Add TLS version to logs with linelog in FreeRADIUS 3.2.4
Dominic Stalder
dominic.stalder@bluewin.ch
Fri Dec 13 13:33:35 UTC 2024
Hi guys
I was finally able to find some time to test and debug it (again).
As suggested, I added "debug_all" in the post-auth section before anything else:
post-auth {
debug_all
if (Service-Type == Call-Check) {
MAC_auth_log
} else {
802.1x_auth_log
}
...
}
See full debug output at the end...
I can see multiple places where "TLS-Session-Cipher-Suite" and "TLS-Session-Version" are referenced:
(357) Using Post-Auth-Type Challenge
(357) Post-Auth-Type sub-section not found. Ignoring.
(357) # Executing group from file /etc/freeradius/sites-enabled/default
(357) session-state: Saving cached attributes
...
(357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(357) TLS-Session-Version = "TLS 1.2"
(358) Restoring &session-state
(358) &session-state:Framed-MTU = 1014
...
(358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(358) &session-state:TLS-Session-Version = "TLS 1.2"
(345) Auth-Type eap {
(345) eap: Removing EAP session with state 0x0141131104460af2
(345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list
(345) eap: Peer sent packet with method EAP PEAP (25)
(345) eap: Calling submodule eap_peap to process data
(345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(345) eap_peap: (TLS) EAP Got all data (126 bytes)
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(345) eap_peap: (TLS) PEAP - Connection Established
(345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(345) eap_peap: TLS-Session-Version = "TLS 1.2"
But nonetheless, it is not logged afterwards:
(362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})
(362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=xyz Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown)
What am I missing in this context?
Regards
Dominic
***
Full debug output:
(339) Received Access-Request Id 183 from 130.92.42.15:60533 to 130.92.10.33:1812 length 446
(339) User-Name = "xyz@realm.com"
(339) Service-Type = Framed-User
(339) Cisco-AVPair = "service-type=Framed"
(339) Framed-MTU = 1485
(339) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368
(339) Message-Authenticator = 0x4c3f3cc9745bd26770b48c2b3b9875fb
(339) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(339) Cisco-AVPair = "method=dot1x"
(339) Cisco-AVPair = "client-iif-id=2499807523"
(339) Cisco-AVPair = "vlan-id=1876"
(339) NAS-IP-Address = 130.92.42.15
(339) NAS-Port-Type = Wireless-802.11
(339) NAS-Port = 4211
(339) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(339) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(339) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(339) Calling-Station-Id = "22-e0-73-f2-50-23"
(339) Airespace-Wlan-Id = 98
(339) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(339) WLAN-Group-Cipher = 1027076
(339) WLAN-Pairwise-Cipher = 1027076
(339) WLAN-AKM-Suite = 1027075
(339) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(339) authorize {
(339) policy rewrite_called_station_id {
(339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(339) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(339) update request {
(339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(339) --> 60-B9-C0-04-C4-40
(339) &Called-Station-Id := 60-B9-C0-04-C4-40
(339) } # update request = noop
(339) if ("%{8}") {
(339) EXPAND %{8}
(339) --> eduroam
(339) if ("%{8}") -> TRUE
(339) if ("%{8}") {
(339) update request {
(339) EXPAND %{8}
(339) --> eduroam
(339) &Called-Station-SSID := eduroam
(339) EXPAND %{Called-Station-Id}:%{8}
(339) --> 60-B9-C0-04-C4-40:eduroam
(339) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(339) } # update request = noop
(339) } # if ("%{8}") = noop
(339) [updated] = updated
(339) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(339) ... skipping else: Preceding "if" was taken
(339) } # policy rewrite_called_station_id = updated
(339) policy rewrite_calling_station_id {
(339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(339) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(339) update request {
(339) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(339) --> 22-E0-73-F2-50-23
(339) &Calling-Station-Id := 22-E0-73-F2-50-23
(339) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(339) --> 22:E0:73:F2:50:23
(339) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(339) } # update request = noop
(339) [updated] = updated
(339) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(339) ... skipping else: Preceding "if" was taken
(339) } # policy rewrite_calling_station_id = updated
(339) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(339) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(339) if (Service-Type == Call-Check) {
(339) if (Service-Type == Call-Check) -> FALSE
(339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(339) EXPAND Packet-Src-IP-Address
(339) --> 130.92.42.15
(339) EXPAND Packet-Src-IP-Address
(339) --> 130.92.42.15
(339) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(339) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(339) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(339) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(339) if (EAP-Message) {
(339) if (EAP-Message) -> TRUE
(339) if (EAP-Message) {
(339) policy filter_username {
(339) if (&User-Name) {
(339) if (&User-Name) -> TRUE
(339) if (&User-Name) {
(339) if (&User-Name =~ / /) {
(339) if (&User-Name =~ / /) -> FALSE
(339) if (&User-Name =~ /@[^@]*@/ ) {
(339) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(339) if (&User-Name =~ /\.\./ ) {
(339) if (&User-Name =~ /\.\./ ) -> FALSE
(339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(339) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(339) if (&User-Name =~ /\.$/) {
(339) if (&User-Name =~ /\.$/) -> FALSE
(339) if (&User-Name =~ /@\./) {
(339) if (&User-Name =~ /@\./) -> FALSE
(339) } # if (&User-Name) = updated
(339) } # policy filter_username = updated
(339) suffix: Checking for suffix after "@"
(339) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(339) suffix: Found realm "REALM.COM"
(339) suffix: Adding Realm = "REALM.COM"
(339) suffix: Authentication realm is LOCAL
(339) [suffix] = ok
(339) policy deny_no_realm {
(339) if (User-Name && (User-Name !~ /@/)) {
(339) if (User-Name && (User-Name !~ /@/)) -> FALSE
(339) } # policy deny_no_realm = updated
(339) update request {
(339) EXPAND %{toupper:%{Realm}}
(339) --> REALM.COM
(339) Realm := REALM.COM
(339) } # update request = noop
(339) eap: Peer sent EAP Response (code 2) ID 1 length 29
(339) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(339) [eap] = ok
(339) } # if (EAP-Message) = ok
(339) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(339) } # authorize = updated
(339) Found Auth-Type = eap
(339) # Executing group from file /etc/freeradius/sites-enabled/default
(339) Auth-Type eap {
(339) eap: Peer sent packet with method EAP Identity (1)
(339) eap: Calling submodule eap_peap to process data
(339) eap_peap: (TLS) PEAP -Initiating new session
(339) eap: Sending EAP Request (code 1) ID 2 length 6
(339) eap: EAP session adding &reply:State = 0x0141131101430af2
(339) [eap] = handled
(339) if (handled && (Response-Packet-Type == Access-Challenge)) {
(339) EXPAND Response-Packet-Type
(339) --> Access-Challenge
(339) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(339) if (handled && (Response-Packet-Type == Access-Challenge)) {
(339) attr_filter.access_challenge: EXPAND %{User-Name}
(339) attr_filter.access_challenge: --> xyz@realm.com
(339) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(339) [attr_filter.access_challenge.post-auth] = updated
(339) [handled] = handled
(339) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(339) } # Auth-Type eap = handled
(339) Using Post-Auth-Type Challenge
(339) Post-Auth-Type sub-section not found. Ignoring.
(339) # Executing group from file /etc/freeradius/sites-enabled/default
(339) session-state: Saving cached attributes
(339) Framed-MTU = 1014
(339) Sent Access-Challenge Id 183 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64
(339) EAP-Message = 0x010200061920
(339) Message-Authenticator = 0x00000000000000000000000000000000
(339) State = 0x0141131101430af2159d1101103ebc16
(339) Finished request
Waking up in 4.9 seconds.
(340) Received Access-Request Id 191 from 130.92.42.15:60533 to 130.92.10.33:1812 length 596
(340) User-Name = "xyz@realm.com"
(340) Service-Type = Framed-User
(340) Cisco-AVPair = "service-type=Framed"
(340) Framed-MTU = 1485
(340) EAP-Message = 0x020200a119800000009716030100920100008e0303675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba84800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(340) Message-Authenticator = 0x1bf88fb93027e9dd852deff1d387f443
(340) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(340) Cisco-AVPair = "method=dot1x"
(340) Cisco-AVPair = "client-iif-id=2499807523"
(340) Cisco-AVPair = "vlan-id=1876"
(340) NAS-IP-Address = 130.92.42.15
(340) NAS-Port-Type = Wireless-802.11
(340) NAS-Port = 4211
(340) State = 0x0141131101430af2159d1101103ebc16
(340) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(340) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(340) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(340) Calling-Station-Id = "22-e0-73-f2-50-23"
(340) Airespace-Wlan-Id = 98
(340) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(340) WLAN-Group-Cipher = 1027076
(340) WLAN-Pairwise-Cipher = 1027076
(340) WLAN-AKM-Suite = 1027075
(340) Restoring &session-state
(340) &session-state:Framed-MTU = 1014
(340) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(340) authorize {
(340) policy rewrite_called_station_id {
(340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(340) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(340) update request {
(340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(340) --> 60-B9-C0-04-C4-40
(340) &Called-Station-Id := 60-B9-C0-04-C4-40
(340) } # update request = noop
(340) if ("%{8}") {
(340) EXPAND %{8}
(340) --> eduroam
(340) if ("%{8}") -> TRUE
(340) if ("%{8}") {
(340) update request {
(340) EXPAND %{8}
(340) --> eduroam
(340) &Called-Station-SSID := eduroam
(340) EXPAND %{Called-Station-Id}:%{8}
(340) --> 60-B9-C0-04-C4-40:eduroam
(340) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(340) } # update request = noop
(340) } # if ("%{8}") = noop
(340) [updated] = updated
(340) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(340) ... skipping else: Preceding "if" was taken
(340) } # policy rewrite_called_station_id = updated
(340) policy rewrite_calling_station_id {
(340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(340) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(340) update request {
(340) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(340) --> 22-E0-73-F2-50-23
(340) &Calling-Station-Id := 22-E0-73-F2-50-23
(340) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(340) --> 22:E0:73:F2:50:23
(340) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(340) } # update request = noop
(340) [updated] = updated
(340) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(340) ... skipping else: Preceding "if" was taken
(340) } # policy rewrite_calling_station_id = updated
(340) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(340) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(340) if (Service-Type == Call-Check) {
(340) if (Service-Type == Call-Check) -> FALSE
(340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(340) EXPAND Packet-Src-IP-Address
(340) --> 130.92.42.15
(340) EXPAND Packet-Src-IP-Address
(340) --> 130.92.42.15
(340) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(340) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(340) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(340) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(340) if (EAP-Message) {
(340) if (EAP-Message) -> TRUE
(340) if (EAP-Message) {
(340) policy filter_username {
(340) if (&User-Name) {
(340) if (&User-Name) -> TRUE
(340) if (&User-Name) {
(340) if (&User-Name =~ / /) {
(340) if (&User-Name =~ / /) -> FALSE
(340) if (&User-Name =~ /@[^@]*@/ ) {
(340) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(340) if (&User-Name =~ /\.\./ ) {
(340) if (&User-Name =~ /\.\./ ) -> FALSE
(340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(340) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(340) if (&User-Name =~ /\.$/) {
(340) if (&User-Name =~ /\.$/) -> FALSE
(340) if (&User-Name =~ /@\./) {
(340) if (&User-Name =~ /@\./) -> FALSE
(340) } # if (&User-Name) = updated
(340) } # policy filter_username = updated
(340) suffix: Checking for suffix after "@"
(340) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(340) suffix: Found realm "REALM.COM"
(340) suffix: Adding Realm = "REALM.COM"
(340) suffix: Authentication realm is LOCAL
(340) [suffix] = ok
(340) policy deny_no_realm {
(340) if (User-Name && (User-Name !~ /@/)) {
(340) if (User-Name && (User-Name !~ /@/)) -> FALSE
(340) } # policy deny_no_realm = updated
(340) update request {
(340) EXPAND %{toupper:%{Realm}}
(340) --> REALM.COM
(340) Realm := REALM.COM
(340) } # update request = noop
(340) eap: Peer sent EAP Response (code 2) ID 2 length 161
(340) eap: Continuing tunnel setup
(340) [eap] = ok
(340) } # if (EAP-Message) = ok
(340) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(340) } # authorize = updated
(340) Found Auth-Type = eap
(340) # Executing group from file /etc/freeradius/sites-enabled/default
(340) Auth-Type eap {
(340) eap: Removing EAP session with state 0x0141131101430af2
(340) eap: Previous EAP request found for state 0x0141131101430af2, released from the list
(340) eap: Peer sent packet with method EAP PEAP (25)
(340) eap: Calling submodule eap_peap to process data
(340) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(340) eap_peap: (TLS) EAP Got all data (151 bytes)
(340) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(340) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(340) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(340) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(340) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(340) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(340) eap_peap: (TLS) PEAP - In Handshake Phase
(340) eap: Sending EAP Request (code 1) ID 3 length 1024
(340) eap: EAP session adding &reply:State = 0x0141131100420af2
(340) [eap] = handled
(340) if (handled && (Response-Packet-Type == Access-Challenge)) {
(340) EXPAND Response-Packet-Type
(340) --> Access-Challenge
(340) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(340) if (handled && (Response-Packet-Type == Access-Challenge)) {
(340) attr_filter.access_challenge: EXPAND %{User-Name}
(340) attr_filter.access_challenge: --> xyz@realm.com
(340) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(340) [attr_filter.access_challenge.post-auth] = updated
(340) [handled] = handled
(340) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(340) } # Auth-Type eap = handled
(340) Using Post-Auth-Type Challenge
(340) Post-Auth-Type sub-section not found. Ignoring.
(340) # Executing group from file /etc/freeradius/sites-enabled/default
(340) session-state: Saving cached attributes
(340) Framed-MTU = 1014
(340) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(340) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(340) Sent Access-Challenge Id 191 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090
(340) EAP-Message = ...
(340) Message-Authenticator = 0x00000000000000000000000000000000
(340) State = 0x0141131100420af2159d1101103ebc16
(340) Finished request
Waking up in 4.9 seconds.
(341) Received Access-Request Id 199 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441
(341) User-Name = "xyz@realm.com"
(341) Service-Type = Framed-User
(341) Cisco-AVPair = "service-type=Framed"
(341) Framed-MTU = 1485
(341) EAP-Message = 0x020300061900
(341) Message-Authenticator = 0xae5eb8ba2e18ea67433ce94f73ea9d45
(341) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(341) Cisco-AVPair = "method=dot1x"
(341) Cisco-AVPair = "client-iif-id=2499807523"
(341) Cisco-AVPair = "vlan-id=1876"
(341) NAS-IP-Address = 130.92.42.15
(341) NAS-Port-Type = Wireless-802.11
(341) NAS-Port = 4211
(341) State = 0x0141131100420af2159d1101103ebc16
(341) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(341) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(341) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(341) Calling-Station-Id = "22-e0-73-f2-50-23"
(341) Airespace-Wlan-Id = 98
(341) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(341) WLAN-Group-Cipher = 1027076
(341) WLAN-Pairwise-Cipher = 1027076
(341) WLAN-AKM-Suite = 1027075
(341) Restoring &session-state
(341) &session-state:Framed-MTU = 1014
(341) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(341) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(341) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(341) authorize {
(341) policy rewrite_called_station_id {
(341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(341) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(341) update request {
(341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(341) --> 60-B9-C0-04-C4-40
(341) &Called-Station-Id := 60-B9-C0-04-C4-40
(341) } # update request = noop
(341) if ("%{8}") {
(341) EXPAND %{8}
(341) --> eduroam
(341) if ("%{8}") -> TRUE
(341) if ("%{8}") {
(341) update request {
(341) EXPAND %{8}
(341) --> eduroam
(341) &Called-Station-SSID := eduroam
(341) EXPAND %{Called-Station-Id}:%{8}
(341) --> 60-B9-C0-04-C4-40:eduroam
(341) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(341) } # update request = noop
(341) } # if ("%{8}") = noop
(341) [updated] = updated
(341) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(341) ... skipping else: Preceding "if" was taken
(341) } # policy rewrite_called_station_id = updated
(341) policy rewrite_calling_station_id {
(341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(341) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(341) update request {
(341) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(341) --> 22-E0-73-F2-50-23
(341) &Calling-Station-Id := 22-E0-73-F2-50-23
(341) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(341) --> 22:E0:73:F2:50:23
(341) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(341) } # update request = noop
(341) [updated] = updated
(341) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(341) ... skipping else: Preceding "if" was taken
(341) } # policy rewrite_calling_station_id = updated
(341) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(341) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(341) if (Service-Type == Call-Check) {
(341) if (Service-Type == Call-Check) -> FALSE
(341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(341) EXPAND Packet-Src-IP-Address
(341) --> 130.92.42.15
(341) EXPAND Packet-Src-IP-Address
(341) --> 130.92.42.15
(341) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(341) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(341) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(341) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(341) if (EAP-Message) {
(341) if (EAP-Message) -> TRUE
(341) if (EAP-Message) {
(341) policy filter_username {
(341) if (&User-Name) {
(341) if (&User-Name) -> TRUE
(341) if (&User-Name) {
(341) if (&User-Name =~ / /) {
(341) if (&User-Name =~ / /) -> FALSE
(341) if (&User-Name =~ /@[^@]*@/ ) {
(341) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(341) if (&User-Name =~ /\.\./ ) {
(341) if (&User-Name =~ /\.\./ ) -> FALSE
(341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(341) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(341) if (&User-Name =~ /\.$/) {
(341) if (&User-Name =~ /\.$/) -> FALSE
(341) if (&User-Name =~ /@\./) {
(341) if (&User-Name =~ /@\./) -> FALSE
(341) } # if (&User-Name) = updated
(341) } # policy filter_username = updated
(341) suffix: Checking for suffix after "@"
(341) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(341) suffix: Found realm "REALM.COM"
(341) suffix: Adding Realm = "REALM.COM"
(341) suffix: Authentication realm is LOCAL
(341) [suffix] = ok
(341) policy deny_no_realm {
(341) if (User-Name && (User-Name !~ /@/)) {
(341) if (User-Name && (User-Name !~ /@/)) -> FALSE
(341) } # policy deny_no_realm = updated
(341) update request {
(341) EXPAND %{toupper:%{Realm}}
(341) --> REALM.COM
(341) Realm := REALM.COM
(341) } # update request = noop
(341) eap: Peer sent EAP Response (code 2) ID 3 length 6
(341) eap: Continuing tunnel setup
(341) [eap] = ok
(341) } # if (EAP-Message) = ok
(341) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(341) } # authorize = updated
(341) Found Auth-Type = eap
(341) # Executing group from file /etc/freeradius/sites-enabled/default
(341) Auth-Type eap {
(341) eap: Removing EAP session with state 0x0141131100420af2
(341) eap: Previous EAP request found for state 0x0141131100420af2, released from the list
(341) eap: Peer sent packet with method EAP PEAP (25)
(341) eap: Calling submodule eap_peap to process data
(341) eap_peap: (TLS) Peer ACKed our handshake fragment
(341) eap: Sending EAP Request (code 1) ID 4 length 1020
(341) eap: EAP session adding &reply:State = 0x0141131103450af2
(341) [eap] = handled
(341) if (handled && (Response-Packet-Type == Access-Challenge)) {
(341) EXPAND Response-Packet-Type
(341) --> Access-Challenge
(341) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(341) if (handled && (Response-Packet-Type == Access-Challenge)) {
(341) attr_filter.access_challenge: EXPAND %{User-Name}
(341) attr_filter.access_challenge: --> xyz@realm.com
(341) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(341) [attr_filter.access_challenge.post-auth] = updated
(341) [handled] = handled
(341) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(341) } # Auth-Type eap = handled
(341) Using Post-Auth-Type Challenge
(341) Post-Auth-Type sub-section not found. Ignoring.
(341) # Executing group from file /etc/freeradius/sites-enabled/default
(341) session-state: Saving cached attributes
(341) Framed-MTU = 1014
(341) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(341) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(341) Sent Access-Challenge Id 199 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(341) EAP-Message = ...
(341) Message-Authenticator = 0x00000000000000000000000000000000
(341) State = 0x0141131103450af2159d1101103ebc16
(341) Finished request
Waking up in 4.9 seconds.
(342) Received Access-Request Id 207 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441
(342) User-Name = "xyz@realm.com"
(342) Service-Type = Framed-User
(342) Cisco-AVPair = "service-type=Framed"
(342) Framed-MTU = 1485
(342) EAP-Message = 0x020400061900
(342) Message-Authenticator = 0xa739713798de7cce72a754080e2e64f5
(342) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(342) Cisco-AVPair = "method=dot1x"
(342) Cisco-AVPair = "client-iif-id=2499807523"
(342) Cisco-AVPair = "vlan-id=1876"
(342) NAS-IP-Address = 130.92.42.15
(342) NAS-Port-Type = Wireless-802.11
(342) NAS-Port = 4211
(342) State = 0x0141131103450af2159d1101103ebc16
(342) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(342) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(342) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(342) Calling-Station-Id = "22-e0-73-f2-50-23"
(342) Airespace-Wlan-Id = 98
(342) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(342) WLAN-Group-Cipher = 1027076
(342) WLAN-Pairwise-Cipher = 1027076
(342) WLAN-AKM-Suite = 1027075
(342) Restoring &session-state
(342) &session-state:Framed-MTU = 1014
(342) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(342) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(342) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(342) authorize {
(342) policy rewrite_called_station_id {
(342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(342) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(342) update request {
(342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(342) --> 60-B9-C0-04-C4-40
(342) &Called-Station-Id := 60-B9-C0-04-C4-40
(342) } # update request = noop
(342) if ("%{8}") {
(342) EXPAND %{8}
(342) --> eduroam
(342) if ("%{8}") -> TRUE
(342) if ("%{8}") {
(342) update request {
(342) EXPAND %{8}
(342) --> eduroam
(342) &Called-Station-SSID := eduroam
(342) EXPAND %{Called-Station-Id}:%{8}
(342) --> 60-B9-C0-04-C4-40:eduroam
(342) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(342) } # update request = noop
(342) } # if ("%{8}") = noop
(342) [updated] = updated
(342) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(342) ... skipping else: Preceding "if" was taken
(342) } # policy rewrite_called_station_id = updated
(342) policy rewrite_calling_station_id {
(342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(342) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(342) update request {
(342) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(342) --> 22-E0-73-F2-50-23
(342) &Calling-Station-Id := 22-E0-73-F2-50-23
(342) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(342) --> 22:E0:73:F2:50:23
(342) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(342) } # update request = noop
(342) [updated] = updated
(342) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(342) ... skipping else: Preceding "if" was taken
(342) } # policy rewrite_calling_station_id = updated
(342) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(342) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(342) if (Service-Type == Call-Check) {
(342) if (Service-Type == Call-Check) -> FALSE
(342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(342) EXPAND Packet-Src-IP-Address
(342) --> 130.92.42.15
(342) EXPAND Packet-Src-IP-Address
(342) --> 130.92.42.15
(342) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(342) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(342) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(342) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(342) if (EAP-Message) {
(342) if (EAP-Message) -> TRUE
(342) if (EAP-Message) {
(342) policy filter_username {
(342) if (&User-Name) {
(342) if (&User-Name) -> TRUE
(342) if (&User-Name) {
(342) if (&User-Name =~ / /) {
(342) if (&User-Name =~ / /) -> FALSE
(342) if (&User-Name =~ /@[^@]*@/ ) {
(342) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(342) if (&User-Name =~ /\.\./ ) {
(342) if (&User-Name =~ /\.\./ ) -> FALSE
(342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(342) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(342) if (&User-Name =~ /\.$/) {
(342) if (&User-Name =~ /\.$/) -> FALSE
(342) if (&User-Name =~ /@\./) {
(342) if (&User-Name =~ /@\./) -> FALSE
(342) } # if (&User-Name) = updated
(342) } # policy filter_username = updated
(342) suffix: Checking for suffix after "@"
(342) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(342) suffix: Found realm "REALM.COM"
(342) suffix: Adding Realm = "REALM.COM"
(342) suffix: Authentication realm is LOCAL
(342) [suffix] = ok
(342) policy deny_no_realm {
(342) if (User-Name && (User-Name !~ /@/)) {
(342) if (User-Name && (User-Name !~ /@/)) -> FALSE
(342) } # policy deny_no_realm = updated
(342) update request {
(342) EXPAND %{toupper:%{Realm}}
(342) --> REALM.COM
(342) Realm := REALM.COM
(342) } # update request = noop
(342) eap: Peer sent EAP Response (code 2) ID 4 length 6
(342) eap: Continuing tunnel setup
(342) [eap] = ok
(342) } # if (EAP-Message) = ok
(342) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(342) } # authorize = updated
(342) Found Auth-Type = eap
(342) # Executing group from file /etc/freeradius/sites-enabled/default
(342) Auth-Type eap {
(342) eap: Removing EAP session with state 0x0141131103450af2
(342) eap: Previous EAP request found for state 0x0141131103450af2, released from the list
(342) eap: Peer sent packet with method EAP PEAP (25)
(342) eap: Calling submodule eap_peap to process data
(342) eap_peap: (TLS) Peer ACKed our handshake fragment
(342) eap: Sending EAP Request (code 1) ID 5 length 1020
(342) eap: EAP session adding &reply:State = 0x0141131102440af2
(342) [eap] = handled
(342) if (handled && (Response-Packet-Type == Access-Challenge)) {
(342) EXPAND Response-Packet-Type
(342) --> Access-Challenge
(342) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(342) if (handled && (Response-Packet-Type == Access-Challenge)) {
(342) attr_filter.access_challenge: EXPAND %{User-Name}
(342) attr_filter.access_challenge: --> xyz@realm.com
(342) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(342) [attr_filter.access_challenge.post-auth] = updated
(342) [handled] = handled
(342) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(342) } # Auth-Type eap = handled
(342) Using Post-Auth-Type Challenge
(342) Post-Auth-Type sub-section not found. Ignoring.
