TLS Session Resumption with Proxy in Inner-Tunnel Not Working
MERLE Pierrick (Chef de projet réseau) - SG/DNUM/MSP/DIS/GIR
pierrick.merle at i-carre.net
Mon Mar 3 13:22:21 UTC 2025
I only managed to make it work if i set "proxy_tunneled_request_as_eap =
no" in my eap conf.
From what I understand, It makes using plain mschapv2 between proxy and
backend and not eap_mschapv2.
But I think there is something weird in the end: It is like response
sent from the backend server is not sent back to the client using the
established PEAP tunnel, but it is send directly as it is in the outer
tunnel.
So it seems to work, but I see nothing saved in my TLS cache.
Below the full debug:
FreeRADIUS Version 3.2.4
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/cache_wifi
including configuration file
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
including configuration file
/etc/freeradius/3.0/mods-enabled/cache_local
including configuration file /etc/freeradius/3.0/mods-enabled/redis-lan
including configuration file
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
including configuration file /etc/freeradius/3.0/mods-enabled/redis-wlan
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/python3
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
including configuration file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
including configuration file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
including configuration file /etc/freeradius/3.0/mods-enabled/cache
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file
/etc/freeradius/3.0/mods-enabled/my_module_sql
including configuration file
/etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf
including configuration file
/etc/freeradius/3.0/mods-enabled/cache_wired
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file
/etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file
/etc/freeradius/3.0/mods-enabled/my_module_files
including configuration file /etc/freeradius/3.0/mods-enabled/cache_laps
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file
/etc/freeradius/3.0/policy.d/my_policy_ldap_group
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file
/etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including configuration file
/etc/freeradius/3.0/policy.d/my_policy_username
including configuration file
/etc/freeradius/3.0/policy.d/my_policy_vlan-inner
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file
/etc/freeradius/3.0/policy.d/my_policy_vlan-outer
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file
/etc/freeradius/3.0/policy.d/canonicalization
including configuration file
/etc/freeradius/3.0/policy.d/extreme-macaddress
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/accounting
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
including configuration file
/etc/freeradius/3.0/sites-enabled/control-socket
including configuration file
/etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x
including configuration file
/etc/freeradius/3.0/sites-enabled/tls-cache-wlan
including configuration file /etc/freeradius/3.0/sites-enabled/dot1x
including files in directory /etc/freeradius/3.0/server.d/
including configuration file /etc/freeradius/3.0/server.d/lan-dot1x
including configuration file /etc/freeradius/3.0/server.d/wlan-dot1x
including configuration file
/etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
including configuration file
/etc/freeradius/3.0/sites-enabled/tls-cache-lan
main {
security {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
}
main {
name = "freeradius"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/freeradius"
run_dir = "/var/run/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 65535
max_fds = 512
postauth_client_lost = yes
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = yes
auth = yes
auth_badpass = no
auth_goodpass = yes
msg_badpass = "ALARM %{request:User-Name}
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX}
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none}
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none}
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none}
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none}
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none}
SR:%{%{request:EAP-Session-Resumed}:-none}
H:%{%{request:Cache-Entry-Hits}:-0}"
msg_goodpass = "OK %{request:User-Name}
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX}
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none}
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none}
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none}
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none}
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none}
SR:%{%{request:EAP-Session-Resumed}:-none}
H:%{%{request:Cache-Entry-Hits}:-0}"
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = no
}
}
radiusd: #### Loading Realms and Home Servers ####
home_server nps_cabinet {
nonblock = no
ipaddr = 10.116.249.13
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server nps_server {
nonblock = no
ipaddr = 10.167.73.13
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool nps_pool {
type = fail-over
home_server = nps_server
}
realm nps_realm {
auth_pool = nps_pool
}
realm PREPROD {
auth_pool = nps_pool
}
home_server_pool cabinet_pool {
type = fail-over
home_server = nps_cabinet
}
realm CABINET {
auth_pool = cabinet_pool
}
realm FORMATION {
auth_pool = cabinet_pool
nostrip
}
radiusd: #### Loading Clients ####
client test {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = <<< secret >>>
shortname = "localhost"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client test2 {
ipaddr = 10.128.0.12
require_message_authenticator = no
secret = <<< secret >>>
shortname = "star-trek4"
nas_type = "other"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client SWITCH {
ipaddr = 10.128.0.0/20
require_message_authenticator = no
secret = <<< secret >>>
shortname = "SWITCH"
nas_type = "other"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.255.255.0/25 {
ipaddr = 10.255.255.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.128.0.220 {
ipaddr = 10.128.0.220
require_message_authenticator = no
secret = <<< secret >>>
shortname = "centreon-seq"
nas_type = "other"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.128.0.221 {
ipaddr = 10.128.0.221
require_message_authenticator = no
secret = <<< secret >>>
shortname = "centreon-aps"
nas_type = "other"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.110.0/25 {
ipaddr = 10.166.110.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_110"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.110.192/27 {
ipaddr = 10.166.110.192/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_110"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.111.0/25 {
ipaddr = 10.166.111.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_111"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.112.0/25 {
ipaddr = 10.166.112.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_112"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.112.192/27 {
ipaddr = 10.166.112.192/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_112"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.113.0/25 {
ipaddr = 10.166.113.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_113"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.114.0/25 {
ipaddr = 10.166.114.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_114"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.115.0/25 {
ipaddr = 10.166.115.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_115"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.115.128/26 {
ipaddr = 10.166.115.128/26
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_115"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.116.0/25 {
ipaddr = 10.166.116.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_116"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.117.0/25 {
ipaddr = 10.166.117.0/25
require_message_authenticator = no
secret = <<< secret >>>
shortname = "LAN_Switch_SNUM_117"
virtual_server = "lan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client BORNE {
ipaddr = 10.128.96.0/20
require_message_authenticator = no
secret = <<< secret >>>
shortname = "BORNE"
nas_type = "other"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.110.224/27 {
ipaddr = 10.166.110.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_110"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.111.224/27 {
ipaddr = 10.166.111.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_111"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.112.224/27 {
ipaddr = 10.166.112.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_112"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.113.224/27 {
ipaddr = 10.166.113.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_113"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.114.224/27 {
ipaddr = 10.166.114.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_114"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.115.224/27 {
ipaddr = 10.166.115.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_115"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.116.224/27 {
ipaddr = 10.166.116.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_116"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client 10.166.117.224/27 {
ipaddr = 10.166.117.224/27
require_message_authenticator = no
secret = <<< secret >>>
shortname = "WLAN_Switch_SNUM_117"
virtual_server = "wlan-dot1x"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Debugger not attached
systemd watchdog is disabled
# Creating Auth-Type = eap
# Creating Auth-Type = eap_wlan_dot1x
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap_lan_dot1x
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_ldap
# Loading module "ldap_msauth04" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
ldap ldap_msauth04 {
server = "ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr"
port = 636
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_filter =
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
cacheable_name = yes
cacheable_dn = no
cache_attribute = "ldap_AD-LDAP-Group"
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=equipement,dc=gouv,dc=fr"
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
check_crl = no
start_tls = no
require_cert = "hard"
}
}
Creating attribute ldap_msauth04-LDAP-Group
# Loaded module rlm_linelog
# Loading module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog {
filename = "/var/log/freeradius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/freeradius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_cache
# Loading module "cache_wifi" from file
/etc/freeradius/3.0/mods-enabled/cache_wifi
cache cache_wifi {
driver = "rlm_cache_rbtree"
key =
"%{User-Name}@%{%{&outer.request:Symbol-Current-ESSID}:-%{request:Symbol-Current-ESSID}}"
ttl = 600
max_entries = 0
epoch = 0
add_stats = yes
}
# Loaded module rlm_eap
# Loading module "eap_wlan_dot1x" from file
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
eap eap_wlan_dot1x {
default_eap_type = "peap"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 65535
dedup_key = ""
}
# Loading module "cache_local" from file
/etc/freeradius/3.0/mods-enabled/cache_local
cache cache_local {
driver = "rlm_cache_rbtree"
key =
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}"
ttl = 36000
max_entries = 0
epoch = 0
add_stats = yes
}
# Loaded module rlm_redis
# Loading module "redis-lan" from file
/etc/freeradius/3.0/mods-enabled/redis-lan
redis redis-lan {
server = "127.0.0.1"
port = 6379
database = 0
query_timeout = 5
}
rlm_redis: libhiredis version: 0.14.1
# Loading module "eap_lan_dot1x" from file
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
eap eap_lan_dot1x {
default_eap_type = "peap"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 65535
dedup_key = ""
}
# Loading module "redis-wlan" from file
/etc/freeradius/3.0/mods-enabled/redis-wlan
