Question / Copy inner to outer identity
Dominic Stalder
dominic.stalder at bluewin.ch
Sun Nov 9 10:01:37 UTC 2025
Hi Alan
I have updated the system to the following version, which includes your last patches:
root at id-radiustest1:/etc/freeradius# freeradius -v
radiusd: FreeRADIUS Version 3.2.9 (git #8efdca0c6), for host x86_64-pc-linux-gnu
FreeRADIUS Version 3.2.9
Again, this is the situation I am fighting with, and maybe you have a pointer as to what else I can try to work around the disadvantages of our current setup:
- FreeRADIUS 3.2.9
- PEAP with MS-CHAPv2
- Proxying is always done internally / locally first
- ONLY the inner tunnel is proxied to a Microsoft NPS server
- the MS NPS server is not able to return the inner username in the Access-Accept message
- I hit defect / bug #5288: "[defect]: session-state is empty in post_auth section after proxying request to home server, branch 3.2.x"
- I will change our setup to "not doing internal proxying" in the near future, but this takes time and I will have to involve another team, which takes care of the Microsoft server infrastructure. I know this will help in the future, but as I said, it is not changeable in a timely fashion
- Files involved (in my opinion): sites-available/default, sites-available/proxy-inner-tunnel, mods-available/eap
I have tried to save the inner username to an attribute called locInner-User-Name, either in the session-state namespace (which is affected by defect / bug #5288) or in another namespace such as control. In both cases, the attribute does not persist until the end of the RADIUS processing; please see the debug output below.
Again, do you have any idea how to overcome the current situation with our setup (internal proxying) and the current defect / bug #5288?
Any help is appreciated.
Regards
Dominic
(0) Received Access-Request Id 0 from 127.0.0.1:58298 to 127.0.0.1:1812 length 177
(0) User-Name = "anonymous at example.com"
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = "02-00-00-00-00-01"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(0) EAP-Message = 0x020d001701616e6f6e796d6f757340756e6962652e6368
(0) Message-Authenticator = 0x06c1c680b3ef95df1202c79fb45166a2
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) policy rewrite_called_station_id {
(0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(0) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(0) update request {
(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 11-22-33-44-55-66
(0) &Called-Station-Id := 11-22-33-44-55-66
(0) } # update request = noop
(0) if ("%{8}") {
(0) EXPAND %{8}
(0) --> eduroam
(0) if ("%{8}") -> TRUE
(0) if ("%{8}") {
(0) update request {
(0) EXPAND %{8}
(0) --> eduroam
(0) &Called-Station-SSID := eduroam
(0) EXPAND %{Called-Station-Id}:%{8}
(0) --> 11-22-33-44-55-66:eduroam
(0) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(0) } # update request = noop
(0) } # if ("%{8}") = noop
(0) [updated] = updated
(0) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_called_station_id = updated
(0) policy rewrite_calling_station_id {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(0) update request {
(0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(0) --> 02-00-00-00-00-01
(0) &Calling-Station-Id := 02-00-00-00-00-01
(0) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(0) --> 02:00:00:00:00:01
(0) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(0) } # update request = noop
(0) [updated] = updated
(0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(0) ... skipping else: Preceding "if" was taken
(0) } # policy rewrite_calling_station_id = updated
(0) if (Service-Type == Call-Check) {
(0) if (Service-Type == Call-Check) -> FALSE
(0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(0) EXPAND Packet-Src-IP-Address
(0) --> 127.0.0.1
(0) EXPAND Packet-Src-IP-Address
(0) --> 127.0.0.1
(0) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(0) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(0) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(0) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(0) if (EAP-Message) {
(0) if (EAP-Message) -> TRUE
(0) if (EAP-Message) {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = updated
(0) } # policy filter_username = updated
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(0) suffix: Found realm "EXAMPLE.COM"
(0) suffix: Adding Realm = "EXAMPLE.COM"
(0) suffix: Authentication realm is LOCAL
(0) [suffix] = ok
(0) policy deny_no_realm {
(0) if (User-Name && (User-Name !~ /@/)) {
(0) if (User-Name && (User-Name !~ /@/)) -> FALSE
(0) } # policy deny_no_realm = updated
(0) update request {
(0) EXPAND %{toupper:%{Realm}}
(0) --> EXAMPLE.COM
(0) Realm := EXAMPLE.COM
(0) } # update request = noop
(0) eap: Peer sent EAP Response (code 2) ID 13 length 23
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # if (EAP-Message) = ok
(0) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(0) } # authorize = updated
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type eap {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Using default_eap_type = PEAP
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap: Sending EAP Request (code 1) ID 14 length 6
(0) eap: EAP session adding &reply:State = 0xafa7dc71afa9c54b
(0) [eap] = handled
(0) if (handled && (Response-Packet-Type == Access-Challenge)) {
(0) EXPAND Response-Packet-Type
(0) --> Access-Challenge
(0) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(0) if (handled && (Response-Packet-Type == Access-Challenge)) {
(0) attr_filter.access_challenge: EXPAND %{User-Name}
(0) attr_filter.access_challenge: --> anonymous at example.com
(0) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(0) [attr_filter.access_challenge.post-auth] = updated
(0) [handled] = handled
(0) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(0) } # Auth-Type eap = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) session-state: Saving cached attributes for server default
(0) Framed-MTU = 1014
(0) Sent Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:58298 length 64
(0) EAP-Message = 0x010e00061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xafa7dc71afa9c54bd50cde17df51e2b7
(0) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
(1) Received Access-Request Id 1 from 127.0.0.1:58298 to 127.0.0.1:1812 length 366
(1) User-Name = "anonymous at example.com"
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = "02-00-00-00-00-01"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Connect-Info = "CONNECT 11Mbps 802.11b"
(1) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(1) EAP-Message = 0x020e00c21980000000b816030100b3010000af0303a6603acb0ad334b1a7514619e97a2ed5509c041248ca4cc446156e535d62be04000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
(1) State = 0xafa7dc71afa9c54bd50cde17df51e2b7
(1) Message-Authenticator = 0xf80e555becc8e15c44c723043ac11b4b
(1) session-state: Restoring attributes for server default
(1) &session-state:Framed-MTU = 1014
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1) authorize {
(1) policy rewrite_called_station_id {
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(1) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 11-22-33-44-55-66
(1) &Called-Station-Id := 11-22-33-44-55-66
(1) } # update request = noop
(1) if ("%{8}") {
(1) EXPAND %{8}
(1) --> eduroam
(1) if ("%{8}") -> TRUE
(1) if ("%{8}") {
(1) update request {
(1) EXPAND %{8}
(1) --> eduroam
(1) &Called-Station-SSID := eduroam
(1) EXPAND %{Called-Station-Id}:%{8}
(1) --> 11-22-33-44-55-66:eduroam
(1) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(1) } # update request = noop
(1) } # if ("%{8}") = noop
(1) [updated] = updated
(1) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_called_station_id = updated
(1) policy rewrite_calling_station_id {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1) update request {
(1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1) --> 02-00-00-00-00-01
(1) &Calling-Station-Id := 02-00-00-00-00-01
(1) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(1) --> 02:00:00:00:00:01
(1) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(1) } # update request = noop
(1) [updated] = updated
(1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(1) ... skipping else: Preceding "if" was taken
(1) } # policy rewrite_calling_station_id = updated
(1) if (Service-Type == Call-Check) {
(1) if (Service-Type == Call-Check) -> FALSE
(1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(1) EXPAND Packet-Src-IP-Address
(1) --> 127.0.0.1
(1) EXPAND Packet-Src-IP-Address
(1) --> 127.0.0.1
(1) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(1) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(1) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(1) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(1) if (EAP-Message) {
(1) if (EAP-Message) -> TRUE
(1) if (EAP-Message) {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = updated
(1) } # policy filter_username = updated
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(1) suffix: Found realm "EXAMPLE.COM"
(1) suffix: Adding Realm = "EXAMPLE.COM"
(1) suffix: Authentication realm is LOCAL
(1) [suffix] = ok
(1) policy deny_no_realm {
(1) if (User-Name && (User-Name !~ /@/)) {
(1) if (User-Name && (User-Name !~ /@/)) -> FALSE
(1) } # policy deny_no_realm = updated
(1) update request {
(1) EXPAND %{toupper:%{Realm}}
(1) --> EXAMPLE.COM
(1) Realm := EXAMPLE.COM
(1) } # update request = noop
(1) eap: Peer sent EAP Response (code 2) ID 14 length 194
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # if (EAP-Message) = ok
(1) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) Auth-Type eap {
(1) eap: Removing EAP session with state 0xafa7dc71afa9c54b
(1) eap: Previous EAP request found for state 0xafa7dc71afa9c54b, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) EAP Peer says that the final record size will be 184 bytes
(1) eap_peap: (TLS) EAP Got all data (184 bytes)
(1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 15 length 1024
(1) eap: EAP session adding &reply:State = 0xafa7dc71aea8c54b
(1) [eap] = handled
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) EXPAND Response-Packet-Type
(1) --> Access-Challenge
(1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(1) if (handled && (Response-Packet-Type == Access-Challenge)) {
(1) attr_filter.access_challenge: EXPAND %{User-Name}
(1) attr_filter.access_challenge: --> anonymous at example.com
(1) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(1) [attr_filter.access_challenge.post-auth] = updated
(1) [handled] = handled
(1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(1) } # Auth-Type eap = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) session-state: Saving cached attributes for server default
(1) Framed-MTU = 1014
(1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(1) Sent Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1090
(1) EAP-Message = 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
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xafa7dc71aea8c54bd50cde17df51e2b7
(1) Finished request
Thread 2 waiting to be assigned a request
Thread 5 got semaphore
Thread 5 handling request 2, (1 handled so far)
(2) Received Access-Request Id 2 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178
(2) User-Name = "anonymous at example.com"
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = "02-00-00-00-00-01"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Connect-Info = "CONNECT 11Mbps 802.11b"
(2) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(2) EAP-Message = 0x020f00061900
(2) State = 0xafa7dc71aea8c54bd50cde17df51e2b7
(2) Message-Authenticator = 0xc0f08954ac4322ac403afe73ba484134
(2) session-state: Restoring attributes for server default
(2) &session-state:Framed-MTU = 1014
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
Waking up in 0.3 seconds.
