session adding &reply:State = 0xf1839162e296a61b
(19)     [eap] = handled
(19)   } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19)   Challenge { ... } # empty sub-section is ignored
(19) session-state: Saving cached attributes
(19)   Framed-MTU = 984
(19)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3 Handshake,
ClientHello"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHello"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Certificate"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(19)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(19)   TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2 Handshake,
Finished"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(19)   TLS-Session-Information = "(TLS) TEAP - send TLS 1.2 Handshake,
Finished"
(19)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(19)   TLS-Session-Version = "TLS 1.2"
(19) Sent Access-Challenge Id 29 from 10.78.5.223:1645 to 10.78.1.215:1645
length 194
(19)   EAP-Message =
0x011500883701170303007d2cdb0801a98d60eed95dd43b6a0b17a0a79619628c68198c5e23d858d9cc76c4b99abcaf59f10661429635c51d419c9a7de025e39776fdeca4ab6f91321f482bbfc64d6572007716f76d4b82f042ff9ed384011ee30499bdad83c40f9f9fb72c7b0d198840d42cec18495723f039e4d5df344a72cf95b19dd6023868c7
(19)   Message-Authenticator = 0x00000000000000000000000000000000
(19)   State = 0xf1839162e296a61b96c8936992ec3e02
(19) Finished request
(15) Cleaning up request packet ID 25 with timestamp +32 due to
cleanup_delay was reached
Waking up in 0.5 seconds.
(16) Cleaning up request packet ID 26 with timestamp +32 due to
cleanup_delay was reached
Waking up in 1.6 seconds.
(20) Received Access-Request Id 30 from 10.78.1.215:1645 to 10.78.5.223:1645
length 393
(20)   User-Name = "anonymous"
(20)   Service-Type = Framed-User
(20)   Cisco-AVPair = "service-type=Framed"
(20)   Framed-MTU = 1500
(20)   Called-Station-Id = "00-3C-10-AB-A2-8A"
(20)   Calling-Station-Id = "C8-F7-50-08-DD-9F"
(20)   EAP-Message =
0x021500873701170303007c000000000000000f28723c2f5a16660e33f295edad06dff7c4e18ede02a5a149e310a3527336deec6a2848410f42a3a30c6fa6f9d4f65e47a87937ac583a8aaa8cf78d16916230bee715a1b761622e2add3f601f5af9376f2040d15e8c044612f4170a5d749eb0e3038883666ef6fa50345c454a94ab20c983cc4274
(20)   Message-Authenticator = 0xba4894e3992278c469398f650ce5a24d
(20)   Cisco-AVPair = "audit-session-id=0A4E01D70000076141A84F5D"
(20)   Cisco-AVPair = "method=dot1x"
(20)   NAS-IP-Address = 10.78.1.215
(20)   NAS-Port-Id = "GigabitEthernet1/0/10"
(20)   NAS-Port-Type = Ethernet
(20)   NAS-Port = 50110
(20)   State = 0xf1839162e296a61b96c8936992ec3e02
(20) Restoring &session-state
(20)   &session-state:Framed-MTU = 984
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.3
Handshake, ClientHello"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHello"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Certificate"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerKeyExchange"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, ServerHelloDone"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, ClientKeyExchange"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - recv TLS 1.2
Handshake, Finished"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
ChangeCipherSpec"
(20)   &session-state:TLS-Session-Information = "(TLS) TEAP - send TLS 1.2
Handshake, Finished"
(20)   &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(20)   &session-state:TLS-Session-Version = "TLS 1.2"
(20) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(20)   authorize {
(20)     policy filter_username {
(20)       if (&User-Name) {
(20)       if (&User-Name)  -> TRUE
(20)       if (&User-Name)  {
(20)         if (&User-Name =~ / /) {
(20)         if (&User-Name =~ / /)  -> FALSE
(20)         if (&User-Name =~ /@[^@]*@/ ) {
(20)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(20)         if (&User-Name =~ /\.\./ ) {
(20)         if (&User-Name =~ /\.\./ )  -> FALSE
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(20)         if (&User-Name =~ /\.$/)  {
(20)         if (&User-Name =~ /\.$/)   -> FALSE
(20)         if (&User-Name =~ /@\./)  {
(20)         if (&User-Name =~ /@\./)   -> FALSE
(20)       } # if (&User-Name)  = notfound
(20)     } # policy filter_username = notfound
(20)     [preprocess] = ok
(20)     [chap] = noop
(20)     [mschap] = noop
(20)     [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(20) suffix: No such realm "NULL"
(20)     [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 21 length 135
(20) eap: Continuing tunnel setup
(20)     [eap] = ok
(20)   } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20)   authenticate {
(20) eap: Removing EAP session with state 0xf1839162e296a61b
(20) eap: Previous EAP request found for state 0xf1839162e296a61b, released
from the list
(20) eap: Peer sent packet with method EAP TEAP (55)
(20) eap: Calling submodule eap_teap to process data
(20) eap_teap: Authenticate
(20) eap_teap: (TLS) EAP Done initial handshake
(20) eap_teap: Session established.  Proceeding to decode tunneled
attributes
(20) eap_teap: EAP-TEAP TLV Status indicates failure.  Rejecting request.
(20) eap: ERROR: Failed continuing EAP TEAP (55) session.  EAP sub-module
failed
(20) eap: Sending EAP Failure (code 4) ID 21 length 4
(20) eap: Failed in EAP select
(20)     [eap] = invalid
(20)   } # authenticate = invalid
(20) Failed to authenticate the user
(20) Using Post-Auth-Type Reject
(20) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(20)   Post-Auth-Type REJECT {
(20) attr_filter.access_reject: EXPAND %{User-Name}
(20) attr_filter.access_reject:    --> anonymous
(20) attr_filter.access_reject: Matched entry DEFAULT at line 11
(20)     [attr_filter.access_reject] = updated
(20)     [eap] = noop
(20)     policy remove_reply_message_if_eap {
(20)       if (&reply:EAP-Message && &reply:Reply-Message) {
(20)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(20)       else {
(20)         [noop] = noop
(20)       } # else = noop
(20)     } # policy remove_reply_message_if_eap = noop
(20)   } # Post-Auth-Type REJECT = updated
(20) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.4 seconds.
(17) Cleaning up request packet ID 27 with timestamp +34 due to
cleanup_delay was reached
Waking up in 0.1 seconds.
(20) Sending delayed response
(20) Sent Access-Reject Id 30 from 10.78.5.223:1645 to 10.78.1.215:1645
length 44
(20)   EAP-Message = 0x04150004
(20)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.3 seconds.
(18) Cleaning up request packet ID 28 with timestamp +36 due to
cleanup_delay was reached
Waking up in 1.1 seconds.
(19) Cleaning up request packet ID 29 with timestamp +37 due to
cleanup_delay was reached
Waking up in 1.5 seconds.
(20) Cleaning up request packet ID 30 with timestamp +38 due to
cleanup_delay was reached
Ready to process requests