redis redis-wlan {
server = "127.0.0.1"
port = 6379
database = 1
query_timeout = 5
}
rlm_redis: libhiredis version: 0.14.1
# Loaded module rlm_detail
# Loading module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
detail {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_logintime
# Loading module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_expiration
# Loading module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Loaded module rlm_digest
# Loading module "digest" from file
/etc/freeradius/3.0/mods-enabled/digest
# Loaded module rlm_exec
# Loading module "exec" from file
/etc/freeradius/3.0/mods-enabled/exec
exec {
wait = yes
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_mschap
# Loading module "mschap_AD" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap mschap_AD {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loading module "mschap_LOCAL" from file
/etc/freeradius/3.0/mods-enabled/mschap
mschap mschap_LOCAL {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file
/etc/freeradius/3.0/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/freeradius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "radutmp" from file
/etc/freeradius/3.0/mods-enabled/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_replicate
# Loading module "replicate" from file
/etc/freeradius/3.0/mods-enabled/replicate
# Loading module "echo" from file
/etc/freeradius/3.0/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_unix
# Loading module "unix" from file
/etc/freeradius/3.0/mods-enabled/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_unpack
# Loading module "unpack" from file
/etc/freeradius/3.0/mods-enabled/unpack
# Loaded module rlm_python3
# Loading module "python3" from file
/etc/freeradius/3.0/mods-enabled/python3
python3 {
mod_authorize = "laps"
func_authorize = "authorize"
python_path =
"/etc/freeradius/3.0/mods-config/python3:/usr/local/lib/python3.10/dist-packages"
cext_compat = yes
pass_all_vps = no
pass_all_vps_dict = no
}
# Loaded module rlm_utf8
# Loading module "utf8" from file
/etc/freeradius/3.0/mods-enabled/utf8
# Loading module "ldap_M2" from file
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
ldap ldap_M2 {
server = "ldaps://ldapap.m2.e2.rie.gouv.fr"
port = 636
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
scope = "sub"
name_attribute = "cn"
cacheable_name = no
cacheable_dn = no
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=equipement,dc=gouv,dc=fr"
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/etc/freeradius/3.0/certs/isrg-root-x1-cross-signed.pem"
check_crl = no
start_tls = no
require_cert = "never"
}
}
Creating attribute ldap_M2-LDAP-Group
# Loading module "ldap_msauth00" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
ldap ldap_msauth00 {
server = "ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr"
port = 636
identity = "radius.ac"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_filter =
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
cacheable_name = yes
cacheable_dn = no
cache_attribute = "ldap_AD-LDAP-Group"
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=equipement,dc=gouv,dc=fr"
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
check_crl = no
start_tls = no
require_cert = "hard"
}
}
Creating attribute ldap_msauth00-LDAP-Group
# Loading module "ldap_msauth02" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
ldap ldap_msauth02 {
server = "ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr"
port = 636
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_filter =
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
cacheable_name = yes
cacheable_dn = no
cache_attribute = "ldap_AD-LDAP-Group"
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=equipement,dc=gouv,dc=fr"
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
check_crl = no
start_tls = no
require_cert = "hard"
}
}
Creating attribute ldap_msauth02-LDAP-Group
# Loading module "cache" from file
/etc/freeradius/3.0/mods-enabled/cache
cache {
driver = "rlm_cache_rbtree"
key =
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = yes
}
# Loaded module rlm_chap
# Loading module "chap" from file
/etc/freeradius/3.0/mods-enabled/chap
# Loaded module rlm_sql
# Loading module "sql" from file
/etc/freeradius/3.0/mods-enabled/my_module_sql
sql {
driver = "rlm_sql_postgresql"
server = "10.128.0.10"
port = 5432
login = "intranet"
password = <<< secret >>>
radius_db = "macip"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{User-Name}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server
FROM nas"
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op
FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op
FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY
id"
authorize_group_reply_query = "SELECT id, GroupName, Attribute,
Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY
id"
group_membership_query = "SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority"
simul_count_query = "SELECT COUNT(*) FROM radacct WHERE
UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId,
FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND
AcctStopTime IS NULL"
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
auto_escape = no
accounting {
reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
type {
accounting-on {
query = "UPDATE radacct SET AcctStopTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime =
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))),
AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
AcctStopTime IS NULL AND NASIPAddress=
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <=
'%S'::timestamp"
}
accounting-off {
query = "UPDATE radacct SET AcctStopTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime =
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))),
AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE
AcctStopTime IS NULL AND NASIPAddress=
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <=
'%S'::timestamp"
}
start {
query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId,
UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime,
AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}',
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''),
'%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}',
NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}',
TO_TIMESTAMP(%{integer:Event-Timestamp}),
TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}',
'%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}',
'%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}',
NULLIF('%{Framed-IP-Address}', '')::inet)"
}
interim-update {
query = "UPDATE radacct SET FramedIPAddress =
NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime =
%{%{Acct-Session-Time}:-NULL}, AcctInterval =
(%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM
(COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets =
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) +
'%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets =
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) +
'%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId =
'%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
}
stop {
query = "UPDATE radacct SET AcctStopTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime =
TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime =
COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} -
EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets =
(('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) +
'%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets =
(('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) +
'%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause =
'%{Acct-Terminate-Cause}', FramedIPAddress =
NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop =
'%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND
AcctStopTime IS NULL"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())"
}
}
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql)
loaded and linked
Creating attribute SQL-Group
# Loading module "cache_wired" from file
/etc/freeradius/3.0/mods-enabled/cache_wired
cache cache_wired {
driver = "rlm_cache_rbtree"
key =
"%{User-Name}@%{%{&outer.request:NAS-IP-Address}:-%{request:NAS-IP-Address}}"
ttl = 600
max_entries = 0
epoch = 0
add_stats = yes
}
# Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 65535
dedup_key = ""
}
# Loading module "ldap_msauth01" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
ldap ldap_msauth01 {
server = "ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr"
port = 636
identity = "radius.ac"
password = <<< secret >>>
sasl {
}
user {
scope = "sub"
access_positive = yes
sasl {
}
}
group {
filter = "(objectClass=group)"
scope = "sub"
name_attribute = "cn"
membership_filter =
"(member:1.2.840.113556.1.4.1941:=%{tolower:%{control:Ldap-UserDn}})(|(cn=aib.grp.vlan.*)(cn=integrateur))"
cacheable_name = yes
cacheable_dn = no
cache_attribute = "ldap_AD-LDAP-Group"
allow_dangling_group_ref = no
}
client {
filter = "(objectClass=radiusClient)"
scope = "sub"
base_dn = "dc=equipement,dc=gouv,dc=fr"
}
profile {
}
options {
ldap_debug = 0
chase_referrals = yes
rebind = yes
net_timeout = 1
res_timeout = 10
srv_timelimit = 3
idle = 60
probes = 3
interval = 3
}
tls {
ca_file = "/etc/freeradius/3.0/certs/ac-mte-applicative-10ans.pem"
check_crl = no
start_tls = no
require_cert = "hard"
}
}
Creating attribute ldap_msauth01-LDAP-Group
# Loaded module rlm_realm
# Loading module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename =
"/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_expr
# Loading module "expr" from file
/etc/freeradius/3.0/mods-enabled/expr
expr {
safe_characters =
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_:
/äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "authfile" from file
/etc/freeradius/3.0/mods-enabled/my_module_files
files authfile {
filename = "/etc/freeradius/3.0/files.d/authfile"
}
# Loading module "authorized_macs" from file
/etc/freeradius/3.0/mods-enabled/my_module_files
files authorized_macs {
filename = "/etc/freeradius/3.0/files.d/authorized_macs"
}
# Loading module "cache_laps" from file
/etc/freeradius/3.0/mods-enabled/cache_laps
cache cache_laps {
driver = "rlm_cache_rbtree"
key =
"%{User-Name}@%{%{&outer.request:Calling-Station-Id}:-%{request:Calling-Station-Id}}"
ttl = 36000
max_entries = 0
epoch = 0
add_stats = yes
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_always
# Loading module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file
/etc/freeradius/3.0/mods-enabled/dynamic_clients
# Loading module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail auth_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail reply_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail pre_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
detail post_proxy_log {
filename =
"/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
instantiate {
# Instantiating module "ldap_msauth00" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-00
rlm_ldap: libldap vendor: OpenLDAP, version: 20517
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth00): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_ldap (ldap_msauth00): Opening additional connection (0), 1 of 32
pending slots used
rlm_ldap (ldap_msauth00): Connecting to
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (1), 1 of 31
pending slots used
rlm_ldap (ldap_msauth00): Connecting to
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (2), 1 of 30
pending slots used
rlm_ldap (ldap_msauth00): Connecting to
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (3), 1 of 29
pending slots used
rlm_ldap (ldap_msauth00): Connecting to
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
rlm_ldap (ldap_msauth00): Opening additional connection (4), 1 of 28
pending slots used
rlm_ldap (ldap_msauth00): Connecting to
ldaps://ms-auth-00.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth00): Waiting for bind result...