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(2) authorize {
(2) policy rewrite_called_station_id {
(2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(2) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> 11-22-33-44-55-66
(2) &Called-Station-Id := 11-22-33-44-55-66
(2) } # update request = noop
(2) if ("%{8}") {
(2) EXPAND %{8}
(2) --> eduroam
(2) if ("%{8}") -> TRUE
(2) if ("%{8}") {
(2) update request {
(2) EXPAND %{8}
(2) --> eduroam
(2) &Called-Station-SSID := eduroam
(2) EXPAND %{Called-Station-Id}:%{8}
(2) --> 11-22-33-44-55-66:eduroam
(2) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(2) } # update request = noop
(2) } # if ("%{8}") = noop
(2) [updated] = updated
(2) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_called_station_id = updated
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) update request {
(2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> 02-00-00-00-00-01
(2) &Calling-Station-Id := 02-00-00-00-00-01
(2) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(2) --> 02:00:00:00:00:01
(2) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) if (Service-Type == Call-Check) {
(2) if (Service-Type == Call-Check) -> FALSE
(2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(2) EXPAND Packet-Src-IP-Address
(2) --> 127.0.0.1
(2) EXPAND Packet-Src-IP-Address
(2) --> 127.0.0.1
(2) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(2) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(2) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(2) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(2) if (EAP-Message) {
(2) if (EAP-Message) -> TRUE
(2) if (EAP-Message) {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = updated
(2) } # policy filter_username = updated
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(2) suffix: Found realm "EXAMPLE.COM"
(2) suffix: Adding Realm = "EXAMPLE.COM"
(2) suffix: Authentication realm is LOCAL
(2) [suffix] = ok
(2) policy deny_no_realm {
(2) if (User-Name && (User-Name !~ /@/)) {
(2) if (User-Name && (User-Name !~ /@/)) -> FALSE
(2) } # policy deny_no_realm = updated
(2) update request {
(2) EXPAND %{toupper:%{Realm}}
(2) --> EXAMPLE.COM
(2) Realm := EXAMPLE.COM
(2) } # update request = noop
(2) eap: Peer sent EAP Response (code 2) ID 15 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # if (EAP-Message) = ok
(2) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) Auth-Type eap {
(2) eap: Removing EAP session with state 0xafa7dc71aea8c54b
(2) eap: Previous EAP request found for state 0xafa7dc71aea8c54b, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 16 length 1020
(2) eap: EAP session adding &reply:State = 0xafa7dc71adb7c54b
(2) [eap] = handled
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) EXPAND Response-Packet-Type
(2) --> Access-Challenge
(2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(2) if (handled && (Response-Packet-Type == Access-Challenge)) {
(2) attr_filter.access_challenge: EXPAND %{User-Name}
(2) attr_filter.access_challenge: --> anonymous at example.com
(2) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(2) [attr_filter.access_challenge.post-auth] = updated
(2) [handled] = handled
(2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(2) } # Auth-Type eap = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2) session-state: Saving cached attributes for server default
(2) Framed-MTU = 1014
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 2 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xafa7dc71adb7c54bd50cde17df51e2b7
(2) Finished request
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 3, (1 handled so far)
(3) Received Access-Request Id 3 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178
(3) User-Name = "anonymous at example.com"
(3) NAS-IP-Address = 127.0.0.1
(3) Calling-Station-Id = "02-00-00-00-00-01"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Connect-Info = "CONNECT 11Mbps 802.11b"
(3) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(3) EAP-Message = 0x021000061900
(3) State = 0xafa7dc71adb7c54bd50cde17df51e2b7
(3) Message-Authenticator = 0xcb3fb191e4250283a6d6250e964b3200
(3) session-state: Restoring attributes for server default
(3) &session-state:Framed-MTU = 1014
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(3) authorize {
(3) policy rewrite_called_station_id {
(3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(3) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> 11-22-33-44-55-66
(3) &Called-Station-Id := 11-22-33-44-55-66
(3) } # update request = noop
(3) if ("%{8}") {
(3) EXPAND %{8}
(3) --> eduroam
(3) if ("%{8}") -> TRUE
(3) if ("%{8}") {
(3) update request {
(3) EXPAND %{8}
(3) --> eduroam
(3) &Called-Station-SSID := eduroam
(3) EXPAND %{Called-Station-Id}:%{8}
(3) --> 11-22-33-44-55-66:eduroam
(3) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(3) } # update request = noop
(3) } # if ("%{8}") = noop
(3) [updated] = updated
(3) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_called_station_id = updated
(3) policy rewrite_calling_station_id {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3) update request {
(3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3) --> 02-00-00-00-00-01
(3) &Calling-Station-Id := 02-00-00-00-00-01
(3) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(3) --> 02:00:00:00:00:01
(3) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(3) } # update request = noop
(3) [updated] = updated
(3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(3) ... skipping else: Preceding "if" was taken
(3) } # policy rewrite_calling_station_id = updated
(3) if (Service-Type == Call-Check) {
(3) if (Service-Type == Call-Check) -> FALSE
(3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(3) EXPAND Packet-Src-IP-Address
(3) --> 127.0.0.1
(3) EXPAND Packet-Src-IP-Address
(3) --> 127.0.0.1
(3) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(3) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(3) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(3) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(3) if (EAP-Message) {
(3) if (EAP-Message) -> TRUE
(3) if (EAP-Message) {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = updated
(3) } # policy filter_username = updated
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(3) suffix: Found realm "EXAMPLE.COM"
(3) suffix: Adding Realm = "EXAMPLE.COM"
(3) suffix: Authentication realm is LOCAL
(3) [suffix] = ok
(3) policy deny_no_realm {
(3) if (User-Name && (User-Name !~ /@/)) {
(3) if (User-Name && (User-Name !~ /@/)) -> FALSE
(3) } # policy deny_no_realm = updated
(3) update request {
(3) EXPAND %{toupper:%{Realm}}
(3) --> EXAMPLE.COM
(3) Realm := EXAMPLE.COM
(3) } # update request = noop
(3) eap: Peer sent EAP Response (code 2) ID 16 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # if (EAP-Message) = ok
(3) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(3) } # authorize = updated
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) Auth-Type eap {
(3) eap: Removing EAP session with state 0xafa7dc71adb7c54b
(3) eap: Previous EAP request found for state 0xafa7dc71adb7c54b, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 17 length 1020
(3) eap: EAP session adding &reply:State = 0xafa7dc71acb6c54b
(3) [eap] = handled
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) EXPAND Response-Packet-Type
(3) --> Access-Challenge
(3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(3) if (handled && (Response-Packet-Type == Access-Challenge)) {
(3) attr_filter.access_challenge: EXPAND %{User-Name}
(3) attr_filter.access_challenge: --> anonymous@example.com
(3) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(3) [attr_filter.access_challenge.post-auth] = updated
(3) [handled] = handled
(3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(3) } # Auth-Type eap = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /etc/freeradius/sites-enabled/default
(3) session-state: Saving cached attributes for server default
(3) Framed-MTU = 1014
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 3 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086
(3) EAP-Message = 0x011103fc194006035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3231303333303030303030305a170d3331303332393233353935395a3059310b300906035504061302555331153013060355040a130c446967694365727420496e63313330310603550403132a446967694365727420476c6f62616c20473220544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100ccf710624fa6bb636fed905256c56d277b7a12568af1f4f9d6e7e18fbd95abf260411570db1200fa270ab557385b7db2519371950e6a41945b351bfa7bfabbc5be2430fe56efc4f37d97e314f5144dcba710f216eaab22f031221161699026ba78d9971fe37d66ab75449573c8acffef5d0a8a5943e1acb23a0ff348fcd76b37c163dcde46d6db45fe7d23fd90e851071e51a35fed4946547f2c88c5f4139c97153c03e8a139dc690c32c1af16574c9447427ca2c89c7d
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xafa7dc71acb6c54bd50cde17df51e2b7
(3) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 4, (1 handled so far)
(4) Received Access-Request Id 4 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178
(4) User-Name = "anonymous@example.com"
(4) NAS-IP-Address = 127.0.0.1
(4) Calling-Station-Id = "02-00-00-00-00-01"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Connect-Info = "CONNECT 11Mbps 802.11b"
(4) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(4) EAP-Message = 0x021100061900
(4) State = 0xafa7dc71acb6c54bd50cde17df51e2b7
(4) Message-Authenticator = 0x95ae360623a91d8e19ce9b76b3238fad
(4) session-state: Restoring attributes for server default
