FreeRADIUS RadSec TCP connection plateau at 505
Tayyab Elahi
tayyab.elahi at emumba.com
Wed Apr 22 10:37:09 UTC 2026
Hi all,
We're running FreeRADIUS 3.x as a RadSec terminator (TLS/TCP on port 2083)
in a Linux container, and we hit a hard ceiling at ~505 concurrent TLS
connections. Looking for guidance on the recommended path forward.
*Symptom (full logs attached):*
Every new connection above ~505 is rejected.
*Root cause: *The #ifndef HAVE_KQUEUE branch in event.c uses select() +
fd_set. On glibc, FD_SETSIZE and __FD_SETSIZE are hard-coded to 1024 in
<bits/typesizes.h>, and sizeof(fd_set) is 128 bytes (1024 bits). Since each
RadSec peer holds a persistent TCP FD, we run out at ~1000.
*What we tried (none of it gets past 1024):*
1. Raised FR_EV_MAX_FDS 512 → 2048 (event.c)
2. Raised MAX_SOCKETS 1024 → 2048 (packet.c)
3. Added -DFD_SETSIZE=65536 to CFLAGS — verified as a no-op: glibc redefines
4. FD_SETSIZE back to 1024 in <sys/select.h>, and sizeof(fd_set) stays 128
bytes
5. Raised ulimit -n / LimitNOFILE to 65536
6. Raised max_connections on the listener and per client
*Questions:*
1. Is there any supported way on v3.x to use an event backend other than
select() on Linux? I see the kqueue branch but no epoll branch.
2. Does upgrading to v4 solve this — i.e., can v4 handle 5k–10k concurrent
RadSec sessions on Linux out of the box?
3. Would an epoll backend patch for v3 (new #elif defined(HAVE_EPOLL)
branch in event.c, replacing fd_set with an fd-indexed array) be of
interest upstream, or is that out of scope for v3 maintenance?
4. Any deployment patterns people use to stretch v3 further, beyond tight
idle_timeout / lifetime / cleanup_delay and sharding across multiple FR
instances?
*Environment:*
- FreeRADIUS 3.x (event.c commit 92ab704b)
- Linux, glibc (Debian-based container), Kubernetes
- Single radiusd process, multi-threaded
- TLS listener on 0.0.0.0:2083, virtual-server=radius-tls
- ~1000 long-lived RadSec sessions at steady state
- Container confirms __FD_SETSIZE=1024, sizeof(fd_set)=128
Logs attached. Any pointers appreciated.
Thanks,
Tayyab Elahi
-------------- next part --------------
2026-04-21T12:18:12.173691020Z (160271) Cleaning up request packet ID 124 with timestamp +4272 due to cleanup_delay was reached
2026-04-21T12:18:12.173718111Z (160268) Cleaning up request packet ID 176 with timestamp +4272 due to cleanup_delay was reached
2026-04-21T12:18:12.180389726Z (160266) Cleaning up request packet ID 73 with timestamp +4272 due to cleanup_delay was reached
2026-04-21T12:18:12.210286633Z (160284) Cleaning up request packet ID 201 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.211071996Z (160285) Cleaning up request packet ID 29 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.212767565Z (160286) Cleaning up request packet ID 85 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.224408476Z (160287) Cleaning up request packet ID 135 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.290352574Z (160288) Cleaning up request packet ID 123 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.294906553Z (160289) Cleaning up request packet ID 45 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.299232558Z (160290) Cleaning up request packet ID 111 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.327891032Z (160291) Cleaning up request packet ID 109 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.328580024Z (160294) Cleaning up request packet ID 31 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.334466956Z (160292) Cleaning up request packet ID 66 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.335162918Z (160296) Cleaning up request packet ID 7 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.341788982Z (160293) Cleaning up request packet ID 82 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.348509799Z (160295) Cleaning up request packet ID 242 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.394148336Z (160297) Cleaning up request packet ID 15 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.397593605Z (160298) Cleaning up request packet ID 94 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.401786167Z (160299) Cleaning up request packet ID 137 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.403783532Z (160300) Cleaning up request packet ID 233 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.408601756Z (160301) Cleaning up request packet ID 86 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.409571823Z (160302) Cleaning up request packet ID 86 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.423089736Z (160303) Cleaning up request packet ID 181 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.429912323Z (160304) Cleaning up request packet ID 168 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.433760930Z (160306) Cleaning up request packet ID 123 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.435712133Z (160307) Cleaning up request packet ID 4 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.440151760Z (160309) Cleaning up request packet ID 62 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.496955090Z (160312) Cleaning up request packet ID 179 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.498846663Z (160313) Cleaning up request packet ID 253 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.505908454Z (160314) Cleaning up request packet ID 112 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.506833361Z (160315) Cleaning up request packet ID 211 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.512393126Z (160316) Cleaning up request packet ID 15 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.513691159Z (160317) Cleaning up request packet ID 165 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.527868614Z (160318) Cleaning up request packet ID 179 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.535756440Z (160319) Cleaning up request packet ID 161 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.536828759Z (160320) Cleaning up request packet ID 119 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.540730256Z (160321) Cleaning up request packet ID 28 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.543568695Z (160322) Cleaning up request packet ID 233 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.599389138Z (160323) Cleaning up request packet ID 141 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.600026999Z (160324) Cleaning up request packet ID 246 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.608726179Z (160325) Cleaning up request packet ID 77 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.609847779Z (160326) Cleaning up request packet ID 255 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.613495281Z (160327) Cleaning up request packet ID 25 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.616915530Z (160328) Cleaning up request packet ID 164 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.631442031Z (160329) Cleaning up request packet ID 237 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.640019500Z (160330) Cleaning up request packet ID 20 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.640326325Z (160331) Cleaning up request packet ID 175 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.644445706Z (160332) Cleaning up request packet ID 178 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.646971380Z (160333) Cleaning up request packet ID 249 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.711715967Z (160336) Cleaning up request packet ID 1 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.714483035Z (160337) Cleaning up request packet ID 128 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.714745659Z (160334) Cleaning up request packet ID 83 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.715646105Z (160335) Cleaning up request packet ID 154 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.719688724Z (160310) Cleaning up request packet ID 211 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.720341686Z (160339) Cleaning up request packet ID 45 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.725227230Z (160338) Cleaning up request packet ID 89 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.728559337Z (160311) Cleaning up request packet ID 5 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.728957994Z (160308) Cleaning up request packet ID 35 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.734915897Z (160340) Cleaning up request packet ID 28 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.741340598Z (160305) Cleaning up request packet ID 11 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.744233749Z (160341) Cleaning up request packet ID 44 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.747816051Z (160343) Cleaning up request packet ID 198 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.755975542Z (160342) Cleaning up request packet ID 182 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.763254248Z (160344) Cleaning up request packet ID 45 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.826707723Z (160346) Cleaning up request packet ID 143 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.833069342Z (160348) Cleaning up request packet ID 46 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.840004562Z (160349) Cleaning up request packet ID 69 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.850061455Z (160351) Cleaning up request packet ID 27 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.860321524Z (160352) Cleaning up request packet ID 178 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.867838713Z (160353) Cleaning up request packet ID 131 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:12.867851503Z Waking up in 0.3 seconds.
2026-04-21T12:18:13.181882483Z (160362) Cleaning up request packet ID 159 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.184170732Z (160363) Cleaning up request packet ID 166 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.184640840Z (160364) Cleaning up request packet ID 136 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.187260805Z (160365) Cleaning up request packet ID 151 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.193807799Z (160366) Cleaning up request packet ID 166 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.198499080Z (160367) Cleaning up request packet ID 20 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.284150768Z (160368) Cleaning up request packet ID 39 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.287476575Z (160369) Cleaning up request packet ID 122 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.287899852Z (160370) Cleaning up request packet ID 21 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.292332779Z (160371) Cleaning up request packet ID 98 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.297826744Z (160372) Cleaning up request packet ID 222 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.302932892Z (160373) Cleaning up request packet ID 166 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.362471259Z (160357) Cleaning up request packet ID 133 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.375791380Z (160358) Cleaning up request packet ID 91 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.378630509Z (160356) Cleaning up request packet ID 162 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.378842183Z (160361) Cleaning up request packet ID 107 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.379894061Z (160359) Cleaning up request packet ID 5 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.384984729Z (160374) Cleaning up request packet ID 4 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.387682255Z (160355) Cleaning up request packet ID 216 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.388641142Z (160375) Cleaning up request packet ID 50 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.389738190Z (160376) Cleaning up request packet ID 28 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.395949468Z (160377) Cleaning up request packet ID 184 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.400611038Z (160378) Cleaning up request packet ID 196 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.406298126Z (160379) Cleaning up request packet ID 124 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.443734182Z (160350) Cleaning up request packet ID 182 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.444022237Z (160345) Cleaning up request packet ID 150 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.458375515Z (160354) Cleaning up request packet ID 196 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.463642576Z (160360) Cleaning up request packet ID 174 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.470430582Z (160347) Cleaning up request packet ID 208 with timestamp +4273 due to cleanup_delay was reached
2026-04-21T12:18:13.486110784Z (160380) Cleaning up request packet ID 72 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.489666546Z (160381) Cleaning up request packet ID 215 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.491651740Z (160382) Cleaning up request packet ID 54 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.499932572Z (160383) Cleaning up request packet ID 39 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.503271020Z (160384) Cleaning up request packet ID 140 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.509600579Z (160385) Cleaning up request packet ID 87 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.565207699Z ... new connection request on TCP socket
2026-04-21T12:18:13.565239819Z Listening on auth+acct from client (10.60.43.16, 31062) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:13.565245439Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (10.60.43.16, 31062) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:13.565301880Z ... shutting down socket auth+acct from client (10.60.43.16, 31062) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:13.565310711Z ... cleaning up socket auth+acct from client (10.60.43.16, 31062) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:13.600100192Z (160386) Cleaning up request packet ID 82 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.606605074Z (160387) Cleaning up request packet ID 51 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.612783470Z (160388) Cleaning up request packet ID 39 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.619766311Z (160389) Cleaning up request packet ID 223 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.627075856Z (160390) Cleaning up request packet ID 69 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.634418223Z (160391) Cleaning up request packet ID 114 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.634429543Z Waking up in 0.1 seconds.
