FreeRADIUS Not Storing Cache Data in Redis
Luca Borruto
luca.borruto at agicap.com
Tue Feb 11 14:58:29 UTC 2025
Sorry I've been trying to read the documentation online but it's quite
confusing on the cache part imo.
Here's the output of my test client connecting:
```
Listening on auth+acct proto tcp address * port 2083 (TLS) bound to server
default
Listening on command file /var/run/freeradius/freeradius.sock
Ready to process requests
... new connection request on TCP socket
Listening on auth+acct from client (10.0.2.32, 48352) -> (*, 2083,
virtual-server=default)
Waking up in 0.7 seconds.
(0) (TLS) RADIUS/TLS -Initiating new session
(0) (TLS) RADIUS/TLS - Setting verify mode to require certificate from
client
(0) (TLS) Received PROXY protocol connection from client redacted:34975 ->
10.0.2.32:2083, via proxy 10.0.2.32:48352 -> 0.0.0.0:2083
(0) (TLS) RADIUS/TLS - Handshake state - before SSL initialization
(0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization
(0) (TLS) RADIUS/TLS - Handshake state - Server before SSL initialization
(0) (TLS) RADIUS/TLS - recv TLS 1.3 Handshake, ClientHello
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerHello
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, Certificate
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write certificate
request
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server done
(0) (TLS) RADIUS/TLS - Server : Need to read more data: SSLv3/TLS write
server done
(0) (TLS) RADIUS/TLS - In Handshake Phase
Waking up in 0.7 seconds.
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write server done
(0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, Certificate
(0) (TLS) RADIUS/TLS - Creating attributes from 2 certificate in chain
(0) TLS-Cert-Serial := "11dab57caad571c6d5c4f11e982257350227cb66"
(0) TLS-Cert-Expiration := "21040920072654Z"
(0) TLS-Cert-Valid-Since := "240919072626Z"
(0) TLS-Cert-Subject := "/CN=Cisco Meraki Dashboard Organization No.
redacted"
(0) TLS-Cert-Issuer := "/CN=Cisco Meraki Dashboard Organization No.
redacted"
(0) TLS-Cert-Common-Name := "Cisco Meraki Dashboard Organization No.
redacted"
(0) (TLS) RADIUS/TLS - Creating attributes from 1 certificate in chain
(0) TLS-Client-Cert-Serial := "1cb739b0874d133493ea7bdde9f8b39775ca8f0c"
(0) TLS-Client-Cert-Expiration := "250328095310Z"
(0) TLS-Client-Cert-Valid-Since := "250127095240Z"
(0) TLS-Client-Cert-Subject := "/CN=redacted"
(0) TLS-Client-Cert-Issuer := "/CN=Cisco Meraki Dashboard Organization
No. redacted"
(0) TLS-Client-Cert-Common-Name := "redacted"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"5E:F0:78:25:04:34:8F:F4:20:32:FD:00:39:74:7A:A0:FB:C7:CD:4F"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"E5:DB:DC:D8:61:A4:67:A1:B6:86:D3:26:57:37:79:3F:2E:D3:A8:84"
(0) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy:
1.3.6.1.4.1.29671.1"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [0] subject name /CN=redacted
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client
certificate
(0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read client key
exchange
(0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, CertificateVerify
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read certificate
verify
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(0) (TLS) RADIUS/TLS - recv TLS 1.2 Handshake, Finished
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS read finished
(0) (TLS) RADIUS/TLS - send TLS 1.2 ChangeCipherSpec
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(0) (TLS) RADIUS/TLS - send TLS 1.2 Handshake, Finished
(0) (TLS) RADIUS/TLS - Handshake state - Server SSLv3/TLS write finished
(0) (TLS) RADIUS/TLS - Handshake state - SSL negotiation finished
successfully
(0) (TLS) RADIUS/TLS - Connection Established
(0) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(0) TLS-Session-Version = "TLS 1.2"
Waking up in 0.6 seconds.