(4) &session-state:Framed-MTU = 1014
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(4) authorize {
(4) policy rewrite_called_station_id {
(4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(4) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> 11-22-33-44-55-66
(4) &Called-Station-Id := 11-22-33-44-55-66
(4) } # update request = noop
(4) if ("%{8}") {
(4) EXPAND %{8}
(4) --> eduroam
(4) if ("%{8}") -> TRUE
(4) if ("%{8}") {
(4) update request {
(4) EXPAND %{8}
(4) --> eduroam
(4) &Called-Station-SSID := eduroam
(4) EXPAND %{Called-Station-Id}:%{8}
(4) --> 11-22-33-44-55-66:eduroam
(4) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(4) } # update request = noop
(4) } # if ("%{8}") = noop
(4) [updated] = updated
(4) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_called_station_id = updated
(4) policy rewrite_calling_station_id {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4) update request {
(4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4) --> 02-00-00-00-00-01
(4) &Calling-Station-Id := 02-00-00-00-00-01
(4) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(4) --> 02:00:00:00:00:01
(4) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(4) } # update request = noop
(4) [updated] = updated
(4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(4) ... skipping else: Preceding "if" was taken
(4) } # policy rewrite_calling_station_id = updated
(4) if (Service-Type == Call-Check) {
(4) if (Service-Type == Call-Check) -> FALSE
(4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(4) EXPAND Packet-Src-IP-Address
(4) --> 127.0.0.1
(4) EXPAND Packet-Src-IP-Address
(4) --> 127.0.0.1
(4) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(4) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(4) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(4) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(4) if (EAP-Message) {
(4) if (EAP-Message) -> TRUE
(4) if (EAP-Message) {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = updated
(4) } # policy filter_username = updated
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(4) suffix: Found realm "EXAMPLE.COM"
(4) suffix: Adding Realm = "EXAMPLE.COM"
(4) suffix: Authentication realm is LOCAL
(4) [suffix] = ok
(4) policy deny_no_realm {
(4) if (User-Name && (User-Name !~ /@/)) {
(4) if (User-Name && (User-Name !~ /@/)) -> FALSE
(4) } # policy deny_no_realm = updated
(4) update request {
(4) EXPAND %{toupper:%{Realm}}
(4) --> EXAMPLE.COM
(4) Realm := EXAMPLE.COM
(4) } # update request = noop
(4) eap: Peer sent EAP Response (code 2) ID 17 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # if (EAP-Message) = ok
(4) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(4) } # authorize = updated
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) Auth-Type eap {
(4) eap: Removing EAP session with state 0xafa7dc71acb6c54b
(4) eap: Previous EAP request found for state 0xafa7dc71acb6c54b, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) Peer ACKed our handshake fragment
(4) eap: Sending EAP Request (code 1) ID 18 length 1020
(4) eap: EAP session adding &reply:State = 0xafa7dc71abb5c54b
(4) [eap] = handled
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) EXPAND Response-Packet-Type
(4) --> Access-Challenge
(4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(4) if (handled && (Response-Packet-Type == Access-Challenge)) {
(4) attr_filter.access_challenge: EXPAND %{User-Name}
(4) attr_filter.access_challenge: --> anonymous@example.com
(4) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(4) [attr_filter.access_challenge.post-auth] = updated
(4) [handled] = handled
(4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(4) } # Auth-Type eap = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /etc/freeradius/sites-enabled/default
(4) session-state: Saving cached attributes for server default
(4) Framed-MTU = 1014
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) Sent Access-Challenge Id 4 from 127.0.0.1:1812 to 127.0.0.1:58298 length 1086
(4) EAP-Message = 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
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xafa7dc71abb5c54bd50cde17df51e2b7
(4) Finished request
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 5, (2 handled so far)
(5) Received Access-Request Id 5 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178
(5) User-Name = "anonymous@example.com"
(5) NAS-IP-Address = 127.0.0.1
(5) Calling-Station-Id = "02-00-00-00-00-01"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Connect-Info = "CONNECT 11Mbps 802.11b"
(5) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(5) EAP-Message = 0x021200061900
(5) State = 0xafa7dc71abb5c54bd50cde17df51e2b7
(5) Message-Authenticator = 0x110895b87d5f426939588767952b980e
(5) session-state: Restoring attributes for server default
(5) &session-state:Framed-MTU = 1014
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy rewrite_called_station_id {
(5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(5) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> 11-22-33-44-55-66
(5) &Called-Station-Id := 11-22-33-44-55-66
(5) } # update request = noop
(5) if ("%{8}") {
(5) EXPAND %{8}
(5) --> eduroam
(5) if ("%{8}") -> TRUE
(5) if ("%{8}") {
(5) update request {
(5) EXPAND %{8}
(5) --> eduroam
(5) &Called-Station-SSID := eduroam
(5) EXPAND %{Called-Station-Id}:%{8}
(5) --> 11-22-33-44-55-66:eduroam
(5) &Called-Station-Id := 11-22-33-44-55-66:eduroam
Thread 3 waiting to be assigned a request
(5) } # update request = noop
(5) } # if ("%{8}") = noop
(5) [updated] = updated
(5) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_called_station_id = updated
(5) policy rewrite_calling_station_id {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5) update request {
(5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5) --> 02-00-00-00-00-01
(5) &Calling-Station-Id := 02-00-00-00-00-01
(5) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(5) --> 02:00:00:00:00:01
(5) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(5) } # update request = noop
(5) [updated] = updated
(5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(5) ... skipping else: Preceding "if" was taken
(5) } # policy rewrite_calling_station_id = updated
(5) if (Service-Type == Call-Check) {
(5) if (Service-Type == Call-Check) -> FALSE
(5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(5) EXPAND Packet-Src-IP-Address
(5) --> 127.0.0.1
(5) EXPAND Packet-Src-IP-Address
(5) --> 127.0.0.1
(5) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(5) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(5) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(5) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(5) if (EAP-Message) {
(5) if (EAP-Message) -> TRUE
(5) if (EAP-Message) {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = updated
(5) } # policy filter_username = updated
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(5) suffix: Found realm "EXAMPLE.COM"
(5) suffix: Adding Realm = "EXAMPLE.COM"
(5) suffix: Authentication realm is LOCAL
(5) [suffix] = ok
(5) policy deny_no_realm {
(5) if (User-Name && (User-Name !~ /@/)) {
(5) if (User-Name && (User-Name !~ /@/)) -> FALSE
(5) } # policy deny_no_realm = updated
(5) update request {
(5) EXPAND %{toupper:%{Realm}}
(5) --> EXAMPLE.COM
(5) Realm := EXAMPLE.COM
(5) } # update request = noop
(5) eap: Peer sent EAP Response (code 2) ID 18 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # if (EAP-Message) = ok
(5) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Auth-Type eap {
(5) eap: Removing EAP session with state 0xafa7dc71abb5c54b
(5) eap: Previous EAP request found for state 0xafa7dc71abb5c54b, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 19 length 355
(5) eap: EAP session adding &reply:State = 0xafa7dc71aab4c54b
(5) [eap] = handled
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) EXPAND Response-Packet-Type
(5) --> Access-Challenge
(5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(5) if (handled && (Response-Packet-Type == Access-Challenge)) {
(5) attr_filter.access_challenge: EXPAND %{User-Name}
(5) attr_filter.access_challenge: --> anonymous@example.com
(5) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(5) [attr_filter.access_challenge.post-auth] = updated
(5) [handled] = handled
(5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(5) } # Auth-Type eap = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) session-state: Saving cached attributes for server default
(5) Framed-MTU = 1014
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) Sent Access-Challenge Id 5 from 127.0.0.1:1812 to 127.0.0.1:58298 length 415
(5) EAP-Message = 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
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xafa7dc71aab4c54bd50cde17df51e2b7
(5) Finished request
Thread 4 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 2 got semaphore
Thread 2 handling request 6, (2 handled so far)
(6) Received Access-Request Id 6 from 127.0.0.1:58298 to 127.0.0.1:1812 length 308
(6) User-Name = "anonymous@example.com"
(6) NAS-IP-Address = 127.0.0.1
(6) Calling-Station-Id = "02-00-00-00-00-01"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Connect-Info = "CONNECT 11Mbps 802.11b"
(6) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(6) EAP-Message = 0x0213008819800000007e1603030046100000424104cde4725a02e51628adb570203425942e8376b7eb917052c91cf73ee58f4549727707cefd46163decb23e5bce3a9abbc967fd7ee5b51977503f6af2fbb44023e1140303000101160303002875b785dd798fea122dc888bf79c0739b1388ab79106c0ebdcd9b56ddf7860757295939c2bc9b9c1f