(342) # Executing group from file /etc/freeradius/sites-enabled/default
(342) session-state: Saving cached attributes
(342) Framed-MTU = 1014
(342) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(342) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(342) Sent Access-Challenge Id 207 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(342) EAP-Message = ...
(342) Message-Authenticator = 0x00000000000000000000000000000000
(342) State = 0x0141131102440af2159d1101103ebc16
(342) Finished request
Waking up in 4.9 seconds.
(343) Received Access-Request Id 215 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441
(343) User-Name = "xyz@realm.com"
(343) Service-Type = Framed-User
(343) Cisco-AVPair = "service-type=Framed"
(343) Framed-MTU = 1485
(343) EAP-Message = 0x020500061900
(343) Message-Authenticator = 0x020e5248e9fa82c011bcabd01a028762
(343) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(343) Cisco-AVPair = "method=dot1x"
(343) Cisco-AVPair = "client-iif-id=2499807523"
(343) Cisco-AVPair = "vlan-id=1876"
(343) NAS-IP-Address = 130.92.42.15
(343) NAS-Port-Type = Wireless-802.11
(343) NAS-Port = 4211
(343) State = 0x0141131102440af2159d1101103ebc16
(343) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(343) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(343) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(343) Calling-Station-Id = "22-e0-73-f2-50-23"
(343) Airespace-Wlan-Id = 98
(343) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(343) WLAN-Group-Cipher = 1027076
(343) WLAN-Pairwise-Cipher = 1027076
(343) WLAN-AKM-Suite = 1027075
(343) Restoring &session-state
(343) &session-state:Framed-MTU = 1014
(343) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(343) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(343) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(343) authorize {
(343) policy rewrite_called_station_id {
(343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(343) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(343) update request {
(343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(343) --> 60-B9-C0-04-C4-40
(343) &Called-Station-Id := 60-B9-C0-04-C4-40
(343) } # update request = noop
(343) if ("%{8}") {
(343) EXPAND %{8}
(343) --> eduroam
(343) if ("%{8}") -> TRUE
(343) if ("%{8}") {
(343) update request {
(343) EXPAND %{8}
(343) --> eduroam
(343) &Called-Station-SSID := eduroam
(343) EXPAND %{Called-Station-Id}:%{8}
(343) --> 60-B9-C0-04-C4-40:eduroam
(343) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(343) } # update request = noop
(343) } # if ("%{8}") = noop
(343) [updated] = updated
(343) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(343) ... skipping else: Preceding "if" was taken
(343) } # policy rewrite_called_station_id = updated
(343) policy rewrite_calling_station_id {
(343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(343) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(343) update request {
(343) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(343) --> 22-E0-73-F2-50-23
(343) &Calling-Station-Id := 22-E0-73-F2-50-23
(343) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(343) --> 22:E0:73:F2:50:23
(343) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(343) } # update request = noop
(343) [updated] = updated
(343) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(343) ... skipping else: Preceding "if" was taken
(343) } # policy rewrite_calling_station_id = updated
(343) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(343) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(343) if (Service-Type == Call-Check) {
(343) if (Service-Type == Call-Check) -> FALSE
(343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(343) EXPAND Packet-Src-IP-Address
(343) --> 130.92.42.15
(343) EXPAND Packet-Src-IP-Address
(343) --> 130.92.42.15
(343) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(343) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(343) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(343) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(343) if (EAP-Message) {
(343) if (EAP-Message) -> TRUE
(343) if (EAP-Message) {
(343) policy filter_username {
(343) if (&User-Name) {
(343) if (&User-Name) -> TRUE
(343) if (&User-Name) {
(343) if (&User-Name =~ / /) {
(343) if (&User-Name =~ / /) -> FALSE
(343) if (&User-Name =~ /@[^@]*@/ ) {
(343) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(343) if (&User-Name =~ /\.\./ ) {
(343) if (&User-Name =~ /\.\./ ) -> FALSE
(343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(343) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(343) if (&User-Name =~ /\.$/) {
(343) if (&User-Name =~ /\.$/) -> FALSE
(343) if (&User-Name =~ /@\./) {
(343) if (&User-Name =~ /@\./) -> FALSE
(343) } # if (&User-Name) = updated
(343) } # policy filter_username = updated
(343) suffix: Checking for suffix after "@"
(343) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(343) suffix: Found realm "REALM.COM"
(343) suffix: Adding Realm = "REALM.COM"
(343) suffix: Authentication realm is LOCAL
(343) [suffix] = ok
(343) policy deny_no_realm {
(343) if (User-Name && (User-Name !~ /@/)) {
(343) if (User-Name && (User-Name !~ /@/)) -> FALSE
(343) } # policy deny_no_realm = updated
(343) update request {
(343) EXPAND %{toupper:%{Realm}}
(343) --> REALM.COM
(343) Realm := REALM.COM
(343) } # update request = noop
(343) eap: Peer sent EAP Response (code 2) ID 5 length 6
(343) eap: Continuing tunnel setup
(343) [eap] = ok
(343) } # if (EAP-Message) = ok
(343) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(343) } # authorize = updated
(343) Found Auth-Type = eap
(343) # Executing group from file /etc/freeradius/sites-enabled/default
(343) Auth-Type eap {
(343) eap: Removing EAP session with state 0x0141131102440af2
(343) eap: Previous EAP request found for state 0x0141131102440af2, released from the list
(343) eap: Peer sent packet with method EAP PEAP (25)
(343) eap: Calling submodule eap_peap to process data
(343) eap_peap: (TLS) Peer ACKed our handshake fragment
(343) eap: Sending EAP Request (code 1) ID 6 length 1020
(343) eap: EAP session adding &reply:State = 0x0141131105470af2
(343) [eap] = handled
(343) if (handled && (Response-Packet-Type == Access-Challenge)) {
(343) EXPAND Response-Packet-Type
(343) --> Access-Challenge
(343) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(343) if (handled && (Response-Packet-Type == Access-Challenge)) {
(343) attr_filter.access_challenge: EXPAND %{User-Name}
(343) attr_filter.access_challenge: --> xyz@realm.com
(343) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(343) [attr_filter.access_challenge.post-auth] = updated
(343) [handled] = handled
(343) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(343) } # Auth-Type eap = handled
(343) Using Post-Auth-Type Challenge
(343) Post-Auth-Type sub-section not found. Ignoring.
(343) # Executing group from file /etc/freeradius/sites-enabled/default
(343) session-state: Saving cached attributes
(343) Framed-MTU = 1014
(343) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(343) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(343) Sent Access-Challenge Id 215 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(343) EAP-Message = ...
(343) Message-Authenticator = 0x00000000000000000000000000000000
(343) State = 0x0141131105470af2159d1101103ebc16
(343) Finished request
Waking up in 4.9 seconds.
(344) Received Access-Request Id 223 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441
(344) User-Name = "xyz@realm.com"
(344) Service-Type = Framed-User
(344) Cisco-AVPair = "service-type=Framed"
(344) Framed-MTU = 1485
(344) EAP-Message = 0x020600061900
(344) Message-Authenticator = 0x394892b01209a11839df9ea01ffeffc0
(344) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(344) Cisco-AVPair = "method=dot1x"
(344) Cisco-AVPair = "client-iif-id=2499807523"
(344) Cisco-AVPair = "vlan-id=1876"
(344) NAS-IP-Address = 130.92.42.15
(344) NAS-Port-Type = Wireless-802.11
(344) NAS-Port = 4211
(344) State = 0x0141131105470af2159d1101103ebc16
(344) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(344) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(344) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(344) Calling-Station-Id = "22-e0-73-f2-50-23"
(344) Airespace-Wlan-Id = 98
(344) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(344) WLAN-Group-Cipher = 1027076
(344) WLAN-Pairwise-Cipher = 1027076
(344) WLAN-AKM-Suite = 1027075
(344) Restoring &session-state
(344) &session-state:Framed-MTU = 1014
(344) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(344) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(344) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(344) authorize {
(344) policy rewrite_called_station_id {
(344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(344) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(344) update request {
(344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(344) --> 60-B9-C0-04-C4-40
(344) &Called-Station-Id := 60-B9-C0-04-C4-40
(344) } # update request = noop
(344) if ("%{8}") {
(344) EXPAND %{8}
(344) --> eduroam
(344) if ("%{8}") -> TRUE
(344) if ("%{8}") {
(344) update request {
(344) EXPAND %{8}
(344) --> eduroam
(344) &Called-Station-SSID := eduroam
(344) EXPAND %{Called-Station-Id}:%{8}
(344) --> 60-B9-C0-04-C4-40:eduroam
(344) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(344) } # update request = noop
(344) } # if ("%{8}") = noop
(344) [updated] = updated
(344) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(344) ... skipping else: Preceding "if" was taken
(344) } # policy rewrite_called_station_id = updated
(344) policy rewrite_calling_station_id {
(344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(344) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(344) update request {
(344) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(344) --> 22-E0-73-F2-50-23
(344) &Calling-Station-Id := 22-E0-73-F2-50-23
(344) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(344) --> 22:E0:73:F2:50:23
(344) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(344) } # update request = noop
(344) [updated] = updated
(344) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(344) ... skipping else: Preceding "if" was taken
(344) } # policy rewrite_calling_station_id = updated
(344) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(344) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(344) if (Service-Type == Call-Check) {
(344) if (Service-Type == Call-Check) -> FALSE
(344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(344) EXPAND Packet-Src-IP-Address
(344) --> 130.92.42.15
(344) EXPAND Packet-Src-IP-Address
(344) --> 130.92.42.15
(344) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(344) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(344) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(344) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(344) if (EAP-Message) {
(344) if (EAP-Message) -> TRUE
(344) if (EAP-Message) {
(344) policy filter_username {
(344) if (&User-Name) {
(344) if (&User-Name) -> TRUE
(344) if (&User-Name) {
(344) if (&User-Name =~ / /) {
(344) if (&User-Name =~ / /) -> FALSE
(344) if (&User-Name =~ /@[^@]*@/ ) {
(344) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(344) if (&User-Name =~ /\.\./ ) {
(344) if (&User-Name =~ /\.\./ ) -> FALSE
(344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(344) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(344) if (&User-Name =~ /\.$/) {
(344) if (&User-Name =~ /\.$/) -> FALSE
(344) if (&User-Name =~ /@\./) {
(344) if (&User-Name =~ /@\./) -> FALSE
(344) } # if (&User-Name) = updated
(344) } # policy filter_username = updated
(344) suffix: Checking for suffix after "@"
(344) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(344) suffix: Found realm "REALM.COM"
(344) suffix: Adding Realm = "REALM.COM"
(344) suffix: Authentication realm is LOCAL
(344) [suffix] = ok
(344) policy deny_no_realm {
(344) if (User-Name && (User-Name !~ /@/)) {
(344) if (User-Name && (User-Name !~ /@/)) -> FALSE
(344) } # policy deny_no_realm = updated
(344) update request {
(344) EXPAND %{toupper:%{Realm}}
(344) --> REALM.COM
(344) Realm := REALM.COM
(344) } # update request = noop
(344) eap: Peer sent EAP Response (code 2) ID 6 length 6
(344) eap: Continuing tunnel setup
(344) [eap] = ok
(344) } # if (EAP-Message) = ok
(344) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(344) } # authorize = updated
(344) Found Auth-Type = eap
(344) # Executing group from file /etc/freeradius/sites-enabled/default
(344) Auth-Type eap {
(344) eap: Removing EAP session with state 0x0141131105470af2
(344) eap: Previous EAP request found for state 0x0141131105470af2, released from the list
(344) eap: Peer sent packet with method EAP PEAP (25)
(344) eap: Calling submodule eap_peap to process data
(344) eap_peap: (TLS) Peer ACKed our handshake fragment
(344) eap: Sending EAP Request (code 1) ID 7 length 355
(344) eap: EAP session adding &reply:State = 0x0141131104460af2
(344) [eap] = handled
(344) if (handled && (Response-Packet-Type == Access-Challenge)) {
(344) EXPAND Response-Packet-Type
(344) --> Access-Challenge
(344) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(344) if (handled && (Response-Packet-Type == Access-Challenge)) {
(344) attr_filter.access_challenge: EXPAND %{User-Name}
(344) attr_filter.access_challenge: --> xyz@realm.com
(344) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(344) [attr_filter.access_challenge.post-auth] = updated
(344) [handled] = handled
(344) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(344) } # Auth-Type eap = handled
(344) Using Post-Auth-Type Challenge
(344) Post-Auth-Type sub-section not found. Ignoring.
(344) # Executing group from file /etc/freeradius/sites-enabled/default
(344) session-state: Saving cached attributes
(344) Framed-MTU = 1014
(344) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(344) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(344) Sent Access-Challenge Id 223 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415
(344) EAP-Message = ...
(344) Message-Authenticator = 0x00000000000000000000000000000000
(344) State = 0x0141131104460af2159d1101103ebc16
(344) Finished request
Waking up in 4.9 seconds.
(345) Received Access-Request Id 231 from 130.92.42.15:60533 to 130.92.10.33:1812 length 571
(345) User-Name = "xyz@realm.com"
(345) Service-Type = Framed-User
(345) Cisco-AVPair = "service-type=Framed"
(345) Framed-MTU = 1485
(345) EAP-Message = 0x0207008819800000007e1603030046100000424104b76edd3264c4b2f971dabd1fb7c02951f64b4ce9fbae8a473198e5810e39a81e2c73c6755d1f1b31ee93a7df1d1b521c9aab988df46c0d334544c1703cffa02514030300010116030300289fbd8407fe6333ba5788a04d42ae35912e9ff891a0be9b8ab3744847434c371ca199fdb89ae2abbb
(345) Message-Authenticator = 0xecc16c9bab6fe8444f01d6d5b0dfc951
(345) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(345) Cisco-AVPair = "method=dot1x"
(345) Cisco-AVPair = "client-iif-id=2499807523"
(345) Cisco-AVPair = "vlan-id=1876"
(345) NAS-IP-Address = 130.92.42.15
(345) NAS-Port-Type = Wireless-802.11
(345) NAS-Port = 4211
(345) State = 0x0141131104460af2159d1101103ebc16
(345) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(345) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(345) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(345) Calling-Station-Id = "22-e0-73-f2-50-23"
(345) Airespace-Wlan-Id = 98
(345) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(345) WLAN-Group-Cipher = 1027076
(345) WLAN-Pairwise-Cipher = 1027076
(345) WLAN-AKM-Suite = 1027075
(345) Restoring &session-state
(345) &session-state:Framed-MTU = 1014
(345) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(345) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(345) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(345) authorize {
(345) policy rewrite_called_station_id {
(345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(345) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(345) update request {
(345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(345) --> 60-B9-C0-04-C4-40
(345) &Called-Station-Id := 60-B9-C0-04-C4-40
(345) } # update request = noop
(345) if ("%{8}") {
(345) EXPAND %{8}
(345) --> eduroam
(345) if ("%{8}") -> TRUE
(345) if ("%{8}") {
(345) update request {
(345) EXPAND %{8}
(345) --> eduroam
(345) &Called-Station-SSID := eduroam
(345) EXPAND %{Called-Station-Id}:%{8}
(345) --> 60-B9-C0-04-C4-40:eduroam
(345) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(345) } # update request = noop
(345) } # if ("%{8}") = noop
(345) [updated] = updated
(345) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(345) ... skipping else: Preceding "if" was taken
(345) } # policy rewrite_called_station_id = updated
(345) policy rewrite_calling_station_id {
(345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(345) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(345) update request {
(345) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(345) --> 22-E0-73-F2-50-23
(345) &Calling-Station-Id := 22-E0-73-F2-50-23
(345) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(345) --> 22:E0:73:F2:50:23
(345) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(345) } # update request = noop
(345) [updated] = updated
(345) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(345) ... skipping else: Preceding "if" was taken
(345) } # policy rewrite_calling_station_id = updated
(345) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(345) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(345) if (Service-Type == Call-Check) {
(345) if (Service-Type == Call-Check) -> FALSE
(345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(345) EXPAND Packet-Src-IP-Address
(345) --> 130.92.42.15
(345) EXPAND Packet-Src-IP-Address
(345) --> 130.92.42.15
(345) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(345) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(345) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(345) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(345) if (EAP-Message) {
(345) if (EAP-Message) -> TRUE
(345) if (EAP-Message) {
(345) policy filter_username {
(345) if (&User-Name) {
(345) if (&User-Name) -> TRUE
(345) if (&User-Name) {
(345) if (&User-Name =~ / /) {
(345) if (&User-Name =~ / /) -> FALSE
(345) if (&User-Name =~ /@[^@]*@/ ) {
(345) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(345) if (&User-Name =~ /\.\./ ) {
(345) if (&User-Name =~ /\.\./ ) -> FALSE
(345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(345) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(345) if (&User-Name =~ /\.$/) {
(345) if (&User-Name =~ /\.$/) -> FALSE
(345) if (&User-Name =~ /@\./) {
(345) if (&User-Name =~ /@\./) -> FALSE
(345) } # if (&User-Name) = updated
(345) } # policy filter_username = updated
(345) suffix: Checking for suffix after "@"
(345) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(345) suffix: Found realm "REALM.COM"
(345) suffix: Adding Realm = "REALM.COM"
(345) suffix: Authentication realm is LOCAL
(345) [suffix] = ok
(345) policy deny_no_realm {
(345) if (User-Name && (User-Name !~ /@/)) {
(345) if (User-Name && (User-Name !~ /@/)) -> FALSE
(345) } # policy deny_no_realm = updated
(345) update request {
(345) EXPAND %{toupper:%{Realm}}
(345) --> REALM.COM
(345) Realm := REALM.COM
(345) } # update request = noop
(345) eap: Peer sent EAP Response (code 2) ID 7 length 136
(345) eap: Continuing tunnel setup
(345) [eap] = ok
(345) } # if (EAP-Message) = ok
(345) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(345) } # authorize = updated
(345) Found Auth-Type = eap
(345) # Executing group from file /etc/freeradius/sites-enabled/default
(345) Auth-Type eap {
(345) eap: Removing EAP session with state 0x0141131104460af2
(345) eap: Previous EAP request found for state 0x0141131104460af2, released from the list
(345) eap: Peer sent packet with method EAP PEAP (25)
(345) eap: Calling submodule eap_peap to process data
(345) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(345) eap_peap: (TLS) EAP Got all data (126 bytes)
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(345) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(345) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(345) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(345) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(345) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(345) eap_peap: (TLS) PEAP - Connection Established
(345) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(345) eap_peap: TLS-Session-Version = "TLS 1.2"
(345) eap: Sending EAP Request (code 1) ID 8 length 57
(345) eap: EAP session adding &reply:State = 0x0141131107490af2
(345) [eap] = handled
(345) if (handled && (Response-Packet-Type == Access-Challenge)) {
(345) EXPAND Response-Packet-Type
(345) --> Access-Challenge
(345) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(345) if (handled && (Response-Packet-Type == Access-Challenge)) {
(345) attr_filter.access_challenge: EXPAND %{User-Name}
(345) attr_filter.access_challenge: --> xyz at realm.com
(345) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(345) [attr_filter.access_challenge.post-auth] = updated
(345) [handled] = handled
(345) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(345) } # Auth-Type eap = handled
(345) Using Post-Auth-Type Challenge
(345) Post-Auth-Type sub-section not found. Ignoring.
(345) # Executing group from file /etc/freeradius/sites-enabled/default
(345) session-state: Saving cached attributes
(345) Framed-MTU = 1014
(345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(345) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(345) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(345) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(345) TLS-Session-Version = "TLS 1.2"
(345) Sent Access-Challenge Id 231 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115
(345) EAP-Message = 0x01080039190014030300010116030300288d6a1785e1a19b35bff8fec8a4a31fbf0d467203a7ab9d2d33327214fc49606596ea813ecf081d92
(345) Message-Authenticator = 0x00000000000000000000000000000000
(345) State = 0x0141131107490af2159d1101103ebc16
(345) Finished request
Waking up in 4.9 seconds.
(346) Received Access-Request Id 239 from 130.92.42.15:60533 to 130.92.10.33:1812 length 441
(346) User-Name = "xyz at realm.com"
(346) Service-Type = Framed-User
(346) Cisco-AVPair = "service-type=Framed"
(346) Framed-MTU = 1485
(346) EAP-Message = 0x020800061900
(346) Message-Authenticator = 0x12c8eb6838048f2a905991bcda9d9973
(346) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(346) Cisco-AVPair = "method=dot1x"
(346) Cisco-AVPair = "client-iif-id=2499807523"
(346) Cisco-AVPair = "vlan-id=1876"
(346) NAS-IP-Address = 130.92.42.15
(346) NAS-Port-Type = Wireless-802.11
(346) NAS-Port = 4211
(346) State = 0x0141131107490af2159d1101103ebc16
(346) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(346) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(346) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(346) Calling-Station-Id = "22-e0-73-f2-50-23"
(346) Airespace-Wlan-Id = 98
(346) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(346) WLAN-Group-Cipher = 1027076
(346) WLAN-Pairwise-Cipher = 1027076
(346) WLAN-AKM-Suite = 1027075
(346) Restoring &session-state
(346) &session-state:Framed-MTU = 1014
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(346) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(346) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(346) &session-state:TLS-Session-Version = "TLS 1.2"
(346) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(346) authorize {
(346) policy rewrite_called_station_id {
(346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(346) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(346) update request {
(346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(346) --> 60-B9-C0-04-C4-40
(346) &Called-Station-Id := 60-B9-C0-04-C4-40
(346) } # update request = noop
(346) if ("%{8}") {
(346) EXPAND %{8}
(346) --> eduroam
(346) if ("%{8}") -> TRUE
(346) if ("%{8}") {
(346) update request {
(346) EXPAND %{8}
(346) --> eduroam
(346) &Called-Station-SSID := eduroam
(346) EXPAND %{Called-Station-Id}:%{8}
(346) --> 60-B9-C0-04-C4-40:eduroam
(346) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(346) } # update request = noop
(346) } # if ("%{8}") = noop
(346) [updated] = updated
(346) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(346) ... skipping else: Preceding "if" was taken
(346) } # policy rewrite_called_station_id = updated
(346) policy rewrite_calling_station_id {
(346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(346) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(346) update request {
(346) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(346) --> 22-E0-73-F2-50-23
(346) &Calling-Station-Id := 22-E0-73-F2-50-23
(346) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(346) --> 22:E0:73:F2:50:23
(346) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(346) } # update request = noop
(346) [updated] = updated
(346) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(346) ... skipping else: Preceding "if" was taken
(346) } # policy rewrite_calling_station_id = updated
(346) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(346) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(346) if (Service-Type == Call-Check) {
(346) if (Service-Type == Call-Check) -> FALSE
(346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(346) EXPAND Packet-Src-IP-Address
(346) --> 130.92.42.15
(346) EXPAND Packet-Src-IP-Address
(346) --> 130.92.42.15
(346) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(346) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(346) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(346) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(346) if (EAP-Message) {
(346) if (EAP-Message) -> TRUE
(346) if (EAP-Message) {
(346) policy filter_username {
(346) if (&User-Name) {
(346) if (&User-Name) -> TRUE
(346) if (&User-Name) {
(346) if (&User-Name =~ / /) {
(346) if (&User-Name =~ / /) -> FALSE
(346) if (&User-Name =~ /@[^@]*@/ ) {
(346) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(346) if (&User-Name =~ /\.\./ ) {
(346) if (&User-Name =~ /\.\./ ) -> FALSE
(346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(346) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(346) if (&User-Name =~ /\.$/) {
(346) if (&User-Name =~ /\.$/) -> FALSE
(346) if (&User-Name =~ /@\./) {
(346) if (&User-Name =~ /@\./) -> FALSE
(346) } # if (&User-Name) = updated
(346) } # policy filter_username = updated
(346) suffix: Checking for suffix after "@"
(346) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(346) suffix: Found realm "REALM.COM"
(346) suffix: Adding Realm = "REALM.COM"
(346) suffix: Authentication realm is LOCAL
(346) [suffix] = ok
(346) policy deny_no_realm {
(346) if (User-Name && (User-Name !~ /@/)) {
(346) if (User-Name && (User-Name !~ /@/)) -> FALSE
(346) } # policy deny_no_realm = updated
(346) update request {
(346) EXPAND %{toupper:%{Realm}}
(346) --> REALM.COM
(346) Realm := REALM.COM
(346) } # update request = noop
(346) eap: Peer sent EAP Response (code 2) ID 8 length 6
(346) eap: Continuing tunnel setup
(346) [eap] = ok
(346) } # if (EAP-Message) = ok
(346) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(346) } # authorize = updated
(346) Found Auth-Type = eap
(346) # Executing group from file /etc/freeradius/sites-enabled/default
(346) Auth-Type eap {
(346) eap: Removing EAP session with state 0x0141131107490af2
(346) eap: Previous EAP request found for state 0x0141131107490af2, released from the list
(346) eap: Peer sent packet with method EAP PEAP (25)
(346) eap: Calling submodule eap_peap to process data
(346) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(346) eap_peap: Session established. Decoding tunneled attributes
(346) eap_peap: PEAP state TUNNEL ESTABLISHED
(346) eap: Sending EAP Request (code 1) ID 9 length 40
(346) eap: EAP session adding &reply:State = 0x0141131106480af2
(346) [eap] = handled
(346) if (handled && (Response-Packet-Type == Access-Challenge)) {
(346) EXPAND Response-Packet-Type
(346) --> Access-Challenge
(346) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(346) if (handled && (Response-Packet-Type == Access-Challenge)) {
(346) attr_filter.access_challenge: EXPAND %{User-Name}
(346) attr_filter.access_challenge: --> xyz at realm.com
(346) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(346) [attr_filter.access_challenge.post-auth] = updated
(346) [handled] = handled
(346) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(346) } # Auth-Type eap = handled
(346) Using Post-Auth-Type Challenge
(346) Post-Auth-Type sub-section not found. Ignoring.