(0) (TLS): Access-Request packet from host redacted port 34975, id=219,
length=382
Threads: total/active/spare threads = 20/0/20
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
(0) Received Access-Request Id 219 from redacted:34975 to 10.0.2.32:2083
length 382
(0) User-Name = "redacted"
(0) NAS-IP-Address = redacted
(0) NAS-Identifier = "redacted:vap14"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) NAS-Port = 1
(0) Calling-Station-Id = "redacted"
(0) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel:
132"
(0) Acct-Session-Id = "775DEA09A6E6B977"
(0) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Meraki-Network-Name = "redacted - redacted - wireless"
(0) Meraki-Ap-Name = "redacted"
(0) Meraki-Ap-Tags = " RADIUS "
(0) Called-Station-Id = "redacted:redacted"
(0) Meraki-Device-Name = "redacted"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02060011014656464a4835505731574659
(0) Message-Authenticator = 0x25e20c0637b50615a50deb95c2f601af
(0) Proxy-State = 0x3839
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 6 length 17
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) TLS -Initiating new session
(0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from
client
(0) eap: Sending EAP Request (code 1) ID 7 length 10
(0) eap: EAP session adding &reply:State = 0x678ce86b678be506
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1400
(0) Sent Access-Challenge Id 219 from 10.0.2.32:2083 to redacted:34975
length 72
(0) EAP-Message = 0x0107000a0da000000000
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x678ce86b678be506eecbea7deb819ffb
(0) Proxy-State = 0x3839
(0) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.6 seconds.
(0) (TLS): Access-Request packet from host redacted port 34975, id=22,
length=545
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
(1) Received Access-Request Id 22 from redacted:34975 to 10.0.2.32:2083
length 545
(1) User-Name = "redacted"
(1) NAS-IP-Address = redacted
(1) NAS-Identifier = "redacted:vap14"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "redacted"
(1) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel:
132"
(1) Acct-Session-Id = "775DEA09A6E6B977"
(1) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Meraki-Network-Name = "redacted - redacted - wireless"
(1) Meraki-Ap-Name = "redacted"
(1) Meraki-Ap-Tags = " RADIUS "
(1) Called-Station-Id = "redacted:redacted"
(1) Meraki-Device-Name = "redacted"
(1) Framed-MTU = 1400
(1) EAP-Message =
0x020700a20d800000009816030100930100008f0303c563583d889ede0ba9495b153484f78b10d85f8c6f678c42120e0293f66966f5000022c02cc02bcca9c030c02fcca8c00ac009c014c013009d009c0035002fc008c012000a0100004400170000ff01000100000a000a0008001d001700180019000b00020100000500050100000000000d00160014040308040401050308050805050108060601020100120000
(1) State = 0x678ce86b678be506eecbea7deb819ffb
(1) Message-Authenticator = 0x6ca29efb8d12c45734a7bd752fceb400
(1) Proxy-State = 0x3930
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1400
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 7 length 162
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Removing EAP session with state 0x678ce86b678be506
(1) eap: Previous EAP request found for state 0x678ce86b678be506, released
from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: (TLS) EAP Peer says that the final record size will be 152
bytes
(1) eap_tls: (TLS) EAP Got all data (152 bytes)
(1) eap_tls: (TLS) TLS - Handshake state - before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization
(1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHello
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
hello
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Certificate
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate
Waking up in 0.6 seconds.
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write key
exchange
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, CertificateRequest
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write
certificate request
(1) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(1) eap_tls: (TLS) TLS - Server : Need to read more data: SSLv3/TLS write
server done
(1) eap_tls: (TLS) TLS - In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 8 length 1406
(1) eap: EAP session adding &reply:State = 0x678ce86b6684e506
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1400
(1) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(1) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(1) Sent Access-Challenge Id 22 from 10.0.2.32:2083 to redacted:34975
length 1478
(1) EAP-Message =
0x0108057e0dc000000b26160303005d0200005903033e39d453da530dd1a307e7f1f13e08dd8e9055edb33c78f2444f574e4752440120ea1d9428603d161311ba7d9e647f14fd13d2d7bc76a4ce80b892230e641a7911c02f000011ff01000100000b00040300010200170000160303094c0b0009480009450005de308205da308204c2a00302010202134900000037b77a03fa15ec6b16000000000037300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3234303832393132313234325a170d3334303732333130353730355a301c311a3018060355040313117261646975732e6167696361702e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5493f649ed417f3f9a68aa3aa73c262c629dda9de01ea89a19aca61a9a5245eace36469ead3489699
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x678ce86b6684e506eecbea7deb819ffb
(1) Proxy-State = 0x3930
(1) Finished request
Thread 2 waiting to be assigned a request
(0) (TLS): Access-Request packet from host redacted port 34975, id=36,
length=389
Waking up in 0.5 seconds.