(6) State = 0xafa7dc71aab4c54bd50cde17df51e2b7
(6) Message-Authenticator = 0x3f4dfe266ae453efe5a645253d32a41f
(6) session-state: Restoring attributes for server default
(6) &session-state:Framed-MTU = 1014
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(6) authorize {
(6) policy rewrite_called_station_id {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(6) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 11-22-33-44-55-66
(6) &Called-Station-Id := 11-22-33-44-55-66
(6) } # update request = noop
(6) if ("%{8}") {
(6) EXPAND %{8}
(6) --> eduroam
(6) if ("%{8}") -> TRUE
(6) if ("%{8}") {
(6) update request {
(6) EXPAND %{8}
(6) --> eduroam
(6) &Called-Station-SSID := eduroam
(6) EXPAND %{Called-Station-Id}:%{8}
(6) --> 11-22-33-44-55-66:eduroam
(6) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(6) } # update request = noop
(6) } # if ("%{8}") = noop
(6) [updated] = updated
(6) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_called_station_id = updated
(6) policy rewrite_calling_station_id {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6) update request {
(6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6) --> 02-00-00-00-00-01
(6) &Calling-Station-Id := 02-00-00-00-00-01
(6) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(6) --> 02:00:00:00:00:01
(6) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(6) } # update request = noop
(6) [updated] = updated
(6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(6) ... skipping else: Preceding "if" was taken
(6) } # policy rewrite_calling_station_id = updated
(6) if (Service-Type == Call-Check) {
(6) if (Service-Type == Call-Check) -> FALSE
(6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(6) EXPAND Packet-Src-IP-Address
(6) --> 127.0.0.1
(6) EXPAND Packet-Src-IP-Address
(6) --> 127.0.0.1
(6) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(6) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(6) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(6) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(6) if (EAP-Message) {
(6) if (EAP-Message) -> TRUE
(6) if (EAP-Message) {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = updated
(6) } # policy filter_username = updated
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(6) suffix: Found realm "EXAMPLE.COM"
(6) suffix: Adding Realm = "EXAMPLE.COM"
(6) suffix: Authentication realm is LOCAL
(6) [suffix] = ok
(6) policy deny_no_realm {
(6) if (User-Name && (User-Name !~ /@/)) {
(6) if (User-Name && (User-Name !~ /@/)) -> FALSE
(6) } # policy deny_no_realm = updated
(6) update request {
(6) EXPAND %{toupper:%{Realm}}
(6) --> EXAMPLE.COM
(6) Realm := EXAMPLE.COM
(6) } # update request = noop
(6) eap: Peer sent EAP Response (code 2) ID 19 length 136
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # if (EAP-Message) = ok
(6) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Auth-Type eap {
(6) eap: Removing EAP session with state 0xafa7dc71aab4c54b
(6) eap: Previous EAP request found for state 0xafa7dc71aab4c54b, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes
(6) eap_peap: (TLS) EAP Got all data (126 bytes)
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(6) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(6) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(6) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(6) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(6) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(6) eap_peap: (TLS) PEAP - Connection Established
(6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) eap_peap: TLS-Session-Version = "TLS 1.2"
(6) eap: Sending EAP Request (code 1) ID 20 length 57
(6) eap: EAP session adding &reply:State = 0xafa7dc71a9b3c54b
(6) [eap] = handled
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) EXPAND Response-Packet-Type
(6) --> Access-Challenge
(6) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(6) if (handled && (Response-Packet-Type == Access-Challenge)) {
(6) attr_filter.access_challenge: EXPAND %{User-Name}
(6) attr_filter.access_challenge: --> anonymous@example.com
(6) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(6) [attr_filter.access_challenge.post-auth] = updated
(6) [handled] = handled
(6) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(6) } # Auth-Type eap = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) session-state: Saving cached attributes for server default
(6) Framed-MTU = 1014
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 6 from 127.0.0.1:1812 to 127.0.0.1:58298 length 115
(6) EAP-Message = 0x011400391900140303000101160303002864f52ed12ea54c8db9ec40c1c930f12216b536521fe729a169e6512baba1fb9f4254162bc18808f0
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7
(6) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 7, (2 handled so far)
(7) Received Access-Request Id 7 from 127.0.0.1:58298 to 127.0.0.1:1812 length 178
(7) User-Name = "anonymous@example.com"
(7) NAS-IP-Address = 127.0.0.1
(7) Calling-Station-Id = "02-00-00-00-00-01"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Connect-Info = "CONNECT 11Mbps 802.11b"
(7) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(7) EAP-Message = 0x021400061900
(7) State = 0xafa7dc71a9b3c54bd50cde17df51e2b7
(7) Message-Authenticator = 0xcb8cc4aaf40234fb76c6e2771c68a54d
(7) session-state: Restoring attributes for server default
(7) &session-state:Framed-MTU = 1014
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(7) authorize {
(7) policy rewrite_called_station_id {
(7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(7) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(7) update request {
(7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> 11-22-33-44-55-66
(7) &Called-Station-Id := 11-22-33-44-55-66
(7) } # update request = noop
(7) if ("%{8}") {
(7) EXPAND %{8}
(7) --> eduroam
(7) if ("%{8}") -> TRUE
(7) if ("%{8}") {
(7) update request {
(7) EXPAND %{8}
(7) --> eduroam
(7) &Called-Station-SSID := eduroam
(7) EXPAND %{Called-Station-Id}:%{8}
(7) --> 11-22-33-44-55-66:eduroam
(7) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(7) } # update request = noop
(7) } # if ("%{8}") = noop
(7) [updated] = updated
(7) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_called_station_id = updated
(7) policy rewrite_calling_station_id {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) update request {
(7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> 02-00-00-00-00-01
(7) &Calling-Station-Id := 02-00-00-00-00-01
(7) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(7) --> 02:00:00:00:00:01
(7) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_calling_station_id = updated
(7) if (Service-Type == Call-Check) {
(7) if (Service-Type == Call-Check) -> FALSE
(7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(7) EXPAND Packet-Src-IP-Address
(7) --> 127.0.0.1
(7) EXPAND Packet-Src-IP-Address
(7) --> 127.0.0.1
(7) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(7) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(7) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(7) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(7) if (EAP-Message) {
(7) if (EAP-Message) -> TRUE
(7) if (EAP-Message) {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = updated
(7) } # policy filter_username = updated
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(7) suffix: Found realm "EXAMPLE.COM"
(7) suffix: Adding Realm = "EXAMPLE.COM"
(7) suffix: Authentication realm is LOCAL
(7) [suffix] = ok
(7) policy deny_no_realm {
(7) if (User-Name && (User-Name !~ /@/)) {
(7) if (User-Name && (User-Name !~ /@/)) -> FALSE
(7) } # policy deny_no_realm = updated
(7) update request {
(7) EXPAND %{toupper:%{Realm}}
(7) --> EXAMPLE.COM
(7) Realm := EXAMPLE.COM
(7) } # update request = noop
(7) eap: Peer sent EAP Response (code 2) ID 20 length 6
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # if (EAP-Message) = ok
(7) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) Auth-Type eap {
(7) eap: Removing EAP session with state 0xafa7dc71a9b3c54b
(7) eap: Previous EAP request found for state 0xafa7dc71a9b3c54b, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state TUNNEL ESTABLISHED
(7) eap: Sending EAP Request (code 1) ID 21 length 40
(7) eap: EAP session adding &reply:State = 0xafa7dc71a8b2c54b
(7) [eap] = handled
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) EXPAND Response-Packet-Type
(7) --> Access-Challenge
(7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(7) if (handled && (Response-Packet-Type == Access-Challenge)) {
(7) attr_filter.access_challenge: EXPAND %{User-Name}
(7) attr_filter.access_challenge: --> anonymous@example.com
(7) attr_filter.access_challenge: Matched entry DEFAULT at line 12
(7) [attr_filter.access_challenge.post-auth] = updated
(7) [handled] = handled
(7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(7) } # Auth-Type eap = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /etc/freeradius/sites-enabled/default
(7) session-state: Saving cached attributes for server default
(7) Framed-MTU = 1014
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 7 from 127.0.0.1:1812 to 127.0.0.1:58298 length 98
(7) EAP-Message = 0x011500281900170303001d64f52ed12ea54c8e39e6e9ae296be6f270041366136e149607ad91f48e
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7
(7) Finished request
Thread 5 waiting to be assigned a request
Waking up in 0.3 seconds.
