Question / Copy inner to outer identity
Dominic Stalder
dominic.stalder at bluewin.ch
Tue Nov 4 08:54:01 UTC 2025
Hi guys
I know there is already some information out there about this topic, for example in this post from back in 2018: https://lists.freeradius.org/pipermail/freeradius-users/2018-November/093770.html
And there are also examples in the FreeRADIUS inner-proxy configuration file:
    # Post-Authentication
    # Once we KNOW that the user has been authenticated, there are
    # additional steps we can take.
    #
    # Note that the last packet of the inner-tunnel authentication
    # MAY NOT BE the last packet of the outer session. So updating
    # the outer reply MIGHT work, and sometimes MIGHT NOT. The
    # exact functionality depends on both the inner and outer
    # authentication methods.
    #
    # If you need to send a reply attribute in the outer session,
    # the ONLY safe way is to set "use_tunneled_reply = yes", and
    # then update the inner-tunnel reply.
    post-auth {
        # If you want privacy to remain, see the
        # Chargeable-User-Identity attribute from RFC 4372.
        # If you want to use it just uncomment the line below.
        # cui-inner
        #
        # If you want the Access-Accept to contain the inner
        # User-Name, uncomment the following lines.
        #
        # update outer.session-state {
        #     User-Name := &User-Name
        # }
We use PEAP/MS-CHAPv2 on our eduroam SSID.
Goal: copy the inner identity to the Access-Accept RADIUS packet, if possible at all (?!) -> our Cisco WLAN infrastructure could «see» the real username instead of a bunch of anonymous at unibe.ch accounts, this will be used for further processing in a cloud service.
But based on the debug output (see below), the inner-proxy configuration is not hit at all; I think this is based on how our FreeRADIUS proxying is done, but here I am not 100% sure about this.
But maybe you can help me out and point me in the right direction; in short: is there a way (for us) to achieve the copying of the inner to the outer identity for the Access-Accept packet (only)?
Thanks and best regards
Dominic
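One way to check from `radiusd -X` output which virtual server files each request passed through, and whether an Access-Accept left with a User-Name different from the outer one. This is an added example, not part of the original post and not FreeRADIUS code; the sample log is constructed, and `inner-tunnel` is assumed to be the file name of the inner virtual server.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of `radiusd -X` output. Addresses, user
# names and the inner-tunnel file name are assumptions, not site data.
SAMPLE_LOG = """\
(14) Received Access-Request Id 161 from 192.0.2.10:63606 to 192.0.2.1:1812 length 461
(14)   User-Name = "anonymous@example.org"
(14)   EAP-Message = 0x0201
(14) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(14) session-state: Saving cached attributes
(14)   Framed-MTU = 1014
(14) Sent Access-Challenge Id 161 from 192.0.2.1:1812 to 192.0.2.10:63606 length 64
(14)   EAP-Message = 0x0102
(14) Finished request
(21) Received Access-Request Id 168 from 192.0.2.10:63606 to 192.0.2.1:1812 length 520
(21)   User-Name = "anonymous@example.org"
(21) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(21) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(21) # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
(21) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(21) Sent Access-Accept Id 168 from 192.0.2.1:1812 to 192.0.2.10:63606 length 190
(21)   User-Name = "jdoe@example.org"
(21) Finished request
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
PACKET = re.compile(r"^(Received|Sent) ([A-Za-z-]+) Id \d+ ")
SECTION = re.compile(r"^# Executing (?:section|group)(?: (\S+))? from file (\S+)$")
ATTR = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")
INNER_SERVER = "inner-tunnel"  # assumption: stock name of the inner virtual server


def parse_debug(text):
    """Return {request_number: summary} for each request in the debug output."""
    reqs = OrderedDict()
    mode = {}  # request number -> "rx", "tx" or None (open attribute list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        num, body = int(m.group(1)), m.group(2)
        r = reqs.setdefault(num, {"rx": None, "tx": None, "sections": [],
                                   "request": {}, "reply": {}})
        pkt = PACKET.match(body)
        if pkt:
            key = "rx" if pkt.group(1) == "Received" else "tx"
            r[key] = pkt.group(2)
            mode[num] = key
            continue
        attr = ATTR.match(body)
        if attr and mode.get(num):
            # Attribute line directly below a Received/Sent header.
            target = r["request"] if mode[num] == "rx" else r["reply"]
            target.setdefault(attr.group(1), attr.group(2).strip('"'))
            continue
        mode[num] = None  # any other line closes the attribute list
        sec = SECTION.match(body)
        if sec:
            server = sec.group(2).rsplit("/", 1)[-1]
            r["sections"].append((server, sec.group(1) or "group"))
    return reqs


def check_identity_copy(reqs):
    """Report, for each Access-Accept, what the log shows about the identity."""
    findings = []
    for num, r in reqs.items():
        if r["tx"] != "Access-Accept":
            continue
        outer = r["request"].get("User-Name")
        sent = r["reply"].get("User-Name")
        if (INNER_SERVER, "post-auth") not in r["sections"]:
            verdict = "inner-tunnel post-auth did not run for this request"
        elif sent is None:
            verdict = "inner post-auth ran, reply carries no User-Name"
        elif sent == outer:
            verdict = "inner post-auth ran, reply still carries the outer identity"
        else:
            verdict = "inner post-auth ran, reply User-Name differs from the outer one"
        findings.append((num, verdict))
    if not findings:
        findings.append((None, "no Access-Accept in this capture"))
    return findings


if __name__ == "__main__":
    for num, r in parse_debug(SAMPLE_LOG).items():
        print(num, r["rx"], "->", r["tx"], r["sections"])
    print(check_identity_copy(parse_debug(SAMPLE_LOG)))
```

A capture that contains only Access-Challenge rounds reports that no Access-Accept was seen, so the inner virtual server cannot be judged from it.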
***
Debug output:
(14) Received Access-Request Id 161 from 1.2.3.4:63606 to 130.92.10.33:1812 length 461
(14) User-Name = anonymous at unibe.ch
(14) Service-Type = Framed-User
(14) Cisco-AVPair = "service-type=Framed"
(14) Framed-MTU = 1485
(14) EAP-Message = 0x0201001701616e6f6e796d6f757340756e6962652e6368
(14) Message-Authenticator = 0xcda0dbee35c44f95af0a726f08995386
(14) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(14) Cisco-AVPair = "method=dot1x"
(14) Cisco-AVPair = "client-iif-id=2818574557"
(14) Cisco-AVPair = "vlan-id=1000"
(14) NAS-IP-Address = 1.2.3.4
(14) NAS-Port-Id = "capwap_9000000c"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port = 4211
(14) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(14) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(14) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(14) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(14) Airespace-Wlan-Id = 97
(14) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(14) WLAN-Group-Cipher = 1027076
(14) WLAN-Pairwise-Cipher = 1027076
(14) WLAN-AKM-Suite = 1027075
(14) WLAN-Group-Mgmt-Cipher = 1027078
(14) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(14) authorize {
(14) policy rewrite_called_station_id {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(14) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> 2C-E3-8E-ED-31-E0
(14) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(14) } # update request = noop
(14) if ("%{8}") {
(14) EXPAND %{8}
(14) --> eduroam
(14) if ("%{8}") -> TRUE
(14) if ("%{8}") {
(14) update request {
(14) EXPAND %{8}
(14) --> eduroam
(14) &Called-Station-SSID := eduroam
(14) EXPAND %{Called-Station-Id}:%{8}
(14) --> 2C-E3-8E-ED-31-E0:eduroam
(14) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(14) } # update request = noop
(14) } # if ("%{8}") = noop
(14) [updated] = updated
(14) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_called_station_id = updated
(14) policy rewrite_calling_station_id {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14) update request {
(14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14) --> AC-DF-A1-B1-F1-5A
(14) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(14) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(14) --> AC:DF:A1:B1:F1:5A
(14) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(14) } # update request = noop
(14) [updated] = updated
(14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(14) ... skipping else: Preceding "if" was taken
(14) } # policy rewrite_calling_station_id = updated
(14) if (Service-Type == Call-Check) {
(14) if (Service-Type == Call-Check) -> FALSE
(14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(14) EXPAND Packet-Src-IP-Address
(14) --> 1.2.3.4
(14) EXPAND Packet-Src-IP-Address
(14) --> 1.2.3.4
(14) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(14) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(14) if (EAP-Message) {
(14) if (EAP-Message) -> TRUE
(14) if (EAP-Message) {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]*@/ ) {
(14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(14) if (&User-Name =~ /\.\./ ) {
(14) if (&User-Name =~ /\.\./ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(14) if (&User-Name =~ /\.$/) {
(14) if (&User-Name =~ /\.$/) -> FALSE
(14) if (&User-Name =~ /@\./) {
(14) if (&User-Name =~ /@\./) -> FALSE
(14) } # if (&User-Name) = updated
(14) } # policy filter_username = updated
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(14) suffix: Found realm "UNIBE.CH"
(14) suffix: Adding Realm = "UNIBE.CH"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) policy deny_no_realm {
(14) if (User-Name && (User-Name !~ /@/)) {
(14) if (User-Name && (User-Name !~ /@/)) -> FALSE
(14) } # policy deny_no_realm = updated
(14) update request {
(14) EXPAND %{toupper:%{Realm}}
(14) --> UNIBE.CH
(14) Realm := UNIBE.CH
(14) } # update request = noop
(14) eap: Peer sent EAP Response (code 2) ID 1 length 23
(14) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(14) [eap] = ok
(14) } # if (EAP-Message) = ok
(14) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(14) } # authorize = updated
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) Auth-Type eap {
(14) eap: Peer sent packet with method EAP Identity (1)
(14) eap: Using default_eap_type = PEAP
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) PEAP -Initiating new session
(14) eap: Sending EAP Request (code 1) ID 2 length 6
(14) eap: EAP session adding &reply:State = 0x1a0c7e771a0e6752
(14) [eap] = handled
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) EXPAND Response-Packet-Type
(14) --> Access-Challenge
(14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(14) if (handled && (Response-Packet-Type == Access-Challenge)) {
(14) attr_filter.access_challenge: EXPAND %{User-Name}
(14) attr_filter.access_challenge: --> anonymous at unibe.ch
(14) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(14) [attr_filter.access_challenge.post-auth] = updated
(14) [handled] = handled
(14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(14) } # Auth-Type eap = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) session-state: Saving cached attributes
(14) Framed-MTU = 1014
(14) Sent Access-Challenge Id 161 from 130.92.10.33:1812 to 1.2.3.4:63606 length 64
(14) EAP-Message = 0x010200061920
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x1a0c7e771a0e675279b57cf47df95d07
(14) Finished request
(15) Received Access-Request Id 162 from 1.2.3.4:63606 to 130.92.10.33:1812 length 617
(15) User-Name = anonymous at unibe.ch
(15) Service-Type = Framed-User
(15) Cisco-AVPair = "service-type=Framed"
(15) Framed-MTU = 1485
(15) EAP-Message = 0x020200a119800000009716030100920100008e03036909999b25b7e27b2e2e231f9c546c4a37d3b858ee2635bdaf836b8c39d42d6800002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306010005000501000000000012000000170000
(15) Message-Authenticator = 0xdf959aef8b75ae98ed4dda59508b7a60
(15) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(15) Cisco-AVPair = "method=dot1x"
(15) Cisco-AVPair = "client-iif-id=2818574557"
(15) Cisco-AVPair = "vlan-id=1000"
(15) NAS-IP-Address = 1.2.3.4
(15) NAS-Port-Id = "capwap_9000000c"
(15) NAS-Port-Type = Wireless-802.11
(15) NAS-Port = 4211
(15) State = 0x1a0c7e771a0e675279b57cf47df95d07
(15) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(15) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(15) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(15) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(15) Airespace-Wlan-Id = 97
(15) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(15) WLAN-Group-Cipher = 1027076
(15) WLAN-Pairwise-Cipher = 1027076
(15) WLAN-AKM-Suite = 1027075
(15) WLAN-Group-Mgmt-Cipher = 1027078
(15) Restoring &session-state
(15) &session-state:Framed-MTU = 1014
(15) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(15) authorize {
(15) policy rewrite_called_station_id {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(15) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> 2C-E3-8E-ED-31-E0
(15) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(15) } # update request = noop
(15) if ("%{8}") {
(15) EXPAND %{8}
(15) --> eduroam
(15) if ("%{8}") -> TRUE
(15) if ("%{8}") {
(15) update request {
(15) EXPAND %{8}
(15) --> eduroam
(15) &Called-Station-SSID := eduroam
(15) EXPAND %{Called-Station-Id}:%{8}
(15) --> 2C-E3-8E-ED-31-E0:eduroam
(15) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(15) } # update request = noop
(15) } # if ("%{8}") = noop
(15) [updated] = updated
(15) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_called_station_id = updated
(15) policy rewrite_calling_station_id {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15) update request {
(15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15) --> AC-DF-A1-B1-F1-5A
(15) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(15) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(15) --> AC:DF:A1:B1:F1:5A
(15) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(15) } # update request = noop
(15) [updated] = updated
(15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(15) ... skipping else: Preceding "if" was taken
(15) } # policy rewrite_calling_station_id = updated
(15) if (Service-Type == Call-Check) {
(15) if (Service-Type == Call-Check) -> FALSE
(15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(15) EXPAND Packet-Src-IP-Address
(15) --> 1.2.3.4
(15) EXPAND Packet-Src-IP-Address
(15) --> 1.2.3.4
(15) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(15) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(15) if (EAP-Message) {
(15) if (EAP-Message) -> TRUE
(15) if (EAP-Message) {
(15) policy filter_username {
(15) if (&User-Name) {
(15) if (&User-Name) -> TRUE
(15) if (&User-Name) {
(15) if (&User-Name =~ / /) {
(15) if (&User-Name =~ / /) -> FALSE
(15) if (&User-Name =~ /@[^@]*@/ ) {
(15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15) if (&User-Name =~ /\.\./ ) {
(15) if (&User-Name =~ /\.\./ ) -> FALSE
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15) if (&User-Name =~ /\.$/) {
(15) if (&User-Name =~ /\.$/) -> FALSE
(15) if (&User-Name =~ /@\./) {
(15) if (&User-Name =~ /@\./) -> FALSE
(15) } # if (&User-Name) = updated
(15) } # policy filter_username = updated
(15) suffix: Checking for suffix after "@"
(15) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(15) suffix: Found realm "UNIBE.CH"
(15) suffix: Adding Realm = "UNIBE.CH"
(15) suffix: Authentication realm is LOCAL
(15) [suffix] = ok
(15) policy deny_no_realm {
(15) if (User-Name && (User-Name !~ /@/)) {
(15) if (User-Name && (User-Name !~ /@/)) -> FALSE
(15) } # policy deny_no_realm = updated
(15) update request {
(15) EXPAND %{toupper:%{Realm}}
(15) --> UNIBE.CH
(15) Realm := UNIBE.CH
(15) } # update request = noop
(15) eap: Peer sent EAP Response (code 2) ID 2 length 161
(15) eap: Continuing tunnel setup
(15) [eap] = ok
(15) } # if (EAP-Message) = ok
(15) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(15) } # authorize = updated
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/freeradius/sites-enabled/default
(15) Auth-Type eap {
(15) eap: Removing EAP session with state 0x1a0c7e771a0e6752
(15) eap: Previous EAP request found for state 0x1a0c7e771a0e6752, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: (TLS) EAP Peer says that the final record size will be 151 bytes
(15) eap_peap: (TLS) EAP Got all data (151 bytes)
(15) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(15) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(15) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(15) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(15) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(15) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(15) eap_peap: (TLS) PEAP - In Handshake Phase
(15) eap: Sending EAP Request (code 1) ID 3 length 1024
(15) eap: EAP session adding &reply:State = 0x1a0c7e771b0f6752
(15) [eap] = handled
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) EXPAND Response-Packet-Type
(15) --> Access-Challenge
(15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(15) if (handled && (Response-Packet-Type == Access-Challenge)) {
(15) attr_filter.access_challenge: EXPAND %{User-Name}
(15) attr_filter.access_challenge: --> anonymous at unibe.ch
(15) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(15) [attr_filter.access_challenge.post-auth] = updated
(15) [handled] = handled
(15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(15) } # Auth-Type eap = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found. Ignoring.
(15) # Executing group from file /etc/freeradius/sites-enabled/default
(15) session-state: Saving cached attributes
(15) Framed-MTU = 1014
(15) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(15) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(15) Sent Access-Challenge Id 162 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1090
(15) EAP-Message = 0x0103040019c000001135160303003d020000390303f0334014735b9a350f95ccc549063d3e99ba127b1d030030444f574e4752440100c010000011ff01000100000b000401000102001700001603030f930b000f8f000f8c0007253082072130820609a00302010202100dae0ee5cc17916457adb4fc96626395300d06092a864886f70d01010b05003059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c532052534120534841323536203230323020434131301e170d3235303532333030303030305a170d3236303532323233353935395a305f310b3009060355040613024348310d300b060355040813044265726e310d300b060355040713044265726e311b3019060355040a1312556e6976657273697479206f66204265726e311530130603550403130c6161692e756e6962652e636830820122300d06092a864886f70d01010105
(15) Message-Authenticator = 0x00000000000000000000000000000000
(15) State = 0x1a0c7e771b0f675279b57cf47df95d07
(15) Finished request
(16) Received Access-Request Id 163 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(16) User-Name = anonymous at unibe.ch
(16) Service-Type = Framed-User
(16) Cisco-AVPair = "service-type=Framed"
(16) Framed-MTU = 1485
(16) EAP-Message = 0x020100061900
(16) Message-Authenticator = 0x256013f8a4cd33b09aea930439831655
(16) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(16) Cisco-AVPair = "method=dot1x"
(16) Cisco-AVPair = "client-iif-id=2818574557"
(16) Cisco-AVPair = "vlan-id=1000"
(16) NAS-IP-Address = 1.2.3.4
(16) NAS-Port-Id = "capwap_9000000c"
(16) NAS-Port-Type = Wireless-802.11
(16) NAS-Port = 4211
(16) State = 0x1a0c7e771b0f675279b57cf47df95d07
(16) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(16) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(16) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(16) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(16) Airespace-Wlan-Id = 97
(16) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(16) WLAN-Group-Cipher = 1027076
(16) WLAN-Pairwise-Cipher = 1027076
(16) WLAN-AKM-Suite = 1027075
(16) WLAN-Group-Mgmt-Cipher = 1027078
(16) Restoring &session-state
(16) &session-state:Framed-MTU = 1014
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(16) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(16) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(16) authorize {
(16) policy rewrite_called_station_id {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(16) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> 2C-E3-8E-ED-31-E0
(16) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(16) } # update request = noop
(16) if ("%{8}") {
(16) EXPAND %{8}
(16) --> eduroam
(16) if ("%{8}") -> TRUE
(16) if ("%{8}") {
(16) update request {
(16) EXPAND %{8}
(16) --> eduroam
(16) &Called-Station-SSID := eduroam
(16) EXPAND %{Called-Station-Id}:%{8}
(16) --> 2C-E3-8E-ED-31-E0:eduroam
(16) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(16) } # update request = noop
(16) } # if ("%{8}") = noop
(16) [updated] = updated
(16) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_called_station_id = updated
(16) policy rewrite_calling_station_id {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16) update request {
(16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16) --> AC-DF-A1-B1-F1-5A
(16) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(16) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(16) --> AC:DF:A1:B1:F1:5A
(16) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(16) } # update request = noop
(16) [updated] = updated
(16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(16) ... skipping else: Preceding "if" was taken
(16) } # policy rewrite_calling_station_id = updated
(16) if (Service-Type == Call-Check) {
(16) if (Service-Type == Call-Check) -> FALSE
(16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(16) EXPAND Packet-Src-IP-Address
(16) --> 1.2.3.4
(16) EXPAND Packet-Src-IP-Address
(16) --> 1.2.3.4
(16) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(16) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(16) if (EAP-Message) {
(16) if (EAP-Message) -> TRUE
(16) if (EAP-Message) {
(16) policy filter_username {
(16) if (&User-Name) {
(16) if (&User-Name) -> TRUE
(16) if (&User-Name) {
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@[^@]*@/ ) {
(16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # if (&User-Name) = updated
(16) } # policy filter_username = updated
(16) suffix: Checking for suffix after "@"
(16) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(16) suffix: Found realm "UNIBE.CH"
(16) suffix: Adding Realm = "UNIBE.CH"
(16) suffix: Authentication realm is LOCAL
(16) [suffix] = ok
(16) policy deny_no_realm {
(16) if (User-Name && (User-Name !~ /@/)) {
(16) if (User-Name && (User-Name !~ /@/)) -> FALSE
(16) } # policy deny_no_realm = updated
(16) update request {
(16) EXPAND %{toupper:%{Realm}}
(16) --> UNIBE.CH
(16) Realm := UNIBE.CH
(16) } # update request = noop
(16) eap: Peer sent EAP Response (code 2) ID 3 length 6
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # if (EAP-Message) = ok
(16) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(16) } # authorize = updated
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) Auth-Type eap {
(16) eap: Removing EAP session with state 0x1a0c7e771b0f6752
(16) eap: Previous EAP request found for state 0x1a0c7e771b0f6752, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: (TLS) Peer ACKed our handshake fragment
(16) eap: Sending EAP Request (code 1) ID 4 length 1020
(16) eap: EAP session adding &reply:State = 0x1a0c7e7718086752
(16) [eap] = handled
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) EXPAND Response-Packet-Type
(16) --> Access-Challenge
(16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(16) if (handled && (Response-Packet-Type == Access-Challenge)) {
(16) attr_filter.access_challenge: EXPAND %{User-Name}
(16) attr_filter.access_challenge: --> anonymous at unibe.ch
(16) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(16) [attr_filter.access_challenge.post-auth] = updated
(16) [handled] = handled
(16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(16) } # Auth-Type eap = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) session-state: Saving cached attributes
(16) Framed-MTU = 1014
(16) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(16) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(16) Sent Access-Challenge Id 163 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(16) EAP-Message = 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
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x1a0c7e771808675279b57cf47df95d07
(16) Finished request
(17) Received Access-Request Id 164 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(17) User-Name = anonymous at unibe.ch
(17) Service-Type = Framed-User
(17) Cisco-AVPair = "service-type=Framed"
(17) Framed-MTU = 1485
(17) EAP-Message = 0x020400061900
(17) Message-Authenticator = 0x6f9b085346287fdd22fc589a3c0b70f2
(17) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(17) Cisco-AVPair = "method=dot1x"
(17) Cisco-AVPair = "client-iif-id=2818574557"
(17) Cisco-AVPair = "vlan-id=1000"
(17) NAS-IP-Address = 1.2.3.4
(17) NAS-Port-Id = "capwap_9000000c"
(17) NAS-Port-Type = Wireless-802.11
(17) NAS-Port = 4211
(17) State = 0x1a0c7e771808675279b57cf47df95d07
(17) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(17) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(17) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(17) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(17) Airespace-Wlan-Id = 97
(17) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(17) WLAN-Group-Cipher = 1027076
(17) WLAN-Pairwise-Cipher = 1027076
(17) WLAN-AKM-Suite = 1027075
(17) WLAN-Group-Mgmt-Cipher = 1027078
(17) Restoring &session-state
(17) &session-state:Framed-MTU = 1014
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(17) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(17) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(17) authorize {
(17) policy rewrite_called_station_id {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(17) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> 2C-E3-8E-ED-31-E0
(17) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(17) } # update request = noop
(17) if ("%{8}") {
(17) EXPAND %{8}
(17) --> eduroam
(17) if ("%{8}") -> TRUE
(17) if ("%{8}") {
(17) update request {
(17) EXPAND %{8}
(17) --> eduroam
(17) &Called-Station-SSID := eduroam
(17) EXPAND %{Called-Station-Id}:%{8}
(17) --> 2C-E3-8E-ED-31-E0:eduroam
(17) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(17) } # update request = noop
(17) } # if ("%{8}") = noop
(17) [updated] = updated
(17) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_called_station_id = updated
(17) policy rewrite_calling_station_id {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17) update request {
(17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17) --> AC-DF-A1-B1-F1-5A
(17) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(17) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(17) --> AC:DF:A1:B1:F1:5A
(17) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(17) } # update request = noop
(17) [updated] = updated
(17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(17) ... skipping else: Preceding "if" was taken
(17) } # policy rewrite_calling_station_id = updated
(17) if (Service-Type == Call-Check) {
(17) if (Service-Type == Call-Check) -> FALSE
(17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(17) EXPAND Packet-Src-IP-Address
(17) --> 1.2.3.4
(17) EXPAND Packet-Src-IP-Address
(17) --> 1.2.3.4
(17) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(17) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(17) if (EAP-Message) {
(17) if (EAP-Message) -> TRUE
(17) if (EAP-Message) {
(17) policy filter_username {
(17) if (&User-Name) {
(17) if (&User-Name) -> TRUE
(17) if (&User-Name) {
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@[^@]*@/ ) {
(17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # if (&User-Name) = updated
(17) } # policy filter_username = updated
(17) suffix: Checking for suffix after "@"
(17) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(17) suffix: Found realm "UNIBE.CH"
(17) suffix: Adding Realm = "UNIBE.CH"
(17) suffix: Authentication realm is LOCAL
(17) [suffix] = ok
(17) policy deny_no_realm {
(17) if (User-Name && (User-Name !~ /@/)) {
(17) if (User-Name && (User-Name !~ /@/)) -> FALSE
(17) } # policy deny_no_realm = updated
(17) update request {
(17) EXPAND %{toupper:%{Realm}}
(17) --> UNIBE.CH
(17) Realm := UNIBE.CH
(17) } # update request = noop
(17) eap: Peer sent EAP Response (code 2) ID 4 length 6
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # if (EAP-Message) = ok
(17) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(17) } # authorize = updated
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) Auth-Type eap {
(17) eap: Removing EAP session with state 0x1a0c7e7718086752
(17) eap: Previous EAP request found for state 0x1a0c7e7718086752, released from the list
(17) eap: Peer sent packet with method EAP PEAP (25)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: (TLS) Peer ACKed our handshake fragment
(17) eap: Sending EAP Request (code 1) ID 5 length 1020
(17) eap: EAP session adding &reply:State = 0x1a0c7e7719096752
(17) [eap] = handled
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) EXPAND Response-Packet-Type
(17) --> Access-Challenge
(17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(17) if (handled && (Response-Packet-Type == Access-Challenge)) {
(17) attr_filter.access_challenge: EXPAND %{User-Name}
(17) attr_filter.access_challenge: --> anonymous at unibe.ch
(17) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(17) [attr_filter.access_challenge.post-auth] = updated
(17) [handled] = handled
(17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(17) } # Auth-Type eap = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found. Ignoring.
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) session-state: Saving cached attributes
(17) Framed-MTU = 1014
(17) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(17) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(17) Sent Access-Challenge Id 164 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(17) EAP-Message =
(17) Message-Authenticator = 0x00000000000000000000000000000000
(17) State = 0x1a0c7e771909675279b57cf47df95d07
(17) Finished request
(18) Received Access-Request Id 165 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(18) User-Name = anonymous at unibe.ch
(18) Service-Type = Framed-User
(18) Cisco-AVPair = "service-type=Framed"
(18) Framed-MTU = 1485
(18) EAP-Message = 0x020500061900
(18) Message-Authenticator = 0xc196c62add7f8f693998f8856485d83b
(18) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(18) Cisco-AVPair = "method=dot1x"
(18) Cisco-AVPair = "client-iif-id=2818574557"
(18) Cisco-AVPair = "vlan-id=1000"
(18) NAS-IP-Address = 1.2.3.4
(18) NAS-Port-Id = "capwap_9000000c"
(18) NAS-Port-Type = Wireless-802.11
(18) NAS-Port = 4211
(18) State = 0x1a0c7e771909675279b57cf47df95d07
(18) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(18) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(18) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(18) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(18) Airespace-Wlan-Id = 97
(18) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(18) WLAN-Group-Cipher = 1027076
(18) WLAN-Pairwise-Cipher = 1027076
(18) WLAN-AKM-Suite = 1027075
(18) WLAN-Group-Mgmt-Cipher = 1027078
(18) Restoring &session-state
(18) &session-state:Framed-MTU = 1014
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(18) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(18) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(18) authorize {
(18) policy rewrite_called_station_id {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(18) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(18) update request {
Waking up in 0.2 seconds.
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> 2C-E3-8E-ED-31-E0
(18) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(18) } # update request = noop
(18) if ("%{8}") {
(18) EXPAND %{8}
(18) --> eduroam
(18) if ("%{8}") -> TRUE
(18) if ("%{8}") {
(18) update request {
(18) EXPAND %{8}
(18) --> eduroam
(18) &Called-Station-SSID := eduroam
(18) EXPAND %{Called-Station-Id}:%{8}
(18) --> 2C-E3-8E-ED-31-E0:eduroam
(18) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(18) } # update request = noop
(18) } # if ("%{8}") = noop
(18) [updated] = updated
(18) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_called_station_id = updated
(18) policy rewrite_calling_station_id {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18) update request {
(18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18) --> AC-DF-A1-B1-F1-5A
(18) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(18) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(18) --> AC:DF:A1:B1:F1:5A
(18) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(18) } # update request = noop
(18) [updated] = updated
(18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(18) ... skipping else: Preceding "if" was taken
(18) } # policy rewrite_calling_station_id = updated
(18) if (Service-Type == Call-Check) {
(18) if (Service-Type == Call-Check) -> FALSE
(18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(18) EXPAND Packet-Src-IP-Address
(18) --> 1.2.3.4
(18) EXPAND Packet-Src-IP-Address
(18) --> 1.2.3.4
(18) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(18) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(18) if (EAP-Message) {
(18) if (EAP-Message) -> TRUE
(18) if (EAP-Message) {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = updated
(18) } # policy filter_username = updated
(18) suffix: Checking for suffix after "@"
(18) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(18) suffix: Found realm "UNIBE.CH"
(18) suffix: Adding Realm = "UNIBE.CH"
(18) suffix: Authentication realm is LOCAL
(18) [suffix] = ok
(18) policy deny_no_realm {
(18) if (User-Name && (User-Name !~ /@/)) {
(18) if (User-Name && (User-Name !~ /@/)) -> FALSE
(18) } # policy deny_no_realm = updated
(18) update request {
(18) EXPAND %{toupper:%{Realm}}
(18) --> UNIBE.CH
(18) Realm := UNIBE.CH
(18) } # update request = noop
(18) eap: Peer sent EAP Response (code 2) ID 5 length 6
(18) eap: Continuing tunnel setup
(18) [eap] = ok
(18) } # if (EAP-Message) = ok
(18) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(18) } # authorize = updated
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/freeradius/sites-enabled/default
(18) Auth-Type eap {
(18) eap: Removing EAP session with state 0x1a0c7e7719096752
(18) eap: Previous EAP request found for state 0x1a0c7e7719096752, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: (TLS) Peer ACKed our handshake fragment
(18) eap: Sending EAP Request (code 1) ID 6 length 1020
(18) eap: EAP session adding &reply:State = 0x1a0c7e771e0a6752
(18) [eap] = handled
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) EXPAND Response-Packet-Type
(18) --> Access-Challenge
(18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(18) if (handled && (Response-Packet-Type == Access-Challenge)) {
(18) attr_filter.access_challenge: EXPAND %{User-Name}
(18) attr_filter.access_challenge: --> anonymous at unibe.ch
(18) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(18) [attr_filter.access_challenge.post-auth] = updated
(18) [handled] = handled
(18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(18) } # Auth-Type eap = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /etc/freeradius/sites-enabled/default
(18) session-state: Saving cached attributes
(18) Framed-MTU = 1014
(18) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(18) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(18) Sent Access-Challenge Id 165 from 130.92.10.33:1812 to 1.2.3.4:63606 length 1086
(18) EAP-Message = 0x010603fc1940c6278481d47e8c8ca39b52e7c688ec377c2afbf0555a387210d80013cf4c73dbaa3735a82981699c76bcde187b90d4cacfef6703fd045a2116b1ffea3fdfdc82f5ebf45992230d242a95254ccaa191e6d4b7ac8774b3f16da399dbf9d5bd84409f07980003923082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f6261
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x1a0c7e771e0a675279b57cf47df95d07
(18) Finished request
(19) Received Access-Request Id 166 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(19) User-Name = anonymous at unibe.ch
(19) Service-Type = Framed-User
(19) Cisco-AVPair = "service-type=Framed"
(19) Framed-MTU = 1485
(19) EAP-Message = 0x020600061900
(19) Message-Authenticator = 0x572ab59ccb8ceac06d4c053497b4dad6
(19) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(19) Cisco-AVPair = "method=dot1x"
(19) Cisco-AVPair = "client-iif-id=2818574557"
(19) Cisco-AVPair = "vlan-id=1000"
(19) NAS-IP-Address = 1.2.3.4
(19) NAS-Port-Id = "capwap_9000000c"
(19) NAS-Port-Type = Wireless-802.11
(19) NAS-Port = 4211
(19) State = 0x1a0c7e771e0a675279b57cf47df95d07
(19) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(19) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(19) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(19) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(19) Airespace-Wlan-Id = 97
(19) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(19) WLAN-Group-Cipher = 1027076
(19) WLAN-Pairwise-Cipher = 1027076
(19) WLAN-AKM-Suite = 1027075
(19) WLAN-Group-Mgmt-Cipher = 1027078
(19) Restoring &session-state
(19) &session-state:Framed-MTU = 1014
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(19) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(19) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(19) authorize {
(19) policy rewrite_called_station_id {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(19) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> 2C-E3-8E-ED-31-E0
(19) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(19) } # update request = noop
(19) if ("%{8}") {
(19) EXPAND %{8}
(19) --> eduroam
(19) if ("%{8}") -> TRUE
(19) if ("%{8}") {
(19) update request {
(19) EXPAND %{8}
(19) --> eduroam
(19) &Called-Station-SSID := eduroam
(19) EXPAND %{Called-Station-Id}:%{8}
(19) --> 2C-E3-8E-ED-31-E0:eduroam
(19) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(19) } # update request = noop
(19) } # if ("%{8}") = noop
(19) [updated] = updated
(19) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_called_station_id = updated
(19) policy rewrite_calling_station_id {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19) update request {
(19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19) --> AC-DF-A1-B1-F1-5A
(19) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(19) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(19) --> AC:DF:A1:B1:F1:5A
(19) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(19) } # update request = noop
(19) [updated] = updated
(19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(19) ... skipping else: Preceding "if" was taken
(19) } # policy rewrite_calling_station_id = updated
(19) if (Service-Type == Call-Check) {
(19) if (Service-Type == Call-Check) -> FALSE
(19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(19) EXPAND Packet-Src-IP-Address
(19) --> 1.2.3.4
(19) EXPAND Packet-Src-IP-Address
(19) --> 1.2.3.4
(19) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(19) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(19) if (EAP-Message) {
(19) if (EAP-Message) -> TRUE
(19) if (EAP-Message) {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = updated
(19) } # policy filter_username = updated
(19) suffix: Checking for suffix after "@"
(19) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(19) suffix: Found realm "UNIBE.CH"
(19) suffix: Adding Realm = "UNIBE.CH"
(19) suffix: Authentication realm is LOCAL
(19) [suffix] = ok
(19) policy deny_no_realm {
(19) if (User-Name && (User-Name !~ /@/)) {
(19) if (User-Name && (User-Name !~ /@/)) -> FALSE
(19) } # policy deny_no_realm = updated
(19) update request {
(19) EXPAND %{toupper:%{Realm}}
(19) --> UNIBE.CH
(19) Realm := UNIBE.CH
(19) } # update request = noop
(19) eap: Peer sent EAP Response (code 2) ID 6 length 6
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # if (EAP-Message) = ok
(19) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(19) } # authorize = updated
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/freeradius/sites-enabled/default
(19) Auth-Type eap {
(19) eap: Removing EAP session with state 0x1a0c7e771e0a6752
(19) eap: Previous EAP request found for state 0x1a0c7e771e0a6752, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: (TLS) Peer ACKed our handshake fragment
(19) eap: Sending EAP Request (code 1) ID 7 length 355
(19) eap: EAP session adding &reply:State = 0x1a0c7e771f0b6752
(19) [eap] = handled
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) EXPAND Response-Packet-Type
(19) --> Access-Challenge
(19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(19) if (handled && (Response-Packet-Type == Access-Challenge)) {
(19) attr_filter.access_challenge: EXPAND %{User-Name}
(19) attr_filter.access_challenge: --> anonymous at unibe.ch
(19) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(19) [attr_filter.access_challenge.post-auth] = updated
(19) [handled] = handled
(19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(19) } # Auth-Type eap = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found. Ignoring.
(19) # Executing group from file /etc/freeradius/sites-enabled/default
(19) session-state: Saving cached attributes
(19) Framed-MTU = 1014
(19) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(19) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(19) Sent Access-Challenge Id 166 from 130.92.10.33:1812 to 1.2.3.4:63606 length 415
(19) EAP-Message =
(19) Message-Authenticator = 0x00000000000000000000000000000000
(19) State = 0x1a0c7e771f0b675279b57cf47df95d07
(19) Finished request
(20) Received Access-Request Id 167 from 1.2.3.4:63606 to 130.92.10.33:1812 length 592
(20) User-Name = anonymous at unibe.ch
(20) Service-Type = Framed-User
(20) Cisco-AVPair = "service-type=Framed"
(20) Framed-MTU = 1485
(20) EAP-Message = 0x0207008819800000007e16030300461000004241044bdd335d8636b35b96f838a591e11c19c257fa1853f19b291dd5e25fc57342414c3f644fb0abbd7078454afdc6a47d7f15433d807ebbb5d30efaeb9bc509783f14030100010116030300283667ef69fc720083fa52d1f339bce71060104b344322cb0514ad95532ba10a78d425cd99eb1ea915
(20) Message-Authenticator = 0xfa3c07c12db0b8ddfacd1df94f1e5aff
(20) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(20) Cisco-AVPair = "method=dot1x"
(20) Cisco-AVPair = "client-iif-id=2818574557"
(20) Cisco-AVPair = "vlan-id=1000"
(20) NAS-IP-Address = 1.2.3.4
(20) NAS-Port-Id = "capwap_9000000c"
(20) NAS-Port-Type = Wireless-802.11
(20) NAS-Port = 4211
(20) State = 0x1a0c7e771f0b675279b57cf47df95d07
(20) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(20) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(20) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(20) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(20) Airespace-Wlan-Id = 97
(20) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(20) WLAN-Group-Cipher = 1027076
(20) WLAN-Pairwise-Cipher = 1027076
(20) WLAN-AKM-Suite = 1027075
(20) WLAN-Group-Mgmt-Cipher = 1027078
(20) Restoring &session-state
(20) &session-state:Framed-MTU = 1014
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(20) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(20) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(20) authorize {
(20) policy rewrite_called_station_id {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(20) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> 2C-E3-8E-ED-31-E0
(20) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(20) } # update request = noop
(20) if ("%{8}") {
(20) EXPAND %{8}
(20) --> eduroam
(20) if ("%{8}") -> TRUE
(20) if ("%{8}") {
(20) update request {
(20) EXPAND %{8}
(20) --> eduroam
(20) &Called-Station-SSID := eduroam
(20) EXPAND %{Called-Station-Id}:%{8}
(20) --> 2C-E3-8E-ED-31-E0:eduroam
(20) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(20) } # update request = noop
(20) } # if ("%{8}") = noop
(20) [updated] = updated
(20) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_called_station_id = updated
(20) policy rewrite_calling_station_id {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(20) update request {
(20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(20) --> AC-DF-A1-B1-F1-5A
(20) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(20) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(20) --> AC:DF:A1:B1:F1:5A
(20) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(20) } # update request = noop
(20) [updated] = updated
(20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(20) ... skipping else: Preceding "if" was taken
(20) } # policy rewrite_calling_station_id = updated
(20) if (Service-Type == Call-Check) {
(20) if (Service-Type == Call-Check) -> FALSE
(20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(20) EXPAND Packet-Src-IP-Address
(20) --> 1.2.3.4
(20) EXPAND Packet-Src-IP-Address
(20) --> 1.2.3.4
(20) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(20) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(20) if (EAP-Message) {
(20) if (EAP-Message) -> TRUE
(20) if (EAP-Message) {
(20) policy filter_username {
(20) if (&User-Name) {
(20) if (&User-Name) -> TRUE
(20) if (&User-Name) {
(20) if (&User-Name =~ / /) {
(20) if (&User-Name =~ / /) -> FALSE
(20) if (&User-Name =~ /@[^@]*@/ ) {
(20) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(20) if (&User-Name =~ /\.\./ ) {
(20) if (&User-Name =~ /\.\./ ) -> FALSE
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(20) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(20) if (&User-Name =~ /\.$/) {
(20) if (&User-Name =~ /\.$/) -> FALSE
(20) if (&User-Name =~ /@\./) {
(20) if (&User-Name =~ /@\./) -> FALSE
(20) } # if (&User-Name) = updated
(20) } # policy filter_username = updated
(20) suffix: Checking for suffix after "@"
(20) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(20) suffix: Found realm "UNIBE.CH"
(20) suffix: Adding Realm = "UNIBE.CH"
(20) suffix: Authentication realm is LOCAL
(20) [suffix] = ok
(20) policy deny_no_realm {
(20) if (User-Name && (User-Name !~ /@/)) {
(20) if (User-Name && (User-Name !~ /@/)) -> FALSE
(20) } # policy deny_no_realm = updated
(20) update request {
(20) EXPAND %{toupper:%{Realm}}
(20) --> UNIBE.CH
(20) Realm := UNIBE.CH
(20) } # update request = noop
(20) eap: Peer sent EAP Response (code 2) ID 7 length 136
(20) eap: Continuing tunnel setup
(20) [eap] = ok
(20) } # if (EAP-Message) = ok
(20) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(20) } # authorize = updated
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/freeradius/sites-enabled/default
(20) Auth-Type eap {
(20) eap: Removing EAP session with state 0x1a0c7e771f0b6752
(20) eap: Previous EAP request found for state 0x1a0c7e771f0b6752, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(20) eap_peap: (TLS) EAP Got all data (126 bytes)
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(20) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(20) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(20) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(20) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(20) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(20) eap_peap: (TLS) PEAP - Connection Established
(20) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) eap_peap: TLS-Session-Version = "TLS 1.2"
(20) eap: Sending EAP Request (code 1) ID 8 length 57
(20) eap: EAP session adding &reply:State = 0x1a0c7e771c046752
(20) [eap] = handled
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) EXPAND Response-Packet-Type
(20) --> Access-Challenge
(20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(20) if (handled && (Response-Packet-Type == Access-Challenge)) {
(20) attr_filter.access_challenge: EXPAND %{User-Name}
(20) attr_filter.access_challenge: --> anonymous at unibe.ch
(20) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(20) [attr_filter.access_challenge.post-auth] = updated
(20) [handled] = handled
(20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(20) } # Auth-Type eap = handled
(20) Using Post-Auth-Type Challenge
(20) Post-Auth-Type sub-section not found. Ignoring.
(20) # Executing group from file /etc/freeradius/sites-enabled/default
(20) session-state: Saving cached attributes
(20) Framed-MTU = 1014
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(20) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(20) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(20) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(20) TLS-Session-Version = "TLS 1.2"
(20) Sent Access-Challenge Id 167 from 130.92.10.33:1812 to 1.2.3.4:63606 length 115
(20) EAP-Message = 0x010800391900140301000101160303002869cd9549766a5c057197e758662301e6fe3808b412033491c980bcc9560e2fe6e86f4e532b875f92
(20) Message-Authenticator = 0x00000000000000000000000000000000
(20) State = 0x1a0c7e771c04675279b57cf47df95d07
(20) Finished request
(21) Received Access-Request Id 168 from 1.2.3.4:63606 to 130.92.10.33:1812 length 462
(21) User-Name = anonymous at unibe.ch
(21) Service-Type = Framed-User
(21) Cisco-AVPair = "service-type=Framed"
(21) Framed-MTU = 1485
(21) EAP-Message = 0x020800061900
(21) Message-Authenticator = 0x9c7f30b1e78bb9f5274c566d1a73f367
(21) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(21) Cisco-AVPair = "method=dot1x"
(21) Cisco-AVPair = "client-iif-id=2818574557"
(21) Cisco-AVPair = "vlan-id=1000"
(21) NAS-IP-Address = 1.2.3.4
(21) NAS-Port-Id = "capwap_9000000c"
(21) NAS-Port-Type = Wireless-802.11
(21) NAS-Port = 4211
(21) State = 0x1a0c7e771c04675279b57cf47df95d07
(21) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(21) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(21) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(21) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(21) Airespace-Wlan-Id = 97
(21) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(21) WLAN-Group-Cipher = 1027076
(21) WLAN-Pairwise-Cipher = 1027076
(21) WLAN-AKM-Suite = 1027075
(21) WLAN-Group-Mgmt-Cipher = 1027078
(21) Restoring &session-state
(21) &session-state:Framed-MTU = 1014
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
Waking up in 0.2 seconds.
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(21) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(21) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) &session-state:TLS-Session-Version = "TLS 1.2"
(21) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(21) authorize {
(21) policy rewrite_called_station_id {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(21) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> 2C-E3-8E-ED-31-E0
(21) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(21) } # update request = noop
(21) if ("%{8}") {
(21) EXPAND %{8}
(21) --> eduroam
(21) if ("%{8}") -> TRUE
(21) if ("%{8}") {
(21) update request {
(21) EXPAND %{8}
(21) --> eduroam
(21) &Called-Station-SSID := eduroam
(21) EXPAND %{Called-Station-Id}:%{8}
(21) --> 2C-E3-8E-ED-31-E0:eduroam
(21) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(21) } # update request = noop
(21) } # if ("%{8}") = noop
(21) [updated] = updated
(21) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_called_station_id = updated
(21) policy rewrite_calling_station_id {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(21) update request {
(21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(21) --> AC-DF-A1-B1-F1-5A
(21) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(21) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(21) --> AC:DF:A1:B1:F1:5A
(21) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(21) } # update request = noop
(21) [updated] = updated
(21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(21) ... skipping else: Preceding "if" was taken
(21) } # policy rewrite_calling_station_id = updated
(21) if (Service-Type == Call-Check) {
(21) if (Service-Type == Call-Check) -> FALSE
(21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(21) EXPAND Packet-Src-IP-Address
(21) --> 1.2.3.4
(21) EXPAND Packet-Src-IP-Address
(21) --> 1.2.3.4
(21) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(21) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(21) if (EAP-Message) {
(21) if (EAP-Message) -> TRUE
(21) if (EAP-Message) {
(21) policy filter_username {
(21) if (&User-Name) {
(21) if (&User-Name) -> TRUE
(21) if (&User-Name) {
(21) if (&User-Name =~ / /) {
(21) if (&User-Name =~ / /) -> FALSE
(21) if (&User-Name =~ /@[^@]*@/ ) {
(21) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(21) if (&User-Name =~ /\.\./ ) {
(21) if (&User-Name =~ /\.\./ ) -> FALSE
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(21) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(21) if (&User-Name =~ /\.$/) {
(21) if (&User-Name =~ /\.$/) -> FALSE
(21) if (&User-Name =~ /@\./) {
(21) if (&User-Name =~ /@\./) -> FALSE
(21) } # if (&User-Name) = updated
(21) } # policy filter_username = updated
(21) suffix: Checking for suffix after "@"
(21) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(21) suffix: Found realm "UNIBE.CH"
(21) suffix: Adding Realm = "UNIBE.CH"
(21) suffix: Authentication realm is LOCAL
(21) [suffix] = ok
(21) policy deny_no_realm {
(21) if (User-Name && (User-Name !~ /@/)) {
(21) if (User-Name && (User-Name !~ /@/)) -> FALSE
(21) } # policy deny_no_realm = updated
(21) update request {
(21) EXPAND %{toupper:%{Realm}}
(21) --> UNIBE.CH
(21) Realm := UNIBE.CH
(21) } # update request = noop
(21) eap: Peer sent EAP Response (code 2) ID 8 length 6
(21) eap: Continuing tunnel setup
(21) [eap] = ok
(21) } # if (EAP-Message) = ok
(21) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(21) } # authorize = updated
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/freeradius/sites-enabled/default
(21) Auth-Type eap {
(21) eap: Removing EAP session with state 0x1a0c7e771c046752
(21) eap: Previous EAP request found for state 0x1a0c7e771c046752, released from the list
(21) eap: Peer sent packet with method EAP PEAP (25)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(21) eap_peap: Session established. Decoding tunneled attributes
(21) eap_peap: PEAP state TUNNEL ESTABLISHED
(21) eap: Sending EAP Request (code 1) ID 9 length 40
(21) eap: EAP session adding &reply:State = 0x1a0c7e771d056752
(21) [eap] = handled
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) EXPAND Response-Packet-Type
(21) --> Access-Challenge
(21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(21) if (handled && (Response-Packet-Type == Access-Challenge)) {
(21) attr_filter.access_challenge: EXPAND %{User-Name}
(21) attr_filter.access_challenge: --> anonymous at unibe.ch
(21) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(21) [attr_filter.access_challenge.post-auth] = updated
(21) [handled] = handled
(21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(21) } # Auth-Type eap = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found. Ignoring.
(21) # Executing group from file /etc/freeradius/sites-enabled/default
(21) session-state: Saving cached attributes
(21) Framed-MTU = 1014
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(21) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(21) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(21) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(21) TLS-Session-Version = "TLS 1.2"
(21) Sent Access-Challenge Id 168 from 130.92.10.33:1812 to 1.2.3.4:63606 length 98
(21) EAP-Message = 0x010900281900170303001d69cd9549766a5c065b771e1e6ad4419bc5deec9aca8c6dc933d69e4320
(21) Message-Authenticator = 0x00000000000000000000000000000000
(21) State = 0x1a0c7e771d05675279b57cf47df95d07
(21) Finished request
(22) Received Access-Request Id 169 from 1.2.3.4:63606 to 130.92.10.33:1812 length 516
(22) User-Name = anonymous at unibe.ch
(22) Service-Type = Framed-User
(22) Cisco-AVPair = "service-type=Framed"
(22) Framed-MTU = 1485
(22) EAP-Message = 0x0209003c190017030300313667ef69fc720084f72dcb9c5d07674afc517dc2cee1604014c42f78dd87c1fc4dd53bf9579819c736546b1d6568257d75
(22) Message-Authenticator = 0x06ac4226a9e15764f25be4a011e74e0d
(22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) Cisco-AVPair = "method=dot1x"
(22) Cisco-AVPair = "client-iif-id=2818574557"
(22) Cisco-AVPair = "vlan-id=1000"
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Id = "capwap_9000000c"
(22) NAS-Port-Type = Wireless-802.11
(22) NAS-Port = 4211
(22) State = 0x1a0c7e771d05675279b57cf47df95d07
(22) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(22) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(22) Airespace-Wlan-Id = 97
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) WLAN-Group-Cipher = 1027076
(22) WLAN-Pairwise-Cipher = 1027076
(22) WLAN-AKM-Suite = 1027075
(22) WLAN-Group-Mgmt-Cipher = 1027078
(22) Restoring &session-state
(22) &session-state:Framed-MTU = 1014
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(22) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(22) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(22) &session-state:TLS-Session-Version = "TLS 1.2"
(22) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(22) authorize {
(22) policy rewrite_called_station_id {
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(22) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(22) update request {
(22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(22) --> 2C-E3-8E-ED-31-E0
(22) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(22) } # update request = noop
(22) if ("%{8}") {
(22) EXPAND %{8}
(22) --> eduroam
(22) if ("%{8}") -> TRUE
(22) if ("%{8}") {
(22) update request {
(22) EXPAND %{8}
(22) --> eduroam
(22) &Called-Station-SSID := eduroam
(22) EXPAND %{Called-Station-Id}:%{8}
(22) --> 2C-E3-8E-ED-31-E0:eduroam
(22) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(22) } # update request = noop
(22) } # if ("%{8}") = noop
(22) [updated] = updated
(22) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(22) ... skipping else: Preceding "if" was taken
(22) } # policy rewrite_called_station_id = updated
(22) policy rewrite_calling_station_id {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(22) update request {
(22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(22) --> AC-DF-A1-B1-F1-5A
(22) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(22) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(22) --> AC:DF:A1:B1:F1:5A
(22) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(22) } # update request = noop
(22) [updated] = updated
(22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(22) ... skipping else: Preceding "if" was taken
(22) } # policy rewrite_calling_station_id = updated
(22) if (Service-Type == Call-Check) {
(22) if (Service-Type == Call-Check) -> FALSE
(22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(22) EXPAND Packet-Src-IP-Address
(22) --> 1.2.3.4
(22) EXPAND Packet-Src-IP-Address
(22) --> 1.2.3.4
(22) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(22) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(22) if (EAP-Message) {
(22) if (EAP-Message) -> TRUE
(22) if (EAP-Message) {
(22) policy filter_username {
(22) if (&User-Name) {
(22) if (&User-Name) -> TRUE
(22) if (&User-Name) {
(22) if (&User-Name =~ / /) {
(22) if (&User-Name =~ / /) -> FALSE
(22) if (&User-Name =~ /@[^@]*@/ ) {
(22) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(22) if (&User-Name =~ /\.\./ ) {
(22) if (&User-Name =~ /\.\./ ) -> FALSE
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(22) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(22) if (&User-Name =~ /\.$/) {
(22) if (&User-Name =~ /\.$/) -> FALSE
(22) if (&User-Name =~ /@\./) {
(22) if (&User-Name =~ /@\./) -> FALSE
(22) } # if (&User-Name) = updated
(22) } # policy filter_username = updated
(22) suffix: Checking for suffix after "@"
(22) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(22) suffix: Found realm "UNIBE.CH"
(22) suffix: Adding Realm = "UNIBE.CH"
(22) suffix: Authentication realm is LOCAL
(22) [suffix] = ok
(22) policy deny_no_realm {
(22) if (User-Name && (User-Name !~ /@/)) {
(22) if (User-Name && (User-Name !~ /@/)) -> FALSE
(22) } # policy deny_no_realm = updated
(22) update request {
(22) EXPAND %{toupper:%{Realm}}
(22) --> UNIBE.CH
(22) Realm := UNIBE.CH
(22) } # update request = noop
(22) eap: Peer sent EAP Response (code 2) ID 9 length 60
(22) eap: Continuing tunnel setup
(22) [eap] = ok
(22) } # if (EAP-Message) = ok
(22) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(22) } # authorize = updated
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/freeradius/sites-enabled/default
(22) Auth-Type eap {
(22) eap: Removing EAP session with state 0x1a0c7e771d056752
(22) eap: Previous EAP request found for state 0x1a0c7e771d056752, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: (TLS) EAP Done initial handshake
(22) eap_peap: Session established. Decoding tunneled attributes
(22) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(22) eap_peap: Identity - jon.doe at unibe.ch
(22) eap_peap: Got inner identity 'jon.doe at unibe.ch'
(22) eap_peap: Setting default EAP type for tunneled EAP session
(22) eap_peap: Got tunneled request
(22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) eap_peap: Setting User-Name to jon.doe at unibe.ch
(22) eap_peap: Sending tunneled request to proxy-inner-tunnel
(22) eap_peap: EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(22) eap_peap: User-Name = jon.doe at unibe.ch
(22) eap_peap: Service-Type = Framed-User
(22) eap_peap: Cisco-AVPair = "service-type=Framed"
(22) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) eap_peap: Cisco-AVPair = "method=dot1x"
(22) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(22) eap_peap: Cisco-AVPair = "vlan-id=1000"
(22) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) eap_peap: Framed-MTU = 1485
(22) eap_peap: NAS-IP-Address = 1.2.3.4
(22) eap_peap: NAS-Port-Id = "capwap_9000000c"
(22) eap_peap: NAS-Port-Type = Wireless-802.11
(22) eap_peap: NAS-Port = 4211
(22) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) eap_peap: Airespace-Wlan-Id = 97
(22) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) eap_peap: WLAN-Group-Cipher = 1027076
(22) eap_peap: WLAN-Pairwise-Cipher = 1027076
(22) eap_peap: WLAN-AKM-Suite = 1027075
(22) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(22) Virtual server proxy-inner-tunnel received request
(22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) FreeRADIUS-Proxied-To = 127.0.0.1
(22) User-Name = jon.doe at unibe.ch
(22) Service-Type = Framed-User
(22) Cisco-AVPair = "service-type=Framed"
(22) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(22) Cisco-AVPair = "method=dot1x"
(22) Cisco-AVPair = "client-iif-id=2818574557"
(22) Cisco-AVPair = "vlan-id=1000"
(22) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(22) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(22) Framed-MTU = 1485
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Id = "capwap_9000000c"
(22) NAS-Port-Type = Wireless-802.11
(22) NAS-Port = 4211
(22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) Airespace-Wlan-Id = 97
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) WLAN-Group-Cipher = 1027076
(22) WLAN-Pairwise-Cipher = 1027076
(22) WLAN-AKM-Suite = 1027075
(22) WLAN-Group-Mgmt-Cipher = 1027078
(22) server proxy-inner-tunnel {
(22) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(22) authorize {
(22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(22) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(22) if (!NAS-Port-Type){
(22) if (!NAS-Port-Type) -> FALSE
(22) update control {
(22) &Proxy-To-Realm := REALM-NPS-DEV
(22) } # update control = noop
(22) } # authorize = noop
(22) } # server proxy-inner-tunnel
(22) Virtual server sending reply
(22) eap_peap: Got tunneled reply code 0
(22) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(22) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(22) [eap] = handled
(22) if (handled && (Response-Packet-Type == Access-Challenge)) {
(22) EXPAND Response-Packet-Type
(22) -->
(22) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(22) } # Auth-Type eap = handled
(22) Starting proxy to home server 9.9.9.9 port 1812
(22) server default {
(22) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(22) pre-proxy {
(22) attr_filter.pre-proxy: EXPAND %{Realm}
(22) attr_filter.pre-proxy: --> UNIBE.CH
(22) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(22) [attr_filter.pre-proxy] = updated
(22) } # pre-proxy = updated
(22) }
(22) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(22) Sent Access-Request Id 22 from 0.0.0.0:57225 to 9.9.9.9:1812 length 196
(22) Operator-Name := "1unibe.ch"
(22) EAP-Message = 0x0209001d01646f6d696e69632e7374616c64657240756e6962652e6368
(22) User-Name = jon.doe at unibe.ch
(22) NAS-IP-Address = 1.2.3.4
(22) NAS-Port-Type = Wireless-802.11
(22) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(22) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(22) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(22) Message-Authenticator = 0x
(22) Proxy-State = 0x313639
(22) Clearing existing &reply: attributes
(22) Received Access-Challenge Id 22 from 9.9.9.9:1812 to 130.92.10.33:57225 length 128
(22) Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3
(22) Proxy-State = 0x313639
(22) Session-Timeout = 60
(22) EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632
(22) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(22) server default {
Waking up in 0.2 seconds.
(22) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(22) post-proxy {
(22) attr_filter.post-proxy: EXPAND %{Realm}
(22) attr_filter.post-proxy: --> UNIBE.CH
(22) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(22) [attr_filter.post-proxy] = updated
(22) eap: Doing post-proxy callback
(22) eap: Passing reply from proxy back into the tunnel
(22) eap: Got tunneled reply RADIUS code 11
(22) eap: Tunnel-Type := VLAN
(22) eap: Tunnel-Medium-Type := IEEE-802
(22) eap: Message-Authenticator = 0x244c144bb9e47072809171dc07b68fe3
(22) eap: Proxy-State = 0x313639
(22) eap: EAP-Message = 0x010a00271a010a002210eeffe7fe7433fc33577c646e400a39e24141492d4e50532d4544555632
(22) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(22) eap: Got tunneled Access-Challenge
(22) eap: Reply was handled
(22) eap: Sending EAP Request (code 1) ID 10 length 70
(22) eap: EAP session adding &reply:State = 0x1a0c7e7712066752
(22) [eap] = ok
(22) } # post-proxy = updated
(22) }
(22) session-state: Saving cached attributes
(22) Framed-MTU = 1014
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(22) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(22) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(22) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(22) TLS-Session-Version = "TLS 1.2"
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found. Ignoring.
(22) # Executing group from file /etc/freeradius/sites-enabled/default
(22) Sent Access-Challenge Id 169 from 130.92.10.33:1812 to 1.2.3.4:63606 length 128
(22) EAP-Message = 0x010a00461900170303003b69cd9549766a5c07e7a533b4954f2b8a2f7d523485391d6347a7c8b129d5f82e531ee88bad59bbd4d844e6ca0cdcd6368cc58ada378c7aa1d5fb65
(22) Message-Authenticator = 0x00000000000000000000000000000000
(22) State = 0x1a0c7e771206675279b57cf47df95d07
(22) Finished request
(23) Received Access-Request Id 170 from 1.2.3.4:63606 to 130.92.10.33:1812 length 570
(23) User-Name = anonymous at unibe.ch
(23) Service-Type = Framed-User
(23) Cisco-AVPair = "service-type=Framed"
(23) Framed-MTU = 1485
(23) EAP-Message = 0x020a0072190017030300673667ef69fc7200855481c10f1f4a4302825d6e8e053a95b0043c86a557ab14b7cff518ef0e171c44cf1611aa60a6c005975617ce937379fa7458eb80d9295d9eec138d40cce24f5c736bc8763e2ef3ed83500c10663e2db0027b9bccb0657050e251766881076a
(23) Message-Authenticator = 0xbae882ea47144349739d08cdc2273497
(23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) Cisco-AVPair = "method=dot1x"
(23) Cisco-AVPair = "client-iif-id=2818574557"
(23) Cisco-AVPair = "vlan-id=1000"
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Id = "capwap_9000000c"
(23) NAS-Port-Type = Wireless-802.11
(23) NAS-Port = 4211
(23) State = 0x1a0c7e771206675279b57cf47df95d07
(23) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(23) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(23) Airespace-Wlan-Id = 97
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) WLAN-Group-Cipher = 1027076
(23) WLAN-Pairwise-Cipher = 1027076
(23) WLAN-AKM-Suite = 1027075
(23) WLAN-Group-Mgmt-Cipher = 1027078
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(23) authorize {
(23) policy rewrite_called_station_id {
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(23) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(23) update request {
(23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(23) --> 2C-E3-8E-ED-31-E0
(23) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(23) } # update request = noop
(23) if ("%{8}") {
(23) EXPAND %{8}
(23) --> eduroam
(23) if ("%{8}") -> TRUE
(23) if ("%{8}") {
(23) update request {
(23) EXPAND %{8}
(23) --> eduroam
(23) &Called-Station-SSID := eduroam
(23) EXPAND %{Called-Station-Id}:%{8}
(23) --> 2C-E3-8E-ED-31-E0:eduroam
(23) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(23) } # update request = noop
(23) } # if ("%{8}") = noop
(23) [updated] = updated
(23) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(23) ... skipping else: Preceding "if" was taken
(23) } # policy rewrite_called_station_id = updated
(23) policy rewrite_calling_station_id {
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(23) update request {
(23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(23) --> AC-DF-A1-B1-F1-5A
(23) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(23) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(23) --> AC:DF:A1:B1:F1:5A
(23) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(23) } # update request = noop
(23) [updated] = updated
(23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(23) ... skipping else: Preceding "if" was taken
(23) } # policy rewrite_calling_station_id = updated
(23) if (Service-Type == Call-Check) {
(23) if (Service-Type == Call-Check) -> FALSE
(23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(23) EXPAND Packet-Src-IP-Address
(23) --> 1.2.3.4
(23) EXPAND Packet-Src-IP-Address
(23) --> 1.2.3.4
(23) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(23) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(23) if (EAP-Message) {
(23) if (EAP-Message) -> TRUE
(23) if (EAP-Message) {
(23) policy filter_username {
(23) if (&User-Name) {
(23) if (&User-Name) -> TRUE
(23) if (&User-Name) {
(23) if (&User-Name =~ / /) {
(23) if (&User-Name =~ / /) -> FALSE
(23) if (&User-Name =~ /@[^@]*@/ ) {
(23) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(23) if (&User-Name =~ /\.\./ ) {
(23) if (&User-Name =~ /\.\./ ) -> FALSE
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(23) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(23) if (&User-Name =~ /\.$/) {
(23) if (&User-Name =~ /\.$/) -> FALSE
(23) if (&User-Name =~ /@\./) {
(23) if (&User-Name =~ /@\./) -> FALSE
(23) } # if (&User-Name) = updated
(23) } # policy filter_username = updated
(23) suffix: Checking for suffix after "@"
(23) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(23) suffix: Found realm "UNIBE.CH"
(23) suffix: Adding Realm = "UNIBE.CH"
(23) suffix: Authentication realm is LOCAL
(23) [suffix] = ok
(23) policy deny_no_realm {
(23) if (User-Name && (User-Name !~ /@/)) {
(23) if (User-Name && (User-Name !~ /@/)) -> FALSE
(23) } # policy deny_no_realm = updated
(23) update request {
(23) EXPAND %{toupper:%{Realm}}
(23) --> UNIBE.CH
(23) Realm := UNIBE.CH
(23) } # update request = noop
(23) eap: Peer sent EAP Response (code 2) ID 10 length 114
(23) eap: Continuing tunnel setup
(23) [eap] = ok
(23) } # if (EAP-Message) = ok
(23) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(23) } # authorize = updated
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/freeradius/sites-enabled/default
(23) Auth-Type eap {
(23) eap: Removing EAP session with state 0x1a0c7e7712066752
(23) eap: Previous EAP request found for state 0x1a0c7e7712066752, released from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: (TLS) EAP Done initial handshake
(23) eap_peap: Session established. Decoding tunneled attributes
(23) eap_peap: PEAP state phase2
(23) eap_peap: EAP method MSCHAPv2 (26)
(23) eap_peap: Got tunneled request
(23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) eap_peap: Setting User-Name to jon.doe at unibe.ch
(23) eap_peap: Sending tunneled request to proxy-inner-tunnel
(23) eap_peap: EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(23) eap_peap: User-Name = jon.doe at unibe.ch
(23) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) eap_peap: Service-Type = Framed-User
(23) eap_peap: Cisco-AVPair = "service-type=Framed"
(23) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) eap_peap: Cisco-AVPair = "method=dot1x"
(23) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(23) eap_peap: Cisco-AVPair = "vlan-id=1000"
(23) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) eap_peap: Framed-MTU = 1485
(23) eap_peap: NAS-IP-Address = 1.2.3.4
(23) eap_peap: NAS-Port-Id = "capwap_9000000c"
(23) eap_peap: NAS-Port-Type = Wireless-802.11
(23) eap_peap: NAS-Port = 4211
(23) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) eap_peap: Airespace-Wlan-Id = 97
(23) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) eap_peap: WLAN-Group-Cipher = 1027076
(23) eap_peap: WLAN-Pairwise-Cipher = 1027076
(23) eap_peap: WLAN-AKM-Suite = 1027075
(23) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(23) Virtual server proxy-inner-tunnel received request
(23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) FreeRADIUS-Proxied-To = 127.0.0.1
(23) User-Name = jon.doe at unibe.ch
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) Service-Type = Framed-User
(23) Cisco-AVPair = "service-type=Framed"
(23) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(23) Cisco-AVPair = "method=dot1x"
(23) Cisco-AVPair = "client-iif-id=2818574557"
(23) Cisco-AVPair = "vlan-id=1000"
(23) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(23) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(23) Framed-MTU = 1485
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Id = "capwap_9000000c"
(23) NAS-Port-Type = Wireless-802.11
(23) NAS-Port = 4211
(23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) Airespace-Wlan-Id = 97
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) WLAN-Group-Cipher = 1027076
(23) WLAN-Pairwise-Cipher = 1027076
(23) WLAN-AKM-Suite = 1027075
(23) WLAN-Group-Mgmt-Cipher = 1027078
(23) server proxy-inner-tunnel {
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(23) authorize {
(23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(23) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(23) if (!NAS-Port-Type){
(23) if (!NAS-Port-Type) -> FALSE
(23) update control {
(23) &Proxy-To-Realm := REALM-NPS-DEV
(23) } # update control = noop
(23) } # authorize = noop
(23) } # server proxy-inner-tunnel
(23) Virtual server sending reply
(23) eap_peap: Got tunneled reply code 0
(23) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(23) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(23) [eap] = handled
(23) if (handled && (Response-Packet-Type == Access-Challenge)) {
(23) EXPAND Response-Packet-Type
(23) -->
(23) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(23) } # Auth-Type eap = handled
(23) Starting proxy to home server 9.9.9.9 port 1812
(23) server default {
(23) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(23) pre-proxy {
(23) attr_filter.pre-proxy: EXPAND %{Realm}
(23) attr_filter.pre-proxy: --> UNIBE.CH
(23) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(23) [attr_filter.pre-proxy] = updated
(23) } # pre-proxy = updated
(23) }
(23) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(23) Sent Access-Request Id 23 from 0.0.0.0:57225 to 9.9.9.9:1812 length 288
(23) Operator-Name := "1unibe.ch"
(23) EAP-Message = 0x020a00531a020a004e316d21ec3fe67486d2d26c6862f0a06a7100000000000000000d46c0e0974d505effde132e036b1e1dd2d838687203752c00646f6d696e69632e7374616c64657240756e6962652e6368
(23) User-Name = jon.doe at unibe.ch
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) NAS-IP-Address = 1.2.3.4
(23) NAS-Port-Type = Wireless-802.11
(23) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(23) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(23) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(23) Message-Authenticator = 0x
(23) Proxy-State = 0x313730
(23) Clearing existing &reply: attributes
(23) Received Access-Challenge Id 23 from 9.9.9.9:1812 to 130.92.10.33:57225 length 140
(23) Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a
(23) Proxy-State = 0x313730
(23) Session-Timeout = 60
(23) EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(23) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) server default {
(23) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(23) post-proxy {
(23) attr_filter.post-proxy: EXPAND %{Realm}
(23) attr_filter.post-proxy: --> UNIBE.CH
(23) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(23) [attr_filter.post-proxy] = updated
(23) eap: Doing post-proxy callback
(23) eap: Passing reply from proxy back into the tunnel
(23) eap: Got tunneled reply RADIUS code 11
(23) eap: Tunnel-Type := VLAN
(23) eap: Tunnel-Medium-Type := IEEE-802
(23) eap: Message-Authenticator = 0xe5cf1cf35e1d318a4f24f6ac4de8166a
(23) eap: Proxy-State = 0x313730
(23) eap: EAP-Message = 0x010b00331a030a002e533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(23) eap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(23) eap: Got tunneled Access-Challenge
(23) eap: Reply was handled
(23) eap: Sending EAP Request (code 1) ID 11 length 82
(23) eap: EAP session adding &reply:State = 0x1a0c7e7713076752
(23) [eap] = ok
(23) } # post-proxy = updated
(23) }
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found. Ignoring.
(23) # Executing group from file /etc/freeradius/sites-enabled/default
(23) Sent Access-Challenge Id 170 from 130.92.10.33:1812 to 1.2.3.4:63606 length 140
(23) EAP-Message = 0x010b00521900170303004769cd9549766a5c08877f9dcc3d5bbb0c7718563cf3286f690c07a08da31ea6540f21eb3c1933d7d92dbe22551b18a7d5e2cbf116856b2a68d3fff389ebdb8926e8d42e50522ca4
(23) Message-Authenticator = 0x00000000000000000000000000000000
(23) State = 0x1a0c7e771307675279b57cf47df95d07
(23) Finished request
(24) Received Access-Request Id 171 from 1.2.3.4:63606 to 130.92.10.33:1812 length 493
(24) User-Name = anonymous at unibe.ch
(24) Service-Type = Framed-User
(24) Cisco-AVPair = "service-type=Framed"
(24) Framed-MTU = 1485
(24) EAP-Message = 0x020b00251900170303001a3667ef69fc7200864f7f9410f449a59651d6a1975df235030608
(24) Message-Authenticator = 0x9b70bdd088abd8b737cf77c71d3ba2c0
(24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) Cisco-AVPair = "method=dot1x"
(24) Cisco-AVPair = "client-iif-id=2818574557"
(24) Cisco-AVPair = "vlan-id=1000"
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Id = "capwap_9000000c"
(24) NAS-Port-Type = Wireless-802.11
(24) NAS-Port = 4211
(24) State = 0x1a0c7e771307675279b57cf47df95d07
(24) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) Called-Station-Id = "2c-e3-8e-ed-31-e0:eduroam"
(24) Calling-Station-Id = "ac-df-a1-b1-f1-5a"
(24) Airespace-Wlan-Id = 97
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) WLAN-Group-Cipher = 1027076
(24) WLAN-Pairwise-Cipher = 1027076
(24) WLAN-AKM-Suite = 1027075
(24) WLAN-Group-Mgmt-Cipher = 1027078
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(24) authorize {
(24) policy rewrite_called_station_id {
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(24) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(24) update request {
(24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(24) --> 2C-E3-8E-ED-31-E0
(24) &Called-Station-Id := 2C-E3-8E-ED-31-E0
(24) } # update request = noop
(24) if ("%{8}") {
(24) EXPAND %{8}
(24) --> eduroam
(24) if ("%{8}") -> TRUE
(24) if ("%{8}") {
(24) update request {
(24) EXPAND %{8}
(24) --> eduroam
(24) &Called-Station-SSID := eduroam
(24) EXPAND %{Called-Station-Id}:%{8}
(24) --> 2C-E3-8E-ED-31-E0:eduroam
(24) &Called-Station-Id := 2C-E3-8E-ED-31-E0:eduroam
(24) } # update request = noop
(24) } # if ("%{8}") = noop
(24) [updated] = updated
(24) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(24) ... skipping else: Preceding "if" was taken
(24) } # policy rewrite_called_station_id = updated
(24) policy rewrite_calling_station_id {
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(24) update request {
(24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(24) --> AC-DF-A1-B1-F1-5A
(24) &Calling-Station-Id := AC-DF-A1-B1-F1-5A
(24) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(24) --> AC:DF:A1:B1:F1:5A
(24) &locMacAuth-Calling-Station-Id := AC:DF:A1:B1:F1:5A
(24) } # update request = noop
(24) [updated] = updated
(24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(24) ... skipping else: Preceding "if" was taken
(24) } # policy rewrite_calling_station_id = updated
(24) if (Service-Type == Call-Check) {
(24) if (Service-Type == Call-Check) -> FALSE
(24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(24) EXPAND Packet-Src-IP-Address
(24) --> 1.2.3.4
(24) EXPAND Packet-Src-IP-Address
(24) --> 1.2.3.4
(24) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(24) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(24) if (EAP-Message) {
(24) if (EAP-Message) -> TRUE
(24) if (EAP-Message) {
(24) policy filter_username {
(24) if (&User-Name) {
(24) if (&User-Name) -> TRUE
(24) if (&User-Name) {
(24) if (&User-Name =~ / /) {
(24) if (&User-Name =~ / /) -> FALSE
(24) if (&User-Name =~ /@[^@]*@/ ) {
(24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(24) if (&User-Name =~ /\.\./ ) {
(24) if (&User-Name =~ /\.\./ ) -> FALSE
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(24) if (&User-Name =~ /\.$/) {
(24) if (&User-Name =~ /\.$/) -> FALSE
(24) if (&User-Name =~ /@\./) {
(24) if (&User-Name =~ /@\./) -> FALSE
(24) } # if (&User-Name) = updated
(24) } # policy filter_username = updated
(24) suffix: Checking for suffix after "@"
(24) suffix: Looking up realm "unibe.ch" for User-Name = anonymous at unibe.ch
(24) suffix: Found realm "UNIBE.CH"
(24) suffix: Adding Realm = "UNIBE.CH"
(24) suffix: Authentication realm is LOCAL
(24) [suffix] = ok
(24) policy deny_no_realm {
(24) if (User-Name && (User-Name !~ /@/)) {
(24) if (User-Name && (User-Name !~ /@/)) -> FALSE
(24) } # policy deny_no_realm = updated
(24) update request {
(24) EXPAND %{toupper:%{Realm}}
(24) --> UNIBE.CH
(24) Realm := UNIBE.CH
(24) } # update request = noop
(24) eap: Peer sent EAP Response (code 2) ID 11 length 37
(24) eap: Continuing tunnel setup
(24) [eap] = ok
(24) } # if (EAP-Message) = ok
(24) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(24) } # authorize = updated
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/freeradius/sites-enabled/default
(24) Auth-Type eap {
(24) eap: Removing EAP session with state 0x1a0c7e7713076752
(24) eap: Previous EAP request found for state 0x1a0c7e7713076752, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: (TLS) EAP Done initial handshake
(24) eap_peap: Session established. Decoding tunneled attributes
(24) eap_peap: PEAP state phase2
(24) eap_peap: EAP method MSCHAPv2 (26)
(24) eap_peap: Got tunneled request
(24) eap_peap: EAP-Message = 0x020b00061a03
(24) eap_peap: Setting User-Name to jon.doe at unibe.ch
(24) eap_peap: Sending tunneled request to proxy-inner-tunnel
(24) eap_peap: EAP-Message = 0x020b00061a03
(24) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(24) eap_peap: User-Name = jon.doe at unibe.ch
(24) eap_peap: State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) eap_peap: Service-Type = Framed-User
(24) eap_peap: Cisco-AVPair = "service-type=Framed"
(24) eap_peap: Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) eap_peap: Cisco-AVPair = "method=dot1x"
(24) eap_peap: Cisco-AVPair = "client-iif-id=2818574557"
(24) eap_peap: Cisco-AVPair = "vlan-id=1000"
(24) eap_peap: Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) eap_peap: Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) eap_peap: Framed-MTU = 1485
(24) eap_peap: NAS-IP-Address = 1.2.3.4
(24) eap_peap: NAS-Port-Id = "capwap_9000000c"
(24) eap_peap: NAS-Port-Type = Wireless-802.11
(24) eap_peap: NAS-Port = 4211
(24) eap_peap: Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) eap_peap: Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) eap_peap: Airespace-Wlan-Id = 97
(24) eap_peap: NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) eap_peap: WLAN-Group-Cipher = 1027076
(24) eap_peap: WLAN-Pairwise-Cipher = 1027076
(24) eap_peap: WLAN-AKM-Suite = 1027075
(24) eap_peap: WLAN-Group-Mgmt-Cipher = 1027078
(24) Virtual server proxy-inner-tunnel received request
(24) EAP-Message = 0x020b00061a03
(24) FreeRADIUS-Proxied-To = 127.0.0.1
(24) User-Name = jon.doe at unibe.ch
(24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) Service-Type = Framed-User
(24) Cisco-AVPair = "service-type=Framed"
(24) Cisco-AVPair = "audit-session-id=0F2A5C82000000284D8006C8"
(24) Cisco-AVPair = "method=dot1x"
(24) Cisco-AVPair = "client-iif-id=2818574557"
(24) Cisco-AVPair = "vlan-id=1000"
(24) Cisco-AVPair = "cisco-wlan-ssid=eduroam"
(24) Cisco-AVPair = "wlan-profile-name=eduroam-6GHz-TM"
(24) Framed-MTU = 1485
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Id = "capwap_9000000c"
(24) NAS-Port-Type = Wireless-802.11
(24) NAS-Port = 4211
(24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) Airespace-Wlan-Id = 97
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) WLAN-Group-Cipher = 1027076
(24) WLAN-Pairwise-Cipher = 1027076
(24) WLAN-AKM-Suite = 1027075
(24) WLAN-Group-Mgmt-Cipher = 1027078
(24) server proxy-inner-tunnel {
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(24) authorize {
(24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) {
(24) if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((unibe\.ch)|(faculty\.unibe\.ch)|(students\.unibe\.ch)|(ext\.unibe\.ch)))|(^[\w-]{1,20}@((campus\.unibe\.ch)|(unibe\.ch)))/) -> FALSE
(24) if (!NAS-Port-Type){
(24) if (!NAS-Port-Type) -> FALSE
(24) update control {
(24) &Proxy-To-Realm := REALM-NPS-DEV
(24) } # update control = noop
(24) } # authorize = noop
(24) } # server proxy-inner-tunnel
(24) Virtual server sending reply
(24) eap_peap: Got tunneled reply code 0
(24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(24) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(24) [eap] = handled
(24) if (handled && (Response-Packet-Type == Access-Challenge)) {
(24) EXPAND Response-Packet-Type
(24) -->
(24) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(24) } # Auth-Type eap = handled
(24) Starting proxy to home server 9.9.9.9 port 1812
(24) server default {
(24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(24) pre-proxy {
(24) attr_filter.pre-proxy: EXPAND %{Realm}
(24) attr_filter.pre-proxy: --> UNIBE.CH
(24) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(24) [attr_filter.pre-proxy] = updated
(24) } # pre-proxy = updated
(24) }
(24) Proxying request to home server 9.9.9.9 port 1812 timeout 20.000000
(24) Sent Access-Request Id 24 from 0.0.0.0:57225 to 9.9.9.9:1812 length 211
(24) Operator-Name := "1unibe.ch"
(24) EAP-Message = 0x020b00061a03
(24) User-Name = jon.doe at unibe.ch
(24) State = 0x2354033e0000013700010200825c0e1b0000000000000000000000000000000426d28c73
(24) NAS-IP-Address = 1.2.3.4
(24) NAS-Port-Type = Wireless-802.11
(24) Called-Station-Id := "2C-E3-8E-ED-31-E0:eduroam"
(24) Calling-Station-Id := "AC-DF-A1-B1-F1-5A"
(24) NAS-Identifier = "2c-e3-8e-ed-31-e0:eduroam"
(24) Message-Authenticator = 0x
(24) Proxy-State = 0x313731
Thread 3 waiting to be assigned a request
Waking up in 0.1 seconds.
Thread 5 got semaphore
Thread 5 handling request 24, (7 handled so far)
(24) Clearing existing &reply: attributes
(24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289
(24) Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56
(24) Proxy-State = 0x313731
(24) Class = 0x7374616666
(24) Filter-Id = "staff"
(24) Framed-Protocol = PPP
(24) Service-Type = Framed-User
(24) Tunnel-Medium-Type:0 = IEEE-802
(24) Tunnel-Private-Group-Id:0 = "2000"
(24) Tunnel-Type:0 = VLAN
(24) EAP-Message = 0x030b0004
(24) Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe
(24) MS-CHAP-Domain = "\001CAMPUS"
(24) MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f
(24) MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0
(24) MS-CHAP2-Success = 0x01533d42374430413432353333434331463134413332324334454333354443333837434632353343383943
(24) server default {
(24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(24) post-proxy {
(24) attr_filter.post-proxy: EXPAND %{Realm}
(24) attr_filter.post-proxy: --> UNIBE.CH
(24) attr_filter.post-proxy: Matched entry UNIBE.CH at line 102
(24) [attr_filter.post-proxy] = updated
(24) eap: Doing post-proxy callback
(24) eap: Passing reply from proxy back into the tunnel
(24) eap: Got tunneled reply RADIUS code 2
(24) eap: Tunnel-Type := VLAN
(24) eap: Tunnel-Medium-Type := IEEE-802
(24) eap: Message-Authenticator = 0xe2aeca8badf38cd8faee768a6bd7fd56
(24) eap: Proxy-State = 0x313731
(24) eap: Class = 0x7374616666
(24) eap: Filter-Id = "staff"
(24) eap: Tunnel-Private-Group-Id:0 = "2000"
(24) eap: EAP-Message = 0x030b0004
(24) eap: Class = 0x5cf107910000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060effe
(24) eap: MS-MPPE-Send-Key = 0x9052dea3ac1da5021ae0464d2083676f
(24) eap: MS-MPPE-Recv-Key = 0xc408c2c0fe593f0134a78f1a4fee5dc0
(24) eap: Tunneled authentication was successful
(24) eap: SUCCESS
(24) eap: Saving tunneled attributes for later
(24) eap: Reply was handled
(24) eap: Sending EAP Request (code 1) ID 12 length 46
(24) eap: EAP session adding &reply:State = 0x1a0c7e7710006752
(24) [eap] = ok
(24) } # post-proxy = updated
(24) }
(24) Using Post-Auth-Type Challenge
(24) Post-Auth-Type sub-section not found. Ignoring.
(24) # Executing group from file /etc/freeradius/sites-enabled/default
(24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104
(24) EAP-Message = 0x010c002e1900170303002369cd9549766a5c096f1e1c66977ad4a91fd857608710d39bf55e09ca568c703d98ec8f
(24) Message-Authenticator = 0x00000000000000000000000000000000
(24) State = 0x1a0c7e771000675279b57cf47df95d07
(24) Finished request
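To check which virtual-server sections actually ran for a request in output like the above, the following added example (not part of the original post, and not FreeRADIUS code) summarizes `radiusd -X` lines per request number. The function names `summarize` and `inner_post_auth_ran` are hypothetical, and the sample lines are abridged from request (24) above.

```python
import re
from collections import defaultdict

# Abridged from request (24) in the debug output above; order preserved.
SAMPLE_LOG = """\
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(24) eap_peap: Sending tunneled request to proxy-inner-tunnel
(24) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(24) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(24) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
Thread 5 handling request 24, (7 handled so far)
(24) Received Access-Accept Id 24 from 9.9.9.9:1812 to 130.92.10.33:57225 length 289
(24) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(24) eap: Tunneled authentication was successful
(24) Sent Access-Challenge Id 171 from 130.92.10.33:1812 to 1.2.3.4:63606 length 104
"""

LINE_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
SECTION_RE = re.compile(r"^# Executing section (\S+) from file (\S+)")
PROXIED_RE = re.compile(r"Tunnell?ed authentication will be proxied to (\S+)")
PACKET_RE = re.compile(r"^(Sent|Received) (Access-[A-Za-z]+) Id \d+")


def summarize(log_text):
    """Return {request_number: {"sections", "proxied_to", "packets"}}."""
    requests = defaultdict(
        lambda: {"sections": [], "proxied_to": None, "packets": []}
    )
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if line is None:
            continue  # thread/scheduler lines carry no request number
        entry = requests[int(line.group(1))]
        body = line.group(2)

        section = SECTION_RE.match(body)
        if section:
            # Use the config file's base name as the server label.
            server = section.group(2).rsplit("/", 1)[-1]
            entry["sections"].append((server, section.group(1)))
            continue
        proxied = PROXIED_RE.search(body)
        if proxied:
            entry["proxied_to"] = proxied.group(1)
            continue
        packet = PACKET_RE.match(body)
        if packet:
            entry["packets"].append((packet.group(1), packet.group(2)))
    return dict(requests)


def inner_post_auth_ran(entry, inner_server="proxy-inner-tunnel"):
    """True if the inner server's post-auth section appears for this request."""
    return (inner_server, "post-auth") in entry["sections"]


if __name__ == "__main__":
    for number, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(f"request {number}: proxied_to={entry['proxied_to']}")
        for server, section in entry["sections"]:
            print(f"  {server}: {section}")
        for direction, kind in entry["packets"]:
            print(f"  {direction} {kind}")
        print(f"  inner post-auth ran: {inner_post_auth_ran(entry)}")
```

Run over the full capture, the same summary shows for every request number whether `post-auth` in `proxy-inner-tunnel` was ever executed.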