Thread 5 got semaphore
Thread 5 handling request 2, (1 handled so far)
(2) Received Access-Request Id 36 from redacted:34975 to 10.0.2.32:2083
length 389
(2) User-Name = "redacted"
(2) NAS-IP-Address = redacted
(2) NAS-Identifier = "redacted:vap14"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) NAS-Port = 1
(2) Calling-Station-Id = "redacted"
(2) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel:
132"
(2) Acct-Session-Id = "775DEA09A6E6B977"
(2) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Meraki-Network-Name = "redacted - redacted - wireless"
(2) Meraki-Ap-Name = "redacted"
(2) Meraki-Ap-Tags = " RADIUS "
(2) Called-Station-Id = "redacted:redacted"
(2) Meraki-Device-Name = "redacted"
(2) Framed-MTU = 1400
(2) EAP-Message = 0x020800060d00
(2) State = 0x678ce86b6684e506eecbea7deb819ffb
(2) Message-Authenticator = 0x8c2f46530c6a103cd33eca0280c1a2ee
(2) Proxy-State = 0x3931
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1400
(2) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(2) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(2) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 8 length 6
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) authenticate {
(2) eap: Removing EAP session with state 0x678ce86b6684e506
(2) eap: Previous EAP request found for state 0x678ce86b6684e506, released
from the list
(2) eap: Peer sent packet with method EAP TLS (13)
(2) eap: Calling submodule eap_tls to process data
(2) eap_tls: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 9 length 1406
(2) eap: EAP session adding &reply:State = 0x678ce86b6585e506
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1400
(2) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(2) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 36 from 10.0.2.32:2083 to redacted:34975
length 1478
(2) EAP-Message =
0x0109057e0dc000000b266feb0db610b95cc89010e0d5cb2f3703d107fde81316091f801cc6a853661a2a373c4a214e19e46f0b261ebf06ebbde790ef4975859457f4419c5a4928d775aa4c10d1c440a0c0cb41be4bf2f12ed37e7dc9252ae3dd7fe5ca0e0e500ca68197b1f6c41191f1c84f870a73f818d374e8e9229191f0f6ac1503f9c0d2d1f53be136f859b0e429414289716b96901ffd9d1bc9d77bde61b5e71b2b793dbc2b9b70bbb177b656374e41672c99e39c28668c2bce0172f1772b6e5c409f1713cf582679ca4f66571140294e05d72e19b12ab392925a3ad707e5fcf5ca310003613082035d30820245a00302010202106b92ee8fe3454c9b47b46b05a3e74566300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3234303732333130343730355a170d3334303732333130353730
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x678ce86b6585e506eecbea7deb819ffb
(2) Proxy-State = 0x3931
(2) Finished request
Thread 5 waiting to be assigned a request
(0) (TLS): Access-Request packet from host redacted port 34975, id=168,
length=389
Thread 6 got semaphore
Thread 6 handling request 3, (1 handled so far)
(3) Received Access-Request Id 168 from redacted:34975 to 10.0.2.32:2083
length 389
(3) User-Name = "redacted"
(3) NAS-IP-Address = redacted
(3) NAS-Identifier = "redacted:vap14"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) NAS-Port = 1
(3) Calling-Station-Id = "redacted"
(3) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 52 / Channel:
132"
(3) Acct-Session-Id = "775DEA09A6E6B977"
(3) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Meraki-Network-Name = "redacted - redacted - wireless"
(3) Meraki-Ap-Name = "redacted"
(3) Meraki-Ap-Tags = " RADIUS "
(3) Called-Station-Id = "redacted:redacted"
(3) Meraki-Device-Name = "redacted"
(3) Framed-MTU = 1400
(3) EAP-Message = 0x020900060d00
(3) State = 0x678ce86b6585e506eecbea7deb819ffb
(3) Message-Authenticator = 0x8dade919f97ef968cab2d2772e9e2401
(3) Proxy-State = 0x3932
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1400
(3) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(3) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 9 length 6
(3) eap: No EAP Start, assuming it's an on-going EAP conversation
(3) [eap] = updated
(3) [files] = noop
(3) [expiration] = noop
(3) [logintime] = noop
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) authenticate {
(3) eap: Removing EAP session with state 0x678ce86b6585e506
