freeradius confuses switch
Christoph Egger
christoph_egger at gmx.de
Fri May 9 10:08:30 UTC 2025
On 09.05.25 at 10:55, Matthew Newton via Freeradius-Users wrote:
> On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
>> switch -> freeradius: access-request (1), id: 0x2d
>> freeradius -> switch: access-reject (3), id: 0x2d
>> freeradius -> switch: access-accept (2), id: 0x2c
>
> FreeRADIUS never sends a reject followed by an accept for the same request.
>
> As always, what does the full debug output show?
>
Here it is: the EAP-TTLS + PAP, and after that the corresponding tcpdump:
authentik-freeradius-1 | (45) Received Access-Request Id 46 from 172.16.1.1:49514 to 172.16.1.2:1812 length 138
authentik-freeradius-1 | (45) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (45) EAP-Message = 0x02020016016170706c655f6c616e5f74686174736d65
authentik-freeradius-1 | (45) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (45) NAS-Port = 3
authentik-freeradius-1 | (45) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (45) Service-Type = Framed-User
authentik-freeradius-1 | (45) if (&User-Name =~ / /) {
authentik-freeradius-1 | (45) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1 | (45) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1 | (45) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
authentik-freeradius-1 | (45) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (45) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (45) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (45) } # if (&User-Name) = notfound
authentik-freeradius-1 | (45) suffix: No such realm "NULL"
authentik-freeradius-1 | (45) [suffix] = noop
authentik-freeradius-1 | (45) eap: Peer sent EAP Response (code 2) ID 2 length 22
authentik-freeradius-1 | (45) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
authentik-freeradius-1 | (45) [eap] = ok
authentik-freeradius-1 | (45) } # authorize = ok
authentik-freeradius-1 | (45) Found Auth-Type = eap
authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (45) authenticate {
authentik-freeradius-1 | (45) eap: Peer sent packet with method EAP Identity (1)
authentik-freeradius-1 | (45) eap: Using default_eap_type = TTLS
authentik-freeradius-1 | (45) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1 | (45) eap_ttls: (TLS) TTLS -Initiating new session
authentik-freeradius-1 | (45) eap: Sending EAP Request (code 1) ID 3 length 6
authentik-freeradius-1 | (45) eap: EAP session adding &reply:State = 0x2d378bd52d349ea4
authentik-freeradius-1 | (45) [eap] = handled
authentik-freeradius-1 | (45) } # authenticate = handled
authentik-freeradius-1 | (45) Using Post-Auth-Type Challenge
authentik-freeradius-1 | (45) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (45) Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1 | (45) session-state: Saving cached attributes
authentik-freeradius-1 | (45) Framed-MTU = 994
authentik-freeradius-1 | (45) Sent Access-Challenge Id 46 from 172.16.1.2:1812 to 172.16.1.1:49514 length 64
authentik-freeradius-1 | (45) EAP-Message = 0x010300061520
authentik-freeradius-1 | (45) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (45) State = 0x2d378bd52d349ea48c81890488f2e33c
authentik-freeradius-1 | (45) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (46) Received Access-Request Id 47 from 172.16.1.1:49514 to 172.16.1.2:1812 length 295
authentik-freeradius-1 | (46) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (46) EAP-Message = 0x020300a115800000009716030300920100008e0303681dc4befd642d026911306f371557d5d2f4a94b96242867061ce633f5245fe800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
authentik-freeradius-1 | (46) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (46) NAS-Port = 3
authentik-freeradius-1 | (46) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (46) Service-Type = Framed-User
authentik-freeradius-1 | (46) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (46) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (46) State = 0x2d378bd52d349ea48c81890488f2e33c
authentik-freeradius-1 | (46) Message-Authenticator = 0x6dd431248b2fbe0228d157c2fa27a529
authentik-freeradius-1 | (46) Restoring &session-state
authentik-freeradius-1 | (46) &session-state:Framed-MTU = 994
authentik-freeradius-1 | (46) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (46) authorize {
authentik-freeradius-1 | (46) policy filter_username {
authentik-freeradius-1 | (46) if (&User-Name) {
authentik-freeradius-1 | (46) if (&User-Name) -> TRUE
authentik-freeradius-1 | (46) if (&User-Name) {
authentik-freeradius-1 | (46) if (&User-Name =~ / /) {
authentik-freeradius-1 | (46) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1 | (46) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1 | (46) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
authentik-freeradius-1 | (46) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (46) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (46) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (46) } # if (&User-Name) = notfound
authentik-freeradius-1 | (46) } # policy filter_username = notfound
authentik-freeradius-1 | (46) [preprocess] = ok
authentik-freeradius-1 | (46) [chap] = noop
authentik-freeradius-1 | (46) [mschap] = noop
authentik-freeradius-1 | (46) [digest] = noop
authentik-freeradius-1 | (46) suffix: Checking for suffix after "@"
authentik-freeradius-1 | (46) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
authentik-freeradius-1 | (46) suffix: No such realm "NULL"
authentik-freeradius-1 | (46) [suffix] = noop
authentik-freeradius-1 | (46) eap: Peer sent EAP Response (code 2) ID 3 length 161
authentik-freeradius-1 | (46) eap: Continuing tunnel setup
authentik-freeradius-1 | (46) [eap] = ok
authentik-freeradius-1 | (46) } # authorize = ok
authentik-freeradius-1 | (46) Found Auth-Type = eap
authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (46) authenticate {
authentik-freeradius-1 | (46) eap: Removing EAP session with state 0x2d378bd52d349ea4
authentik-freeradius-1 | (46) eap: Previous EAP request found for state 0x2d378bd52d349ea4, released from the list
authentik-freeradius-1 | (46) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1 | (46) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1 | (46) eap_ttls: Authenticate
authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Peer says that the final record size will be 151 bytes
authentik-freeradius-1 | (46) eap_ttls: (TLS) EAP Got all data (151 bytes)
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
authentik-freeradius-1 | (46) eap_ttls: (TLS) TTLS - In Handshake Phase
authentik-freeradius-1 | (46) eap: Sending EAP Request (code 1) ID 4 length 1000
authentik-freeradius-1 | (46) eap: EAP session adding &reply:State = 0x2d378bd52c339ea4
authentik-freeradius-1 | (46) [eap] = handled
authentik-freeradius-1 | (46) } # authenticate = handled
authentik-freeradius-1 | (46) Using Post-Auth-Type Challenge
authentik-freeradius-1 | (46) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (46) Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1 | (46) session-state: Saving cached attributes
authentik-freeradius-1 | (46) Framed-MTU = 994
authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (46) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (46) Sent Access-Challenge Id 47 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064
authentik-freeradius-1 | (46) EAP-Message = 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
authentik-freeradius-1 | (46) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (46) State = 0x2d378bd52c339ea48c81890488f2e33c
authentik-freeradius-1 | (46) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (47) Received Access-Request Id 48 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140
authentik-freeradius-1 | (47) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (47) EAP-Message = 0x020400061500
authentik-freeradius-1 | (47) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (47) NAS-Port = 3
authentik-freeradius-1 | (47) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (47) Service-Type = Framed-User
authentik-freeradius-1 | (47) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (47) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (47) State = 0x2d378bd52c339ea48c81890488f2e33c
authentik-freeradius-1 | (47) Message-Authenticator = 0x8ba8cf973db7dbf690257fd18897e523
authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (47) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (47) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (47) authorize {
authentik-freeradius-1 | (47) policy filter_username {
authentik-freeradius-1 | (47) if (&User-Name) {
authentik-freeradius-1 | (47) if (&User-Name) -> TRUE
authentik-freeradius-1 | (47) if (&User-Name) {
authentik-freeradius-1 | (47) if (&User-Name =~ / /) {
authentik-freeradius-1 | (47) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (47) } # if (&User-Name) = notfound
authentik-freeradius-1 | (47) } # policy filter_username = notfound
authentik-freeradius-1 | (47) [preprocess] = ok
authentik-freeradius-1 | (47) [chap] = noop
authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (47) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (47) Sent Access-Challenge Id 48 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064
authentik-freeradius-1 | (47) EAP-Message = 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
authentik-freeradius-1 | (47) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (47) State = 0x2d378bd52f329ea48c81890488f2e33c
authentik-freeradius-1 | (47) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (48) Received Access-Request Id 49 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140
authentik-freeradius-1 | (48) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (48) EAP-Message = 0x020500061500
authentik-freeradius-1 | (48) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (48) NAS-Port = 3
authentik-freeradius-1 | (48) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (48) Service-Type = Framed-User
authentik-freeradius-1 | (48) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (48) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (48) State = 0x2d378bd52f329ea48c81890488f2e33c
authentik-freeradius-1 | (48) Message-Authenticator = 0x7e9c351c6e0c60bec88aae42cbfd7a82
authentik-freeradius-1 | (48) Restoring &session-state
authentik-freeradius-1 | (48) &session-state:Framed-MTU = 994
authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (48) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (48) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (48) authorize {
authentik-freeradius-1 | (48) policy filter_username {
authentik-freeradius-1 | (48) if (&User-Name) {
authentik-freeradius-1 | (48) if (&User-Name) -> TRUE
authentik-freeradius-1 | (48) if (&User-Name) {
authentik-freeradius-1 | (48) if (&User-Name =~ / /) {
authentik-freeradius-1 | (48) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (48) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1 | (48) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
authentik-freeradius-1 | (48) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (48) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (48) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (48) } # if (&User-Name) = notfound
authentik-freeradius-1 | (48) } # policy filter_username = notfound
authentik-freeradius-1 | (48) [preprocess] = ok
authentik-freeradius-1 | (48) [chap] = noop
authentik-freeradius-1 | (48) [mschap] = noop
authentik-freeradius-1 | (48) [digest] = noop
authentik-freeradius-1 | (48) suffix: Checking for suffix after "@"
authentik-freeradius-1 | (48) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
authentik-freeradius-1 | (48) suffix: No such realm "NULL"
authentik-freeradius-1 | (48) [suffix] = noop
authentik-freeradius-1 | (48) eap: Peer sent EAP Response (code 2) ID 5 length 6
authentik-freeradius-1 | (48) eap: Continuing tunnel setup
authentik-freeradius-1 | (48) [eap] = ok
authentik-freeradius-1 | (48) } # authorize = ok
authentik-freeradius-1 | (48) Found Auth-Type = eap
authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (48) authenticate {
authentik-freeradius-1 | (48) eap: Removing EAP session with state 0x2d378bd52f329ea4
authentik-freeradius-1 | (48) eap: Previous EAP request found for state 0x2d378bd52f329ea4, released from the list
authentik-freeradius-1 | (48) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1 | (48) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1 | (48) eap_ttls: Authenticate
authentik-freeradius-1 | (48) eap_ttls: (TLS) Peer ACKed our handshake fragment
authentik-freeradius-1 | (48) eap: Sending EAP Request (code 1) ID 6 length 1000
authentik-freeradius-1 | (48) eap: EAP session adding &reply:State = 0x2d378bd52e319ea4
authentik-freeradius-1 | (48) [eap] = handled
authentik-freeradius-1 | (48) } # authenticate = handled
authentik-freeradius-1 | (48) Using Post-Auth-Type Challenge
authentik-freeradius-1 | (48) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (48) Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1 | (48) session-state: Saving cached attributes
authentik-freeradius-1 | (48) Framed-MTU = 994
authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (48) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (48) Sent Access-Challenge Id 49 from 172.16.1.2:1812 to 172.16.1.1:49514 length 1064
authentik-freeradius-1 | (48) EAP-Message = 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
authentik-freeradius-1 | (48) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (48) State = 0x2d378bd52e319ea48c81890488f2e33c
authentik-freeradius-1 | (48) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (49) Received Access-Request Id 50 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140
authentik-freeradius-1 | (49) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (49) EAP-Message = 0x020600061500
authentik-freeradius-1 | (49) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (49) NAS-Port = 3
authentik-freeradius-1 | (49) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (49) Service-Type = Framed-User
authentik-freeradius-1 | (49) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (49) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (49) Message-Authenticator = 0x813ff55ff1a4a9e8af7bfd6b291b0e9b
authentik-freeradius-1 | (49) Restoring &session-state
authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (49) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (49) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (49) authorize {
authentik-freeradius-1 | (49) policy filter_username {
authentik-freeradius-1 | (49) if (&User-Name) {
authentik-freeradius-1 | (49) if (&User-Name) -> TRUE
authentik-freeradius-1 | (49) if (&User-Name) {
authentik-freeradius-1 | (49) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (49) if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1 | (49) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (49) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (49) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (49) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (49) } # if (&User-Name) = notfound
authentik-freeradius-1 | (49) } # policy filter_username = notfound
authentik-freeradius-1 | (50) Received Access-Request Id 51 from 172.16.1.1:49514 to 172.16.1.2:1812 length 140
authentik-freeradius-1 | (50) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (50) EAP-Message = 0x020700061500
authentik-freeradius-1 | (50) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (50) NAS-Port = 3
authentik-freeradius-1 | (50) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (50) Service-Type = Framed-User
authentik-freeradius-1 | (50) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (50) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (50) State = 0x2d378bd529309ea48c81890488f2e33c
authentik-freeradius-1 | (50) Message-Authenticator = 0xf81e574264216b6dad0e74b30869f07f
authentik-freeradius-1 | (50) Restoring &session-state
authentik-freeradius-1 | (50) &session-state:Framed-MTU = 994
authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (50) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (50) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (50) authorize {
authentik-freeradius-1 | (50) policy filter_username {
authentik-freeradius-1 | (50) if (&User-Name) {
authentik-freeradius-1 | (50) if (&User-Name) -> TRUE
authentik-freeradius-1 | (50) if (&User-Name) {
authentik-freeradius-1 | (50) if (&User-Name =~ / /) {
authentik-freeradius-1 | (50) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1 | (50) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1 | (50) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (50) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (50) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (50) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (50) } # if (&User-Name) = notfound
authentik-freeradius-1 | (50) } # policy filter_username = notfound
authentik-freeradius-1 | (50) [preprocess] = ok
authentik-freeradius-1 | (50) [chap] = noop
authentik-freeradius-1 | (50) [mschap] = noop
authentik-freeradius-1 | (50) [digest] = noop
authentik-freeradius-1 | (50) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
authentik-freeradius-1 | (50) suffix: No such realm "NULL"
authentik-freeradius-1 | (50) [suffix] = noop
authentik-freeradius-1 | (50) eap: Peer sent EAP Response (code 2) ID 7 length 6
authentik-freeradius-1 | (50) eap: Continuing tunnel setup
authentik-freeradius-1 | (50) [eap] = ok
authentik-freeradius-1 | (50) } # authorize = ok
authentik-freeradius-1 | (50) Found Auth-Type = eap
authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (50) authenticate {
authentik-freeradius-1 | (50) eap: Removing EAP session with state 0x2d378bd529309ea4
authentik-freeradius-1 | (50) eap: Previous EAP request found for state 0x2d378bd529309ea4, released from the list
authentik-freeradius-1 | (50) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1 | (50) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1 | (50) eap_ttls: Authenticate
authentik-freeradius-1 | (50) eap_ttls: (TLS) Peer ACKed our handshake fragment
authentik-freeradius-1 | (50) eap: Sending EAP Request (code 1) ID 8 length 70
authentik-freeradius-1 | (50) [eap] = handled
authentik-freeradius-1 | (50) } # authenticate = handled
authentik-freeradius-1 | (50) Using Post-Auth-Type Challenge
authentik-freeradius-1 | (50) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (50) Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1 | (50) session-state: Saving cached attributes
authentik-freeradius-1 | (50) Framed-MTU = 994
authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (50) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (50) Sent Access-Challenge Id 51 from 172.16.1.2:1812 to 172.16.1.1:49514 length 128
authentik-freeradius-1 | (50) EAP-Message = 0x01080046158000000fb4869667380632a4142079fb1f2ff5c8def2967978b74b3087d78a0bc118847696a8454a2a272af3d6cd31a29d59fbf04fcea73416030300040e000000
authentik-freeradius-1 | (50) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (50) State = 0x2d378bd5283f9ea48c81890488f2e33c
authentik-freeradius-1 | (50) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (51) Received Access-Request Id 52 from 172.16.1.1:49514 to 172.16.1.2:1812 length 270
authentik-freeradius-1 | (51) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (51) EAP-Message = 0x0208008815800000007e160303004610000042410419ae54fd8e6d6cf9d33816dcca4bf092ad18d110ad1ca18ad0b68e5a397c0a604e49c6add9cb514acac0811f412580d3cef6aa3a37a814eedfebef46ec8f48aa1403030001011603030028f5828f0161eb6130a671794392becd9618fa618cb47c6265cadcaea18ccfc8b2b2e03cd124ea548b
authentik-freeradius-1 | (51) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (51) NAS-Port = 3
authentik-freeradius-1 | (51) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (51) Service-Type = Framed-User
authentik-freeradius-1 | (51) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (51) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (51) State = 0x2d378bd5283f9ea48c81890488f2e33c
authentik-freeradius-1 | (51) Message-Authenticator = 0x31d9c558591c9fa84bb37e2443138f02
authentik-freeradius-1 | (51) Restoring &session-state
authentik-freeradius-1 | (51) &session-state:Framed-MTU = 994
authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (51) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (51) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (51) authorize {
authentik-freeradius-1 | (51) policy filter_username {
authentik-freeradius-1 | (51) if (&User-Name) {
authentik-freeradius-1 | (51) if (&User-Name) -> TRUE
authentik-freeradius-1 | (51) if (&User-Name) {
authentik-freeradius-1 | (51) if (&User-Name =~ / /) {
authentik-freeradius-1 | (51) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (51) [mschap] = noop
authentik-freeradius-1 | (51) [digest] = noop
authentik-freeradius-1 | (51) suffix: Checking for suffix after "@"
authentik-freeradius-1 | (51) [suffix] = noop
authentik-freeradius-1 | (51) eap: Peer sent EAP Response (code 2) ID 8 length 136
authentik-freeradius-1 | (51) [eap] = ok
authentik-freeradius-1 | (51) } # authorize = ok
authentik-freeradius-1 | (51) Found Auth-Type = eap
authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (51) authenticate {
authentik-freeradius-1 | (51) eap: Removing EAP session with state 0x2d378bd5283f9ea4
authentik-freeradius-1 | (51) eap: Peer sent packet with method EAP TTLS (21)
authentik-freeradius-1 | (51) eap: Calling submodule eap_ttls to process data
authentik-freeradius-1 | (51) eap_ttls: Authenticate
authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Peer says that the final record size will be 126 bytes
authentik-freeradius-1 | (51) eap_ttls: (TLS) EAP Got all data (126 bytes)
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
authentik-freeradius-1 | (51) eap_ttls: (TLS) TTLS - Connection Established
authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
authentik-freeradius-1 | (51) eap_ttls: TLS-Session-Version = "TLS 1.2"
authentik-freeradius-1 | (51) eap: Sending EAP Request (code 1) ID 9 length 61
authentik-freeradius-1 | (51) eap: EAP session adding &reply:State = 0x2d378bd52b3e9ea4
authentik-freeradius-1 | (51) } # authenticate = handled
authentik-freeradius-1 | (51) Using Post-Auth-Type Challenge
authentik-freeradius-1 | (51) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (51) Challenge { ... } # empty sub-section is ignored
authentik-freeradius-1 | (51) session-state: Saving cached attributes
authentik-freeradius-1 | (51) Framed-MTU = 994
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
authentik-freeradius-1 | (51) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
authentik-freeradius-1 | (51) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
authentik-freeradius-1 | (51) TLS-Session-Version = "TLS 1.2"
authentik-freeradius-1 | (51) Sent Access-Challenge Id 52 from 172.16.1.2:1812 to 172.16.1.1:49514 length 119
authentik-freeradius-1 | (51) EAP-Message = 0x0109003d15800000003314030300010116030300281c6440dcdfdbf05f1f9394118125311533b66d6444bdb7f11ce8b2a04b349adc2bb5de540eb22132
authentik-freeradius-1 | (51) Message-Authenticator = 0x00000000000000000000000000000000
authentik-freeradius-1 | (51) State = 0x2d378bd52b3e9ea48c81890488f2e33c
authentik-freeradius-1 | (51) Finished request
authentik-freeradius-1 | Waking up in 4.9 seconds.
authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217
authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (52) Service-Type = Framed-User
authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (52) authorize {
authentik-freeradius-1 | (52) } # policy filter_username = notfound
authentik-freeradius-1 | (52) [preprocess] = ok
authentik-freeradius-1 | (52) [chap] = noop
authentik-freeradius-1 | (52) [mschap] = noop
authentik-freeradius-1 | (52) [digest] = noop
authentik-freeradius-1 | (52) suffix: Checking for suffix after "@"
authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel
authentik-freeradius-1 | (52) authorize {
authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP
authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now
authentik-freeradius-1 | Waking up in 4.6 seconds.
authentik-freeradius-1 | (45) Cleaning up request packet ID 46 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (46) Cleaning up request packet ID 47 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (47) Cleaning up request packet ID 48 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (48) Cleaning up request packet ID 49 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (49) Cleaning up request packet ID 50 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (50) Cleaning up request packet ID 51 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199
authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme"
authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d
authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3
authentik-freeradius-1 | (53) NAS-Port = 3
authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4"
authentik-freeradius-1 | (53) Service-Type = Framed-User
authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E"
authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet
authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094
authentik-freeradius-1 | (53) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (53) authorize {
authentik-freeradius-1 | (53) policy filter_username {
authentik-freeradius-1 | (53) if (&User-Name) {
authentik-freeradius-1 | (53) if (&User-Name) -> TRUE
authentik-freeradius-1 | (53) if (&User-Name) {
authentik-freeradius-1 | (53) if (&User-Name =~ / /) {
authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE
authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) {
authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) {
authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE
authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) {
authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE
authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) {
authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE
authentik-freeradius-1 | (53) } # if (&User-Name) = notfound
authentik-freeradius-1 | (53) } # policy filter_username = notfound
authentik-freeradius-1 | (53) [preprocess] = ok
authentik-freeradius-1 | (53) [chap] = noop
authentik-freeradius-1 | (53) [mschap] = noop
authentik-freeradius-1 | (53) [digest] = noop
authentik-freeradius-1 | (53) suffix: Checking for suffix after "@"
authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
authentik-freeradius-1 | (53) suffix: No such realm "NULL"
authentik-freeradius-1 | (53) eap: Continuing tunnel setup
authentik-freeradius-1 | (53) [eap] = ok
authentik-freeradius-1 | (53) } # authorize = ok
authentik-freeradius-1 | (53) Found Auth-Type = eap
authentik-freeradius-1 | (53) # Executing group from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (53) authenticate {
authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
authentik-freeradius-1 | Waking up in 0.6 seconds.
authentik-freeradius-1 | (53) Sending delayed response
authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38
authentik-freeradius-1 | Waking up in 3.9 seconds.
authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost
authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1 | (52) The packet does not contain Message-Authenticator, which is a security issue
authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost
authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
authentik-freeradius-1 | (52) Clearing existing &reply: attributes
authentik-freeradius-1 | (52) Found Auth-Type = eap
authentik-freeradius-1 | (52) Found Auth-Type = Accept
authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme'
authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user
authentik-freeradius-1 | (52) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default
authentik-freeradius-1 | (52) post-auth {
authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
authentik-freeradius-1 | (52) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
authentik-freeradius-1 | (52) update {
authentik-freeradius-1 | (52) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 994
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHello'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Certificate'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - recv TLS 1.2 Handshake, Finished'
authentik-freeradius-1 | (52) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TTLS - send TLS 1.2 Handshake, Finished'
authentik-freeradius-1 | (52) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
authentik-freeradius-1 | (52) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
authentik-freeradius-1 | (52) } # update = noop
authentik-freeradius-1 | (52) reply_log: EXPAND /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d
authentik-freeradius-1 | (52) reply_log: --> /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509
authentik-freeradius-1 | (52) reply_log: /opt/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d expands to /opt/var/log/radius/radacct/172.16.1.1/reply-detail-20250509
authentik-freeradius-1 | (52) reply_log: EXPAND %t
authentik-freeradius-1 | (52) reply_log: --> Fri May 9 09:02:54 2025
authentik-freeradius-1 | (52) [reply_log] = ok
authentik-freeradius-1 | (52) [exec] = noop
authentik-freeradius-1 | (52) policy remove_reply_message_if_eap {
authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) {
authentik-freeradius-1 | (52) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
authentik-freeradius-1 | (52) else {
authentik-freeradius-1 | (52) [noop] = noop
authentik-freeradius-1 | (52) } # else = noop
authentik-freeradius-1 | (52) } # policy remove_reply_message_if_eap = noop
authentik-freeradius-1 | (52) if (EAP-Key-Name && &reply:EAP-Session-Id) {
authentik-freeradius-1 | rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
authentik-freeradius-1 | rlm_ldap (ldap): Opening additional connection (15), 1 of 32 pending slots used
authentik-freeradius-1 | rlm_ldap (ldap): Connecting to ldap://outpost-ldap:3389
authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result...
authentik-freeradius-1 | rlm_ldap (ldap): Bind successful
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) EXPAND (&(objectClass=posixAccount)(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}}))
authentik-freeradius-1 | (52) --> (&(objectClass=posixAccount)(cn=christoph))
authentik-freeradius-1 | (52) Performing search in "ou=users,dc=ldap,dc=example,dc=com" with filter "(&(objectClass=posixAccount)(cn=christoph))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) User object found at DN "cn=christoph,ou=users,dc=ldap,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamboss)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | rlm_ldap (ldap): Waiting for bind result...
authentik-freeradius-1 | rlm_ldap (ldap): Bind successful
authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamboss"
authentik-freeradius-1 | (52) if (LDAP-Group == "RelVY_Teamboss") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_1"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_1") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Orgaleitung_2"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Orgaleitung_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Orgaleitung_2") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_1"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_1") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_2"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_2"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_2") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_3"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16)
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_3"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_3") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_4"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_4)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_4"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_4") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Verein_Vorsitz") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Verein_Vorsitz"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Verein_Vorsitz)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Verein_Vorsitz"
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_2)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Teamleader_2"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_2") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") {
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Search returned no results
authentik-freeradius-1 | (52) Checking user object's memberOf attributes
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=christoph,ou=users,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Public,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Public"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Teamleader_1"
authentik-freeradius-1 | (52) Processing memberOf value "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" as a DN
authentik-freeradius-1 | (52) Resolving group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" to group name
authentik-freeradius-1 | (52) Performing unfiltered search in "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com", scope "base"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) Group DN "cn=RelVY_Team_1,ou=groups,dc=ldap,dc=example,dc=com" resolves to name "RelVY_Team_1"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) User is not a member of "RelVY_Team_2"
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Team_2") -> FALSE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") {
authentik-freeradius-1 | (52) Searching for user in group "RelVY_Teamleader_1"
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (15)
authentik-freeradius-1 | (52) Using user DN from request "cn=christoph,ou=users,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | (52) Checking for user in group objects
authentik-freeradius-1 | (52) EXPAND (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=%{control:LDAP-UserDn})(cn=%{%{&control:Stripped-User-Name}:-%{&control:User-Name}})))
authentik-freeradius-1 | (52) --> (&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(objectClass=posixGroup)(|(member=cn\3dchristoph\2cou\3dusers\2cdc\3dldap\2cdc\3dexample\2cdc\3dcom)(cn=christoph)))", scope "sub"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | (52) User found in group object "cn=RelVY_Teamleader_1,ou=groups,dc=ldap,dc=example,dc=com"
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (15)
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") -> TRUE
authentik-freeradius-1 | (52) elsif (LDAP-Group == "RelVY_Teamleader_1") {
authentik-freeradius-1 | (52) update reply {
authentik-freeradius-1 | rlm_ldap (ldap): Reserved connection (16)
authentik-freeradius-1 | (52) Performing search in "ou=groups,dc=ldap,dc=example,dc=com" with filter "(&(cn=RelVY_Teamleader_1)(member=*christoph*))", scope "one"
authentik-freeradius-1 | (52) Waiting for search result...
authentik-freeradius-1 | rlm_ldap (ldap): Released connection (16)
authentik-freeradius-1 | (52) EXPAND %{%{ldap:ldap:///ou=groups,dc=ldap,dc=example,dc=com?Tunnel-Private-Group-Id?one?(&(cn=RelVY_Teamleader_1)(member=*%{&control:User-Name}*))}:-20}
authentik-freeradius-1 | (52) --> 11
authentik-freeradius-1 | (52) &Tunnel-Private-Group-Id = 11
authentik-freeradius-1 | (52) } # update reply = noop
authentik-freeradius-1 | (52) } # elsif (LDAP-Group == "RelVY_Teamleader_1") = noop
authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1 | (52) ... skipping elsif: Preceding "if" was taken
authentik-freeradius-1 | (52) ... skipping else: Preceding "if" was taken
authentik-freeradius-1 | (52) [updated] = updated
authentik-freeradius-1 | (52) } # post-auth = updated
authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60
authentik-freeradius-1 | (52) Framed-MTU += 994
authentik-freeradius-1 | (52) Tunnel-Type = VLAN
authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1 | (52) Finished request
authentik-freeradius-1 | Waking up in 2.0 seconds.
authentik-freeradius-1 | (53) Cleaning up request packet ID 54 with timestamp +11392 due to cleanup_delay was reached
authentik-freeradius-1 | Waking up in 2.9 seconds.
authentik-freeradius-1 | (52) Cleaning up request packet ID 53 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | Ready to process requests
Here is the corresponding tcpdump:
11:02:54.478033 IP (tos 0x0, ttl 64, id 16203, offset 0, flags [DF], proto UDP (17), length 166)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 138
Access-Request (1), id: 0x2e, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 24, Value: Response (2), id 2, len 22
Type Identity (1), Identity: apple_lan_thatsme
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: .....O.Z'.x. .g.
11:02:54.479542 IP (tos 0x0, ttl 63, id 29929, offset 0, flags [DF], proto UDP (17), length 92)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 64
Access-Challenge (11), id: 0x2e, Authenticator: d7071e95b29ff0017add0f037e666954
Message-Authenticator Attribute (80), length: 18, Value: ...-.. ).@...9..
EAP-Message Attribute (79), length: 8, Value: Request (1), id 3, len 6
Type TTLS (21) TTLSv0 flags [Start bit] 0x20
State Attribute (24), length: 18, Value: -7..-4.........<
11:02:54.485256 IP (tos 0x0, ttl 64, id 16204, offset 0, flags [DF], proto UDP (17), length 323)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 295
Access-Request (1), id: 0x2f, Authenticator: 4b738f889cbc442647b2c2e8536f3ccf
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 163, Value: Response (2), id 3, len 161
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 151
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7..-4.........<
Message-Authenticator Attribute (80), length: 18, Value: m.1$./..(.W..'.)
11:02:54.495593 IP (tos 0x0, ttl 63, id 29939, offset 0, flags [DF], proto UDP (17), length 1092)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064
Access-Challenge (11), id: 0x2f, Authenticator: 3fbed79113c4ccfc7b70b06bfe90ddc6
Message-Authenticator Attribute (80), length: 18, Value: ......>.?......>
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 243, Value: EAP fragment?
State Attribute (24), length: 18, Value: -7..,3.........<
11:02:54.508580 IP (tos 0x0, ttl 64, id 16206, offset 0, flags [DF], proto UDP (17), length 168)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140
Access-Request (1), id: 0x30, Authenticator: 3328535e7b536cf9b318055d8dce19fa
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 8, Value: Response (2), id 4, len 6
Type TTLS (21) TTLSv0 flags [none] 0x00
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7..,3.........<
Message-Authenticator Attribute (80), length: 18, Value: ....=....%.....#
11:02:54.510434 IP (tos 0x0, ttl 63, id 29954, offset 0, flags [DF], proto UDP (17), length 1092)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064
Access-Challenge (11), id: 0x30, Authenticator: f1155949a826c03d78b88c8716492fc5
Message-Authenticator Attribute (80), length: 18, Value: ^.Q.Vj.{.q_.....
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 243, Value: EAP fragment?
State Attribute (24), length: 18, Value: -7../2.........<
11:02:54.513539 IP (tos 0x0, ttl 64, id 16207, offset 0, flags [DF], proto UDP (17), length 168)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140
Access-Request (1), id: 0x31, Authenticator: 3328535e7b536cf9b318055d8dce19fa
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 8, Value: Response (2), id 5, len 6
Type TTLS (21) TTLSv0 flags [none] 0x00
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7../2.........<
Message-Authenticator Attribute (80), length: 18, Value: ~.5.n.`....B..z.
11:02:54.514849 IP (tos 0x0, ttl 63, id 29957, offset 0, flags [DF], proto UDP (17), length 1092)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064
Access-Challenge (11), id: 0x31, Authenticator: 4c61ec5020319a7800baf316893e7018
Message-Authenticator Attribute (80), length: 18, Value: .$+R.R..d..o.s2.
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 243, Value: EAP fragment?
State Attribute (24), length: 18, Value: -7...1.........<
11:02:54.518103 IP (tos 0x0, ttl 64, id 16208, offset 0, flags [DF], proto UDP (17), length 168)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140
Access-Request (1), id: 0x32, Authenticator: 3328535e7b536cf9b318055d8dce19fa
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 8, Value: Response (2), id 6, len 6
Type TTLS (21) TTLSv0 flags [none] 0x00
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7...1.........<
Message-Authenticator Attribute (80), length: 18, Value: .?._.....{.k)...
11:02:54.519623 IP (tos 0x0, ttl 63, id 29960, offset 0, flags [DF], proto UDP (17), length 1092)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 1064
Access-Challenge (11), id: 0x32, Authenticator: 678824bd907c75c8b2d8dc6ff22aeb60
Message-Authenticator Attribute (80), length: 18, Value: ........Y..{....
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 255, Value: EAP fragment?
EAP-Message Attribute (79), length: 243, Value: EAP fragment?
State Attribute (24), length: 18, Value: -7..)0.........<
11:02:54.522606 IP (tos 0x0, ttl 64, id 16209, offset 0, flags [DF], proto UDP (17), length 168)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 140
Access-Request (1), id: 0x33, Authenticator: 3328535e7b536cf9b318055d8dce19fa
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 8, Value: Response (2), id 7, len 6
Type TTLS (21) TTLSv0 flags [none] 0x00
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7..)0.........<
Message-Authenticator Attribute (80), length: 18, Value: ..WBd!km..t..i..
11:02:54.523961 IP (tos 0x0, ttl 63, id 29962, offset 0, flags [DF], proto UDP (17), length 156)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 128
Access-Challenge (11), id: 0x33, Authenticator: 0304fcd86e7f86ba4c2a0b92bd96ae44
Message-Authenticator Attribute (80), length: 18, Value: h..o..../f..V...
EAP-Message Attribute (79), length: 72, Value: Request (1), id 8, len 70
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 4020
State Attribute (24), length: 18, Value: -7..(?.........<
11:02:54.535647 IP (tos 0x0, ttl 64, id 16210, offset 0, flags [DF], proto UDP (17), length 298)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 270
Access-Request (1), id: 0x34, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 138, Value: Response (2), id 8, len 136
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 126
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7..(?.........<
Message-Authenticator Attribute (80), length: 18, Value: 1..XY...K.~$C...
11:02:54.539823 IP (tos 0x0, ttl 63, id 29975, offset 0, flags [DF], proto UDP (17), length 147)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 119
Access-Challenge (11), id: 0x34, Authenticator: 2d0dcced9b854c9b21bc8f66158d5f53
Message-Authenticator Attribute (80), length: 18, Value: ..$.3..#...:..U.
EAP-Message Attribute (79), length: 63, Value: Request (1), id 9, len 61
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 51
State Attribute (24), length: 18, Value: -7..+>.........<
11:02:54.542691 IP (tos 0x0, ttl 64, id 16211, offset 0, flags [DF], proto UDP (17), length 245)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 217
Access-Request (1), id: 0x35, Authenticator: 4fd8cd77ef97eaabb05b6a6788b19ff9
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
State Attribute (24), length: 18, Value: -7..+>.........<
Message-Authenticator Attribute (80), length: 18, Value: x....g.q..R.....
11:02:59.486633 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.1 tell SG3206X-M2.example.com, length 46
11:02:59.486636 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.1 is-at 00:00:5e:00:01:02 (oui IANA), length 28
11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227)
SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199
Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41
User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
Type TTLS (21) TTLSv0 flags [L bit] 0x80, len 73
NAS-IP-Address Attribute (4), length: 6, Value: SG3206X-M2.example.com
NAS-Port Attribute (5), length: 6, Value: 3
NAS-Identifier Attribute (32), length: 14, Value: DC6279CF8CB4
Service-Type Attribute (6), length: 6, Value: Framed
Calling-Station-Id Attribute (31), length: 19, Value: 00-E0-4C-68-20-7E
NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
Message-Authenticator Attribute (80), length: 18, Value: ..-s...f .... ..
11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38
Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17
Message-Authenticator Attribute (80), length: 18, Value: pK.._.....JN.j\0
11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88)
10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60
Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839
Message-Authenticator Attribute (80), length: 18, Value: .d.U.....q.K....
Framed-MTU Attribute (12), length: 6, Value: 994
Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] VLAN
Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
Tunnel-Private-Group-ID Attribute (81), length: 4, Value: 11
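
Added example (not part of the original post and not FreeRADIUS code): a Python script that reads `tcpdump -v` RADIUS text like the capture above, pairs replies with requests by RADIUS id, and reports a request re-sent under a new id and a reply that arrives after the reply to a later request. The sample input is abridged from the capture above; the function names, field names and finding labels are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the last six RADIUS packets of the capture in the post,
# abridged (IP header, authenticators, most attributes dropped; times/ids kept).
SAMPLE = """\
11:02:54.535647 IP (...)
Access-Request (1), id: 0x34, Authenticator: <omitted>
EAP-Message Attribute (79), length: 138, Value: Response (2), id 8, len 136
State Attribute (24), length: 18, Value: <omitted>
11:02:54.539823 IP (...)
Access-Challenge (11), id: 0x34, Authenticator: <omitted>
EAP-Message Attribute (79), length: 63, Value: Request (1), id 9, len 61
State Attribute (24), length: 18, Value: <omitted>
11:02:54.542691 IP (...)
Access-Request (1), id: 0x35, Authenticator: <omitted>
EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
State Attribute (24), length: 18, Value: <omitted>
11:02:59.537570 IP (...)
Access-Request (1), id: 0x36, Authenticator: <omitted>
EAP-Message Attribute (79), length: 85, Value: Response (2), id 9, len 83
11:03:00.540835 IP (...)
Access-Reject (3), id: 0x36, Authenticator: <omitted>
11:03:02.449220 IP (...)
Access-Accept (2), id: 0x35, Authenticator: <omitted>
"""

TS = re.compile(r"^\s*(\d\d):(\d\d):(\d\d\.\d+)\s")
CODE = re.compile(r"(Access-(?:Request|Challenge|Accept|Reject)) \(\d+\), id: (0x[0-9a-fA-F]+)")
EAP = re.compile(r"EAP-Message Attribute \(79\).*Value: (?:Request|Response) \(\d+\), id (\d+)")

@dataclass
class Packet:
    t: float                      # seconds since midnight
    code: str
    rid: int                      # RADIUS packet id
    eap_id: Optional[int] = None
    has_state: bool = False

def parse(text):
    """Turn `tcpdump -v` RADIUS text into Packet records (indentation-agnostic)."""
    packets, t, cur = [], None, None
    for line in text.splitlines():
        if m := TS.match(line):           # any timestamp line ends the previous packet
            t, cur = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3]), None
        elif (m := CODE.search(line)) and t is not None:
            cur = Packet(t, m[1], int(m[2], 16))
            packets.append(cur)
        elif cur and (m := EAP.search(line)):
            cur.eap_id = int(m[1])
        elif cur and "State Attribute (24)" in line:
            cur.has_state = True
    return packets

def analyse(packets):
    """Pair replies with requests by RADIUS id; assumes one NAS socket and no id wrap."""
    findings, pending, last = [], {}, None    # last = most recently answered request
    for p in packets:
        if p.code == "Access-Request":
            if p.rid in pending:              # plain retransmit: keep first timestamp
                continue
            for old in pending.values():      # same EAP response, but under a new id
                if p.eap_id is not None and old.eap_id == p.eap_id:
                    findings.append({"kind": "resent-under-new-id", "rid": p.rid,
                                     "prev_rid": old.rid, "gap_s": round(p.t - old.t, 3),
                                     "state_present": p.has_state})
            pending[p.rid] = p
        elif (req := pending.pop(p.rid, None)) is not None:
            if last is not None and req.t < last[0].t:   # a later request was answered first
                findings.append({"kind": "overtaken-reply", "rid": p.rid, "code": p.code,
                                 "latency_s": round(p.t - req.t, 3),
                                 "overtaken_by": (last[1].rid, last[1].code)})
            else:
                last = (req, p)
    return findings

if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE)):
        print(finding)
```

On the sample, the script reports id 0x36 as a re-send of the EAP response first carried in id 0x35, without a State attribute, and the Access-Accept for id 0x35 as arriving after the Access-Reject for id 0x36.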