Question / Copy inner to outer identity

Dominic Stalder dominic.stalder at bluewin.ch
Fri Nov 7 13:10:21 UTC 2025


Hi Alan

I think I was on the right track to getting it running based on your recommendation, but I think the "defect" described here is working against our setup:

https://github.com/FreeRADIUS/freeradius-server/issues/5288

https://lists.freeradius.org/pipermail/freeradius-users/2024-December/105157.html

I know you wrote this back then:
> For now, don't do internal proxying, and it should work.  I'll see if I can find time to track this down.
However, I am not able to completely change our setup on short notice. Is there any other workaround for this specific problem?

(0) Received Access-Request Id 0 from 127.0.0.1:51983 to 127.0.0.1:1812 length 177
(0)   User-Name = "anonymous at example.com"
(0)   NAS-IP-Address = 127.0.0.1
(0)   Calling-Station-Id = "02-00-00-00-00-01"
(0)   Framed-MTU = 1400
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Connect-Info = "CONNECT 11Mbps 802.11b"
(0)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(0)   EAP-Message = 0x02ca001701616e6f6e796d6f757340756e6962652e6368
(0)   Message-Authenticator = 0x8b7b499dec603bb90409b32543918122
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy rewrite_called_station_id {
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(0)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 11-22-33-44-55-66
(0)           &Called-Station-Id := 11-22-33-44-55-66
(0)         } # update request = noop
(0)         if ("%{8}") {
(0)         EXPAND %{8}
(0)            --> eduroam
(0)         if ("%{8}")  -> TRUE
(0)         if ("%{8}")  {
(0)           update request {
(0)             EXPAND %{8}
(0)                --> eduroam
(0)             &Called-Station-SSID := eduroam
(0)             EXPAND %{Called-Station-Id}:%{8}
(0)                --> 11-22-33-44-55-66:eduroam
(0)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(0)           } # update request = noop
(0)         } # if ("%{8}")  = noop
(0)         [updated] = updated
(0)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_called_station_id = updated
(0)     policy rewrite_calling_station_id {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(0)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(0)         update request {
(0)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0)              --> 02-00-00-00-00-01
(0)           &Calling-Station-Id := 02-00-00-00-00-01
(0)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(0)              --> 02:00:00:00:00:01
(0)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(0)         } # update request = noop
(0)         [updated] = updated
(0)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(0)       ... skipping else: Preceding "if" was taken
(0)     } # policy rewrite_calling_station_id = updated
(0)     if (Service-Type == Call-Check) {
(0)     if (Service-Type == Call-Check)  -> FALSE
(0)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(0)     EXPAND Packet-Src-IP-Address
(0)        --> 127.0.0.1
(0)     EXPAND Packet-Src-IP-Address
(0)        --> 127.0.0.1
(0)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(0)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(0)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(0)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(0)       if (EAP-Message) {
(0)       if (EAP-Message)  -> TRUE
(0)       if (EAP-Message)  {
(0)         policy filter_username {
(0)           if (&User-Name) {
(0)           if (&User-Name)  -> TRUE
(0)           if (&User-Name)  {
(0)             if (&User-Name =~ / /) {
(0)             if (&User-Name =~ / /)  -> FALSE
(0)             if (&User-Name =~ /@[^@]*@/ ) {
(0)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)             if (&User-Name =~ /\.\./ ) {
(0)             if (&User-Name =~ /\.\./ )  -> FALSE
(0)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)             if (&User-Name =~ /\.$/)  {
(0)             if (&User-Name =~ /\.$/)   -> FALSE
(0)             if (&User-Name =~ /@\./)  {
(0)             if (&User-Name =~ /@\./)   -> FALSE
(0)           } # if (&User-Name)  = updated
(0)         } # policy filter_username = updated
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(0) suffix: Found realm "EXAMPLE.COM"
(0) suffix: Adding Realm = "EXAMPLE.COM"
(0) suffix: Authentication realm is LOCAL
(0)         [suffix] = ok
(0)         policy deny_no_realm {
(0)           if (User-Name && (User-Name !~ /@/)) {
(0)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(0)         } # policy deny_no_realm = updated
(0)         update request {
(0)           EXPAND %{toupper:%{Realm}}
(0)              --> EXAMPLE.COM
(0)           Realm := EXAMPLE.COM
(0)         } # update request = noop
(0) eap: Peer sent EAP Response (code 2) ID 202 length 23
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)         [eap] = ok
(0)       } # if (EAP-Message)  = ok
(0)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(0)   } # authorize = updated
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Auth-Type eap {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Using default_eap_type = PEAP
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap: Sending EAP Request (code 1) ID 203 length 6
(0) eap: EAP session adding &reply:State = 0xd7951377d75e0ac5
(0)     [eap] = handled
(0)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(0)     EXPAND Response-Packet-Type
(0)        --> Access-Challenge
(0)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(0)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(0) attr_filter.access_challenge: EXPAND %{User-Name}
(0) attr_filter.access_challenge:    --> anonymous at example.com
(0) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(0)       [attr_filter.access_challenge.post-auth] = updated
(0)       [handled] = handled
(0)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(0)   } # Auth-Type eap = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 1014
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:51983 length 64
(0)   EAP-Message = 0x01cb00061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xd7951377d75e0ac5141f11c810ce92e5
(0) Finished request
Thread 5 waiting to be assigned a request
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
(1) Received Access-Request Id 1 from 127.0.0.1:51983 to 127.0.0.1:1812 length 366
(1)   User-Name = "anonymous at example.com"
(1)   NAS-IP-Address = 127.0.0.1
(1)   Calling-Station-Id = "02-00-00-00-00-01"
(1)   Framed-MTU = 1400
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Connect-Info = "CONNECT 11Mbps 802.11b"
(1)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(1)   EAP-Message = 0x02cb00c21980000000b816030100b3010000af03033ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c0000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
(1)   State = 0xd7951377d75e0ac5141f11c810ce92e5
(1)   Message-Authenticator = 0xe15c5d324b55396d678e2a0aed9622ea
(1) Restoring &session-state
Waking up in 0.3 seconds.
(1)   &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1)     policy rewrite_called_station_id {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(1)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> 11-22-33-44-55-66
(1)           &Called-Station-Id := 11-22-33-44-55-66
(1)         } # update request = noop
(1)         if ("%{8}") {
(1)         EXPAND %{8}
(1)            --> eduroam
(1)         if ("%{8}")  -> TRUE
(1)         if ("%{8}")  {
(1)           update request {
(1)             EXPAND %{8}
(1)                --> eduroam
(1)             &Called-Station-SSID := eduroam
(1)             EXPAND %{Called-Station-Id}:%{8}
(1)                --> 11-22-33-44-55-66:eduroam
(1)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(1)           } # update request = noop
(1)         } # if ("%{8}")  = noop
(1)         [updated] = updated
(1)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_called_station_id = updated
(1)     policy rewrite_calling_station_id {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> 02-00-00-00-00-01
(1)           &Calling-Station-Id := 02-00-00-00-00-01
(1)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1)              --> 02:00:00:00:00:01
(1)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_calling_station_id = updated
(1)     if (Service-Type == Call-Check) {
(1)     if (Service-Type == Call-Check)  -> FALSE
(1)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(1)     EXPAND Packet-Src-IP-Address
(1)        --> 127.0.0.1
(1)     EXPAND Packet-Src-IP-Address
(1)        --> 127.0.0.1
(1)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(1)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(1)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(1)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(1)       if (EAP-Message) {
(1)       if (EAP-Message)  -> TRUE
(1)       if (EAP-Message)  {
(1)         policy filter_username {
(1)           if (&User-Name) {
(1)           if (&User-Name)  -> TRUE
(1)           if (&User-Name)  {
(1)             if (&User-Name =~ / /) {
(1)             if (&User-Name =~ / /)  -> FALSE
(1)             if (&User-Name =~ /@[^@]*@/ ) {
(1)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)             if (&User-Name =~ /\.\./ ) {
(1)             if (&User-Name =~ /\.\./ )  -> FALSE
(1)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)             if (&User-Name =~ /\.$/)  {
(1)             if (&User-Name =~ /\.$/)   -> FALSE
(1)             if (&User-Name =~ /@\./)  {
(1)             if (&User-Name =~ /@\./)   -> FALSE
(1)           } # if (&User-Name)  = updated
(1)         } # policy filter_username = updated
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(1) suffix: Found realm "EXAMPLE.COM"
(1) suffix: Adding Realm = "EXAMPLE.COM"
(1) suffix: Authentication realm is LOCAL
(1)         [suffix] = ok
(1)         policy deny_no_realm {
(1)           if (User-Name && (User-Name !~ /@/)) {
(1)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(1)         } # policy deny_no_realm = updated
(1)         update request {
(1)           EXPAND %{toupper:%{Realm}}
(1)              --> EXAMPLE.COM
(1)           Realm := EXAMPLE.COM
(1)         } # update request = noop
(1) eap: Peer sent EAP Response (code 2) ID 203 length 194
(1) eap: Continuing tunnel setup
(1)         [eap] = ok
(1)       } # if (EAP-Message)  = ok
(1)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Auth-Type eap {
(1) eap: Removing EAP session with state 0xd7951377d75e0ac5
(1) eap: Previous EAP request found for state 0xd7951377d75e0ac5, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) EAP Peer says that the final record size will be 184 bytes
(1) eap_peap: (TLS) EAP Got all data (184 bytes)
(1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 204 length 1024
(1) eap: EAP session adding &reply:State = 0xd7951377d6590ac5
(1)     [eap] = handled
(1)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(1)     EXPAND Response-Packet-Type
(1)        --> Access-Challenge
(1)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(1)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge:    --> anonymous at example.com
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1)       [attr_filter.access_challenge.post-auth] = updated
(1)       [handled] = handled
(1)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(1)   } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 1014
(1)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(1)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1090
(1)   EAP-Message = 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
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xd7951377d6590ac5141f11c810ce92e5
(1) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 2, (1 handled so far)
(2) Received Access-Request Id 2 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178
(2)   User-Name = "anonymous at example.com"
(2)   NAS-IP-Address = 127.0.0.1
(2)   Calling-Station-Id = "02-00-00-00-00-01"
(2)   Framed-MTU = 1400
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Connect-Info = "CONNECT 11Mbps 802.11b"
(2)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(2)   EAP-Message = 0x02cc00061900
(2)   State = 0xd7951377d6590ac5141f11c810ce92e5
(2)   Message-Authenticator = 0x57bbf79e433bd872f0b103261a61153f
(2) Restoring &session-state
(2)   &session-state:Framed-MTU = 1014
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2)   authorize {
(2)     policy rewrite_called_station_id {
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(2)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> 11-22-33-44-55-66
(2)           &Called-Station-Id := 11-22-33-44-55-66
(2)         } # update request = noop
(2)         if ("%{8}") {
(2)         EXPAND %{8}
(2)            --> eduroam
(2)         if ("%{8}")  -> TRUE
(2)         if ("%{8}")  {
(2)           update request {
(2)             EXPAND %{8}
(2)                --> eduroam
(2)             &Called-Station-SSID := eduroam
(2)             EXPAND %{Called-Station-Id}:%{8}
(2)                --> 11-22-33-44-55-66:eduroam
(2)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(2)           } # update request = noop
(2)         } # if ("%{8}")  = noop
(2)         [updated] = updated
(2)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_called_station_id = updated
(2)     policy rewrite_calling_station_id {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> 02-00-00-00-00-01