rlm_ldap (ldap_msauth00): Bind successful
# Instantiating module "ldap_msauth01" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-01
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth01): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_ldap (ldap_msauth01): Opening additional connection (0), 1 of 32
pending slots used
rlm_ldap (ldap_msauth01): Connecting to
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (1), 1 of 31
pending slots used
rlm_ldap (ldap_msauth01): Connecting to
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (2), 1 of 30
pending slots used
rlm_ldap (ldap_msauth01): Connecting to
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (3), 1 of 29
pending slots used
rlm_ldap (ldap_msauth01): Connecting to
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
rlm_ldap (ldap_msauth01): Opening additional connection (4), 1 of 28
pending slots used
rlm_ldap (ldap_msauth01): Connecting to
ldaps://ms-auth-01.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth01): Waiting for bind result...
rlm_ldap (ldap_msauth01): Bind successful
# Instantiating module "ldap_msauth02" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-02
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth02): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_ldap (ldap_msauth02): Opening additional connection (0), 1 of 32
pending slots used
rlm_ldap (ldap_msauth02): Connecting to
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (1), 1 of 31
pending slots used
rlm_ldap (ldap_msauth02): Connecting to
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (2), 1 of 30
pending slots used
rlm_ldap (ldap_msauth02): Connecting to
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (3), 1 of 29
pending slots used
rlm_ldap (ldap_msauth02): Connecting to
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
rlm_ldap (ldap_msauth02): Opening additional connection (4), 1 of 28
pending slots used
rlm_ldap (ldap_msauth02): Connecting to
ldaps://ms-auth-02.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth02): Waiting for bind result...
rlm_ldap (ldap_msauth02): Bind successful
# Instantiating module "ldap_msauth04" from file
/etc/freeradius/3.0/mods-enabled/ldap_ms-auth-04
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_msauth04): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_ldap (ldap_msauth04): Opening additional connection (0), 1 of 32
pending slots used
rlm_ldap (ldap_msauth04): Connecting to
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (1), 1 of 31
pending slots used
rlm_ldap (ldap_msauth04): Connecting to
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (2), 1 of 30
pending slots used
rlm_ldap (ldap_msauth04): Connecting to
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (3), 1 of 29
pending slots used
rlm_ldap (ldap_msauth04): Connecting to
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
rlm_ldap (ldap_msauth04): Opening additional connection (4), 1 of 28
pending slots used
rlm_ldap (ldap_msauth04): Connecting to
ldaps://ms-auth-04.auth.ad.e2.rie.gouv.fr:636
rlm_ldap (ldap_msauth04): Waiting for bind result...
rlm_ldap (ldap_msauth04): Bind successful
}
# Instantiating module "linelog" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "log_accounting" from file
/etc/freeradius/3.0/mods-enabled/linelog
# Instantiating module "cache_wifi" from file
/etc/freeradius/3.0/mods-enabled/cache_wifi
rlm_cache (cache_wifi): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "eap_wlan_dot1x" from file
/etc/freeradius/3.0/mods-enabled/eap_wlan_dot1x
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-cae"
}
tls-config tls-cae {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
certificate_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT at SECLEVEL=0"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1_1 = no
disable_tlsv1_2 = no
tls_max_version = "1.2"
tls_min_version = "1.0"
cache {
enable = yes
lifetime = 11
name = "EAP module"
max_entries = 0
virtual_server = "tls-cache-lan"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-wlan-dot1x"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
certificate_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1_1 = no
disable_tlsv1_2 = no
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = yes
lifetime = 11
name = "EAP module"
max_entries = 0
virtual_server = "tls-cache-wlan"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "FreeRADIUS"
}
# Instantiating module "cache_local" from file
/etc/freeradius/3.0/mods-enabled/cache_local
rlm_cache (cache_local): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "redis-lan" from file
/etc/freeradius/3.0/mods-enabled/redis-lan
rlm_redis (redis-lan): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
max_retries = 5
spread = no
}
rlm_redis (redis-lan): Opening additional connection (0), 1 of 32
pending slots used
rlm_redis (redis-lan): Opening additional connection (1), 1 of 31
pending slots used
rlm_redis (redis-lan): Opening additional connection (2), 1 of 30
pending slots used
rlm_redis (redis-lan): Opening additional connection (3), 1 of 29
pending slots used
rlm_redis (redis-lan): Opening additional connection (4), 1 of 28
pending slots used
# Instantiating module "eap_lan_dot1x" from file
/etc/freeradius/3.0/mods-enabled/eap_lan_dot1x
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-cae"
}
tls-config tls-cae {
verify_depth = 0
pem_file_type = yes
private_key_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
certificate_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
ca_file = "/etc/freeradius/3.0/certs/AC-ANTSv3-AAE-3.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
disable_tlsv1_1 = no
disable_tlsv1_2 = no
tls_max_version = "1.2"
tls_min_version = "1.0"
cache {
enable = yes
lifetime = 11
name = "EAP module"
max_entries = 0
virtual_server = "tls-cache-lan"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set:
cipher_list = "DEFAULT at SECLEVEL=0"
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-lan-dot1x"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file =
"/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr.key"
certificate_file =
"/etc/freeradius/3.0/certs/2024_prod_radius.ac.e2.rie.gouv.fr_chain.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT at SECLEVEL=0"
sigalgs_list =
"ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256"
reject_unknown_intermediate_ca = no
ecdh_curve = "prime256v1"
tls_max_version = "1.2"
tls_min_version = "1.1"
cache {
enable = yes
lifetime = 11
name = "EAP module"
max_entries = 0
virtual_server = "tls-cache-lan"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "FreeRADIUS"
}
# Instantiating module "redis-wlan" from file
/etc/freeradius/3.0/mods-enabled/redis-wlan
rlm_redis (redis-wlan): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
max_retries = 5
spread = no
}
rlm_redis (redis-wlan): Opening additional connection (0), 1 of 32
pending slots used
rlm_redis (redis-wlan): Opening additional connection (1), 1 of 31
pending slots used
rlm_redis (redis-wlan): Opening additional connection (2), 1 of 30
pending slots used
rlm_redis (redis-wlan): Opening additional connection (3), 1 of 29
pending slots used
rlm_redis (redis-wlan): Opening additional connection (4), 1 of 28
pending slots used
# Instantiating module "detail" from file
/etc/freeradius/3.0/mods-enabled/detail
# Instantiating module "preprocess" from file
/etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file
/etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
# Instantiating module "logintime" from file
/etc/freeradius/3.0/mods-enabled/logintime
# Instantiating module "expiration" from file
/etc/freeradius/3.0/mods-enabled/expiration
# Instantiating module "mschap_AD" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap_AD): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
max_retries = 5
spread = no
}
rlm_mschap (mschap_AD): Opening additional connection (0), 1 of 32
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (1), 1 of 31
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (2), 1 of 30
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (3), 1 of 29
pending slots used
rlm_mschap (mschap_AD): Opening additional connection (4), 1 of 28
pending slots used
rlm_mschap (mschap_AD): authenticating directly to winbind
# Instantiating module "mschap_LOCAL" from file
/etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap_LOCAL): using internal authentication
# Instantiating module "python3" from file
/etc/freeradius/3.0/mods-enabled/python3
Python version: 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]
# Instantiating module "ldap_M2" from file
/etc/freeradius/3.0/mods-enabled/my_module_ldap_m2
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}}"
}
post-auth {
reference = "."
}
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! libldap is using GnuTLS, while FreeRADIUS is using OpenSSL
!! There may be random issues with TLS connections due to this conflict.
!! The server may also crash.
!! See https://wiki.freeradius.org/modules/Rlm_ldap for more
information.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
rlm_ldap (ldap_M2): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_ldap (ldap_M2): Opening additional connection (0), 1 of 32 pending
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (1), 1 of 31 pending
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (2), 1 of 30 pending
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (3), 1 of 29 pending
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
rlm_ldap (ldap_M2): Opening additional connection (4), 1 of 28 pending
slots used
rlm_ldap (ldap_M2): Connecting to ldaps://ldapap.m2.e2.rie.gouv.fr:636
rlm_ldap (ldap_M2): Waiting for bind result...
