EAP-TTLS+PAP with MPPE keys

Christoph Egger christoph_egger at gmx.de
Wed Jul 9 16:35:10 UTC 2025


Hello,

Below is the full debug output of freeradius 3.2.7.

The final Access-Accept is this:

authentik-freeradius-1  | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length 61
authentik-freeradius-1  | (15)   Framed-MTU += 994
authentik-freeradius-1  | (15)   Tunnel-Type = VLAN
authentik-freeradius-1  | (15)   Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1  | (15)   Tunnel-Private-Group-Id = "110"

I need to add MPPE keys in the reply packet for the WPA NAS to have an encrypted connection to the mobile client.
That is what the vendor says their WPA NAS requires for wireless clients.
The documentation I found concerning MPPE keys is related to MS-CHAP.

What keys/values can I use to add MPPE? I am doing EAP-TTLS+PAP.


The final Access-Accept should look like this:

authentik-freeradius-1  | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length YYY
authentik-freeradius-1  | (15)   MS-MPPE-Recv-Key = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentik-freeradius-1  | (15)   MS-MPPE-Send-Key = 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
authentik-freeradius-1  | (15)   EAP-Message = 0xYYYYYYYYYYY
authentik-freeradius-1  | (15)   Framed-MTU += 994
authentik-freeradius-1  | (15)   Tunnel-Type = VLAN
authentik-freeradius-1  | (15)   Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1  | (15)   Tunnel-Private-Group-Id = "110"



The full debug output:

authentik-freeradius-1  | (8) Received Access-Request Id 9 from 10.0.0.5:46092 to 10.1.2.1:1812 length 273
authentik-freeradius-1  | (8)   User-Name = "thatsme"
authentik-freeradius-1  | (8)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (8)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (8)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (8)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (8)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (8)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (8)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (8)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (8)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (8)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (8)   Framed-MTU = 1400
authentik-freeradius-1  | (8)   EAP-Message = 0x0278000c0174686174736d65
authentik-freeradius-1  | (8)   Message-Authenticator = 0xfe647dc553addf954631112df816fd9f
authentik-freeradius-1  | (8) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (8)   authorize {
authentik-freeradius-1  | (8)       if (&User-Name) {
authentik-freeradius-1  | (8)       if (&User-Name)  -> TRUE
authentik-freeradius-1  | (8)       if (&User-Name)  {
authentik-freeradius-1  | (8)         if (&User-Name =~ / /) {
authentik-freeradius-1  | (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
authentik-freeradius-1  | (8)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (8)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (8)     } # policy filter_username = notfound
authentik-freeradius-1  | (8)     [digest] = noop
authentik-freeradius-1  | (8) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (8) suffix: No '@' in User-Name = "thatsme", looking up realm NULL
authentik-freeradius-1  | (8)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (8)     if (User-Name && !User-Password)  -> TRUE
authentik-freeradius-1  | (8)     if (User-Name && !User-Password)  {
authentik-freeradius-1  | (8)       update request {
authentik-freeradius-1  | (8)         &User-Password := &User-Name -> 'thatsme'
authentik-freeradius-1  | (8)       } # update request = noop
authentik-freeradius-1  | (8)     } # if (User-Name && !User-Password)  = noop
authentik-freeradius-1  | (8) eap: Peer sent EAP Response (code 2) ID 120 length 12
authentik-freeradius-1  | (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
authentik-freeradius-1  | (8)     [eap] = ok
authentik-freeradius-1  | (8)   } # authorize = ok
authentik-freeradius-1  | (8) Found Auth-Type = eap
authentik-freeradius-1  | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (8)   authenticate {
authentik-freeradius-1  | (8) eap: Peer sent packet with method EAP Identity (1)
authentik-freeradius-1  | (8) eap: Using default_eap_type = TTLS
authentik-freeradius-1  | (8) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1  | (8) eap_ttls: (TLS) TTLS -Initiating new session
authentik-freeradius-1  | (8) eap: Sending EAP Request (code 1) ID 121 length 6
authentik-freeradius-1  | (8) eap: EAP session adding &reply:State = 0x13652bfd131c3ee0
authentik-freeradius-1  | (8)     [eap] = handled
authentik-freeradius-1  | (8)   } # authenticate = handled
authentik-freeradius-1  | (8) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (8)   Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1  | (8)   Framed-MTU = 994
authentik-freeradius-1  | (8) Sent Access-Challenge Id 9 from 10.1.2.1:1812 to 10.0.0.5:46092 length 64
authentik-freeradius-1  | (8)   EAP-Message = 0x017900061520
authentik-freeradius-1  | (8)   Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1  | (8)   State = 0x13652bfd131c3ee02cb9291428252449
authentik-freeradius-1  | (8) Finished request
authentik-freeradius-1  | Waking up in 4.9 seconds.