Thread 1 got semaphore
Thread 1 handling request 8, (2 handled so far)
(8) Received Access-Request Id 8 from 127.0.0.1:58298 to 127.0.0.1:1812 length 231
(8) User-Name = "anonymous@example.com"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id = "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(8) EAP-Message = 0x0215003b1900170303003075b785dd798fea13d1e6304c1b7160227a0e83e6dc155dc3cd1f3fe96cf86c7daeac8cef201b136415b1f64de9552925
(8) State = 0xafa7dc71a8b2c54bd50cde17df51e2b7
(8) Message-Authenticator = 0x91788ea1d6feeaa72a328302eccee0fc
(8) session-state: Restoring attributes for server default
(8) &session-state:Framed-MTU = 1014
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(8) authorize {
(8) policy rewrite_called_station_id {
(8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(8) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(8) update request {
(8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> 11-22-33-44-55-66
(8) &Called-Station-Id := 11-22-33-44-55-66
(8) } # update request = noop
(8) if ("%{8}") {
(8) EXPAND %{8}
(8) --> eduroam
(8) if ("%{8}") -> TRUE
(8) if ("%{8}") {
(8) update request {
(8) EXPAND %{8}
(8) --> eduroam
(8) &Called-Station-SSID := eduroam
(8) EXPAND %{Called-Station-Id}:%{8}
(8) --> 11-22-33-44-55-66:eduroam
(8) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(8) } # update request = noop
(8) } # if ("%{8}") = noop
(8) [updated] = updated
(8) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy rewrite_called_station_id = updated
(8) policy rewrite_calling_station_id {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8) update request {
(8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8) --> 02-00-00-00-00-01
(8) &Calling-Station-Id := 02-00-00-00-00-01
(8) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(8) --> 02:00:00:00:00:01
(8) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(8) } # update request = noop
(8) [updated] = updated
(8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(8) ... skipping else: Preceding "if" was taken
(8) } # policy rewrite_calling_station_id = updated
(8) if (Service-Type == Call-Check) {
(8) if (Service-Type == Call-Check) -> FALSE
(8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(8) EXPAND Packet-Src-IP-Address
(8) --> 127.0.0.1
(8) EXPAND Packet-Src-IP-Address
(8) --> 127.0.0.1
(8) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(8) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(8) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(8) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(8) if (EAP-Message) {
(8) if (EAP-Message) -> TRUE
(8) if (EAP-Message) {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = updated
(8) } # policy filter_username = updated
(8) suffix: Checking for suffix after "@"
(8) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(8) suffix: Found realm "EXAMPLE.COM"
(8) suffix: Adding Realm = "EXAMPLE.COM"
(8) suffix: Authentication realm is LOCAL
(8) [suffix] = ok
(8) policy deny_no_realm {
(8) if (User-Name && (User-Name !~ /@/)) {
(8) if (User-Name && (User-Name !~ /@/)) -> FALSE
(8) } # policy deny_no_realm = updated
(8) update request {
(8) EXPAND %{toupper:%{Realm}}
(8) --> EXAMPLE.COM
(8) Realm := EXAMPLE.COM
(8) } # update request = noop
(8) eap: Peer sent EAP Response (code 2) ID 21 length 59
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # if (EAP-Message) = ok
(8) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Auth-Type eap {
(8) eap: Removing EAP session with state 0xafa7dc71a8b2c54b
(8) eap: Previous EAP request found for state 0xafa7dc71a8b2c54b, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(8) eap_peap: Identity - user@example.com
(8) eap_peap: Got inner identity 'user@example.com'
(8) eap_peap: Setting default EAP type for tunneled EAP session
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368
(8) eap_peap: Setting User-Name to user@example.com
(8) eap_peap: Sending tunneled request to proxy-inner-tunnel
(8) eap_peap: EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "user@example.com"
(8) eap_peap: NAS-IP-Address = 127.0.0.1
(8) eap_peap: Calling-Station-Id := "02-00-00-00-00-01"
(8) eap_peap: Framed-MTU = 1400
(8) eap_peap: NAS-Port-Type = Wireless-802.11
(8) eap_peap: Service-Type = Framed-User
(8) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(8) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8) Virtual server proxy-inner-tunnel received request
(8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "user@example.com"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id := "02-00-00-00-00-01"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8) server proxy-inner-tunnel {
(8) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(8) authorize {
(8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(8) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE
(8) update outer.control {
(8) EXPAND %{User-Name}
(8) --> user@example.com
(8) locInner-User-Name := user@example.com
(8) } # update outer.control = noop
(8) if (!NAS-Port-Type){
(8) if (!NAS-Port-Type) -> FALSE
(8) update control {
(8) &Proxy-To-Realm := REALM-NPS-DEV
(8) } # update control = noop
(8) } # authorize = noop
(8) } # server proxy-inner-tunnel
(8) Virtual server sending reply
(8) eap_peap: Got tunneled reply code 0
(8) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(8) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(8) [eap] = handled
(8) if (handled && (Response-Packet-Type == Access-Challenge)) {
(8) EXPAND Response-Packet-Type
(8) -->
(8) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(8) } # Auth-Type eap = handled
(8) Starting proxy to home server 2.2.2.2 port 1812
(8) server default {
(8) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(8) pre-proxy {
(8) attr_filter.pre-proxy: EXPAND %{Realm}
(8) attr_filter.pre-proxy: --> EXAMPLE.COM
(8) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(8) [attr_filter.pre-proxy] = updated
(8) } # pre-proxy = updated
(8) }
(8) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000
(8) Sent Access-Request Id 8 from 0.0.0.0:52965 to 2.2.2.2:1812 length 165
(8) Operator-Name := "1EXAMPLE.COM"
(8) EAP-Message = 0x0215001c0169645f726164696e66737461666640756e6962652e6368
(8) User-Name = "user@example.com"
(8) NAS-IP-Address = 127.0.0.1
(8) Calling-Station-Id := "02-00-00-00-00-01"
(8) NAS-Port-Type = Wireless-802.11
(8) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(8) Message-Authenticator = 0x
(8) Proxy-State = 0x38
Thread 1 waiting to be assigned a request
(8) Marking home server 2.2.2.2 port 1812 alive
Waking up in 0.2 seconds.
Thread 3 got semaphore
Thread 3 handling request 8, (2 handled so far)
(8) Received Access-Challenge Id 8 from 2.2.2.2:1812 to 1.1.1.1:52965 length 126
(8) Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04
(8) Proxy-State = 0x38
(8) Session-Timeout = 60
(8) EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632
(8) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(8) Clearing existing &reply: attributes
(8) server default {
(8) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(8) post-proxy {
(8) attr_filter.post-proxy: EXPAND %{Realm}
(8) attr_filter.post-proxy: --> EXAMPLE.COM
(8) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(8) [attr_filter.post-proxy] = updated
(8) eap: Doing post-proxy callback
(8) eap: Passing reply from proxy back into the tunnel
(8) eap: Got tunneled reply RADIUS code 11
(8) eap: Tunnel-Type := VLAN
(8) eap: Tunnel-Medium-Type := IEEE-802
(8) eap: Message-Authenticator = 0x66483cd50ef9f92fccdcd294bb7d2c04
(8) eap: Proxy-State = 0x38
(8) eap: EAP-Message = 0x011600271a0116002210eb9cf2395a8053f7a7da8f5303e3e63b4141492d4e50532d4544555632
(8) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(8) eap: Got tunneled Access-Challenge
(8) eap: Reply was handled
(8) eap: Sending EAP Request (code 1) ID 22 length 70
(8) eap: EAP session adding &reply:State = 0xafa7dc71a7b1c54b
(8) [eap] = ok
(8) update reply {
(8) EXPAND %{control:locInner-User-Name}
(8) --> user@example.com
(8) &User-Name := user@example.com
(8) } # update reply = noop
(8) } # post-proxy = updated
(8) }
(8) session-state: Saving cached attributes for server default
(8) Framed-MTU = 1014
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:58298 length 153
(8) EAP-Message = 0x011600461900170303003b64f52ed12ea54c8f18512005c0151ef6bdf23f5a7ad4df27fbbbad944ae3352f168c363e09cab960ef0f81ff81dfdebc0eaac34b350227b3647f66
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7
(8) User-Name := "user@example.com"
(8) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 4 got semaphore
Thread 4 handling request 9, (3 handled so far)
(9) Received Access-Request Id 9 from 127.0.0.1:58298 to 127.0.0.1:1812 length 285
(9) User-Name = "anonymous@example.com"
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id = "02-00-00-00-00-01"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(9) EAP-Message = 0x021600711900170303006675b785dd798fea14870e20dbbfa5338af5df058a43d9647480c865545aeabbd722b49d8021d29eab61642104c445a4eb8c06df995a802a2967ad27883f2de941c3fa2b208626eb79a87e2fb828ae327790dedf08f415bf5d51851abdb153ec11db68f1d29b52
(9) State = 0xafa7dc71a7b1c54bd50cde17df51e2b7
(9) Message-Authenticator = 0x7056f3072ea11a647ea29135b157bb20