(346) # Executing group from file /etc/freeradius/sites-enabled/default
(346) session-state: Saving cached attributes
(346) Framed-MTU = 1014
(346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(346) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(346) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(346) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(346) TLS-Session-Version = "TLS 1.2"
(346) Sent Access-Challenge Id 239 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98
(346) EAP-Message = 0x010900281900170303001d8d6a1785e1a19b362ccd5b26197e5b168640ab6ed2e41351d039e42e6d
(346) Message-Authenticator = 0x00000000000000000000000000000000
(346) State = 0x0141131106480af2159d1101103ebc16
(346) Finished request
Waking up in 4.9 seconds.
(347) Received Access-Request Id 247 from 130.92.42.15:60533 to 130.92.10.33:1812 length 495
(347) User-Name = "xyz at realm.com"
(347) Service-Type = Framed-User
(347) Cisco-AVPair = "service-type=Framed"
(347) Framed-MTU = 1485
(347) EAP-Message = 0x0209003c190017030300319fbd8407fe6333bb244303616d5739594b13084b45f58810139d95bebfe0725dc0e87e9ce011682f4a68abecc457950423
(347) Message-Authenticator = 0xf21f9a5269c36daa7990d70408a1880d
(347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(347) Cisco-AVPair = "method=dot1x"
(347) Cisco-AVPair = "client-iif-id=2499807523"
(347) Cisco-AVPair = "vlan-id=1876"
(347) NAS-IP-Address = 130.92.42.15
(347) NAS-Port-Type = Wireless-802.11
(347) NAS-Port = 4211
(347) State = 0x0141131106480af2159d1101103ebc16
(347) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(347) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(347) Calling-Station-Id = "22-e0-73-f2-50-23"
(347) Airespace-Wlan-Id = 98
(347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(347) WLAN-Group-Cipher = 1027076
(347) WLAN-Pairwise-Cipher = 1027076
(347) WLAN-AKM-Suite = 1027075
(347) Restoring &session-state
(347) &session-state:Framed-MTU = 1014
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(347) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(347) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(347) &session-state:TLS-Session-Version = "TLS 1.2"
(347) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(347) authorize {
(347) policy rewrite_called_station_id {
(347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(347) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(347) update request {
(347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(347) --> 60-B9-C0-04-C4-40
(347) &Called-Station-Id := 60-B9-C0-04-C4-40
(347) } # update request = noop
(347) if ("%{8}") {
(347) EXPAND %{8}
(347) --> eduroam
(347) if ("%{8}") -> TRUE
(347) if ("%{8}") {
(347) update request {
(347) EXPAND %{8}
(347) --> eduroam
(347) &Called-Station-SSID := eduroam
(347) EXPAND %{Called-Station-Id}:%{8}
(347) --> 60-B9-C0-04-C4-40:eduroam
(347) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(347) } # update request = noop
(347) } # if ("%{8}") = noop
(347) [updated] = updated
(347) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(347) ... skipping else: Preceding "if" was taken
(347) } # policy rewrite_called_station_id = updated
(347) policy rewrite_calling_station_id {
(347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(347) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(347) update request {
(347) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(347) --> 22-E0-73-F2-50-23
(347) &Calling-Station-Id := 22-E0-73-F2-50-23
(347) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(347) --> 22:E0:73:F2:50:23
(347) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(347) } # update request = noop
(347) [updated] = updated
(347) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(347) ... skipping else: Preceding "if" was taken
(347) } # policy rewrite_calling_station_id = updated
(347) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(347) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(347) if (Service-Type == Call-Check) {
(347) if (Service-Type == Call-Check) -> FALSE
(347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(347) EXPAND Packet-Src-IP-Address
(347) --> 130.92.42.15
(347) EXPAND Packet-Src-IP-Address
(347) --> 130.92.42.15
(347) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(347) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(347) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(347) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(347) if (EAP-Message) {
(347) if (EAP-Message) -> TRUE
(347) if (EAP-Message) {
(347) policy filter_username {
(347) if (&User-Name) {
(347) if (&User-Name) -> TRUE
(347) if (&User-Name) {
(347) if (&User-Name =~ / /) {
(347) if (&User-Name =~ / /) -> FALSE
(347) if (&User-Name =~ /@[^@]*@/ ) {
(347) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(347) if (&User-Name =~ /\.\./ ) {
(347) if (&User-Name =~ /\.\./ ) -> FALSE
(347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(347) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(347) if (&User-Name =~ /\.$/) {
(347) if (&User-Name =~ /\.$/) -> FALSE
(347) if (&User-Name =~ /@\./) {
(347) if (&User-Name =~ /@\./) -> FALSE
(347) } # if (&User-Name) = updated
(347) } # policy filter_username = updated
(347) suffix: Checking for suffix after "@"
(347) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(347) suffix: Found realm "REALM.COM"
(347) suffix: Adding Realm = "REALM.COM"
(347) suffix: Authentication realm is LOCAL
(347) [suffix] = ok
(347) policy deny_no_realm {
(347) if (User-Name && (User-Name !~ /@/)) {
(347) if (User-Name && (User-Name !~ /@/)) -> FALSE
(347) } # policy deny_no_realm = updated
(347) update request {
(347) EXPAND %{toupper:%{Realm}}
(347) --> REALM.COM
(347) Realm := REALM.COM
(347) } # update request = noop
(347) eap: Peer sent EAP Response (code 2) ID 9 length 60
(347) eap: Continuing tunnel setup
(347) [eap] = ok
(347) } # if (EAP-Message) = ok
(347) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(347) } # authorize = updated
(347) Found Auth-Type = eap
(347) # Executing group from file /etc/freeradius/sites-enabled/default
(347) Auth-Type eap {
(347) eap: Removing EAP session with state 0x0141131106480af2
(347) eap: Previous EAP request found for state 0x0141131106480af2, released from the list
(347) eap: Peer sent packet with method EAP PEAP (25)
(347) eap: Calling submodule eap_peap to process data
(347) eap_peap: (TLS) EAP Done initial handshake
(347) eap_peap: Session established. Decoding tunneled attributes
(347) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(347) eap_peap: Identity - xyz at realm.com
(347) eap_peap: Got inner identity 'xyz at realm.com'
(347) eap_peap: Setting default EAP type for tunneled EAP session
(347) eap_peap: Got tunneled request
(347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(347) eap_peap: Setting User-Name to xyz at realm.com
(347) eap_peap: Sending tunneled request to proxy-inner-tunnel
(347) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(347) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(347) eap_peap: User-Name = "xyz at realm.com"
(347) eap_peap: Service-Type = Framed-User
(347) eap_peap: Cisco-AVPair = "service-type=Framed"
(347) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(347) eap_peap: Cisco-AVPair = "method=dot1x"
(347) eap_peap: Cisco-AVPair = "client-iif-id=2499807523"
(347) eap_peap: Cisco-AVPair = "vlan-id=1876"
(347) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(347) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(347) eap_peap: Framed-MTU = 1485
(347) eap_peap: NAS-IP-Address = 130.92.42.15
(347) eap_peap: NAS-Port-Type = Wireless-802.11
(347) eap_peap: NAS-Port = 4211
(347) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(347) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(347) eap_peap: Airespace-Wlan-Id = 98
(347) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(347) eap_peap: WLAN-Group-Cipher = 1027076
(347) eap_peap: WLAN-Pairwise-Cipher = 1027076
(347) eap_peap: WLAN-AKM-Suite = 1027075
(347) Virtual server proxy-inner-tunnel received request
(347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(347) FreeRADIUS-Proxied-To = 127.0.0.1
(347) User-Name = "xyz at realm.com"
(347) Service-Type = Framed-User
(347) Cisco-AVPair = "service-type=Framed"
(347) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(347) Cisco-AVPair = "method=dot1x"
(347) Cisco-AVPair = "client-iif-id=2499807523"
(347) Cisco-AVPair = "vlan-id=1876"
(347) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(347) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(347) Framed-MTU = 1485
(347) NAS-IP-Address = 130.92.42.15
(347) NAS-Port-Type = Wireless-802.11
(347) NAS-Port = 4211
(347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(347) Calling-Station-Id := "22-E0-73-F2-50-23"
(347) Airespace-Wlan-Id = 98
(347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(347) WLAN-Group-Cipher = 1027076
(347) WLAN-Pairwise-Cipher = 1027076
(347) WLAN-AKM-Suite = 1027075
(347) WARNING: Outer and inner identities are the same. User privacy is compromised.
(347) server proxy-inner-tunnel {
(347) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(347) authorize {
(347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(347) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(347) if (!NAS-Port-Type){
(347) if (!NAS-Port-Type) -> FALSE
(347) update control {
(347) &Proxy-To-Realm := REALM-NPS-DEV
(347) } # update control = noop
(347) } # authorize = noop
(347) } # server proxy-inner-tunnel
(347) Virtual server sending reply
(347) eap_peap: Got tunneled reply code 0
(347) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(347) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(347) [eap] = handled
(347) if (handled && (Response-Packet-Type == Access-Challenge)) {
(347) EXPAND Response-Packet-Type
(347) -->
(347) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(347) } # Auth-Type eap = handled
(347) Starting proxy to home server 130.92.14.27 port 1812
(347) server default {
(347) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(347) pre-proxy {
(347) attr_filter.pre-proxy: EXPAND %{Realm}
(347) attr_filter.pre-proxy: --> REALM.COM
(347) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(347) [attr_filter.pre-proxy] = updated
(347) } # pre-proxy = updated
(347) }
(347) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(347) Sent Access-Request Id 91 from 0.0.0.0:37193 to 130.92.14.27:1812 length 196
(347) Operator-Name := "1realm.com"
(347) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(347) User-Name = "xyz at realm.com"
(347) NAS-IP-Address = 130.92.42.15
(347) NAS-Port-Type = Wireless-802.11
(347) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(347) Calling-Station-Id := "22-E0-73-F2-50-23"
(347) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(347) Message-Authenticator = 0x
(347) Proxy-State = 0x323437
Waking up in 0.3 seconds.
(347) Clearing existing &reply: attributes
(347) Received Access-Challenge Id 91 from 130.92.14.27:1812 to 130.92.10.33:37193 length 128
(347) Proxy-State = 0x323437
(347) Session-Timeout = 60
(347) EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632
(347) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(347) Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca
(347) server default {
(347) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(347) post-proxy {
(347) attr_filter.post-proxy: EXPAND %{Realm}
(347) attr_filter.post-proxy: --> REALM.COM
(347) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(347) [attr_filter.post-proxy] = updated
(347) eap: Doing post-proxy callback
(347) eap: Passing reply from proxy back into the tunnel
(347) eap: Got tunneled reply RADIUS code 11
(347) eap: Tunnel-Type := VLAN
(347) eap: Tunnel-Medium-Type := IEEE-802
(347) eap: Proxy-State = 0x323437
(347) eap: EAP-Message = 0x010a00271a010a00221032f04e97ca648dea298bc54b39d784b74141492d4e50532d4544555632
(347) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(347) eap: Message-Authenticator = 0xaa8be9fdea2b630c7400322f91ea39ca
(347) eap: Got tunneled Access-Challenge
(347) eap: Reply was handled
(347) eap: Sending EAP Request (code 1) ID 10 length 70
(347) eap: EAP session adding &reply:State = 0x01411311094b0af2
(347) [eap] = ok
(347) } # post-proxy = updated
(347) }
(347) session-state: Saving cached attributes
(347) Framed-MTU = 1014
(347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(347) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(347) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(347) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(347) TLS-Session-Version = "TLS 1.2"
(347) Using Post-Auth-Type Challenge
(347) Post-Auth-Type sub-section not found. Ignoring.
(347) # Executing group from file /etc/freeradius/sites-enabled/default
(347) Sent Access-Challenge Id 247 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128
(347) EAP-Message = 0x010a00461900170303003b8d6a1785e1a19b37d483644693f104a84978c79786ed2017cad5c263338a244716a02d702b4c15fb010aa386a8a1fd7beabedc25d128d0afb3766c
(347) Message-Authenticator = 0x00000000000000000000000000000000
(347) State = 0x01411311094b0af2159d1101103ebc16
(347) Finished request
Waking up in 4.8 seconds.
(348) Received Access-Request Id 255 from 130.92.42.15:60533 to 130.92.10.33:1812 length 549
(348) User-Name = "xyz at realm.com"
(348) Service-Type = Framed-User
(348) Cisco-AVPair = "service-type=Framed"
(348) Framed-MTU = 1485
(348) EAP-Message = 0x020a0072190017030300679fbd8407fe6333bca7d44d76b3ef3a225ccf9afdd164fe3f7aca7a7d0792abb9534fccfd07c307bee27d438c8396764c73587b33e49063fb07b7d02e49397b5732d6f62ab9934ca0d4414429928983334962453caa57e0e30107e514cab265c4f4f195780b48d8
(348) Message-Authenticator = 0x25e0d4d954b8d943b65166834e832a36
(348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(348) Cisco-AVPair = "method=dot1x"
(348) Cisco-AVPair = "client-iif-id=2499807523"
(348) Cisco-AVPair = "vlan-id=1876"
(348) NAS-IP-Address = 130.92.42.15
(348) NAS-Port-Type = Wireless-802.11
(348) NAS-Port = 4211
(348) State = 0x01411311094b0af2159d1101103ebc16
(348) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(348) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(348) Calling-Station-Id = "22-e0-73-f2-50-23"
(348) Airespace-Wlan-Id = 98
(348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(348) WLAN-Group-Cipher = 1027076
(348) WLAN-Pairwise-Cipher = 1027076
(348) WLAN-AKM-Suite = 1027075
(348) session-state: No cached attributes
(348) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(348) authorize {
(348) policy rewrite_called_station_id {
(348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(348) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(348) update request {
(348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(348) --> 60-B9-C0-04-C4-40
(348) &Called-Station-Id := 60-B9-C0-04-C4-40
(348) } # update request = noop
(348) if ("%{8}") {
(348) EXPAND %{8}
(348) --> eduroam
(348) if ("%{8}") -> TRUE
(348) if ("%{8}") {
(348) update request {
(348) EXPAND %{8}
(348) --> eduroam
(348) &Called-Station-SSID := eduroam
(348) EXPAND %{Called-Station-Id}:%{8}
(348) --> 60-B9-C0-04-C4-40:eduroam
(348) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(348) } # update request = noop
(348) } # if ("%{8}") = noop
(348) [updated] = updated
(348) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(348) ... skipping else: Preceding "if" was taken
(348) } # policy rewrite_called_station_id = updated
(348) policy rewrite_calling_station_id {
(348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(348) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(348) update request {
(348) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(348) --> 22-E0-73-F2-50-23
(348) &Calling-Station-Id := 22-E0-73-F2-50-23
(348) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(348) --> 22:E0:73:F2:50:23
(348) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(348) } # update request = noop
(348) [updated] = updated
(348) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(348) ... skipping else: Preceding "if" was taken
(348) } # policy rewrite_calling_station_id = updated
(348) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(348) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(348) if (Service-Type == Call-Check) {
(348) if (Service-Type == Call-Check) -> FALSE
(348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(348) EXPAND Packet-Src-IP-Address
(348) --> 130.92.42.15
(348) EXPAND Packet-Src-IP-Address
(348) --> 130.92.42.15
(348) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(348) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(348) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(348) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(348) if (EAP-Message) {
(348) if (EAP-Message) -> TRUE
(348) if (EAP-Message) {
(348) policy filter_username {
(348) if (&User-Name) {
(348) if (&User-Name) -> TRUE
(348) if (&User-Name) {
(348) if (&User-Name =~ / /) {
(348) if (&User-Name =~ / /) -> FALSE
(348) if (&User-Name =~ /@[^@]*@/ ) {
(348) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(348) if (&User-Name =~ /\.\./ ) {
(348) if (&User-Name =~ /\.\./ ) -> FALSE
(348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(348) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(348) if (&User-Name =~ /\.$/) {
(348) if (&User-Name =~ /\.$/) -> FALSE
(348) if (&User-Name =~ /@\./) {
(348) if (&User-Name =~ /@\./) -> FALSE
(348) } # if (&User-Name) = updated
(348) } # policy filter_username = updated
(348) suffix: Checking for suffix after "@"
(348) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(348) suffix: Found realm "REALM.COM"
(348) suffix: Adding Realm = "REALM.COM"
(348) suffix: Authentication realm is LOCAL
(348) [suffix] = ok
(348) policy deny_no_realm {
(348) if (User-Name && (User-Name !~ /@/)) {
(348) if (User-Name && (User-Name !~ /@/)) -> FALSE
(348) } # policy deny_no_realm = updated
(348) update request {
(348) EXPAND %{toupper:%{Realm}}
(348) --> REALM.COM
(348) Realm := REALM.COM
(348) } # update request = noop
(348) eap: Peer sent EAP Response (code 2) ID 10 length 114
(348) eap: Continuing tunnel setup
(348) [eap] = ok
(348) } # if (EAP-Message) = ok
(348) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(348) } # authorize = updated
(348) Found Auth-Type = eap
(348) # Executing group from file /etc/freeradius/sites-enabled/default
(348) Auth-Type eap {
(348) eap: Removing EAP session with state 0x01411311094b0af2
(348) eap: Previous EAP request found for state 0x01411311094b0af2, released from the list
(348) eap: Peer sent packet with method EAP PEAP (25)
(348) eap: Calling submodule eap_peap to process data
(348) eap_peap: (TLS) EAP Done initial handshake
(348) eap_peap: Session established. Decoding tunneled attributes
(348) eap_peap: PEAP state phase2
(348) eap_peap: EAP method MSCHAPv2 (26)
(348) eap_peap: Got tunneled request
(348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368
(348) eap_peap: Setting User-Name to xyz at realm.com
(348) eap_peap: Sending tunneled request to proxy-inner-tunnel
(348) eap_peap: EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368
(348) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(348) eap_peap: User-Name = "xyz at realm.com"
(348) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(348) eap_peap: Service-Type = Framed-User
(348) eap_peap: Cisco-AVPair = "service-type=Framed"
(348) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(348) eap_peap: Cisco-AVPair = "method=dot1x"
(348) eap_peap: Cisco-AVPair = "client-iif-id=2499807523"
(348) eap_peap: Cisco-AVPair = "vlan-id=1876"
(348) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(348) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(348) eap_peap: Framed-MTU = 1485
(348) eap_peap: NAS-IP-Address = 130.92.42.15
(348) eap_peap: NAS-Port-Type = Wireless-802.11
(348) eap_peap: NAS-Port = 4211
(348) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(348) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(348) eap_peap: Airespace-Wlan-Id = 98
(348) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(348) eap_peap: WLAN-Group-Cipher = 1027076
(348) eap_peap: WLAN-Pairwise-Cipher = 1027076
(348) eap_peap: WLAN-AKM-Suite = 1027075
(348) Virtual server proxy-inner-tunnel received request
(348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368
(348) FreeRADIUS-Proxied-To = 127.0.0.1
(348) User-Name = "xyz at realm.com"
(348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(348) Service-Type = Framed-User
(348) Cisco-AVPair = "service-type=Framed"
(348) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(348) Cisco-AVPair = "method=dot1x"
(348) Cisco-AVPair = "client-iif-id=2499807523"
(348) Cisco-AVPair = "vlan-id=1876"
(348) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(348) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(348) Framed-MTU = 1485
(348) NAS-IP-Address = 130.92.42.15
(348) NAS-Port-Type = Wireless-802.11
(348) NAS-Port = 4211
(348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(348) Calling-Station-Id := "22-E0-73-F2-50-23"
(348) Airespace-Wlan-Id = 98
(348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(348) WLAN-Group-Cipher = 1027076
(348) WLAN-Pairwise-Cipher = 1027076
(348) WLAN-AKM-Suite = 1027075
(348) WARNING: Outer and inner identities are the same. User privacy is compromised.
(348) server proxy-inner-tunnel {
(348) session-state: No cached attributes
(348) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(348) authorize {
(348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(348) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(348) if (!NAS-Port-Type){
(348) if (!NAS-Port-Type) -> FALSE
(348) update control {
(348) &Proxy-To-Realm := REALM-NPS-DEV
(348) } # update control = noop
(348) } # authorize = noop
(348) } # server proxy-inner-tunnel
(348) Virtual server sending reply
(348) eap_peap: Got tunneled reply code 0
(348) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(348) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(348) [eap] = handled
(348) if (handled && (Response-Packet-Type == Access-Challenge)) {
(348) EXPAND Response-Packet-Type
(348) -->
(348) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(348) } # Auth-Type eap = handled
(348) Starting proxy to home server 130.92.14.27 port 1812
(348) server default {
(348) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(348) pre-proxy {
(348) attr_filter.pre-proxy: EXPAND %{Realm}
(348) attr_filter.pre-proxy: --> REALM.COM
(348) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(348) [attr_filter.pre-proxy] = updated
(348) } # pre-proxy = updated
(348) }
(348) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(348) Sent Access-Request Id 92 from 0.0.0.0:37193 to 130.92.14.27:1812 length 288
(348) Operator-Name := "1realm.com"
(348) EAP-Message = 0x020a00531a020a004e310d961707cae581d64e5fbe54214237cb0000000000000000f89f7589746337a97c26dd2f4e42764f3e8e3d829307316600646f6d696e69632e7374616c64657240756e6962652e6368
(348) User-Name = "xyz at realm.com"
(348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(348) NAS-IP-Address = 130.92.42.15
(348) NAS-Port-Type = Wireless-802.11
(348) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(348) Calling-Station-Id := "22-E0-73-F2-50-23"
(348) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(348) Message-Authenticator = 0x
(348) Proxy-State = 0x323535
Waking up in 0.3 seconds.
(348) Clearing existing &reply: attributes
(348) Received Access-Challenge Id 92 from 130.92.14.27:1812 to 130.92.10.33:37193 length 140
(348) Proxy-State = 0x323535
(348) Session-Timeout = 60
(348) EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443
(348) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(348) Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4
(348) server default {
(348) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(348) post-proxy {
(348) attr_filter.post-proxy: EXPAND %{Realm}
(348) attr_filter.post-proxy: --> REALM.COM
(348) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(348) [attr_filter.post-proxy] = updated
(348) eap: Doing post-proxy callback
(348) eap: Passing reply from proxy back into the tunnel
(348) eap: Got tunneled reply RADIUS code 11
(348) eap: Tunnel-Type := VLAN
(348) eap: Tunnel-Medium-Type := IEEE-802
(348) eap: Proxy-State = 0x323535
(348) eap: EAP-Message = 0x010b00331a030a002e533d37383335434645373334433338443739423442384342424437343139463043373744463844463443
(348) eap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(348) eap: Message-Authenticator = 0xf518d1ae53d8771e9e2f854b1cefcea4
(348) eap: Got tunneled Access-Challenge
(348) eap: Reply was handled
(348) eap: Sending EAP Request (code 1) ID 11 length 82
(348) eap: EAP session adding &reply:State = 0x01411311084a0af2
(348) [eap] = ok
(348) } # post-proxy = updated
(348) }
(348) Using Post-Auth-Type Challenge
(348) Post-Auth-Type sub-section not found. Ignoring.
(348) # Executing group from file /etc/freeradius/sites-enabled/default
(348) Sent Access-Challenge Id 255 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140
(348) EAP-Message = 0x010b0052190017030300478d6a1785e1a19b384663d2dc91a1711cef1cb261daa2d4f19a156ca5f8155de69d5c25047974eebe1486ff1d7ad9a76afc7779361d7f5154712c2ec1f6e23de87e74b5a4458758
(348) Message-Authenticator = 0x00000000000000000000000000000000
(348) State = 0x01411311084a0af2159d1101103ebc16
(348) Finished request
Waking up in 4.8 seconds.