authentik-freeradius-1  | (9) Received Access-Request Id 10 from 10.0.0.5:46092 to 10.1.2.1:1812 length 416
authentik-freeradius-1  | (9)   User-Name = "thatsme"
authentik-freeradius-1  | (9)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (9)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (9)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (9)   Service-Type = Framed-User
authentik-freeradius-1  | (9)   NAS-Port = 1
authentik-freeradius-1  | (9)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (9)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (9)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (9)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (9)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (9)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (9)   WLAN-AKM-Suite = 1027073
authentik-freeradius-1  | (9)   WLAN-Group-Mgmt-Cipher = 1027078
authentik-freeradius-1  | (9)   Framed-MTU = 1400
authentik-freeradius-1  | (9)   EAP-Message = 0x027900891500160301007e0100007a0303f7cdef6120f26539c5194f2edb74c67cbf671649516edb239c950d2ac1ac293a00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201
authentik-freeradius-1  | (9)   State = 0x13652bfd131c3ee02cb9291428252449
authentik-freeradius-1  | (9)   Message-Authenticator = 0x0f5496a242d2e1b94c10cfcd20052d23
authentik-freeradius-1  | (9) Restoring &session-state
authentik-freeradius-1  | (9)   &session-state:Framed-MTU = 994
authentik-freeradius-1  | (9) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (9)   authorize {
authentik-freeradius-1  | (9)     policy filter_username {
authentik-freeradius-1  | (9)       if (&User-Name) {
authentik-freeradius-1  | (9)       if (&User-Name)  -> TRUE
authentik-freeradius-1  | (9)       if (&User-Name)  {
authentik-freeradius-1  | (9)         if (&User-Name =~ / /) {
authentik-freeradius-1  | (9)         if (&User-Name =~ / /)  -> FALSE
authentik-freeradius-1  | (9)         if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1  | (9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
authentik-freeradius-1  | (9)         if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1  | (9)         if (&User-Name =~ /\.\./ )  -> FALSE
authentik-freeradius-1  | (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
authentik-freeradius-1  | (9)         if (&User-Name =~ /\.$/)  {
authentik-freeradius-1  | (9)         if (&User-Name =~ /\.$/)   -> FALSE
authentik-freeradius-1  | (9)         if (&User-Name =~ /@\./)  {
authentik-freeradius-1  | (9)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (9)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (9)     } # policy filter_username = notfound
authentik-freeradius-1  | (9)     [digest] = noop
authentik-freeradius-1  | (9) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (9)     if (User-Name && !User-Password)  {
authentik-freeradius-1  | (9)       update request {
authentik-freeradius-1  | (9)         &User-Password := &User-Name -> 'thatsme'
authentik-freeradius-1  | (9)       } # update request = noop
authentik-freeradius-1  | (9)     } # if (User-Name && !User-Password)  = noop
authentik-freeradius-1  | (9) eap: Peer sent EAP Response (code 2) ID 121 length 137
authentik-freeradius-1  | (9) eap: Continuing tunnel setup
authentik-freeradius-1  | (9)     [eap] = ok
authentik-freeradius-1  | (9)   } # authorize = ok
authentik-freeradius-1  | (9) Found Auth-Type = eap
authentik-freeradius-1  | (9) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (9)   authenticate {
authentik-freeradius-1  | (9) eap: Removing EAP session with state 0x13652bfd131c3ee0
authentik-freeradius-1  | (9) eap: Previous EAP request found for state 0x13652bfd131c3ee0, released from the list
authentik-freeradius-1  | (9) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1  | (9) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1  | (9) eap_ttls: Authenticate
authentik-freeradius-1  | (9) eap_ttls: (TLS) EAP Got final fragment (131 bytes) total 131
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
authentik-freeradius-1  | (9) eap_ttls: (TLS) TTLS - In Handshake Phase
authentik-freeradius-1  | (9) eap: Sending EAP Request (code 1) ID 122 length 1000
authentik-freeradius-1  | (9) eap: EAP session adding &reply:State = 0x13652bfd121f3ee0
authentik-freeradius-1  | (9) Using Post-Auth-Type Challenge
authentik-freeradius-1  | (9) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (10) Received Access-Request Id 11 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285
authentik-freeradius-1  | (10)   User-Name = "thatsme"
authentik-freeradius-1  | (10)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (10)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (10)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (10)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (10)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (10)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (10)   Service-Type = Framed-User
authentik-freeradius-1  | (10)   NAS-Port = 1
