TLS Session Resumption with Proxy in Inner-Tunnel Not Working

MERLE Pierrick (Chef de projet réseau) - SG/DNUM/MSP/DIS/GIR pierrick.merle at i-carre.net
Mon Mar 3 13:22:21 UTC 2025


I only managed to make it work if i set "proxy_tunneled_request_as_eap = 
no" in my eap conf.
 From what I understand, It makes using plain mschapv2 between proxy and 
backend and not eap_mschapv2.

But I think there is something weird in the end: It is like response 
sent from the backend server is not sent back to the client using the 
established PEAP tunnel, but it is send directly as it is in the outer 
tunnel.

So it seems to work, but I see nothing saved in my TLS cache.

Below the full debug:

FreeRADIUS Version 3.2.4
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/cache_wifi
including configuration file 
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
including configuration file 
/etc/freeradius/3.0/mods-enabled/cache_local
including configuration file /etc/freeradius/3.0/mods-enabled/redis-lan
including configuration file 
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
including configuration file /etc/freeradius/3.0/mods-enabled/redis-wlan
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/python3
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file 
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
including configuration file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
including configuration file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
including configuration file /etc/freeradius/3.0/mods-enabled/cache
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file 
/etc/freeradius/3.0/mods-enabled/my_module_sql
including configuration file 
/etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf
including configuration file 
/etc/freeradius/3.0/mods-enabled/cache_wired
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file 
/etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file 
/etc/freeradius/3.0/mods-enabled/my_module_files
including configuration file /etc/freeradius/3.0/mods-enabled/cache_laps
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file 
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file 
/etc/freeradius/3.0/policy.d/my_policy_ldap_group
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file 
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file 
/etc/freeradius/3.0/policy.d/my_policy_username
including configuration file 
/etc/freeradius/3.0/policy.d/my_policy_vlan-inner
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file 
/etc/freeradius/3.0/policy.d/my_policy_vlan-outer
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file 
/etc/freeradius/3.0/policy.d/canonicalization
including configuration file 
/etc/freeradius/3.0/policy.d/extreme-macaddress
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/accounting
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
including configuration file 
/etc/freeradius/3.0/sites-enabled/control-socket
including configuration file 
/etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x
including configuration file 
/etc/freeradius/3.0/sites-enabled/tls-cache-wlan
including configuration file /etc/freeradius/3.0/sites-enabled/dot1x
including files in directory /etc/freeradius/3.0/server.d/
including configuration file /etc/freeradius/3.0/server.d/lan-dot1x
including configuration file /etc/freeradius/3.0/server.d/wlan-dot1x
including configuration file 
/etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
including configuration file 
/etc/freeradius/3.0/sites-enabled/tls-cache-lan
main {
  security {
  	user = "freerad"
  	group = "freerad"
  	allow_core_dumps = no
  }
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
}
main {
	name = "freeradius"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/freeradius"
	run_dir = "/var/run/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	proxy_dedup_window = 1
	cleanup_delay = 5
	max_requests = 65535
	max_fds = 512
	postauth_client_lost = yes
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
  log {
  	stripped_names = yes
  	auth = yes
  	auth_badpass = no
  	auth_goodpass = yes
  	msg_badpass = "ALARM %{request:User-Name} 
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} 
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} 
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} 
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} 
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} 
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} 
SR:%{%{request:EAP-Session-Resumed}:-none} 
H:%{%{request:Cache-Entry-Hits}:-0}"
  	msg_goodpass = "OK %{request:User-Name} 
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} 
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} 
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} 
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} 
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} 
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} 
SR:%{%{request:EAP-Session-Resumed}:-none} 
H:%{%{request:Cache-Entry-Hits}:-0}"
  	colourise = yes
  	msg_denied = "You are already logged in - access denied"
  }
  resources {
  }
  security {
  	max_attributes = 200
  	reject_delay = 1.000000
  	status_server = no
  }
}
radiusd: #### Loading Realms and Home Servers ####
  home_server nps_cabinet {
  	nonblock = no
  	ipaddr = 10.116.249.13
  	port = 1812
  	type = "auth"
  	secret = <<< secret >>>
  	response_window = 20.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 120
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server nps_server {
  	nonblock = no
  	ipaddr = 10.167.73.13
  	port = 1812
  	type = "auth"
  	secret = <<< secret >>>
  	response_window = 20.000000
  	response_timeouts = 1
  	max_outstanding = 65536
  	zombie_period = 40
  	status_check = "status-server"
  	ping_interval = 30
  	check_timeout = 4
  	num_answers_to_alive = 3
  	revive_interval = 120
   limit {
   	max_connections = 16
   	max_requests = 0
   	lifetime = 0
   	idle_timeout = 0
   }
   coa {
   	irt = 2
   	mrt = 16
   	mrc = 5
   	mrd = 30
   }
  }
  home_server_pool nps_pool {
	type = fail-over
	home_server = nps_server
  }
  realm nps_realm {
	auth_pool = nps_pool
  }
  realm PREPROD {
	auth_pool = nps_pool
  }
  home_server_pool cabinet_pool {
	type = fail-over
	home_server = nps_cabinet
  }
  realm CABINET {
	auth_pool = cabinet_pool
  }
  realm FORMATION {
	auth_pool = cabinet_pool
	nostrip
  }
radiusd: #### Loading Clients ####
  client test {
  	ipaddr = 127.0.0.1
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "localhost"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client test2 {
  	ipaddr = 10.128.0.12
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "star-trek4"
  	nas_type = "other"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client SWITCH {
  	ipaddr = 10.128.0.0/20
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "SWITCH"
  	nas_type = "other"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.255.255.0/25 {
  	ipaddr = 10.255.255.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.128.0.220 {
  	ipaddr = 10.128.0.220
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "centreon-seq"
  	nas_type = "other"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.128.0.221 {
  	ipaddr = 10.128.0.221
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "centreon-aps"
  	nas_type = "other"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.110.0/25 {
  	ipaddr = 10.166.110.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_110"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.110.192/27 {
  	ipaddr = 10.166.110.192/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_110"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.111.0/25 {
  	ipaddr = 10.166.111.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_111"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.112.0/25 {
  	ipaddr = 10.166.112.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_112"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.112.192/27 {
  	ipaddr = 10.166.112.192/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_112"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.113.0/25 {
  	ipaddr = 10.166.113.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_113"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.114.0/25 {
  	ipaddr = 10.166.114.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_114"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.115.0/25 {
  	ipaddr = 10.166.115.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_115"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.115.128/26 {
  	ipaddr = 10.166.115.128/26
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_115"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.116.0/25 {
  	ipaddr = 10.166.116.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_116"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.117.0/25 {
  	ipaddr = 10.166.117.0/25
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "LAN_Switch_SNUM_117"
  	virtual_server = "lan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client BORNE {
  	ipaddr = 10.128.96.0/20
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "BORNE"
  	nas_type = "other"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.110.224/27 {
  	ipaddr = 10.166.110.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_110"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.111.224/27 {
  	ipaddr = 10.166.111.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_111"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.112.224/27 {
  	ipaddr = 10.166.112.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_112"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.113.224/27 {
  	ipaddr = 10.166.113.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_113"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.114.224/27 {
  	ipaddr = 10.166.114.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_114"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.115.224/27 {
  	ipaddr = 10.166.115.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_115"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.116.224/27 {
  	ipaddr = 10.166.116.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_116"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
  client 10.166.117.224/27 {
  	ipaddr = 10.166.117.224/27
  	require_message_authenticator = no
  	secret = <<< secret >>>
  	shortname = "WLAN_Switch_SNUM_117"
  	virtual_server = "wlan-dot1x"
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
  }
Debugger not attached
systemd watchdog is disabled
  # Creating Auth-Type = eap
  # Creating Auth-Type = eap_wlan_dot1x
  # Creating Auth-Type = MS-CHAP
  # Creating Auth-Type = eap_lan_dot1x
radiusd: #### Instantiating modules ####
  modules {
   # Loaded module rlm_ldap
   # Loading module "ldap_msauth04" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
   ldap ldap_msauth04 {
   	server = "ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr"
   	port = 636
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	filter = "(objectClass=group)"
    	scope = "sub"
    	name_attribute = "cn"
    	membership_filter = 
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
    	cacheable_name = yes
    	cacheable_dn = no
    	cache_attribute = "ldap_AD-LDAP-Group"
    	allow_dangling_group_ref = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "dc=equipement,dc=gouv,dc=fr"
    }
    profile {
    }
    options {
    	ldap_debug = 0
    	chase_referrals = yes
    	rebind = yes
    	net_timeout = 1
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
    	check_crl = no
    	start_tls = no
    	require_cert = "hard"
    }
   }
Creating attribute ldap_msauth04-LDAP-Group
   # Loaded module rlm_linelog
   # Loading module "linelog" from file 
/etc/freeradius/3.0/mods-enabled/linelog
   linelog {
   	filename = "/var/log/freeradius/linelog"
   	escape_filenames = no
   	syslog_severity = "info"
   	permissions = 384
   	format = "This is a log message for %{User-Name}"
   	reference = "messages.%{%{reply:Packet-Type}:-default}"
   }
   # Loading module "log_accounting" from file 
/etc/freeradius/3.0/mods-enabled/linelog
   linelog log_accounting {
   	filename = "/var/log/freeradius/linelog-accounting"
   	escape_filenames = no
   	syslog_severity = "info"
   	permissions = 384
   	format = ""