rlm_ldap (ldap_M2): Bind successful
# Instantiating module "cache" from file
/etc/freeradius/3.0/mods-enabled/cache
rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree)
loaded and linked
# Instantiating module "sql" from file
/etc/freeradius/3.0/mods-enabled/my_module_sql
postgresql {
send_application_name = no
}
rlm_sql (sql): Attempting to connect to database "macip"
rlm_sql (sql): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 0
cleanup_interval = 30
idle_timeout = 60
retry_delay = 30
max_retries = 5
spread = no
}
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip'
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013,
protocol version 3, backend PID 1428654
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip'
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013,
protocol version 3, backend PID 1428655
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip'
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013,
protocol version 3, backend PID 1428656
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip'
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013,
protocol version 3, backend PID 1428657
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots
used
rlm_sql_postgresql: Connecting using parameters: dbname='macip'
host='10.128.0.10' port=5432 user='intranet' password='GoYaVe'
Connected to database 'macip' on '10.128.0.10' server version 130013,
protocol version 3, backend PID 1428658
# Instantiating module "cache_wired" from file
/etc/freeradius/3.0/mods-enabled/cache_wired
rlm_cache (cache_wired): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file
/etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr.key"
certificate_file =
"/etc/freeradius/3.0/certs/2021_radius.ac.e2.rie.gouv.fr_avec_chaine_ACs.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "HIGH:MEDIUM:!LOW:!NULL:!EXPORT"
reject_unknown_intermediate_ca = no
ecdh_curve = "secp521r1"
disable_tlsv1 = no
disable_tlsv1_1 = no
disable_tlsv1_2 = no
tls_max_version = "1.2"
tls_min_version = "1.0"
cache {
enable = yes
lifetime = 11
name = "EAP module"
max_entries = 0
persist_dir = "/var/log/freeradius/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
tls: In order to use TLS 1.0 and/or TLS 1.1, you likely need to set:
cipher_list = "DEFAULT at SECLEVEL=0"
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
identity = "FreeRADIUS"
}
# Instantiating module "IPASS" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "suffix" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "realmpercent" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "ntdomain" from file
/etc/freeradius/3.0/mods-enabled/realm
# Instantiating module "etc_passwd" from file
/etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "attr_filter.post-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_reject
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay" found in filter list for realm
"DEFAULT".
[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check
item "FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file
/etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file
/etc/freeradius/3.0/mods-config/attr_filter/accounting_response
# Instantiating module "authfile" from file
/etc/freeradius/3.0/mods-enabled/my_module_files
reading pairlist file /etc/freeradius/3.0/files.d/authfile
# Instantiating module "authorized_macs" from file
/etc/freeradius/3.0/mods-enabled/my_module_files
reading pairlist file /etc/freeradius/3.0/files.d/authorized_macs
# Instantiating module "cache_laps" from file
/etc/freeradius/3.0/mods-enabled/cache_laps
rlm_cache (cache_laps): Driver rlm_cache_rbtree (module
rlm_cache_rbtree) loaded and linked
# Instantiating module "pap" from file
/etc/freeradius/3.0/mods-enabled/pap
# Instantiating module "reject" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file
/etc/freeradius/3.0/mods-enabled/always
# Instantiating module "auth_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in
detail output
# Instantiating module "reply_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file
/etc/freeradius/3.0/mods-enabled/detail.log
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-lan-dot1x { # from file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
# Loading authenticate {...}
# Loading authorize {...}
# Loading post-proxy {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-lan-dot1x
server inner-wlan-dot1x { # from file
/etc/freeradius/3.0/sites-enabled/inner-wlan-dot1x
# Loading authenticate {...}
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-wlan-dot1x
server tls-cache-wlan { # from file
/etc/freeradius/3.0/sites-enabled/tls-cache-wlan
Compiling cache load for attr TLS-Cache-Method
Compiling cache save for attr TLS-Cache-Method
Compiling cache clear for attr TLS-Cache-Method
Compiling cache refresh for attr TLS-Cache-Method
} # server tls-cache-wlan
server lan-dot1x { # from file /etc/freeradius/3.0/server.d/lan-dot1x
# Loading authenticate {...}
Compiling Auth-Type eap_lan_dot1x for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server lan-dot1x
server wlan-dot1x { # from file /etc/freeradius/3.0/server.d/wlan-dot1x
# Loading authenticate {...}
Compiling Auth-Type eap_wlan_dot1x for attr Auth-Type
Compiling Auth-Type eap for attr Auth-Type
# Loading authorize {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
} # server wlan-dot1x
server proxy-inner-tunnel { # from file
/etc/freeradius/3.0/sites-enabled/proxy-inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
} # server proxy-inner-tunnel
server tls-cache-lan { # from file
/etc/freeradius/3.0/sites-enabled/tls-cache-lan
Compiling cache load for attr TLS-Cache-Method
Compiling cache save for attr TLS-Cache-Method
Compiling cache clear for attr TLS-Cache-Method
Compiling cache refresh for attr TLS-Cache-Method
} # server tls-cache-lan
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "control"
listen {
socket = "/tmp/freeradius.sock"
mode = "rw"
peercred = yes
}
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18121
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18122
}
Listening on command file /tmp/freeradius.sock
Listening on auth address * port 1812
Listening on auth address 127.0.0.1 port 18121 bound to server
inner-lan-dot1x
Listening on auth address 127.0.0.1 port 18122 bound to server
inner-wlan-dot1x
Listening on proxy address * port 37655
Ready to process requests
(0) Received Access-Request Id 197 from 10.128.2.54:32769 to
10.128.0.58:1812 length 178
(0) Message-Authenticator = 0x681f93be02ffa3fa2d2ead82ffaf4433
(0) User-Name = "PREPROD\\pierrick.merle.i"
(0) NAS-IP-Address = 10.128.2.54
(0) Called-Station-Id = "00-04-96-fa-2c-10"
(0) NAS-Identifier = "SXT_APS20f"
(0) NAS-Port = 1004
(0) NAS-Port-Id = "4"
(0) NAS-Port-Type = Ethernet
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(0) EAP-Message =
0x02dc001d0150524550524f445c706965727269636b2e6d65726c652e69
(0) Framed-MTU = 1300
(0) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(0) authorize {
(0) [preprocess] = ok
(0) policy extreme_rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(0) update request {
(0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(0) --> 54:05:DB:EC:7A:F7
(0) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy extreme_rewrite_calling_station_id = updated
(0) if (!&request:EAP-Message) {
(0) if (!&request:EAP-Message) -> FALSE
(0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(0) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(0) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 220 length 29
(0) eap_lan_dot1x: EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(0) [eap_lan_dot1x] = ok
(0) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(0) ... skipping elsif: Preceding "if" was taken
(0) ... skipping else: Preceding "if" was taken
(0) } # authorize = updated
(0) Found Auth-Type = eap_lan_dot1x
(0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(0) Auth-Type eap_lan_dot1x {
(0) eap_lan_dot1x: Peer sent packet with method EAP Identity (1)
(0) eap_lan_dot1x: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap_lan_dot1x: Sending EAP Request (code 1) ID 221 length 6
(0) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fabe4ea12
(0) [eap_lan_dot1x] = handled
(0) } # Auth-Type eap_lan_dot1x = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 197 from 10.128.0.58:1812 to
10.128.2.54:32769 length 64
(0) EAP-Message = 0x01dd00061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xab39f39fabe4ea12f769f1fff0534bd1
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 198 from 10.128.2.54:32769 to
10.128.0.58:1812 length 362
(1) Message-Authenticator = 0xe82132d7fa8da33e0b0f07bbc832dd14
(1) User-Name = "PREPROD\\pierrick.merle.i"
(1) State = 0xab39f39fabe4ea12f769f1fff0534bd1
(1) NAS-IP-Address = 10.128.2.54
(1) Called-Station-Id = "00-04-96-fa-2c-10"
(1) NAS-Identifier = "SXT_APS20f"
(1) NAS-Port = 1004
(1) NAS-Port-Id = "4"
(1) NAS-Port-Type = Ethernet
(1) Framed-MTU = 1300
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(1) EAP-Message =
0x02dd00c31980000000b916030300b4010000b0030367c5a9517d60cd207bf08fd71f19f663cd5852706f2c03cd97e2ef911657e8622034aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a0100003d000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(1) authorize {
(1) [preprocess] = ok
(1) policy extreme_rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(1) update request {