authentik-freeradius-1  | (10)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (10)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (10)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (10)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (10)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (10)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (10)   WLAN-AKM-Suite = 1027073
authentik-freeradius-1  | (10)   WLAN-Group-Mgmt-Cipher = 1027078
authentik-freeradius-1  | (10)   Framed-MTU = 1400
authentik-freeradius-1  | (10)   EAP-Message = 0x027a00061500
authentik-freeradius-1  | (10)   State = 0x13652bfd121f3ee02cb9291428252449
authentik-freeradius-1  | (10) Restoring &session-state
authentik-freeradius-1  | (10)   &session-state:Framed-MTU = 994
authentik-freeradius-1  | (10)   &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1  | (10)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (10)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (10)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (10)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (10) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (10)   authorize {
authentik-freeradius-1  | (10)     policy filter_username {
authentik-freeradius-1  | (10)       if (&User-Name) {
authentik-freeradius-1  | (10)       if (&User-Name)  -> TRUE
authentik-freeradius-1  | (10)       if (&User-Name)  {
authentik-freeradius-1  | (10)         if (&User-Name =~ / /)  -> FALSE
authentik-freeradius-1  | (10)         if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1  | (10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
authentik-freeradius-1  | (10)         if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1  | (10)         if (&User-Name =~ /\.\./ )  -> FALSE
authentik-freeradius-1  | (10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
authentik-freeradius-1  | (10)         if (&User-Name =~ /@\./)  {
authentik-freeradius-1  | (10)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (10)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (10)     } # policy filter_username = notfound
authentik-freeradius-1  | (10)     [preprocess] = ok
authentik-freeradius-1  | (10)     [chap] = noop
authentik-freeradius-1  | (10)     [digest] = noop
authentik-freeradius-1  | (10) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (10) suffix: No '@' in User-Name = "thatsme", looking up realm NULL
authentik-freeradius-1  | (10) suffix: No such realm "NULL"
authentik-freeradius-1  | (10)     [suffix] = noop
authentik-freeradius-1  | (10)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (10)     if (User-Name && !User-Password)  -> TRUE
authentik-freeradius-1  | (10)     if (User-Name && !User-Password)  {
authentik-freeradius-1  | (10)         &User-Password := &User-Name -> 'thatsme'
authentik-freeradius-1  | (10)       } # update request = noop
authentik-freeradius-1  | (10)     } # if (User-Name && !User-Password)  = noop
authentik-freeradius-1  | (10) eap: Peer sent EAP Response (code 2) ID 122 length 6
authentik-freeradius-1  | (10) eap: Continuing tunnel setup
authentik-freeradius-1  | (10)     [eap] = ok
authentik-freeradius-1  | (10)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (10)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (10) Sent Access-Challenge Id 11 from 10.1.2.1:1812 to 10.0.0.5:46092 length 1064
authentik-freeradius-1  | (10)   Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1  | (10)   State = 0x13652bfd111e3ee02cb9291428252449
authentik-freeradius-1  | (10) Finished request
authentik-freeradius-1  | Waking up in 4.9 seconds.
authentik-freeradius-1  | (11) Received Access-Request Id 12 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285
authentik-freeradius-1  | (11)   User-Name = "thatsme"
authentik-freeradius-1  | (11)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (11)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (11)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (11)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (11)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (11)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (11)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (11)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (11)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (11)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (11)   State = 0x13652bfd111e3ee02cb9291428252449
authentik-freeradius-1  | (11)   Message-Authenticator = 0x3e816d3fa576146ddf2021a82ec4c68a
authentik-freeradius-1  | (11)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (11)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (11)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (11) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (11)     policy filter_username {
authentik-freeradius-1  | (11)       if (&User-Name) {
authentik-freeradius-1  | (11)       if (&User-Name)  {
authentik-freeradius-1  | (11)         if (&User-Name =~ / /) {
authentik-freeradius-1  | (11)         if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1  | (11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