   	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
   }
   # Loaded module rlm_cache
   # Loading module "cache_wifi" from file 
/etc/freeradius/3.0/mods-enabled/cache_wifi
   cache cache_wifi {
   	driver = "rlm_cache_rbtree"
   	key = 
"%{User-Name}@%{%{&outer.request:Symbol-Current-ESSID}:-%{request:Symbol-Current-ESSID}}"
   	ttl = 600
   	max_entries = 0
   	epoch = 0
   	add_stats = yes
   }
   # Loaded module rlm_eap
   # Loading module "eap_wlan_dot1x" from file 
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
   eap eap_wlan_dot1x {
   	default_eap_type = "peap"
   	timer_expire = 60
   	max_eap_type = 52
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 65535
   	dedup_key = ""
   }
   # Loading module "cache_local" from file 
/etc/freeradius/3.0/mods-enabled/cache_local
   cache cache_local {
   	driver = "rlm_cache_rbtree"
   	key = 
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}"
   	ttl = 36000
   	max_entries = 0
   	epoch = 0
   	add_stats = yes
   }
   # Loaded module rlm_redis
   # Loading module "redis-lan" from file 
/etc/freeradius/3.0/mods-enabled/redis-lan
   redis redis-lan {
   	server = "127.0.0.1"
   	port = 6379
   	database = 0
   	query_timeout = 5
   }
rlm_redis: libhiredis version: 0.14.1
   # Loading module "eap_lan_dot1x" from file 
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
   eap eap_lan_dot1x {
   	default_eap_type = "peap"
   	timer_expire = 60
   	max_eap_type = 52
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 65535
   	dedup_key = ""
   }
   # Loading module "redis-wlan" from file 
/etc/freeradius/3.0/mods-enabled/redis-wlan
   redis redis-wlan {
   	server = "127.0.0.1"
   	port = 6379
   	database = 1
   	query_timeout = 5
   }
rlm_redis: libhiredis version: 0.14.1
   # Loaded module rlm_detail
   # Loading module "detail" from file 
/etc/freeradius/3.0/mods-enabled/detail
   detail {
   	filename = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	dates_as_integer = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loaded module rlm_preprocess
   # Loading module "preprocess" from file 
/etc/freeradius/3.0/mods-enabled/preprocess
   preprocess {
   	huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
   	hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
   	with_ascend_hack = no
   	ascend_channels_per_line = 23
   	with_ntdomain_hack = no
   	with_specialix_jetstream_hack = no
   	with_cisco_vsa_hack = no
   	with_alvarion_vsa_hack = no
   }
   # Loaded module rlm_logintime
   # Loading module "logintime" from file 
/etc/freeradius/3.0/mods-enabled/logintime
   logintime {
   	minimum_timeout = 60
   }
   # Loaded module rlm_expiration
   # Loading module "expiration" from file 
/etc/freeradius/3.0/mods-enabled/expiration
   # Loaded module rlm_digest
   # Loading module "digest" from file 
/etc/freeradius/3.0/mods-enabled/digest
   # Loaded module rlm_exec
   # Loading module "exec" from file 
/etc/freeradius/3.0/mods-enabled/exec
   exec {
   	wait = yes
   	input_pairs = "request"
   	shell_escape = yes
   	timeout = 10
   }
   # Loaded module rlm_mschap
   # Loading module "mschap_AD" from file 
/etc/freeradius/3.0/mods-enabled/mschap
   mschap mschap_AD {
   	use_mppe = yes
   	require_encryption = yes
   	require_strong = yes
   	with_ntdomain_hack = yes
    passchange {
    }
   	allow_retry = yes
   	winbind_retry_with_normalised_username = no
   }
   # Loading module "mschap_LOCAL" from file 
/etc/freeradius/3.0/mods-enabled/mschap
   mschap mschap_LOCAL {
   	use_mppe = yes
   	require_encryption = yes
   	require_strong = yes
   	with_ntdomain_hack = yes
    passchange {
    }
   	allow_retry = yes
   	winbind_retry_with_normalised_username = no
   }
   # Loaded module rlm_radutmp
   # Loading module "sradutmp" from file 
/etc/freeradius/3.0/mods-enabled/sradutmp
   radutmp sradutmp {
   	filename = "/var/log/freeradius/sradutmp"
   	username = "%{User-Name}"
   	case_sensitive = yes
   	check_with_nas = yes
   	permissions = 420
   	caller_id = no
   }
   # Loading module "radutmp" from file 
/etc/freeradius/3.0/mods-enabled/radutmp
   radutmp {
   	filename = "/var/log/freeradius/radutmp"
   	username = "%{User-Name}"
   	case_sensitive = yes
   	check_with_nas = yes
   	permissions = 384
   	caller_id = yes
   }
   # Loaded module rlm_replicate
   # Loading module "replicate" from file 
/etc/freeradius/3.0/mods-enabled/replicate
   # Loading module "echo" from file 
/etc/freeradius/3.0/mods-enabled/echo
   exec echo {
   	wait = yes
   	program = "/bin/echo %{User-Name}"
   	input_pairs = "request"
   	output_pairs = "reply"
   	shell_escape = yes
   }
   # Loaded module rlm_unix
   # Loading module "unix" from file 
/etc/freeradius/3.0/mods-enabled/unix
   unix {
   	radwtmp = "/var/log/freeradius/radwtmp"
   }
Creating attribute Unix-Group
   # Loaded module rlm_unpack
   # Loading module "unpack" from file 
/etc/freeradius/3.0/mods-enabled/unpack
   # Loaded module rlm_python3
   # Loading module "python3" from file 
/etc/freeradius/3.0/mods-enabled/python3
   python3 {
   	mod_authorize = "laps"
   	func_authorize = "authorize"
   	python_path = 
"/etc/freeradius/3.0/mods-config/python3:/usr/local/lib/python3.10/dist-packages"
   	cext_compat = yes
   	pass_all_vps = no
   	pass_all_vps_dict = no
   }
   # Loaded module rlm_utf8
   # Loading module "utf8" from file 
/etc/freeradius/3.0/mods-enabled/utf8
   # Loading module "ldap_M2" from file 
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
   ldap ldap_M2 {
   	server = "ldaps://ldapap.m2.e2.rie.gouv.fr"
   	port = 636
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	scope = "sub"
    	name_attribute = "cn"
    	cacheable_name = no
    	cacheable_dn = no
    	allow_dangling_group_ref = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "dc=equipement,dc=gouv,dc=fr"
    }
    profile {
    }
    options {
    	ldap_debug = 0
    	chase_referrals = yes
    	rebind = yes
    	net_timeout = 1
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	ca_file = "/etc/freeradius/3.0/certs/isrg-root-x1-cross-signed.pem"
    	check_crl = no
    	start_tls = no
    	require_cert = "never"
    }
   }
Creating attribute ldap_M2-LDAP-Group
   # Loading module "ldap_msauth00" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
   ldap ldap_msauth00 {
   	server = "ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr"
   	port = 636
   	identity = "radius.ac"
   	password = <<< secret >>>
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	filter = "(objectClass=group)"
    	scope = "sub"
    	name_attribute = "cn"
    	membership_filter = 
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
    	cacheable_name = yes
    	cacheable_dn = no
    	cache_attribute = "ldap_AD-LDAP-Group"
    	allow_dangling_group_ref = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "dc=equipement,dc=gouv,dc=fr"
    }
    profile {
    }
    options {
    	ldap_debug = 0
    	chase_referrals = yes
    	rebind = yes
    	net_timeout = 1
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
    	check_crl = no
    	start_tls = no
    	require_cert = "hard"
    }
   }
Creating attribute ldap_msauth00-LDAP-Group
   # Loading module "ldap_msauth02" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
   ldap ldap_msauth02 {
   	server = "ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr"
   	port = 636
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	filter = "(objectClass=group)"
    	scope = "sub"
    	name_attribute = "cn"
    	membership_filter = 
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
    	cacheable_name = yes
    	cacheable_dn = no
    	cache_attribute = "ldap_AD-LDAP-Group"
    	allow_dangling_group_ref = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "dc=equipement,dc=gouv,dc=fr"
    }
    profile {
    }
    options {
    	ldap_debug = 0
    	chase_referrals = yes
    	rebind = yes
    	net_timeout = 1
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
    	check_crl = no
    	start_tls = no
    	require_cert = "hard"
    }
   }
Creating attribute ldap_msauth02-LDAP-Group
   # Loading module "cache" from file 
/etc/freeradius/3.0/mods-enabled/cache
   cache {
   	driver = "rlm_cache_rbtree"
   	key = 
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}"
   	ttl = 15
   	max_entries = 0
   	epoch = 0
   	add_stats = yes
   }
   # Loaded module rlm_chap
   # Loading module "chap" from file 
/etc/freeradius/3.0/mods-enabled/chap
   # Loaded module rlm_sql
   # Loading module "sql" from file 
/etc/freeradius/3.0/mods-enabled/my_module_sql
   sql {
   	driver = "rlm_sql_postgresql"
   	server = "10.128.0.10"
   	port = 5432
   	login = "intranet"
   	password = <<< secret >>>
   	radius_db = "macip"
   	read_groups = yes
   	read_profiles = yes
   	read_clients = no
   	delete_stale_sessions = yes
   	sql_user_name = "%{User-Name}"
   	default_user_profile = ""
   	client_query = "SELECT id, nasname, shortname, type, secret, server 
FROM nas"
   	authorize_check_query = "SELECT id, UserName, Attribute, Value, Op 
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op 
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
   	authorize_group_check_query = "SELECT id, GroupName, Attribute, 
Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY 
id"
   	authorize_group_reply_query = "SELECT id, GroupName, Attribute, 
Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY 
id"
   	group_membership_query = "SELECT GroupName FROM radusergroup WHERE 
UserName='%{SQL-User-Name}' ORDER BY priority"
   	simul_count_query = "SELECT COUNT(*) FROM radacct WHERE 
UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
   	simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, 
FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND 
AcctStopTime IS NULL"
   	safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   	auto_escape = no
    accounting {
    	reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
     type {
      accounting-on {
      	query = "UPDATE radacct SET AcctStopTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = 
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), 
AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
AcctStopTime IS NULL AND NASIPAddress= 
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= 
'%S'::timestamp"
      }
      accounting-off {
      	query = "UPDATE radacct SET AcctStopTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = 
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), 
AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE 
AcctStopTime IS NULL AND NASIPAddress= 
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= 
'%S'::timestamp"
      }
      start {
      	query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, 
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, 
AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, 
ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, 
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, 
FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), 
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', 
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', 
TO_TIMESTAMP(%{integer:Event-Timestamp}), 
TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', 
'%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', 
'%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', 
NULLIF('%{Framed-IP-Address}', '')::inet)"
      }
      interim-update {
      	query = "UPDATE radacct SET FramedIPAddress = 
NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = 
%{%{Acct-Session-Time}:-NULL}, AcctInterval = 
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM 
(COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = 
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + 
'%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = 
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + 
'%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = 
'%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
      }
      stop {
      	query = "UPDATE radacct SET AcctStopTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = 
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = 
COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - 
EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = 
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + 
'%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = 
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + 