(9) session-state: No cached attributes for server default
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(9) authorize {
(9) policy rewrite_called_station_id {
(9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(9) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> 11-22-33-44-55-66
(9) &Called-Station-Id := 11-22-33-44-55-66
(9) } # update request = noop
(9) if ("%{8}") {
(9) EXPAND %{8}
(9) --> eduroam
(9) if ("%{8}") -> TRUE
(9) if ("%{8}") {
(9) update request {
(9) EXPAND %{8}
(9) --> eduroam
(9) &Called-Station-SSID := eduroam
(9) EXPAND %{Called-Station-Id}:%{8}
(9) --> 11-22-33-44-55-66:eduroam
(9) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(9) } # update request = noop
(9) } # if ("%{8}") = noop
(9) [updated] = updated
(9) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_called_station_id = updated
(9) policy rewrite_calling_station_id {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9) update request {
(9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9) --> 02-00-00-00-00-01
(9) &Calling-Station-Id := 02-00-00-00-00-01
(9) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(9) --> 02:00:00:00:00:01
(9) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(9) } # update request = noop
(9) [updated] = updated
(9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(9) ... skipping else: Preceding "if" was taken
(9) } # policy rewrite_calling_station_id = updated
(9) if (Service-Type == Call-Check) {
(9) if (Service-Type == Call-Check) -> FALSE
(9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(9) EXPAND Packet-Src-IP-Address
(9) --> 127.0.0.1
(9) EXPAND Packet-Src-IP-Address
(9) --> 127.0.0.1
(9) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(9) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(9) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(9) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(9) if (EAP-Message) {
(9) if (EAP-Message) -> TRUE
(9) if (EAP-Message) {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = updated
(9) } # policy filter_username = updated
(9) suffix: Checking for suffix after "@"
(9) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous@example.com"
(9) suffix: Found realm "EXAMPLE.COM"
(9) suffix: Adding Realm = "EXAMPLE.COM"
(9) suffix: Authentication realm is LOCAL
(9) [suffix] = ok
(9) policy deny_no_realm {
(9) if (User-Name && (User-Name !~ /@/)) {
(9) if (User-Name && (User-Name !~ /@/)) -> FALSE
(9) } # policy deny_no_realm = updated
(9) update request {
(9) EXPAND %{toupper:%{Realm}}
(9) --> EXAMPLE.COM
(9) Realm := EXAMPLE.COM
(9) } # update request = noop
(9) eap: Peer sent EAP Response (code 2) ID 22 length 113
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # if (EAP-Message) = ok
(9) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Auth-Type eap {
(9) eap: Removing EAP session with state 0xafa7dc71a7b1c54b
(9) eap: Previous EAP request found for state 0xafa7dc71a7b1c54b, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368
(9) eap_peap: Setting User-Name to user@example.com
(9) eap_peap: Sending tunneled request to proxy-inner-tunnel
(9) eap_peap: EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368
(9) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap: User-Name = "user@example.com"
(9) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(9) eap_peap: NAS-IP-Address = 127.0.0.1
(9) eap_peap: Calling-Station-Id := "02-00-00-00-00-01"
(9) eap_peap: Framed-MTU = 1400
(9) eap_peap: NAS-Port-Type = Wireless-802.11
(9) eap_peap: Service-Type = Framed-User
(9) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(9) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9) Virtual server proxy-inner-tunnel received request
(9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "user@example.com"
(9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id := "02-00-00-00-00-01"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9) server proxy-inner-tunnel {
(9) session-state: No cached attributes for server proxy-inner-tunnel
(9) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(9) authorize {
(9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(9) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE
(9) update outer.control {
(9) EXPAND %{User-Name}
(9) --> user@example.com
(9) locInner-User-Name := user@example.com
(9) } # update outer.control = noop
(9) if (!NAS-Port-Type){
(9) if (!NAS-Port-Type) -> FALSE
(9) update control {
(9) &Proxy-To-Realm := REALM-NPS-DEV
(9) } # update control = noop
(9) } # authorize = noop
(9) } # server proxy-inner-tunnel
(9) Virtual server sending reply
(9) eap_peap: Got tunneled reply code 0
(9) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(9) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(9) [eap] = handled
(9) if (handled && (Response-Packet-Type == Access-Challenge)) {
(9) EXPAND Response-Packet-Type
(9) -->
(9) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(9) } # Auth-Type eap = handled
(9) Starting proxy to home server 2.2.2.2 port 1812
(9) server default {
(9) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(9) pre-proxy {
(9) attr_filter.pre-proxy: EXPAND %{Realm}
(9) attr_filter.pre-proxy: --> EXAMPLE.COM
(9) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(9) [attr_filter.pre-proxy] = updated
(9) } # pre-proxy = updated
(9) }
(9) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000
(9) Sent Access-Request Id 9 from 0.0.0.0:52965 to 2.2.2.2:1812 length 257
(9) Operator-Name := "1EXAMPLE.COM"
(9) EAP-Message = 0x021600521a0216004d31d2fc572f78b18280f6a77c0368bbf0ef0000000000000000ff99e31f1ffcf38448dc7834a8296f0bfb5b4da6104aeb120069645f726164696e66737461666640756e6962652e6368
(9) User-Name = "user at example.com"
(9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(9) NAS-IP-Address = 127.0.0.1
(9) Calling-Station-Id := "02-00-00-00-00-01"
(9) NAS-Port-Type = Wireless-802.11
(9) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(9) Message-Authenticator = 0x
(9) Proxy-State = 0x39
Thread 4 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 2 got semaphore
Thread 2 handling request 9, (3 handled so far)
(9) Received Access-Challenge Id 9 from 2.2.2.2:1812 to 1.1.1.1:52965 length 138
(9) Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f
(9) Proxy-State = 0x39
(9) Session-Timeout = 60
(9) EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639
(9) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(9) Clearing existing &reply: attributes
(9) server default {
(9) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(9) post-proxy {
(9) attr_filter.post-proxy: EXPAND %{Realm}
(9) attr_filter.post-proxy: --> EXAMPLE.COM
(9) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(9) [attr_filter.post-proxy] = updated
(9) eap: Doing post-proxy callback
(9) eap: Passing reply from proxy back into the tunnel
(9) eap: Got tunneled reply RADIUS code 11
(9) eap: Tunnel-Type := VLAN
(9) eap: Tunnel-Medium-Type := IEEE-802
(9) eap: Message-Authenticator = 0xc42d2656dd05f7f1f02bef15d5e8e38f
(9) eap: Proxy-State = 0x39
(9) eap: EAP-Message = 0x011700331a0316002e533d33444131374638464334373842394132304537414644353430364246394537424135454143454639
(9) eap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(9) eap: Got tunneled Access-Challenge
(9) eap: Reply was handled
(9) eap: Sending EAP Request (code 1) ID 23 length 82
(9) eap: EAP session adding &reply:State = 0xafa7dc71a6b0c54b
(9) [eap] = ok
(9) update reply {
(9) EXPAND %{control:locInner-User-Name}
(9) --> user at example.com
(9) &User-Name := user at example.com
(9) } # update reply = noop
(9) } # post-proxy = updated
(9) }
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9) Sent Access-Challenge Id 9 from 127.0.0.1:1812 to 127.0.0.1:58298 length 165
(9) EAP-Message = 0x011700521900170303004764f52ed12ea54c902b90dd600763d13a74ca5367c8fc00299e6e7c32c374e6250ed30140f7f089b51de255471b31f6a804cce004a5383471438d6333d4b042429f782af1c6c4e1
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7
(9) User-Name := "user at example.com"
(9) Finished request
Thread 2 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 5 got semaphore
Thread 5 handling request 10, (3 handled so far)
(10) Received Access-Request Id 10 from 127.0.0.1:58298 to 127.0.0.1:1812 length 209
(10) User-Name = "anonymous at example.com"
(10) NAS-IP-Address = 127.0.0.1
(10) Calling-Station-Id = "02-00-00-00-00-01"
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Connect-Info = "CONNECT 11Mbps 802.11b"
(10) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(10) EAP-Message = 0x021700251900170303001a75b785dd798fea153b66975884eb245f9c132850db6c50233090
(10) State = 0xafa7dc71a6b0c54bd50cde17df51e2b7
(10) Message-Authenticator = 0x8a9c6f10bc67225977d457aab3be0c04
(10) session-state: No cached attributes for server default
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10) authorize {
(10) policy rewrite_called_station_id {
(10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(10) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(10) update request {
(10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 11-22-33-44-55-66
(10) &Called-Station-Id := 11-22-33-44-55-66
(10) } # update request = noop
(10) if ("%{8}") {
(10) EXPAND %{8}
(10) --> eduroam