authentik-freeradius-1  | (11)         if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1  | (11)         if (&User-Name =~ /\.\./ )  -> FALSE
authentik-freeradius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
authentik-freeradius-1  | (11)         if (&User-Name =~ /\.$/)  {
authentik-freeradius-1  | (11)         if (&User-Name =~ /\.$/)   -> FALSE
authentik-freeradius-1  | (11)         if (&User-Name =~ /@\./)  {
authentik-freeradius-1  | (11)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (11)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (11)     } # policy filter_username = notfound
authentik-freeradius-1  | (11)     [preprocess] = ok
authentik-freeradius-1  | (11)     [chap] = noop
authentik-freeradius-1  | (11)     [mschap] = noop
authentik-freeradius-1  | (11)     [digest] = noop
authentik-freeradius-1  | (11) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (11) suffix: No '@' in User-Name = "thatsme", looking up realm NULL
authentik-freeradius-1  | (11) suffix: No such realm "NULL"
authentik-freeradius-1  | (11)     [suffix] = noop
authentik-freeradius-1  | (11)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (11)     if (User-Name && !User-Password)  -> TRUE
authentik-freeradius-1  | (11)     if (User-Name && !User-Password)  {
authentik-freeradius-1  | (11)         &User-Password := &User-Name -> 'thatsme'
authentik-freeradius-1  | (11)       } # update request = noop
authentik-freeradius-1  | (11)     } # if (User-Name && !User-Password)  = noop
authentik-freeradius-1  | (11) eap: Continuing tunnel setup
authentik-freeradius-1  | (11)     [eap] = ok
authentik-freeradius-1  | (11)   } # authorize = ok
authentik-freeradius-1  | (11) Found Auth-Type = eap
authentik-freeradius-1  | (11) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (11)   authenticate {
authentik-freeradius-1  | (11) eap: Removing EAP session with state 0x13652bfd111e3ee0
authentik-freeradius-1  | (11) eap: Previous EAP request found for state 0x13652bfd111e3ee0, released from the list
authentik-freeradius-1  | (11) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1  | (11) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1  | (11) eap_ttls: Authenticate
authentik-freeradius-1  | (11) eap_ttls: (TLS) Peer ACKed our handshake fragment
authentik-freeradius-1  | (11) eap: Sending EAP Request (code 1) ID 124 length 1000
authentik-freeradius-1  | (11) eap: EAP session adding &reply:State = 0x13652bfd10193ee0
authentik-freeradius-1  | (11)     [eap] = handled
authentik-freeradius-1  | (11)   } # authenticate = handled
authentik-freeradius-1  | (11) Using Post-Auth-Type Challenge
authentik-freeradius-1  | (11) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (11)   Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1  | (11) session-state: Saving cached attributes
authentik-freeradius-1  | (11)   Framed-MTU = 994
authentik-freeradius-1  | (11)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1  | (11)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (11)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (11)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (11)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (11) Sent Access-Challenge Id 12 from 10.1.2.1:1812 to 10.0.0.5:46092 length 1064
authentik-freeradius-1  | (11)   Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1  | (11)   State = 0x13652bfd10193ee02cb9291428252449
authentik-freeradius-1  | (11) Finished request
authentik-freeradius-1  | Waking up in 4.9 seconds.
authentik-freeradius-1  | (12) Received Access-Request Id 13 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285
authentik-freeradius-1  | (12)   User-Name = "thatsme"
authentik-freeradius-1  | (12)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (12)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (12)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (12)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (12)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (12)   Service-Type = Framed-User
authentik-freeradius-1  | (12)   NAS-Port = 1
authentik-freeradius-1  | (12)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (12)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (12)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (12)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (12)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (12)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (12)   WLAN-Group-Mgmt-Cipher = 1027078
authentik-freeradius-1  | (12)   Framed-MTU = 1400
authentik-freeradius-1  | (12)   EAP-Message = 0x027c00061500
authentik-freeradius-1  | (12)   State = 0x13652bfd10193ee02cb9291428252449
authentik-freeradius-1  | (12)   Message-Authenticator = 0x768549e29056b2a6c1056c54eb5f1701
authentik-freeradius-1  | (12)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (12)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (12)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (12)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (12) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (12)   authorize {
authentik-freeradius-1  | (12)     policy filter_username {