(3) eap: Previous EAP request found for state 0x678ce86b6585e506, released
from the list
(3) eap: Peer sent packet with method EAP TLS (13)
(3) eap: Calling submodule eap_tls to process data
(3) eap_tls: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 10 length 72
(3) eap: EAP session adding &reply:State = 0x678ce86b6486e506
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1400
(3) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(3) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 168 from 10.0.2.32:2083 to redacted:34975
length 134
(3) EAP-Message =
0x010a00480d8000000b26340d000030030102400028040305030603080708080809080a080b080408050806040105010601030303010302040205020602000016030300040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x678ce86b6486e506eecbea7deb819ffb
(3) Proxy-State = 0x3932
(3) Finished request
Thread 6 waiting to be assigned a request
Waking up in 0.5 seconds.
(0) (TLS): Access-Request packet from host redacted port 34975, id=33,
length=1669
Waking up in 0.4 seconds.
Thread 7 got semaphore
Thread 7 handling request 4, (1 handled so far)
(4) Received Access-Request Id 33 from redacted:34975 to 10.0.2.32:2083
length 1669
(4) User-Name = "redacted"
(4) NAS-IP-Address = redacted
(4) NAS-Identifier = "redacted:vap14"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) NAS-Port = 1
(4) Calling-Station-Id = "redacted"
(4) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel:
132"
(4) Acct-Session-Id = "775DEA09A6E6B977"
(4) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Meraki-Network-Name = "redacted - redacted - wireless"
(4) Meraki-Ap-Name = "redacted"
(4) Meraki-Ap-Tags = " RADIUS "
(4) Called-Station-Id = "redacted:redacted"
(4) Meraki-Device-Name = "redacted"
(4) Framed-MTU = 1400
(4) EAP-Message =
0x020a04fc0dc000000abb160303094c0b0009480009450005de308205da308204c2a003020102021349000010f9f23608014b67362b0000000010f9300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e170d3235303230343038343132335a170d3237303230343038343132335a3017311530130603550403130c4656464a483550573157465930820122300d06092a864886f70d01010105000382010f003082010a0282010100b317c68240bed2e9f5ac41dcc81a1c499f83be1114197d01dc1e1c66d331c26fd7f5f847b7e96fe11928a43d6fcebde6a66ea31a2cf1cd09d347a38f5cd5177b5f3ef1ba2046b7876e65e9c97a1391200fec18aa4ba903f0cea9d1fdb6718dd7b07d9f473185b5d1a31a802ae69f16347e2921a97d60d7c8994c4ae2f6d26d8bfeee8ebd47be3adfedc7648fd19c1cbd
(4) State = 0x678ce86b6486e506eecbea7deb819ffb
(4) Message-Authenticator = 0xfa55042e700b60cf120fc4526190f520
(4) Proxy-State = 0x3933
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1400
(4) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(4) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 10 length 1276
(4) eap: No EAP Start, assuming it's an on-going EAP conversation
(4) [eap] = updated
(4) [files] = noop
(4) [expiration] = noop
(4) [logintime] = noop
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) authenticate {
(4) eap: Removing EAP session with state 0x678ce86b6486e506
(4) eap: Previous EAP request found for state 0x678ce86b6486e506, released
from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: (TLS) EAP Peer says that the final record size will be 2747
bytes
(4) eap_tls: (TLS) EAP Expecting 3 fragments
(4) eap_tls: (TLS) EAP Got first TLS fragment (1266 bytes). Peer says more
fragments will follow
(4) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(4) eap: Sending EAP Request (code 1) ID 11 length 6
(4) eap: EAP session adding &reply:State = 0x678ce86b6387e506
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 1400
(4) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(4) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 33 from 10.0.2.32:2083 to redacted:34975
length 68
(4) EAP-Message = 0x010b00060d00
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x678ce86b6387e506eecbea7deb819ffb
(4) Proxy-State = 0x3933
(4) Finished request
Thread 7 waiting to be assigned a request
(0) (TLS): Access-Request packet from host redacted port 34975, id=81,
length=1669
Waking up in 0.4 seconds.