(349) Received Access-Request Id 7 from 130.92.42.15:60533 to 130.92.10.33:1812 length 472
(349) User-Name = "xyz at realm.com"
(349) Service-Type = Framed-User
(349) Cisco-AVPair = "service-type=Framed"
(349) Framed-MTU = 1485
(349) EAP-Message = 0x020b00251900170303001a9fbd8407fe6333bdb6025139e3938bde3390d04c688d35ac81f6
(349) Message-Authenticator = 0xc8367c81169c032270223b7b0ea1ee2a
(349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(349) Cisco-AVPair = "method=dot1x"
(349) Cisco-AVPair = "client-iif-id=2499807523"
(349) Cisco-AVPair = "vlan-id=1876"
(349) NAS-IP-Address = 130.92.42.15
(349) NAS-Port-Type = Wireless-802.11
(349) NAS-Port = 4211
(349) State = 0x01411311084a0af2159d1101103ebc16
(349) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(349) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(349) Calling-Station-Id = "22-e0-73-f2-50-23"
(349) Airespace-Wlan-Id = 98
(349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(349) WLAN-Group-Cipher = 1027076
(349) WLAN-Pairwise-Cipher = 1027076
(349) WLAN-AKM-Suite = 1027075
(349) session-state: No cached attributes
(349) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(349) authorize {
(349) policy rewrite_called_station_id {
(349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(349) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(349) update request {
(349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(349) --> 60-B9-C0-04-C4-40
(349) &Called-Station-Id := 60-B9-C0-04-C4-40
(349) } # update request = noop
(349) if ("%{8}") {
(349) EXPAND %{8}
(349) --> eduroam
(349) if ("%{8}") -> TRUE
(349) if ("%{8}") {
(349) update request {
(349) EXPAND %{8}
(349) --> eduroam
(349) &Called-Station-SSID := eduroam
(349) EXPAND %{Called-Station-Id}:%{8}
(349) --> 60-B9-C0-04-C4-40:eduroam
(349) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(349) } # update request = noop
(349) } # if ("%{8}") = noop
(349) [updated] = updated
(349) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(349) ... skipping else: Preceding "if" was taken
(349) } # policy rewrite_called_station_id = updated
(349) policy rewrite_calling_station_id {
(349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(349) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(349) update request {
(349) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(349) --> 22-E0-73-F2-50-23
(349) &Calling-Station-Id := 22-E0-73-F2-50-23
(349) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(349) --> 22:E0:73:F2:50:23
(349) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(349) } # update request = noop
(349) [updated] = updated
(349) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(349) ... skipping else: Preceding "if" was taken
(349) } # policy rewrite_calling_station_id = updated
(349) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(349) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(349) if (Service-Type == Call-Check) {
(349) if (Service-Type == Call-Check) -> FALSE
(349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(349) EXPAND Packet-Src-IP-Address
(349) --> 130.92.42.15
(349) EXPAND Packet-Src-IP-Address
(349) --> 130.92.42.15
(349) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(349) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(349) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(349) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(349) if (EAP-Message) {
(349) if (EAP-Message) -> TRUE
(349) if (EAP-Message) {
(349) policy filter_username {
(349) if (&User-Name) {
(349) if (&User-Name) -> TRUE
(349) if (&User-Name) {
(349) if (&User-Name =~ / /) {
(349) if (&User-Name =~ / /) -> FALSE
(349) if (&User-Name =~ /@[^@]*@/ ) {
(349) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(349) if (&User-Name =~ /\.\./ ) {
(349) if (&User-Name =~ /\.\./ ) -> FALSE
(349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(349) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(349) if (&User-Name =~ /\.$/) {
(349) if (&User-Name =~ /\.$/) -> FALSE
(349) if (&User-Name =~ /@\./) {
(349) if (&User-Name =~ /@\./) -> FALSE
(349) } # if (&User-Name) = updated
(349) } # policy filter_username = updated
(349) suffix: Checking for suffix after "@"
(349) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(349) suffix: Found realm "REALM.COM"
(349) suffix: Adding Realm = "REALM.COM"
(349) suffix: Authentication realm is LOCAL
(349) [suffix] = ok
(349) policy deny_no_realm {
(349) if (User-Name && (User-Name !~ /@/)) {
(349) if (User-Name && (User-Name !~ /@/)) -> FALSE
(349) } # policy deny_no_realm = updated
(349) update request {
(349) EXPAND %{toupper:%{Realm}}
(349) --> REALM.COM
(349) Realm := REALM.COM
(349) } # update request = noop
(349) eap: Peer sent EAP Response (code 2) ID 11 length 37
(349) eap: Continuing tunnel setup
(349) [eap] = ok
(349) } # if (EAP-Message) = ok
(349) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(349) } # authorize = updated
(349) Found Auth-Type = eap
(349) # Executing group from file /etc/freeradius/sites-enabled/default
(349) Auth-Type eap {
(349) eap: Removing EAP session with state 0x01411311084a0af2
(349) eap: Previous EAP request found for state 0x01411311084a0af2, released from the list
(349) eap: Peer sent packet with method EAP PEAP (25)
(349) eap: Calling submodule eap_peap to process data
(349) eap_peap: (TLS) EAP Done initial handshake
(349) eap_peap: Session established. Decoding tunneled attributes
(349) eap_peap: PEAP state phase2
(349) eap_peap: EAP method MSCHAPv2 (26)
(349) eap_peap: Got tunneled request
(349) eap_peap: EAP-Message = 0x020b00061a03
(349) eap_peap: Setting User-Name to xyz at realm.com
(349) eap_peap: Sending tunneled request to proxy-inner-tunnel
(349) eap_peap: EAP-Message = 0x020b00061a03
(349) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(349) eap_peap: User-Name = "xyz at realm.com"
(349) eap_peap: State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(349) eap_peap: Service-Type = Framed-User
(349) eap_peap: Cisco-AVPair = "service-type=Framed"
(349) eap_peap: Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(349) eap_peap: Cisco-AVPair = "method=dot1x"
(349) eap_peap: Cisco-AVPair = "client-iif-id=2499807523"
(349) eap_peap: Cisco-AVPair = "vlan-id=1876"
(349) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(349) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(349) eap_peap: Framed-MTU = 1485
(349) eap_peap: NAS-IP-Address = 130.92.42.15
(349) eap_peap: NAS-Port-Type = Wireless-802.11
(349) eap_peap: NAS-Port = 4211
(349) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(349) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(349) eap_peap: Airespace-Wlan-Id = 98
(349) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(349) eap_peap: WLAN-Group-Cipher = 1027076
(349) eap_peap: WLAN-Pairwise-Cipher = 1027076
(349) eap_peap: WLAN-AKM-Suite = 1027075
(349) Virtual server proxy-inner-tunnel received request
(349) EAP-Message = 0x020b00061a03
(349) FreeRADIUS-Proxied-To = 127.0.0.1
(349) User-Name = "xyz at realm.com"
(349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(349) Service-Type = Framed-User
(349) Cisco-AVPair = "service-type=Framed"
(349) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(349) Cisco-AVPair = "method=dot1x"
(349) Cisco-AVPair = "client-iif-id=2499807523"
(349) Cisco-AVPair = "vlan-id=1876"
(349) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(349) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(349) Framed-MTU = 1485
(349) NAS-IP-Address = 130.92.42.15
(349) NAS-Port-Type = Wireless-802.11
(349) NAS-Port = 4211
(349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(349) Calling-Station-Id := "22-E0-73-F2-50-23"
(349) Airespace-Wlan-Id = 98
(349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(349) WLAN-Group-Cipher = 1027076
(349) WLAN-Pairwise-Cipher = 1027076
(349) WLAN-AKM-Suite = 1027075
(349) WARNING: Outer and inner identities are the same. User privacy is compromised.
(349) server proxy-inner-tunnel {
(349) session-state: No cached attributes
(349) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(349) authorize {
(349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(349) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(349) if (!NAS-Port-Type){
(349) if (!NAS-Port-Type) -> FALSE
(349) update control {
(349) &Proxy-To-Realm := REALM-NPS-DEV
(349) } # update control = noop
(349) } # authorize = noop
(349) } # server proxy-inner-tunnel
(349) Virtual server sending reply
(349) eap_peap: Got tunneled reply code 0
(349) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(349) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(349) [eap] = handled
(349) if (handled && (Response-Packet-Type == Access-Challenge)) {
(349) EXPAND Response-Packet-Type
(349) -->
(349) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(349) } # Auth-Type eap = handled
(349) Starting proxy to home server 130.92.14.27 port 1812
(349) server default {
(349) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(349) pre-proxy {
(349) attr_filter.pre-proxy: EXPAND %{Realm}
(349) attr_filter.pre-proxy: --> REALM.COM
(349) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(349) [attr_filter.pre-proxy] = updated
(349) } # pre-proxy = updated
(349) }
(349) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(349) Sent Access-Request Id 93 from 0.0.0.0:37193 to 130.92.14.27:1812 length 209
(349) Operator-Name := "1realm.com"
(349) EAP-Message = 0x020b00061a03
(349) User-Name = "xyz at realm.com"
(349) State = 0x225b02b60000013700010200825c0e1b000000000000000000000000000000043a975549
(349) NAS-IP-Address = 130.92.42.15
(349) NAS-Port-Type = Wireless-802.11
(349) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(349) Calling-Station-Id := "22-E0-73-F2-50-23"
(349) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(349) Message-Authenticator = 0x
(349) Proxy-State = 0x37
Waking up in 0.3 seconds.
(349) Clearing existing &reply: attributes
(349) Received Access-Accept Id 93 from 130.92.14.27:1812 to 130.92.10.33:37193 length 287
(349) Proxy-State = 0x37
(349) Class = 0x7374616666
(349) Filter-Id = "staff"
(349) Framed-Protocol = PPP
(349) Service-Type = Framed-User
(349) Tunnel-Medium-Type:0 = IEEE-802
(349) Tunnel-Private-Group-Id:0 = "1874"
(349) Tunnel-Type:0 = VLAN
(349) EAP-Message = 0x030b0004
(349) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601
(349) MS-CHAP-Domain = "\001CAMPUS"
(349) MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3
(349) MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca
(349) MS-CHAP2-Success = 0x01533d37383335434645373334433338443739423442384342424437343139463043373744463844463443
(349) Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18
(349) server default {
(349) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(349) post-proxy {
(349) attr_filter.post-proxy: EXPAND %{Realm}
(349) attr_filter.post-proxy: --> REALM.COM
(349) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(349) [attr_filter.post-proxy] = updated
(349) eap: Doing post-proxy callback
(349) eap: Passing reply from proxy back into the tunnel
(349) eap: Got tunneled reply RADIUS code 2
(349) eap: Tunnel-Type := VLAN
(349) eap: Tunnel-Medium-Type := IEEE-802
(349) eap: Proxy-State = 0x37
(349) eap: Class = 0x7374616666
(349) eap: Filter-Id = "staff"
(349) eap: Tunnel-Private-Group-Id:0 = "1874"
(349) eap: EAP-Message = 0x030b0004
(349) eap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601
(349) eap: MS-MPPE-Send-Key = 0xd687deeb2f77eb638babd3daa38b43f3
(349) eap: MS-MPPE-Recv-Key = 0x9fa8f6207d3942e543a85d7ab15ac0ca
(349) eap: Message-Authenticator = 0xeaadc26a981ab8b1ea5cb2b537eb0a18
(349) eap: Tunneled authentication was successful
(349) eap: SUCCESS
(349) eap: Saving tunneled attributes for later
(349) eap: Reply was handled
(349) eap: Sending EAP Request (code 1) ID 12 length 46
(349) eap: EAP session adding &reply:State = 0x014113110b4d0af2
(349) [eap] = ok
(349) } # post-proxy = updated
(349) }
(349) Using Post-Auth-Type Challenge
(349) Post-Auth-Type sub-section not found. Ignoring.
(349) # Executing group from file /etc/freeradius/sites-enabled/default
(349) Sent Access-Challenge Id 7 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104
(349) EAP-Message = 0x010c002e190017030300238d6a1785e1a19b39b83c8d767db1a51679cc1ecabf6acedb8a2758d5b5f3203674984e
(349) Message-Authenticator = 0x00000000000000000000000000000000
(349) State = 0x014113110b4d0af2159d1101103ebc16
(349) Finished request
Waking up in 4.8 seconds.
(350) Received Access-Request Id 15 from 130.92.42.15:60533 to 130.92.10.33:1812 length 481
(350) User-Name = "xyz at realm.com"
(350) Service-Type = Framed-User
(350) Cisco-AVPair = "service-type=Framed"
(350) Framed-MTU = 1485
(350) EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244
(350) Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c
(350) Cisco-AVPair = "audit-session-id=142A5C820037733BC01D7C58"
(350) Cisco-AVPair = "method=dot1x"
(350) Cisco-AVPair = "client-iif-id=2499807523"
(350) Cisco-AVPair = "vlan-id=1876"
(350) NAS-IP-Address = 130.92.42.15
(350) NAS-Port-Type = Wireless-802.11
(350) NAS-Port = 4211
(350) State = 0x014113110b4d0af2159d1101103ebc16
(350) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(350) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(350) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(350) Calling-Station-Id = "22-e0-73-f2-50-23"
(350) Airespace-Wlan-Id = 98
(350) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(350) WLAN-Group-Cipher = 1027076
(350) WLAN-Pairwise-Cipher = 1027076
(350) WLAN-AKM-Suite = 1027075
(350) session-state: No cached attributes
(350) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(350) authorize {
(350) policy rewrite_called_station_id {
(350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(350) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(350) update request {
(350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(350) --> 60-B9-C0-04-C4-40
(350) &Called-Station-Id := 60-B9-C0-04-C4-40
(350) } # update request = noop
(350) if ("%{8}") {
(350) EXPAND %{8}
(350) --> eduroam
(350) if ("%{8}") -> TRUE
(350) if ("%{8}") {
(350) update request {
(350) EXPAND %{8}
(350) --> eduroam
(350) &Called-Station-SSID := eduroam
(350) EXPAND %{Called-Station-Id}:%{8}
(350) --> 60-B9-C0-04-C4-40:eduroam
(350) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(350) } # update request = noop
(350) } # if ("%{8}") = noop
(350) [updated] = updated
(350) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(350) ... skipping else: Preceding "if" was taken
(350) } # policy rewrite_called_station_id = updated
(350) policy rewrite_calling_station_id {
(350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(350) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(350) update request {
(350) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(350) --> 22-E0-73-F2-50-23
(350) &Calling-Station-Id := 22-E0-73-F2-50-23
(350) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(350) --> 22:E0:73:F2:50:23
(350) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(350) } # update request = noop
(350) [updated] = updated
(350) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(350) ... skipping else: Preceding "if" was taken
(350) } # policy rewrite_calling_station_id = updated
(350) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(350) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(350) if (Service-Type == Call-Check) {
(350) if (Service-Type == Call-Check) -> FALSE
(350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(350) EXPAND Packet-Src-IP-Address
(350) --> 130.92.42.15
(350) EXPAND Packet-Src-IP-Address
(350) --> 130.92.42.15
(350) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(350) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(350) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(350) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(350) if (EAP-Message) {
(350) if (EAP-Message) -> TRUE
(350) if (EAP-Message) {
(350) policy filter_username {
(350) if (&User-Name) {
(350) if (&User-Name) -> TRUE
(350) if (&User-Name) {
(350) if (&User-Name =~ / /) {
(350) if (&User-Name =~ / /) -> FALSE
(350) if (&User-Name =~ /@[^@]*@/ ) {
(350) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(350) if (&User-Name =~ /\.\./ ) {
(350) if (&User-Name =~ /\.\./ ) -> FALSE
(350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(350) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(350) if (&User-Name =~ /\.$/) {
(350) if (&User-Name =~ /\.$/) -> FALSE
(350) if (&User-Name =~ /@\./) {
(350) if (&User-Name =~ /@\./) -> FALSE
(350) } # if (&User-Name) = updated
(350) } # policy filter_username = updated
(350) suffix: Checking for suffix after "@"
(350) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(350) suffix: Found realm "REALM.COM"
(350) suffix: Adding Realm = "REALM.COM"
(350) suffix: Authentication realm is LOCAL
(350) [suffix] = ok
(350) policy deny_no_realm {
(350) if (User-Name && (User-Name !~ /@/)) {
(350) if (User-Name && (User-Name !~ /@/)) -> FALSE
(350) } # policy deny_no_realm = updated
(350) update request {
(350) EXPAND %{toupper:%{Realm}}
(350) --> REALM.COM
(350) Realm := REALM.COM
(350) } # update request = noop
(350) eap: Peer sent EAP Response (code 2) ID 12 length 46
(350) eap: Continuing tunnel setup
(350) [eap] = ok
(350) } # if (EAP-Message) = ok
(350) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(350) } # authorize = updated
(350) Found Auth-Type = eap
(350) # Executing group from file /etc/freeradius/sites-enabled/default
(350) Auth-Type eap {
(350) eap: Removing EAP session with state 0x014113110b4d0af2
(350) eap: Previous EAP request found for state 0x014113110b4d0af2, released from the list
(350) eap: Peer sent packet with method EAP PEAP (25)
(350) eap: Calling submodule eap_peap to process data
(350) eap_peap: (TLS) EAP Done initial handshake
(350) eap_peap: Session established. Decoding tunneled attributes
(350) eap_peap: PEAP state send tlv success
(350) eap_peap: Received EAP-TLV response
(350) eap_peap: Success
(350) eap_peap: Using saved attributes from the original Access-Accept
(350) eap_peap: Tunnel-Type := VLAN
(350) eap_peap: Tunnel-Medium-Type := IEEE-802
(350) eap_peap: Class = 0x7374616666
(350) eap_peap: Filter-Id = "staff"
(350) eap_peap: Tunnel-Private-Group-Id:0 = "1874"
(350) eap_peap: Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601
(350) eap: Sending EAP Success (code 3) ID 12 length 4
(350) eap: Freeing handler
(350) [eap] = ok
(350) if (handled && (Response-Packet-Type == Access-Challenge)) {
(350) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(350) } # Auth-Type eap = ok
(350) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(350) post-auth {
(350) policy debug_all {
(350) policy debug_control {
(350) if ("%{debug_attr:control:}" == '') {
(350) Attributes matching "control:"
(350) &control:Auth-Type = eap
(350) EXPAND %{debug_attr:control:}
(350) -->
(350) if ("%{debug_attr:control:}" == '') -> TRUE
(350) if ("%{debug_attr:control:}" == '') {
(350) [noop] = noop
(350) } # if ("%{debug_attr:control:}" == '') = noop
(350) } # policy debug_control = noop
(350) policy debug_request {
(350) if ("%{debug_attr:request:}" == '') {
(350) Attributes matching "request:"
(350) &request:User-Name = xyz at realm.com
(350) &request:Service-Type = Framed-User
(350) &request:Cisco-AVPair = service-type=Framed
(350) &request:Framed-MTU = 1485
(350) &request:EAP-Message = 0x020c002e190017030300239fbd8407fe6333be27f0732df0c86c2ae6b5faef72ecb9b63dfaadc83292179e360244
(350) &request:Message-Authenticator = 0x2cc88f99728922a86d6615ad0bd7525c
(350) &request:Cisco-AVPair = audit-session-id=142A5C820037733BC01D7C58
(350) &request:Cisco-AVPair = method=dot1x
(350) &request:Cisco-AVPair = client-iif-id=2499807523
(350) &request:Cisco-AVPair = vlan-id=1876
(350) &request:NAS-IP-Address = 130.92.42.15
(350) &request:NAS-Port-Type = Wireless-802.11
(350) &request:NAS-Port = 4211
(350) &request:State = 0x014113110b4d0af2159d1101103ebc16
(350) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam
(350) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV
(350) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(350) &request:Calling-Station-Id := 22-E0-73-F2-50-23
(350) &request:Airespace-Wlan-Id = 98
(350) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam
(350) &request:WLAN-Group-Cipher = 1027076
(350) &request:WLAN-Pairwise-Cipher = 1027076
(350) &request:WLAN-AKM-Suite = 1027075
(350) &request:Called-Station-SSID := eduroam
(350) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(350) &request:Realm := REALM.COM
(350) &request:EAP-Type = PEAP
(350) EXPAND %{debug_attr:request:}
(350) -->
(350) if ("%{debug_attr:request:}" == '') -> TRUE
(350) if ("%{debug_attr:request:}" == '') {
(350) [noop] = noop
(350) } # if ("%{debug_attr:request:}" == '') = noop
(350) } # policy debug_request = noop
(350) policy debug_coa {
(350) if ("%{debug_attr:coa:}" == '') {
(350) Attributes matching "coa:"
(350) WARNING: List "coa" is not available
(350) EXPAND %{debug_attr:coa:}
(350) -->
(350) if ("%{debug_attr:coa:}" == '') -> TRUE
(350) if ("%{debug_attr:coa:}" == '') {
(350) [noop] = noop
(350) } # if ("%{debug_attr:coa:}" == '') = noop
(350) } # policy debug_coa = noop
(350) policy debug_reply {
(350) if ("%{debug_attr:reply:}" == '') {
(350) Attributes matching "reply:"
(350) &reply:Tunnel-Type:-128 := VLAN
(350) &reply:Tunnel-Medium-Type:-128 := IEEE-802
(350) &reply:Class = 0x7374616666
(350) &reply:Filter-Id = staff
(350) &reply:Tunnel-Private-Group-Id:0 = 1874
(350) &reply:Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601
(350) &reply:MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5
(350) &reply:MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9
(350) &reply:EAP-MSK = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac565b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9
(350) &reply:EAP-EMSK = 0x2700c8fa3f3c22ec78878753bbf46ce60a211bc408dc33d44079d7dccd51489c9d10b38d2e6a303da3766e1e2b7e38ec4b6e4b344c6be00360f6ae6b255b4236
(350) &reply:EAP-Session-Id = 0x19675c30ff6a9b0b902f1e931a2758f15aa27a75704f9760726e5c03da301ba848c6f0abbfc21ebae81584415260a08bae7625b694abcfc744444f574e47524401
(350) &reply:EAP-Message = 0x030c0004
(350) &reply:Message-Authenticator = 0x00000000000000000000000000000000
(350) &reply:User-Name = xyz at realm.com
(350) EXPAND %{debug_attr:reply:}
(350) -->
(350) if ("%{debug_attr:reply:}" == '') -> TRUE
(350) if ("%{debug_attr:reply:}" == '') {
(350) [noop] = noop
(350) } # if ("%{debug_attr:reply:}" == '') = noop
(350) } # policy debug_reply = noop
(350) policy debug_session_state {
(350) if ("%{debug_attr:session-state:}" == '') {
(350) Attributes matching "session-state:"
(350) EXPAND %{debug_attr:session-state:}
(350) -->
(350) if ("%{debug_attr:session-state:}" == '') -> TRUE
(350) if ("%{debug_attr:session-state:}" == '') {
(350) [noop] = noop
(350) } # if ("%{debug_attr:session-state:}" == '') = noop
(350) } # policy debug_session_state = noop
(350) } # policy debug_all = noop
(350) update {
(350) No attributes updated for RHS &session-state
(350) } # update = noop
(350) if (Service-Type == Call-Check) {
(350) if (Service-Type == Call-Check) -> FALSE
(350) else {
(350) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})
(350) 802.1x_auth_log: --> Fri Dec 13 14:05:04 2024 : AuthZ: (15) Access-Accept: [xyz at realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown)
(350) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log
(350) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log
(350) [802.1x_auth_log] = ok
(350) } # else = ok
(350) policy remove_reply_message_if_eap {
(350) if (&reply:EAP-Message && &reply:Reply-Message) {
(350) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(350) else {
(350) [noop] = noop
(350) } # else = noop
(350) } # policy remove_reply_message_if_eap = noop
(350) } # post-auth = ok
(350) Login OK: [xyz at realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23)
(350) Sent Access-Accept Id 15 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264
(350) Tunnel-Type := VLAN
(350) Tunnel-Medium-Type := IEEE-802
(350) Class = 0x7374616666
(350) Filter-Id = "staff"
(350) Tunnel-Private-Group-Id:0 = "1874"
(350) Class = 0x568605d30000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9601
(350) MS-MPPE-Recv-Key = 0x30de94917d8e20cc27f44672a6f87fbb2196e8fd25f350356e6f5afe6d404ac5
(350) MS-MPPE-Send-Key = 0x65b71e153439623a162abad3bb04ce3ea34d1116d2c3524d0f8680d6aa6e93a9
(350) EAP-Message = 0x030c0004
(350) Message-Authenticator = 0x00000000000000000000000000000000
(350) User-Name = "xyz at realm.com"
(350) Finished request
Waking up in 4.8 seconds.