2026-04-21T12:18:13.634924092Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=120, length=163
2026-04-21T12:18:13.634998433Z Threads: deleting 1 spare out of 11 spares
2026-04-21T12:18:13.635006973Z Waking up in 0.1 seconds.
2026-04-21T12:18:13.635017523Z Thread 579 got semaphore
2026-04-21T12:18:13.635021843Z Thread 575 got semaphore
2026-04-21T12:18:13.635026413Z Thread 579 handling request 160536, (28 handled so far)
2026-04-21T12:18:13.635048624Z (160536) Received Access-Request Id 120 from 18.199.175.245:37301 to 0.0.0.0:2083 length 163
2026-04-21T12:18:13.635052974Z (160536) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:13.635056894Z (160536) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:13.635061054Z (160536) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:13.635065114Z (160536) Framed-MTU = 1400
2026-04-21T12:18:13.635068744Z (160536) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:13.635076504Z (160536) Service-Type = Framed-User
2026-04-21T12:18:13.635080564Z (160536) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:13.635084314Z (160536) EAP-Message = 0x02d4001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:13.635088644Z (160536) Message-Authenticator = 0x7cbbc644961ae5b3400d26712b47bcc9
2026-04-21T12:18:13.635093044Z (160536) Proxy-State = 0x30
2026-04-21T12:18:13.635097475Z (160536) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.635101675Z (160536) authorize {
2026-04-21T12:18:13.635106405Z (160536) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.635115835Z Thread 575 waiting to be assigned a request
2026-04-21T12:18:13.635119825Z (160536) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:13.635123815Z (160536) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.635127595Z (160536) update request {
2026-04-21T12:18:13.635131425Z (160536) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:13.635139385Z (160536) } # update request = noop
2026-04-21T12:18:13.635143485Z (160536) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:13.635147545Z (160536) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:13.635151396Z (160536) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:13.635155585Z (160536) --> 1343-0-5768143211650
2026-04-21T12:18:13.635163076Z (160536) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:13.635167056Z (160536) else {
2026-04-21T12:18:13.635171046Z (160536) update request {
2026-04-21T12:18:13.635175326Z (160536) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:13.635179476Z (160536) --> 1343-0-5768143211650
2026-04-21T12:18:13.635183276Z (160536) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:13.635186956Z (160536) Request-Origin := "freeradius"
2026-04-21T12:18:13.635194446Z (160536) } # update request = noop
2026-04-21T12:18:13.635198626Z (160536) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.635202406Z (160536) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:13.635209137Z (160536) --> 1343-0-5768143211650
2026-04-21T12:18:13.635213317Z (160536) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:13.635217267Z (160536) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.635224777Z (160536) update request {
2026-04-21T12:18:13.635229107Z (160536) EXPAND %{1}-%{2}
2026-04-21T12:18:13.635232967Z (160536) --> 1343-0
2026-04-21T12:18:13.635237127Z (160536) Owner-Org-Id := 1343-0
2026-04-21T12:18:13.635241097Z (160536) } # update request = noop
2026-04-21T12:18:13.635245047Z (160536) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:13.635253817Z (160536) if (&EAP-Message) {
2026-04-21T12:18:13.635257717Z (160536) if (&EAP-Message) -> TRUE
2026-04-21T12:18:13.635261687Z (160536) if (&EAP-Message) {
2026-04-21T12:18:13.635265587Z (160536) update control {
2026-04-21T12:18:13.635269458Z (160536) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:13.635273478Z (160536) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.635277648Z (160536) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.635281818Z (160536) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:13.635290578Z (160536) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.635294758Z (160536) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.635301108Z (160536) } # update control = noop
2026-04-21T12:18:13.635314298Z (160536) eap: Peer sent EAP Response (code 2) ID 212 length 28
2026-04-21T12:18:13.635318418Z (160536) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:13.635322468Z (160536) [eap] = ok
2026-04-21T12:18:13.635338879Z (160536) } # if (&EAP-Message) = ok
2026-04-21T12:18:13.635343629Z (160536) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:13.635347989Z (160536) } # else = ok
2026-04-21T12:18:13.635352059Z (160536) } # authorize = ok
2026-04-21T12:18:13.635356269Z (160536) Found Auth-Type = EAP
2026-04-21T12:18:13.635360699Z (160536) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.635365129Z (160536) Auth-Type EAP {
2026-04-21T12:18:13.635369649Z (160536) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:13.635373529Z (160536) eap: Using default_eap_type = TTLS
2026-04-21T12:18:13.635379629Z (160536) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:13.635384040Z (160536) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:13.635399300Z (160536) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:13.638162167Z (160536) eap: Sending EAP Request (code 1) ID 213 length 6
2026-04-21T12:18:13.638169957Z (160536) eap: EAP session adding &reply:State = 0x926ab90b92bface7
2026-04-21T12:18:13.638174108Z (160536) [eap] = handled
2026-04-21T12:18:13.638177858Z (160536) } # Auth-Type EAP = handled
2026-04-21T12:18:13.638181308Z (160536) Using Post-Auth-Type Challenge
2026-04-21T12:18:13.638185068Z (160536) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:13.638188708Z (160536) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.638192148Z (160536) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:13.638195988Z (160536) Framed-MTU = 994
2026-04-21T12:18:13.638198428Z (160536) Sent Access-Challenge Id 120 from 0.0.0.0:2083 to 18.199.175.245:37301 length 67
2026-04-21T12:18:13.638200608Z (160536) EAP-Message = 0x01d500061520
2026-04-21T12:18:13.638202848Z (160536) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:13.638216108Z (160536) State = 0x926ab90b92bface7b033bb0fbadac5ce
2026-04-21T12:18:13.638226318Z (160536) Proxy-State = 0x30
2026-04-21T12:18:13.638229629Z (160536) Finished request
2026-04-21T12:18:13.638233229Z Thread 579 waiting to be assigned a request
2026-04-21T12:18:13.741985640Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=209, length=343
2026-04-21T12:18:13.742022190Z Thread 568 got semaphore
2026-04-21T12:18:13.742027290Z Thread 568 handling request 160537, (85 handled so far)
2026-04-21T12:18:13.742095611Z (160537) Received Access-Request Id 209 from 18.199.175.245:37301 to 0.0.0.0:2083 length 343
2026-04-21T12:18:13.742101842Z (160537) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:13.742106092Z (160537) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:13.742111112Z (160537) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:13.742115972Z (160537) Framed-MTU = 1400
2026-04-21T12:18:13.742120302Z (160537) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:13.742124232Z (160537) Service-Type = Framed-User
2026-04-21T12:18:13.742128342Z (160537) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:13.742132932Z (160537) EAP-Message = 0x02d500be150016030100b3010000af030363d54b0a0f5e72cad19035a2e64649cb61a3a24ab7820d24ff637cbb99f83681000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:13.742140092Z (160537) State = 0x926ab90b92bface7b033bb0fbadac5ce
2026-04-21T12:18:13.742144542Z (160537) Message-Authenticator = 0x2725bc215a3d8bca37444e5ba87814ac
2026-04-21T12:18:13.742148442Z (160537) Proxy-State = 0x31
2026-04-21T12:18:13.742152412Z (160537) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:13.742156363Z (160537) &session-state:Framed-MTU = 994
2026-04-21T12:18:13.742160533Z (160537) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.742164753Z (160537) authorize {
2026-04-21T12:18:13.742168733Z (160537) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.742172743Z (160537) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:13.742176733Z (160537) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.742180723Z (160537) update request {
2026-04-21T12:18:13.742184633Z (160537) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:13.742188473Z (160537) } # update request = noop
2026-04-21T12:18:13.742192773Z (160537) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:13.742197193Z (160537) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:13.742228124Z (160537) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:13.742232934Z (160537) --> 1343-0-5768143211650
2026-04-21T12:18:13.742236984Z (160537) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:13.742240804Z (160537) else {
2026-04-21T12:18:13.742244624Z (160537) update request {
2026-04-21T12:18:13.742249344Z (160537) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:13.742253134Z (160537) --> 1343-0-5768143211650
2026-04-21T12:18:13.742261544Z (160537) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:13.742265774Z (160537) Request-Origin := "freeradius"
2026-04-21T12:18:13.742288955Z (160537) } # update request = noop
2026-04-21T12:18:13.742292855Z (160537) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.742296905Z (160537) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:13.742300835Z (160537) --> 1343-0-5768143211650
2026-04-21T12:18:13.742304425Z (160537) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:13.742314655Z (160537) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.742319055Z (160537) update request {
2026-04-21T12:18:13.742323105Z (160537) EXPAND %{1}-%{2}
2026-04-21T12:18:13.742327466Z (160537) --> 1343-0
2026-04-21T12:18:13.742331215Z (160537) Owner-Org-Id := 1343-0
2026-04-21T12:18:13.742334946Z (160537) } # update request = noop
2026-04-21T12:18:13.742339196Z (160537) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:13.742343186Z (160537) if (&EAP-Message) {
2026-04-21T12:18:13.742346816Z (160537) if (&EAP-Message) -> TRUE
2026-04-21T12:18:13.742350686Z (160537) if (&EAP-Message) {
2026-04-21T12:18:13.742354346Z (160537) update control {
2026-04-21T12:18:13.742358196Z (160537) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:13.742362416Z (160537) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.742366216Z (160537) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.742369906Z (160537) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:13.742375936Z (160537) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.742380306Z (160537) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.742384007Z (160537) } # update control = noop