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 54:05:DB:EC:7A:F7
(1) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy extreme_rewrite_calling_station_id = updated
(1) if (!&request:EAP-Message) {
(1) if (!&request:EAP-Message) -> FALSE
(1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(1) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(1) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 221 length 195
(1) eap_lan_dot1x: Continuing tunnel setup
(1) [eap_lan_dot1x] = ok
(1) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(1) ... skipping elsif: Preceding "if" was taken
(1) ... skipping else: Preceding "if" was taken
(1) } # authorize = updated
(1) Found Auth-Type = eap_lan_dot1x
(1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(1) Auth-Type eap_lan_dot1x {
(1) eap_lan_dot1x: Removing EAP session with state 0xab39f39fabe4ea12
(1) eap_lan_dot1x: Previous EAP request found for state
0xab39f39fabe4ea12, released from the list
(1) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(1) eap_lan_dot1x: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) EAP Peer says that the final record size will be 185
bytes
(1) eap_peap: (TLS) EAP Got all data (185 bytes)
(1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL
initialization
(1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(1) eap_peap: Peer requested cached session:
34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932
(0) cache load {
(0) update {
rlm_redis (redis-lan): Reserved connection (0)
rlm_redis (redis-lan): executing the query: "GET
0x34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932"
(0) rlm_redis (redis-lan): Can't write result, insufficient space
or unsupported result
rlm_redis (redis-lan): Released connection (0)
Need more connections to reach 10 spares
rlm_redis (redis-lan): Opening additional connection (5), 1 of 27
pending slots used
(0) EXPAND %{redis-lan:GET %{request:TLS-Session-ID}}
(0) -->
(0) &Tmp-String-0 :=
(0) } # update = noop
(0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) {
(0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) ->
TRUE
(0) if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) {
(0) return
(0) } # if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/)
= noop
(0) } # cache load = noop
(1) eap_peap: WARNING: (TLS) PEAP - Failed to find TLS-Session-Data in
'session-state' list for session
34aef38d484057e9cbdfd82468b4ca70a41bf9e30ef21bbb980c2cc5425db932
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
certificate
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key
exchange
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS
write server done
(1) eap_peap: (TLS) PEAP - In Handshake Phase
(1) eap_lan_dot1x: Sending EAP Request (code 1) ID 222 length 1024
(1) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faae7ea12
(1) [eap_lan_dot1x] = handled
(1) } # Auth-Type eap_lan_dot1x = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(1) Sent Access-Challenge Id 198 from 10.128.0.58:1812 to
10.128.2.54:32769 length 1090
(1) EAP-Message =
0x01de040019c000000e2c160303005d0200005903035e4ae8e817988c3566f217c68bf58793f7e07a63c47a49261acaaea76576eefa2084298149cd6dba04ae6b1bfd7e1569034959ac77a2d0a5ad27082b792402b726c030000011ff01000100000b000403000102001700001603030c6a0b000c66000c630005c4308205c0308203a8a00302010202143db2792d468f53db29cf70cd516deeb6d7d7e144300d06092a864886f70d01010b05003065310b3009060355040613024652311b3019060355040a13124d696e6973746572652045636f6c6f676965310d300b060355040b1304444e554d312a30280603550403132145434f20524d494e20414320496e7465726d65646961697265204d616368696e65301e170d3234303630353037353934365a170d3235303630353038303031365a30233121301f060355040313187261646975732e61632e65322e7269652e676f75762e667230820122300d06092a864886f70d01010105000382010f003082010a0282
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xab39f39faae7ea12f769f1fff0534bd1
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 199 from 10.128.2.54:32769 to
10.128.0.58:1812 length 173
(2) Message-Authenticator = 0xf48533d25521399963817e7616597244
(2) User-Name = "PREPROD\\pierrick.merle.i"
(2) State = 0xab39f39faae7ea12f769f1fff0534bd1
(2) NAS-IP-Address = 10.128.2.54
(2) Called-Station-Id = "00-04-96-fa-2c-10"
(2) NAS-Identifier = "SXT_APS20f"
(2) NAS-Port = 1004
(2) NAS-Port-Id = "4"
(2) NAS-Port-Type = Ethernet
(2) Framed-MTU = 1300
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(2) EAP-Message = 0x02de00061900
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(2) authorize {
(2) [preprocess] = ok
(2) policy extreme_rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(2) update request {
(2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2) --> 54:05:DB:EC:7A:F7
(2) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy extreme_rewrite_calling_station_id = updated
(2) if (!&request:EAP-Message) {
(2) if (!&request:EAP-Message) -> FALSE
(2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(2) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(2) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 222 length 6
(2) eap_lan_dot1x: Continuing tunnel setup
(2) [eap_lan_dot1x] = ok
(2) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(2) ... skipping elsif: Preceding "if" was taken
(2) ... skipping else: Preceding "if" was taken
(2) } # authorize = updated
(2) Found Auth-Type = eap_lan_dot1x
(2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(2) Auth-Type eap_lan_dot1x {
(2) eap_lan_dot1x: Removing EAP session with state 0xab39f39faae7ea12
(2) eap_lan_dot1x: Previous EAP request found for state
0xab39f39faae7ea12, released from the list
(2) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(2) eap_lan_dot1x: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) Peer ACKed our handshake fragment
(2) eap_lan_dot1x: Sending EAP Request (code 1) ID 223 length 1020
(2) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa9e6ea12
(2) [eap_lan_dot1x] = handled
(2) } # Auth-Type eap_lan_dot1x = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(2) Sent Access-Challenge Id 199 from 10.128.0.58:1812 to
10.128.2.54:32769 length 1086
(2) EAP-Message =
0x01df03fc19402a687474703a2f2f63726c2e726d696e2e656463732e66722f696e7465726d616368696e6563612e63726c300d06092a864886f70d01010b050003820201000957bae2949136fbad39f5a4a62ca927fc84ff2f8c3b26bd5d5d50b753f24eaabc1e54b28481b405939853ec0fc868eb772139d2ee6c90c911bbd3f168409f9338587f3e61a2913145f8c9309ccc325b48d70149859c9f42d92a42a4ff93680181283565f5b3b37ad35e8ba57d089465b31e255f08ad34bfd63cde54374f10a4d18fb2ed50f1486146e74acfb8e211e439e841bfc54932ff929b98913e769cdf7e45d36657e9d3481d6d5216ac6c725591cb7154cb666062ebabb4096fa189865766abb1722ea1e15768ba1cf7e6ac805fb92f2495bf517b9e7730047fc54f69d20727f0cea8e3573e4a0fa69a4a6f0a6ca11266277cb448d61fa22e0a68009c42fdd11b2d4c3989fd2908fa3d7d0624616237610c1374afb462e42291dc44d78f9dfbe1cba02ea44c2817bd4ba9f1bc2160
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xab39f39fa9e6ea12f769f1fff0534bd1
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 200 from 10.128.2.54:32769 to
10.128.0.58:1812 length 173
(3) Message-Authenticator = 0x53d1a6aee16c8987edf25b57090e579e
(3) User-Name = "PREPROD\\pierrick.merle.i"
(3) State = 0xab39f39fa9e6ea12f769f1fff0534bd1
(3) NAS-IP-Address = 10.128.2.54
(3) Called-Station-Id = "00-04-96-fa-2c-10"
(3) NAS-Identifier = "SXT_APS20f"
(3) NAS-Port = 1004
(3) NAS-Port-Id = "4"
(3) NAS-Port-Type = Ethernet
(3) Framed-MTU = 1300
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(3) EAP-Message = 0x02df00061900
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(3) authorize {
(3) [preprocess] = ok
(3) policy extreme_rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(3) update request {
(3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3) --> 54:05:DB:EC:7A:F7
(3) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy extreme_rewrite_calling_station_id = updated
(3) if (!&request:EAP-Message) {
(3) if (!&request:EAP-Message) -> FALSE
(3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(3) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(3) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 223 length 6
(3) eap_lan_dot1x: Continuing tunnel setup
(3) [eap_lan_dot1x] = ok
(3) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(3) ... skipping elsif: Preceding "if" was taken
(3) ... skipping else: Preceding "if" was taken
(3) } # authorize = updated
(3) Found Auth-Type = eap_lan_dot1x
(3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(3) Auth-Type eap_lan_dot1x {
(3) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa9e6ea12
(3) eap_lan_dot1x: Previous EAP request found for state
0xab39f39fa9e6ea12, released from the list
(3) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(3) eap_lan_dot1x: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap_lan_dot1x: Sending EAP Request (code 1) ID 224 length 1020
(3) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fa8d9ea12
(3) [eap_lan_dot1x] = handled
(3) } # Auth-Type eap_lan_dot1x = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(3) Sent Access-Challenge Id 200 from 10.128.0.58:1812 to
10.128.2.54:32769 length 1086
(3) EAP-Message =