authentik-freeradius-1  | (12)       if (&User-Name)  -> TRUE
authentik-freeradius-1  | (12)       if (&User-Name)  {
authentik-freeradius-1  | (12)         if (&User-Name =~ / /) {
authentik-freeradius-1  | (12)         if (&User-Name =~ / /)  -> FALSE
authentik-freeradius-1  | (12)         if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1  | (12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
authentik-freeradius-1  | (12)         if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1  | (12)         if (&User-Name =~ /\.\./ )  -> FALSE
authentik-freeradius-1  | (12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (12)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (12)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (12)     } # policy filter_username = notfound
authentik-freeradius-1  | (12)     [preprocess] = ok
authentik-freeradius-1  | (12)     [chap] = noop
authentik-freeradius-1  | (12)     [mschap] = noop
authentik-freeradius-1  | (12)     [digest] = noop
authentik-freeradius-1  | (13) Received Access-Request Id 14 from 10.0.0.5:46092 to 10.1.2.1:1812 length 285
authentik-freeradius-1  | (13)   User-Name = "thatsme"
authentik-freeradius-1  | (13)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (13)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (13)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (13)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (13)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (13)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (13)   Service-Type = Framed-User
authentik-freeradius-1  | (13)   NAS-Port = 1
authentik-freeradius-1  | (13)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (13)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (13)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (13)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (13)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (13)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (13)   WLAN-AKM-Suite = 1027073
authentik-freeradius-1  | (13)   WLAN-Group-Mgmt-Cipher = 1027078
authentik-freeradius-1  | (13)   Framed-MTU = 1400
authentik-freeradius-1  | (13)   EAP-Message = 0x027d00061500
authentik-freeradius-1  | (13)   State = 0x13652bfd17183ee02cb9291428252449
authentik-freeradius-1  | (13)   Message-Authenticator = 0xac7e4c54f452892a4f843cb1118bb999
authentik-freeradius-1  | (13) Restoring &session-state
authentik-freeradius-1  | (13)   &session-state:Framed-MTU = 994
authentik-freeradius-1  | (13)   &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1  | (13)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (13)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (13)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (13)   &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (13)         if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1  | (13)         if (&User-Name =~ /\.\./ )  -> FALSE
authentik-freeradius-1  | (13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
authentik-freeradius-1  | (13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
authentik-freeradius-1  | (13)         if (&User-Name =~ /\.$/)  {
authentik-freeradius-1  | (13)         if (&User-Name =~ /\.$/)   -> FALSE
authentik-freeradius-1  | (13)         if (&User-Name =~ /@\./)  {
authentik-freeradius-1  | (13)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (13)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (13)     } # policy filter_username = notfound
authentik-freeradius-1  | (13)     [preprocess] = ok
authentik-freeradius-1  | (13)     [chap] = noop
authentik-freeradius-1  | (13)     [mschap] = noop
authentik-freeradius-1  | (13)     [digest] = noop
authentik-freeradius-1  | (13) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (13) suffix: No '@' in User-Name = "thatsme", looking up realm NULL
authentik-freeradius-1  | (13) suffix: No such realm "NULL"
authentik-freeradius-1  | (13)     [suffix] = noop
authentik-freeradius-1  | (13)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (13)     if (User-Name && !User-Password)  -> TRUE
authentik-freeradius-1  | (14) Received Access-Request Id 15 from 10.0.0.5:46092 to 10.1.2.1:1812 length 378
authentik-freeradius-1  | (14)   User-Name = "thatsme"
authentik-freeradius-1  | (14)   NAS-IP-Address = 10.0.0.5
authentik-freeradius-1  | (14)   NAS-Port-Id = "00000001"
authentik-freeradius-1  | (14)   NAS-Identifier = "TP-Link:263626d2c501"
authentik-freeradius-1  | (14)   Called-Station-Id = "26-36-26-D2-C5-01:Relevant"
authentik-freeradius-1  | (14)   NAS-Port-Type = Wireless-802.11
authentik-freeradius-1  | (14)   Event-Timestamp = "Jun 30 2025 13:12:02 UTC"
authentik-freeradius-1  | (14)   Service-Type = Framed-User
authentik-freeradius-1  | (14)   NAS-Port = 1
authentik-freeradius-1  | (14)   Calling-Station-Id = "1E-04-F0-DE-D7-92"
authentik-freeradius-1  | (14)   Connect-Info = "CONNECT 54Mbps 802.11a"
authentik-freeradius-1  | (14)   Acct-Session-Id = "263626d2c501-9F3FBFEE3494B7C3"
authentik-freeradius-1  | (14)   Acct-Multi-Session-Id = "1B9880FB001579F3"