2026-04-21T12:18:13.742413007Z (160537) eap: Peer sent EAP Response (code 2) ID 213 length 190
2026-04-21T12:18:13.742418187Z (160537) eap: Continuing tunnel setup
2026-04-21T12:18:13.742422157Z (160537) [eap] = ok
2026-04-21T12:18:13.742426227Z (160537) } # if (&EAP-Message) = ok
2026-04-21T12:18:13.742430187Z (160537) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:13.742434267Z (160537) } # else = ok
2026-04-21T12:18:13.742438347Z (160537) } # authorize = ok
2026-04-21T12:18:13.742442297Z (160537) Found Auth-Type = EAP
2026-04-21T12:18:13.742446177Z (160537) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.742449877Z (160537) Auth-Type EAP {
2026-04-21T12:18:13.742473218Z (160537) eap: Removing EAP session with state 0x926ab90b92bface7
2026-04-21T12:18:13.742477498Z (160537) eap: Previous EAP request found for state 0x926ab90b92bface7, released from the list
2026-04-21T12:18:13.742481378Z (160537) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:13.742485428Z (160537) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:13.742489148Z (160537) eap_ttls: Authenticate
2026-04-21T12:18:13.742492898Z (160537) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:13.742497278Z (160537) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:13.742500989Z (160537) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:13.742504818Z (160537) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:13.742508469Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:13.742512189Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:13.742516019Z (160537) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:13.742529659Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:13.742539389Z (160537) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:13.742543159Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:13.742553759Z (160537) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:13.742557770Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:13.743574157Z (160537) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:13.743580047Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:13.743583627Z (160537) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:13.743587117Z (160537) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:13.743590417Z (160537) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:13.743593697Z (160537) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:13.743596877Z (160537) eap: Sending EAP Request (code 1) ID 214 length 1000
2026-04-21T12:18:13.743600317Z (160537) eap: EAP session adding &reply:State = 0x926ab90b93bcace7
2026-04-21T12:18:13.743603548Z (160537) [eap] = handled
2026-04-21T12:18:13.743606808Z (160537) } # Auth-Type EAP = handled
2026-04-21T12:18:13.743610088Z (160537) Using Post-Auth-Type Challenge
2026-04-21T12:18:13.743613788Z (160537) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:13.743617238Z (160537) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.743620718Z (160537) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:13.743633768Z (160537) Framed-MTU = 994
2026-04-21T12:18:13.743637028Z (160537) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:13.743640148Z (160537) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:13.743643388Z (160537) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:13.743646598Z (160537) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:13.743649548Z (160537) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:13.743655718Z (160537) Sent Access-Challenge Id 209 from 0.0.0.0:2083 to 18.199.175.245:37301 length 1067
2026-04-21T12:18:13.743731780Z (160537) EAP-Message = 0x01d603e815c000000a6d160303003d02000039030318e82cf14c79e295e03d6380989b405a22422413021448ad444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:13.743740970Z (160537) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:13.743745030Z (160537) State = 0x926ab90b93bcace7b033bb0fbadac5ce
2026-04-21T12:18:13.743748990Z (160537) Proxy-State = 0x31
2026-04-21T12:18:13.743752310Z (160537) Finished request
2026-04-21T12:18:13.743755990Z Thread 568 waiting to be assigned a request
2026-04-21T12:18:13.790651180Z (160398) Cleaning up request packet ID 99 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.793567280Z (160399) Cleaning up request packet ID 177 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.803328329Z (160400) Cleaning up request packet ID 18 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.804286795Z (160401) Cleaning up request packet ID 186 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.807694104Z (160402) Cleaning up request packet ID 183 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.810329459Z (160403) Cleaning up request packet ID 120 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.828151818Z (160404) Cleaning up request packet ID 31 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.831060508Z (160405) Cleaning up request packet ID 240 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.831860032Z (160406) Cleaning up request packet ID 249 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.836834167Z (160407) Cleaning up request packet ID 223 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.844696253Z (160408) Cleaning up request packet ID 19 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.845881543Z (160409) Cleaning up request packet ID 139 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.847306378Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=188, length=159
2026-04-21T12:18:13.847314628Z Thread 576 got semaphore
2026-04-21T12:18:13.847319198Z Thread 576 handling request 160538, (41 handled so far)
2026-04-21T12:18:13.847322798Z (160538) Received Access-Request Id 188 from 18.199.175.245:37301 to 0.0.0.0:2083 length 159
2026-04-21T12:18:13.847327128Z (160538) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:13.847330488Z (160538) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:13.847333859Z (160538) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:13.847338159Z (160538) Framed-MTU = 1400
2026-04-21T12:18:13.847344379Z (160538) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:13.847347769Z (160538) Service-Type = Framed-User
2026-04-21T12:18:13.847351179Z (160538) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:13.847354789Z (160538) EAP-Message = 0x02d600061500
2026-04-21T12:18:13.847358279Z (160538) State = 0x926ab90b93bcace7b033bb0fbadac5ce
2026-04-21T12:18:13.847362239Z (160538) Message-Authenticator = 0x9fc10457250c1ecec019aac7221b5474
2026-04-21T12:18:13.847365569Z (160538) Proxy-State = 0x32
2026-04-21T12:18:13.847377619Z (160538) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:13.847381149Z (160538) &session-state:Framed-MTU = 994
2026-04-21T12:18:13.847385159Z (160538) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:13.847391840Z (160538) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:13.847394929Z (160538) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:13.847398330Z (160538) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:13.847401470Z (160538) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:13.847407330Z (160538) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.847410460Z (160538) authorize {
2026-04-21T12:18:13.847418630Z (160538) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.847431160Z (160538) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:13.847434640Z (160538) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.847437870Z (160538) update request {
2026-04-21T12:18:13.847444870Z (160538) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:13.847448201Z (160538) } # update request = noop
2026-04-21T12:18:13.847454370Z (160538) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:13.847457691Z (160538) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:13.847460851Z (160538) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:13.847464291Z (160538) --> 1343-0-5768143211650
2026-04-21T12:18:13.847469881Z (160538) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:13.847473071Z (160538) else {
2026-04-21T12:18:13.847476451Z (160538) update request {
2026-04-21T12:18:13.847491881Z (160538) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:13.847500841Z (160538) --> 1343-0-5768143211650
2026-04-21T12:18:13.847505291Z (160538) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:13.847509311Z (160538) Request-Origin := "freeradius"
2026-04-21T12:18:13.847526572Z (160538) } # update request = noop
2026-04-21T12:18:13.847531032Z (160538) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.847535172Z (160538) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:13.847538872Z (160538) --> 1343-0-5768143211650
2026-04-21T12:18:13.847581293Z (160538) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:13.847586183Z (160538) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.847590643Z (160538) update request {
2026-04-21T12:18:13.847594693Z (160538) EXPAND %{1}-%{2}
2026-04-21T12:18:13.847599023Z (160538) --> 1343-0
2026-04-21T12:18:13.847602963Z (160538) Owner-Org-Id := 1343-0
2026-04-21T12:18:13.847607063Z (160538) } # update request = noop
2026-04-21T12:18:13.847611113Z (160538) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:13.847615093Z (160538) if (&EAP-Message) {
2026-04-21T12:18:13.847619364Z (160538) if (&EAP-Message) -> TRUE
2026-04-21T12:18:13.847633584Z (160538) if (&EAP-Message) {
2026-04-21T12:18:13.847637704Z (160538) update control {
2026-04-21T12:18:13.847663494Z (160538) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:13.847667934Z (160538) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.847672314Z (160538) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.847676374Z (160538) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:13.847680285Z (160538) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.847684445Z (160538) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.847688685Z (160538) } # update control = noop
2026-04-21T12:18:13.847697685Z (160538) eap: Peer sent EAP Response (code 2) ID 214 length 6
2026-04-21T12:18:13.847701735Z (160538) eap: Continuing tunnel setup
2026-04-21T12:18:13.847705675Z (160538) [eap] = ok
2026-04-21T12:18:13.847709655Z (160538) } # if (&EAP-Message) = ok
2026-04-21T12:18:13.847721895Z (160538) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:13.847744035Z (160538) } # else = ok
2026-04-21T12:18:13.847748116Z (160538) } # authorize = ok
2026-04-21T12:18:13.847751786Z (160538) Found Auth-Type = EAP
2026-04-21T12:18:13.847754996Z (160538) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.847758526Z (160538) Auth-Type EAP {
2026-04-21T12:18:13.847761816Z (160538) eap: Removing EAP session with state 0x926ab90b93bcace7
2026-04-21T12:18:13.847765286Z (160538) eap: Previous EAP request found for state 0x926ab90b93bcace7, released from the list