'%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = 
'%{Acct-Terminate-Cause}', FramedIPAddress = 
NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = 
'%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND 
AcctStopTime IS NULL"
      }
     }
    }
    post-auth {
    	reference = ".query"
    	query = "INSERT INTO radpostauth (username, pass, reply, authdate) 
VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', 
'%{reply:Packet-Type}', NOW())"
    }
   }
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) 
loaded and linked
Creating attribute SQL-Group
   # Loading module "cache_wired" from file 
/etc/freeradius/3.0/mods-enabled/cache_wired
   cache cache_wired {
   	driver = "rlm_cache_rbtree"
   	key = 
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}"
   	ttl = 600
   	max_entries = 0
   	epoch = 0
   	add_stats = yes
   }
   # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   eap {
   	default_eap_type = "peap"
   	timer_expire = 60
   	max_eap_type = 52
   	ignore_unknown_eap_types = no
   	cisco_accounting_username_bug = no
   	max_sessions = 65535
   	dedup_key = ""
   }
   # Loading module "ldap_msauth01" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
   ldap ldap_msauth01 {
   	server = "ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr"
   	port = 636
   	identity = "radius.ac"
   	password = <<< secret >>>
    sasl {
    }
    user {
    	scope = "sub"
    	access_positive = yes
     sasl {
     }
    }
    group {
    	filter = "(objectClass=group)"
    	scope = "sub"
    	name_attribute = "cn"
    	membership_filter = 
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
    	cacheable_name = yes
    	cacheable_dn = no
    	cache_attribute = "ldap_AD-LDAP-Group"
    	allow_dangling_group_ref = no
    }
    client {
    	filter = "(objectClass=radiusClient)"
    	scope = "sub"
    	base_dn = "dc=equipement,dc=gouv,dc=fr"
    }
    profile {
    }
    options {
    	ldap_debug = 0
    	chase_referrals = yes
    	rebind = yes
    	net_timeout = 1
    	res_timeout = 10
    	srv_timelimit = 3
    	idle = 60
    	probes = 3
    	interval = 3
    }
    tls {
    	ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
    	check_crl = no
    	start_tls = no
    	require_cert = "hard"
    }
   }
Creating attribute ldap_msauth01-LDAP-Group
   # Loaded module rlm_realm
   # Loading module "IPASS" from file 
/etc/freeradius/3.0/mods-enabled/realm
   realm IPASS {
   	format = "prefix"
   	delimiter = "/"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "suffix" from file 
/etc/freeradius/3.0/mods-enabled/realm
   realm suffix {
   	format = "suffix"
   	delimiter = "@"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "realmpercent" from file 
/etc/freeradius/3.0/mods-enabled/realm
   realm realmpercent {
   	format = "suffix"
   	delimiter = "%"
   	ignore_default = no
   	ignore_null = no
   }
   # Loading module "ntdomain" from file 
/etc/freeradius/3.0/mods-enabled/realm
   realm ntdomain {
   	format = "prefix"
   	delimiter = "\"
   	ignore_default = no
   	ignore_null = no
   }
   # Loaded module rlm_passwd
   # Loading module "etc_passwd" from file 
/etc/freeradius/3.0/mods-enabled/passwd
   passwd etc_passwd {
   	filename = "/etc/passwd"
   	format = "*User-Name:Crypt-Password:"
   	delimiter = ":"
   	ignore_nislike = no
   	ignore_empty = yes
   	allow_multiple_keys = no
   	hash_size = 100
   }
   # Loaded module rlm_attr_filter
   # Loading module "attr_filter.post-proxy" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.post-proxy {
   	filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
   	key = "%{Realm}"
   	relaxed = no
   }
   # Loading module "attr_filter.pre-proxy" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.pre-proxy {
   	filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
   	key = "%{Realm}"
   	relaxed = no
   }
   # Loading module "attr_filter.access_reject" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_reject {
   	filename = 
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
   	key = "%{User-Name}"
   	relaxed = no
   }
   # Loading module "attr_filter.access_challenge" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.access_challenge {
   	filename = 
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
   	key = "%{User-Name}"
   	relaxed = no
   }
   # Loading module "attr_filter.accounting_response" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
   attr_filter attr_filter.accounting_response {
   	filename = 
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
   	key = "%{User-Name}"
   	relaxed = no
   }
   # Loaded module rlm_expr
   # Loading module "expr" from file 
/etc/freeradius/3.0/mods-enabled/expr
   expr {
   	safe_characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: 
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
   }
   # Loaded module rlm_files
   # Loading module "authfile" from file 
/etc/freeradius/3.0/mods-enabled/my_module_files
   files authfile {
   	filename = "/etc/freeradius/3.0/files.d/authfile"
   }
   # Loading module "authorized_macs" from file 
/etc/freeradius/3.0/mods-enabled/my_module_files
   files authorized_macs {
   	filename = "/etc/freeradius/3.0/files.d/authorized_macs"
   }
   # Loading module "cache_laps" from file 
/etc/freeradius/3.0/mods-enabled/cache_laps
   cache cache_laps {
   	driver = "rlm_cache_rbtree"
   	key = 
"%{User-Name}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}"
   	ttl = 36000
   	max_entries = 0
   	epoch = 0
   	add_stats = yes
   }
   # Loaded module rlm_pap
   # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
   pap {
   	normalise = yes
   }
   # Loaded module rlm_soh
   # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
   soh {
   	dhcp = yes
   }
   # Loaded module rlm_always
   # Loading module "reject" from file 
/etc/freeradius/3.0/mods-enabled/always
   always reject {
   	rcode = "reject"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "fail" from file 
/etc/freeradius/3.0/mods-enabled/always
   always fail {
   	rcode = "fail"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "ok" from file 
/etc/freeradius/3.0/mods-enabled/always
   always ok {
   	rcode = "ok"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "handled" from file 
/etc/freeradius/3.0/mods-enabled/always
   always handled {
   	rcode = "handled"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "invalid" from file 
/etc/freeradius/3.0/mods-enabled/always
   always invalid {
   	rcode = "invalid"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "userlock" from file 
/etc/freeradius/3.0/mods-enabled/always
   always userlock {
   	rcode = "userlock"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "notfound" from file 
/etc/freeradius/3.0/mods-enabled/always
   always notfound {
   	rcode = "notfound"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "noop" from file 
/etc/freeradius/3.0/mods-enabled/always
   always noop {
   	rcode = "noop"
   	simulcount = 0
   	mpp = no
   }
   # Loading module "updated" from file 
/etc/freeradius/3.0/mods-enabled/always
   always updated {
   	rcode = "updated"
   	simulcount = 0
   	mpp = no
   }
   # Loaded module rlm_dynamic_clients
   # Loading module "dynamic_clients" from file 
/etc/freeradius/3.0/mods-enabled/dynamic_clients
   # Loading module "auth_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   detail auth_log {
   	filename = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	dates_as_integer = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "reply_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   detail reply_log {
   	filename = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	dates_as_integer = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "pre_proxy_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   detail pre_proxy_log {
   	filename = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	dates_as_integer = no
   	escape_filenames = no
   	log_packet_header = no
   }
   # Loading module "post_proxy_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   detail post_proxy_log {
   	filename = 
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
   	header = "%t"
   	permissions = 384
   	locking = no
   	dates_as_integer = no
   	escape_filenames = no
   	log_packet_header = no
   }
   instantiate {
   # Instantiating module "ldap_msauth00" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
rlm_ldap: libldap vendor: OpenLDAP, version: 20517
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more 
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth00): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_ldap (ldap_msauth00): Opening additional connection (0), 1 of 32 
pending slots used
rlm_ldap (ldap_msauth00): Connecting to 
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (1), 1 of 31 
pending slots used
rlm_ldap (ldap_msauth00): Connecting to 
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (2), 1 of 30 
pending slots used
rlm_ldap (ldap_msauth00): Connecting to 
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (3), 1 of 29 
pending slots used
rlm_ldap (ldap_msauth00): Connecting to 
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (4), 1 of 28 
pending slots used
rlm_ldap (ldap_msauth00): Connecting to 
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
   # Instantiating module "ldap_msauth01" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more 
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth01): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_ldap (ldap_msauth01): Opening additional connection (0), 1 of 32 
pending slots used
rlm_ldap (ldap_msauth01): Connecting to 
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (1), 1 of 31 
pending slots used
rlm_ldap (ldap_msauth01): Connecting to 
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (2), 1 of 30 
pending slots used
rlm_ldap (ldap_msauth01): Connecting to 
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (3), 1 of 29 
pending slots used
rlm_ldap (ldap_msauth01): Connecting to 
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (4), 1 of 28 
pending slots used
rlm_ldap (ldap_msauth01): Connecting to 
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
   # Instantiating module "ldap_msauth02" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more 
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth02): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_ldap (ldap_msauth02): Opening additional connection (0), 1 of 32 
pending slots used
rlm_ldap (ldap_msauth02): Connecting to 
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (1), 1 of 31 
pending slots used
rlm_ldap (ldap_msauth02): Connecting to 
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (2), 1 of 30 
pending slots used
rlm_ldap (ldap_msauth02): Connecting to 
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (3), 1 of 29 
pending slots used
rlm_ldap (ldap_msauth02): Connecting to 
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (4), 1 of 28 
pending slots used
rlm_ldap (ldap_msauth02): Connecting to 
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
   # Instantiating module "ldap_msauth04" from file 
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more 
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth04): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_ldap (ldap_msauth04): Opening additional connection (0), 1 of 32 
pending slots used
rlm_ldap (ldap_msauth04): Connecting to 
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (1), 1 of 31 
pending slots used
rlm_ldap (ldap_msauth04): Connecting to 
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (2), 1 of 30 
pending slots used
rlm_ldap (ldap_msauth04): Connecting to 
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (3), 1 of 29 
pending slots used
rlm_ldap (ldap_msauth04): Connecting to 
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (4), 1 of 28 
pending slots used
rlm_ldap (ldap_msauth04): Connecting to 
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
   }
   # Instantiating module "linelog" from file 
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "log_accounting" from file 
/etc/freeradius/3.0/mods-enabled/linelog
   # Instantiating module "cache_wifi" from file 
/etc/freeradius/3.0/mods-enabled/cache_wifi
rlm_cache (cache_wifi): Driver rlm_cache_rbtree (module 
rlm_cache_rbtree) loaded and linked