(351) Received Access-Request Id 23 from 130.92.42.15:60533 to 130.92.10.33:1812 length 445
(351) User-Name = "xyz at realm.com"
(351) Service-Type = Framed-User
(351) Cisco-AVPair = "service-type=Framed"
(351) Framed-MTU = 1485
(351) EAP-Message = 0x0201001d01646f6d696e69632e7374616c64657240756e6962652e6368
(351) Message-Authenticator = 0x2933cb4d659e4203d7e8cbc1e21e548d
(351) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(351) Cisco-AVPair = "method=dot1x"
(351) Cisco-AVPair = "client-iif-id=201332865"
(351) Cisco-AVPair = "vlan-id=1876"
(351) NAS-IP-Address = 130.92.42.15
(351) NAS-Port-Type = Wireless-802.11
(351) NAS-Port = 4211
(351) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(351) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(351) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(351) Calling-Station-Id = "22-e0-73-f2-50-23"
(351) Airespace-Wlan-Id = 98
(351) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(351) WLAN-Group-Cipher = 1027076
(351) WLAN-Pairwise-Cipher = 1027076
(351) WLAN-AKM-Suite = 1027075
(351) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(351) authorize {
(351) policy rewrite_called_station_id {
(351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(351) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(351) update request {
(351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(351) --> 60-B9-C0-04-C4-40
(351) &Called-Station-Id := 60-B9-C0-04-C4-40
(351) } # update request = noop
(351) if ("%{8}") {
(351) EXPAND %{8}
(351) --> eduroam
(351) if ("%{8}") -> TRUE
(351) if ("%{8}") {
(351) update request {
(351) EXPAND %{8}
(351) --> eduroam
(351) &Called-Station-SSID := eduroam
(351) EXPAND %{Called-Station-Id}:%{8}
(351) --> 60-B9-C0-04-C4-40:eduroam
(351) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(351) } # update request = noop
(351) } # if ("%{8}") = noop
(351) [updated] = updated
(351) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(351) ... skipping else: Preceding "if" was taken
(351) } # policy rewrite_called_station_id = updated
(351) policy rewrite_calling_station_id {
(351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(351) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(351) update request {
(351) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(351) --> 22-E0-73-F2-50-23
(351) &Calling-Station-Id := 22-E0-73-F2-50-23
(351) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(351) --> 22:E0:73:F2:50:23
(351) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(351) } # update request = noop
(351) [updated] = updated
(351) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(351) ... skipping else: Preceding "if" was taken
(351) } # policy rewrite_calling_station_id = updated
(351) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(351) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(351) if (Service-Type == Call-Check) {
(351) if (Service-Type == Call-Check) -> FALSE
(351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(351) EXPAND Packet-Src-IP-Address
(351) --> 130.92.42.15
(351) EXPAND Packet-Src-IP-Address
(351) --> 130.92.42.15
(351) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(351) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(351) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(351) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(351) if (EAP-Message) {
(351) if (EAP-Message) -> TRUE
(351) if (EAP-Message) {
(351) policy filter_username {
(351) if (&User-Name) {
(351) if (&User-Name) -> TRUE
(351) if (&User-Name) {
(351) if (&User-Name =~ / /) {
(351) if (&User-Name =~ / /) -> FALSE
(351) if (&User-Name =~ /@[^@]*@/ ) {
(351) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(351) if (&User-Name =~ /\.\./ ) {
(351) if (&User-Name =~ /\.\./ ) -> FALSE
(351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(351) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(351) if (&User-Name =~ /\.$/) {
(351) if (&User-Name =~ /\.$/) -> FALSE
(351) if (&User-Name =~ /@\./) {
(351) if (&User-Name =~ /@\./) -> FALSE
(351) } # if (&User-Name) = updated
(351) } # policy filter_username = updated
(351) suffix: Checking for suffix after "@"
(351) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(351) suffix: Found realm "REALM.COM"
(351) suffix: Adding Realm = "REALM.COM"
(351) suffix: Authentication realm is LOCAL
(351) [suffix] = ok
(351) policy deny_no_realm {
(351) if (User-Name && (User-Name !~ /@/)) {
(351) if (User-Name && (User-Name !~ /@/)) -> FALSE
(351) } # policy deny_no_realm = updated
(351) update request {
(351) EXPAND %{toupper:%{Realm}}
(351) --> REALM.COM
(351) Realm := REALM.COM
(351) } # update request = noop
(351) eap: Peer sent EAP Response (code 2) ID 1 length 29
(351) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(351) [eap] = ok
(351) } # if (EAP-Message) = ok
(351) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(351) } # authorize = updated
(351) Found Auth-Type = eap
(351) # Executing group from file /etc/freeradius/sites-enabled/default
(351) Auth-Type eap {
(351) eap: Peer sent packet with method EAP Identity (1)
(351) eap: Calling submodule eap_peap to process data
(351) eap_peap: (TLS) PEAP -Initiating new session
(351) eap: Sending EAP Request (code 1) ID 2 length 6
(351) eap: EAP session adding &reply:State = 0xceec9f67ceee86c2
(351) [eap] = handled
(351) if (handled && (Response-Packet-Type == Access-Challenge)) {
(351) EXPAND Response-Packet-Type
(351) --> Access-Challenge
(351) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(351) if (handled && (Response-Packet-Type == Access-Challenge)) {
(351) attr_filter.access_challenge: EXPAND %{User-Name}
(351) attr_filter.access_challenge: --> xyz at realm.com
(351) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(351) [attr_filter.access_challenge.post-auth] = updated
(351) [handled] = handled
(351) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(351) } # Auth-Type eap = handled
(351) Using Post-Auth-Type Challenge
(351) Post-Auth-Type sub-section not found. Ignoring.
(351) # Executing group from file /etc/freeradius/sites-enabled/default
(351) session-state: Saving cached attributes
(351) Framed-MTU = 1014
(351) Sent Access-Challenge Id 23 from 130.92.10.33:1812 to 130.92.42.15:60533 length 64
(351) EAP-Message = 0x010200061920
(351) Message-Authenticator = 0x00000000000000000000000000000000
(351) State = 0xceec9f67ceee86c299469da09cee92a1
(351) Finished request
Waking up in 3.9 seconds.
(352) Received Access-Request Id 31 from 130.92.42.15:60533 to 130.92.10.33:1812 length 595
(352) User-Name = "xyz at realm.com"
(352) Service-Type = Framed-User
(352) Cisco-AVPair = "service-type=Framed"
(352) Framed-MTU = 1485
(352) EAP-Message = 0x020200a119800000009716030100920100008e0303675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb59700002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
(352) Message-Authenticator = 0xd7069ec703e1171145ae6fb6ecf1d5a8
(352) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(352) Cisco-AVPair = "method=dot1x"
(352) Cisco-AVPair = "client-iif-id=201332865"
(352) Cisco-AVPair = "vlan-id=1876"
(352) NAS-IP-Address = 130.92.42.15
(352) NAS-Port-Type = Wireless-802.11
(352) NAS-Port = 4211
(352) State = 0xceec9f67ceee86c299469da09cee92a1
(352) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(352) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(352) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(352) Calling-Station-Id = "22-e0-73-f2-50-23"
(352) Airespace-Wlan-Id = 98
(352) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(352) WLAN-Group-Cipher = 1027076
(352) WLAN-Pairwise-Cipher = 1027076
(352) WLAN-AKM-Suite = 1027075
(352) Restoring &session-state
(352) &session-state:Framed-MTU = 1014
(352) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(352) authorize {
(352) policy rewrite_called_station_id {
(352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(352) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(352) update request {
(352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(352) --> 60-B9-C0-04-C4-40
(352) &Called-Station-Id := 60-B9-C0-04-C4-40
(352) } # update request = noop
(352) if ("%{8}") {
(352) EXPAND %{8}
(352) --> eduroam
(352) if ("%{8}") -> TRUE
(352) if ("%{8}") {
(352) update request {
(352) EXPAND %{8}
(352) --> eduroam
(352) &Called-Station-SSID := eduroam
(352) EXPAND %{Called-Station-Id}:%{8}
(352) --> 60-B9-C0-04-C4-40:eduroam
(352) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(352) } # update request = noop
(352) } # if ("%{8}") = noop
(352) [updated] = updated
(352) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(352) ... skipping else: Preceding "if" was taken
(352) } # policy rewrite_called_station_id = updated
(352) policy rewrite_calling_station_id {
(352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(352) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(352) update request {
(352) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(352) --> 22-E0-73-F2-50-23
(352) &Calling-Station-Id := 22-E0-73-F2-50-23
(352) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(352) --> 22:E0:73:F2:50:23
(352) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(352) } # update request = noop
(352) [updated] = updated
(352) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(352) ... skipping else: Preceding "if" was taken
(352) } # policy rewrite_calling_station_id = updated
(352) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(352) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(352) if (Service-Type == Call-Check) {
(352) if (Service-Type == Call-Check) -> FALSE
(352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(352) EXPAND Packet-Src-IP-Address
(352) --> 130.92.42.15
(352) EXPAND Packet-Src-IP-Address
(352) --> 130.92.42.15
(352) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(352) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(352) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(352) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(352) if (EAP-Message) {
(352) if (EAP-Message) -> TRUE
(352) if (EAP-Message) {
(352) policy filter_username {
(352) if (&User-Name) {
(352) if (&User-Name) -> TRUE
(352) if (&User-Name) {
(352) if (&User-Name =~ / /) {
(352) if (&User-Name =~ / /) -> FALSE
(352) if (&User-Name =~ /@[^@]*@/ ) {
(352) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(352) if (&User-Name =~ /\.\./ ) {
(352) if (&User-Name =~ /\.\./ ) -> FALSE
(352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(352) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(352) if (&User-Name =~ /\.$/) {
(352) if (&User-Name =~ /\.$/) -> FALSE
(352) if (&User-Name =~ /@\./) {
(352) if (&User-Name =~ /@\./) -> FALSE
(352) } # if (&User-Name) = updated
(352) } # policy filter_username = updated
(352) suffix: Checking for suffix after "@"
(352) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(352) suffix: Found realm "REALM.COM"
(352) suffix: Adding Realm = "REALM.COM"
(352) suffix: Authentication realm is LOCAL
(352) [suffix] = ok
(352) policy deny_no_realm {
(352) if (User-Name && (User-Name !~ /@/)) {
(352) if (User-Name && (User-Name !~ /@/)) -> FALSE
(352) } # policy deny_no_realm = updated
(352) update request {
(352) EXPAND %{toupper:%{Realm}}
(352) --> REALM.COM
(352) Realm := REALM.COM
(352) } # update request = noop
(352) eap: Peer sent EAP Response (code 2) ID 2 length 161
(352) eap: Continuing tunnel setup
(352) [eap] = ok
(352) } # if (EAP-Message) = ok
(352) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(352) } # authorize = updated
(352) Found Auth-Type = eap
(352) # Executing group from file /etc/freeradius/sites-enabled/default
(352) Auth-Type eap {
(352) eap: Removing EAP session with state 0xceec9f67ceee86c2
(352) eap: Previous EAP request found for state 0xceec9f67ceee86c2, released from the list
(352) eap: Peer sent packet with method EAP PEAP (25)
(352) eap: Calling submodule eap_peap to process data
(352) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(352) eap_peap: (TLS) EAP Got all data (151 bytes)
(352) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(352) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(352) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(352) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(352) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(352) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(352) eap_peap: (TLS) PEAP - In Handshake Phase
(352) eap: Sending EAP Request (code 1) ID 3 length 1024
(352) eap: EAP session adding &reply:State = 0xceec9f67cfef86c2
(352) [eap] = handled
(352) if (handled && (Response-Packet-Type == Access-Challenge)) {
(352) EXPAND Response-Packet-Type
(352) --> Access-Challenge
(352) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(352) if (handled && (Response-Packet-Type == Access-Challenge)) {
(352) attr_filter.access_challenge: EXPAND %{User-Name}
(352) attr_filter.access_challenge: --> xyz at realm.com
(352) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(352) [attr_filter.access_challenge.post-auth] = updated
(352) [handled] = handled
(352) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(352) } # Auth-Type eap = handled
(352) Using Post-Auth-Type Challenge
(352) Post-Auth-Type sub-section not found. Ignoring.
(352) # Executing group from file /etc/freeradius/sites-enabled/default
(352) session-state: Saving cached attributes
(352) Framed-MTU = 1014
(352) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(352) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(352) Sent Access-Challenge Id 31 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1090
(352) Message-Authenticator = 0x00000000000000000000000000000000
(352) State = 0xceec9f67cfef86c299469da09cee92a1
(352) Finished request
Waking up in 3.9 seconds.
(353) Received Access-Request Id 39 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440
(353) User-Name = "xyz at realm.com"
(353) Service-Type = Framed-User
(353) Cisco-AVPair = "service-type=Framed"
(353) Framed-MTU = 1485
(353) EAP-Message = 0x020300061900
(353) Message-Authenticator = 0xf3796f124c3546a4fff1a4495bc4bc3c
(353) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(353) Cisco-AVPair = "method=dot1x"
(353) Cisco-AVPair = "client-iif-id=201332865"
(353) Cisco-AVPair = "vlan-id=1876"
(353) NAS-IP-Address = 130.92.42.15
(353) NAS-Port-Type = Wireless-802.11
(353) NAS-Port = 4211
(353) State = 0xceec9f67cfef86c299469da09cee92a1
(353) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(353) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(353) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(353) Calling-Station-Id = "22-e0-73-f2-50-23"
(353) Airespace-Wlan-Id = 98
(353) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(353) WLAN-Group-Cipher = 1027076
(353) WLAN-Pairwise-Cipher = 1027076
(353) WLAN-AKM-Suite = 1027075
(353) Restoring &session-state
(353) &session-state:Framed-MTU = 1014
(353) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(353) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(353) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(353) authorize {
(353) policy rewrite_called_station_id {
(353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(353) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(353) update request {
(353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(353) --> 60-B9-C0-04-C4-40
(353) &Called-Station-Id := 60-B9-C0-04-C4-40
(353) } # update request = noop
(353) if ("%{8}") {
(353) EXPAND %{8}
(353) --> eduroam
(353) if ("%{8}") -> TRUE
(353) if ("%{8}") {
(353) update request {
(353) EXPAND %{8}
(353) --> eduroam
(353) &Called-Station-SSID := eduroam
(353) EXPAND %{Called-Station-Id}:%{8}
(353) --> 60-B9-C0-04-C4-40:eduroam
(353) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(353) } # update request = noop
(353) } # if ("%{8}") = noop
(353) [updated] = updated
(353) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(353) ... skipping else: Preceding "if" was taken
(353) } # policy rewrite_called_station_id = updated
(353) policy rewrite_calling_station_id {
(353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(353) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(353) update request {
(353) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(353) --> 22-E0-73-F2-50-23
(353) &Calling-Station-Id := 22-E0-73-F2-50-23
(353) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(353) --> 22:E0:73:F2:50:23
(353) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(353) } # update request = noop
(353) [updated] = updated
(353) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(353) ... skipping else: Preceding "if" was taken
(353) } # policy rewrite_calling_station_id = updated
(353) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(353) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(353) if (Service-Type == Call-Check) {
(353) if (Service-Type == Call-Check) -> FALSE
(353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(353) EXPAND Packet-Src-IP-Address
(353) --> 130.92.42.15
(353) EXPAND Packet-Src-IP-Address
(353) --> 130.92.42.15
(353) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(353) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(353) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(353) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(353) if (EAP-Message) {
(353) if (EAP-Message) -> TRUE
(353) if (EAP-Message) {
(353) policy filter_username {
(353) if (&User-Name) {
(353) if (&User-Name) -> TRUE
(353) if (&User-Name) {
(353) if (&User-Name =~ / /) {
(353) if (&User-Name =~ / /) -> FALSE
(353) if (&User-Name =~ /@[^@]*@/ ) {
(353) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(353) if (&User-Name =~ /\.\./ ) {
(353) if (&User-Name =~ /\.\./ ) -> FALSE
(353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(353) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(353) if (&User-Name =~ /\.$/) {
(353) if (&User-Name =~ /\.$/) -> FALSE
(353) if (&User-Name =~ /@\./) {
(353) if (&User-Name =~ /@\./) -> FALSE
(353) } # if (&User-Name) = updated
(353) } # policy filter_username = updated
(353) suffix: Checking for suffix after "@"
(353) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(353) suffix: Found realm "REALM.COM"
(353) suffix: Adding Realm = "REALM.COM"
(353) suffix: Authentication realm is LOCAL
(353) [suffix] = ok
(353) policy deny_no_realm {
(353) if (User-Name && (User-Name !~ /@/)) {
(353) if (User-Name && (User-Name !~ /@/)) -> FALSE
(353) } # policy deny_no_realm = updated
(353) update request {
(353) EXPAND %{toupper:%{Realm}}
(353) --> REALM.COM
(353) Realm := REALM.COM
(353) } # update request = noop
(353) eap: Peer sent EAP Response (code 2) ID 3 length 6
(353) eap: Continuing tunnel setup
(353) [eap] = ok
(353) } # if (EAP-Message) = ok
(353) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(353) } # authorize = updated
(353) Found Auth-Type = eap
(353) # Executing group from file /etc/freeradius/sites-enabled/default
(353) Auth-Type eap {
(353) eap: Removing EAP session with state 0xceec9f67cfef86c2
(353) eap: Previous EAP request found for state 0xceec9f67cfef86c2, released from the list
(353) eap: Peer sent packet with method EAP PEAP (25)
(353) eap: Calling submodule eap_peap to process data
(353) eap_peap: (TLS) Peer ACKed our handshake fragment
(353) eap: Sending EAP Request (code 1) ID 4 length 1020
(353) eap: EAP session adding &reply:State = 0xceec9f67cce886c2
(353) [eap] = handled
(353) if (handled && (Response-Packet-Type == Access-Challenge)) {
(353) EXPAND Response-Packet-Type
(353) --> Access-Challenge
(353) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(353) if (handled && (Response-Packet-Type == Access-Challenge)) {
(353) attr_filter.access_challenge: EXPAND %{User-Name}
(353) attr_filter.access_challenge: --> xyz@realm.com
(353) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(353) [attr_filter.access_challenge.post-auth] = updated
(353) [handled] = handled
(353) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(353) } # Auth-Type eap = handled
(353) Using Post-Auth-Type Challenge
(353) Post-Auth-Type sub-section not found. Ignoring.
(353) # Executing group from file /etc/freeradius/sites-enabled/default
(353) session-state: Saving cached attributes
(353) Framed-MTU = 1014
(353) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(353) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(353) Sent Access-Challenge Id 39 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(353) EAP-Message = 0x010403fc1940312d312e63726c3048a046a0448642687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e63726c30818706082b06010505070101047b3079302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d305106082b060105050730028645687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c4732544c53525341534841323536323032304341312d312e637274300c0603551d130101ff040230003082017f060a2b06010401d6790204020482016f0482016b01690077004e75a3275c9a10c3385b6cd4df3f52eb1df0e08e1b8d69c0b1fa64b1629a39df0000018fc49a2e690000040300483046022100c3703d534899e5150ee51285759f020d6d69574d1db223e7a6fba90105e34a98022100a96786ea2924a95667b25b5efae9fb8e9b5e2b8494
(353) Message-Authenticator = 0x00000000000000000000000000000000
(353) State = 0xceec9f67cce886c299469da09cee92a1
(353) Finished request
Waking up in 3.9 seconds.
(354) Received Access-Request Id 47 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440
(354) User-Name = "xyz@realm.com"
(354) Service-Type = Framed-User
(354) Cisco-AVPair = "service-type=Framed"
(354) Framed-MTU = 1485
(354) EAP-Message = 0x020400061900
(354) Message-Authenticator = 0xb510334983626c4527fe4b7d8fce100f
(354) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(354) Cisco-AVPair = "method=dot1x"
(354) Cisco-AVPair = "client-iif-id=201332865"
(354) Cisco-AVPair = "vlan-id=1876"
(354) NAS-IP-Address = 130.92.42.15
(354) NAS-Port-Type = Wireless-802.11
(354) NAS-Port = 4211
(354) State = 0xceec9f67cce886c299469da09cee92a1
(354) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(354) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(354) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(354) Calling-Station-Id = "22-e0-73-f2-50-23"
(354) Airespace-Wlan-Id = 98
(354) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(354) WLAN-Group-Cipher = 1027076
(354) WLAN-Pairwise-Cipher = 1027076
(354) WLAN-AKM-Suite = 1027075
(354) Restoring &session-state
(354) &session-state:Framed-MTU = 1014
(354) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(354) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(354) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(354) authorize {
(354) policy rewrite_called_station_id {
(354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(354) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(354) update request {
(354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(354) --> 60-B9-C0-04-C4-40
(354) &Called-Station-Id := 60-B9-C0-04-C4-40
(354) } # update request = noop
(354) if ("%{8}") {
(354) EXPAND %{8}
(354) --> eduroam
(354) if ("%{8}") -> TRUE
(354) if ("%{8}") {
(354) update request {
(354) EXPAND %{8}
(354) --> eduroam
(354) &Called-Station-SSID := eduroam
(354) EXPAND %{Called-Station-Id}:%{8}
(354) --> 60-B9-C0-04-C4-40:eduroam
(354) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(354) } # update request = noop
(354) } # if ("%{8}") = noop
(354) [updated] = updated
(354) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(354) ... skipping else: Preceding "if" was taken
(354) } # policy rewrite_called_station_id = updated
(354) policy rewrite_calling_station_id {
(354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(354) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(354) update request {
(354) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(354) --> 22-E0-73-F2-50-23
(354) &Calling-Station-Id := 22-E0-73-F2-50-23
(354) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(354) --> 22:E0:73:F2:50:23
(354) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(354) } # update request = noop
(354) [updated] = updated
(354) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(354) ... skipping else: Preceding "if" was taken
(354) } # policy rewrite_calling_station_id = updated
(354) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(354) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(354) if (Service-Type == Call-Check) {
(354) if (Service-Type == Call-Check) -> FALSE
(354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(354) EXPAND Packet-Src-IP-Address
(354) --> 130.92.42.15
(354) EXPAND Packet-Src-IP-Address
(354) --> 130.92.42.15
(354) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(354) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(354) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(354) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(354) if (EAP-Message) {
(354) if (EAP-Message) -> TRUE
(354) if (EAP-Message) {
(354) policy filter_username {
(354) if (&User-Name) {
(354) if (&User-Name) -> TRUE
(354) if (&User-Name) {
(354) if (&User-Name =~ / /) {
(354) if (&User-Name =~ / /) -> FALSE
(354) if (&User-Name =~ /@[^@]*@/ ) {
(354) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(354) if (&User-Name =~ /\.\./ ) {
(354) if (&User-Name =~ /\.\./ ) -> FALSE
(354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(354) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(354) if (&User-Name =~ /\.$/) {
(354) if (&User-Name =~ /\.$/) -> FALSE
(354) if (&User-Name =~ /@\./) {
(354) if (&User-Name =~ /@\./) -> FALSE
(354) } # if (&User-Name) = updated
(354) } # policy filter_username = updated
(354) suffix: Checking for suffix after "@"
(354) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(354) suffix: Found realm "REALM.COM"
(354) suffix: Adding Realm = "REALM.COM"
(354) suffix: Authentication realm is LOCAL
(354) [suffix] = ok
(354) policy deny_no_realm {
(354) if (User-Name && (User-Name !~ /@/)) {
(354) if (User-Name && (User-Name !~ /@/)) -> FALSE
(354) } # policy deny_no_realm = updated
(354) update request {
(354) EXPAND %{toupper:%{Realm}}
(354) --> REALM.COM
(354) Realm := REALM.COM
(354) } # update request = noop
(354) eap: Peer sent EAP Response (code 2) ID 4 length 6
(354) eap: Continuing tunnel setup
(354) [eap] = ok
(354) } # if (EAP-Message) = ok
(354) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(354) } # authorize = updated
(354) Found Auth-Type = eap
(354) # Executing group from file /etc/freeradius/sites-enabled/default
(354) Auth-Type eap {
(354) eap: Removing EAP session with state 0xceec9f67cce886c2
(354) eap: Previous EAP request found for state 0xceec9f67cce886c2, released from the list
(354) eap: Peer sent packet with method EAP PEAP (25)
(354) eap: Calling submodule eap_peap to process data
(354) eap_peap: (TLS) Peer ACKed our handshake fragment
(354) eap: Sending EAP Request (code 1) ID 5 length 1020
(354) eap: EAP session adding &reply:State = 0xceec9f67cde986c2
(354) [eap] = handled
(354) if (handled && (Response-Packet-Type == Access-Challenge)) {
(354) EXPAND Response-Packet-Type
(354) --> Access-Challenge
(354) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(354) if (handled && (Response-Packet-Type == Access-Challenge)) {
(354) attr_filter.access_challenge: EXPAND %{User-Name}
(354) attr_filter.access_challenge: --> xyz@realm.com
(354) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(354) [attr_filter.access_challenge.post-auth] = updated
(354) [handled] = handled
(354) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(354) } # Auth-Type eap = handled
(354) Using Post-Auth-Type Challenge
(354) Post-Auth-Type sub-section not found. Ignoring.
(354) # Executing group from file /etc/freeradius/sites-enabled/default
(354) session-state: Saving cached attributes
(354) Framed-MTU = 1014
(354) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(354) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(354) Sent Access-Challenge Id 47 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(354) EAP-Message = ...
(354) Message-Authenticator = 0x00000000000000000000000000000000
(354) State = 0xceec9f67cde986c299469da09cee92a1
(354) Finished request
Waking up in 3.8 seconds.