2026-04-21T12:18:13.847768726Z (160538) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:13.847771886Z (160538) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:13.847775446Z (160538) eap_ttls: Authenticate
2026-04-21T12:18:13.847790046Z (160538) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:13.847793667Z (160538) eap: Sending EAP Request (code 1) ID 215 length 1000
2026-04-21T12:18:13.847797176Z (160538) eap: EAP session adding &reply:State = 0x926ab90b90bdace7
2026-04-21T12:18:13.847800736Z (160538) [eap] = handled
2026-04-21T12:18:13.847804317Z (160538) } # Auth-Type EAP = handled
2026-04-21T12:18:13.847807617Z (160538) Using Post-Auth-Type Challenge
2026-04-21T12:18:13.847810997Z (160538) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:13.847814287Z (160538) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.847820977Z (160538) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:13.847824497Z (160538) Framed-MTU = 994
2026-04-21T12:18:13.847827857Z (160538) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:13.847831317Z (160538) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:13.847834567Z (160538) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:13.847837837Z (160538) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:13.847841417Z (160538) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:13.847844997Z (160538) Sent Access-Challenge Id 188 from 0.0.0.0:2083 to 18.199.175.245:37301 length 1067
2026-04-21T12:18:13.847849327Z (160538) EAP-Message = 0x01d703e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:13.847852097Z (160538) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:13.847854288Z (160538) State = 0x926ab90b90bdace7b033bb0fbadac5ce
2026-04-21T12:18:13.847856828Z (160538) Proxy-State = 0x32
2026-04-21T12:18:13.847867078Z (160538) Finished request
2026-04-21T12:18:13.847871068Z Thread 576 waiting to be assigned a request
2026-04-21T12:18:13.893844302Z (160410) Cleaning up request packet ID 65 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.896011029Z (160411) Cleaning up request packet ID 167 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.906640132Z (160412) Cleaning up request packet ID 238 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.906659782Z (160413) Cleaning up request packet ID 233 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.912390771Z (160414) Cleaning up request packet ID 161 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.913395359Z (160415) Cleaning up request packet ID 93 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.922670208Z (160392) Cleaning up request packet ID 193 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.923556694Z (160397) Cleaning up request packet ID 237 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.924096243Z (160395) Cleaning up request packet ID 175 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.935278137Z (160416) Cleaning up request packet ID 190 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.935557452Z (160417) Cleaning up request packet ID 112 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.936282664Z (160393) Cleaning up request packet ID 155 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.937335533Z (160418) Cleaning up request packet ID 162 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.939677493Z (160396) Cleaning up request packet ID 60 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.941760389Z (160419) Cleaning up request packet ID 124 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.947158632Z (160420) Cleaning up request packet ID 6 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.948560826Z (160394) Cleaning up request packet ID 97 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.950349737Z (160421) Cleaning up request packet ID 103 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.951312263Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=31, length=159
2026-04-21T12:18:13.951359424Z Thread 567 got semaphore
2026-04-21T12:18:13.951364294Z Thread 567 handling request 160539, (85 handled so far)
2026-04-21T12:18:13.951432876Z (160539) Received Access-Request Id 31 from 18.199.175.245:37301 to 0.0.0.0:2083 length 159
2026-04-21T12:18:13.951438896Z (160539) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:13.951442176Z (160539) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:13.951445756Z (160539) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:13.951449806Z (160539) Framed-MTU = 1400
2026-04-21T12:18:13.951452306Z (160539) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:13.951454446Z (160539) Service-Type = Framed-User
2026-04-21T12:18:13.951456566Z (160539) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:13.951458656Z (160539) EAP-Message = 0x02d700061500
2026-04-21T12:18:13.951460796Z (160539) State = 0x926ab90b90bdace7b033bb0fbadac5ce
2026-04-21T12:18:13.951463206Z (160539) Message-Authenticator = 0xdae3eb59a44862700bd3bb5b8c9dd917
2026-04-21T12:18:13.951465356Z (160539) Proxy-State = 0x33
2026-04-21T12:18:13.951467556Z (160539) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:13.951469766Z (160539) &session-state:Framed-MTU = 994
2026-04-21T12:18:13.951475706Z (160539) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:13.951477926Z (160539) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:13.951502337Z (160539) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:13.951538957Z (160539) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:13.951544807Z (160539) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:13.951548587Z (160539) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.951552618Z (160539) authorize {
2026-04-21T12:18:13.951556767Z (160539) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.951560298Z (160539) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:13.951563808Z (160539) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:13.951567878Z (160539) update request {
2026-04-21T12:18:13.951571128Z (160539) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:13.951575028Z (160539) } # update request = noop
2026-04-21T12:18:13.951588948Z (160539) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:13.951592458Z (160539) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:13.951604878Z (160539) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:13.951608368Z (160539) --> 1343-0-5768143211650
2026-04-21T12:18:13.951611599Z (160539) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:13.951614888Z (160539) else {
2026-04-21T12:18:13.951619029Z (160539) update request {
2026-04-21T12:18:13.951622419Z (160539) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:13.951624589Z (160539) --> 1343-0-5768143211650
2026-04-21T12:18:13.951626709Z (160539) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:13.951628879Z (160539) Request-Origin := "freeradius"
2026-04-21T12:18:13.951634319Z (160539) } # update request = noop
2026-04-21T12:18:13.951638279Z (160539) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.951641539Z (160539) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:13.951644929Z (160539) --> 1343-0-5768143211650
2026-04-21T12:18:13.951648279Z (160539) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:13.951651549Z (160539) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:13.951654859Z (160539) update request {
2026-04-21T12:18:13.951658549Z (160539) EXPAND %{1}-%{2}
2026-04-21T12:18:13.951661749Z (160539) --> 1343-0
2026-04-21T12:18:13.951665069Z (160539) Owner-Org-Id := 1343-0
2026-04-21T12:18:13.951672509Z (160539) } # update request = noop
2026-04-21T12:18:13.951676060Z (160539) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:13.951679580Z (160539) if (&EAP-Message) {
2026-04-21T12:18:13.951682860Z (160539) if (&EAP-Message) -> TRUE
2026-04-21T12:18:13.951686330Z (160539) if (&EAP-Message) {
2026-04-21T12:18:13.951690070Z (160539) update control {
2026-04-21T12:18:13.951694380Z (160539) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:13.951698450Z (160539) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.951706400Z (160539) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:13.951718660Z (160539) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:13.951722950Z (160539) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.951727010Z (160539) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:13.951731061Z (160539) } # update control = noop
2026-04-21T12:18:13.951735131Z (160539) eap: Peer sent EAP Response (code 2) ID 215 length 6
2026-04-21T12:18:13.951739261Z (160539) eap: Continuing tunnel setup
2026-04-21T12:18:13.951743331Z (160539) [eap] = ok
2026-04-21T12:18:13.951747471Z (160539) } # if (&EAP-Message) = ok
2026-04-21T12:18:13.951752581Z (160539) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:13.951756661Z (160539) } # else = ok
2026-04-21T12:18:13.951765201Z (160539) } # authorize = ok
2026-04-21T12:18:13.951769091Z (160539) Found Auth-Type = EAP
2026-04-21T12:18:13.951773181Z (160539) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.951777391Z (160539) Auth-Type EAP {
2026-04-21T12:18:13.951781082Z (160539) eap: Removing EAP session with state 0x926ab90b90bdace7
2026-04-21T12:18:13.951783651Z (160539) eap: Previous EAP request found for state 0x926ab90b90bdace7, released from the list
2026-04-21T12:18:13.951801692Z (160539) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:13.951806652Z (160539) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:13.951810562Z (160539) eap_ttls: Authenticate
2026-04-21T12:18:13.951814382Z (160539) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:13.951818242Z (160539) eap: Sending EAP Request (code 1) ID 216 length 699
2026-04-21T12:18:13.951822002Z (160539) eap: EAP session adding &reply:State = 0x926ab90b91b2ace7
2026-04-21T12:18:13.951825942Z (160539) [eap] = handled
2026-04-21T12:18:13.951830312Z (160539) } # Auth-Type EAP = handled
2026-04-21T12:18:13.951834442Z (160539) Using Post-Auth-Type Challenge
2026-04-21T12:18:13.951843143Z (160539) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:13.951847212Z (160539) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:13.951851273Z (160539) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:13.951855583Z (160539) Framed-MTU = 994
2026-04-21T12:18:13.951859573Z (160539) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:13.951863623Z (160539) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:13.951867353Z (160539) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:13.951871013Z (160539) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:13.951874503Z (160539) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:13.951882093Z (160539) Sent Access-Challenge Id 31 from 0.0.0.0:2083 to 18.199.175.245:37301 length 764