(2)           &Calling-Station-Id := 02-00-00-00-00-01
(2)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2)              --> 02:00:00:00:00:01
(2)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(2)         } # update request = noop
(2)         [updated] = updated
(2)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_calling_station_id = updated
(2)     if (Service-Type == Call-Check) {
(2)     if (Service-Type == Call-Check)  -> FALSE
(2)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(2)     EXPAND Packet-Src-IP-Address
(2)        --> 127.0.0.1
(2)     EXPAND Packet-Src-IP-Address
(2)        --> 127.0.0.1
(2)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(2)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(2)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(2)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(2)       if (EAP-Message) {
(2)       if (EAP-Message)  -> TRUE
(2)       if (EAP-Message)  {
(2)         policy filter_username {
(2)           if (&User-Name) {
(2)           if (&User-Name)  -> TRUE
(2)           if (&User-Name)  {
(2)             if (&User-Name =~ / /) {
(2)             if (&User-Name =~ / /)  -> FALSE
(2)             if (&User-Name =~ /@[^@]*@/ ) {
(2)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)             if (&User-Name =~ /\.\./ ) {
(2)             if (&User-Name =~ /\.\./ )  -> FALSE
(2)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)             if (&User-Name =~ /\.$/)  {
(2)             if (&User-Name =~ /\.$/)   -> FALSE
(2)             if (&User-Name =~ /@\./)  {
(2)             if (&User-Name =~ /@\./)   -> FALSE
(2)           } # if (&User-Name)  = updated
(2)         } # policy filter_username = updated
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(2) suffix: Found realm "EXAMPLE.COM"
(2) suffix: Adding Realm = "EXAMPLE.COM"
(2) suffix: Authentication realm is LOCAL
(2)         [suffix] = ok
(2)         policy deny_no_realm {
(2)           if (User-Name && (User-Name !~ /@/)) {
(2)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(2)         } # policy deny_no_realm = updated
(2)         update request {
(2)           EXPAND %{toupper:%{Realm}}
(2)              --> EXAMPLE.COM
(2)           Realm := EXAMPLE.COM
(2)         } # update request = noop
(2) eap: Peer sent EAP Response (code 2) ID 204 length 6
(2) eap: Continuing tunnel setup
(2)         [eap] = ok
(2)       } # if (EAP-Message)  = ok
(2)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(2)   } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Auth-Type eap {
(2) eap: Removing EAP session with state 0xd7951377d6590ac5
(2) eap: Previous EAP request found for state 0xd7951377d6590ac5, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 205 length 1020
(2) eap: EAP session adding &reply:State = 0xd7951377d5580ac5
(2)     [eap] = handled
(2)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(2)     EXPAND Response-Packet-Type
(2)        --> Access-Challenge
(2)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(2)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge:    --> anonymous at example.com
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2)       [attr_filter.access_challenge.post-auth] = updated
(2)       [handled] = handled
(2)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(2)   } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) session-state: Saving cached attributes
(2)   Framed-MTU = 1014
(2)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086
(2)   EAP-Message = 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
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xd7951377d5580ac5141f11c810ce92e5
(2) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 3, (1 handled so far)
(3) Received Access-Request Id 3 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178
(3)   User-Name = "anonymous at example.com"
(3)   NAS-IP-Address = 127.0.0.1
(3)   Calling-Station-Id = "02-00-00-00-00-01"
(3)   Framed-MTU = 1400
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Connect-Info = "CONNECT 11Mbps 802.11b"
(3)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(3)   EAP-Message = 0x02cd00061900
(3)   State = 0xd7951377d5580ac5141f11c810ce92e5
(3)   Message-Authenticator = 0xa8b9317b7fa52631e457c50926dbde4c
(3) Restoring &session-state
(3)   &session-state:Framed-MTU = 1014
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3)   authorize {
(3)     policy rewrite_called_station_id {
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(3)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> 11-22-33-44-55-66
(3)           &Called-Station-Id := 11-22-33-44-55-66
(3)         } # update request = noop
(3)         if ("%{8}") {
(3)         EXPAND %{8}
(3)            --> eduroam
(3)         if ("%{8}")  -> TRUE
(3)         if ("%{8}")  {
(3)           update request {
(3)             EXPAND %{8}
(3)                --> eduroam
(3)             &Called-Station-SSID := eduroam
(3)             EXPAND %{Called-Station-Id}:%{8}
(3)                --> 11-22-33-44-55-66:eduroam
(3)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(3)           } # update request = noop
(3)         } # if ("%{8}")  = noop
(3)         [updated] = updated
(3)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_called_station_id = updated
(3)     policy rewrite_calling_station_id {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> 02-00-00-00-00-01
(3)           &Calling-Station-Id := 02-00-00-00-00-01
(3)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3)              --> 02:00:00:00:00:01
(3)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(3)         } # update request = noop
(3)         [updated] = updated
(3)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_calling_station_id = updated
(3)     if (Service-Type == Call-Check) {
(3)     if (Service-Type == Call-Check)  -> FALSE
(3)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(3)     EXPAND Packet-Src-IP-Address
(3)        --> 127.0.0.1
(3)     EXPAND Packet-Src-IP-Address
(3)        --> 127.0.0.1
(3)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(3)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(3)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(3)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(3)       if (EAP-Message) {
(3)       if (EAP-Message)  -> TRUE
(3)       if (EAP-Message)  {
(3)         policy filter_username {
(3)           if (&User-Name) {
(3)           if (&User-Name)  -> TRUE
(3)           if (&User-Name)  {
(3)             if (&User-Name =~ / /) {
(3)             if (&User-Name =~ / /)  -> FALSE
(3)             if (&User-Name =~ /@[^@]*@/ ) {
(3)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)             if (&User-Name =~ /\.\./ ) {
(3)             if (&User-Name =~ /\.\./ )  -> FALSE
(3)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)             if (&User-Name =~ /\.$/)  {
(3)             if (&User-Name =~ /\.$/)   -> FALSE
(3)             if (&User-Name =~ /@\./)  {
(3)             if (&User-Name =~ /@\./)   -> FALSE
(3)           } # if (&User-Name)  = updated
(3)         } # policy filter_username = updated
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(3) suffix: Found realm "EXAMPLE.COM"
(3) suffix: Adding Realm = "EXAMPLE.COM"
(3) suffix: Authentication realm is LOCAL
(3)         [suffix] = ok
(3)         policy deny_no_realm {
(3)           if (User-Name && (User-Name !~ /@/)) {
(3)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(3)         } # policy deny_no_realm = updated
(3)         update request {
(3)           EXPAND %{toupper:%{Realm}}
(3)              --> EXAMPLE.COM
(3)           Realm := EXAMPLE.COM
(3)         } # update request = noop
(3) eap: Peer sent EAP Response (code 2) ID 205 length 6
(3) eap: Continuing tunnel setup
(3)         [eap] = ok
(3)       } # if (EAP-Message)  = ok
(3)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(3)   } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3)   Auth-Type eap {
(3) eap: Removing EAP session with state 0xd7951377d5580ac5
(3) eap: Previous EAP request found for state 0xd7951377d5580ac5, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 206 length 1020
(3) eap: EAP session adding &reply:State = 0xd7951377d45b0ac5
(3)     [eap] = handled
(3)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(3)     EXPAND Response-Packet-Type
(3)        --> Access-Challenge
(3)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(3)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge:    --> anonymous@example.com
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3)       [attr_filter.access_challenge.post-auth] = updated
(3)       [handled] = handled
(3)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(3)   } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) session-state: Saving cached attributes
(3)   Framed-MTU = 1014
(3)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086
(3)   EAP-Message = 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
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xd7951377d45b0ac5141f11c810ce92e5
(3) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 4, (1 handled so far)
(4) Received Access-Request Id 4 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178
(4)   User-Name = "anonymous@example.com"
(4)   NAS-IP-Address = 127.0.0.1
(4)   Calling-Station-Id = "02-00-00-00-00-01"
(4)   Framed-MTU = 1400
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Connect-Info = "CONNECT 11Mbps 802.11b"
(4)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(4)   EAP-Message = 0x02ce00061900
(4)   State = 0xd7951377d45b0ac5141f11c810ce92e5
(4)   Message-Authenticator = 0x98a95941ef599d046953b555bbd0a67f
(4) Restoring &session-state
(4)   &session-state:Framed-MTU = 1014
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4)   authorize {
(4)     policy rewrite_called_station_id {
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(4)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(4)         update request {
(4)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4)              --> 11-22-33-44-55-66
(4)           &Called-Station-Id := 11-22-33-44-55-66
(4)         } # update request = noop
(4)         if ("%{8}") {
(4)         EXPAND %{8}
(4)            --> eduroam
(4)         if ("%{8}")  -> TRUE
(4)         if ("%{8}")  {
(4)           update request {
(4)             EXPAND %{8}
(4)                --> eduroam
(4)             &Called-Station-SSID := eduroam
(4)             EXPAND %{Called-Station-Id}:%{8}
(4)                --> 11-22-33-44-55-66:eduroam
(4)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(4)           } # update request = noop
(4)         } # if ("%{8}")  = noop
(4)         [updated] = updated
(4)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy rewrite_called_station_id = updated
(4)     policy rewrite_calling_station_id {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(4)         update request {
(4)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4)              --> 02-00-00-00-00-01
(4)           &Calling-Station-Id := 02-00-00-00-00-01
(4)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4)              --> 02:00:00:00:00:01
(4)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(4)         } # update request = noop
(4)         [updated] = updated
(4)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy rewrite_calling_station_id = updated
(4)     if (Service-Type == Call-Check) {
(4)     if (Service-Type == Call-Check)  -> FALSE
(4)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(4)     EXPAND Packet-Src-IP-Address
(4)        --> 127.0.0.1
(4)     EXPAND Packet-Src-IP-Address
(4)        --> 127.0.0.1
(4)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(4)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(4)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(4)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(4)       if (EAP-Message) {
(4)       if (EAP-Message)  -> TRUE
(4)       if (EAP-Message)  {
(4)         policy filter_username {
(4)           if (&User-Name) {
(4)           if (&User-Name)  -> TRUE
(4)           if (&User-Name)  {
(4)             if (&User-Name =~ / /) {
(4)             if (&User-Name =~ / /)  -> FALSE
(4)             if (&User-Name =~ /@[^@]*@/ ) {
(4)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)             if (&User-Name =~ /\.\./ ) {
(4)             if (&User-Name =~ /\.\./ )  -> FALSE
(4)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)             if (&User-Name =~ /\.$/)  {
(4)             if (&User-Name =~ /\.$/)   -> FALSE
(4)             if (&User-Name =~ /@\./)  {
(4)             if (&User-Name =~ /@\./)   -> FALSE
(4)           } # if (&User-Name)  = updated
(4)         } # policy filter_username = updated
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(4) suffix: Found realm "EXAMPLE.COM"
(4) suffix: Adding Realm = "EXAMPLE.COM"
(4) suffix: Authentication realm is LOCAL
(4)         [suffix] = ok
(4)         policy deny_no_realm {
(4)           if (User-Name && (User-Name !~ /@/)) {
(4)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(4)         } # policy deny_no_realm = updated
(4)         update request {
(4)           EXPAND %{toupper:%{Realm}}
(4)              --> EXAMPLE.COM
(4)           Realm := EXAMPLE.COM
(4)         } # update request = noop
(4) eap: Peer sent EAP Response (code 2) ID 206 length 6
(4) eap: Continuing tunnel setup
(4)         [eap] = ok
(4)       } # if (EAP-Message)  = ok