authentik-freeradius-1  | (14)   WLAN-Pairwise-Cipher = 1027076
authentik-freeradius-1  | (14)   WLAN-Group-Cipher = 1027076
authentik-freeradius-1  | (14)   WLAN-AKM-Suite = 1027073
authentik-freeradius-1  | (14)   WLAN-Group-Mgmt-Cipher = 1027078
authentik-freeradius-1  | (14)   Framed-MTU = 1400
authentik-freeradius-1  | (14)         if (&User-Name =~ /\.$/)  {
authentik-freeradius-1  | (14)         if (&User-Name =~ /\.$/)   -> FALSE
authentik-freeradius-1  | (14)         if (&User-Name =~ /@\./)  {
authentik-freeradius-1  | (14)         if (&User-Name =~ /@\./)   -> FALSE
authentik-freeradius-1  | (14)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (14)     } # policy filter_username = notfound
authentik-freeradius-1  | (14)     [preprocess] = ok
authentik-freeradius-1  | (14)     [chap] = noop
authentik-freeradius-1  | (14)     [mschap] = noop
authentik-freeradius-1  | (14)     [digest] = noop
authentik-freeradius-1  | (14) suffix: Checking for suffix after "@"
authentik-freeradius-1  | (14) suffix: No '@' in User-Name = "thatsme", looking up realm NULL
authentik-freeradius-1  | (14) suffix: No such realm "NULL"
authentik-freeradius-1  | (14)     [suffix] = noop
authentik-freeradius-1  | (14)     if (User-Name && !User-Password) {
authentik-freeradius-1  | (14)     if (User-Name && !User-Password)  -> TRUE
authentik-freeradius-1  | (14)     if (User-Name && !User-Password)  {
authentik-freeradius-1  | (14)       update request {
authentik-freeradius-1  | (14)         &User-Password := &User-Name -> 'thatsme'
authentik-freeradius-1  | (14)       } # update request = noop
authentik-freeradius-1  | (14) eap: Peer sent EAP Response (code 2) ID 126 length 99
authentik-freeradius-1  | (14) eap: Continuing tunnel setup
authentik-freeradius-1  | (14)     [eap] = ok
authentik-freeradius-1  | (14)   } # authorize = ok
authentik-freeradius-1  | (14) Found Auth-Type = eap
authentik-freeradius-1  | (14) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (14)   authenticate {
authentik-freeradius-1  | (14) eap: Removing EAP session with state 0x13652bfd161b3ee0
authentik-freeradius-1  | (14) eap: Previous EAP request found for state 0x13652bfd161b3ee0, released from the list
authentik-freeradius-1  | (14) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1  | (14) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1  | (14) eap_ttls: Authenticate
authentik-freeradius-1  | (14) eap_ttls: (TLS) EAP Done initial handshake
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
authentik-freeradius-1  | (14) eap_ttls: (TLS) TTLS - Connection Established
authentik-freeradius-1  | (14) eap_ttls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
authentik-freeradius-1  | (14) eap_ttls:   TLS-Session-Version = "TLS 1.2"
authentik-freeradius-1  | (14) eap: Sending EAP Request (code 1) ID 127 length 61
authentik-freeradius-1  | (14) eap: EAP session adding &reply:State = 0x13652bfd151a3ee0
authentik-freeradius-1  | (14)     [eap] = handled
authentik-freeradius-1  | (14)   } # authenticate = handled
authentik-freeradius-1  | (14) Using Post-Auth-Type Challenge
authentik-freeradius-1  | (14) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (14)   Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1  | (14) session-state: Saving cached attributes
authentik-freeradius-1  | (14)   Framed-MTU = 994
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
authentik-freeradius-1  | (14)   TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
authentik-freeradius-1  | (14)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
authentik-freeradius-1  | (14)   TLS-Session-Version = "TLS 1.2"
authentik-freeradius-1  | (14) Sent Access-Challenge Id 15 from 10.1.2.1:1812 to 10.0.0.5:46092 length 119
authentik-freeradius-1  | (14)   EAP-Message = 0x017f003d1580000000331403030001011603030028885d67ae234bf583bbd727193f412d31587ea490ff35ea5ad2b97ca448267b32c534f76445568b6a
authentik-freeradius-1  | (14)   Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1  | (14)   State = 0x13652bfd151a3ee02cb9291428252449
authentik-freeradius-1  | (14) Finished request
authentik-freeradius-1  | Waking up in 4.9 seconds.
authentik-freeradius-1  | (15) Received Access-Request Id 16 from 10.0.0.5:46092 to 10.1.2.1:1812 length 358
authentik-freeradius-1  | (15)   User-Name = "thatsme"
authentik-freeradius-1  | (15)       } # if (&User-Name)  = notfound
authentik-freeradius-1  | (15)     } # policy filter_username = notfound
authentik-freeradius-1  | (15) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1  | (15) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1  | (15) eap_ttls: Authenticate
authentik-freeradius-1  | (15) eap_ttls: (TLS) EAP Done initial handshake
authentik-freeradius-1  | (15) eap_ttls: Session established.  Proceeding to decode tunneled attributes
authentik-freeradius-1  | (15) eap_ttls: Got tunneled request
authentik-freeradius-1  | (15) eap_ttls:   User-Name = "testuser"
authentik-freeradius-1  | (15) Expecting proxy response no later than 29.667657 seconds from now
authentik-freeradius-1  | Waking up in 4.5 seconds.