   # Instantiating module "eap_wlan_dot1x" from file 
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_tls
    tls {
    	tls = "tls-cae"
    }
    tls-config tls-cae {
    	verify_depth = 0
    	pem_file_type = yes
    	private_key_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
    	certificate_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
    	ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	ca_path_reload_interval = 0
    	cipher_list = "DEFAULT at SECLEVEL=0"
    	reject_unknown_intermediate_ca = no
    	ecdh_curve = "prime256v1"
    	disable_tlsv1_1 = no
    	disable_tlsv1_2 = no
    	tls_max_version = "1.2"
    	tls_min_version = "1.0"
     cache {
     	enable = yes
     	lifetime = 11
     	name = "EAP module"
     	max_entries = 0
     	virtual_server = "tls-cache-lan"
     }
     verify {
     	skip_if_ocsp_ok = no
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = no
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "inner-wlan-dot1x"
    	soh = no
    	require_client_cert = no
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/freeradius/3.0/certs"
    	pem_file_type = yes
    	private_key_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
    	certificate_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	ca_path_reload_interval = 0
    	cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT"
    	reject_unknown_intermediate_ca = no
    	ecdh_curve = "prime256v1"
    	disable_tlsv1_1 = no
    	disable_tlsv1_2 = no
    	tls_max_version = "1.2"
    	tls_min_version = "1.2"
     cache {
     	enable = yes
     	lifetime = 11
     	name = "EAP module"
     	max_entries = 0
     	virtual_server = "tls-cache-wlan"
     }
     verify {
     	skip_if_ocsp_ok = no
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    	identity = "FreeRADIUS"
    }
   # Instantiating module "cache_local" from file 
/etc/freeradius/3.0/mods-enabled/cache_local
rlm_cache (cache_local): Driver rlm_cache_rbtree (module 
rlm_cache_rbtree) loaded and linked
   # Instantiating module "redis-lan" from file 
/etc/freeradius/3.0/mods-enabled/redis-lan
rlm_redis (redis-lan): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 86400
    	cleanup_interval = 300
    	idle_timeout = 600
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_redis (redis-lan): Opening additional connection (0), 1 of 32 
pending slots used
rlm_redis (redis-lan): Opening additional connection (1), 1 of 31 
pending slots used
rlm_redis (redis-lan): Opening additional connection (2), 1 of 30 
pending slots used
rlm_redis (redis-lan): Opening additional connection (3), 1 of 29 
pending slots used
rlm_redis (redis-lan): Opening additional connection (4), 1 of 28 
pending slots used
   # Instantiating module "eap_lan_dot1x" from file 
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_tls
    tls {
    	tls = "tls-cae"
    }
    tls-config tls-cae {
    	verify_depth = 0
    	pem_file_type = yes
    	private_key_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
    	certificate_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
    	ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	ca_path_reload_interval = 0
    	cipher_list = "DEFAULT"
    	reject_unknown_intermediate_ca = no
    	ecdh_curve = "prime256v1"
    	disable_tlsv1_1 = no
    	disable_tlsv1_2 = no
    	tls_max_version = "1.2"
    	tls_min_version = "1.0"
     cache {
     	enable = yes
     	lifetime = 11
     	name = "EAP module"
     	max_entries = 0
     	virtual_server = "tls-cache-lan"
     }
     verify {
     	skip_if_ocsp_ok = no
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: 
cipher_list = "DEFAULT at SECLEVEL=0"
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = no
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = no
    	virtual_server = "inner-lan-dot1x"
    	soh = no
    	require_client_cert = no
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/freeradius/3.0/certs"
    	pem_file_type = yes
    	private_key_file = 
"/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr.key"
    	certificate_file = 
"/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr_chain.pem"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	ca_path_reload_interval = 0
    	cipher_list = "DEFAULT at SECLEVEL=0"
    	sigalgs_list = 
"ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256"
    	reject_unknown_intermediate_ca = no
    	ecdh_curve = "prime256v1"
    	tls_max_version = "1.2"
    	tls_min_version = "1.1"
     cache {
     	enable = yes
     	lifetime = 11
     	name = "EAP module"
     	max_entries = 0
     	virtual_server = "tls-cache-lan"
     }
     verify {
     	skip_if_ocsp_ok = no
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    	identity = "FreeRADIUS"
    }
   # Instantiating module "redis-wlan" from file 
/etc/freeradius/3.0/mods-enabled/redis-wlan
rlm_redis (redis-wlan): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 86400
    	cleanup_interval = 300
    	idle_timeout = 600
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_redis (redis-wlan): Opening additional connection (0), 1 of 32 
pending slots used
rlm_redis (redis-wlan): Opening additional connection (1), 1 of 31 
pending slots used
rlm_redis (redis-wlan): Opening additional connection (2), 1 of 30 
pending slots used
rlm_redis (redis-wlan): Opening additional connection (3), 1 of 29 
pending slots used
rlm_redis (redis-wlan): Opening additional connection (4), 1 of 28 
pending slots used
   # Instantiating module "detail" from file 
/etc/freeradius/3.0/mods-enabled/detail
   # Instantiating module "preprocess" from file 
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file 
/etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
   # Instantiating module "logintime" from file 
/etc/freeradius/3.0/mods-enabled/logintime
   # Instantiating module "expiration" from file 
/etc/freeradius/3.0/mods-enabled/expiration
   # Instantiating module "mschap_AD" from file 
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap_AD): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 86400
    	cleanup_interval = 300
    	idle_timeout = 600
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_mschap (mschap_AD): Opening additional connection (0), 1 of 32 
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (1), 1 of 31 
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (2), 1 of 30 
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (3), 1 of 29 
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (4), 1 of 28 
pending slots used
rlm_mschap (mschap_AD): authenticating directly to winbind
   # Instantiating module "mschap_LOCAL" from file 
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap_LOCAL): using internal authentication
   # Instantiating module "python3" from file 
/etc/freeradius/3.0/mods-enabled/python3
Python version: 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
   # Instantiating module "ldap_M2" from file 
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
    accounting {
    	reference = "%{tolower:type.%{Acct-Status-Type}}"
    }
    post-auth {
    	reference = "."
    }
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more 
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_M2): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_ldap (ldap_M2): Opening additional connection (0), 1 of 32 pending 
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (1), 1 of 31 pending 
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (2), 1 of 30 pending 
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (3), 1 of 29 pending 
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (4), 1 of 28 pending 
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
   # Instantiating module "cache" from file 
/etc/freeradius/3.0/mods-enabled/cache
rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) 
loaded and linked
   # Instantiating module "sql" from file 
/etc/freeradius/3.0/mods-enabled/my_module_sql
    postgresql {
    	send_application_name = no
    }
rlm_sql (sql): Attempting to connect to database "macip"
rlm_sql (sql): Initialising connection pool
    pool {
    	start = 5
    	min = 3
    	max = 32
    	spare = 10
    	uses = 0
    	lifetime = 0
    	cleanup_interval = 30
    	idle_timeout = 60
    	retry_delay = 30
    	max_retries = 5
    	spread = no
    }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots 
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip' 
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013, 
protocol version 3, backend PID 1428654
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots 
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip' 
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013, 
protocol version 3, backend PID 1428655
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots 
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip' 
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013, 
protocol version 3, backend PID 1428656
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots 
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip' 
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013, 
protocol version 3, backend PID 1428657
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots 
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip' 
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013, 
protocol version 3, backend PID 1428658
   # Instantiating module "cache_wired" from file 
/etc/freeradius/3.0/mods-enabled/cache_wired
rlm_cache (cache_wired): Driver rlm_cache_rbtree (module 
rlm_cache_rbtree) loaded and linked
   # Instantiating module "eap" from file 
/etc/freeradius/3.0/mods-enabled/eap
    # Linked to sub-module rlm_eap_md5
    # Linked to sub-module rlm_eap_peap
    peap {
    	tls = "tls-common"
    	default_eap_type = "mschapv2"
    	copy_request_to_tunnel = yes
    	use_tunneled_reply = yes
    	proxy_tunneled_request_as_eap = yes
    	virtual_server = "inner-tunnel"
    	soh = no
    	require_client_cert = no
    }
    tls-config tls-common {
    	verify_depth = 0
    	ca_path = "/etc/freeradius/3.0/certs"
    	pem_file_type = yes
    	private_key_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
    	certificate_file = 
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
    	random_file = "/dev/urandom"
    	fragment_size = 1024
    	include_length = yes
    	auto_chain = yes
    	check_crl = no
    	check_all_crl = no
    	ca_path_reload_interval = 0
    	cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT"
    	reject_unknown_intermediate_ca = no
    	ecdh_curve = "secp521r1"
    	disable_tlsv1 = no
    	disable_tlsv1_1 = no
    	disable_tlsv1_2 = no
    	tls_max_version = "1.2"
    	tls_min_version = "1.0"
     cache {
     	enable = yes
     	lifetime = 11
     	name = "EAP module"
     	max_entries = 0
     	persist_dir = "/var/log/freeradius/tlscache"
     }
     verify {
     	skip_if_ocsp_ok = no
     }
     ocsp {
     	enable = no
     	override_cert_url = yes
     	url = "http://127.0.0.1/ocsp/"
     	use_nonce = yes
     	timeout = 0
     	softfail = no
     }
    }
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set: 
cipher_list = "DEFAULT at SECLEVEL=0"
    # Linked to sub-module rlm_eap_mschapv2
    mschapv2 {
    	with_ntdomain_hack = no
    	send_error = no
    	identity = "FreeRADIUS"
    }
   # Instantiating module "IPASS" from file 
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "suffix" from file 
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "realmpercent" from file 
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "ntdomain" from file 
/etc/freeradius/3.0/mods-enabled/realm
   # Instantiating module "etc_passwd" from file 
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
   # Instantiating module "attr_filter.post-proxy" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file 
/etc/freeradius/3.0/mods-config/attr_filter/post-proxy
   # Instantiating module "attr_filter.pre-proxy" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file 
/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
   # Instantiating module "attr_filter.access_reject" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file 
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check 
item "FreeRADIUS-Response-Delay" 	found in filter list for realm 
"DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check 
item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm 
"DEFAULT".