(355) Received Access-Request Id 55 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440
(355) User-Name = "xyz@realm.com"
(355) Service-Type = Framed-User
(355) Cisco-AVPair = "service-type=Framed"
(355) Framed-MTU = 1485
(355) EAP-Message = 0x020500061900
(355) Message-Authenticator = 0x8e81bbf2bf5fb1fbc216fcb932dee869
(355) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(355) Cisco-AVPair = "method=dot1x"
(355) Cisco-AVPair = "client-iif-id=201332865"
(355) Cisco-AVPair = "vlan-id=1876"
(355) NAS-IP-Address = 130.92.42.15
(355) NAS-Port-Type = Wireless-802.11
(355) NAS-Port = 4211
(355) State = 0xceec9f67cde986c299469da09cee92a1
(355) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(355) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(355) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(355) Calling-Station-Id = "22-e0-73-f2-50-23"
(355) Airespace-Wlan-Id = 98
(355) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(355) WLAN-Group-Cipher = 1027076
(355) WLAN-Pairwise-Cipher = 1027076
(355) WLAN-AKM-Suite = 1027075
(355) Restoring &session-state
(355) &session-state:Framed-MTU = 1014
(355) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(355) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(355) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(355) authorize {
(355) policy rewrite_called_station_id {
(355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(355) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(355) update request {
(355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(355) --> 60-B9-C0-04-C4-40
(355) &Called-Station-Id := 60-B9-C0-04-C4-40
(355) } # update request = noop
(355) if ("%{8}") {
(355) EXPAND %{8}
(355) --> eduroam
(355) if ("%{8}") -> TRUE
(355) if ("%{8}") {
(355) update request {
(355) EXPAND %{8}
(355) --> eduroam
(355) &Called-Station-SSID := eduroam
(355) EXPAND %{Called-Station-Id}:%{8}
(355) --> 60-B9-C0-04-C4-40:eduroam
(355) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(355) } # update request = noop
(355) } # if ("%{8}") = noop
(355) [updated] = updated
(355) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(355) ... skipping else: Preceding "if" was taken
(355) } # policy rewrite_called_station_id = updated
(355) policy rewrite_calling_station_id {
(355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(355) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(355) update request {
(355) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(355) --> 22-E0-73-F2-50-23
(355) &Calling-Station-Id := 22-E0-73-F2-50-23
(355) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(355) --> 22:E0:73:F2:50:23
(355) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(355) } # update request = noop
(355) [updated] = updated
(355) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(355) ... skipping else: Preceding "if" was taken
(355) } # policy rewrite_calling_station_id = updated
(355) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(355) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(355) if (Service-Type == Call-Check) {
(355) if (Service-Type == Call-Check) -> FALSE
(355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(355) EXPAND Packet-Src-IP-Address
(355) --> 130.92.42.15
(355) EXPAND Packet-Src-IP-Address
(355) --> 130.92.42.15
(355) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(355) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(355) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(355) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(355) if (EAP-Message) {
(355) if (EAP-Message) -> TRUE
(355) if (EAP-Message) {
(355) policy filter_username {
(355) if (&User-Name) {
(355) if (&User-Name) -> TRUE
(355) if (&User-Name) {
(355) if (&User-Name =~ / /) {
(355) if (&User-Name =~ / /) -> FALSE
(355) if (&User-Name =~ /@[^@]*@/ ) {
(355) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(355) if (&User-Name =~ /\.\./ ) {
(355) if (&User-Name =~ /\.\./ ) -> FALSE
(355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(355) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(355) if (&User-Name =~ /\.$/) {
(355) if (&User-Name =~ /\.$/) -> FALSE
(355) if (&User-Name =~ /@\./) {
(355) if (&User-Name =~ /@\./) -> FALSE
(355) } # if (&User-Name) = updated
(355) } # policy filter_username = updated
(355) suffix: Checking for suffix after "@"
(355) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(355) suffix: Found realm "REALM.COM"
(355) suffix: Adding Realm = "REALM.COM"
(355) suffix: Authentication realm is LOCAL
(355) [suffix] = ok
(355) policy deny_no_realm {
(355) if (User-Name && (User-Name !~ /@/)) {
(355) if (User-Name && (User-Name !~ /@/)) -> FALSE
(355) } # policy deny_no_realm = updated
(355) update request {
(355) EXPAND %{toupper:%{Realm}}
(355) --> REALM.COM
(355) Realm := REALM.COM
(355) } # update request = noop
(355) eap: Peer sent EAP Response (code 2) ID 5 length 6
(355) eap: Continuing tunnel setup
(355) [eap] = ok
(355) } # if (EAP-Message) = ok
(355) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(355) } # authorize = updated
(355) Found Auth-Type = eap
(355) # Executing group from file /etc/freeradius/sites-enabled/default
(355) Auth-Type eap {
(355) eap: Removing EAP session with state 0xceec9f67cde986c2
(355) eap: Previous EAP request found for state 0xceec9f67cde986c2, released from the list
(355) eap: Peer sent packet with method EAP PEAP (25)
(355) eap: Calling submodule eap_peap to process data
(355) eap_peap: (TLS) Peer ACKed our handshake fragment
(355) eap: Sending EAP Request (code 1) ID 6 length 1020
(355) eap: EAP session adding &reply:State = 0xceec9f67caea86c2
(355) [eap] = handled
(355) if (handled && (Response-Packet-Type == Access-Challenge)) {
(355) EXPAND Response-Packet-Type
(355) --> Access-Challenge
(355) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(355) if (handled && (Response-Packet-Type == Access-Challenge)) {
(355) attr_filter.access_challenge: EXPAND %{User-Name}
(355) attr_filter.access_challenge: --> xyz@realm.com
(355) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(355) [attr_filter.access_challenge.post-auth] = updated
(355) [handled] = handled
(355) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(355) } # Auth-Type eap = handled
(355) Using Post-Auth-Type Challenge
(355) Post-Auth-Type sub-section not found. Ignoring.
(355) # Executing group from file /etc/freeradius/sites-enabled/default
(355) session-state: Saving cached attributes
(355) Framed-MTU = 1014
(355) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(355) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(355) Sent Access-Challenge Id 55 from 130.92.10.33:1812 to 130.92.42.15:60533 length 1086
(355) EAP-Message = ...
(355) Message-Authenticator = 0x00000000000000000000000000000000
(355) State = 0xceec9f67caea86c299469da09cee92a1
(355) Finished request
Waking up in 3.8 seconds.
(356) Received Access-Request Id 63 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440
(356) User-Name = "xyz@realm.com"
(356) Service-Type = Framed-User
(356) Cisco-AVPair = "service-type=Framed"
(356) Framed-MTU = 1485
(356) EAP-Message = 0x020600061900
(356) Message-Authenticator = 0xc44289330177ed5b3c4d95479193adc0
(356) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(356) Cisco-AVPair = "method=dot1x"
(356) Cisco-AVPair = "client-iif-id=201332865"
(356) Cisco-AVPair = "vlan-id=1876"
(356) NAS-IP-Address = 130.92.42.15
(356) NAS-Port-Type = Wireless-802.11
(356) NAS-Port = 4211
(356) State = 0xceec9f67caea86c299469da09cee92a1
(356) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(356) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(356) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(356) Calling-Station-Id = "22-e0-73-f2-50-23"
(356) Airespace-Wlan-Id = 98
(356) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(356) WLAN-Group-Cipher = 1027076
(356) WLAN-Pairwise-Cipher = 1027076
(356) WLAN-AKM-Suite = 1027075
(356) Restoring &session-state
(356) &session-state:Framed-MTU = 1014
(356) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(356) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(356) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(356) authorize {
(356) policy rewrite_called_station_id {
(356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(356) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(356) update request {
(356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(356) --> 60-B9-C0-04-C4-40
(356) &Called-Station-Id := 60-B9-C0-04-C4-40
(356) } # update request = noop
(356) if ("%{8}") {
(356) EXPAND %{8}
(356) --> eduroam
(356) if ("%{8}") -> TRUE
(356) if ("%{8}") {
(356) update request {
(356) EXPAND %{8}
(356) --> eduroam
(356) &Called-Station-SSID := eduroam
(356) EXPAND %{Called-Station-Id}:%{8}
(356) --> 60-B9-C0-04-C4-40:eduroam
(356) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(356) } # update request = noop
(356) } # if ("%{8}") = noop
(356) [updated] = updated
(356) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(356) ... skipping else: Preceding "if" was taken
(356) } # policy rewrite_called_station_id = updated
(356) policy rewrite_calling_station_id {
(356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(356) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(356) update request {
(356) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(356) --> 22-E0-73-F2-50-23
(356) &Calling-Station-Id := 22-E0-73-F2-50-23
(356) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(356) --> 22:E0:73:F2:50:23
(356) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(356) } # update request = noop
(356) [updated] = updated
(356) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(356) ... skipping else: Preceding "if" was taken
(356) } # policy rewrite_calling_station_id = updated
(356) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(356) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(356) if (Service-Type == Call-Check) {
(356) if (Service-Type == Call-Check) -> FALSE
(356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(356) EXPAND Packet-Src-IP-Address
(356) --> 130.92.42.15
(356) EXPAND Packet-Src-IP-Address
(356) --> 130.92.42.15
(356) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(356) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(356) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(356) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(356) if (EAP-Message) {
(356) if (EAP-Message) -> TRUE
(356) if (EAP-Message) {
(356) policy filter_username {
(356) if (&User-Name) {
(356) if (&User-Name) -> TRUE
(356) if (&User-Name) {
(356) if (&User-Name =~ / /) {
(356) if (&User-Name =~ / /) -> FALSE
(356) if (&User-Name =~ /@[^@]*@/ ) {
(356) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(356) if (&User-Name =~ /\.\./ ) {
(356) if (&User-Name =~ /\.\./ ) -> FALSE
(356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(356) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(356) if (&User-Name =~ /\.$/) {
(356) if (&User-Name =~ /\.$/) -> FALSE
(356) if (&User-Name =~ /@\./) {
(356) if (&User-Name =~ /@\./) -> FALSE
(356) } # if (&User-Name) = updated
(356) } # policy filter_username = updated
(356) suffix: Checking for suffix after "@"
(356) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(356) suffix: Found realm "REALM.COM"
(356) suffix: Adding Realm = "REALM.COM"
(356) suffix: Authentication realm is LOCAL
(356) [suffix] = ok
(356) policy deny_no_realm {
(356) if (User-Name && (User-Name !~ /@/)) {
(356) if (User-Name && (User-Name !~ /@/)) -> FALSE
(356) } # policy deny_no_realm = updated
(356) update request {
(356) EXPAND %{toupper:%{Realm}}
(356) --> REALM.COM
(356) Realm := REALM.COM
(356) } # update request = noop
(356) eap: Peer sent EAP Response (code 2) ID 6 length 6
(356) eap: Continuing tunnel setup
(356) [eap] = ok
(356) } # if (EAP-Message) = ok
(356) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(356) } # authorize = updated
(356) Found Auth-Type = eap
(356) # Executing group from file /etc/freeradius/sites-enabled/default
(356) Auth-Type eap {
(356) eap: Removing EAP session with state 0xceec9f67caea86c2
(356) eap: Previous EAP request found for state 0xceec9f67caea86c2, released from the list
(356) eap: Peer sent packet with method EAP PEAP (25)
(356) eap: Calling submodule eap_peap to process data
(356) eap_peap: (TLS) Peer ACKed our handshake fragment
(356) eap: Sending EAP Request (code 1) ID 7 length 355
(356) eap: EAP session adding &reply:State = 0xceec9f67cbeb86c2
(356) [eap] = handled
(356) if (handled && (Response-Packet-Type == Access-Challenge)) {
(356) EXPAND Response-Packet-Type
(356) --> Access-Challenge
(356) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(356) if (handled && (Response-Packet-Type == Access-Challenge)) {
(356) attr_filter.access_challenge: EXPAND %{User-Name}
(356) attr_filter.access_challenge: --> xyz@realm.com
(356) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(356) [attr_filter.access_challenge.post-auth] = updated
(356) [handled] = handled
(356) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(356) } # Auth-Type eap = handled
(356) Using Post-Auth-Type Challenge
(356) Post-Auth-Type sub-section not found. Ignoring.
(356) # Executing group from file /etc/freeradius/sites-enabled/default
(356) session-state: Saving cached attributes
(356) Framed-MTU = 1014
(356) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(356) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(356) Sent Access-Challenge Id 63 from 130.92.10.33:1812 to 130.92.42.15:60533 length 415
(356) EAP-Message = 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
(356) Message-Authenticator = 0x00000000000000000000000000000000
(356) State = 0xceec9f67cbeb86c299469da09cee92a1
(356) Finished request
Waking up in 3.8 seconds.
(357) Received Access-Request Id 71 from 130.92.42.15:60533 to 130.92.10.33:1812 length 570
(357) User-Name = "xyz@realm.com"
(357) Service-Type = Framed-User
(357) Cisco-AVPair = "service-type=Framed"
(357) Framed-MTU = 1485
(357) EAP-Message = 0x0207008819800000007e1603030046100000424104dc75f0e99c0d10be5910b5ec7c9f9d1c239f795540d3f569fe73a2a28522d16ba31504a1cd5350b4b6bdff5dfc1527a84f9d4d38b82ef18a7a34cdf139cc71691403030001011603030028d818ac38e08209544a07329d759f59053fa0a4d1764f92143881d18b37e116582dc7d0618d43df56
(357) Message-Authenticator = 0x382bd2b906d4f4e2b5d7d11e1b7805a1
(357) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(357) Cisco-AVPair = "method=dot1x"
(357) Cisco-AVPair = "client-iif-id=201332865"
(357) Cisco-AVPair = "vlan-id=1876"
(357) NAS-IP-Address = 130.92.42.15
(357) NAS-Port-Type = Wireless-802.11
(357) NAS-Port = 4211
(357) State = 0xceec9f67cbeb86c299469da09cee92a1
(357) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(357) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(357) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(357) Calling-Station-Id = "22-e0-73-f2-50-23"
(357) Airespace-Wlan-Id = 98
(357) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(357) WLAN-Group-Cipher = 1027076
(357) WLAN-Pairwise-Cipher = 1027076
(357) WLAN-AKM-Suite = 1027075
(357) Restoring &session-state
(357) &session-state:Framed-MTU = 1014
(357) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(357) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(357) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(357) authorize {
(357) policy rewrite_called_station_id {
(357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(357) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(357) update request {
(357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(357) --> 60-B9-C0-04-C4-40
(357) &Called-Station-Id := 60-B9-C0-04-C4-40
(357) } # update request = noop
(357) if ("%{8}") {
(357) EXPAND %{8}
(357) --> eduroam
(357) if ("%{8}") -> TRUE
(357) if ("%{8}") {
(357) update request {
(357) EXPAND %{8}
(357) --> eduroam
(357) &Called-Station-SSID := eduroam
(357) EXPAND %{Called-Station-Id}:%{8}
(357) --> 60-B9-C0-04-C4-40:eduroam
(357) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(357) } # update request = noop
(357) } # if ("%{8}") = noop
(357) [updated] = updated
(357) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(357) ... skipping else: Preceding "if" was taken
(357) } # policy rewrite_called_station_id = updated
(357) policy rewrite_calling_station_id {
(357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(357) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(357) update request {
(357) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(357) --> 22-E0-73-F2-50-23
(357) &Calling-Station-Id := 22-E0-73-F2-50-23
(357) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(357) --> 22:E0:73:F2:50:23
(357) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(357) } # update request = noop
(357) [updated] = updated
(357) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(357) ... skipping else: Preceding "if" was taken
(357) } # policy rewrite_calling_station_id = updated
(357) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(357) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(357) if (Service-Type == Call-Check) {
(357) if (Service-Type == Call-Check) -> FALSE
(357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(357) EXPAND Packet-Src-IP-Address
(357) --> 130.92.42.15
(357) EXPAND Packet-Src-IP-Address
(357) --> 130.92.42.15
(357) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(357) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(357) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(357) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(357) if (EAP-Message) {
(357) if (EAP-Message) -> TRUE
(357) if (EAP-Message) {
(357) policy filter_username {
(357) if (&User-Name) {
(357) if (&User-Name) -> TRUE
(357) if (&User-Name) {
(357) if (&User-Name =~ / /) {
(357) if (&User-Name =~ / /) -> FALSE
(357) if (&User-Name =~ /@[^@]*@/ ) {
(357) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(357) if (&User-Name =~ /\.\./ ) {
(357) if (&User-Name =~ /\.\./ ) -> FALSE
(357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(357) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(357) if (&User-Name =~ /\.$/) {
(357) if (&User-Name =~ /\.$/) -> FALSE
(357) if (&User-Name =~ /@\./) {
(357) if (&User-Name =~ /@\./) -> FALSE
(357) } # if (&User-Name) = updated
(357) } # policy filter_username = updated
(357) suffix: Checking for suffix after "@"
(357) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(357) suffix: Found realm "REALM.COM"
(357) suffix: Adding Realm = "REALM.COM"
(357) suffix: Authentication realm is LOCAL
(357) [suffix] = ok
(357) policy deny_no_realm {
(357) if (User-Name && (User-Name !~ /@/)) {
(357) if (User-Name && (User-Name !~ /@/)) -> FALSE
(357) } # policy deny_no_realm = updated
(357) update request {
(357) EXPAND %{toupper:%{Realm}}
(357) --> REALM.COM
(357) Realm := REALM.COM
(357) } # update request = noop
(357) eap: Peer sent EAP Response (code 2) ID 7 length 136
(357) eap: Continuing tunnel setup
(357) [eap] = ok
(357) } # if (EAP-Message) = ok
(357) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(357) } # authorize = updated
(357) Found Auth-Type = eap
(357) # Executing group from file /etc/freeradius/sites-enabled/default
(357) Auth-Type eap {
(357) eap: Removing EAP session with state 0xceec9f67cbeb86c2
(357) eap: Previous EAP request found for state 0xceec9f67cbeb86c2, released from the list
(357) eap: Peer sent packet with method EAP PEAP (25)
(357) eap: Calling submodule eap_peap to process data
(357) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(357) eap_peap: (TLS) EAP Got all data (126 bytes)
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(357) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(357) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(357) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(357) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(357) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(357) eap_peap: (TLS) PEAP - Connection Established
(357) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(357) eap_peap: TLS-Session-Version = "TLS 1.2"
(357) eap: Sending EAP Request (code 1) ID 8 length 57
(357) eap: EAP session adding &reply:State = 0xceec9f67c8e486c2
(357) [eap] = handled
(357) if (handled && (Response-Packet-Type == Access-Challenge)) {
(357) EXPAND Response-Packet-Type
(357) --> Access-Challenge
(357) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(357) if (handled && (Response-Packet-Type == Access-Challenge)) {
(357) attr_filter.access_challenge: EXPAND %{User-Name}
(357) attr_filter.access_challenge: --> xyz@realm.com
(357) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(357) [attr_filter.access_challenge.post-auth] = updated
(357) [handled] = handled
(357) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(357) } # Auth-Type eap = handled
(357) Using Post-Auth-Type Challenge
(357) Post-Auth-Type sub-section not found. Ignoring.
(357) # Executing group from file /etc/freeradius/sites-enabled/default
(357) session-state: Saving cached attributes
(357) Framed-MTU = 1014
(357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(357) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(357) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(357) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(357) TLS-Session-Version = "TLS 1.2"
(357) Sent Access-Challenge Id 71 from 130.92.10.33:1812 to 130.92.42.15:60533 length 115
(357) EAP-Message = 0x010800391900140303000101160303002873e2e1347334f5dd971479d4d9917d655bb89c8eb3ccb1feaff891be79433e47510170e89cd75911
(357) Message-Authenticator = 0x00000000000000000000000000000000
(357) State = 0xceec9f67c8e486c299469da09cee92a1
(357) Finished request
Waking up in 3.8 seconds.
(358) Received Access-Request Id 79 from 130.92.42.15:60533 to 130.92.10.33:1812 length 440
(358) User-Name = "xyz@realm.com"
(358) Service-Type = Framed-User
(358) Cisco-AVPair = "service-type=Framed"
(358) Framed-MTU = 1485
(358) EAP-Message = 0x020800061900
(358) Message-Authenticator = 0xc637f3644e15e782c86c9fe11b23d1a0
(358) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(358) Cisco-AVPair = "method=dot1x"
(358) Cisco-AVPair = "client-iif-id=201332865"
(358) Cisco-AVPair = "vlan-id=1876"
(358) NAS-IP-Address = 130.92.42.15
(358) NAS-Port-Type = Wireless-802.11
(358) NAS-Port = 4211
(358) State = 0xceec9f67c8e486c299469da09cee92a1
(358) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(358) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(358) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(358) Calling-Station-Id = "22-e0-73-f2-50-23"
(358) Airespace-Wlan-Id = 98
(358) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(358) WLAN-Group-Cipher = 1027076
(358) WLAN-Pairwise-Cipher = 1027076
(358) WLAN-AKM-Suite = 1027075
(358) Restoring &session-state
(358) &session-state:Framed-MTU = 1014
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(358) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(358) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(358) &session-state:TLS-Session-Version = "TLS 1.2"
(358) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(358) authorize {
(358) policy rewrite_called_station_id {
(358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(358) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(358) update request {
(358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(358) --> 60-B9-C0-04-C4-40
(358) &Called-Station-Id := 60-B9-C0-04-C4-40
(358) } # update request = noop
(358) if ("%{8}") {
(358) EXPAND %{8}
(358) --> eduroam
(358) if ("%{8}") -> TRUE
(358) if ("%{8}") {
(358) update request {
(358) EXPAND %{8}
(358) --> eduroam
(358) &Called-Station-SSID := eduroam
(358) EXPAND %{Called-Station-Id}:%{8}
(358) --> 60-B9-C0-04-C4-40:eduroam
(358) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(358) } # update request = noop
(358) } # if ("%{8}") = noop
(358) [updated] = updated
(358) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(358) ... skipping else: Preceding "if" was taken
(358) } # policy rewrite_called_station_id = updated
(358) policy rewrite_calling_station_id {
(358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(358) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(358) update request {
(358) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(358) --> 22-E0-73-F2-50-23
(358) &Calling-Station-Id := 22-E0-73-F2-50-23
(358) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(358) --> 22:E0:73:F2:50:23
(358) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(358) } # update request = noop
(358) [updated] = updated
(358) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(358) ... skipping else: Preceding "if" was taken
(358) } # policy rewrite_calling_station_id = updated
(358) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(358) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(358) if (Service-Type == Call-Check) {
(358) if (Service-Type == Call-Check) -> FALSE
(358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(358) EXPAND Packet-Src-IP-Address
(358) --> 130.92.42.15
(358) EXPAND Packet-Src-IP-Address
(358) --> 130.92.42.15
(358) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(358) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(358) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(358) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(358) if (EAP-Message) {
(358) if (EAP-Message) -> TRUE
(358) if (EAP-Message) {
(358) policy filter_username {
(358) if (&User-Name) {
(358) if (&User-Name) -> TRUE
(358) if (&User-Name) {
(358) if (&User-Name =~ / /) {
(358) if (&User-Name =~ / /) -> FALSE
(358) if (&User-Name =~ /@[^@]*@/ ) {
(358) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(358) if (&User-Name =~ /\.\./ ) {
(358) if (&User-Name =~ /\.\./ ) -> FALSE
(358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(358) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(358) if (&User-Name =~ /\.$/) {
(358) if (&User-Name =~ /\.$/) -> FALSE
(358) if (&User-Name =~ /@\./) {
(358) if (&User-Name =~ /@\./) -> FALSE
(358) } # if (&User-Name) = updated
(358) } # policy filter_username = updated
(358) suffix: Checking for suffix after "@"
(358) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(358) suffix: Found realm "REALM.COM"
(358) suffix: Adding Realm = "REALM.COM"
(358) suffix: Authentication realm is LOCAL
(358) [suffix] = ok
(358) policy deny_no_realm {
(358) if (User-Name && (User-Name !~ /@/)) {
(358) if (User-Name && (User-Name !~ /@/)) -> FALSE
(358) } # policy deny_no_realm = updated
(358) update request {
(358) EXPAND %{toupper:%{Realm}}
(358) --> REALM.COM
(358) Realm := REALM.COM
(358) } # update request = noop
(358) eap: Peer sent EAP Response (code 2) ID 8 length 6
(358) eap: Continuing tunnel setup
(358) [eap] = ok
(358) } # if (EAP-Message) = ok
(358) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(358) } # authorize = updated
(358) Found Auth-Type = eap
(358) # Executing group from file /etc/freeradius/sites-enabled/default
(358) Auth-Type eap {
(358) eap: Removing EAP session with state 0xceec9f67c8e486c2
(358) eap: Previous EAP request found for state 0xceec9f67c8e486c2, released from the list
(358) eap: Peer sent packet with method EAP PEAP (25)
(358) eap: Calling submodule eap_peap to process data
(358) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(358) eap_peap: Session established. Decoding tunneled attributes
(358) eap_peap: PEAP state TUNNEL ESTABLISHED
(358) eap: Sending EAP Request (code 1) ID 9 length 40
(358) eap: EAP session adding &reply:State = 0xceec9f67c9e586c2
(358) [eap] = handled
(358) if (handled && (Response-Packet-Type == Access-Challenge)) {
(358) EXPAND Response-Packet-Type
(358) --> Access-Challenge
(358) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(358) if (handled && (Response-Packet-Type == Access-Challenge)) {
(358) attr_filter.access_challenge: EXPAND %{User-Name}
(358) attr_filter.access_challenge: --> xyz@realm.com
(358) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(358) [attr_filter.access_challenge.post-auth] = updated
(358) [handled] = handled
(358) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(358) } # Auth-Type eap = handled
(358) Using Post-Auth-Type Challenge
(358) Post-Auth-Type sub-section not found. Ignoring.