2026-04-21T12:18:13.951886853Z (160539) EAP-Message = 0x01d802bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:13.951896273Z (160539) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:13.951899633Z (160539) State = 0x926ab90b91b2ace7b033bb0fbadac5ce
2026-04-21T12:18:13.951901824Z (160539) Proxy-State = 0x33
2026-04-21T12:18:13.951955154Z (160539) Finished request
2026-04-21T12:18:13.951960634Z Thread 567 waiting to be assigned a request
2026-04-21T12:18:13.996949781Z (160422) Cleaning up request packet ID 141 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:13.997252687Z (160423) Cleaning up request packet ID 219 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:14.007665426Z (160424) Cleaning up request packet ID 108 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:14.008324717Z (160425) Cleaning up request packet ID 128 with timestamp +4274 due to cleanup_delay was reached
2026-04-21T12:18:14.015058843Z (160426) Cleaning up request packet ID 56 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.015518411Z (160427) Cleaning up request packet ID 198 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.038677751Z (160428) Cleaning up request packet ID 142 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.041120894Z (160429) Cleaning up request packet ID 81 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.041381538Z (160430) Cleaning up request packet ID 87 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.044838808Z (160431) Cleaning up request packet ID 39 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.048732055Z (160432) Cleaning up request packet ID 74 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.053867754Z (160433) Cleaning up request packet ID 233 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.058970512Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=61, length=252
2026-04-21T12:18:14.058978742Z Threads: deleting 1 spare out of 11 spares
2026-04-21T12:18:14.059065003Z Thread 562 got semaphore
2026-04-21T12:18:14.059071413Z Thread 562 handling request 160540, (86 handled so far)
2026-04-21T12:18:14.059075183Z Thread 570 got semaphore
2026-04-21T12:18:14.059079723Z Thread 570 waiting to be assigned a request
2026-04-21T12:18:14.059089924Z (160540) Received Access-Request Id 61 from 18.199.175.245:37301 to 0.0.0.0:2083 length 252
2026-04-21T12:18:14.059092864Z (160540) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.059095494Z (160540) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.059098134Z (160540) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:14.059101324Z (160540) Framed-MTU = 1400
2026-04-21T12:18:14.059103974Z (160540) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.059106604Z (160540) Service-Type = Framed-User
2026-04-21T12:18:14.059123734Z (160540) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.059129184Z (160540) EAP-Message = 0x02d8006315001603030025100000212013d0377afbd57fd9dc13f21539d311acb1224d51b0cc76bef58ca2e1d4cc215a14030300010116030300280fa05981c0b3f9d2d9e015be9a6da4030ec280df6d828851abd02a00b191be54eb050b3ea41cf805
2026-04-21T12:18:14.059149075Z (160540) State = 0x926ab90b91b2ace7b033bb0fbadac5ce
2026-04-21T12:18:14.059155315Z (160540) Message-Authenticator = 0x14c0a35ae783e436d8c4ba3ffaee1926
2026-04-21T12:18:14.059160115Z (160540) Proxy-State = 0x34
2026-04-21T12:18:14.059177785Z (160540) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.059182105Z (160540) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.059186815Z (160540) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.059191036Z (160540) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.059195276Z (160540) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.059199705Z (160540) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.059204296Z (160540) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.059209056Z (160540) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.059216936Z (160540) authorize {
2026-04-21T12:18:14.059221576Z (160540) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.059225776Z (160540) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.059235266Z (160540) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.059239376Z (160540) update request {
2026-04-21T12:18:14.059243426Z (160540) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.059247956Z (160540) } # update request = noop
2026-04-21T12:18:14.059252626Z (160540) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.059257966Z (160540) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.059260697Z (160540) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.059263347Z (160540) --> 1343-0-5768143211650
2026-04-21T12:18:14.059266027Z (160540) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.059268647Z (160540) else {
2026-04-21T12:18:14.059271337Z (160540) update request {
2026-04-21T12:18:14.059277087Z (160540) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.059279817Z (160540) --> 1343-0-5768143211650
2026-04-21T12:18:14.059285267Z (160540) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:14.059289907Z (160540) Request-Origin := "freeradius"
2026-04-21T12:18:14.059294687Z (160540) } # update request = noop
2026-04-21T12:18:14.059298997Z (160540) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.059303297Z (160540) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.059307527Z (160540) --> 1343-0-5768143211650
2026-04-21T12:18:14.059312007Z (160540) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.059316178Z (160540) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.059320508Z (160540) update request {
2026-04-21T12:18:14.059324738Z (160540) EXPAND %{1}-%{2}
2026-04-21T12:18:14.059329008Z (160540) --> 1343-0
2026-04-21T12:18:14.059333198Z (160540) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.059337538Z (160540) } # update request = noop
2026-04-21T12:18:14.059341748Z (160540) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.059354128Z (160540) if (&EAP-Message) {
2026-04-21T12:18:14.059358448Z (160540) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.059374999Z (160540) if (&EAP-Message) {
2026-04-21T12:18:14.059384059Z (160540) update control {
2026-04-21T12:18:14.059388279Z (160540) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.059392099Z (160540) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.059396769Z (160540) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.059401679Z (160540) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.059406019Z (160540) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.059410709Z (160540) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.059414819Z (160540) } # update control = noop
2026-04-21T12:18:14.059419249Z (160540) eap: Peer sent EAP Response (code 2) ID 216 length 99
2026-04-21T12:18:14.059435770Z (160540) eap: Continuing tunnel setup
2026-04-21T12:18:14.059440490Z (160540) [eap] = ok
2026-04-21T12:18:14.059445200Z (160540) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.059449250Z (160540) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.059453580Z (160540) } # else = ok
2026-04-21T12:18:14.059457470Z (160540) } # authorize = ok
2026-04-21T12:18:14.059461490Z (160540) Found Auth-Type = EAP
2026-04-21T12:18:14.059465820Z (160540) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.059470400Z (160540) Auth-Type EAP {
2026-04-21T12:18:14.059473920Z (160540) eap: Removing EAP session with state 0x926ab90b91b2ace7
2026-04-21T12:18:14.059476700Z (160540) eap: Previous EAP request found for state 0x926ab90b91b2ace7, released from the list
2026-04-21T12:18:14.059479340Z (160540) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.059481950Z (160540) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.059491751Z (160540) eap_ttls: Authenticate
2026-04-21T12:18:14.059494511Z (160540) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.059497171Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.059499751Z (160540) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:14.059582302Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:14.059589072Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:14.059598223Z (160540) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.059602892Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:14.059607183Z (160540) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:14.059635853Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:14.068946593Z (160540) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.068958714Z (160540) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:14.068962274Z (160540) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:14.068965344Z (160540) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:14.068968764Z (160540) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.068971844Z (160540) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.069012115Z (160540) eap: Sending EAP Request (code 1) ID 217 length 61
2026-04-21T12:18:14.069016185Z (160540) eap: EAP session adding &reply:State = 0x926ab90b96b3ace7
2026-04-21T12:18:14.069024345Z (160540) [eap] = handled
2026-04-21T12:18:14.069028025Z (160540) } # Auth-Type EAP = handled
2026-04-21T12:18:14.069031545Z (160540) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.069034945Z (160540) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.069038395Z (160540) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.069042215Z (160540) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.069045465Z (160540) Framed-MTU = 994
2026-04-21T12:18:14.069048615Z (160540) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.069051795Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.069055145Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.069058446Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.069061655Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.069064755Z (160540) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.069067726Z (160540) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.069070636Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.069073576Z (160540) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.069076786Z (160540) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.069079806Z (160540) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.069131917Z (160540) Sent Access-Challenge Id 61 from 0.0.0.0:2083 to 18.199.175.245:37301 length 122
2026-04-21T12:18:14.069136937Z (160540) EAP-Message = 0x01d9003d1580000000331403030001011603030028dd0d4c2326e65e6808d491cac1ad88e7ecc811d46f6c0f2549222adb1d0819690196b10fafcd32ea
2026-04-21T12:18:14.069140547Z (160540) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.069144317Z (160540) State = 0x926ab90b96b3ace7b033bb0fbadac5ce
2026-04-21T12:18:14.069148217Z (160540) Proxy-State = 0x34
2026-04-21T12:18:14.069151987Z (160540) Finished request
2026-04-21T12:18:14.069154957Z Thread 562 exiting...