   # Instantiating module "attr_filter.access_challenge" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file 
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
   # Instantiating module "attr_filter.accounting_response" from file 
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file 
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
   # Instantiating module "authfile" from file 
/etc/freeradius/3.0/mods-enabled/my_module_files
reading pairlist file /etc/freeradius/3.0/files.d/authfile
   # Instantiating module "authorized_macs" from file 
/etc/freeradius/3.0/mods-enabled/my_module_files
reading pairlist file /etc/freeradius/3.0/files.d/authorized_macs
   # Instantiating module "cache_laps" from file 
/etc/freeradius/3.0/mods-enabled/cache_laps
rlm_cache (cache_laps): Driver rlm_cache_rbtree (module 
rlm_cache_rbtree) loaded and linked
   # Instantiating module "pap" from file 
/etc/freeradius/3.0/mods-enabled/pap
   # Instantiating module "reject" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "fail" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "ok" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "handled" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "invalid" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "userlock" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "notfound" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "noop" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "updated" from file 
/etc/freeradius/3.0/mods-enabled/always
   # Instantiating module "auth_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in 
detail output
   # Instantiating module "reply_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "pre_proxy_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
   # Instantiating module "post_proxy_log" from file 
/etc/freeradius/3.0/mods-enabled/detail.log
  } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-lan-dot1x { # from file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
  # Loading authenticate {...}
  # Loading authorize {...}
  # Loading post-proxy {...}
  # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-lan-dot1x
server inner-wlan-dot1x { # from file 
/etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x
  # Loading authenticate {...}
Compiling Auth-Type MS-CHAP for attr Auth-Type
  # Loading authorize {...}
  # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-wlan-dot1x
server tls-cache-wlan { # from file 
/etc/freeradius/3.0/sites-enabled/tls-cache-wlan
Compiling cache load for attr TLS-Cache-Method
Compiling cache save for attr TLS-Cache-Method
Compiling cache clear for attr TLS-Cache-Method
Compiling cache refresh for attr TLS-Cache-Method
} # server tls-cache-wlan
server lan-dot1x { # from file /etc/freeradius/3.0/server.d/lan-dot1x
  # Loading authenticate {...}
Compiling Auth-Type eap_lan_dot1x for attr Auth-Type
  # Loading authorize {...}
  # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server lan-dot1x
server wlan-dot1x { # from file /etc/freeradius/3.0/server.d/wlan-dot1x
  # Loading authenticate {...}
Compiling Auth-Type eap_wlan_dot1x for attr Auth-Type
Compiling Auth-Type eap for attr Auth-Type
  # Loading authorize {...}
  # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server wlan-dot1x
server proxy-inner-tunnel { # from file 
/etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
  # Loading authenticate {...}
  # Loading authorize {...}
} # server proxy-inner-tunnel
server tls-cache-lan { # from file 
/etc/freeradius/3.0/sites-enabled/tls-cache-lan
Compiling cache load for attr TLS-Cache-Method
Compiling cache save for attr TLS-Cache-Method
Compiling cache clear for attr TLS-Cache-Method
Compiling cache refresh for attr TLS-Cache-Method
} # server tls-cache-lan
radiusd: #### Opening IP addresses and Ports ####
listen {
  	type = "control"
  listen {
  	socket = "/tmp/freeradius.sock"
  	mode = "rw"
  	peercred = yes
  }
}
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
   	type = "auth"
   	ipaddr = 127.0.0.1
   	port = 18121
}
listen {
   	type = "auth"
   	ipaddr = 127.0.0.1
   	port = 18122
}
Listening on command file /tmp/freeradius.sock
Listening on auth address * port 1812
Listening on auth address 127.0.0.1 port 18121 bound to server 
inner-lan-dot1x
Listening on auth address 127.0.0.1 port 18122 bound to server 
inner-wlan-dot1x
Listening on proxy address * port 37655
Ready to process requests
(0) Received Access-Request Id 197 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 178
(0)   Message-Authenticator = 0x681f93be02ffa3fa2d2ead82ffaf4433
(0)   User-Name = "PREPROD\\pierrick.merle.i"
(0)   NAS-IP-Address = 10.128.2.54
(0)   Called-Station-Id = "00-04-96-fa-2c-10"
(0)   NAS-Identifier = "SXT_APS20f"
(0)   NAS-Port = 1004
(0)   NAS-Port-Id = "4"
(0)   NAS-Port-Type = Ethernet
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(0)   EAP-Message = 
0x02dc001d0150524550524f445c706965727269636b2e6d65726c652e69
(0)   Framed-MTU = 1300
(0) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(0)   authorize {
(0)     [preprocess] = ok
(0)     policy extreme_rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(0)         update request {
(0)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(0)              --> 54:05:DB:EC:7A:F7
(0)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy extreme_rewrite_calling_station_id = updated
(0)     if (!&request:EAP-Message) {
(0)     if (!&request:EAP-Message)  -> FALSE
(0)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(0)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(0)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(0) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 220 length 29
(0) eap_lan_dot1x: EAP-Identity reply, returning 'ok' so we can 
short-circuit the rest of authorize
(0)       [eap_lan_dot1x] = ok
(0)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(0)     ... skipping elsif: Preceding "if" was taken
(0)     ... skipping else: Preceding "if" was taken
(0)   } # authorize = updated
(0) Found Auth-Type = eap_lan_dot1x
(0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(0)   Auth-Type eap_lan_dot1x {
(0) eap_lan_dot1x: Peer sent packet with method EAP Identity (1)
(0) eap_lan_dot1x: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap_lan_dot1x: Sending EAP Request (code 1) ID 221 length 6
(0) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fabe4ea12
(0)     [eap_lan_dot1x] = handled
(0)   } # Auth-Type eap_lan_dot1x = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(0)   Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 1014
(0) Sent Access-Challenge Id 197 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 64
(0)   EAP-Message = 0x01dd00061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xab39f39fabe4ea12f769f1fff0534bd1
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 198 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 362
(1)   Message-Authenticator = 0xe82132d7fa8da33e0b0f07bbc832dd14
(1)   User-Name = "PREPROD\\pierrick.merle.i"
(1)   State = 0xab39f39fabe4ea12f769f1fff0534bd1
(1)   NAS-IP-Address = 10.128.2.54
(1)   Called-Station-Id = "00-04-96-fa-2c-10"
(1)   NAS-Identifier = "SXT_APS20f"
(1)   NAS-Port = 1004
(1)   NAS-Port-Id = "4"
(1)   NAS-Port-Type = Ethernet
(1)   Framed-MTU = 1300
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(1)   EAP-Message = 
0x02dd00c31980000000b916030300b4010000b0030367c5a9517d60cd207bf08fd71f19f663cd5852706f2c03cd97e2ef911657e8622034aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(1) Restoring &session-state
(1)   &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(1)   authorize {
(1)     [preprocess] = ok
(1)     policy extreme_rewrite_calling_station_id {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1)              --> 54:05:DB:EC:7A:F7
(1)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy extreme_rewrite_calling_station_id = updated
(1)     if (!&request:EAP-Message) {
(1)     if (!&request:EAP-Message)  -> FALSE
(1)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(1)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(1)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(1) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 221 length 195
(1) eap_lan_dot1x: Continuing tunnel setup
(1)       [eap_lan_dot1x] = ok
(1)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(1)     ... skipping elsif: Preceding "if" was taken
(1)     ... skipping else: Preceding "if" was taken
(1)   } # authorize = updated
(1) Found Auth-Type = eap_lan_dot1x
(1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(1)   Auth-Type eap_lan_dot1x {
(1) eap_lan_dot1x: Removing EAP session with state 0xab39f39fabe4ea12
(1) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39fabe4ea12, released from the list
(1) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(1) eap_lan_dot1x: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) EAP Peer says that the final record size will be 185 
bytes
(1) eap_peap: (TLS) EAP Got all data (185 bytes)
(1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL 
initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL 
initialization
(1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(1) eap_peap: Peer requested cached session: 
34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932
(0)   cache load {
(0)     update {
rlm_redis (redis-lan): Reserved connection (0)
rlm_redis (redis-lan): executing the query: "GET 
0x34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932"
(0)       rlm_redis (redis-lan): Can't write result, insufficient space 
or unsupported result
rlm_redis (redis-lan): Released connection (0)
Need more connections to reach 10 spares
rlm_redis (redis-lan): Opening additional connection (5), 1 of 27 
pending slots used
(0)       EXPAND %{redis-lan:GET %{request:TLS-Session-ID}}
(0)          -->
(0)       &Tmp-String-0 :=
(0)     } # update = noop
(0)     if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) {
(0)     if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/)  -> 
TRUE
(0)     if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/)  {
(0)       return
(0)     } # if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) 
  = noop
(0)   } # cache load = noop
(1) eap_peap: WARNING: (TLS) PEAP - Failed to find TLS-Session-Data in 
'session-state' list for session 
34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read 
client hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
server hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
certificate
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key 
exchange
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
server done
(1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS 
write server done
(1) eap_peap: (TLS) PEAP - In Handshake Phase
(1) eap_lan_dot1x: Sending EAP Request (code 1) ID 222 length 1024
(1) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faae7ea12
(1)     [eap_lan_dot1x] = handled
(1)   } # Auth-Type eap_lan_dot1x = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(1)   Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 1014
(1)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(1) Sent Access-Challenge Id 198 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 1090
(1)   EAP-Message = 
0x01de040019c000000e2c160303005d0200005903035e4ae8e817988c3566f217c68bf58793f7e07a63c47a49261acaaea76576eefa2084298149cd6dba04ae6b1bfd7e1569034959ac77a2d0a5ad27082b792402b726c030000011ff01000100000b000403000102001700001603030c6a0b000c66000c630005c4308205c0308203a8a00302010202143db2792d468f53db29cf70cd516deeb6d7d7e144300d06092a864886f70d01010b05003065310b3009060355040613024652311b3019060355040a13124d696e6973746572652045636f6c6f676965310d300b060355040b1304444e554d312a30280603550403132145434f20524d494e20414320496e7465726d65646961697265204d616368696e65301e170d3234303630353037353934365a170d3235303630353038303031365a30233121301f060355040313187261646975732e61632e65322e7269652e676f75762e667230820122300d06092a864886f70d01010105000382010f003082010a0282
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xab39f39faae7ea12f769f1fff0534bd1
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 199 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 173
(2)   Message-Authenticator = 0xf48533d25521399963817e7616597244
(2)   User-Name = "PREPROD\\pierrick.merle.i"
(2)   State = 0xab39f39faae7ea12f769f1fff0534bd1
(2)   NAS-IP-Address = 10.128.2.54
(2)   Called-Station-Id = "00-04-96-fa-2c-10"
(2)   NAS-Identifier = "SXT_APS20f"
(2)   NAS-Port = 1004
(2)   NAS-Port-Id = "4"
(2)   NAS-Port-Type = Ethernet
(2)   Framed-MTU = 1300
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(2)   EAP-Message = 0x02de00061900
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 1014
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(2)   authorize {
(2)     [preprocess] = ok
(2)     policy extreme_rewrite_calling_station_id {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2)              --> 54:05:DB:EC:7A:F7
(2)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(2)         } # update request = noop
(2)         [updated] = updated
(2)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy extreme_rewrite_calling_station_id = updated
(2)     if (!&request:EAP-Message) {
(2)     if (!&request:EAP-Message)  -> FALSE
(2)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(2)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(2)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(2) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 222 length 6
(2) eap_lan_dot1x: Continuing tunnel setup
(2)       [eap_lan_dot1x] = ok