(4)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(4)   } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4)   Auth-Type eap {
(4) eap: Removing EAP session with state 0xd7951377d45b0ac5
(4) eap: Previous EAP request found for state 0xd7951377d45b0ac5, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 207 length 1020
(4) eap: EAP session adding &reply:State = 0xd7951377d35a0ac5
(4)     [eap] = handled
(4)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(4)     EXPAND Response-Packet-Type
(4)        --> Access-Challenge
(4)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(4)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge:    --> anonymous@example.com
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4)       [attr_filter.access_challenge.post-auth] = updated
(4)       [handled] = handled
(4)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(4)   } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) session-state: Saving cached attributes
(4)   Framed-MTU = 1014
(4)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:51983 length 1086
(4)   EAP-Message = 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
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xd7951377d35a0ac5141f11c810ce92e5
(4) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 5, (2 handled so far)
(5) Received Access-Request Id 5 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178
(5)   User-Name = "anonymous@example.com"
(5)   NAS-IP-Address = 127.0.0.1
(5)   Calling-Station-Id = "02-00-00-00-00-01"
(5)   Framed-MTU = 1400
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Connect-Info = "CONNECT 11Mbps 802.11b"
(5)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(5)   EAP-Message = 0x02cf00061900
(5)   State = 0xd7951377d35a0ac5141f11c810ce92e5
(5)   Message-Authenticator = 0x3cae6ba42a44fc5129aa533e41977792
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 1014
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy rewrite_called_station_id {
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(5)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(5)         update request {
(5)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5)              --> 11-22-33-44-55-66
(5)           &Called-Station-Id := 11-22-33-44-55-66
(5)         } # update request = noop
(5)         if ("%{8}") {
(5)         EXPAND %{8}
(5)            --> eduroam
(5)         if ("%{8}")  -> TRUE
(5)         if ("%{8}")  {
(5)           update request {
(5)             EXPAND %{8}
(5)                --> eduroam
(5)             &Called-Station-SSID := eduroam
(5)             EXPAND %{Called-Station-Id}:%{8}
(5)                --> 11-22-33-44-55-66:eduroam
(5)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(5)           } # update request = noop
(5)         } # if ("%{8}")  = noop
(5)         [updated] = updated
(5)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy rewrite_called_station_id = updated
(5)     policy rewrite_calling_station_id {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(5)         update request {
(5)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5)              --> 02-00-00-00-00-01
(5)           &Calling-Station-Id := 02-00-00-00-00-01
(5)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5)              --> 02:00:00:00:00:01
(5)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(5)         } # update request = noop
(5)         [updated] = updated
(5)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy rewrite_calling_station_id = updated
(5)     if (Service-Type == Call-Check) {
(5)     if (Service-Type == Call-Check)  -> FALSE
(5)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(5)     EXPAND Packet-Src-IP-Address
(5)        --> 127.0.0.1
(5)     EXPAND Packet-Src-IP-Address
(5)        --> 127.0.0.1
(5)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(5)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(5)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(5)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(5)       if (EAP-Message) {
(5)       if (EAP-Message)  -> TRUE
(5)       if (EAP-Message)  {
(5)         policy filter_username {
(5)           if (&User-Name) {
(5)           if (&User-Name)  -> TRUE
(5)           if (&User-Name)  {
(5)             if (&User-Name =~ / /) {
(5)             if (&User-Name =~ / /)  -> FALSE
(5)             if (&User-Name =~ /@[^@]*@/ ) {
(5)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)             if (&User-Name =~ /\.\./ ) {
(5)             if (&User-Name =~ /\.\./ )  -> FALSE
(5)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)             if (&User-Name =~ /\.$/)  {
(5)             if (&User-Name =~ /\.$/)   -> FALSE
(5)             if (&User-Name =~ /@\./)  {
(5)             if (&User-Name =~ /@\./)   -> FALSE
(5)           } # if (&User-Name)  = updated
(5)         } # policy filter_username = updated
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(5) suffix: Found realm "EXAMPLE.COM"
(5) suffix: Adding Realm = "EXAMPLE.COM"
(5) suffix: Authentication realm is LOCAL
(5)         [suffix] = ok
(5)         policy deny_no_realm {
(5)           if (User-Name && (User-Name !~ /@/)) {
(5)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(5)         } # policy deny_no_realm = updated
(5)         update request {
(5)           EXPAND %{toupper:%{Realm}}
(5)              --> EXAMPLE.COM
(5)           Realm := EXAMPLE.COM
(5)         } # update request = noop
(5) eap: Peer sent EAP Response (code 2) ID 207 length 6
(5) eap: Continuing tunnel setup
(5)         [eap] = ok
(5)       } # if (EAP-Message)  = ok
(5)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(5)   } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Auth-Type eap {
(5) eap: Removing EAP session with state 0xd7951377d35a0ac5
(5) eap: Previous EAP request found for state 0xd7951377d35a0ac5, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 208 length 355
(5) eap: EAP session adding &reply:State = 0xd7951377d2450ac5
(5)     [eap] = handled
(5)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(5)     EXPAND Response-Packet-Type
(5)        --> Access-Challenge
(5)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(5)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge:    --> anonymous@example.com
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5)       [attr_filter.access_challenge.post-auth] = updated
(5)       [handled] = handled
(5)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(5)   } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) session-state: Saving cached attributes
(5)   Framed-MTU = 1014
(5)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:51983 length 415
(5)   EAP-Message = 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
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xd7951377d2450ac5141f11c810ce92e5
(5) Finished request
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 6, (2 handled so far)
(6) Received Access-Request Id 6 from 127.0.0.1:51983 to 127.0.0.1:1812 length 308
(6)   User-Name = "anonymous@example.com"
(6)   NAS-IP-Address = 127.0.0.1
(6)   Calling-Station-Id = "02-00-00-00-00-01"
(6)   Framed-MTU = 1400
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Connect-Info = "CONNECT 11Mbps 802.11b"
(6)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(6)   EAP-Message = 0x02d0008819800000007e16030300461000004241041c7d2bbdbac2ec0bc6c5ce30a2725fc857aa1a7b49d9a2044a3c8c7e7d0fc414634c946707b7c8134f6164204b8175c1d8c7f29b5957ad8ca59753ab49569e3a1403030001011603030028a0c35e659375723f9bd0423aa783b1e765497fb8e21f9d07b6b9653a6c7c860b1d6d9aa8d12a575f
(6)   State = 0xd7951377d2450ac5141f11c810ce92e5
(6)   Message-Authenticator = 0x0450b73c031ded354ff2e255509e72e5
(6) Restoring &session-state
(6)   &session-state:Framed-MTU = 1014
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6)   authorize {
(6)     policy rewrite_called_station_id {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(6)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 11-22-33-44-55-66
(6)           &Called-Station-Id := 11-22-33-44-55-66
(6)         } # update request = noop
(6)         if ("%{8}") {
(6)         EXPAND %{8}
(6)            --> eduroam
(6)         if ("%{8}")  -> TRUE
(6)         if ("%{8}")  {
(6)           update request {
(6)             EXPAND %{8}
(6)                --> eduroam
(6)             &Called-Station-SSID := eduroam
(6)             EXPAND %{Called-Station-Id}:%{8}
(6)                --> 11-22-33-44-55-66:eduroam
(6)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(6)           } # update request = noop
(6)         } # if ("%{8}")  = noop
(6)         [updated] = updated
(6)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy rewrite_called_station_id = updated
(6)     policy rewrite_calling_station_id {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> 02-00-00-00-00-01
(6)           &Calling-Station-Id := 02-00-00-00-00-01
(6)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6)              --> 02:00:00:00:00:01
(6)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(6)         } # update request = noop
(6)         [updated] = updated
(6)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy rewrite_calling_station_id = updated
(6)     if (Service-Type == Call-Check) {
(6)     if (Service-Type == Call-Check)  -> FALSE
(6)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(6)     EXPAND Packet-Src-IP-Address
(6)        --> 127.0.0.1
(6)     EXPAND Packet-Src-IP-Address
(6)        --> 127.0.0.1
(6)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(6)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(6)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(6)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(6)       if (EAP-Message) {
(6)       if (EAP-Message)  -> TRUE
(6)       if (EAP-Message)  {
(6)         policy filter_username {
(6)           if (&User-Name) {
(6)           if (&User-Name)  -> TRUE
(6)           if (&User-Name)  {
(6)             if (&User-Name =~ / /) {
(6)             if (&User-Name =~ / /)  -> FALSE
(6)             if (&User-Name =~ /@[^@]*@/ ) {
(6)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)             if (&User-Name =~ /\.\./ ) {
(6)             if (&User-Name =~ /\.\./ )  -> FALSE
(6)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)             if (&User-Name =~ /\.$/)  {
(6)             if (&User-Name =~ /\.$/)   -> FALSE
(6)             if (&User-Name =~ /@\./)  {
(6)             if (&User-Name =~ /@\./)   -> FALSE
(6)           } # if (&User-Name)  = updated
(6)         } # policy filter_username = updated
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(6) suffix: Found realm "EXAMPLE.COM"
(6) suffix: Adding Realm = "EXAMPLE.COM"
(6) suffix: Authentication realm is LOCAL
(6)         [suffix] = ok
(6)         policy deny_no_realm {
(6)           if (User-Name && (User-Name !~ /@/)) {
(6)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(6)         } # policy deny_no_realm = updated
(6)         update request {
(6)           EXPAND %{toupper:%{Realm}}
(6)              --> EXAMPLE.COM
(6)           Realm := EXAMPLE.COM
(6)         } # update request = noop
(6) eap: Peer sent EAP Response (code 2) ID 208 length 136
(6) eap: Continuing tunnel setup
(6)         [eap] = ok
(6)       } # if (EAP-Message)  = ok
(6)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(6)   } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Auth-Type eap {
(6) eap: Removing EAP session with state 0xd7951377d2450ac5
(6) eap: Previous EAP request found for state 0xd7951377d2450ac5, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(6) eap_peap: (TLS) EAP Got all data (126 bytes)
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(6) eap_peap: (TLS) PEAP - Connection Established
(6) eap_peap:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap:   TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 209 length 57
(6) eap: EAP session adding &reply:State = 0xd7951377d1440ac5
(6)     [eap] = handled
(6)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(6)     EXPAND Response-Packet-Type
(6)        --> Access-Challenge
(6)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(6)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(6) attr_filter.access_challenge: EXPAND %{User-Name}
(6) attr_filter.access_challenge:    --> anonymous@example.com
(6) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(6)       [attr_filter.access_challenge.post-auth] = updated
(6)       [handled] = handled
(6)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(6)   } # Auth-Type eap = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) session-state: Saving cached attributes
(6)   Framed-MTU = 1014
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(6)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:51983 length 115
(6)   EAP-Message = 0x01d1003919001403030001011603030028d08871868b3bffb640e6728735837752ba623d50f6893d4fc7b7af7d4efd7bcaf2ca8ac6bb7a0f43
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xd7951377d1440ac5141f11c810ce92e5
(6) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 7, (2 handled so far)
(7) Received Access-Request Id 7 from 127.0.0.1:51983 to 127.0.0.1:1812 length 178
(7)   User-Name = "anonymous@example.com"
(7)   NAS-IP-Address = 127.0.0.1
(7)   Calling-Station-Id = "02-00-00-00-00-01"
(7)   Framed-MTU = 1400
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Connect-Info = "CONNECT 11Mbps 802.11b"