Thread 8 got semaphore
Thread 8 handling request 5, (1 handled so far)
(5) Received Access-Request Id 81 from redacted:34975 to 10.0.2.32:2083
length 1669
(5) User-Name = "redacted"
(5) NAS-IP-Address = redacted
(5) NAS-Identifier = "redacted:vap14"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "redacted"
(5) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel:
132"
(5) Acct-Session-Id = "775DEA09A6E6B977"
(5) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Meraki-Network-Name = "redacted - redacted - wireless"
(5) Meraki-Ap-Name = "redacted"
(5) Meraki-Ap-Tags = " RADIUS "
(5) Called-Station-Id = "redacted:redacted"
(5) Meraki-Device-Name = "redacted"
(5) Framed-MTU = 1400
(5) EAP-Message =
0x020b04fc0d404cac6da2e18a59159af8d757f4e22f3f8f24a7767d57175fdaf5a60bb2dec6e44ee04e57350d4f75eaa4ded0367774ea48ba9c6f2519d19d37c83469ad325e0cd77223582cf6694f7b8de9e803cefa1d3b1ab00992bc19ff29b5a4de4849ff91b2b9bb5abc822501a54d17be5c09ee29444387bd5f945777cb8f6c24a5701d7562ac335569dcd7f7cf891a65fefa3fa1761ea68a03b8dd5ace199610d9082488b7aa8ff40a68659732f9d3853830403def4f7bf01acc396a9f6084773704ec07b62b3884e26017c62377d6d1e464e90919d9adcd1a71fb3eadb6603da5205087ab337cb1865fdb63e007daedc466102c2435df52f823919ec177260003613082035d30820245a00302010202106b92ee8fe3454c9b47b46b05a3e74566300d06092a864886f70d01010b0500304131133011060a0992268993f22c6401191603636f6d31163014060a0992268993f22c640119160661676963617031123010060355040313094167696361702d4341301e
(5) State = 0x678ce86b6387e506eecbea7deb819ffb
(5) Message-Authenticator = 0x11bb325168d6a68060564b849692ef80
(5) Proxy-State = 0x3934
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 1400
(5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 11 length 1276
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x678ce86b6387e506
(5) eap: Previous EAP request found for state 0x678ce86b6387e506, released
from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) EAP Got additional fragment (1270 bytes). Peer says
more fragments will follow
(5) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data.