authentik-freeradius-1  | Suppressing duplicate proxied request (too fast) to home server 172.16.1.7 port 1812 - ID: 15
authentik-freeradius-1  | Waking up in 3.9 seconds.
authentik-freeradius-1  | (8) Cleaning up request packet ID 9 with timestamp +1250 due to cleanup_delay was reached
authentik-freeradius-1  | (9) Cleaning up request packet ID 10 with timestamp +1250 due to cleanup_delay was reached
authentik-freeradius-1  | (10) Cleaning up request packet ID 11 with timestamp +1250 due to cleanup_delay was reached
authentik-freeradius-1  | (11) Cleaning up request packet ID 12 with timestamp +1251 due to cleanup_delay was reached
authentik-freeradius-1  | (12) Cleaning up request packet ID 13 with timestamp +1251 due to cleanup_delay was reached
authentik-freeradius-1  | (13) Cleaning up request packet ID 14 with timestamp +1251 due to cleanup_delay was reached
authentik-freeradius-1  | (14) Cleaning up request packet ID 15 with timestamp +1251 due to cleanup_delay was reached
authentik-freeradius-1  | Waking up in 25.0 seconds.
authentik-freeradius-1  | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1  | (15) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost
authentik-freeradius-1  | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1  | (15) The packet does not contain Message-Authenticator, which is a security issue
authentik-freeradius-1  | (15) UPGRADE THE HOME SERVER AS YOUR NETWORK IS VULNERABLE TO THE BLASTRADIUS ATTACK.
authentik-freeradius-1  | (15) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost
authentik-freeradius-1  | (15) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1  | (15) Clearing existing &reply: attributes
authentik-freeradius-1  | (15) Received Access-Accept Id 15 from 172.16.1.7:1812 to 10.1.2.1:47859 length 20
authentik-freeradius-1  | (15) server default {
authentik-freeradius-1  | (15) }
authentik-freeradius-1  | (15) Found Auth-Type = eap
authentik-freeradius-1  | (15) Found Auth-Type = Accept
authentik-freeradius-1  | (15) ERROR: Warning:  Found 2 auth-types on request for user 'thatsme'
authentik-freeradius-1  | (15) Auth-Type = Accept, accepting the user
authentik-freeradius-1  | (15) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1  | (15)   post-auth {
authentik-freeradius-1  | (15)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
authentik-freeradius-1  | (15)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
authentik-freeradius-1  | (15)     update {
authentik-freeradius-1  | (15)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHello'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Certificate'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, Finished'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 ChangeCipherSpec'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Finished'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
authentik-freeradius-1  | (15)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
authentik-freeradius-1  | (15)     } # update = noop
authentik-freeradius-1  | (15)     [exec] = noop
authentik-freeradius-1  | (15)     policy remove_reply_message_if_eap {
authentik-freeradius-1  | (15)       if (&reply:EAP-Message && &reply:Reply-Message) {
authentik-freeradius-1  | (15)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
authentik-freeradius-1  | (15)       else {
authentik-freeradius-1  | (15)         [noop] = noop
authentik-freeradius-1  | (15)       } # else = noop
authentik-freeradius-1  | (15)     } # policy remove_reply_message_if_eap = noop
authentik-freeradius-1  | (15)     if (EAP-Key-Name && &reply:EAP-Session-Id) {
authentik-freeradius-1  | (15)     if (EAP-Key-Name && &reply:EAP-Session-Id)  -> FALSE
authentik-freeradius-1  | (15)     update reply {
authentik-freeradius-1  | (15)       &Tunnel-Type = VLAN
authentik-freeradius-1  | (15)       &Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1  | (15)     } # update reply = noop
authentik-freeradius-1  | (15)     if (LDAP-Group == "Group1") {
authentik-freeradius-1  | (15)     Searching for user in group "Group1"
authentik-freeradius-1  | rlm_ldap (ldap): You probably need to lower "min"
authentik-freeradius-1  | rlm_ldap (ldap): Closing expired connection (6) - Hit lifetime limit
authentik-freeradius-1  | rlm_ldap (ldap): You probably need to lower "min"
authentik-freeradius-1  | rlm_ldap (ldap): Closing expired connection (5) - Hit lifetime limit
authentik-freeradius-1  | rlm_ldap (ldap): Waiting for bind result...