0x01e003fc1940c7aa2e068818a20c750b7184a76445710d8c429a0221abbca66a5c355a3b63af6aeeaf6d1a77c800677b4998101328f4397e2b50b8d164dab887585adea9b07d64c14a5204b198944d6cfd333f9355d5e4d52810957a3c456fbbfc29f7be81704f0be0d4df65f0dfd7201550291a8195121cda6d3cc26ecc2326ed652f1934507e7dbc4d3318b6945a138f1ccca762d1e6382415a48f043902ab7735bad049d2ba09877d8a90cae08ba3e285fe097d9ac4e1eed66bebfcbe780d434e63003cb2dc51bd91d1b95d0287616b244ce4ed4e4da198f22be8017b6eb37ed521b9457f3fc07056374a2b41afa846e2359e63e1bdd93adce5ac9409c3d2d5650eb55376ccf9dad6d40ef7fbe0e5de98614702da923e3d512f90382acb5ca948f1a4338f6bbf3eebecb51d5ae4d5abf35d8738f4da2d57310f8e42eba1b2db4a92a4853d5919d695b11d92b0a2b89229a9f2b9e3472429d31e3ae29772b96a03216732a0452b7e6d60518fdb04cb0203010001a382
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xab39f39fa8d9ea12f769f1fff0534bd1
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 201 from 10.128.2.54:32769 to
10.128.0.58:1812 length 173
(4) Message-Authenticator = 0xfd539975736768f13f95221dbf4d0ca0
(4) User-Name = "PREPROD\\pierrick.merle.i"
(4) State = 0xab39f39fa8d9ea12f769f1fff0534bd1
(4) NAS-IP-Address = 10.128.2.54
(4) Called-Station-Id = "00-04-96-fa-2c-10"
(4) NAS-Identifier = "SXT_APS20f"
(4) NAS-Port = 1004
(4) NAS-Port-Id = "4"
(4) NAS-Port-Type = Ethernet
(4) Framed-MTU = 1300
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(4) EAP-Message = 0x02e000061900
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(4) authorize {
(4) [preprocess] = ok
(4) policy extreme_rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(4) update request {
(4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4) --> 54:05:DB:EC:7A:F7
(4) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy extreme_rewrite_calling_station_id = updated
(4) if (!&request:EAP-Message) {
(4) if (!&request:EAP-Message) -> FALSE
(4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(4) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(4) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 224 length 6
(4) eap_lan_dot1x: Continuing tunnel setup
(4) [eap_lan_dot1x] = ok
(4) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(4) ... skipping elsif: Preceding "if" was taken
(4) ... skipping else: Preceding "if" was taken
(4) } # authorize = updated
(4) Found Auth-Type = eap_lan_dot1x
(4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(4) Auth-Type eap_lan_dot1x {
(4) eap_lan_dot1x: Removing EAP session with state 0xab39f39fa8d9ea12
(4) eap_lan_dot1x: Previous EAP request found for state
0xab39f39fa8d9ea12, released from the list
(4) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(4) eap_lan_dot1x: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap_lan_dot1x: Sending EAP Request (code 1) ID 225 length 592
(4) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39fafd8ea12
(4) [eap_lan_dot1x] = handled
(4) } # Auth-Type eap_lan_dot1x = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 1014
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(4) Sent Access-Challenge Id 201 from 10.128.0.58:1812 to
10.128.2.54:32769 length 654
(4) EAP-Message =
0x01e1025019008e6fb31e34c535308289f4dcd79f82c53469189129212beebbde8a69f5239dc84fd2c00a0a7d30564f2c48ea5a49a49cdf79f200b5c408ce7354bc7ffef171a8724b15b86e52f27ad9991181caff2bf1f7190c900c2d5358bed4ddc9f853d5664b6a76f15a32c324277fb1f78b9970f9f7a483e1c7999e04a87a05af8469e90b6c535b322711f64111eff1dfd1eeabdfdc380204be62d525762e25471838b54ae3bfb8c0fd01b0cbf2b0542aa907585ab52f386d5d627d6cc965cbb9444bdd046a0422251c3368ecd8be1e917029987e66cb511820cd2a2cdaa570575416c54081271204d245581e28cec2dd66cfa2160303014d0c00014903001741046251b7e62bf95cb9ab08709f7abb30c19e7d19d4c5cd3e4f6aadf2f1a8ff4387c913b1b36b9f93931c77c74993a7573a9ff64c27e3b67b0d4e7c75eaec2d6f0b040101007b152e53b8146e29162fcba24e92a04629f33dcd7f70e9a9d28e044e7d9faf1c8888c407c4b3fe0be85c59c9b8a8633b
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xab39f39fafd8ea12f769f1fff0534bd1
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 202 from 10.128.2.54:32769 to
10.128.0.58:1812 length 303
(5) Message-Authenticator = 0x330d17d58367b7c7debbd2388d24da3b
(5) User-Name = "PREPROD\\pierrick.merle.i"
(5) State = 0xab39f39fafd8ea12f769f1fff0534bd1
(5) NAS-IP-Address = 10.128.2.54
(5) Called-Station-Id = "00-04-96-fa-2c-10"
(5) NAS-Identifier = "SXT_APS20f"
(5) NAS-Port = 1004
(5) NAS-Port-Id = "4"
(5) NAS-Port-Type = Ethernet
(5) Framed-MTU = 1300
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(5) EAP-Message =
0x02e1008819800000007e1603030046100000424104478011a091c5392414894d3b1d96709c1c3a41ce60f156911ec687f2955d4e40e567885782f0be58e1374d4a11656554927dc06481a8e4023f6f96359b6c66cf1403030001011603030028000000000000000042308fd559fe9927cfb60949046a6718bbcb97c8243c745e3f0cd09ce51e7c01
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 1014
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(5) authorize {
(5) [preprocess] = ok
(5) policy extreme_rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(5) update request {
(5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5) --> 54:05:DB:EC:7A:F7
(5) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy extreme_rewrite_calling_station_id = updated
(5) if (!&request:EAP-Message) {
(5) if (!&request:EAP-Message) -> FALSE
(5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(5) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(5) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 225 length 136
(5) eap_lan_dot1x: Continuing tunnel setup
(5) [eap_lan_dot1x] = ok
(5) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(5) ... skipping elsif: Preceding "if" was taken
(5) ... skipping else: Preceding "if" was taken
(5) } # authorize = updated
(5) Found Auth-Type = eap_lan_dot1x
(5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(5) Auth-Type eap_lan_dot1x {
(5) eap_lan_dot1x: Removing EAP session with state 0xab39f39fafd8ea12
(5) eap_lan_dot1x: Previous EAP request found for state
0xab39f39fafd8ea12, released from the list
(5) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(5) eap_lan_dot1x: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) EAP Peer says that the final record size will be 126
bytes
(5) eap_peap: (TLS) EAP Got all data (126 bytes)
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
server done
(5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
client key exchange
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
change cipher spec
(5) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read
finished
(5) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
change cipher spec
(5) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(5) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write
finished
(5) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished
successfully
(5) eap_peap: (TLS) PEAP - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_lan_dot1x: Sending EAP Request (code 1) ID 226 length 57
(5) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faedbea12
(5) [eap_lan_dot1x] = handled
(5) } # Auth-Type eap_lan_dot1x = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 1014
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2
ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 202 from 10.128.0.58:1812 to
10.128.2.54:32769 length 115
(5) EAP-Message =
0x01e2003919001403030001011603030028992e1d08a6281f94437d18a88f2f337b9abbd59b6c10d58320ae5341ff5cb1be50d4e0e30627f0e3
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xab39f39faedbea12f769f1fff0534bd1
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 203 from 10.128.2.54:32769 to
10.128.0.58:1812 length 173
(6) Message-Authenticator = 0x01e2569fa0d0a5ef89068ddfa1ffba9d
(6) User-Name = "PREPROD\\pierrick.merle.i"
(6) State = 0xab39f39faedbea12f769f1fff0534bd1
(6) NAS-IP-Address = 10.128.2.54
(6) Called-Station-Id = "00-04-96-fa-2c-10"
(6) NAS-Identifier = "SXT_APS20f"
(6) NAS-Port = 1004
(6) NAS-Port-Id = "4"
(6) NAS-Port-Type = Ethernet
(6) Framed-MTU = 1300
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(6) EAP-Message = 0x02e200061900
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 1014
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(6) authorize {
(6) [preprocess] = ok
(6) policy extreme_rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(6) update request {
(6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6) --> 54:05:DB:EC:7A:F7
(6) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy extreme_rewrite_calling_station_id = updated
(6) if (!&request:EAP-Message) {
(6) if (!&request:EAP-Message) -> FALSE
(6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(6) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(6) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 226 length 6
(6) eap_lan_dot1x: Continuing tunnel setup
(6) [eap_lan_dot1x] = ok
(6) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(6) ... skipping elsif: Preceding "if" was taken
(6) ... skipping else: Preceding "if" was taken
(6) } # authorize = updated
(6) Found Auth-Type = eap_lan_dot1x
(6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(6) Auth-Type eap_lan_dot1x {
(6) eap_lan_dot1x: Removing EAP session with state 0xab39f39faedbea12
(6) eap_lan_dot1x: Previous EAP request found for state
0xab39f39faedbea12, released from the list
(6) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(6) eap_lan_dot1x: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is
finished
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap_lan_dot1x: Sending EAP Request (code 1) ID 227 length 40
(6) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39faddaea12
(6) [eap_lan_dot1x] = handled