(5) eap: Sending EAP Request (code 1) ID 12 length 6
(5) eap: EAP session adding &reply:State = 0x678ce86b6280e506
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 1400
(5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(5) Sent Access-Challenge Id 81 from 10.0.2.32:2083 to redacted:34975
length 68
(5) EAP-Message = 0x010c00060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x678ce86b6280e506eecbea7deb819ffb
(5) Proxy-State = 0x3934
(5) Finished request
Thread 8 waiting to be assigned a request
(0) (TLS): Access-Request packet from host redacted port 34975, id=232,
length=600
Thread 9 got semaphore
Thread 9 handling request 6, (1 handled so far)
(6) Received Access-Request Id 232 from redacted:34975 to 10.0.2.32:2083
length 600
(6) User-Name = "redacted"
(6) NAS-IP-Address = redacted
(6) NAS-Identifier = "redacted:vap14"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) NAS-Port = 1
(6) Calling-Station-Id = "redacted"
(6) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel:
132"
(6) Acct-Session-Id = "775DEA09A6E6B977"
(6) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Meraki-Network-Name = "redacted - redacted - wireless"
(6) Meraki-Ap-Name = "redacted"
(6) Meraki-Ap-Tags = " RADIUS "
(6) Called-Station-Id = "redacted:redacted"
(6) Meraki-Device-Name = "redacted"
(6) Framed-MTU = 1400
(6) EAP-Message =
0x020c00d90d00d4008f5e4030e199569f6cacb99687a7cc1255d616b5fea7051110f13bdd06b0b6b8c608f3b08c05da38bf87fe18f2f0b5abb7b49680f2de1f4150aaa85c65fea3fd6e42a1b0714baba76eaa6b95ec214ddac29ade0c1bbf9332767d4e609fa2dc063e725acdc16727ce90853104eeda23fc6e5f89b10b785ce22bcdd7d3b69c59ad068e047079d3764e76f42785191519bfea90723b6a039450888ee1d2b99614030300010116030300280000000000000000eecb7c97731d3918923a14c8975504277e957a5deb5f90e2605edf73c3943d9b
(6) State = 0x678ce86b6280e506eecbea7deb819ffb
(6) Message-Authenticator = 0xe483f5c24641fe08e6dce12b763efe27
(6) Proxy-State = 0x3935
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 1400
(6) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(6) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 12 length 217
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Removing EAP session with state 0x678ce86b6280e506
(6) eap: Previous EAP request found for state 0x678ce86b6280e506, released
from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: (TLS) EAP Got final fragment (211 bytes)
(6) eap_tls: (TLS) EAP Done initial handshake
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
Waking up in 0.4 seconds.
(6) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(6) eap_tls: TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566"
(6) eap_tls: TLS-Cert-Expiration := "340723105705Z"
(6) eap_tls: TLS-Cert-Valid-Since := "240723104705Z"
(6) eap_tls: TLS-Cert-Subject := "/DC=com/DC=redacted/CN=redacted-CA"
(6) eap_tls: TLS-Cert-Issuer := "/DC=com/DC=redacted/CN=redacted-CA"
(6) eap_tls: TLS-Cert-Common-Name := "redacted-CA"
(6) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(6) eap_tls: TLS-Client-Cert-Serial :=
"49000010f9f23608014b67362b0000000010f9"
(6) eap_tls: TLS-Client-Cert-Expiration := "270204084123Z"
(6) eap_tls: TLS-Client-Cert-Valid-Since := "250204084123Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/CN=redacted"
(6) eap_tls: TLS-Client-Cert-Issuer :=
"/DC=com/DC=redacted/CN=redacted-CA"
(6) eap_tls: TLS-Client-Cert-Common-Name := "redacted"
(6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"65:2F:67:BC:AB:F5:E6:FA:68:26:07:48:6D:8F:2C:29:AC:D4:E7:FA"
(6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication, E-mail Protection, Microsoft Encrypted File System"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.4"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.4.1.311.10.3.4"
Certificate chain - 1 intermediate CA cert(s) untrusted
To forbid these certificates see 'reject_unknown_intermediate_ca'
(TLS) untrusted certificate with depth [1] subject name
/DC=com/DC=redacted/CN=redacted-CA
(TLS) untrusted certificate with depth [0] subject name /CN=redacted
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key
exchange