(2)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(2)     ... skipping elsif: Preceding "if" was taken
(2)     ... skipping else: Preceding "if" was taken
(2)   } # authorize = updated
(2) Found Auth-Type = eap_lan_dot1x
(2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(2)   Auth-Type eap_lan_dot1x {
(2) eap_lan_dot1x: Removing EAP session with state 0xab39f39faae7ea12
(2) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39faae7ea12, released from the list
(2) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(2) eap_lan_dot1x: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) Peer ACKed our handshake fragment
(2) eap_lan_dot1x: Sending EAP Request (code 1) ID 223 length 1020
(2) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa9e6ea12
(2)     [eap_lan_dot1x] = handled
(2)   } # Auth-Type eap_lan_dot1x = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(2)   Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 1014
(2)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(2) Sent Access-Challenge Id 199 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 1086
(2)   EAP-Message = 
0x01df03fc19402a687474703a2f2f63726c2e726d696e2e656463732e66722f696e7465726d616368696e6563612e63726c300d06092a864886f70d01010b050003820201000957bae2949136fbad39f5a4a62ca927fc84ff2f8c3b26bd5d5d50b753f24eaabc1e54b28481b405939853ec0fc868eb772139d2ee6c90c911bbd3f168409f9338587f3e61a2913145f8c9309ccc325b48d70149859c9f42d92a42a4ff93680181283565f5b3b37ad35e8ba57d089465b31e255f08ad34bfd63cde54374f10a4d18fb2ed50f1486146e74acfb8e211e439e841bfc54932ff929b98913e769cdf7e45d36657e9d3481d6d5216ac6c725591cb7154cb666062ebabb4096fa189865766abb1722ea1e15768ba1cf7e6ac805fb92f2495bf517b9e7730047fc54f69d20727f0cea8e3573e4a0fa69a4a6f0a6ca11266277cb448d61fa22e0a68009c42fdd11b2d4c3989fd2908fa3d7d0624616237610c1374afb462e42291dc44d78f9dfbe1cba02ea44c2817bd4ba9f1bc2160
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xab39f39fa9e6ea12f769f1fff0534bd1
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 200 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 173
(3)   Message-Authenticator = 0x53d1a6aee16c8987edf25b57090e579e
(3)   User-Name = "PREPROD\\pierrick.merle.i"
(3)   State = 0xab39f39fa9e6ea12f769f1fff0534bd1
(3)   NAS-IP-Address = 10.128.2.54
(3)   Called-Station-Id = "00-04-96-fa-2c-10"
(3)   NAS-Identifier = "SXT_APS20f"
(3)   NAS-Port = 1004
(3)   NAS-Port-Id = "4"
(3)   NAS-Port-Type = Ethernet
(3)   Framed-MTU = 1300
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(3)   EAP-Message = 0x02df00061900
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 1014
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(3)   authorize {
(3)     [preprocess] = ok
(3)     policy extreme_rewrite_calling_station_id {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3)              --> 54:05:DB:EC:7A:F7
(3)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(3)         } # update request = noop
(3)         [updated] = updated
(3)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy extreme_rewrite_calling_station_id = updated
(3)     if (!&request:EAP-Message) {
(3)     if (!&request:EAP-Message)  -> FALSE
(3)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(3)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(3)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(3) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 223 length 6
(3) eap_lan_dot1x: Continuing tunnel setup
(3)       [eap_lan_dot1x] = ok
(3)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(3)     ... skipping elsif: Preceding "if" was taken
(3)     ... skipping else: Preceding "if" was taken
(3)   } # authorize = updated
(3) Found Auth-Type = eap_lan_dot1x
(3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(3)   Auth-Type eap_lan_dot1x {
(3) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa9e6ea12
(3) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39fa9e6ea12, released from the list
(3) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(3) eap_lan_dot1x: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap_lan_dot1x: Sending EAP Request (code 1) ID 224 length 1020
(3) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa8d9ea12
(3)     [eap_lan_dot1x] = handled
(3)   } # Auth-Type eap_lan_dot1x = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(3)   Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 1014
(3)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(3) Sent Access-Challenge Id 200 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 1086
(3)   EAP-Message = 
0x01e003fc1940c7aa2e068818a20c750b7184a76445710d8c429a0221abbca66a5c355a3b63af6aeeaf6d1a77c800677b4998101328f4397e2b50b8d164dab887585adea9b07d64c14a5204b198944d6cfd333f9355d5e4d52810957a3c456fbbfc29f7be81704f0be0d4df65f0dfd7201550291a8195121cda6d3cc26ecc2326ed652f1934507e7dbc4d3318b6945a138f1ccca762d1e6382415a48f043902ab7735bad049d2ba09877d8a90cae08ba3e285fe097d9ac4e1eed66bebfcbe780d434e63003cb2dc51bd91d1b95d0287616b244ce4ed4e4da198f22be8017b6eb37ed521b9457f3fc07056374a2b41afa846e2359e63e1bdd93adce5ac9409c3d2d5650eb55376ccf9dad6d40ef7fbe0e5de98614702da923e3d512f90382acb5ca948f1a4338f6bbf3eebecb51d5ae4d5abf35d8738f4da2d57310f8e42eba1b2db4a92a4853d5919d695b11d92b0a2b89229a9f2b9e3472429d31e3ae29772b96a03216732a0452b7e6d60518fdb04cb0203010001a382
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xab39f39fa8d9ea12f769f1fff0534bd1
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 201 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 173
(4)   Message-Authenticator = 0xfd539975736768f13f95221dbf4d0ca0
(4)   User-Name = "PREPROD\\pierrick.merle.i"
(4)   State = 0xab39f39fa8d9ea12f769f1fff0534bd1
(4)   NAS-IP-Address = 10.128.2.54
(4)   Called-Station-Id = "00-04-96-fa-2c-10"
(4)   NAS-Identifier = "SXT_APS20f"
(4)   NAS-Port = 1004
(4)   NAS-Port-Id = "4"
(4)   NAS-Port-Type = Ethernet
(4)   Framed-MTU = 1300
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(4)   EAP-Message = 0x02e000061900
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 1014
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(4)   authorize {
(4)     [preprocess] = ok
(4)     policy extreme_rewrite_calling_station_id {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(4)         update request {
(4)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4)              --> 54:05:DB:EC:7A:F7
(4)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(4)         } # update request = noop
(4)         [updated] = updated
(4)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy extreme_rewrite_calling_station_id = updated
(4)     if (!&request:EAP-Message) {
(4)     if (!&request:EAP-Message)  -> FALSE
(4)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(4)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(4)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(4) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 224 length 6
(4) eap_lan_dot1x: Continuing tunnel setup
(4)       [eap_lan_dot1x] = ok
(4)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(4)     ... skipping elsif: Preceding "if" was taken
(4)     ... skipping else: Preceding "if" was taken
(4)   } # authorize = updated
(4) Found Auth-Type = eap_lan_dot1x
(4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(4)   Auth-Type eap_lan_dot1x {
(4) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa8d9ea12
(4) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39fa8d9ea12, released from the list
(4) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(4) eap_lan_dot1x: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap_lan_dot1x: Sending EAP Request (code 1) ID 225 length 592
(4) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fafd8ea12
(4)     [eap_lan_dot1x] = handled
(4)   } # Auth-Type eap_lan_dot1x = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 1014
(4)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(4) Sent Access-Challenge Id 201 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 654
(4)   EAP-Message = 
0x01e1025019008e6fb31e34c535308289f4dcd79f82c53469189129212beebbde8a69f5239dc84fd2c00a0a7d30564f2c48ea5a49a49cdf79f200b5c408ce7354bc7ffef171a8724b15b86e52f27ad9991181caff2bf1f7190c900c2d5358bed4ddc9f853d5664b6a76f15a32c324277fb1f78b9970f9f7a483e1c7999e04a87a05af8469e90b6c535b322711f64111eff1dfd1eeabdfdc380204be62d525762e25471838b54ae3bfb8c0fd01b0cbf2b0542aa907585ab52f386d5d627d6cc965cbb9444bdd046a0422251c3368ecd8be1e917029987e66cb511820cd2a2cdaa570575416c54081271204d245581e28cec2dd66cfa2160303014d0c00014903001741046251b7e62bf95cb9ab08709f7abb30c19e7d19d4c5cd3e4f6aadf2f1a8ff4387c913b1b36b9f93931c77c74993a7573a9ff64c27e3b67b0d4e7c75eaec2d6f0b040101007b152e53b8146e29162fcba24e92a04629f33dcd7f70e9a9d28e044e7d9faf1c8888c407c4b3fe0be85c59c9b8a8633b
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xab39f39fafd8ea12f769f1fff0534bd1
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 202 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 303
(5)   Message-Authenticator = 0x330d17d58367b7c7debbd2388d24da3b
(5)   User-Name = "PREPROD\\pierrick.merle.i"
(5)   State = 0xab39f39fafd8ea12f769f1fff0534bd1
(5)   NAS-IP-Address = 10.128.2.54
(5)   Called-Station-Id = "00-04-96-fa-2c-10"
(5)   NAS-Identifier = "SXT_APS20f"
(5)   NAS-Port = 1004
(5)   NAS-Port-Id = "4"
(5)   NAS-Port-Type = Ethernet
(5)   Framed-MTU = 1300
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(5)   EAP-Message = 
0x02e1008819800000007e1603030046100000424104478011a091c5392414894d3b1d96709c1c3a41ce60f156911ec687f2955d4e40e567885782f0be58e1374d4a11656554927dc06481a8e4023f6f96359b6c66cf1403030001011603030028000000000000000042308fd559fe9927cfb60949046a6718bbcb97c8243c745e3f0cd09ce51e7c01
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 1014
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(5)   authorize {
(5)     [preprocess] = ok
(5)     policy extreme_rewrite_calling_station_id {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(5)         update request {
(5)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5)              --> 54:05:DB:EC:7A:F7
(5)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(5)         } # update request = noop
(5)         [updated] = updated
(5)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy extreme_rewrite_calling_station_id = updated
(5)     if (!&request:EAP-Message) {
(5)     if (!&request:EAP-Message)  -> FALSE
(5)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(5)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(5)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(5) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 225 length 136
(5) eap_lan_dot1x: Continuing tunnel setup
(5)       [eap_lan_dot1x] = ok
(5)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(5)     ... skipping elsif: Preceding "if" was taken
(5)     ... skipping else: Preceding "if" was taken
(5)   } # authorize = updated
(5) Found Auth-Type = eap_lan_dot1x
(5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(5)   Auth-Type eap_lan_dot1x {
(5) eap_lan_dot1x: Removing EAP session with state 0xab39f39fafd8ea12
(5) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39fafd8ea12, released from the list
(5) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(5) eap_lan_dot1x: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) EAP Peer says that the final record size will be 126 
bytes
(5) eap_peap: (TLS) EAP Got all data (126 bytes)
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
server done
(5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read 
client key exchange
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read 
change cipher spec
(5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read 
finished
(5) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
change cipher spec
(5) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write 
finished
(5) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished 
successfully
(5) eap_peap: (TLS) PEAP - Connection Established
(5) eap_peap:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap:   TLS-Session-Version = "TLS 1.2"
(5) eap_lan_dot1x: Sending EAP Request (code 1) ID 226 length 57
(5) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faedbea12
(5)     [eap_lan_dot1x] = handled
(5)   } # Auth-Type eap_lan_dot1x = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   Framed-MTU = 1014
(5)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(5)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
ClientKeyExchange"
(5)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
Finished"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 
ChangeCipherSpec"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Finished"
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 202 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 115
(5)   EAP-Message = 
0x01e2003919001403030001011603030028992e1d08a6281f94437d18a88f2f337b9abbd59b6c10d58320ae5341ff5cb1be50d4e0e30627f0e3
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xab39f39faedbea12f769f1fff0534bd1
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 203 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 173
(6)   Message-Authenticator = 0x01e2569fa0d0a5ef89068ddfa1ffba9d
(6)   User-Name = "PREPROD\\pierrick.merle.i"
(6)   State = 0xab39f39faedbea12f769f1fff0534bd1
(6)   NAS-IP-Address = 10.128.2.54
(6)   Called-Station-Id = "00-04-96-fa-2c-10"
(6)   NAS-Identifier = "SXT_APS20f"
(6)   NAS-Port = 1004
(6)   NAS-Port-Id = "4"
(6)   NAS-Port-Type = Ethernet
(6)   Framed-MTU = 1300
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(6)   EAP-Message = 0x02e200061900
(6) Restoring &session-state
(6)   &session-state:Framed-MTU = 1014