(6) } # Auth-Type eap_lan_dot1x = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 1014
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2
ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 203 from 10.128.0.58:1812 to
10.128.2.54:32769 length 98
(6) EAP-Message =
0x01e300281900170303001d992e1d08a6281f952ddff245583c3e11a01f3a0811d5f52af6dc4daf1b
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xab39f39faddaea12f769f1fff0534bd1
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 204 from 10.128.2.54:32769 to
10.128.0.58:1812 length 227
(7) Message-Authenticator = 0x96497c11b13a76a5b23e44be8f7d5ff9
(7) User-Name = "PREPROD\\pierrick.merle.i"
(7) State = 0xab39f39faddaea12f769f1fff0534bd1
(7) NAS-IP-Address = 10.128.2.54
(7) Called-Station-Id = "00-04-96-fa-2c-10"
(7) NAS-Identifier = "SXT_APS20f"
(7) NAS-Port = 1004
(7) NAS-Port-Id = "4"
(7) NAS-Port-Type = Ethernet
(7) Framed-MTU = 1300
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(7) EAP-Message =
0x02e3003c190017030300310000000000000001a09b6c88393f3903b90ebde72d0ec97a46ae05e7c48e47576720783176f2be7dfdd79503de20f2603a
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 1014
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(7) authorize {
(7) [preprocess] = ok
(7) policy extreme_rewrite_calling_station_id {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(7) update request {
(7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7) --> 54:05:DB:EC:7A:F7
(7) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy extreme_rewrite_calling_station_id = updated
(7) if (!&request:EAP-Message) {
(7) if (!&request:EAP-Message) -> FALSE
(7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(7) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(7) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 227 length 60
(7) eap_lan_dot1x: Continuing tunnel setup
(7) [eap_lan_dot1x] = ok
(7) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(7) ... skipping elsif: Preceding "if" was taken
(7) ... skipping else: Preceding "if" was taken
(7) } # authorize = updated
(7) Found Auth-Type = eap_lan_dot1x
(7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(7) Auth-Type eap_lan_dot1x {
(7) eap_lan_dot1x: Removing EAP session with state 0xab39f39faddaea12
(7) eap_lan_dot1x: Previous EAP request found for state
0xab39f39faddaea12, released from the list
(7) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(7) eap_lan_dot1x: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Done initial handshake
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - PREPROD\pierrick.merle.i
(7) eap_peap: Got inner identity 'PREPROD\pierrick.merle.i'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message =
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i
(7) eap_peap: Sending tunneled request to inner-lan-dot1x
(7) eap_peap: EAP-Message =
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "PREPROD\\pierrick.merle.i"
(7) Virtual server inner-lan-dot1x received request
(7) EAP-Message =
0x02e3001d0150524550524f445c706965727269636b2e6d65726c652e69
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "PREPROD\\pierrick.merle.i"
(7) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(7) server inner-lan-dot1x {
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(7) authorize {
(7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) {
(7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) -> TRUE
(7) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) {
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: Looking up realm "PREPROD" for User-Name =
"PREPROD\pierrick.merle.i"
(7) ntdomain: Found realm "PREPROD"
(7) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i"
(7) ntdomain: Adding Realm = "PREPROD"
(7) ntdomain: Proxying request from user pierrick.merle.i to realm
PREPROD
(7) ntdomain: Preparing to proxy authentication request to realm
"PREPROD"
(7) [ntdomain] = updated
(7) } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name
=~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name
=~ /^FORMATION/ ) = updated
(7) ... skipping elsif: Preceding "if" was taken
(7) ... skipping elsif: Preceding "if" was taken
(7) ... skipping elsif: Preceding "if" was taken
(7) update {
(7) No attributes updated for RHS
&control:Extreme-Netlogin-Extended-Vlan
(7) No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(7) No attributes updated for RHS
&control:Fabric-Attach-Service-Request[*]
(7) No attributes updated for RHS &control:Filter-Id
(7) No attributes updated for RHS
&control:Tunnel-Private-Group-Id
(7) reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i'
(7) } # update = noop
(7) } # authorize = updated
(7) } # server inner-lan-dot1x
(7) Virtual server sending reply
(7) User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap: Got tunneled reply code 0
(7) eap_peap: User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap: Calling authenticate in order to initiate tunneled EAP
session
(7) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(7) authenticate {
(7) eap: Peer sent packet with method EAP Identity (1)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) eap: Sending EAP Request (code 1) ID 228 length 36
(7) eap: EAP session adding &reply:State = 0x7b60a4d57b84bea7
(7) [eap] = handled
(7) } # authenticate = handled
(7) eap_peap: Cancelling proxy to realm PREPROD until the tunneled EAP
session has been established
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: User-Name := "PREPROD\\pierrick.merle.i"
(7) eap_peap: EAP-Message =
0x01e400241a01e4001f10f0a506e01e192881a4906d742fc4b2e646726565524144495553
(7) eap_peap: Message-Authenticator =
0x00000000000000000000000000000000
(7) eap_peap: State = 0x7b60a4d57b84bea7a078a662a72147dc
(7) eap_peap: Got tunneled Access-Challenge
(7) eap_lan_dot1x: Sending EAP Request (code 1) ID 228 length 67
(7) eap_lan_dot1x: EAP session adding &reply:State = 0xab39f39facddea12
(7) [eap_lan_dot1x] = handled
(7) } # Auth-Type eap_lan_dot1x = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 1014
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake,
ClientHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Certificate"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
ServerHelloDone"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2
ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake,
Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 204 from 10.128.0.58:1812 to
10.128.2.54:32769 length 125
(7) EAP-Message =
0x01e4004319001703030038992e1d08a6281f9686a180dc1b41a0f8984c319974a02913f93e71bac56da78cda96880678431a2282a64c261c993c336832c275f722fc55
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xab39f39facddea12f769f1fff0534bd1
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 205 from 10.128.2.54:32769 to
10.128.0.58:1812 length 281
(8) Message-Authenticator = 0xf73b3d46fcc452447830970250510653
(8) User-Name = "PREPROD\\pierrick.merle.i"
(8) State = 0xab39f39facddea12f769f1fff0534bd1
(8) NAS-IP-Address = 10.128.2.54
(8) Called-Station-Id = "00-04-96-fa-2c-10"
(8) NAS-Identifier = "SXT_APS20f"
(8) NAS-Port = 1004
(8) NAS-Port-Id = "4"
(8) NAS-Port-Type = Ethernet
(8) Framed-MTU = 1300
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "54-05-DB-EC-7A-F7"
(8) EAP-Message =
0x02e40072190017030300670000000000000002cca31e7eae2c47f00df3d68a7c9871cbdf92c0ba98e0ed3b8e88e7af8d6620cbfa71200ac29d972f1304402d8ca4992f94e9d2bba3878f1e7c37139b64efc0c8a44e693a2c6e7b9a24f2b2f424c0987c51dd5b6b3345814d5a991fd963aca0
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 1014
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, ServerHelloDone"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, ClientKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 ChangeCipherSpec"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS
1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Cipher-Suite =
"ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file
/etc/freeradius/3.0/server.d/lan-dot1x
(8) authorize {
(8) [preprocess] = ok
(8) policy extreme_rewrite_calling_station_id {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
-> TRUE
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
{
(8) update request {
(8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8) --> 54:05:DB:EC:7A:F7
(8) &Calling-Station-Id := 54:05:DB:EC:7A:F7
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~
/^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))
= updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy extreme_rewrite_calling_station_id = updated
(8) if (!&request:EAP-Message) {
(8) if (!&request:EAP-Message) -> FALSE
(8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) -> TRUE
(8) elsif (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/) {
(8) eap_lan_dot1x: Peer sent EAP Response (code 2) ID 228 length 114
(8) eap_lan_dot1x: Continuing tunnel setup
(8) [eap_lan_dot1x] = ok
(8) } # elsif (&request:User-Name =~ /^PREPROD/ ||
&request:User-Name =~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/)
= ok
(8) ... skipping elsif: Preceding "if" was taken
(8) ... skipping else: Preceding "if" was taken
(8) } # authorize = updated
(8) Found Auth-Type = eap_lan_dot1x
(8) # Executing group from file /etc/freeradius/3.0/server.d/lan-dot1x
(8) Auth-Type eap_lan_dot1x {
(8) eap_lan_dot1x: Removing EAP session with state 0xab39f39facddea12
(8) eap_lan_dot1x: Previous EAP request found for state
0xab39f39facddea12, released from the list