(7)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(7)   EAP-Message = 0x02d100061900
(7)   State = 0xd7951377d1440ac5141f11c810ce92e5
(7)   Message-Authenticator = 0xb9a9d7c2cba7afd51165bed1a9850eae
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 1014
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7)   authorize {
(7)     policy rewrite_called_station_id {
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(7)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(7)         update request {
(7)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7)              --> 11-22-33-44-55-66
(7)           &Called-Station-Id := 11-22-33-44-55-66
(7)         } # update request = noop
(7)         if ("%{8}") {
(7)         EXPAND %{8}
(7)            --> eduroam
(7)         if ("%{8}")  -> TRUE
(7)         if ("%{8}")  {
(7)           update request {
(7)             EXPAND %{8}
(7)                --> eduroam
(7)             &Called-Station-SSID := eduroam
(7)             EXPAND %{Called-Station-Id}:%{8}
(7)                --> 11-22-33-44-55-66:eduroam
(7)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(7)           } # update request = noop
(7)         } # if ("%{8}")  = noop
(7)         [updated] = updated
(7)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy rewrite_called_station_id = updated
(7)     policy rewrite_calling_station_id {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(7)         update request {
(7)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7)              --> 02-00-00-00-00-01
(7)           &Calling-Station-Id := 02-00-00-00-00-01
(7)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7)              --> 02:00:00:00:00:01
(7)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(7)         } # update request = noop
(7)         [updated] = updated
(7)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy rewrite_calling_station_id = updated
(7)     if (Service-Type == Call-Check) {
(7)     if (Service-Type == Call-Check)  -> FALSE
(7)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(7)     EXPAND Packet-Src-IP-Address
(7)        --> 127.0.0.1
(7)     EXPAND Packet-Src-IP-Address
(7)        --> 127.0.0.1
(7)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(7)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(7)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(7)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(7)       if (EAP-Message) {
(7)       if (EAP-Message)  -> TRUE
(7)       if (EAP-Message)  {
(7)         policy filter_username {
(7)           if (&User-Name) {
(7)           if (&User-Name)  -> TRUE
(7)           if (&User-Name)  {
(7)             if (&User-Name =~ / /) {
(7)             if (&User-Name =~ / /)  -> FALSE
(7)             if (&User-Name =~ /@[^@]*@/ ) {
(7)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)             if (&User-Name =~ /\.\./ ) {
(7)             if (&User-Name =~ /\.\./ )  -> FALSE
(7)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)             if (&User-Name =~ /\.$/)  {
(7)             if (&User-Name =~ /\.$/)   -> FALSE
(7)             if (&User-Name =~ /@\./)  {
(7)             if (&User-Name =~ /@\./)   -> FALSE
(7)           } # if (&User-Name)  = updated
(7)         } # policy filter_username = updated
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(7) suffix: Found realm "EXAMPLE.COM"
(7) suffix: Adding Realm = "EXAMPLE.COM"
(7) suffix: Authentication realm is LOCAL
(7)         [suffix] = ok
(7)         policy deny_no_realm {
(7)           if (User-Name && (User-Name !~ /@/)) {
(7)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(7)         } # policy deny_no_realm = updated
(7)         update request {
(7)           EXPAND %{toupper:%{Realm}}
(7)              --> EXAMPLE.COM
(7)           Realm := EXAMPLE.COM
(7)         } # update request = noop
(7) eap: Peer sent EAP Response (code 2) ID 209 length 6
(7) eap: Continuing tunnel setup
(7)         [eap] = ok
(7)       } # if (EAP-Message)  = ok
(7)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7)   Auth-Type eap {
(7) eap: Removing EAP session with state 0xd7951377d1440ac5
(7) eap: Previous EAP request found for state 0xd7951377d1440ac5, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) Peer ACKed our handshake fragment.  handshake is finished
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 210 length 40
(7) eap: EAP session adding &reply:State = 0xd7951377d0470ac5
(7)     [eap] = handled
(7)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(7)     EXPAND Response-Packet-Type
(7)        --> Access-Challenge
(7)     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(7)     if (handled && (Response-Packet-Type == Access-Challenge))  {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge:    --> anonymous@example.com
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7)       [attr_filter.access_challenge.post-auth] = updated
(7)       [handled] = handled
(7)     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(7)   } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) session-state: Saving cached attributes
(7)   Framed-MTU = 1014
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:51983 length 98
(7)   EAP-Message = 0x01d200281900170303001dd08871868b3bffb7bbc2bed6ce68327f71572c0a5cabefeb22d06f5ae2
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xd7951377d0470ac5141f11c810ce92e5
(7) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 8, (2 handled so far)
(8) Received Access-Request Id 8 from 127.0.0.1:51983 to 127.0.0.1:1812 length 231
(8)   User-Name = "anonymous@example.com"
(8)   NAS-IP-Address = 127.0.0.1
(8)   Calling-Station-Id = "02-00-00-00-00-01"
(8)   Framed-MTU = 1400
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Connect-Info = "CONNECT 11Mbps 802.11b"
(8)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(8)   EAP-Message = 0x02d2003b19001703030030a0c35e6593757240eeb6e8507a8fe95476b2d592a8e730d86f4ff08f5749d37c2bc16b7b1a20a93a7c5affaeb24aea9b
(8)   State = 0xd7951377d0470ac5141f11c810ce92e5
(8)   Message-Authenticator = 0x039cdbc36148d08b6ec83e5e4217a9c9
(8) Restoring &session-state
(8)   &session-state:Framed-MTU = 1014
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8)   &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8)   authorize {
(8)     policy rewrite_called_station_id {
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(8)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(8)         update request {
(8)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8)              --> 11-22-33-44-55-66
(8)           &Called-Station-Id := 11-22-33-44-55-66
(8)         } # update request = noop
(8)         if ("%{8}") {
(8)         EXPAND %{8}
(8)            --> eduroam
(8)         if ("%{8}")  -> TRUE
(8)         if ("%{8}")  {
(8)           update request {
(8)             EXPAND %{8}
(8)                --> eduroam
(8)             &Called-Station-SSID := eduroam
(8)             EXPAND %{Called-Station-Id}:%{8}
(8)                --> 11-22-33-44-55-66:eduroam
(8)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(8)           } # update request = noop
(8)         } # if ("%{8}")  = noop
(8)         [updated] = updated
(8)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(8)       ... skipping else: Preceding "if" was taken
(8)     } # policy rewrite_called_station_id = updated
(8)     policy rewrite_calling_station_id {
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(8)         update request {
(8)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8)              --> 02-00-00-00-00-01
(8)           &Calling-Station-Id := 02-00-00-00-00-01
(8)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8)              --> 02:00:00:00:00:01
(8)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(8)         } # update request = noop
(8)         [updated] = updated
(8)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(8)       ... skipping else: Preceding "if" was taken
(8)     } # policy rewrite_calling_station_id = updated
(8)     if (Service-Type == Call-Check) {
(8)     if (Service-Type == Call-Check)  -> FALSE
(8)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(8)     EXPAND Packet-Src-IP-Address
(8)        --> 127.0.0.1
(8)     EXPAND Packet-Src-IP-Address
(8)        --> 127.0.0.1
(8)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(8)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(8)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(8)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(8)       if (EAP-Message) {
(8)       if (EAP-Message)  -> TRUE
(8)       if (EAP-Message)  {
(8)         policy filter_username {
(8)           if (&User-Name) {
(8)           if (&User-Name)  -> TRUE
(8)           if (&User-Name)  {
(8)             if (&User-Name =~ / /) {
(8)             if (&User-Name =~ / /)  -> FALSE
(8)             if (&User-Name =~ /@[^@]*@/ ) {
(8)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)             if (&User-Name =~ /\.\./ ) {
(8)             if (&User-Name =~ /\.\./ )  -> FALSE
(8)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)             if (&User-Name =~ /\.$/)  {
(8)             if (&User-Name =~ /\.$/)   -> FALSE
(8)             if (&User-Name =~ /@\./)  {
(8)             if (&User-Name =~ /@\./)   -> FALSE
(8)           } # if (&User-Name)  = updated
(8)         } # policy filter_username = updated
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(8) suffix: Found realm "EXAMPLE.COM"
(8) suffix: Adding Realm = "EXAMPLE.COM"
(8) suffix: Authentication realm is LOCAL
(8)         [suffix] = ok
(8)         policy deny_no_realm {
(8)           if (User-Name && (User-Name !~ /@/)) {
(8)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(8)         } # policy deny_no_realm = updated
(8)         update request {
(8)           EXPAND %{toupper:%{Realm}}
(8)              --> EXAMPLE.COM
(8)           Realm := EXAMPLE.COM
(8)         } # update request = noop
(8) eap: Peer sent EAP Response (code 2) ID 210 length 59
(8) eap: Continuing tunnel setup
(8)         [eap] = ok
(8)       } # if (EAP-Message)  = ok
(8)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(8)   } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   Auth-Type eap {
(8) eap: Removing EAP session with state 0xd7951377d0470ac5
(8) eap: Previous EAP request found for state 0xd7951377d0470ac5, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - testuser@example.com
(8) eap_peap: Got inner identity 'testuser@example.com'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368
(8) eap_peap: Setting User-Name to testuser@example.com
(8) eap_peap: Sending tunneled request to proxy-inner-tunnel
(8) eap_peap:   EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "testuser@example.com"
(8) eap_peap:   NAS-IP-Address = 127.0.0.1
(8) eap_peap:   Calling-Station-Id := "02-00-00-00-00-01"
(8) eap_peap:   Framed-MTU = 1400
(8) eap_peap:   NAS-Port-Type = Wireless-802.11
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Connect-Info = "CONNECT 11Mbps 802.11b"
(8) eap_peap:   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8) Virtual server proxy-inner-tunnel received request
(8)   EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "testuser@example.com"
(8)   NAS-IP-Address = 127.0.0.1
(8)   Calling-Station-Id := "02-00-00-00-00-01"
(8)   Framed-MTU = 1400
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Connect-Info = "CONNECT 11Mbps 802.11b"
(8)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8) server proxy-inner-tunnel {
(8)   # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(8)     authorize {
(8)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(8)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/)  -> FALSE
(8)       if (!NAS-Port-Type){
(8)       if (!NAS-Port-Type) -> FALSE
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         update {
(8)           &outer.session-state:locInner-User-Name := "overwritten@example.com"
(8)         } # update = noop
(8)       } # if (&User-Name)  = noop
(8)       update control {
(8)         &Proxy-To-Realm := REALM-NPS-DEV
(8)       } # update control = noop
(8)     } # authorize = noop
(8) } # server proxy-inner-tunnel
(8) Virtual server sending reply
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(8) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(8)     [eap] = handled
(8)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(8)     EXPAND Response-Packet-Type
(8)        -->
(8)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(8)   } # Auth-Type eap = handled
(8) Starting proxy to home server 1.2.3.4 port 1812
(8) server default {
(8)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(8)     pre-proxy {
(8) attr_filter.pre-proxy: EXPAND %{Realm}
(8) attr_filter.pre-proxy:    --> EXAMPLE.COM
(8) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(8)       [attr_filter.pre-proxy] = updated
(8)     } # pre-proxy = updated
(8) }
(8) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000
(8) Sent Access-Request Id 8 from 0.0.0.0:41928 to 1.2.3.4:1812 length 165
(8)   Operator-Name := "1example.com"
(8)   EAP-Message = 0x02d2001c0169645f726164696e66737461666640756e6962652e6368
(8)   User-Name = "testuser@example.com"
(8)   NAS-IP-Address = 127.0.0.1
(8)   Calling-Station-Id := "02-00-00-00-00-01"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8)   Message-Authenticator = 0x
(8)   Proxy-State = 0x38
Thread 3 waiting to be assigned a request
(8) Marking home server 1.2.3.4 port 1812 alive
Waking up in 0.2 seconds.