(358) # Executing group from file /etc/freeradius/sites-enabled/default
(358) session-state: Saving cached attributes
(358) Framed-MTU = 1014
(358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(358) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(358) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(358) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(358) TLS-Session-Version = "TLS 1.2"
(358) Sent Access-Challenge Id 79 from 130.92.10.33:1812 to 130.92.42.15:60533 length 98
(358) EAP-Message = 0x010900281900170303001d73e2e1347334f5dee8b4d42eb4a6ac1f21e84645180ec145b6e6f3c747
(358) Message-Authenticator = 0x00000000000000000000000000000000
(358) State = 0xceec9f67c9e586c299469da09cee92a1
(358) Finished request
Waking up in 3.8 seconds.
(359) Received Access-Request Id 87 from 130.92.42.15:60533 to 130.92.10.33:1812 length 494
(359) User-Name = "xyz@realm.com"
(359) Service-Type = Framed-User
(359) Cisco-AVPair = "service-type=Framed"
(359) Framed-MTU = 1485
(359) EAP-Message = 0x0209003c19001703030031d818ac38e0820955dfa6371a6b6a589774c9c0627ebd45e6682397c1e3b42b5dc37c9c55586bc468386d5729515b62a634
(359) Message-Authenticator = 0x0b1308903782a64609d4283693fee522
(359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(359) Cisco-AVPair = "method=dot1x"
(359) Cisco-AVPair = "client-iif-id=201332865"
(359) Cisco-AVPair = "vlan-id=1876"
(359) NAS-IP-Address = 130.92.42.15
(359) NAS-Port-Type = Wireless-802.11
(359) NAS-Port = 4211
(359) State = 0xceec9f67c9e586c299469da09cee92a1
(359) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(359) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(359) Calling-Station-Id = "22-e0-73-f2-50-23"
(359) Airespace-Wlan-Id = 98
(359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(359) WLAN-Group-Cipher = 1027076
(359) WLAN-Pairwise-Cipher = 1027076
(359) WLAN-AKM-Suite = 1027075
(359) Restoring &session-state
(359) &session-state:Framed-MTU = 1014
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(359) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(359) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(359) &session-state:TLS-Session-Version = "TLS 1.2"
(359) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(359) authorize {
(359) policy rewrite_called_station_id {
(359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(359) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(359) update request {
(359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(359) --> 60-B9-C0-04-C4-40
(359) &Called-Station-Id := 60-B9-C0-04-C4-40
(359) } # update request = noop
(359) if ("%{8}") {
(359) EXPAND %{8}
(359) --> eduroam
(359) if ("%{8}") -> TRUE
(359) if ("%{8}") {
(359) update request {
(359) EXPAND %{8}
(359) --> eduroam
(359) &Called-Station-SSID := eduroam
(359) EXPAND %{Called-Station-Id}:%{8}
(359) --> 60-B9-C0-04-C4-40:eduroam
(359) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(359) } # update request = noop
(359) } # if ("%{8}") = noop
(359) [updated] = updated
(359) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(359) ... skipping else: Preceding "if" was taken
(359) } # policy rewrite_called_station_id = updated
(359) policy rewrite_calling_station_id {
(359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(359) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(359) update request {
(359) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(359) --> 22-E0-73-F2-50-23
(359) &Calling-Station-Id := 22-E0-73-F2-50-23
(359) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(359) --> 22:E0:73:F2:50:23
(359) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(359) } # update request = noop
(359) [updated] = updated
(359) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(359) ... skipping else: Preceding "if" was taken
(359) } # policy rewrite_calling_station_id = updated
(359) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(359) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(359) if (Service-Type == Call-Check) {
(359) if (Service-Type == Call-Check) -> FALSE
(359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(359) EXPAND Packet-Src-IP-Address
(359) --> 130.92.42.15
(359) EXPAND Packet-Src-IP-Address
(359) --> 130.92.42.15
(359) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(359) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(359) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(359) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(359) if (EAP-Message) {
(359) if (EAP-Message) -> TRUE
(359) if (EAP-Message) {
(359) policy filter_username {
(359) if (&User-Name) {
(359) if (&User-Name) -> TRUE
(359) if (&User-Name) {
(359) if (&User-Name =~ / /) {
(359) if (&User-Name =~ / /) -> FALSE
(359) if (&User-Name =~ /@[^@]*@/ ) {
(359) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(359) if (&User-Name =~ /\.\./ ) {
(359) if (&User-Name =~ /\.\./ ) -> FALSE
(359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(359) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(359) if (&User-Name =~ /\.$/) {
(359) if (&User-Name =~ /\.$/) -> FALSE
(359) if (&User-Name =~ /@\./) {
(359) if (&User-Name =~ /@\./) -> FALSE
(359) } # if (&User-Name) = updated
(359) } # policy filter_username = updated
(359) suffix: Checking for suffix after "@"
(359) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(359) suffix: Found realm "REALM.COM"
(359) suffix: Adding Realm = "REALM.COM"
(359) suffix: Authentication realm is LOCAL
(359) [suffix] = ok
(359) policy deny_no_realm {
(359) if (User-Name && (User-Name !~ /@/)) {
(359) if (User-Name && (User-Name !~ /@/)) -> FALSE
(359) } # policy deny_no_realm = updated
(359) update request {
(359) EXPAND %{toupper:%{Realm}}
(359) --> REALM.COM
(359) Realm := REALM.COM
(359) } # update request = noop
(359) eap: Peer sent EAP Response (code 2) ID 9 length 60
(359) eap: Continuing tunnel setup
(359) [eap] = ok
(359) } # if (EAP-Message) = ok
(359) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(359) } # authorize = updated
(359) Found Auth-Type = eap
(359) # Executing group from file /etc/freeradius/sites-enabled/default
(359) Auth-Type eap {
(359) eap: Removing EAP session with state 0xceec9f67c9e586c2
(359) eap: Previous EAP request found for state 0xceec9f67c9e586c2, released from the list
(359) eap: Peer sent packet with method EAP PEAP (25)
(359) eap: Calling submodule eap_peap to process data
(359) eap_peap: (TLS) EAP Done initial handshake
(359) eap_peap: Session established. Decoding tunneled attributes
(359) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(359) eap_peap: Identity - xyz@realm.com
(359) eap_peap: Got inner identity 'xyz@realm.com'
(359) eap_peap: Setting default EAP type for tunneled EAP session
(359) eap_peap: Got tunneled request
(359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(359) eap_peap: Setting User-Name to xyz@realm.com
(359) eap_peap: Sending tunneled request to proxy-inner-tunnel
(359) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(359) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(359) eap_peap: User-Name = "xyz@realm.com"
(359) eap_peap: Service-Type = Framed-User
(359) eap_peap: Cisco-AVPair = "service-type=Framed"
(359) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(359) eap_peap: Cisco-AVPair = "method=dot1x"
(359) eap_peap: Cisco-AVPair = "client-iif-id=201332865"
(359) eap_peap: Cisco-AVPair = "vlan-id=1876"
(359) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(359) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(359) eap_peap: Framed-MTU = 1485
(359) eap_peap: NAS-IP-Address = 130.92.42.15
(359) eap_peap: NAS-Port-Type = Wireless-802.11
(359) eap_peap: NAS-Port = 4211
(359) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(359) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(359) eap_peap: Airespace-Wlan-Id = 98
(359) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(359) eap_peap: WLAN-Group-Cipher = 1027076
(359) eap_peap: WLAN-Pairwise-Cipher = 1027076
(359) eap_peap: WLAN-AKM-Suite = 1027075
(359) Virtual server proxy-inner-tunnel received request
(359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(359) FreeRADIUS-Proxied-To = 127.0.0.1
(359) User-Name = "xyz at realm.com"
(359) Service-Type = Framed-User
(359) Cisco-AVPair = "service-type=Framed"
(359) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(359) Cisco-AVPair = "method=dot1x"
(359) Cisco-AVPair = "client-iif-id=201332865"
(359) Cisco-AVPair = "vlan-id=1876"
(359) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(359) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(359) Framed-MTU = 1485
(359) NAS-IP-Address = 130.92.42.15
(359) NAS-Port-Type = Wireless-802.11
(359) NAS-Port = 4211
(359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(359) Calling-Station-Id := "22-E0-73-F2-50-23"
(359) Airespace-Wlan-Id = 98
(359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(359) WLAN-Group-Cipher = 1027076
(359) WLAN-Pairwise-Cipher = 1027076
(359) WLAN-AKM-Suite = 1027075
(359) WARNING: Outer and inner identities are the same. User privacy is compromised.
(359) server proxy-inner-tunnel {
(359) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(359) authorize {
(359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(359) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(359) if (!NAS-Port-Type){
(359) if (!NAS-Port-Type) -> FALSE
(359) update control {
(359) &Proxy-To-Realm := REALM-NPS-DEV
(359) } # update control = noop
(359) } # authorize = noop
(359) } # server proxy-inner-tunnel
(359) Virtual server sending reply
(359) eap_peap: Got tunneled reply code 0
(359) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(359) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(359) [eap] = handled
(359) if (handled && (Response-Packet-Type == Access-Challenge)) {
(359) EXPAND Response-Packet-Type
(359) -->
(359) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(359) } # Auth-Type eap = handled
(359) Starting proxy to home server 130.92.14.27 port 1812
(359) server default {
(359) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(359) pre-proxy {
(359) attr_filter.pre-proxy: EXPAND %{Realm}
(359) attr_filter.pre-proxy: --> REALM.COM
(359) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(359) [attr_filter.pre-proxy] = updated
(359) } # pre-proxy = updated
(359) }
(359) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(359) Sent Access-Request Id 103 from 0.0.0.0:37193 to 130.92.14.27:1812 length 195
(359) Operator-Name := "1realm.com"
(359) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(359) User-Name = "xyz at realm.com"
(359) NAS-IP-Address = 130.92.42.15
(359) NAS-Port-Type = Wireless-802.11
(359) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(359) Calling-Station-Id := "22-E0-73-F2-50-23"
(359) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(359) Message-Authenticator = 0x
(359) Proxy-State = 0x3837
Waking up in 0.3 seconds.
(359) Clearing existing &reply: attributes
(359) Received Access-Challenge Id 103 from 130.92.14.27:1812 to 130.92.10.33:37193 length 127
(359) Proxy-State = 0x3837
(359) Session-Timeout = 60
(359) EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632
(359) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(359) Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b
(359) server default {
(359) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(359) post-proxy {
(359) attr_filter.post-proxy: EXPAND %{Realm}
(359) attr_filter.post-proxy: --> REALM.COM
(359) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(359) [attr_filter.post-proxy] = updated
(359) eap: Doing post-proxy callback
(359) eap: Passing reply from proxy back into the tunnel
(359) eap: Got tunneled reply RADIUS code 11
(359) eap: Tunnel-Type := VLAN
(359) eap: Tunnel-Medium-Type := IEEE-802
(359) eap: Proxy-State = 0x3837
(359) eap: EAP-Message = 0x010a00271a010a002210b525a5e4caa7f64b01519323866680a94141492d4e50532d4544555632
(359) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(359) eap: Message-Authenticator = 0x6c901afb83800964ca430f40dbb6a48b
(359) eap: Got tunneled Access-Challenge
(359) eap: Reply was handled
(359) eap: Sending EAP Request (code 1) ID 10 length 70
(359) eap: EAP session adding &reply:State = 0xceec9f67c6e686c2
(359) [eap] = ok
(359) } # post-proxy = updated
(359) }
(359) session-state: Saving cached attributes
(359) Framed-MTU = 1014
(359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(359) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(359) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(359) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(359) TLS-Session-Version = "TLS 1.2"
(359) Using Post-Auth-Type Challenge
(359) Post-Auth-Type sub-section not found. Ignoring.
(359) # Executing group from file /etc/freeradius/sites-enabled/default
(359) Sent Access-Challenge Id 87 from 130.92.10.33:1812 to 130.92.42.15:60533 length 128
(359) EAP-Message = 0x010a00461900170303003b73e2e1347334f5df1334975397eb27f2ea72218216b601e30cf6534633cacf5a4f96d474e4bffc863fe12f3e090719d63005d2a90bc4c033687695
(359) Message-Authenticator = 0x00000000000000000000000000000000
(359) State = 0xceec9f67c6e686c299469da09cee92a1
(359) Finished request
Waking up in 3.8 seconds.
(360) Received Access-Request Id 95 from 130.92.42.15:60533 to 130.92.10.33:1812 length 548
(360) User-Name = "xyz at realm.com"
(360) Service-Type = Framed-User
(360) Cisco-AVPair = "service-type=Framed"
(360) Framed-MTU = 1485
(360) EAP-Message = 0x020a007219001703030067d818ac38e0820956a55dbc84dc8dbff396eccf45bb84d17cc4414d36aa58a10bfade9f10e4c8549941c34c865f02def6b2a999172f24205fd30a5703670a8fe6fc25539a682f648d3b9335e448383a088e0a335073a2f1eaa5928e025acc5025caa3e63b446141
(360) Message-Authenticator = 0x5d740b470e2d200c7136d0498c3882b5
(360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(360) Cisco-AVPair = "method=dot1x"
(360) Cisco-AVPair = "client-iif-id=201332865"
(360) Cisco-AVPair = "vlan-id=1876"
(360) NAS-IP-Address = 130.92.42.15
(360) NAS-Port-Type = Wireless-802.11
(360) NAS-Port = 4211
(360) State = 0xceec9f67c6e686c299469da09cee92a1
(360) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(360) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(360) Calling-Station-Id = "22-e0-73-f2-50-23"
(360) Airespace-Wlan-Id = 98
(360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(360) WLAN-Group-Cipher = 1027076
(360) WLAN-Pairwise-Cipher = 1027076
(360) WLAN-AKM-Suite = 1027075
(360) session-state: No cached attributes
(360) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(360) authorize {
(360) policy rewrite_called_station_id {
(360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(360) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(360) update request {
(360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(360) --> 60-B9-C0-04-C4-40
(360) &Called-Station-Id := 60-B9-C0-04-C4-40
(360) } # update request = noop
(360) if ("%{8}") {
(360) EXPAND %{8}
(360) --> eduroam
(360) if ("%{8}") -> TRUE
(360) if ("%{8}") {
(360) update request {
(360) EXPAND %{8}
(360) --> eduroam
(360) &Called-Station-SSID := eduroam
(360) EXPAND %{Called-Station-Id}:%{8}
(360) --> 60-B9-C0-04-C4-40:eduroam
(360) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(360) } # update request = noop
(360) } # if ("%{8}") = noop
(360) [updated] = updated
(360) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(360) ... skipping else: Preceding "if" was taken
(360) } # policy rewrite_called_station_id = updated
(360) policy rewrite_calling_station_id {
(360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(360) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(360) update request {
(360) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(360) --> 22-E0-73-F2-50-23
(360) &Calling-Station-Id := 22-E0-73-F2-50-23
(360) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(360) --> 22:E0:73:F2:50:23
(360) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(360) } # update request = noop
(360) [updated] = updated
(360) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(360) ... skipping else: Preceding "if" was taken
(360) } # policy rewrite_calling_station_id = updated
(360) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(360) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(360) if (Service-Type == Call-Check) {
(360) if (Service-Type == Call-Check) -> FALSE
(360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(360) EXPAND Packet-Src-IP-Address
(360) --> 130.92.42.15
(360) EXPAND Packet-Src-IP-Address
(360) --> 130.92.42.15
(360) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(360) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(360) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(360) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(360) if (EAP-Message) {
(360) if (EAP-Message) -> TRUE
(360) if (EAP-Message) {
(360) policy filter_username {
(360) if (&User-Name) {
(360) if (&User-Name) -> TRUE
(360) if (&User-Name) {
(360) if (&User-Name =~ / /) {
(360) if (&User-Name =~ / /) -> FALSE
(360) if (&User-Name =~ /@[^@]*@/ ) {
(360) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(360) if (&User-Name =~ /\.\./ ) {
(360) if (&User-Name =~ /\.\./ ) -> FALSE
(360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(360) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(360) if (&User-Name =~ /\.$/) {
(360) if (&User-Name =~ /\.$/) -> FALSE
(360) if (&User-Name =~ /@\./) {
(360) if (&User-Name =~ /@\./) -> FALSE
(360) } # if (&User-Name) = updated
(360) } # policy filter_username = updated
(360) suffix: Checking for suffix after "@"
(360) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(360) suffix: Found realm "REALM.COM"
(360) suffix: Adding Realm = "REALM.COM"
(360) suffix: Authentication realm is LOCAL
(360) [suffix] = ok
(360) policy deny_no_realm {
(360) if (User-Name && (User-Name !~ /@/)) {
(360) if (User-Name && (User-Name !~ /@/)) -> FALSE
(360) } # policy deny_no_realm = updated
(360) update request {
(360) EXPAND %{toupper:%{Realm}}
(360) --> REALM.COM
(360) Realm := REALM.COM
(360) } # update request = noop
(360) eap: Peer sent EAP Response (code 2) ID 10 length 114
(360) eap: Continuing tunnel setup
(360) [eap] = ok
(360) } # if (EAP-Message) = ok
(360) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(360) } # authorize = updated
(360) Found Auth-Type = eap
(360) # Executing group from file /etc/freeradius/sites-enabled/default
(360) Auth-Type eap {
(360) eap: Removing EAP session with state 0xceec9f67c6e686c2
(360) eap: Previous EAP request found for state 0xceec9f67c6e686c2, released from the list
(360) eap: Peer sent packet with method EAP PEAP (25)
(360) eap: Calling submodule eap_peap to process data
(360) eap_peap: (TLS) EAP Done initial handshake
(360) eap_peap: Session established. Decoding tunneled attributes
(360) eap_peap: PEAP state phase2
(360) eap_peap: EAP method MSCHAPv2 (26)
(360) eap_peap: Got tunneled request
(360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368
(360) eap_peap: Setting User-Name to xyz at realm.com
(360) eap_peap: Sending tunneled request to proxy-inner-tunnel
(360) eap_peap: EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368
(360) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(360) eap_peap: User-Name = "xyz at realm.com"
(360) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(360) eap_peap: Service-Type = Framed-User
(360) eap_peap: Cisco-AVPair = "service-type=Framed"
(360) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(360) eap_peap: Cisco-AVPair = "method=dot1x"
(360) eap_peap: Cisco-AVPair = "client-iif-id=201332865"
(360) eap_peap: Cisco-AVPair = "vlan-id=1876"
(360) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(360) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(360) eap_peap: Framed-MTU = 1485
(360) eap_peap: NAS-IP-Address = 130.92.42.15
(360) eap_peap: NAS-Port-Type = Wireless-802.11
(360) eap_peap: NAS-Port = 4211
(360) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(360) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(360) eap_peap: Airespace-Wlan-Id = 98
(360) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(360) eap_peap: WLAN-Group-Cipher = 1027076
(360) eap_peap: WLAN-Pairwise-Cipher = 1027076
(360) eap_peap: WLAN-AKM-Suite = 1027075
(360) Virtual server proxy-inner-tunnel received request
(360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368
(360) FreeRADIUS-Proxied-To = 127.0.0.1
(360) User-Name = "xyz at realm.com"
(360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(360) Service-Type = Framed-User
(360) Cisco-AVPair = "service-type=Framed"
(360) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(360) Cisco-AVPair = "method=dot1x"
(360) Cisco-AVPair = "client-iif-id=201332865"
(360) Cisco-AVPair = "vlan-id=1876"
(360) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(360) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(360) Framed-MTU = 1485
(360) NAS-IP-Address = 130.92.42.15
(360) NAS-Port-Type = Wireless-802.11
(360) NAS-Port = 4211
(360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(360) Calling-Station-Id := "22-E0-73-F2-50-23"
(360) Airespace-Wlan-Id = 98
(360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(360) WLAN-Group-Cipher = 1027076
(360) WLAN-Pairwise-Cipher = 1027076
(360) WLAN-AKM-Suite = 1027075
(360) WARNING: Outer and inner identities are the same. User privacy is compromised.
(360) server proxy-inner-tunnel {
(360) session-state: No cached attributes
(360) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(360) authorize {
(360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(360) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(360) if (!NAS-Port-Type){
(360) if (!NAS-Port-Type) -> FALSE
(360) update control {
(360) &Proxy-To-Realm := REALM-NPS-DEV
(360) } # update control = noop
(360) } # authorize = noop
(360) } # server proxy-inner-tunnel
(360) Virtual server sending reply
(360) eap_peap: Got tunneled reply code 0
(360) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(360) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(360) [eap] = handled
(360) if (handled && (Response-Packet-Type == Access-Challenge)) {
(360) EXPAND Response-Packet-Type
(360) -->
(360) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(360) } # Auth-Type eap = handled
(360) Starting proxy to home server 130.92.14.27 port 1812
(360) server default {
(360) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(360) pre-proxy {
(360) attr_filter.pre-proxy: EXPAND %{Realm}
(360) attr_filter.pre-proxy: --> REALM.COM
(360) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(360) [attr_filter.pre-proxy] = updated
(360) } # pre-proxy = updated
(360) }
(360) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(360) Sent Access-Request Id 104 from 0.0.0.0:37193 to 130.92.14.27:1812 length 287
(360) Operator-Name := "1realm.com"
(360) EAP-Message = 0x020a00531a020a004e31eedbe3edb2c8dab25469d6799f7457e10000000000000000172138e88718b79481fa3052f5d30b07434ece6a30bd74a400646f6d696e69632e7374616c64657240756e6962652e6368
(360) User-Name = "xyz at realm.com"
(360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(360) NAS-IP-Address = 130.92.42.15
(360) NAS-Port-Type = Wireless-802.11
(360) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(360) Calling-Station-Id := "22-E0-73-F2-50-23"
(360) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(360) Message-Authenticator = 0x
(360) Proxy-State = 0x3935
Waking up in 0.3 seconds.
(360) Clearing existing &reply: attributes
(360) Received Access-Challenge Id 104 from 130.92.14.27:1812 to 130.92.10.33:37193 length 139
(360) Proxy-State = 0x3935
(360) Session-Timeout = 60
(360) EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632
(360) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(360) Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728
(360) server default {
(360) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(360) post-proxy {
(360) attr_filter.post-proxy: EXPAND %{Realm}
(360) attr_filter.post-proxy: --> REALM.COM
(360) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(360) [attr_filter.post-proxy] = updated
(360) eap: Doing post-proxy callback
(360) eap: Passing reply from proxy back into the tunnel
(360) eap: Got tunneled reply RADIUS code 11
(360) eap: Tunnel-Type := VLAN
(360) eap: Tunnel-Medium-Type := IEEE-802
(360) eap: Proxy-State = 0x3935
(360) eap: EAP-Message = 0x010b00331a030a002e533d37303432393739324338443032374436374337313037313343324335364334414338354532443632
(360) eap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(360) eap: Message-Authenticator = 0xee40e7346c5b8d679a4dc1c43877c728
(360) eap: Got tunneled Access-Challenge
(360) eap: Reply was handled
(360) eap: Sending EAP Request (code 1) ID 11 length 82
(360) eap: EAP session adding &reply:State = 0xceec9f67c7e786c2
(360) [eap] = ok
(360) } # post-proxy = updated
(360) }
(360) Using Post-Auth-Type Challenge
(360) Post-Auth-Type sub-section not found. Ignoring.
(360) # Executing group from file /etc/freeradius/sites-enabled/default
(360) Sent Access-Challenge Id 95 from 130.92.10.33:1812 to 130.92.42.15:60533 length 140
(360) EAP-Message = 0x010b00521900170303004773e2e1347334f5e09bc24daa64eee9138e1f2e55345df04bbcd5dd711c6c333de68f50de7d780d87c6d6336c23586f6b0fd197b261dd6213360e814416f8f2b07957dcacdce9c6
(360) Message-Authenticator = 0x00000000000000000000000000000000
(360) State = 0xceec9f67c7e786c299469da09cee92a1
(360) Finished request
Waking up in 3.8 seconds.