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(6) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(6) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(6) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(6) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(6) eap_tls: (TLS) TLS - Connection Established
(6) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6) eap_tls: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 13 length 61
(6) eap: EAP session adding &reply:State = 0x678ce86b6181e506
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 1400
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 232 from 10.0.2.32:2083 to redacted:34975
length 123
(6) EAP-Message =
0x010d003d0d80000000331403030001011603030028d56a4920524bc0c861fb3720087a4bc4f839eb5a96d0a26029b196f251efafa918497cb5f5e37f0a
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x678ce86b6181e506eecbea7deb819ffb
(6) Proxy-State = 0x3935
(6) Finished request
Thread 9 waiting to be assigned a request
(0) (TLS): Access-Request packet from host redacted port 34975, id=223,
length=389
Thread 10 got semaphore
Thread 10 handling request 7, (1 handled so far)
(7) Received Access-Request Id 223 from redacted:34975 to 10.0.2.32:2083
length 389
(7) User-Name = "redacted"
(7) NAS-IP-Address = redacted
(7) NAS-Identifier = "redacted:vap14"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) NAS-Port = 1
(7) Calling-Station-Id = "redacted"
(7) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 53 / Channel:
132"
(7) Acct-Session-Id = "775DEA09A6E6B977"
(7) Acct-Multi-Session-Id = "02D5720D8A66E2E0"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Meraki-Network-Name = "redacted - redacted - wireless"
(7) Meraki-Ap-Name = "redacted"
(7) Meraki-Ap-Tags = " RADIUS "
(7) Called-Station-Id = "redacted:redacted"
(7) Meraki-Device-Name = "redacted"
(7) Framed-MTU = 1400
(7) EAP-Message = 0x020d00060d00
(7) State = 0x678ce86b6181e506eecbea7deb819ffb
(7) Message-Authenticator = 0xdf8530963d5b6e5c58e534702cd0341c
(7) Proxy-State = 0x3936
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 1400
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3
Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.2
Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES128-GCM-SHA256"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "redacted", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 13 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) authenticate {
(7) eap: Removing EAP session with state 0x678ce86b6181e506
(7) eap: Previous EAP request found for state 0x678ce86b6181e506, released
from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
(7) eap_tls: (TLS) cache - Setting up attributes for session resumption
(7) eap_tls: caching EAP-Type = TLS
(7) eap_tls: caching TLS-Cert-Serial :=
"6b92ee8fe3454c9b47b46b05a3e74566"
(7) eap_tls: caching TLS-Cert-Expiration := "340723105705Z"
(7) eap_tls: caching TLS-Cert-Valid-Since := "240723104705Z"
(7) eap_tls: caching TLS-Cert-Subject :=
"/DC=com/DC=redacted/CN=redacted-CA"
(7) eap_tls: caching TLS-Cert-Issuer :=
"/DC=com/DC=redacted/CN=redacted-CA"
(7) eap_tls: caching TLS-Cert-Common-Name := "redacted-CA"
(7) eap_tls: caching TLS-Client-Cert-Serial :=
"49000010f9f23608014b67362b0000000010f9"
(7) eap_tls: caching TLS-Client-Cert-Expiration := "270204084123Z"
(7) eap_tls: caching TLS-Client-Cert-Valid-Since := "250204084123Z"
(7) eap_tls: caching TLS-Client-Cert-Subject := "/CN=redacted"
(7) eap_tls: caching TLS-Client-Cert-Issuer :=
"/DC=com/DC=redacted/CN=redacted-CA"
(7) eap_tls: caching TLS-Client-Cert-Common-Name := "redacted"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"65:2F:67:BC:AB:F5:E6:FA:68:26:07:48:6D:8F:2C:29:AC:D4:E7:FA"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS
Web Client Authentication, E-mail Protection, Microsoft Encrypted File
System"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.4"
(7) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.4.1.311.10.3.4"
(7) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session
will not be cached on disk.