Thread 4 got semaphore
Thread 4 handling request 8, (2 handled so far)
(8) Clearing existing &reply: attributes
(8) Received Access-Challenge Id 8 from 1.2.3.4:1812 to 130.92.10.33:41928 length 126
(8)   Message-Authenticator = 0x4a97c2d8c5105a0a1b32d305769d6e44
(8)   Proxy-State = 0x38
(8)   Session-Timeout = 60
(8)   EAP-Message = 0x01d300271a01d300221080a64f5e68bbed2e8c546c3d33d9ebf44141492d4e50532d4544555632
(8)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(8) server default {
(8)   # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(8)     post-proxy {
(8)       if (&session-state:locInner-User-Name) {
(8)       if (&session-state:locInner-User-Name)  -> TRUE
(8)       if (&session-state:locInner-User-Name)  {
(8)         update reply {
(8)           EXPAND %{session-state:locInner-User-Name}
(8)              --> overwritten@example.com
(8)           User-Name := overwritten@example.com
(8)         } # update reply = noop
(8)       } # if (&session-state:locInner-User-Name)  = noop
(8) attr_filter.post-proxy: EXPAND %{Realm}
(8) attr_filter.post-proxy:    --> EXAMPLE.COM
(8) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(8)       [attr_filter.post-proxy] = updated
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel
(8) eap: Got tunneled reply RADIUS code 11
(8) eap:   Tunnel-Type := VLAN
(8) eap:   Tunnel-Medium-Type := IEEE-802
(8) eap:   Message-Authenticator = 0x4a97c2d8c5105a0a1b32d305769d6e44
(8) eap:   Proxy-State = 0x38
(8) eap:   EAP-Message = 0x01d300271a01d300221080a64f5e68bbed2e8c546c3d33d9ebf44141492d4e50532d4544555632
(8) eap:   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(8) eap: Got tunneled Access-Challenge
(8) eap: Reply was handled
(8) eap: Sending EAP Request (code 1) ID 211 length 70
(8) eap: EAP session adding &reply:State = 0xd7951377df460ac5
(8)       [eap] = ok
(8)     } # post-proxy = updated
(8) }
(8) session-state: Saving cached attributes
(8)   Framed-MTU = 1014
(8)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8)   TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8)   TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   locInner-User-Name := "overwritten@example.com"
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:51983 length 150
(8)   User-Name := "overwritten@example.com"
(8)   EAP-Message = 0x01d300461900170303003bd08871868b3bffb8898d17a0f67bee71192351814e45d330c2d4fdf93134401cabff44a6f3c2d4f97562ef73dc0609e7b1c4ff74a2b44e4a2863cf
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xd7951377df460ac5141f11c810ce92e5
(8) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 5 got semaphore
Thread 5 handling request 9, (3 handled so far)
(9) Received Access-Request Id 9 from 127.0.0.1:51983 to 127.0.0.1:1812 length 285
(9)   User-Name = "anonymous@example.com"
(9)   NAS-IP-Address = 127.0.0.1
(9)   Calling-Station-Id = "02-00-00-00-00-01"
(9)   Framed-MTU = 1400
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(9)   EAP-Message = 0x02d3007119001703030066a0c35e6593757241d3554722e6c7f69584c67010f08f501367355e0643178f963092b1d1aadacac4dc657416eb2eff4d4c5f95bbf77f57c2e555ba8aaf81312d5d520f70391c810abb19a35894fbc828587c6dab71a5da723ce0c4c29b10341296d6ceca2ab0
(9)   State = 0xd7951377df460ac5141f11c810ce92e5
(9)   Message-Authenticator = 0x56297f0c514ed4ed1376686dfebebf59
(9) session-state: No cached attributes
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9)   authorize {
(9)     policy rewrite_called_station_id {
(9)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(9)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(9)         update request {
(9)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9)              --> 11-22-33-44-55-66
(9)           &Called-Station-Id := 11-22-33-44-55-66
(9)         } # update request = noop
(9)         if ("%{8}") {
(9)         EXPAND %{8}
(9)            --> eduroam
(9)         if ("%{8}")  -> TRUE
(9)         if ("%{8}")  {
(9)           update request {
(9)             EXPAND %{8}
(9)                --> eduroam
(9)             &Called-Station-SSID := eduroam
(9)             EXPAND %{Called-Station-Id}:%{8}
(9)                --> 11-22-33-44-55-66:eduroam
(9)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(9)           } # update request = noop
(9)         } # if ("%{8}")  = noop
(9)         [updated] = updated
(9)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(9)       ... skipping else: Preceding "if" was taken
(9)     } # policy rewrite_called_station_id = updated
(9)     policy rewrite_calling_station_id {
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(9)         update request {
(9)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9)              --> 02-00-00-00-00-01
(9)           &Calling-Station-Id := 02-00-00-00-00-01
(9)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9)              --> 02:00:00:00:00:01
(9)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(9)         } # update request = noop
(9)         [updated] = updated
(9)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(9)       ... skipping else: Preceding "if" was taken
(9)     } # policy rewrite_calling_station_id = updated
(9)     if (Service-Type == Call-Check) {
(9)     if (Service-Type == Call-Check)  -> FALSE
(9)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(9)     EXPAND Packet-Src-IP-Address
(9)        --> 127.0.0.1
(9)     EXPAND Packet-Src-IP-Address
(9)        --> 127.0.0.1
(9)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(9)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(9)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(9)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(9)       if (EAP-Message) {
(9)       if (EAP-Message)  -> TRUE
(9)       if (EAP-Message)  {
(9)         policy filter_username {
(9)           if (&User-Name) {
(9)           if (&User-Name)  -> TRUE
(9)           if (&User-Name)  {
(9)             if (&User-Name =~ / /) {
(9)             if (&User-Name =~ / /)  -> FALSE
(9)             if (&User-Name =~ /@[^@]*@/ ) {
(9)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)             if (&User-Name =~ /\.\./ ) {
(9)             if (&User-Name =~ /\.\./ )  -> FALSE
(9)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)             if (&User-Name =~ /\.$/)  {
(9)             if (&User-Name =~ /\.$/)   -> FALSE
(9)             if (&User-Name =~ /@\./)  {
(9)             if (&User-Name =~ /@\./)   -> FALSE
(9)           } # if (&User-Name)  = updated
(9)         } # policy filter_username = updated
(9) suffix: Checking for suffix after "@"
(9) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(9) suffix: Found realm "EXAMPLE.COM"
(9) suffix: Adding Realm = "EXAMPLE.COM"
(9) suffix: Authentication realm is LOCAL
(9)         [suffix] = ok
(9)         policy deny_no_realm {
(9)           if (User-Name && (User-Name !~ /@/)) {
(9)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(9)         } # policy deny_no_realm = updated
(9)         update request {
(9)           EXPAND %{toupper:%{Realm}}
(9)              --> EXAMPLE.COM
(9)           Realm := EXAMPLE.COM
(9)         } # update request = noop
(9) eap: Peer sent EAP Response (code 2) ID 211 length 113
(9) eap: Continuing tunnel setup
(9)         [eap] = ok
(9)       } # if (EAP-Message)  = ok
(9)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(9)   } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   Auth-Type eap {
(9) eap: Removing EAP session with state 0xd7951377df460ac5
(9) eap: Previous EAP request found for state 0xd7951377df460ac5, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368
(9) eap_peap: Setting User-Name to testuser@example.com
(9) eap_peap: Sending tunneled request to proxy-inner-tunnel
(9) eap_peap:   EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = "testuser@example.com"
(9) eap_peap:   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(9) eap_peap:   NAS-IP-Address = 127.0.0.1
(9) eap_peap:   Calling-Station-Id := "02-00-00-00-00-01"
(9) eap_peap:   Framed-MTU = 1400
(9) eap_peap:   NAS-Port-Type = Wireless-802.11
(9) eap_peap:   Service-Type = Framed-User
(9) eap_peap:   Connect-Info = "CONNECT 11Mbps 802.11b"
(9) eap_peap:   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9) Virtual server proxy-inner-tunnel received request
(9)   EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = "testuser@example.com"
(9)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(9)   NAS-IP-Address = 127.0.0.1
(9)   Calling-Station-Id := "02-00-00-00-00-01"
(9)   Framed-MTU = 1400
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9) server proxy-inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(9)     authorize {
(9)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(9)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/)  -> FALSE
(9)       if (!NAS-Port-Type){
(9)       if (!NAS-Port-Type) -> FALSE
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         update {
(9)           &outer.session-state:locInner-User-Name := "overwritten@example.com"
(9)         } # update = noop
(9)       } # if (&User-Name)  = noop
(9)       update control {
(9)         &Proxy-To-Realm := REALM-NPS-DEV
(9)       } # update control = noop
(9)     } # authorize = noop
(9) } # server proxy-inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(9) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(9)     [eap] = handled
(9)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(9)     EXPAND Response-Packet-Type
(9)        -->
(9)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(9)   } # Auth-Type eap = handled
(9) Starting proxy to home server 1.2.3.4 port 1812
(9) server default {
(9)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(9)     pre-proxy {
(9) attr_filter.pre-proxy: EXPAND %{Realm}
(9) attr_filter.pre-proxy:    --> EXAMPLE.COM
(9) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(9)       [attr_filter.pre-proxy] = updated
(9)     } # pre-proxy = updated
(9) }
(9) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000
(9) Sent Access-Request Id 9 from 0.0.0.0:41928 to 1.2.3.4:1812 length 257
(9)   Operator-Name := "1example.com"
(9)   EAP-Message = 0x02d300521a02d3004d31c32ac4a7733d52b8a3b9e89cedcc69cc00000000000000002442d9b6b5db9a4b86c1d4fbd4859b2fecf1d533e437bdd20069645f726164696e66737461666640756e6962652e6368
(9)   User-Name = "testuser@example.com"
(9)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(9)   NAS-IP-Address = 127.0.0.1
(9)   Calling-Station-Id := "02-00-00-00-00-01"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9)   Message-Authenticator = 0x
(9)   Proxy-State = 0x39
Thread 5 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 2 got semaphore
Thread 2 handling request 9, (3 handled so far)
(9) Clearing existing &reply: attributes
(9) Received Access-Challenge Id 9 from 1.2.3.4:1812 to 130.92.10.33:41928 length 138
(9)   Message-Authenticator = 0x1028f60eb9d66a0b41cbdf79d64a7521
(9)   Proxy-State = 0x39
(9)   Session-Timeout = 60
(9)   EAP-Message = 0x01d400331a03d3002e533d41344544444533414142453541433645354245453243393935333033464146363942463138383244
(9)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(9) server default {
(9)   # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(9)     post-proxy {
(9)       if (&session-state:locInner-User-Name) {
(9)       if (&session-state:locInner-User-Name)  -> TRUE
(9)       if (&session-state:locInner-User-Name)  {
(9)         update reply {
(9)           EXPAND %{session-state:locInner-User-Name}
(9)              --> overwritten@example.com
(9)           User-Name := overwritten@example.com
(9)         } # update reply = noop
(9)       } # if (&session-state:locInner-User-Name)  = noop
(9) attr_filter.post-proxy: EXPAND %{Realm}
(9) attr_filter.post-proxy:    --> EXAMPLE.COM
(9) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(9)       [attr_filter.post-proxy] = updated
(9) eap: Doing post-proxy callback
(9) eap: Passing reply from proxy back into the tunnel
(9) eap: Got tunneled reply RADIUS code 11
(9) eap:   Tunnel-Type := VLAN
(9) eap:   Tunnel-Medium-Type := IEEE-802
(9) eap:   Message-Authenticator = 0x1028f60eb9d66a0b41cbdf79d64a7521
(9) eap:   Proxy-State = 0x39
(9) eap:   EAP-Message = 0x01d400331a03d3002e533d41344544444533414142453541433645354245453243393935333033464146363942463138383244
(9) eap:   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(9) eap: Got tunneled Access-Challenge
(9) eap: Reply was handled
(9) eap: Sending EAP Request (code 1) ID 212 length 82
(9) eap: EAP session adding &reply:State = 0xd7951377de410ac5
(9)       [eap] = ok
(9)     } # post-proxy = updated
(9) }
(9) session-state: Saving cached attributes
(9)   locInner-User-Name := "overwritten@example.com"
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found.  Ignoring.