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, ClientKeyExchange"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, Finished"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 ChangeCipherSpec"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Finished"
(6)   &session-state:TLS-Session-Cipher-Suite = 
"ECDHE-RSA-AES256-GCM-SHA384"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(6)   authorize {
(6)     [preprocess] = ok
(6)     policy extreme_rewrite_calling_station_id {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6)              --> 54:05:DB:EC:7A:F7
(6)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(6)         } # update request = noop
(6)         [updated] = updated
(6)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy extreme_rewrite_calling_station_id = updated
(6)     if (!&request:EAP-Message) {
(6)     if (!&request:EAP-Message)  -> FALSE
(6)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(6)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(6)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(6) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 226 length 6
(6) eap_lan_dot1x: Continuing tunnel setup
(6)       [eap_lan_dot1x] = ok
(6)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(6)     ... skipping elsif: Preceding "if" was taken
(6)     ... skipping else: Preceding "if" was taken
(6)   } # authorize = updated
(6) Found Auth-Type = eap_lan_dot1x
(6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(6)   Auth-Type eap_lan_dot1x {
(6) eap_lan_dot1x: Removing EAP session with state 0xab39f39faedbea12
(6) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39faedbea12, released from the list
(6) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(6) eap_lan_dot1x: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) Peer ACKed our handshake fragment.  handshake is 
finished
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap_lan_dot1x: Sending EAP Request (code 1) ID 227 length 40
(6) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faddaea12
(6)     [eap_lan_dot1x] = handled
(6)   } # Auth-Type eap_lan_dot1x = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   Framed-MTU = 1014
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
ClientKeyExchange"
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
Finished"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 
ChangeCipherSpec"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Finished"
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 203 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 98
(6)   EAP-Message = 
0x01e300281900170303001d992e1d08a6281f952ddff245583c3e11a01f3a0811d5f52af6dc4daf1b
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xab39f39faddaea12f769f1fff0534bd1
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 204 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 227
(7)   Message-Authenticator = 0x96497c11b13a76a5b23e44be8f7d5ff9
(7)   User-Name = "PREPROD\\pierrick.merle.i"
(7)   State = 0xab39f39faddaea12f769f1fff0534bd1
(7)   NAS-IP-Address = 10.128.2.54
(7)   Called-Station-Id = "00-04-96-fa-2c-10"
(7)   NAS-Identifier = "SXT_APS20f"
(7)   NAS-Port = 1004
(7)   NAS-Port-Id = "4"
(7)   NAS-Port-Type = Ethernet
(7)   Framed-MTU = 1300
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(7)   EAP-Message = 
0x02e3003c190017030300310000000000000001a09b6c88393f3903b90ebde72d0ec97a46ae05e7c48e47576720783176f2be7dfdd79503de20f2603a
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 1014
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, ClientKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 ChangeCipherSpec"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Cipher-Suite = 
"ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(7)   authorize {
(7)     [preprocess] = ok
(7)     policy extreme_rewrite_calling_station_id {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(7)         update request {
(7)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7)              --> 54:05:DB:EC:7A:F7
(7)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(7)         } # update request = noop
(7)         [updated] = updated
(7)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy extreme_rewrite_calling_station_id = updated
(7)     if (!&request:EAP-Message) {
(7)     if (!&request:EAP-Message)  -> FALSE
(7)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(7)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(7)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(7) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 227 length 60
(7) eap_lan_dot1x: Continuing tunnel setup
(7)       [eap_lan_dot1x] = ok
(7)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(7)     ... skipping elsif: Preceding "if" was taken
(7)     ... skipping else: Preceding "if" was taken
(7)   } # authorize = updated
(7) Found Auth-Type = eap_lan_dot1x
(7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(7)   Auth-Type eap_lan_dot1x {
(7) eap_lan_dot1x: Removing EAP session with state 0xab39f39faddaea12
(7) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39faddaea12, released from the list
(7) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(7) eap_lan_dot1x: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Done initial handshake
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - PREPROD\pierrick.merle.i
(7) eap_peap: Got inner identity 'PREPROD\pierrick.merle.i'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i
(7) eap_peap: Sending tunneled request to inner-lan-dot1x
(7) eap_peap:   EAP-Message = 
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "PREPROD\\pierrick.merle.i"
(7) Virtual server inner-lan-dot1x received request
(7)   EAP-Message = 
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "PREPROD\\pierrick.merle.i"
(7) WARNING: Outer and inner identities are the same.  User privacy is 
compromised.
(7) server inner-lan-dot1x {
(7)   # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(7)     authorize {
(7)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ ) {
(7)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ )  -> TRUE
(7)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ )  {
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: Looking up realm "PREPROD" for User-Name = 
"PREPROD\pierrick.merle.i"
(7) ntdomain: Found realm "PREPROD"
(7) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i"
(7) ntdomain: Adding Realm = "PREPROD"
(7) ntdomain: Proxying request from user pierrick.merle.i to realm 
PREPROD
(7) ntdomain: Preparing to proxy authentication request to realm 
"PREPROD"
(7)         [ntdomain] = updated
(7)       } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name 
=~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name 
=~ /^FORMATION/ )  = updated
(7)       ... skipping elsif: Preceding "if" was taken
(7)       ... skipping elsif: Preceding "if" was taken
(7)       ... skipping elsif: Preceding "if" was taken
(7)       update {
(7)         No attributes updated for RHS 
&control:Extreme-Netlogin-Extended-Vlan
(7)         No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(7)         No attributes updated for RHS 
&control:Fabric-Attach-Service-Request[*]
(7)         No attributes updated for RHS &control:Filter-Id
(7)         No attributes updated for RHS 
&control:Tunnel-Private-Group-Id
(7)         reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i'
(7)       } # update = noop
(7)     } # authorize = updated
(7) } # server inner-lan-dot1x
(7) Virtual server sending reply
(7)   User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap: Got tunneled reply code 0
(7) eap_peap:   User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap: Calling authenticate in order to initiate tunneled EAP 
session
(7) # Executing group from file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(7)   authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 228 length 36
(7) eap: EAP session adding &reply:State = 0x7b60a4d57b84bea7
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) eap_peap: Cancelling proxy to realm PREPROD until the tunneled EAP 
session has been established
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap:   EAP-Message = 
0x01e400241a01e4001f10f0a506e01e192881a4906d742fc4b2e646726565524144495553
(7) eap_peap:   Message-Authenticator = 
0x00000000000000000000000000000000
(7) eap_peap:   State = 0x7b60a4d57b84bea7a078a662a72147dc
(7) eap_peap: Got tunneled Access-Challenge
(7) eap_lan_dot1x: Sending EAP Request (code 1) ID 228 length 67
(7) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39facddea12
(7)     [eap_lan_dot1x] = handled
(7)   } # Auth-Type eap_lan_dot1x = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   Framed-MTU = 1014
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, 
ClientHello"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHello"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Certificate"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerKeyExchange"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
ServerHelloDone"
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
ClientKeyExchange"
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, 
Finished"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 
ChangeCipherSpec"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, 
Finished"
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 204 from 10.128.0.58:1812 to 
10.128.2.54:32769 length 125
(7)   EAP-Message = 
0x01e4004319001703030038992e1d08a6281f9686a180dc1b41a0f8984c319974a02913f93e71bac56da78cda96880678431a2282a64c261c993c336832c275f722fc55
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xab39f39facddea12f769f1fff0534bd1
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 205 from 10.128.2.54:32769 to 
10.128.0.58:1812 length 281
(8)   Message-Authenticator = 0xf73b3d46fcc452447830970250510653
(8)   User-Name = "PREPROD\\pierrick.merle.i"
(8)   State = 0xab39f39facddea12f769f1fff0534bd1
(8)   NAS-IP-Address = 10.128.2.54
(8)   Called-Station-Id = "00-04-96-fa-2c-10"
(8)   NAS-Identifier = "SXT_APS20f"
(8)   NAS-Port = 1004
(8)   NAS-Port-Id = "4"
(8)   NAS-Port-Type = Ethernet
(8)   Framed-MTU = 1300
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "54-05-DB-EC-7A-F7"
(8)   EAP-Message = 
0x02e40072190017030300670000000000000002cca31e7eae2c47f00df3d68a7c9871cbdf92c0ba98e0ed3b8e88e7af8d6620cbfa71200ac29d972f1304402d8ca4992f94e9d2bba3878f1e7c37139b64efc0c8a44e693a2c6e7b9a24f2b2f424c0987c51dd5b6b3345814d5a991fd963aca0
(8) Restoring &session-state
(8)   &session-state:Framed-MTU = 1014
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.3 Handshake, ClientHello"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHello"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Certificate"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerKeyExchange"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, ServerHelloDone"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, ClientKeyExchange"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 
1.2 Handshake, Finished"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 ChangeCipherSpec"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 
1.2 Handshake, Finished"
(8)   &session-state:TLS-Session-Cipher-Suite = 
"ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(8)   authorize {
(8)     [preprocess] = ok
(8)     policy extreme_rewrite_calling_station_id {
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
{
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  -> TRUE
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  {
(8)         update request {
(8)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8)              --> 54:05:DB:EC:7A:F7
(8)           &Calling-Station-Id := 54:05:DB:EC:7A:F7
(8)         } # update request = noop
(8)         [updated] = updated
(8)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ 
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) 
  = updated
(8)       ... skipping else: Preceding "if" was taken
(8)     } # policy extreme_rewrite_calling_station_id = updated
(8)     if (!&request:EAP-Message) {
(8)     if (!&request:EAP-Message)  -> FALSE
(8)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(8)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  -> TRUE
(8)     elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  {
(8) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 228 length 114
(8) eap_lan_dot1x: Continuing tunnel setup
(8)       [eap_lan_dot1x] = ok
(8)     } # elsif (&request:User-Name =~ /^PREPROD/ || 
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)  
= ok
(8)     ... skipping elsif: Preceding "if" was taken
(8)     ... skipping else: Preceding "if" was taken
(8)   } # authorize = updated
(8) Found Auth-Type = eap_lan_dot1x
(8) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(8)   Auth-Type eap_lan_dot1x {
(8) eap_lan_dot1x: Removing EAP session with state 0xab39f39facddea12
(8) eap_lan_dot1x: Previous EAP request found for state 
0xab39f39facddea12, released from the list
(8) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(8) eap_lan_dot1x: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i
(8) eap_peap: Sending tunneled request to inner-lan-dot1x
(8) eap_peap:   EAP-Message = 
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "PREPROD\\pierrick.merle.i"
(8) eap_peap:   State = 0x7b60a4d57b84bea7a078a662a72147dc
(8) Virtual server inner-lan-dot1x received request
(8)   EAP-Message = 
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "PREPROD\\pierrick.merle.i"
(8)   State = 0x7b60a4d57b84bea7a078a662a72147dc
(8) WARNING: Outer and inner identities are the same.  User privacy is 
compromised.