(10) if ("%{8}") -> TRUE
(10) if ("%{8}") {
(10) update request {
(10) EXPAND %{8}
(10) --> eduroam
(10) &Called-Station-SSID := eduroam
(10) EXPAND %{Called-Station-Id}:%{8}
(10) --> 11-22-33-44-55-66:eduroam
(10) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(10) } # update request = noop
(10) } # if ("%{8}") = noop
(10) [updated] = updated
(10) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_called_station_id = updated
(10) policy rewrite_calling_station_id {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10) update request {
(10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10) --> 02-00-00-00-00-01
(10) &Calling-Station-Id := 02-00-00-00-00-01
(10) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(10) --> 02:00:00:00:00:01
(10) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(10) } # update request = noop
(10) [updated] = updated
(10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(10) ... skipping else: Preceding "if" was taken
(10) } # policy rewrite_calling_station_id = updated
(10) if (Service-Type == Call-Check) {
(10) if (Service-Type == Call-Check) -> FALSE
(10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(10) EXPAND Packet-Src-IP-Address
(10) --> 127.0.0.1
(10) EXPAND Packet-Src-IP-Address
(10) --> 127.0.0.1
(10) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(10) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(10) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(10) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(10) if (EAP-Message) {
(10) if (EAP-Message) -> TRUE
(10) if (EAP-Message) {
(10) policy filter_username {
(10) if (&User-Name) {
(10) if (&User-Name) -> TRUE
(10) if (&User-Name) {
(10) if (&User-Name =~ / /) {
(10) if (&User-Name =~ / /) -> FALSE
(10) if (&User-Name =~ /@[^@]*@/ ) {
(10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(10) if (&User-Name =~ /\.\./ ) {
(10) if (&User-Name =~ /\.\./ ) -> FALSE
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(10) if (&User-Name =~ /\.$/) {
(10) if (&User-Name =~ /\.$/) -> FALSE
(10) if (&User-Name =~ /@\./) {
(10) if (&User-Name =~ /@\./) -> FALSE
(10) } # if (&User-Name) = updated
(10) } # policy filter_username = updated
(10) suffix: Checking for suffix after "@"
(10) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(10) suffix: Found realm "EXAMPLE.COM"
(10) suffix: Adding Realm = "EXAMPLE.COM"
(10) suffix: Authentication realm is LOCAL
(10) [suffix] = ok
(10) policy deny_no_realm {
(10) if (User-Name && (User-Name !~ /@/)) {
(10) if (User-Name && (User-Name !~ /@/)) -> FALSE
(10) } # policy deny_no_realm = updated
(10) update request {
(10) EXPAND %{toupper:%{Realm}}
(10) --> EXAMPLE.COM
(10) Realm := EXAMPLE.COM
(10) } # update request = noop
(10) eap: Peer sent EAP Response (code 2) ID 23 length 37
(10) eap: Continuing tunnel setup
(10) [eap] = ok
(10) } # if (EAP-Message) = ok
(10) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(10) } # authorize = updated
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) Auth-Type eap {
(10) eap: Removing EAP session with state 0xafa7dc71a6b0c54b
(10) eap: Previous EAP request found for state 0xafa7dc71a6b0c54b, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: (TLS) EAP Done initial handshake
(10) eap_peap: Session established. Decoding tunneled attributes
(10) eap_peap: PEAP state phase2
(10) eap_peap: EAP method MSCHAPv2 (26)
(10) eap_peap: Got tunneled request
(10) eap_peap: EAP-Message = 0x021700061a03
(10) eap_peap: Setting User-Name to user at example.com
(10) eap_peap: Sending tunneled request to proxy-inner-tunnel
(10) eap_peap: EAP-Message = 0x021700061a03
(10) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(10) eap_peap: User-Name = "user at example.com"
(10) eap_peap: State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(10) eap_peap: NAS-IP-Address = 127.0.0.1
(10) eap_peap: Calling-Station-Id := "02-00-00-00-00-01"
(10) eap_peap: Framed-MTU = 1400
(10) eap_peap: NAS-Port-Type = Wireless-802.11
(10) eap_peap: Service-Type = Framed-User
(10) eap_peap: Connect-Info = "CONNECT 11Mbps 802.11b"
(10) eap_peap: Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10) Virtual server proxy-inner-tunnel received request
(10) EAP-Message = 0x021700061a03
(10) FreeRADIUS-Proxied-To = 127.0.0.1
(10) User-Name = "user at example.com"
(10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(10) NAS-IP-Address = 127.0.0.1
(10) Calling-Station-Id := "02-00-00-00-00-01"
(10) Framed-MTU = 1400
(10) NAS-Port-Type = Wireless-802.11
(10) Service-Type = Framed-User
(10) Connect-Info = "CONNECT 11Mbps 802.11b"
(10) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10) server proxy-inner-tunnel {
(10) session-state: No cached attributes for server proxy-inner-tunnel
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/proxy-inner-tunnel
(10) authorize {
(10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) {
(10) if (User-Name !~ /^([\w\-.]{1,}\.[\w\-.]{1,}@((example\.com)|(faculty\.example\.com)|(students\.example\.com)|(ext\.example\.com)))|(^[\w-]{1,20}@((campus\.example\.com)|(example\.com)))/) -> FALSE
(10) update outer.control {
(10) EXPAND %{User-Name}
(10) --> user at example.com
(10) locInner-User-Name := user at example.com
(10) } # update outer.control = noop
(10) if (!NAS-Port-Type){
(10) if (!NAS-Port-Type) -> FALSE
(10) update control {
(10) &Proxy-To-Realm := REALM-NPS-DEV
(10) } # update control = noop
(10) } # authorize = noop
(10) } # server proxy-inner-tunnel
(10) Virtual server sending reply
(10) eap_peap: Got tunneled reply code 0
(10) eap_peap: Tunnelled authentication will be proxied to REALM-NPS-DEV
(10) eap: WARNING: Tunneled session will be proxied. Not doing EAP
(10) [eap] = handled
(10) if (handled && (Response-Packet-Type == Access-Challenge)) {
(10) EXPAND Response-Packet-Type
(10) -->
(10) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(10) } # Auth-Type eap = handled
(10) Starting proxy to home server 2.2.2.2 port 1812
(10) server default {
(10) # Executing section pre-proxy from file /etc/freeradius/sites-enabled/default
(10) pre-proxy {
(10) attr_filter.pre-proxy: EXPAND %{Realm}
(10) attr_filter.pre-proxy: --> EXAMPLE.COM
(10) attr_filter.pre-proxy: Matched entry DEFAULT at line 50
(10) [attr_filter.pre-proxy] = updated
(10) } # pre-proxy = updated
(10) }
(10) Proxying request to home server 2.2.2.2 port 1812 timeout 20.000000
(10) Sent Access-Request Id 10 from 0.0.0.0:52965 to 2.2.2.2:1812 length 182
(10) Operator-Name := "1EXAMPLE.COM"
(10) EAP-Message = 0x021700061a03
(10) User-Name = "user at example.com"
(10) State = 0x234903010000013700010200825c0e1b0000000000000000000000000000000426d2be04
(10) NAS-IP-Address = 127.0.0.1
(10) Calling-Station-Id := "02-00-00-00-00-01"
(10) NAS-Port-Type = Wireless-802.11
(10) Called-Station-Id := "11-22-33-44-55-66:eduroam"
(10) Message-Authenticator = 0x
(10) Proxy-State = 0x3130
Thread 5 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 1 got semaphore
Thread 1 handling request 10, (3 handled so far)
(10) Received Access-Accept Id 10 from 2.2.2.2:1812 to 1.1.1.1:52965 length 288
(10) Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f
(10) Proxy-State = 0x3130
(10) Class = 0x7374616666
(10) Filter-Id = "staff"
(10) Framed-Protocol = PPP
(10) Service-Type = Framed-User
(10) Tunnel-Medium-Type:0 = IEEE-802
(10) Tunnel-Private-Group-Id:0 = "1874"
(10) Tunnel-Type:0 = VLAN
(10) EAP-Message = 0x03170004
(10) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3
(10) MS-CHAP-Domain = "\001CAMPUS"
(10) MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2
(10) MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d
(10) MS-CHAP2-Success = 0x01533d33444131374638464334373842394132304537414644353430364246394537424135454143454639
(10) Clearing existing &reply: attributes
(10) server default {
(10) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(10) post-proxy {
(10) attr_filter.post-proxy: EXPAND %{Realm}
(10) attr_filter.post-proxy: --> EXAMPLE.COM
(10) attr_filter.post-proxy: Matched entry EXAMPLE.COM at line 102
(10) [attr_filter.post-proxy] = updated
(10) eap: Doing post-proxy callback
(10) eap: Passing reply from proxy back into the tunnel
(10) eap: Got tunneled reply RADIUS code 2
(10) eap: Tunnel-Type := VLAN
(10) eap: Tunnel-Medium-Type := IEEE-802
(10) eap: Message-Authenticator = 0x3b3904ca75e13b85992ee5aa89e1040f
(10) eap: Proxy-State = 0x3130
(10) eap: Class = 0x7374616666
(10) eap: Filter-Id = "staff"
(10) eap: Tunnel-Private-Group-Id:0 = "1874"
(10) eap: EAP-Message = 0x03170004
(10) eap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3
(10) eap: MS-MPPE-Send-Key = 0xe41353497c2ce780e247ce0f7fec7fc2
(10) eap: MS-MPPE-Recv-Key = 0x8f80fbfd47be7ca1597c79b8734fca7d
(10) eap: Tunneled authentication was successful
(10) eap: SUCCESS
(10) eap: Saving tunneled attributes for later
(10) eap: Reply was handled
(10) eap: Sending EAP Request (code 1) ID 24 length 46
(10) eap: EAP session adding &reply:State = 0xafa7dc71a5bfc54b
(10) [eap] = ok
(10) update reply {
(10) EXPAND %{control:locInner-User-Name}
(10) --> user at example.com
(10) &User-Name := user at example.com
(10) } # update reply = noop
(10) } # post-proxy = updated
(10) }
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found. Ignoring.