2026-04-21T12:18:14.098606116Z (160434) Cleaning up request packet ID 235 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.098621616Z (160435) Cleaning up request packet ID 20 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.108545217Z (160436) Cleaning up request packet ID 188 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.109718058Z (160437) Cleaning up request packet ID 99 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.116505755Z (160438) Cleaning up request packet ID 117 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.118662042Z (160439) Cleaning up request packet ID 201 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.141814071Z (160440) Cleaning up request packet ID 148 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.145450194Z (160441) Cleaning up request packet ID 203 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.146631155Z (160442) Cleaning up request packet ID 187 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.147764334Z (160443) Cleaning up request packet ID 5 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.150144856Z (160444) Cleaning up request packet ID 160 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.157337090Z (160445) Cleaning up request packet ID 198 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.172910928Z (0) (TLS): Access-Request packet from host 18.199.175.245 port 37301, id=94, length=244
2026-04-21T12:18:14.173023160Z Deleting thread 562
2026-04-21T12:18:14.173029950Z Threads: total/active/spare threads = 20/0/20
2026-04-21T12:18:14.173034190Z Thread 569 got semaphore
2026-04-21T12:18:14.173038390Z Thread 569 handling request 160541, (80 handled so far)
2026-04-21T12:18:14.173090381Z (160541) Received Access-Request Id 94 from 18.199.175.245:37301 to 0.0.0.0:2083 length 244
2026-04-21T12:18:14.173096451Z (160541) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.173099981Z (160541) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.173104082Z (160541) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:14.173108991Z (160541) Framed-MTU = 1400
2026-04-21T12:18:14.173113342Z (160541) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.173117572Z (160541) Service-Type = Framed-User
2026-04-21T12:18:14.173121882Z (160541) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.173131362Z (160541) EAP-Message = 0x02d9005b150017030300500fa05981c0b3f9d32852c068e2e56d9fe914a27b272d9336cfbf7a70f8920c9e56b83c68e4ceef60ac15841eb7fe5639785fa6b73e627613a3803a9197fbdc8ea653d8e87d1c0ac13528cfefd2a946d9
2026-04-21T12:18:14.173135722Z (160541) State = 0x926ab90b96b3ace7b033bb0fbadac5ce
2026-04-21T12:18:14.173140132Z (160541) Message-Authenticator = 0xd03c0a4500aa5a24e82c19757512181d
2026-04-21T12:18:14.173147502Z (160541) Proxy-State = 0x35
2026-04-21T12:18:14.173151882Z (160541) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.173155942Z (160541) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.173161143Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.173173823Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.173178403Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.173182673Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.173186853Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.173191113Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.173195323Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.173199343Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.173203413Z (160541) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.173207673Z (160541) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.173214813Z (160541) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.173219524Z (160541) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.173223904Z (160541) authorize {
2026-04-21T12:18:14.173228374Z (160541) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.173264494Z (160541) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.173270154Z (160541) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.173282405Z (160541) update request {
2026-04-21T12:18:14.173287155Z (160541) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.173291995Z (160541) } # update request = noop
2026-04-21T12:18:14.173296085Z (160541) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.173300075Z (160541) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.173304195Z (160541) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.173308455Z (160541) --> 1343-0-5768143211650
2026-04-21T12:18:14.173313165Z (160541) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.173317705Z (160541) else {
2026-04-21T12:18:14.173379326Z (160541) update request {
2026-04-21T12:18:14.173386856Z (160541) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.173391427Z (160541) --> 1343-0-5768143211650
2026-04-21T12:18:14.173395816Z (160541) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:14.173400356Z (160541) Request-Origin := "freeradius"
2026-04-21T12:18:14.173404327Z (160541) } # update request = noop
2026-04-21T12:18:14.173408417Z (160541) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.173412457Z (160541) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.173416867Z (160541) --> 1343-0-5768143211650
2026-04-21T12:18:14.173421317Z (160541) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.173425657Z (160541) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.173429877Z (160541) update request {
2026-04-21T12:18:14.173434477Z (160541) EXPAND %{1}-%{2}
2026-04-21T12:18:14.173438597Z (160541) --> 1343-0
2026-04-21T12:18:14.173442887Z (160541) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.173447047Z (160541) } # update request = noop
2026-04-21T12:18:14.173451368Z (160541) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.173455908Z (160541) if (&EAP-Message) {
2026-04-21T12:18:14.173460037Z (160541) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.173464338Z (160541) if (&EAP-Message) {
2026-04-21T12:18:14.173468288Z (160541) update control {
2026-04-21T12:18:14.173472778Z (160541) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.173477008Z (160541) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.173480868Z (160541) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.173484778Z (160541) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.173488948Z (160541) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.173495348Z (160541) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.173499868Z (160541) } # update control = noop
2026-04-21T12:18:14.173516098Z (160541) eap: Peer sent EAP Response (code 2) ID 217 length 91
2026-04-21T12:18:14.173520419Z (160541) eap: Continuing tunnel setup
2026-04-21T12:18:14.173524479Z (160541) [eap] = ok
2026-04-21T12:18:14.173528459Z (160541) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.173532519Z (160541) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.173536459Z (160541) } # else = ok
2026-04-21T12:18:14.173546189Z (160541) } # authorize = ok
2026-04-21T12:18:14.173550029Z (160541) Found Auth-Type = EAP
2026-04-21T12:18:14.173553819Z (160541) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.173557769Z (160541) Auth-Type EAP {
2026-04-21T12:18:14.173561749Z (160541) eap: Removing EAP session with state 0x926ab90b96b3ace7
2026-04-21T12:18:14.173565670Z (160541) eap: Previous EAP request found for state 0x926ab90b96b3ace7, released from the list
2026-04-21T12:18:14.173569659Z (160541) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.173573850Z (160541) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.173577810Z (160541) eap_ttls: Authenticate
2026-04-21T12:18:14.173581800Z (160541) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.173596010Z (160541) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:14.173600280Z (160541) eap_ttls: Got tunneled request
2026-04-21T12:18:14.173604150Z (160541) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.173607900Z (160541) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:14.173611880Z (160541) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.173616340Z (160541) eap_ttls: Sending tunneled request
2026-04-21T12:18:14.173620190Z (160541) Virtual server my-inner-tunnel received request
2026-04-21T12:18:14.173623980Z (160541) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.173627760Z (160541) User-Password = <<< secret >>>
2026-04-21T12:18:14.173631720Z (160541) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.173635761Z (160541) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.173648431Z (160541) Calling-Station-Id = "02-7B-00-64-0E-D8"
2026-04-21T12:18:14.173654101Z (160541) Framed-MTU = 1400
2026-04-21T12:18:14.173658181Z (160541) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.173662191Z (160541) Service-Type = Framed-User
2026-04-21T12:18:14.173666531Z (160541) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.173670951Z (160541) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:14.173675381Z (160541) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:14.173678101Z (160541) server my-inner-tunnel {
2026-04-21T12:18:14.173680841Z (160541) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.173683701Z (160541) authorize {
2026-04-21T12:18:14.173686372Z (160541) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.173689052Z (160541) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:14.173691721Z (160541) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.173694422Z (160541) update outer.request {
2026-04-21T12:18:14.173697122Z (160541) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:14.173699742Z (160541) } # update outer.request = noop
2026-04-21T12:18:14.173702442Z (160541) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:14.173705142Z (160541) update request {
2026-04-21T12:18:14.173707792Z (160541) Auth-Endpoint := "auth"
2026-04-21T12:18:14.173710422Z (160541) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:14.173713062Z (160541) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:14.173718022Z (160541) --> 1343-0-5768143211650
2026-04-21T12:18:14.173721772Z (160541) Extreme-VSA-RsCert := 1343-0-5768143211650
2026-04-21T12:18:14.173725172Z (160541) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:14.173731972Z (160541) --> freeradius
2026-04-21T12:18:14.173735322Z (160541) Request-Origin := freeradius
2026-04-21T12:18:14.173739052Z (160541) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:14.173741662Z (160541) --> false
2026-04-21T12:18:14.173751363Z (160541) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:14.173754103Z (160541) } # update request = noop
2026-04-21T12:18:14.173757743Z (160541) update control {
2026-04-21T12:18:14.173761513Z (160541) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:14.173764883Z (160541) Auth-Type = rest
2026-04-21T12:18:14.173768573Z (160541) } # update control = noop
2026-04-21T12:18:14.173772073Z (160541) } # authorize = noop
2026-04-21T12:18:14.173775373Z (160541) Found Auth-Type = rest
2026-04-21T12:18:14.173778963Z (160541) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.173782223Z (160541) Auth-Type REST {
2026-04-21T12:18:14.173785423Z rlm_rest (rest): Reserved connection (143)
2026-04-21T12:18:14.173788853Z (160541) rest: Expanding URI components
2026-04-21T12:18:14.173792043Z (160541) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.173795403Z (160541) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.173798594Z (160541) rest: EXPAND /auth
2026-04-21T12:18:14.173801774Z (160541) rest: --> /auth
2026-04-21T12:18:14.173804954Z (160541) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:14.173818914Z (160541) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:14.173828354Z (160541) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-7B-00-64-0E-D8","tenant-id": "1343-0-5768143211650","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:14.174259181Z (160541) rest: Processing response header
2026-04-21T12:18:14.174268951Z (160541) rest: Status : 100 (Continue)
2026-04-21T12:18:14.174272011Z (160541) rest: Continuing...