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:51983 length 162
(9)   User-Name := "overwritten@example.com"
(9)   EAP-Message = 0x01d4005219001703030047d08871868b3bffb936ed24a5eaa21c60c25f876fffb9062133a55a5be1ec394155ee3eba9e85fd2aab9843b2ba06657093c2fd4e9300a294a3904150691cd79e497180ed7df574
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0xd7951377de410ac5141f11c810ce92e5
(9) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 1 got semaphore
Thread 1 handling request 10, (3 handled so far)
(10) Received Access-Request Id 10 from 127.0.0.1:51983 to 127.0.0.1:1812 length 209
(10)   User-Name = "anonymous@example.com"
(10)   NAS-IP-Address = 127.0.0.1
(10)   Calling-Station-Id = "02-00-00-00-00-01"
(10)   Framed-MTU = 1400
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   Connect-Info = "CONNECT 11Mbps 802.11b"
(10)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(10)   EAP-Message = 0x02d400251900170303001aa0c35e65937572427f15529a5d3471616022201d08ed5df09dea
(10)   State = 0xd7951377de410ac5141f11c810ce92e5
(10)   Message-Authenticator = 0x0ceccd37f46dbf5e5c3b841abb622626
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10)   authorize {
(10)     policy rewrite_called_station_id {
(10)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(10)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(10)         update request {
(10)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10)              --> 11-22-33-44-55-66
(10)           &Called-Station-Id := 11-22-33-44-55-66
(10)         } # update request = noop
(10)         if ("%{8}") {
(10)         EXPAND %{8}
(10)            --> eduroam
(10)         if ("%{8}")  -> TRUE
(10)         if ("%{8}")  {
(10)           update request {
(10)             EXPAND %{8}
(10)                --> eduroam
(10)             &Called-Station-SSID := eduroam
(10)             EXPAND %{Called-Station-Id}:%{8}
(10)                --> 11-22-33-44-55-66:eduroam
(10)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(10)           } # update request = noop
(10)         } # if ("%{8}")  = noop
(10)         [updated] = updated
(10)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(10)       ... skipping else: Preceding "if" was taken
(10)     } # policy rewrite_called_station_id = updated
(10)     policy rewrite_calling_station_id {
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(10)         update request {
(10)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10)              --> 02-00-00-00-00-01
(10)           &Calling-Station-Id := 02-00-00-00-00-01
(10)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10)              --> 02:00:00:00:00:01
(10)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(10)         } # update request = noop
(10)         [updated] = updated
(10)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(10)       ... skipping else: Preceding "if" was taken
(10)     } # policy rewrite_calling_station_id = updated
(10)     if (Service-Type == Call-Check) {
(10)     if (Service-Type == Call-Check)  -> FALSE
(10)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(10)     EXPAND Packet-Src-IP-Address
(10)        --> 127.0.0.1
(10)     EXPAND Packet-Src-IP-Address
(10)        --> 127.0.0.1
(10)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(10)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(10)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(10)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(10)       if (EAP-Message) {
(10)       if (EAP-Message)  -> TRUE
(10)       if (EAP-Message)  {
(10)         policy filter_username {
(10)           if (&User-Name) {
(10)           if (&User-Name)  -> TRUE
(10)           if (&User-Name)  {
(10)             if (&User-Name =~ / /) {
(10)             if (&User-Name =~ / /)  -> FALSE
(10)             if (&User-Name =~ /@[^@]*@/ ) {
(10)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)             if (&User-Name =~ /\.\./ ) {
(10)             if (&User-Name =~ /\.\./ )  -> FALSE
(10)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)             if (&User-Name =~ /\.$/)  {
(10)             if (&User-Name =~ /\.$/)   -> FALSE
(10)             if (&User-Name =~ /@\./)  {
(10)             if (&User-Name =~ /@\./)   -> FALSE
(10)           } # if (&User-Name)  = updated
(10)         } # policy filter_username = updated
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(10) suffix: Found realm "EXAMPLE.COM"
(10) suffix: Adding Realm = "EXAMPLE.COM"
(10) suffix: Authentication realm is LOCAL
(10)         [suffix] = ok
(10)         policy deny_no_realm {
(10)           if (User-Name && (User-Name !~ /@/)) {
(10)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(10)         } # policy deny_no_realm = updated
(10)         update request {
(10)           EXPAND %{toupper:%{Realm}}
(10)              --> EXAMPLE.COM
(10)           Realm := EXAMPLE.COM
(10)         } # update request = noop
(10) eap: Peer sent EAP Response (code 2) ID 212 length 37
(10) eap: Continuing tunnel setup
(10)         [eap] = ok
(10)       } # if (EAP-Message)  = ok
(10)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(10)   } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10)   Auth-Type eap {
(10) eap: Removing EAP session with state 0xd7951377de410ac5
(10) eap: Previous EAP request found for state 0xd7951377de410ac5, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: (TLS) EAP Done initial handshake
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap:   EAP-Message = 0x02d400061a03
(10) eap_peap: Setting User-Name to testuser@example.com
(10) eap_peap: Sending tunneled request to proxy-inner-tunnel
(10) eap_peap:   EAP-Message = 0x02d400061a03
(10) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap:   User-Name = "testuser@example.com"
(10) eap_peap:   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(10) eap_peap:   NAS-IP-Address = 127.0.0.1
(10) eap_peap:   Calling-Station-Id := "02-00-00-00-00-01"
(10) eap_peap:   Framed-MTU = 1400
(10) eap_peap:   NAS-Port-Type = Wireless-802.11
(10) eap_peap:   Service-Type = Framed-User
(10) eap_peap:   Connect-Info = "CONNECT 11Mbps 802.11b"
(10) eap_peap:   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10) Virtual server proxy-inner-tunnel received request
(10)   EAP-Message = 0x02d400061a03
(10)   FreeRADIUS-Proxied-To = 127.0.0.1
(10)   User-Name = "testuser@example.com"
(10)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(10)   NAS-IP-Address = 127.0.0.1
(10)   Calling-Station-Id := "02-00-00-00-00-01"
(10)   Framed-MTU = 1400
(10)   NAS-Port-Type = Wireless-802.11
(10)   Service-Type = Framed-User
(10)   Connect-Info = "CONNECT 11Mbps 802.11b"
(10)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10) server proxy-inner-tunnel {
(10)   session-state: No cached attributes
(10)   # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(10)     authorize {
(10)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(10)       if (User-Name !~ /^([\w-.]{1,}\.[\w-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/)  -> FALSE
(10)       if (!NAS-Port-Type){
(10)       if (!NAS-Port-Type) -> FALSE
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         update {
(10)           &outer.session-state:locInner-User-Name := "overwritten@example.com"
(10)         } # update = noop
(10)       } # if (&User-Name)  = noop
(10)       update control {
(10)         &Proxy-To-Realm := REALM-NPS-DEV
(10)       } # update control = noop
(10)     } # authorize = noop
(10) } # server proxy-inner-tunnel
(10) Virtual server sending reply
(10) eap_peap: Got tunneled reply code 0
(10) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(10) eap: WARNING: Tunneled session will be proxied.  Not doing EAP
(10)     [eap] = handled
(10)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(10)     EXPAND Response-Packet-Type
(10)        -->
(10)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(10)   } # Auth-Type eap = handled
(10) Starting proxy to home server 1.2.3.4 port 1812
(10) server default {
(10)   # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(10)     pre-proxy {
(10) attr_filter.pre-proxy: EXPAND %{Realm}
(10) attr_filter.pre-proxy:    --> EXAMPLE.COM
(10) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(10)       [attr_filter.pre-proxy] = updated
(10)     } # pre-proxy = updated
(10) }
(10) Proxying request to home server 1.2.3.4 port 1812 timeout 20.000000
(10) Sent Access-Request Id 10 from 0.0.0.0:41928 to 1.2.3.4:1812 length 182
(10)   Operator-Name := "1example.com"
(10)   EAP-Message = 0x02d400061a03
(10)   User-Name = "testuser@example.com"
(10)   State = 0x239c03850000013700010200825c0e1b0000000000000000000000000000000426d28db9
(10)   NAS-IP-Address = 127.0.0.1
(10)   Calling-Station-Id := "02-00-00-00-00-01"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10)   Message-Authenticator = 0x
(10)   Proxy-State = 0x3130
Thread 1 waiting to be assigned a request
Thread 3 got semaphore
Thread 3 handling request 10, (3 handled so far)
(10) Clearing existing &reply: attributes
Waking up in 0.2 seconds.