(8) server inner-lan-dot1x {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(8)     authorize {
(8)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ ) {
(8)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ )  -> TRUE
(8)       if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~ 
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~ 
/^FORMATION/ )  {
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: Looking up realm "PREPROD" for User-Name = 
"PREPROD\pierrick.merle.i"
(8) ntdomain: Found realm "PREPROD"
(8) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i"
(8) ntdomain: Adding Realm = "PREPROD"
(8) ntdomain: Proxying request from user pierrick.merle.i to realm 
PREPROD
(8) ntdomain: Preparing to proxy authentication request to realm 
"PREPROD"
(8)         [ntdomain] = updated
(8)       } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name 
=~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name 
=~ /^FORMATION/ )  = updated
(8)       ... skipping elsif: Preceding "if" was taken
(8)       ... skipping elsif: Preceding "if" was taken
(8)       ... skipping elsif: Preceding "if" was taken
(8)       update {
(8)         No attributes updated for RHS 
&control:Extreme-Netlogin-Extended-Vlan
(8)         No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(8)         No attributes updated for RHS 
&control:Fabric-Attach-Service-Request[*]
(8)         No attributes updated for RHS &control:Filter-Id
(8)         No attributes updated for RHS 
&control:Tunnel-Private-Group-Id
(8)         reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i'
(8)       } # update = noop
(8)     } # authorize = updated
(8) } # server inner-lan-dot1x
(8) Virtual server sending reply
(8)   User-Name := "PREPROD\\pierrick.merle.i"
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap:   User-Name := "PREPROD\\pierrick.merle.i"
(8) eap_peap: Calling authenticate in order to initiate tunneled EAP 
session
(8) # Executing group from file 
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(8)   authenticate {
(8) eap: Removing EAP session with state 0x7b60a4d57b84bea7
(8) eap: Previous EAP request found for state 0x7b60a4d57b84bea7, 
released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Cancelling authentication and letting it be proxied
(8) eap: No EAP proxy set.  Not composing EAP
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) eap_peap: Tunnelled authentication will be proxied to PREPROD
(8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy
(8) eap_lan_dot1x: WARNING: Tunneled session will be proxied.  Not doing 
EAP
(8)     [eap_lan_dot1x] = handled
(8)   } # Auth-Type eap_lan_dot1x = handled
(8) Starting proxy to home server 10.167.73.13 port 1812
(8) server lan-dot1x {
(8) }
(8) Proxying request to home server 10.167.73.13 port 1812 timeout 
20.000000
(8) Sent Access-Request Id 248 from 0.0.0.0:37655 to 10.167.73.13:1812 
length 143
(8)   User-Name = "pierrick.merle.i"
(8)   MS-CHAP-Challenge = <redacted>
(8)   MS-CHAP2-Response = <redacted>
(8)   Message-Authenticator := 0x00
(8)   Proxy-State = 0x323035
Waking up in 0.3 seconds.
(8) Marking home server 10.167.73.13 port 1812 alive
(8) Clearing existing &reply: attributes
(8) Received Access-Accept Id 248 from 10.167.73.13:1812 to 
10.166.1.58:37655 length 252
(8)   Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a
(8)   Proxy-State = 0x323035
(8)   Framed-Protocol = PPP
(8)   Service-Type = Framed-User
(8)   Class = 
0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af
(8)   MS-MPPE-Recv-Key = <redacted>
(8)   MS-MPPE-Send-Key = <redacted>
(8)   MS-CHAP2-Success = <redacted>
(8)   MS-CHAP-Domain = "\344PREPROD"
(8) server lan-dot1x {
(8) }
(8) Found Auth-Type = eap_lan_dot1x
(8) Found Auth-Type = Accept
(8) ERROR: Warning:  Found 2 auth-types on request for user 
'PREPROD\pierrick.merle.i'
(8) Auth-Type = Accept, accepting the user
(8) # Executing section post-auth from file 
/etc/freeradius/3.0/server.d/lan-dot1x
(8)   post-auth {
(8)     if (session-state:User-Name && reply:User-Name && 
request:User-Name && (reply:User-Name == request:User-Name)) {
(8)     if (session-state:User-Name && reply:User-Name && 
request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(8)     update {
(8)       &reply:MS-MPPE-Recv-Key !* ANY
(8)       &reply:MS-MPPE-Send-Key !* ANY
(8)       &reply:Tunnel-Private-Group-Id:0 !* ANY
(8)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 
Handshake, ClientHello'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
Handshake, ServerHello'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
Handshake, Certificate'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
Handshake, ServerKeyExchange'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
Handshake, ServerHelloDone'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 
Handshake, ClientKeyExchange'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 
Handshake, Finished'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
ChangeCipherSpec'
(8)       &reply::TLS-Session-Information += 
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 
Handshake, Finished'
(8)       &reply::TLS-Session-Cipher-Suite += 
&session-state:TLS-Session-Cipher-Suite[*] -> 
'ECDHE-RSA-AES256-GCM-SHA384'
(8)       &reply::TLS-Session-Version += 
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8)       &reply:User-Name := &request:User-Name -> 
'PREPROD\\pierrick.merle.i'
(8)       No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(8)       No attributes updated for RHS 
&control:Fabric-Attach-Service-Request[*]
(8)       No attributes updated for RHS &control:Filter-Id
(8)       No attributes updated for RHS &control:Tunnel-Private-Group-Id
(8)     } # update = noop
(8)     if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" ) {
(8)     if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" )  -> 
FALSE
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # post-auth = noop
(8) EXPAND OK %{request:User-Name} 
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX} 
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none} 
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none} 
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none} 
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none} 
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none} 
SR:%{%{request:EAP-Session-Resumed}:-none} 
H:%{%{request:Cache-Entry-Hits}:-0}
(8)    --> OK PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004 
N:SXT_APS20f M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0
(8) Login OK: [PREPROD\pierrick.merle.i/<via Auth-Type = eap_lan_dot1x>] 
(from client SWITCH port 1004 cli 54:05:DB:EC:7A:F7) OK 
PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004 N:SXT_APS20f 
M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0
(8) Sent Access-Accept Id 205 from 10.128.0.58:1812 to 10.128.2.54:32769 
length 195
(8)   Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a
(8)   Framed-Protocol = PPP
(8)   Service-Type = Framed-User
(8)   Class = 
0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af
(8)   MS-CHAP2-Success = <redacted>
(8)   MS-CHAP-Domain = "\344PREPROD"
(8)   Framed-MTU += 1014
(8)   User-Name := "PREPROD\\pierrick.merle.i"
(8) Finished request
Waking up in 4.9 seconds.

Le 21/02/2025 19:28, > aland a écrit :
> On Feb 21, 2025, at 1:04 PM, MERLE Pierrick (Chef de projet réseau) -
> SG/DNUM/MSP/DIS/GIR via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
>> I am currently using FreeRADIUS 3.2.x as a RADIUS proxy to forward 
>> EAP-PEAP/MSCHAPv2 authentication requests to a backend Microsoft NPS 
>> server. The setup is working correctly, but I am facing an issue with 
>> TLS session resumption when using a proxy in the inner-tunnel: 
>> Attributes are never saved in the tls cache.
> 
>   There's no reason why it shouldn't work.
> 
>> When I use this setup without any proxy at all, TLS session resumption 
>> just works as expected.
>> 
>> Is TLS session resumption supported when using FreeRADIUS as a proxy 
>> for the inner authentication?
>> If so, how can I properly cache the TLS session in this scenario?
> 
>   If you configure it, it should work.  The code to save / restore
> session resumption data is independent of the inner-tunnel proxying.
> It's part of the TLS connection setup instead.
> 
>  Please post the full debug log for a situation where the session
> resumption doesn't work.  The code is FULL of debug messages which
> explain when / why it's saving sessions, or not.
> 
>   Alan DeKok.



More information about the Freeradius-Users mailing list