(8) eap_lan_dot1x: Peer sent packet with method EAP PEAP (25)
(8) eap_lan_dot1x: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message =
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8) eap_peap: Setting User-Name to PREPROD\pierrick.merle.i
(8) eap_peap: Sending tunneled request to inner-lan-dot1x
(8) eap_peap: EAP-Message =
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "PREPROD\\pierrick.merle.i"
(8) eap_peap: State = 0x7b60a4d57b84bea7a078a662a72147dc
(8) Virtual server inner-lan-dot1x received request
(8) EAP-Message =
0x02e400531a02e4004e31ec8a1fbe71764029e6c856e60d94056e0000000000000000001c71308495add1402553b25cfd1fffa1b30d00f8d1838f0050524550524f445c706965727269636b2e6d65726c652e69
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "PREPROD\\pierrick.merle.i"
(8) State = 0x7b60a4d57b84bea7a078a662a72147dc
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-lan-dot1x {
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(8) authorize {
(8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) {
(8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) -> TRUE
(8) if (&request:User-Name =~ /^PREPROD/ || &request:User-Name =~
/^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name =~
/^FORMATION/ ) {
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: Looking up realm "PREPROD" for User-Name =
"PREPROD\pierrick.merle.i"
(8) ntdomain: Found realm "PREPROD"
(8) ntdomain: Adding Stripped-User-Name = "pierrick.merle.i"
(8) ntdomain: Adding Realm = "PREPROD"
(8) ntdomain: Proxying request from user pierrick.merle.i to realm
PREPROD
(8) ntdomain: Preparing to proxy authentication request to realm
"PREPROD"
(8) [ntdomain] = updated
(8) } # if (&request:User-Name =~ /^PREPROD/ || &request:User-Name
=~ /^DRIHL-IF/ || &request:User-Name =~ /^CABINET/ || &request:User-Name
=~ /^FORMATION/ ) = updated
(8) ... skipping elsif: Preceding "if" was taken
(8) ... skipping elsif: Preceding "if" was taken
(8) ... skipping elsif: Preceding "if" was taken
(8) update {
(8) No attributes updated for RHS
&control:Extreme-Netlogin-Extended-Vlan
(8) No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(8) No attributes updated for RHS
&control:Fabric-Attach-Service-Request[*]
(8) No attributes updated for RHS &control:Filter-Id
(8) No attributes updated for RHS
&control:Tunnel-Private-Group-Id
(8) reply:User-Name := User-Name -> 'PREPROD\\pierrick.merle.i'
(8) } # update = noop
(8) } # authorize = updated
(8) } # server inner-lan-dot1x
(8) Virtual server sending reply
(8) User-Name := "PREPROD\\pierrick.merle.i"
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap: User-Name := "PREPROD\\pierrick.merle.i"
(8) eap_peap: Calling authenticate in order to initiate tunneled EAP
session
(8) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-lan-dot1x
(8) authenticate {
(8) eap: Removing EAP session with state 0x7b60a4d57b84bea7
(8) eap: Previous EAP request found for state 0x7b60a4d57b84bea7,
released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Cancelling authentication and letting it be proxied
(8) eap: No EAP proxy set. Not composing EAP
(8) [eap] = handled
(8) } # authenticate = handled
(8) eap_peap: Tunnelled authentication will be proxied to PREPROD
(8) eap_peap: Remembering to do EAP-MS-CHAP-V2 post-proxy
(8) eap_lan_dot1x: WARNING: Tunneled session will be proxied. Not doing
EAP
(8) [eap_lan_dot1x] = handled
(8) } # Auth-Type eap_lan_dot1x = handled
(8) Starting proxy to home server 10.167.73.13 port 1812
(8) server lan-dot1x {
(8) }
(8) Proxying request to home server 10.167.73.13 port 1812 timeout
20.000000
(8) Sent Access-Request Id 248 from 0.0.0.0:37655 to 10.167.73.13:1812
length 143
(8) User-Name = "pierrick.merle.i"
(8) MS-CHAP-Challenge = <redacted>
(8) MS-CHAP2-Response = <redacted>
(8) Message-Authenticator := 0x00
(8) Proxy-State = 0x323035
Waking up in 0.3 seconds.
(8) Marking home server 10.167.73.13 port 1812 alive
(8) Clearing existing &reply: attributes
(8) Received Access-Accept Id 248 from 10.167.73.13:1812 to
10.166.1.58:37655 length 252
(8) Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a
(8) Proxy-State = 0x323035
(8) Framed-Protocol = PPP
(8) Service-Type = Framed-User
(8) Class =
0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af
(8) MS-MPPE-Recv-Key = <redacted>
(8) MS-MPPE-Send-Key = <redacted>
(8) MS-CHAP2-Success = <redacted>
(8) MS-CHAP-Domain = "\344PREPROD"
(8) server lan-dot1x {
(8) }
(8) Found Auth-Type = eap_lan_dot1x
(8) Found Auth-Type = Accept
(8) ERROR: Warning: Found 2 auth-types on request for user
'PREPROD\pierrick.merle.i'
(8) Auth-Type = Accept, accepting the user
(8) # Executing section post-auth from file
/etc/freeradius/3.0/server.d/lan-dot1x
(8) post-auth {
(8) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) {
(8) if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(8) update {
(8) &reply:MS-MPPE-Recv-Key !* ANY
(8) &reply:MS-MPPE-Send-Key !* ANY
(8) &reply:Tunnel-Private-Group-Id:0 !* ANY
(8) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3
Handshake, ClientHello'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
Handshake, ServerHello'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
Handshake, Certificate'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
Handshake, ServerKeyExchange'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
Handshake, ServerHelloDone'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2
Handshake, ClientKeyExchange'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2
Handshake, Finished'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
ChangeCipherSpec'
(8) &reply::TLS-Session-Information +=
&session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2
Handshake, Finished'
(8) &reply::TLS-Session-Cipher-Suite +=
&session-state:TLS-Session-Cipher-Suite[*] ->
'ECDHE-RSA-AES256-GCM-SHA384'
(8) &reply::TLS-Session-Version +=
&session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(8) &reply:User-Name := &request:User-Name ->
'PREPROD\\pierrick.merle.i'
(8) No attributes updated for RHS &control:Extreme-Policy-ACL[*]
(8) No attributes updated for RHS
&control:Fabric-Attach-Service-Request[*]
(8) No attributes updated for RHS &control:Filter-Id
(8) No attributes updated for RHS &control:Tunnel-Private-Group-Id
(8) } # update = noop
(8) if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" ) {
(8) if (request:Calling-Station-Id == "F4:A8:0D:A3:D5:AD" ) ->
FALSE
(8) policy remove_reply_message_if_eap {
(8) if (&reply:EAP-Message && &reply:Reply-Message) {
(8) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(8) else {
(8) [noop] = noop
(8) } # else = noop
(8) } # policy remove_reply_message_if_eap = noop
(8) } # post-auth = noop
(8) EXPAND OK %{request:User-Name}
V:%{%{%{reply:Extreme-Netlogin-Extended-Vlan}:-%{reply:Tunnel-Private-Group-Id}}:-UXXX}
S:%{%{%{request:NAS-IP-Address}:-%{outer.request:NAS-IP-Address}}:-none}
P:%{%{%{request:NAS-Port}:-%{outer.request:NAS-Port}}:-none}
N:%{%{%{request:NAS-Identifier}:-%{outer.request:NAS-Identifier}}:-none}
M:%{%{%{request:Calling-Station-Id}:-%{outer.request:Calling-Station-Id}}:-none}
LDAP:%{%{control:ldap_AD-LDAP-Group}:-none}
SR:%{%{request:EAP-Session-Resumed}:-none}
H:%{%{request:Cache-Entry-Hits}:-0}
(8) --> OK PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004
N:SXT_APS20f M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0
(8) Login OK: [PREPROD\pierrick.merle.i/<via Auth-Type = eap_lan_dot1x>]
(from client SWITCH port 1004 cli 54:05:DB:EC:7A:F7) OK
PREPROD\\pierrick.merle.i V:UXXX S:10.128.2.54 P:1004 N:SXT_APS20f
M:54:05:DB:EC:7A:F7 LDAP:none SR:none H:0
(8) Sent Access-Accept Id 205 from 10.128.0.58:1812 to 10.128.2.54:32769
length 195
(8) Message-Authenticator = 0xea84928db30f8c9b048865c87d621a8a
(8) Framed-Protocol = PPP
(8) Service-Type = Framed-User
(8) Class =
0x595505e400000137000102000aa7490d00000000000000000000000001db82dd2c49bf8300000000000000af
(8) MS-CHAP2-Success = <redacted>
(8) MS-CHAP-Domain = "\344PREPROD"
(8) Framed-MTU += 1014
(8) User-Name := "PREPROD\\pierrick.merle.i"
(8) Finished request
Waking up in 4.9 seconds.
Le 21/02/2025 19:28, > aland a écrit :
> On Feb 21, 2025, at 1:04 PM, MERLE Pierrick (Chef de projet réseau) -
> SG/DNUM/MSP/DIS/GIR via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
>> I am currently using FreeRADIUS 3.2.x as a RADIUS proxy to forward
>> EAP-PEAP/MSCHAPv2 authentication requests to a backend Microsoft NPS
>> server. The setup is working correctly, but I am facing an issue with
>> TLS session resumption when using a proxy in the inner-tunnel:
>> Attributes are never saved in the tls cache.
>
> There's no reason why it shouldn't work.
>
>> When I use this setup without any proxy at all, TLS session resumption
>> just works as expected.
>>
>> Is TLS session resumption supported when using FreeRADIUS as a proxy
>> for the inner authentication?
>> If so, how can I properly cache the TLS session in this scenario?
>
> If you configure it, it should work. The code to save / restore
> session resumption data is independent of the inner-tunnel proxying.
> It's part of the TLS connection setup instead.
>
> Please post the full debug log for a situation where the session
> resumption doesn't work. The code is FULL of debug messages which
> explain when / why it's saving sessions, or not.
>
> Alan DeKok.
More information about the Freeradius-Users
mailing list