(10) Received Access-Accept Id 10 from 1.2.3.4:1812 to 130.92.10.33:41928 length 288
(10)   Message-Authenticator = 0x795ada91d9ec4181b5702670e0bcdc09
(10)   Proxy-State = 0x3130
(10)   Class = 0x7374616666
(10)   Filter-Id = "staff"
(10)   Framed-Protocol = PPP
(10)   Service-Type = Framed-User
(10)   Tunnel-Medium-Type:0 = IEEE-802
(10)   Tunnel-Private-Group-Id:0 = "1874"
(10)   Tunnel-Type:0 = VLAN
(10)   EAP-Message = 0x03d40004
(10)   Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(10)   MS-CHAP-Domain = "\001CAMPUS"
(10)   MS-MPPE-Send-Key = 0xc654f28aee914809685418249aba76f7
(10)   MS-MPPE-Recv-Key = 0x68315c4f74c4f699d0750567dd9f24b4
(10)   MS-CHAP2-Success = 0x01533d41344544444533414142453541433645354245453243393935333033464146363942463138383244
(10) server default {
(10)   # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(10)     post-proxy {
(10)       if (&session-state:locInner-User-Name) {
(10)       if (&session-state:locInner-User-Name)  -> TRUE
(10)       if (&session-state:locInner-User-Name)  {
(10)         update reply {
(10)           EXPAND %{session-state:locInner-User-Name}
(10)              --> overwritten@example.com
(10)           User-Name := overwritten@example.com
(10)         } # update reply = noop
(10)       } # if (&session-state:locInner-User-Name)  = noop
(10) attr_filter.post-proxy: EXPAND %{Realm}
(10) attr_filter.post-proxy:    --> EXAMPLE.COM
(10) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(10)       [attr_filter.post-proxy] = updated
(10) eap: Doing post-proxy callback
(10) eap: Passing reply from proxy back into the tunnel
(10) eap: Got tunneled reply RADIUS code 2
(10) eap:   Tunnel-Type := VLAN
(10) eap:   Tunnel-Medium-Type := IEEE-802
(10) eap:   Message-Authenticator = 0x795ada91d9ec4181b5702670e0bcdc09
(10) eap:   Proxy-State = 0x3130
(10) eap:   Class = 0x7374616666
(10) eap:   Filter-Id = "staff"
(10) eap:   Tunnel-Private-Group-Id:0 = "1874"
(10) eap:   EAP-Message = 0x03d40004
(10) eap:   Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(10) eap:   MS-MPPE-Send-Key = 0xc654f28aee914809685418249aba76f7
(10) eap:   MS-MPPE-Recv-Key = 0x68315c4f74c4f699d0750567dd9f24b4
(10) eap: Tunneled authentication was successful
(10) eap: SUCCESS
(10) eap: Saving tunneled attributes for later
(10) eap: Reply was handled
(10) eap: Sending EAP Request (code 1) ID 213 length 46
(10) eap: EAP session adding &reply:State = 0xd7951377dd400ac5
(10)       [eap] = ok
(10)     } # post-proxy = updated
(10) }
(10) session-state: Saving cached attributes
(10)   locInner-User-Name := "overwritten@example.com"
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found.  Ignoring.
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) Sent Access-Challenge Id 10 from 127.0.0.1:1812 to 127.0.0.1:51983 length 126
(10)   User-Name := "overwritten@example.com"
(10)   EAP-Message = 0x01d5002e19001703030023d08871868b3bffba3aeb9f54843f450a8efea94c3d8831971b58e905a7825e996795d8
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   State = 0xd7951377dd400ac5141f11c810ce92e5
(10) Finished request
Thread 3 waiting to be assigned a request
Thread 4 got semaphore
Thread 4 handling request 11, (3 handled so far)
(11) Received Access-Request Id 11 from 127.0.0.1:51983 to 127.0.0.1:1812 length 218
(11)   User-Name = "anonymous@example.com"
(11)   NAS-IP-Address = 127.0.0.1
(11)   Calling-Station-Id = "02-00-00-00-00-01"
Waking up in 0.2 seconds.
(11)   Framed-MTU = 1400
(11)   NAS-Port-Type = Wireless-802.11
(11)   Service-Type = Framed-User
(11)   Connect-Info = "CONNECT 11Mbps 802.11b"
(11)   Called-Station-Id = "11-22-33-44-55-66:eduroam"
(11)   EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6
(11)   State = 0xd7951377dd400ac5141f11c810ce92e5
(11)   Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(11)   authorize {
(11)     policy rewrite_called_station_id {
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  -> TRUE
(11)       if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  {
(11)         update request {
(11)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11)              --> 11-22-33-44-55-66
(11)           &Called-Station-Id := 11-22-33-44-55-66
(11)         } # update request = noop
(11)         if ("%{8}") {
(11)         EXPAND %{8}
(11)            --> eduroam
(11)         if ("%{8}")  -> TRUE
(11)         if ("%{8}")  {
(11)           update request {
(11)             EXPAND %{8}
(11)                --> eduroam
(11)             &Called-Station-SSID := eduroam
(11)             EXPAND %{Called-Station-Id}:%{8}
(11)                --> 11-22-33-44-55-66:eduroam
(11)             &Called-Station-Id := 11-22-33-44-55-66:eduroam
(11)           } # update request = noop
(11)         } # if ("%{8}")  = noop
(11)         [updated] = updated
(11)       } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i))  = updated
(11)       ... skipping else: Preceding "if" was taken
(11)     } # policy rewrite_called_station_id = updated
(11)     policy rewrite_calling_station_id {
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(11)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(11)         update request {
(11)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11)              --> 02-00-00-00-00-01
(11)           &Calling-Station-Id := 02-00-00-00-00-01
(11)           EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11)              --> 02:00:00:00:00:01
(11)           &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(11)         } # update request = noop
(11)         [updated] = updated
(11)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(11)       ... skipping else: Preceding "if" was taken
(11)     } # policy rewrite_calling_station_id = updated
(11)     if (Service-Type == Call-Check) {
(11)     if (Service-Type == Call-Check)  -> FALSE
(11)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(11)     EXPAND Packet-Src-IP-Address
(11)        --> 127.0.0.1
(11)     EXPAND Packet-Src-IP-Address
(11)        --> 127.0.0.1
(11)     if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25)  -> FALSE
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  -> TRUE
(11)     if (NAS-Port-Type =~ /Wireless-802\.11/i)  {
(11)       if (EAP-Message) {
(11)       if (EAP-Message)  -> TRUE
(11)       if (EAP-Message)  {
(11)         policy filter_username {
(11)           if (&User-Name) {
(11)           if (&User-Name)  -> TRUE
(11)           if (&User-Name)  {
(11)             if (&User-Name =~ / /) {
(11)             if (&User-Name =~ / /)  -> FALSE
(11)             if (&User-Name =~ /@[^@]*@/ ) {
(11)             if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)             if (&User-Name =~ /\.\./ ) {
(11)             if (&User-Name =~ /\.\./ )  -> FALSE
(11)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)             if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11)             if (&User-Name =~ /\.$/)  {
(11)             if (&User-Name =~ /\.$/)   -> FALSE
(11)             if (&User-Name =~ /@\./)  {
(11)             if (&User-Name =~ /@\./)   -> FALSE
(11)           } # if (&User-Name)  = updated
(11)         } # policy filter_username = updated
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(11) suffix: Found realm "EXAMPLE.COM"
(11) suffix: Adding Realm = "EXAMPLE.COM"
(11) suffix: Authentication realm is LOCAL
(11)         [suffix] = ok
(11)         policy deny_no_realm {
(11)           if (User-Name && (User-Name !~ /@/)) {
(11)           if (User-Name && (User-Name !~ /@/))  -> FALSE
(11)         } # policy deny_no_realm = updated
(11)         update request {
(11)           EXPAND %{toupper:%{Realm}}
(11)              --> EXAMPLE.COM
(11)           Realm := EXAMPLE.COM
(11)         } # update request = noop
(11) eap: Peer sent EAP Response (code 2) ID 213 length 46
(11) eap: Continuing tunnel setup
(11)         [eap] = ok
(11)       } # if (EAP-Message)  = ok
(11)     } # if (NAS-Port-Type =~ /Wireless-802\.11/i)  = ok
(11)   } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/sites-enabled/default
(11)   Auth-Type eap {
(11) eap: Removing EAP session with state 0xd7951377dd400ac5
(11) eap: Previous EAP request found for state 0xd7951377dd400ac5, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) EAP Done initial handshake
(11) eap_peap: Session established.  Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap:   Tunnel-Type := VLAN
(11) eap_peap:   Tunnel-Medium-Type := IEEE-802
(11) eap_peap:   Class = 0x7374616666
(11) eap_peap:   Filter-Id = "staff"
(11) eap_peap:   Tunnel-Private-Group-Id:0 = "1874"
(11) eap_peap:   Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(11) eap: Sending EAP Success (code 3) ID 213 length 4
(11) eap: Freeing handler
(11)     [eap] = ok
(11)     if (handled && (Response-Packet-Type == Access-Challenge)) {
(11)     if (handled && (Response-Packet-Type == Access-Challenge))  -> FALSE
(11)   } # Auth-Type eap = ok
(11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(11)   post-auth {
(11)     policy debug_all {
(11)       policy debug_control {
(11)         if ("%{debug_attr:control:}" == '') {
(11)         Attributes matching "control:"
(11)           &control:Auth-Type = eap
(11)         EXPAND %{debug_attr:control:}
(11)            -->
(11)         if ("%{debug_attr:control:}" == '')  -> TRUE
(11)         if ("%{debug_attr:control:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:control:}" == '')  = noop
(11)       } # policy debug_control = noop
(11)       policy debug_request {
(11)         if ("%{debug_attr:request:}" == '') {
(11)         Attributes matching "request:"
(11)           &request:User-Name = anonymous@example.com
(11)           &request:NAS-IP-Address = 127.0.0.1
(11)           &request:Calling-Station-Id := 02-00-00-00-00-01
(11)           &request:Framed-MTU = 1400
(11)           &request:NAS-Port-Type = Wireless-802.11
(11)           &request:Service-Type = Framed-User
(11)           &request:Connect-Info = CONNECT 11Mbps 802.11b
(11)           &request:Called-Station-Id := 11-22-33-44-55-66:eduroam
(11)           &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6
(11)           &request:State = 0xd7951377dd400ac5141f11c810ce92e5
(11)           &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc
(11)           &request:Called-Station-SSID := eduroam
(11)           &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(11)           &request:Realm := EXAMPLE.COM
(11)           &request:EAP-Type = PEAP
(11)         EXPAND %{debug_attr:request:}
(11)            -->
(11)         if ("%{debug_attr:request:}" == '')  -> TRUE
(11)         if ("%{debug_attr:request:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:request:}" == '')  = noop
(11)       } # policy debug_request = noop
(11)       policy debug_coa {
(11)         if ("%{debug_attr:coa:}" == '') {
(11)         Attributes matching "coa:"
(11)           WARNING: List "coa" is not available
(11)         EXPAND %{debug_attr:coa:}
(11)            -->
(11)         if ("%{debug_attr:coa:}" == '')  -> TRUE
(11)         if ("%{debug_attr:coa:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:coa:}" == '')  = noop
(11)       } # policy debug_coa = noop
(11)       policy debug_reply {
(11)         if ("%{debug_attr:reply:}" == '') {
(11)         Attributes matching "reply:"