(361) Received Access-Request Id 103 from 130.92.42.15:60533 to 130.92.10.33:1812 length 471
(361) User-Name = "xyz at realm.com"
(361) Service-Type = Framed-User
(361) Cisco-AVPair = "service-type=Framed"
(361) Framed-MTU = 1485
(361) EAP-Message = 0x020b00251900170303001ad818ac38e082095774adfff902d724d0af5865cbe4c9b8c4b279
(361) Message-Authenticator = 0x2b9af5a6d3cafcc76039c652203d8380
(361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(361) Cisco-AVPair = "method=dot1x"
(361) Cisco-AVPair = "client-iif-id=201332865"
(361) Cisco-AVPair = "vlan-id=1876"
(361) NAS-IP-Address = 130.92.42.15
(361) NAS-Port-Type = Wireless-802.11
(361) NAS-Port = 4211
(361) State = 0xceec9f67c7e786c299469da09cee92a1
(361) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(361) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(361) Calling-Station-Id = "22-e0-73-f2-50-23"
(361) Airespace-Wlan-Id = 98
(361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(361) WLAN-Group-Cipher = 1027076
(361) WLAN-Pairwise-Cipher = 1027076
(361) WLAN-AKM-Suite = 1027075
(361) session-state: No cached attributes
(361) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(361) authorize {
(361) policy rewrite_called_station_id {
(361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(361) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(361) update request {
(361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(361) --> 60-B9-C0-04-C4-40
(361) &Called-Station-Id := 60-B9-C0-04-C4-40
(361) } # update request = noop
(361) if ("%{8}") {
(361) EXPAND %{8}
(361) --> eduroam
(361) if ("%{8}") -> TRUE
(361) if ("%{8}") {
(361) update request {
(361) EXPAND %{8}
(361) --> eduroam
(361) &Called-Station-SSID := eduroam
(361) EXPAND %{Called-Station-Id}:%{8}
(361) --> 60-B9-C0-04-C4-40:eduroam
(361) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(361) } # update request = noop
(361) } # if ("%{8}") = noop
(361) [updated] = updated
(361) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(361) ... skipping else: Preceding "if" was taken
(361) } # policy rewrite_called_station_id = updated
(361) policy rewrite_calling_station_id {
(361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(361) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(361) update request {
(361) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(361) --> 22-E0-73-F2-50-23
(361) &Calling-Station-Id := 22-E0-73-F2-50-23
(361) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(361) --> 22:E0:73:F2:50:23
(361) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(361) } # update request = noop
(361) [updated] = updated
(361) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(361) ... skipping else: Preceding "if" was taken
(361) } # policy rewrite_calling_station_id = updated
(361) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(361) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(361) if (Service-Type == Call-Check) {
(361) if (Service-Type == Call-Check) -> FALSE
(361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(361) EXPAND Packet-Src-IP-Address
(361) --> 130.92.42.15
(361) EXPAND Packet-Src-IP-Address
(361) --> 130.92.42.15
(361) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(361) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(361) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(361) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(361) if (EAP-Message) {
(361) if (EAP-Message) -> TRUE
(361) if (EAP-Message) {
(361) policy filter_username {
(361) if (&User-Name) {
(361) if (&User-Name) -> TRUE
(361) if (&User-Name) {
(361) if (&User-Name =~ / /) {
(361) if (&User-Name =~ / /) -> FALSE
(361) if (&User-Name =~ /@[^@]*@/ ) {
(361) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(361) if (&User-Name =~ /\.\./ ) {
(361) if (&User-Name =~ /\.\./ ) -> FALSE
(361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(361) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(361) if (&User-Name =~ /\.$/) {
(361) if (&User-Name =~ /\.$/) -> FALSE
(361) if (&User-Name =~ /@\./) {
(361) if (&User-Name =~ /@\./) -> FALSE
(361) } # if (&User-Name) = updated
(361) } # policy filter_username = updated
(361) suffix: Checking for suffix after "@"
(361) suffix: Looking up realm "realm.com" for User-Name = "xyz at realm.com"
(361) suffix: Found realm "REALM.COM"
(361) suffix: Adding Realm = "REALM.COM"
(361) suffix: Authentication realm is LOCAL
(361) [suffix] = ok
(361) policy deny_no_realm {
(361) if (User-Name && (User-Name !~ /@/)) {
(361) if (User-Name && (User-Name !~ /@/)) -> FALSE
(361) } # policy deny_no_realm = updated
(361) update request {
(361) EXPAND %{toupper:%{Realm}}
(361) --> REALM.COM
(361) Realm := REALM.COM
(361) } # update request = noop
(361) eap: Peer sent EAP Response (code 2) ID 11 length 37
(361) eap: Continuing tunnel setup
(361) [eap] = ok
(361) } # if (EAP-Message) = ok
(361) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(361) } # authorize = updated
(361) Found Auth-Type = eap
(361) # Executing group from file /etc/freeradius/sites-enabled/default
(361) Auth-Type eap {
(361) eap: Removing EAP session with state 0xceec9f67c7e786c2
(361) eap: Previous EAP request found for state 0xceec9f67c7e786c2, released from the list
(361) eap: Peer sent packet with method EAP PEAP (25)
(361) eap: Calling submodule eap_peap to process data
(361) eap_peap: (TLS) EAP Done initial handshake
(361) eap_peap: Session established. Decoding tunneled attributes
(361) eap_peap: PEAP state phase2
(361) eap_peap: EAP method MSCHAPv2 (26)
(361) eap_peap: Got tunneled request
(361) eap_peap: EAP-Message = 0x020b00061a03
(361) eap_peap: Setting User-Name to xyz at realm.com
(361) eap_peap: Sending tunneled request to proxy-inner-tunnel
(361) eap_peap: EAP-Message = 0x020b00061a03
(361) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(361) eap_peap: User-Name = "xyz at realm.com"
(361) eap_peap: State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(361) eap_peap: Service-Type = Framed-User
(361) eap_peap: Cisco-AVPair = "service-type=Framed"
(361) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(361) eap_peap: Cisco-AVPair = "method=dot1x"
(361) eap_peap: Cisco-AVPair = "client-iif-id=201332865"
(361) eap_peap: Cisco-AVPair = "vlan-id=1876"
(361) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(361) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(361) eap_peap: Framed-MTU = 1485
(361) eap_peap: NAS-IP-Address = 130.92.42.15
(361) eap_peap: NAS-Port-Type = Wireless-802.11
(361) eap_peap: NAS-Port = 4211
(361) eap_peap: Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(361) eap_peap: Calling-Station-Id := "22-E0-73-F2-50-23"
(361) eap_peap: Airespace-Wlan-Id = 98
(361) eap_peap: NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(361) eap_peap: WLAN-Group-Cipher = 1027076
(361) eap_peap: WLAN-Pairwise-Cipher = 1027076
(361) eap_peap: WLAN-AKM-Suite = 1027075
(361) Virtual server proxy-inner-tunnel received request
(361) EAP-Message = 0x020b00061a03
(361) FreeRADIUS-Proxied-To = 127.0.0.1
(361) User-Name = "xyz at realm.com"
(361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(361) Service-Type = Framed-User
(361) Cisco-AVPair = "service-type=Framed"
(361) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(361) Cisco-AVPair = "method=dot1x"
(361) Cisco-AVPair = "client-iif-id=201332865"
(361) Cisco-AVPair = "vlan-id=1876"
(361) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(361) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(361) Framed-MTU = 1485
(361) NAS-IP-Address = 130.92.42.15
(361) NAS-Port-Type = Wireless-802.11
(361) NAS-Port = 4211
(361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(361) Calling-Station-Id := "22-E0-73-F2-50-23"
(361) Airespace-Wlan-Id = 98
(361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(361) WLAN-Group-Cipher = 1027076
(361) WLAN-Pairwise-Cipher = 1027076
(361) WLAN-AKM-Suite = 1027075
(361) WARNING: Outer and inner identities are the same. User privacy is compromised.
(361) server proxy-inner-tunnel {
(361) session-state: No cached attributes
(361) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(361) authorize {
(361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(361) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(361) if (!NAS-Port-Type){
(361) if (!NAS-Port-Type) -> FALSE
(361) update control {
(361) &Proxy-To-Realm := REALM-NPS-DEV
(361) } # update control = noop
(361) } # authorize = noop
(361) } # server proxy-inner-tunnel
(361) Virtual server sending reply
(361) eap_peap: Got tunneled reply code 0
(361) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(361) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(361) [eap] = handled
(361) if (handled && (Response-Packet-Type == Access-Challenge)) {
(361) EXPAND Response-Packet-Type
(361) -->
(361) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(361) } # Auth-Type eap = handled
(361) Starting proxy to home server 130.92.14.27 port 1812
(361) server default {
(361) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(361) pre-proxy {
(361) attr_filter.pre-proxy: EXPAND %{Realm}
(361) attr_filter.pre-proxy: --> REALM.COM
(361) attr_filter.pre-proxy: Matched entry DEFAULT at line 58
(361) [attr_filter.pre-proxy] = updated
(361) } # pre-proxy = updated
(361) }
(361) Proxying request to home server 130.92.14.27 port 1812 timeout 20.000000
(361) Sent Access-Request Id 105 from 0.0.0.0:37193 to 130.92.14.27:1812 length 211
(361) Operator-Name := "1realm.com"
(361) EAP-Message = 0x020b00061a03
(361) User-Name = "xyz@realm.com"
(361) State = 0x225c02b70000013700010200825c0e1b000000000000000000000000000000043a97554a
(361) NAS-IP-Address = 130.92.42.15
(361) NAS-Port-Type = Wireless-802.11
(361) Called-Station-Id := "60-B9-C0-04-C4-40:eduroam"
(361) Calling-Station-Id := "22-E0-73-F2-50-23"
(361) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(361) Message-Authenticator = 0x
(361) Proxy-State = 0x313033
Waking up in 0.3 seconds.
(361) Clearing existing &reply: attributes
(361) Received Access-Accept Id 105 from 130.92.14.27:1812 to 130.92.10.33:37193 length 289
(361) Proxy-State = 0x313033
(361) Class = 0x7374616666
(361) Filter-Id = "staff"
(361) Framed-Protocol = PPP
(361) Service-Type = Framed-User
(361) Tunnel-Medium-Type:0 = IEEE-802
(361) Tunnel-Private-Group-Id:0 = "1874"
(361) Tunnel-Type:0 = VLAN
(361) EAP-Message = 0x030b0004
(361) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604
(361) MS-CHAP-Domain = "\001CAMPUS"
(361) MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db
(361) MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f
(361) MS-CHAP2-Success = 0x01533d37303432393739324338443032374436374337313037313343324335364334414338354532443632
(361) Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6
(361) server default {
(361) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(361) post-proxy {
(361) attr_filter.post-proxy: EXPAND %{Realm}
(361) attr_filter.post-proxy: --> REALM.COM
(361) attr_filter.post-proxy: Matched entry REALM.COM at line 102
(361) [attr_filter.post-proxy] = updated
(361) eap: Doing post-proxy callback
(361) eap: Passing reply from proxy back into the tunnel
(361) eap: Got tunneled reply RADIUS code 2
(361) eap: Tunnel-Type := VLAN
(361) eap: Tunnel-Medium-Type := IEEE-802
(361) eap: Proxy-State = 0x313033
(361) eap: Class = 0x7374616666
(361) eap: Filter-Id = "staff"
(361) eap: Tunnel-Private-Group-Id:0 = "1874"
(361) eap: EAP-Message = 0x030b0004
(361) eap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604
(361) eap: MS-MPPE-Send-Key = 0xa60a3993fdf2f10954366e08c310b7db
(361) eap: MS-MPPE-Recv-Key = 0x0952b4931153bd484c9c87e2891a374f
(361) eap: Message-Authenticator = 0xf2e723cb6be9221293681e605767b8f6
(361) eap: Tunneled authentication was successful
(361) eap: SUCCESS
(361) eap: Saving tunneled attributes for later
(361) eap: Reply was handled
(361) eap: Sending EAP Request (code 1) ID 12 length 46
(361) eap: EAP session adding &reply:State = 0xceec9f67c4e086c2
(361) [eap] = ok
(361) } # post-proxy = updated
(361) }
(361) Using Post-Auth-Type Challenge
(361) Post-Auth-Type sub-section not found. Ignoring.
(361) # Executing group from file /etc/freeradius/sites-enabled/default
(361) Sent Access-Challenge Id 103 from 130.92.10.33:1812 to 130.92.42.15:60533 length 104
(361) EAP-Message = 0x010c002e1900170303002373e2e1347334f5e1bba381c4911add30b08c615c0d0362241c25f21eb1ff0cf311aab6
(361) Message-Authenticator = 0x00000000000000000000000000000000
(361) State = 0xceec9f67c4e086c299469da09cee92a1
(361) Finished request
Waking up in 3.7 seconds.
(362) Received Access-Request Id 111 from 130.92.42.15:60533 to 130.92.10.33:1812 length 480
(362) User-Name = "xyz@realm.com"
(362) Service-Type = Framed-User
(362) Cisco-AVPair = "service-type=Framed"
(362) Framed-MTU = 1485
(362) EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4
(362) Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a
(362) Cisco-AVPair = "audit-session-id=0F2A5C8200001021C01F69E1"
(362) Cisco-AVPair = "method=dot1x"
(362) Cisco-AVPair = "client-iif-id=201332865"
(362) Cisco-AVPair = "vlan-id=1876"
(362) NAS-IP-Address = 130.92.42.15
(362) NAS-Port-Type = Wireless-802.11
(362) NAS-Port = 4211
(362) State = 0xceec9f67c4e086c299469da09cee92a1
(362) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(362) Cisco-AVPair = "wlan-profile-name=eduroam-DEV"
(362) Called-Station-Id = "60-b9-c0-04-c4-40:eduroam"
(362) Calling-Station-Id = "22-e0-73-f2-50-23"
(362) Airespace-Wlan-Id = 98
(362) NAS-Identifier = "60-b9-c0-04-c4-40:eduroam"
(362) WLAN-Group-Cipher = 1027076
(362) WLAN-Pairwise-Cipher = 1027076
(362) WLAN-AKM-Suite = 1027075
(362) session-state: No cached attributes
(362) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(362) authorize {
(362) policy rewrite_called_station_id {
(362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(362) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(362) update request {
(362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(362) --> 60-B9-C0-04-C4-40
(362) &Called-Station-Id := 60-B9-C0-04-C4-40
(362) } # update request = noop
(362) if ("%{8}") {
(362) EXPAND %{8}
(362) --> eduroam
(362) if ("%{8}") -> TRUE
(362) if ("%{8}") {
(362) update request {
(362) EXPAND %{8}
(362) --> eduroam
(362) &Called-Station-SSID := eduroam
(362) EXPAND %{Called-Station-Id}:%{8}
(362) --> 60-B9-C0-04-C4-40:eduroam
(362) &Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(362) } # update request = noop
(362) } # if ("%{8}") = noop
(362) [updated] = updated
(362) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(362) ... skipping else: Preceding "if" was taken
(362) } # policy rewrite_called_station_id = updated
(362) policy rewrite_calling_station_id {
(362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(362) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(362) update request {
(362) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(362) --> 22-E0-73-F2-50-23
(362) &Calling-Station-Id := 22-E0-73-F2-50-23
(362) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(362) --> 22:E0:73:F2:50:23
(362) &locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(362) } # update request = noop
(362) [updated] = updated
(362) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(362) ... skipping else: Preceding "if" was taken
(362) } # policy rewrite_calling_station_id = updated
(362) if (NAS-Identifier == "uvisrz0215.insel.ch") {
(362) if (NAS-Identifier == "uvisrz0215.insel.ch") -> FALSE
(362) if (Service-Type == Call-Check) {
(362) if (Service-Type == Call-Check) -> FALSE
(362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(362) EXPAND Packet-Src-IP-Address
(362) --> 130.92.42.15
(362) EXPAND Packet-Src-IP-Address
(362) --> 130.92.42.15
(362) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(362) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(362) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(362) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(362) if (EAP-Message) {
(362) if (EAP-Message) -> TRUE
(362) if (EAP-Message) {
(362) policy filter_username {
(362) if (&User-Name) {
(362) if (&User-Name) -> TRUE
(362) if (&User-Name) {
(362) if (&User-Name =~ / /) {
(362) if (&User-Name =~ / /) -> FALSE
(362) if (&User-Name =~ /@[^@]*@/ ) {
(362) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(362) if (&User-Name =~ /\.\./ ) {
(362) if (&User-Name =~ /\.\./ ) -> FALSE
(362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(362) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(362) if (&User-Name =~ /\.$/) {
(362) if (&User-Name =~ /\.$/) -> FALSE
(362) if (&User-Name =~ /@\./) {
(362) if (&User-Name =~ /@\./) -> FALSE
(362) } # if (&User-Name) = updated
(362) } # policy filter_username = updated
(362) suffix: Checking for suffix after "@"
(362) suffix: Looking up realm "realm.com" for User-Name = "xyz@realm.com"
(362) suffix: Found realm "REALM.COM"
(362) suffix: Adding Realm = "REALM.COM"
(362) suffix: Authentication realm is LOCAL
(362) [suffix] = ok
(362) policy deny_no_realm {
(362) if (User-Name && (User-Name !~ /@/)) {
(362) if (User-Name && (User-Name !~ /@/)) -> FALSE
(362) } # policy deny_no_realm = updated
(362) update request {
(362) EXPAND %{toupper:%{Realm}}
(362) --> REALM.COM
(362) Realm := REALM.COM
(362) } # update request = noop
(362) eap: Peer sent EAP Response (code 2) ID 12 length 46
(362) eap: Continuing tunnel setup
(362) [eap] = ok
(362) } # if (EAP-Message) = ok
(362) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(362) } # authorize = updated
(362) Found Auth-Type = eap
(362) # Executing group from file /etc/freeradius/sites-enabled/default
(362) Auth-Type eap {
(362) eap: Removing EAP session with state 0xceec9f67c4e086c2
(362) eap: Previous EAP request found for state 0xceec9f67c4e086c2, released from the list
(362) eap: Peer sent packet with method EAP PEAP (25)
(362) eap: Calling submodule eap_peap to process data
(362) eap_peap: (TLS) EAP Done initial handshake
(362) eap_peap: Session established. Decoding tunneled attributes
(362) eap_peap: PEAP state send tlv success
(362) eap_peap: Received EAP-TLV response
(362) eap_peap: Success
(362) eap_peap: Using saved attributes from the original Access-Accept
(362) eap_peap: Tunnel-Type := VLAN
(362) eap_peap: Tunnel-Medium-Type := IEEE-802
(362) eap_peap: Class = 0x7374616666
(362) eap_peap: Filter-Id = "staff"
(362) eap_peap: Tunnel-Private-Group-Id:0 = "1874"
(362) eap_peap: Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604
(362) eap: Sending EAP Success (code 3) ID 12 length 4
(362) eap: Freeing handler
(362) [eap] = ok
(362) if (handled && (Response-Packet-Type == Access-Challenge)) {
(362) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(362) } # Auth-Type eap = ok
(362) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(362) post-auth {
(362) policy debug_all {
(362) policy debug_control {
(362) if ("%{debug_attr:control:}" == '') {
(362) Attributes matching "control:"
(362) &control:Auth-Type = eap
(362) EXPAND %{debug_attr:control:}
(362) -->
(362) if ("%{debug_attr:control:}" == '') -> TRUE
(362) if ("%{debug_attr:control:}" == '') {
(362) [noop] = noop
(362) } # if ("%{debug_attr:control:}" == '') = noop
(362) } # policy debug_control = noop
(362) policy debug_request {
(362) if ("%{debug_attr:request:}" == '') {
(362) Attributes matching "request:"
(362) &request:User-Name = xyz@realm.com
(362) &request:Service-Type = Framed-User
(362) &request:Cisco-AVPair = service-type=Framed
(362) &request:Framed-MTU = 1485
(362) &request:EAP-Message = 0x020c002e19001703030023d818ac38e0820958689f4ed07787c227590ec1912b79c63017ac770cf137f4e047aae4
(362) &request:Message-Authenticator = 0x356431e13542aff242df4e9cd2f24d4a
(362) &request:Cisco-AVPair = audit-session-id=0F2A5C8200001021C01F69E1
(362) &request:Cisco-AVPair = method=dot1x
(362) &request:Cisco-AVPair = client-iif-id=201332865
(362) &request:Cisco-AVPair = vlan-id=1876
(362) &request:NAS-IP-Address = 130.92.42.15
(362) &request:NAS-Port-Type = Wireless-802.11
(362) &request:NAS-Port = 4211
(362) &request:State = 0xceec9f67c4e086c299469da09cee92a1
(362) &request:Cisco-AVPair = cisco-wlan-ssid=eduroam
(362) &request:Cisco-AVPair = wlan-profile-name=eduroam-DEV
(362) &request:Called-Station-Id := 60-B9-C0-04-C4-40:eduroam
(362) &request:Calling-Station-Id := 22-E0-73-F2-50-23
(362) &request:Airespace-Wlan-Id = 98
(362) &request:NAS-Identifier = 60-b9-c0-04-c4-40:eduroam
(362) &request:WLAN-Group-Cipher = 1027076
(362) &request:WLAN-Pairwise-Cipher = 1027076
(362) &request:WLAN-AKM-Suite = 1027075
(362) &request:Called-Station-SSID := eduroam
(362) &request:locMacAuth-Calling-Station-Id := 22:E0:73:F2:50:23
(362) &request:Realm := REALM.COM
(362) &request:EAP-Type = PEAP
(362) EXPAND %{debug_attr:request:}
(362) -->
(362) if ("%{debug_attr:request:}" == '') -> TRUE
(362) if ("%{debug_attr:request:}" == '') {
(362) [noop] = noop
(362) } # if ("%{debug_attr:request:}" == '') = noop
(362) } # policy debug_request = noop
(362) policy debug_coa {
(362) if ("%{debug_attr:coa:}" == '') {
(362) Attributes matching "coa:"
(362) WARNING: List "coa" is not available
(362) EXPAND %{debug_attr:coa:}
(362) -->
(362) if ("%{debug_attr:coa:}" == '') -> TRUE
(362) if ("%{debug_attr:coa:}" == '') {
(362) [noop] = noop
(362) } # if ("%{debug_attr:coa:}" == '') = noop
(362) } # policy debug_coa = noop
(362) policy debug_reply {
(362) if ("%{debug_attr:reply:}" == '') {
(362) Attributes matching "reply:"
(362) &reply:Tunnel-Type:-128 := VLAN
(362) &reply:Tunnel-Medium-Type:-128 := IEEE-802
(362) &reply:Class = 0x7374616666
(362) &reply:Filter-Id = staff
(362) &reply:Tunnel-Private-Group-Id:0 = 1874
(362) &reply:Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604
(362) &reply:MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c
(362) &reply:MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8
(362) &reply:EAP-MSK = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6caf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8
(362) &reply:EAP-EMSK = 0xc424a437bf386f3c790b6d4e981ac218f7bb39ecb682c0f7174da275922e64d1ab7db6825d96e096b8875bb8b777543c642771e9f1f4f877593bd2425a7b1a13
(362) &reply:EAP-Session-Id = 0x19675c3100dd1c7cdf9f74db6337b13313e75950e07ca8a60ec8a656c84cedb597a19642b1ba520223bc61e483ac418e3f44e0800ee85d2526444f574e47524401
(362) &reply:EAP-Message = 0x030c0004
(362) &reply:Message-Authenticator = 0x00000000000000000000000000000000
(362) &reply:User-Name = xyz@realm.com
(362) EXPAND %{debug_attr:reply:}
(362) -->
(362) if ("%{debug_attr:reply:}" == '') -> TRUE
(362) if ("%{debug_attr:reply:}" == '') {
(362) [noop] = noop
(362) } # if ("%{debug_attr:reply:}" == '') = noop
(362) } # policy debug_reply = noop
(362) policy debug_session_state {
(362) if ("%{debug_attr:session-state:}" == '') {
(362) Attributes matching "session-state:"
(362) EXPAND %{debug_attr:session-state:}
(362) -->
(362) if ("%{debug_attr:session-state:}" == '') -> TRUE
(362) if ("%{debug_attr:session-state:}" == '') {
(362) [noop] = noop
(362) } # if ("%{debug_attr:session-state:}" == '') = noop
(362) } # policy debug_session_state = noop
(362) } # policy debug_all = noop
(362) update {
(362) No attributes updated for RHS &session-state
(362) } # update = noop
(362) if (Service-Type == Call-Check) {
(362) if (Service-Type == Call-Check) -> FALSE
(362) else {
(362) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})
(362) 802.1x_auth_log: --> Fri Dec 13 14:05:05 2024 : AuthZ: (111) Access-Accept: [xyz@realm.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=22-E0-73-F2-50-23 Called-Station-Id=60-B9-C0-04-C4-40:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client xyz.wifi.realm.com port 4211 operator-name Unknown)
(362) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log
(362) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log
(362) [802.1x_auth_log] = ok
(362) } # else = ok
(362) policy remove_reply_message_if_eap {
(362) if (&reply:EAP-Message && &reply:Reply-Message) {
(362) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(362) else {
(362) [noop] = noop
(362) } # else = noop
(362) } # policy remove_reply_message_if_eap = noop
(362) } # post-auth = ok
(362) Login OK: [xyz@realm.com] (from client xyz.wifi.realm.com port 4211 cli 22-E0-73-F2-50-23)
(362) Sent Access-Accept Id 111 from 130.92.10.33:1812 to 130.92.42.15:60533 length 264
(362) Tunnel-Type := VLAN
(362) Tunnel-Medium-Type := IEEE-802
(362) Class = 0x7374616666
(362) Filter-Id = "staff"
(362) Tunnel-Private-Group-Id:0 = "1874"
(362) Class = 0x568905d60000013700010200825c0e1b00000000000000000000000001dac0032e975ae000000000005c9604
(362) MS-MPPE-Recv-Key = 0x61178aafdea2c28ba065e567e0094e7e8cf727509d76d4f6de7a09f4878d7a6c
(362) MS-MPPE-Send-Key = 0xaf30a32b5acec9ee771c1a065ff1707fae023734e263873c185acb4c4fde39e8
(362) EAP-Message = 0x030c0004
(362) Message-Authenticator = 0x00000000000000000000000000000000
(362) User-Name = "xyz@realm.com"
(362) Finished request
Waking up in 3.7 seconds.