2026-04-21T12:18:14.212026054Z (160446) Cleaning up request packet ID 157 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.218982543Z (160447) Cleaning up request packet ID 34 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.225730680Z (160448) Cleaning up request packet ID 75 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.232724690Z (160449) Cleaning up request packet ID 238 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.239708731Z (160450) Cleaning up request packet ID 207 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.246857184Z (160451) Cleaning up request packet ID 184 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.248922810Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=133, length=163
2026-04-21T12:18:14.249016561Z Thread 564 got semaphore
2026-04-21T12:18:14.249023721Z Thread 564 handling request 160542, (94 handled so far)
2026-04-21T12:18:14.249028691Z (160542) Received Access-Request Id 133 from 18.193.75.88:33781 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.249033391Z (160542) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.249037821Z (160542) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.249041761Z (160542) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.249046532Z (160542) Framed-MTU = 1400
2026-04-21T12:18:14.249050492Z (160542) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.249054702Z (160542) Service-Type = Framed-User
2026-04-21T12:18:14.249058682Z (160542) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.249063002Z (160542) EAP-Message = 0x0214001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.249067752Z (160542) Message-Authenticator = 0x85092390294322ab75da3e9e5ec0b224
2026-04-21T12:18:14.249071602Z (160542) Proxy-State = 0x30
2026-04-21T12:18:14.249075712Z (160542) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.249079712Z (160542) authorize {
2026-04-21T12:18:14.249083532Z (160542) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.249087952Z (160542) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.249101262Z (160542) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.249105343Z (160542) update request {
2026-04-21T12:18:14.249109403Z (160542) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.249124493Z (160542) } # update request = noop
2026-04-21T12:18:14.249128553Z (160542) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.249132863Z (160542) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.249140953Z (160542) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.249145653Z (160542) --> 1343-0-5768143211720
2026-04-21T12:18:14.249149543Z (160542) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.249153974Z (160542) else {
2026-04-21T12:18:14.249158123Z (160542) update request {
2026-04-21T12:18:14.249162524Z (160542) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.249166084Z (160542) --> 1343-0-5768143211720
2026-04-21T12:18:14.249170294Z (160542) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.249174334Z (160542) Request-Origin := "freeradius"
2026-04-21T12:18:14.249178484Z (160542) } # update request = noop
2026-04-21T12:18:14.249182294Z (160542) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.249186224Z (160542) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.249190154Z (160542) --> 1343-0-5768143211720
2026-04-21T12:18:14.249194124Z (160542) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.249198334Z (160542) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.249202454Z (160542) update request {
2026-04-21T12:18:14.249206844Z (160542) EXPAND %{1}-%{2}
2026-04-21T12:18:14.249211084Z (160542) --> 1343-0
2026-04-21T12:18:14.249215504Z (160542) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.249220075Z (160542) } # update request = noop
2026-04-21T12:18:14.249224305Z (160542) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.249228465Z (160542) if (&EAP-Message) {
2026-04-21T12:18:14.249232875Z (160542) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.249237085Z (160542) if (&EAP-Message) {
2026-04-21T12:18:14.249249945Z (160542) update control {
2026-04-21T12:18:14.249254795Z (160542) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.249259225Z (160542) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.249263475Z (160542) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.249273705Z (160542) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.249278426Z (160542) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.249282786Z (160542) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.249286946Z (160542) } # update control = noop
2026-04-21T12:18:14.249291776Z (160542) eap: Peer sent EAP Response (code 2) ID 20 length 28
2026-04-21T12:18:14.249296496Z (160542) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.249300486Z (160542) [eap] = ok
2026-04-21T12:18:14.249303156Z (160542) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.249311796Z (160542) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.249316106Z (160542) } # else = ok
2026-04-21T12:18:14.249320566Z (160542) } # authorize = ok
2026-04-21T12:18:14.249324846Z (160542) Found Auth-Type = EAP
2026-04-21T12:18:14.249329326Z (160542) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.249333637Z (160542) Auth-Type EAP {
2026-04-21T12:18:14.249337697Z (160542) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.249341607Z (160542) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.249345747Z (160542) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.249349977Z (160542) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.249373427Z (160542) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.249680203Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=26, length=163
2026-04-21T12:18:14.249688563Z Thread 561 got semaphore
2026-04-21T12:18:14.249693623Z Thread 561 handling request 160543, (88 handled so far)
2026-04-21T12:18:14.249702843Z (160543) Received Access-Request Id 26 from 63.178.227.84:37423 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.249709973Z (160543) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.249714113Z (160543) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.249718233Z (160543) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.249723183Z (160543) Framed-MTU = 1400
2026-04-21T12:18:14.249727583Z (160543) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.249736533Z (160543) Service-Type = Framed-User
2026-04-21T12:18:14.249740624Z (160543) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.249744364Z (160543) EAP-Message = 0x0231001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.249748934Z (160543) Message-Authenticator = 0xefb4448c6d5a2f0fd7629eb86e35a72f
2026-04-21T12:18:14.249753034Z (160543) Proxy-State = 0x30
2026-04-21T12:18:14.249760774Z (160543) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.249765504Z (160543) authorize {
2026-04-21T12:18:14.249769384Z (160543) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.249773234Z (160543) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.249777644Z (160543) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.249781914Z (160543) update request {
2026-04-21T12:18:14.249786014Z (160543) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.249789974Z (160543) } # update request = noop
2026-04-21T12:18:14.249793485Z (160543) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.249796765Z (160543) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.249799975Z (160543) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.249802935Z (160543) --> 1343-0-5768143211642
2026-04-21T12:18:14.249808085Z (160543) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.249811275Z (160543) else {
2026-04-21T12:18:14.249818495Z (160543) update request {
2026-04-21T12:18:14.249836215Z (160543) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.249839835Z (160543) --> 1343-0-5768143211642
2026-04-21T12:18:14.249843225Z (160543) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.249873026Z (160543) Request-Origin := "freeradius"
2026-04-21T12:18:14.249876796Z (160543) } # update request = noop
2026-04-21T12:18:14.249880156Z (160543) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.249883316Z (160543) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.249886136Z (160543) --> 1343-0-5768143211642
2026-04-21T12:18:14.249889006Z (160543) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.249891956Z (160543) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.249895176Z (160543) update request {
2026-04-21T12:18:14.249898416Z (160543) EXPAND %{1}-%{2}
2026-04-21T12:18:14.249901476Z (160543) --> 1343-0
2026-04-21T12:18:14.249904536Z (160543) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.249907516Z (160543) } # update request = noop
2026-04-21T12:18:14.249910596Z (160543) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.249917607Z (160543) if (&EAP-Message) {
2026-04-21T12:18:14.249921107Z (160543) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.249924347Z (160543) if (&EAP-Message) {
2026-04-21T12:18:14.249927437Z (160543) update control {
2026-04-21T12:18:14.249930797Z (160543) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.249933717Z (160543) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.249936837Z (160543) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.249940117Z (160543) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.249943237Z (160543) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.249946157Z (160543) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.249949397Z (160543) } # update control = noop
2026-04-21T12:18:14.249952757Z (160543) eap: Peer sent EAP Response (code 2) ID 49 length 28
2026-04-21T12:18:14.249956067Z (160543) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.249959007Z (160543) [eap] = ok
2026-04-21T12:18:14.249962068Z (160543) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.249965197Z (160543) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.249968448Z (160543) } # else = ok
2026-04-21T12:18:14.249971677Z (160543) } # authorize = ok
2026-04-21T12:18:14.249974838Z (160543) Found Auth-Type = EAP
2026-04-21T12:18:14.249978258Z (160543) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.249981358Z (160543) Auth-Type EAP {
2026-04-21T12:18:14.249989018Z (160543) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.249992368Z (160543) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.249995608Z (160543) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.249998678Z (160543) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.250005778Z (160543) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.252673084Z (160542) eap: Sending EAP Request (code 1) ID 21 length 6
2026-04-21T12:18:14.252686364Z (160542) eap: EAP session adding &reply:State = 0xc331b34ac324a64e
2026-04-21T12:18:14.252690495Z (160542) [eap] = handled
2026-04-21T12:18:14.252694115Z (160542) } # Auth-Type EAP = handled
2026-04-21T12:18:14.252712345Z (160542) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.252715995Z (160542) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.252719385Z (160542) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.252722795Z (160542) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.252726425Z (160542) Framed-MTU = 994
2026-04-21T12:18:14.252740025Z (160542) Sent Access-Challenge Id 133 from 0.0.0.0:2083 to 18.193.75.88:33781 length 67
2026-04-21T12:18:14.252743815Z (160542) EAP-Message = 0x011500061520
2026-04-21T12:18:14.252746875Z (160542) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.252750165Z (160542) State = 0xc331b34ac324a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.252753276Z (160542) Proxy-State = 0x30
2026-04-21T12:18:14.252766726Z (160542) Finished request
2026-04-21T12:18:14.252772726Z Thread 564 waiting to be assigned a request
2026-04-21T12:18:14.252986720Z (160543) eap: Sending EAP Request (code 1) ID 50 length 6
2026-04-21T12:18:14.252993730Z (160543) eap: EAP session adding &reply:State = 0xd26084a0d2529123
2026-04-21T12:18:14.252997580Z (160543) [eap] = handled
2026-04-21T12:18:14.253001200Z (160543) } # Auth-Type EAP = handled
2026-04-21T12:18:14.253004380Z (160543) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.253007720Z (160543) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.253011180Z (160543) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.253014700Z (160543) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.253018190Z (160543) Framed-MTU = 994
2026-04-21T12:18:14.253021670Z (160543) Sent Access-Challenge Id 26 from 0.0.0.0:2083 to 63.178.227.84:37423 length 67
2026-04-21T12:18:14.253025040Z (160543) EAP-Message = 0x013200061520
2026-04-21T12:18:14.253028360Z (160543) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.253036320Z (160543) State = 0xd26084a0d25291238d7986808755bf2d
2026-04-21T12:18:14.253039501Z (160543) Proxy-State = 0x30
2026-04-21T12:18:14.253042330Z (160543) Finished request
2026-04-21T12:18:14.253045281Z Thread 561 exiting...