authentik-freeradius-1  | rlm_ldap (ldap): Bind successful
authentik-freeradius-1  | (15)     User is not a member of "Group1"
authentik-freeradius-1  | (15)     if (LDAP-Group == "Group1")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group2") {
authentik-freeradius-1  | (15)     Searching for user in group "Group2"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group2)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group2)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group6") {
authentik-freeradius-1  | (15)     Searching for user in group "Group6"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (8)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group6)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group6)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group6)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group6")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group7") {
authentik-freeradius-1  | (15)     Searching for user in group "Group7"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group7)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group7)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group7)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)     User is not a member of "Group7"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group7")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8") {
authentik-freeradius-1  | (15)     Searching for user in group "Group8"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (8)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group8)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group8)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     User is not a member of "Group8"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Archiv") {
authentik-freeradius-1  | (15)     Searching for user in group "Group8_Archiv"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)     User is not a member of "Group8_Archiv"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Archiv")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Finanzen") {
authentik-freeradius-1  | (15)     Searching for user in group "Group8_Finanzen"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (8)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8_Finanzen)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     User is not a member of "Group8_Finanzen"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Finanzen")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Office") {
authentik-freeradius-1  | (15)     Searching for user in group "Group8_Office"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group8_Office)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group8_Office)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group8_Office)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Office")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_VertraulicheDokumente") {
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     User is not a member of "Group8_VertraulicheDokumente"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_VertraulicheDokumente")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Vorsitz") {
authentik-freeradius-1  | (15)     Searching for user in group "Group8_Vorsitz"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group8_Vorsitz)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group8_Vorsitz")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group14") {
authentik-freeradius-1  | (15)     Searching for user in group "Group14"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (8)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group14)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group14)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group14)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     User is not a member of "Group14"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group14")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group15") {
authentik-freeradius-1  | (15)     Searching for user in group "Group15"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group15)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group15)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group15)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Search returned no results
authentik-freeradius-1  | (15)     Checking user object's memberOf attributes
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=testuser,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group3,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group3"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Performing unfiltered search in "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group4,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group4"
authentik-freeradius-1  | (15)     Processing memberOf value "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1  | (15)       Resolving group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)       Group DN "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)     User is not a member of "Group15"
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group15")  -> FALSE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group5") {
authentik-freeradius-1  | (15)     Searching for user in group "Group5"
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (8)
authentik-freeradius-1  | (15)     Using user DN from request "cn=testuser,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | (15)     Checking for user in group objects
authentik-freeradius-1  | (15)       EXPAND (&(cn=Group5)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1  | (15)          --> (&(cn=Group5)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))
authentik-freeradius-1  | (15)       Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group5)(objectClass=posixGroup)(|(member=cn\3dtestuser\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=testuser)))", scope "sub"
authentik-freeradius-1  | (15)       Waiting for search result...
authentik-freeradius-1  | (15)     User found in group object "cn=Group5,ou=groups,dc=ldap,dc=example,dc=com"
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (8)
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group5")  -> TRUE
authentik-freeradius-1  | (15)     elsif (LDAP-Group == "Group5")  {
authentik-freeradius-1  | (15)       update reply {
authentik-freeradius-1  | rlm_ldap (ldap): Reserved connection (7)
authentik-freeradius-1  | (15)         Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=Group5)(member=*testuser*))", scope "one"
authentik-freeradius-1  | (15)         Waiting for search result...
authentik-freeradius-1  | rlm_ldap (ldap): Released connection (7)
authentik-freeradius-1  | (15)         EXPAND %{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=Group5)(member=*%{&control:User-Name}*))}:-20}
authentik-freeradius-1  | (15)            --> 110
authentik-freeradius-1  | (15)         &Tunnel-Private-Group-Id = 110
authentik-freeradius-1  | (15)       } # update reply = noop
authentik-freeradius-1  | (15)     } # elsif (LDAP-Group == "Group5")  = noop
authentik-freeradius-1  | (15)     ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1  | (15)     ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1  | (15)     ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1  | (15)     ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1  | (15)     ... skipping else: Preceding "if" was taken
authentik-freeradius-1  | (15)     [updated] = updated
authentik-freeradius-1  | (15)   } # post-auth = updated
authentik-freeradius-1  | (15) Sent Access-Accept Id 16 from 10.1.2.1:1812 to 10.0.0.5:46092 length 61
authentik-freeradius-1  | (15)   Framed-MTU += 994
authentik-freeradius-1  | (15)   Tunnel-Type = VLAN
authentik-freeradius-1  | (15)   Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1  | (15)   Tunnel-Private-Group-Id = "110"
authentik-freeradius-1  | (15) Finished request
authentik-freeradius-1  | Waking up in 4.9 seconds.
authentik-freeradius-1  | (15) Cleaning up request packet ID 16 with timestamp +1251 due to cleanup_delay was reached
authentik-freeradius-1  | Ready to process requests