(11)           &reply:Tunnel-Type:-128 := VLAN
(11)           &reply:Tunnel-Medium-Type:-128 := IEEE-802
(11)           &reply:Class = 0x7374616666
(11)           &reply:Filter-Id = staff
(11)           &reply:Tunnel-Private-Group-Id:0 = 1874
(11)           &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(11)           &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a
(11)           &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280
(11)           &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401
(11)           &reply:EAP-Message = 0x03d50004
(11)           &reply:Message-Authenticator = 0x00000000000000000000000000000000
(11)           &reply:User-Name = anonymous@example.com
(11)         EXPAND %{debug_attr:reply:}
(11)            -->
(11)         if ("%{debug_attr:reply:}" == '')  -> TRUE
(11)         if ("%{debug_attr:reply:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:reply:}" == '')  = noop
(11)       } # policy debug_reply = noop
(11)       policy debug_session_state {
(11)         if ("%{debug_attr:session-state:}" == '') {
(11)         Attributes matching "session-state:"
(11)         EXPAND %{debug_attr:session-state:}
(11)            -->
(11)         if ("%{debug_attr:session-state:}" == '')  -> TRUE
(11)         if ("%{debug_attr:session-state:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:session-state:}" == '')  = noop
(11)       } # policy debug_session_state = noop
(11)     } # policy debug_all = noop
(11)     if (&session-state:locInner-User-Name) {
(11)     if (&session-state:locInner-User-Name)  -> FALSE
(11)     update {
(11)       No attributes updated for RHS &session-state
(11)     } # update = noop
(11)     if (Service-Type == Call-Check) {
(11)     if (Service-Type == Call-Check)  -> FALSE
(11)     else {
(11) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{session-state:locInner-User-Name}:-NULL}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})
(11) 802.1x_auth_log:    --> Fri Nov  7 13:54:34 2025 : AuthZ: (11) Access-Accept: [NULL] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client localhost port 0 operator-name Unknown)
(11) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log
(11) 802.1x_auth_log:    --> /var/log/freeradius/802.1x_auth.log
(11)       [802.1x_auth_log] = ok
(11)     } # else = ok
(11)     policy debug_all {
(11)       policy debug_control {
(11)         if ("%{debug_attr:control:}" == '') {
(11)         Attributes matching "control:"
(11)           &control:Auth-Type = eap
(11)         EXPAND %{debug_attr:control:}
(11)            -->
(11)         if ("%{debug_attr:control:}" == '')  -> TRUE
(11)         if ("%{debug_attr:control:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:control:}" == '')  = noop
(11)       } # policy debug_control = noop
(11)       policy debug_request {
(11)         if ("%{debug_attr:request:}" == '') {
(11)         Attributes matching "request:"
(11)           &request:User-Name = anonymous@example.com
(11)           &request:NAS-IP-Address = 127.0.0.1
(11)           &request:Calling-Station-Id := 02-00-00-00-00-01
(11)           &request:Framed-MTU = 1400
(11)           &request:NAS-Port-Type = Wireless-802.11
(11)           &request:Service-Type = Framed-User
(11)           &request:Connect-Info = CONNECT 11Mbps 802.11b
(11)           &request:Called-Station-Id := 11-22-33-44-55-66:eduroam
(11)           &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6
(11)           &request:State = 0xd7951377dd400ac5141f11c810ce92e5
(11)           &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc
(11)           &request:Called-Station-SSID := eduroam
(11)           &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(11)           &request:Realm := EXAMPLE.COM
(11)           &request:EAP-Type = PEAP
(11)         EXPAND %{debug_attr:request:}
(11)            -->
(11)         if ("%{debug_attr:request:}" == '')  -> TRUE
(11)         if ("%{debug_attr:request:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:request:}" == '')  = noop
(11)       } # policy debug_request = noop
(11)       policy debug_coa {
(11)         if ("%{debug_attr:coa:}" == '') {
(11)         Attributes matching "coa:"
(11)           WARNING: List "coa" is not available
(11)         EXPAND %{debug_attr:coa:}
(11)            -->
(11)         if ("%{debug_attr:coa:}" == '')  -> TRUE
(11)         if ("%{debug_attr:coa:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:coa:}" == '')  = noop
(11)       } # policy debug_coa = noop
(11)       policy debug_reply {
(11)         if ("%{debug_attr:reply:}" == '') {
(11)         Attributes matching "reply:"
(11)           &reply:Tunnel-Type:-128 := VLAN
(11)           &reply:Tunnel-Medium-Type:-128 := IEEE-802
(11)           &reply:Class = 0x7374616666
(11)           &reply:Filter-Id = staff
(11)           &reply:Tunnel-Private-Group-Id:0 = 1874
(11)           &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(11)           &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a
(11)           &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280
(11)           &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401
(11)           &reply:EAP-Message = 0x03d50004
(11)           &reply:Message-Authenticator = 0x00000000000000000000000000000000
(11)           &reply:User-Name = anonymous@example.com
(11)         EXPAND %{debug_attr:reply:}
(11)            -->
(11)         if ("%{debug_attr:reply:}" == '')  -> TRUE
(11)         if ("%{debug_attr:reply:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:reply:}" == '')  = noop
(11)       } # policy debug_reply = noop
(11)       policy debug_session_state {
(11)         if ("%{debug_attr:session-state:}" == '') {
(11)         Attributes matching "session-state:"
(11)         EXPAND %{debug_attr:session-state:}
(11)            -->
(11)         if ("%{debug_attr:session-state:}" == '')  -> TRUE
(11)         if ("%{debug_attr:session-state:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:session-state:}" == '')  = noop
(11)       } # policy debug_session_state = noop
(11)     } # policy debug_all = noop
(11)     if (&session-state:locInner-User-Name) {
(11)     if (&session-state:locInner-User-Name)  -> FALSE
(11)     policy debug_all {
(11)       policy debug_control {
(11)         if ("%{debug_attr:control:}" == '') {
(11)         Attributes matching "control:"
(11)           &control:Auth-Type = eap
(11)         EXPAND %{debug_attr:control:}
(11)            -->
(11)         if ("%{debug_attr:control:}" == '')  -> TRUE
(11)         if ("%{debug_attr:control:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:control:}" == '')  = noop
(11)       } # policy debug_control = noop
(11)       policy debug_request {
(11)         if ("%{debug_attr:request:}" == '') {
(11)         Attributes matching "request:"
(11)           &request:User-Name = anonymous@example.com
(11)           &request:NAS-IP-Address = 127.0.0.1
(11)           &request:Calling-Station-Id := 02-00-00-00-00-01
(11)           &request:Framed-MTU = 1400
(11)           &request:NAS-Port-Type = Wireless-802.11
(11)           &request:Service-Type = Framed-User
(11)           &request:Connect-Info = CONNECT 11Mbps 802.11b
(11)           &request:Called-Station-Id := 11-22-33-44-55-66:eduroam
(11)           &request:EAP-Message = 0x02d5002e19001703030023a0c35e6593757243a3f598e329dd849cfc8f29e1217aab5fe1ced41afd18f9725b6ea6
(11)           &request:State = 0xd7951377dd400ac5141f11c810ce92e5
(11)           &request:Message-Authenticator = 0x668bc11b060431f36f2a66547e67f3cc
(11)           &request:Called-Station-SSID := eduroam
(11)           &request:locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(11)           &request:Realm := EXAMPLE.COM
(11)           &request:EAP-Type = PEAP
(11)         EXPAND %{debug_attr:request:}
(11)            -->
(11)         if ("%{debug_attr:request:}" == '')  -> TRUE
(11)         if ("%{debug_attr:request:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:request:}" == '')  = noop
(11)       } # policy debug_request = noop
(11)       policy debug_coa {
(11)         if ("%{debug_attr:coa:}" == '') {
(11)         Attributes matching "coa:"
(11)           WARNING: List "coa" is not available
(11)         EXPAND %{debug_attr:coa:}
(11)            -->
(11)         if ("%{debug_attr:coa:}" == '')  -> TRUE
(11)         if ("%{debug_attr:coa:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:coa:}" == '')  = noop
(11)       } # policy debug_coa = noop
(11)       policy debug_reply {
(11)         if ("%{debug_attr:reply:}" == '') {
(11)         Attributes matching "reply:"
(11)           &reply:Tunnel-Type:-128 := VLAN
(11)           &reply:Tunnel-Medium-Type:-128 := IEEE-802
(11)           &reply:Class = 0x7374616666
(11)           &reply:Filter-Id = staff
(11)           &reply:Tunnel-Private-Group-Id:0 = 1874
(11)           &reply:Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(11)           &reply:MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a
(11)           &reply:MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-MSK = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)           &reply:EAP-EMSK = 0x89d4b3bc7a7ba0051fc32759a78266fadc1965bbf19c06c0f0ceb31dd4b714f58560add74659a1d49dc75b59b99e08e41032f585097625faa0cbf879b3656280
(11)           &reply:EAP-Session-Id = 0x193ef9ddb2c9690718a1123db2cf6d4508b04f43b75bde677dfa20266a8414e6c085b131ca62bb9399ec4cfeef6086f9689782dafdd184bffa444f574e47524401
(11)           &reply:EAP-Message = 0x03d50004
(11)           &reply:Message-Authenticator = 0x00000000000000000000000000000000
(11)           &reply:User-Name = anonymous@example.com
(11)         EXPAND %{debug_attr:reply:}
(11)            -->
(11)         if ("%{debug_attr:reply:}" == '')  -> TRUE
(11)         if ("%{debug_attr:reply:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:reply:}" == '')  = noop
(11)       } # policy debug_reply = noop
(11)       policy debug_session_state {
(11)         if ("%{debug_attr:session-state:}" == '') {
(11)         Attributes matching "session-state:"
(11)         EXPAND %{debug_attr:session-state:}
(11)            -->
(11)         if ("%{debug_attr:session-state:}" == '')  -> TRUE
(11)         if ("%{debug_attr:session-state:}" == '')  {
(11)           [noop] = noop
(11)         } # if ("%{debug_attr:session-state:}" == '')  = noop
(11)       } # policy debug_session_state = noop
(11)     } # policy debug_all = noop
(11)   } # post-auth = ok
(11) Login OK: [anonymous@example.com] (from client localhost port 0 cli 02-00-00-00-00-01)
(11) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:51983 length 258
(11)   Tunnel-Type := VLAN
(11)   Tunnel-Medium-Type := IEEE-802
(11)   Class = 0x7374616666
(11)   Filter-Id = "staff"
(11)   Tunnel-Private-Group-Id:0 = "1874"
(11)   Class = 0x5c3b06d70000013700010200825c0e1b00000000000000000000000001db980ee94295bf000000000060f340
(11)   MS-MPPE-Recv-Key = 0x163a2fbf791deed0abd60b9c33c10a2ffb3b740ebb1a1a237f62666363ebc05a
(11)   MS-MPPE-Send-Key = 0x00c6e8217b371e2163fb13a51dfc114b9799b4fff58bd85037db6c03f568465d
(11)   EAP-Message = 0x03d50004
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   User-Name = "anonymous@example.com"
(11) Finished request
Thread 4 waiting to be assigned a request
Waking up in 4.6 seconds.