(7) eap: Sending EAP Success (code 3) ID 13 length 4
(7) eap: Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
(7) post-auth {
(7) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) {
(7) if (session-state:User-Name && reply:User-Name && request:User-Name
&& (reply:User-Name == request:User-Name)) -> FALSE
(7) update {
(7) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1400
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3
Handshake, ClientHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHello'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, CertificateRequest'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, ServerHelloDone'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Certificate'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, ClientKeyExchange'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, CertificateVerify'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
ChangeCipherSpec'
(7) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.2
Handshake, Finished'
(7) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
(7) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(7) } # update = noop
(7) [exec] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(7) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(7) } # post-auth = noop
(7) Login OK: [redacted] (from client AP-Meraki-redacted port 1 cli
redacted)
(7) Sent Access-Accept Id 223 from 10.0.2.32:2083 to redacted:34975 length
184
(7) MS-MPPE-Recv-Key =
0x3848fd9ec720e40b9e637d0303bf4b23124d6b3c28a49724972ccc88121c4310
(7) MS-MPPE-Send-Key =
0xe9ddfecd8cb6924f2b3ee5ed87560b168ebb4a9ece52793af9708b6eb0c751c4
(7) EAP-Message = 0x030d0004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "redacted"
(7) Proxy-State = 0x3936
(7) Framed-MTU += 1400
(7) Finished request
Thread 10 waiting to be assigned a request
Waking up in 0.4 seconds.
Waking up in 4.0 seconds.
(0) Cleaning up request packet ID 219 with timestamp +77 due to
cleanup_delay was reached
(1) Cleaning up request packet ID 22 with timestamp +77 due to
cleanup_delay was reached
(2) Cleaning up request packet ID 36 with timestamp +77 due to
cleanup_delay was reached
(3) Cleaning up request packet ID 168 with timestamp +77 due to
cleanup_delay was reached
(4) Cleaning up request packet ID 33 with timestamp +77 due to
cleanup_delay was reached
(5) Cleaning up request packet ID 81 with timestamp +77 due to
cleanup_delay was reached
(6) Cleaning up request packet ID 232 with timestamp +77 due to
cleanup_delay was reached
(7) Cleaning up request packet ID 223 with timestamp +77 due to
cleanup_delay was reached
Waking up in 24.9 seconds.
```
Le mar. 11 févr. 2025 à 15:48, Alan DeKok <aland at deployingradius.com> a
écrit :
> On Feb 11, 2025, at 6:56 AM, Luca Borruto via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > We are currently facing an issue with FreeRADIUS where no cache entries
> are
> > being created in Redis.
> > We’ve tested the Redis connection, authentication, and database
> selection,
> > but when we run KEYS * in Redis, it returns an empty array.
>
> i.e. the server isn't writing anything to redis.
>
> > When running FreeRADIUS in debug mode (radiusd -X), we do not see any
> > Redis-related errors, yet the expected data is not found in Redis.
>
> There may be other reasons why it's not writing to redis.
>
> > I configured redis, cache, cache_tls and cache_eap modules for testing
> > purpose, and it's still a bit confusing on which one to enable for
> > production (we use only EAP-TLS with Radsec):
> >
> > *mods-enabled/redis:*
>
> Why? When you join the list, you get a message which explains what
> information you should include in messages. It explicitly says do NOT
> include configuration files. DO include debug output.
>
> > Is there anything wrong with our configuration that could be preventing
> > data from being stored in Redis?
> >
> > Any help would be greatly appreciated. Please let me know if any
> additional
> > logs or details would be helpful.
>
> Read the documentation. Do what it says.
>
> http://wiki.freeradius.org/list-help
>
> Alan DeKok.
>
>
--
[image: logo]
<https://redirect.boostmymail.com/4Zm-4f0296580fcf4e5c80a33af00b0322c6>
Luca Borruto
IT System Administrator
luca.borruto at agicap.com
<https://redirect.boostmymail.com/4Zm-dc5779b061954defacc05e363a5696e4>
<https://redirect.boostmymail.com/4Zm-7a8e60341d744b8bb02d1f09d7d5b840>
[image: Linkedin]
<https://redirect.boostmymail.com/4Zm-a07de2ddc5c94500afa93e8a4151b576> [image:
Youtube]
<https://redirect.boostmymail.com/4Zm-f49d8598b69d4a63a6cab44c1497ad69>
[image: Campaign Banner]
<https://redirect.boostmymail.com/4Zm-bab88183ed3e45d38932a06020f826db>
More information about the Freeradius-Users
mailing list