(10) # Executing group from file /etc/freeradius/sites-enabled/default
(10) Sent Access-Challenge Id 10 from 127.0.0.1:1812 to 127.0.0.1:58298 length 129
(10) EAP-Message = 0x0118002e1900170303002364f52ed12ea54c9150459e4e53ee9a1964caff39307afe7fd675169c4441eb576e296d
(10) Message-Authenticator = 0x00000000000000000000000000000000
(10) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7
(10) User-Name := "user at example.com"
(10) Finished request
Thread 1 waiting to be assigned a request
Waking up in 0.2 seconds.
Thread 3 got semaphore
Thread 3 handling request 11, (3 handled so far)
(11) Received Access-Request Id 11 from 127.0.0.1:58298 to 127.0.0.1:1812 length 218
(11) User-Name = "anonymous at example.com"
(11) NAS-IP-Address = 127.0.0.1
(11) Calling-Station-Id = "02-00-00-00-00-01"
(11) Framed-MTU = 1400
(11) NAS-Port-Type = Wireless-802.11
(11) Service-Type = Framed-User
(11) Connect-Info = "CONNECT 11Mbps 802.11b"
(11) Called-Station-Id = "11-22-33-44-55-66:eduroam"
(11) EAP-Message = 0x0218002e1900170303002375b785dd798fea1648f80b27505bfdcc3aee84a9d6f597fb136533ecc2664fea510e2d
(11) State = 0xafa7dc71a5bfc54bd50cde17df51e2b7
(11) Message-Authenticator = 0xeeb433c0442a232b09f02b69f261123b
(11) session-state: No cached attributes for server default
(11) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(11) authorize {
(11) policy rewrite_called_station_id {
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) -> TRUE
(11) if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) {
(11) update request {
(11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> 11-22-33-44-55-66
(11) &Called-Station-Id := 11-22-33-44-55-66
(11) } # update request = noop
(11) if ("%{8}") {
(11) EXPAND %{8}
(11) --> eduroam
(11) if ("%{8}") -> TRUE
(11) if ("%{8}") {
(11) update request {
(11) EXPAND %{8}
(11) --> eduroam
(11) &Called-Station-SSID := eduroam
(11) EXPAND %{Called-Station-Id}:%{8}
(11) --> 11-22-33-44-55-66:eduroam
(11) &Called-Station-Id := 11-22-33-44-55-66:eduroam
(11) } # update request = noop
(11) } # if ("%{8}") = noop
(11) [updated] = updated
(11) } # if (&Called-Station-Id && (&Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_called_station_id = updated
(11) policy rewrite_calling_station_id {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(11) update request {
(11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(11) --> 02-00-00-00-00-01
(11) &Calling-Station-Id := 02-00-00-00-00-01
(11) EXPAND %{toupper:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(11) --> 02:00:00:00:00:01
(11) &locMacAuth-Calling-Station-Id := 02:00:00:00:00:01
(11) } # update request = noop
(11) [updated] = updated
(11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(11) ... skipping else: Preceding "if" was taken
(11) } # policy rewrite_calling_station_id = updated
(11) if (Service-Type == Call-Check) {
(11) if (Service-Type == Call-Check) -> FALSE
(11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) {
(11) EXPAND Packet-Src-IP-Address
(11) --> 127.0.0.1
(11) EXPAND Packet-Src-IP-Address
(11) --> 127.0.0.1
(11) if (Packet-Src-IP-Address == 130.59.31.24 || Packet-Src-IP-Address == 130.59.31.25) -> FALSE
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i) -> TRUE
(11) if (NAS-Port-Type =~ /Wireless-802\.11/i) {
(11) if (EAP-Message) {
(11) if (EAP-Message) -> TRUE
(11) if (EAP-Message) {
(11) policy filter_username {
(11) if (&User-Name) {
(11) if (&User-Name) -> TRUE
(11) if (&User-Name) {
(11) if (&User-Name =~ / /) {
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@[^@]*@/ ) {
(11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(11) if (&User-Name =~ /\.\./ ) {
(11) if (&User-Name =~ /\.\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(11) if (&User-Name =~ /\.$/) {
(11) if (&User-Name =~ /\.$/) -> FALSE
(11) if (&User-Name =~ /@\./) {
(11) if (&User-Name =~ /@\./) -> FALSE
(11) } # if (&User-Name) = updated
(11) } # policy filter_username = updated
(11) suffix: Checking for suffix after "@"
(11) suffix: Looking up realm "EXAMPLE.COM" for User-Name = "anonymous at example.com"
(11) suffix: Found realm "EXAMPLE.COM"
(11) suffix: Adding Realm = "EXAMPLE.COM"
(11) suffix: Authentication realm is LOCAL
(11) [suffix] = ok
(11) policy deny_no_realm {
(11) if (User-Name && (User-Name !~ /@/)) {
(11) if (User-Name && (User-Name !~ /@/)) -> FALSE
(11) } # policy deny_no_realm = updated
(11) update request {
(11) EXPAND %{toupper:%{Realm}}
(11) --> EXAMPLE.COM
(11) Realm := EXAMPLE.COM
(11) } # update request = noop
(11) eap: Peer sent EAP Response (code 2) ID 24 length 46
(11) eap: Continuing tunnel setup
(11) [eap] = ok
(11) } # if (EAP-Message) = ok
(11) } # if (NAS-Port-Type =~ /Wireless-802\.11/i) = ok
(11) } # authorize = updated
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/freeradius/sites-enabled/default
(11) Auth-Type eap {
(11) eap: Removing EAP session with state 0xafa7dc71a5bfc54b
(11) eap: Previous EAP request found for state 0xafa7dc71a5bfc54b, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: (TLS) EAP Done initial handshake
(11) eap_peap: Session established. Decoding tunneled attributes
(11) eap_peap: PEAP state send tlv success
(11) eap_peap: Received EAP-TLV response
(11) eap_peap: Success
(11) eap_peap: Using saved attributes from the original Access-Accept
(11) eap_peap: Tunnel-Type := VLAN
(11) eap_peap: Tunnel-Medium-Type := IEEE-802
(11) eap_peap: Class = 0x7374616666
(11) eap_peap: Filter-Id = "staff"
(11) eap_peap: Tunnel-Private-Group-Id:0 = "1874"
(11) eap_peap: Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3
(11) eap: Sending EAP Success (code 3) ID 24 length 4
(11) eap: Freeing handler
(11) [eap] = ok
(11) if (handled && (Response-Packet-Type == Access-Challenge)) {
(11) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
(11) } # Auth-Type eap = ok
(11) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(11) post-auth {
(11) update control {
(11) &Tmp-String-0 := "default > post-auth{}"
(11) EXPAND %{control:locInner-User-Name}
(11) -->
(11) &Tmp-String-1 :=
(11) } # update control = noop
(11) update {
(11) No attributes updated for RHS &session-state
(11) } # update = noop
(11) if (Service-Type == Call-Check) {
(11) if (Service-Type == Call-Check) -> FALSE
(11) else {
(11) 802.1x_auth_log: EXPAND %t : AuthZ: (%I) %{reply:Packet-Type}: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} operator-name %{%{request:Operator-Name}:-Unknown})
(11) 802.1x_auth_log: --> Sun Nov 9 10:57:40 2025 : AuthZ: (11) Access-Accept: [anonymous at example.com] TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=11-22-33-44-55-66:eduroam Filter-ID=staff VLAN=1874 Class=0x7374616666 (from client localhost port 0 operator-name Unknown)
(11) 802.1x_auth_log: EXPAND /var/log/freeradius/802.1x_auth.log
(11) 802.1x_auth_log: --> /var/log/freeradius/802.1x_auth.log
(11) [802.1x_auth_log] = ok
(11) } # else = ok
(11) policy remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message) {
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else {
(11) [noop] = noop
(11) } # else = noop
(11) } # policy remove_reply_message_if_eap = noop
(11) } # post-auth = ok
(11) Login OK: [anonymous at example.com] (from client localhost port 0 cli 02-00-00-00-00-01)
(11) Sent Access-Accept Id 11 from 127.0.0.1:1812 to 127.0.0.1:58298 length 258
(11) Tunnel-Type := VLAN
(11) Tunnel-Medium-Type := IEEE-802
(11) Class = 0x7374616666
(11) Filter-Id = "staff"
(11) Tunnel-Private-Group-Id:0 = "1874"
(11) Class = 0x5b8106ab0000013700010200825c0e1b00000000000000000000000001db980ee94295bf00000000006163a3
(11) MS-MPPE-Recv-Key = 0x9c49947d9239922ada70a14065fecc71f6487bda63c2f67f716bbe8a8dc2f9b3
(11) MS-MPPE-Send-Key = 0x9d0edd62febaf77bed0007c64bb759a21903395c4ecd9524717aeb8cfd3cd9bd
(11) EAP-Message = 0x03180004
(11) Message-Authenticator = 0x00000000000000000000000000000000
(11) User-Name = "anonymous at example.com"
(11) Finished request