2026-04-21T12:18:14.253468218Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=25, length=163
2026-04-21T12:18:14.253480268Z Deleting thread 561
2026-04-21T12:18:14.253483588Z Threads: total/active/spare threads = 19/1/18
2026-04-21T12:18:14.253496358Z Thread 566 got semaphore
2026-04-21T12:18:14.253780833Z Thread 566 handling request 160544, (85 handled so far)
2026-04-21T12:18:14.253789883Z (160544) Received Access-Request Id 25 from 63.178.198.32:54907 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.253794123Z (160544) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.253797363Z (160544) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.253800323Z (160544) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.253803944Z (160544) Framed-MTU = 1400
2026-04-21T12:18:14.253807734Z (160544) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.253810984Z (160544) Service-Type = Framed-User
2026-04-21T12:18:14.253813404Z (160544) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.253815544Z (160544) EAP-Message = 0x02e8001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.253817954Z (160544) Message-Authenticator = 0xa691985976f351cb1eeeb2667b82a8ad
2026-04-21T12:18:14.253820104Z (160544) Proxy-State = 0x30
2026-04-21T12:18:14.253822264Z (160544) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.253829084Z (160544) authorize {
2026-04-21T12:18:14.253831254Z (160544) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.253833364Z (160544) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.253835444Z (160544) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.253838384Z (160544) update request {
2026-04-21T12:18:14.253842194Z (160544) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.253845374Z (160544) } # update request = noop
2026-04-21T12:18:14.253850775Z (160544) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.253854324Z (160544) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.253857804Z (160544) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.253861295Z (160544) --> 1343-0-5768143211798
2026-04-21T12:18:14.253864695Z (160544) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.253867045Z (160544) else {
2026-04-21T12:18:14.253869245Z (160544) update request {
2026-04-21T12:18:14.253871835Z (160544) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.253873915Z (160544) --> 1343-0-5768143211798
2026-04-21T12:18:14.253876065Z (160544) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.253878085Z (160544) Request-Origin := "freeradius"
2026-04-21T12:18:14.253880175Z (160544) } # update request = noop
2026-04-21T12:18:14.253882235Z (160544) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.253884435Z (160544) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.253886615Z (160544) --> 1343-0-5768143211798
2026-04-21T12:18:14.253888715Z (160544) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.253890835Z (160544) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.253892915Z (160544) update request {
2026-04-21T12:18:14.253894945Z (160544) EXPAND %{1}-%{2}
2026-04-21T12:18:14.253896995Z (160544) --> 1343-0
2026-04-21T12:18:14.253899035Z (160544) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.253901055Z (160544) } # update request = noop
2026-04-21T12:18:14.253903145Z (160544) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.253905205Z (160544) if (&EAP-Message) {
2026-04-21T12:18:14.253907385Z (160544) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.253909645Z (160544) if (&EAP-Message) {
2026-04-21T12:18:14.253911705Z (160544) update control {
2026-04-21T12:18:14.253913856Z (160544) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.253915905Z (160544) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.253917945Z (160544) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.253920096Z (160544) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.253922146Z (160544) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.253924236Z (160544) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.253927806Z (160544) } # update control = noop
2026-04-21T12:18:14.253931406Z (160544) eap: Peer sent EAP Response (code 2) ID 232 length 28
2026-04-21T12:18:14.253934766Z (160544) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.253942016Z (160544) [eap] = ok
2026-04-21T12:18:14.253945426Z (160544) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.253948956Z (160544) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.253952236Z (160544) } # else = ok
2026-04-21T12:18:14.253954376Z (160544) } # authorize = ok
2026-04-21T12:18:14.253956436Z (160544) Found Auth-Type = EAP
2026-04-21T12:18:14.253958486Z (160544) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.253960586Z (160544) Auth-Type EAP {
2026-04-21T12:18:14.253962666Z (160544) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.253964706Z (160544) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.253966846Z (160544) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.253968877Z (160544) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.253971306Z (160544) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.255936630Z (160544) eap: Sending EAP Request (code 1) ID 233 length 6
2026-04-21T12:18:14.255944591Z (160544) eap: EAP session adding &reply:State = 0xc99fadcec976b812
2026-04-21T12:18:14.255948240Z (160544) [eap] = handled
2026-04-21T12:18:14.255951621Z (160544) } # Auth-Type EAP = handled
2026-04-21T12:18:14.255954891Z (160544) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.255957831Z (160544) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.255960641Z (160544) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.255963911Z (160544) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.255967291Z (160544) Framed-MTU = 994
2026-04-21T12:18:14.255970981Z (160544) Sent Access-Challenge Id 25 from 0.0.0.0:2083 to 63.178.198.32:54907 length 67
2026-04-21T12:18:14.255974491Z (160544) EAP-Message = 0x01e900061520
2026-04-21T12:18:14.255977651Z (160544) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.255981181Z (160544) State = 0xc99fadcec976b812a4a9af92aec5119a
2026-04-21T12:18:14.255984461Z (160544) Proxy-State = 0x30
2026-04-21T12:18:14.255993521Z (160544) Finished request
2026-04-21T12:18:14.255996721Z Thread 566 waiting to be assigned a request
2026-04-21T12:18:14.257259763Z (160452) Cleaning up request packet ID 8 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.266234959Z (160454) Cleaning up request packet ID 251 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.272834903Z (160453) Cleaning up request packet ID 80 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.279637380Z (160455) Cleaning up request packet ID 63 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.286802524Z (160456) Cleaning up request packet ID 230 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.294617979Z (160457) Cleaning up request packet ID 154 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.355690233Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=110, length=343
2026-04-21T12:18:14.355720363Z Thread 578 got semaphore
2026-04-21T12:18:14.355725313Z Thread 578 handling request 160545, (30 handled so far)
2026-04-21T12:18:14.355737233Z (160545) Received Access-Request Id 110 from 18.193.75.88:33781 to 0.0.0.0:2083 length 343
2026-04-21T12:18:14.355741913Z (160545) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.355746133Z (160545) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.355776414Z (160545) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.355780544Z (160545) Framed-MTU = 1400
2026-04-21T12:18:14.355784134Z (160545) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.355787344Z (160545) Service-Type = Framed-User
2026-04-21T12:18:14.355792914Z (160545) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.355796974Z (160545) EAP-Message = 0x021500be150016030100b3010000af030328268a998104e5643a6b3eb0c937f46cf1cea9e4c5841b4b9a26c68bd343ffa9000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:14.355800134Z (160545) State = 0xc331b34ac324a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.355803984Z (160545) Message-Authenticator = 0xd2a3d9dd30a2d2e55c6b0df5870361ee
2026-04-21T12:18:14.355807064Z (160545) Proxy-State = 0x31
2026-04-21T12:18:14.355926597Z (160545) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.355932477Z (160545) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.355936087Z (160545) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.355939357Z (160545) authorize {
2026-04-21T12:18:14.355942667Z (160545) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.355945677Z (160545) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.355948697Z (160545) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.355952277Z (160545) update request {
2026-04-21T12:18:14.355955307Z (160545) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.355958177Z (160545) } # update request = noop
2026-04-21T12:18:14.355961047Z (160545) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.355964167Z (160545) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.355967257Z (160545) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.355982107Z (160545) --> 1343-0-5768143211720
2026-04-21T12:18:14.355985747Z (160545) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.355989147Z (160545) else {
2026-04-21T12:18:14.355992768Z (160545) update request {
2026-04-21T12:18:14.355996948Z (160545) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.356000148Z (160545) --> 1343-0-5768143211720
2026-04-21T12:18:14.356003478Z (160545) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.356006748Z (160545) Request-Origin := "freeradius"
2026-04-21T12:18:14.356009878Z (160545) } # update request = noop
2026-04-21T12:18:14.356012898Z (160545) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.356015968Z (160545) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.356018968Z (160545) --> 1343-0-5768143211720
2026-04-21T12:18:14.356022108Z (160545) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.356025338Z (160545) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.356028498Z (160545) update request {
2026-04-21T12:18:14.356032088Z (160545) EXPAND %{1}-%{2}
2026-04-21T12:18:14.356035498Z (160545) --> 1343-0
2026-04-21T12:18:14.356038719Z (160545) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.356046308Z (160545) } # update request = noop
2026-04-21T12:18:14.356049919Z (160545) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.356056199Z (160545) if (&EAP-Message) {
2026-04-21T12:18:14.356059899Z (160545) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.356063139Z (160545) if (&EAP-Message) {
2026-04-21T12:18:14.356066529Z (160545) update control {
2026-04-21T12:18:14.356070289Z (160545) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.356073569Z (160545) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.356076639Z (160545) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.356079709Z (160545) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.356082749Z (160545) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.356086339Z (160545) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.356089519Z (160545) } # update control = noop
2026-04-21T12:18:14.356092479Z (160545) eap: Peer sent EAP Response (code 2) ID 21 length 190
2026-04-21T12:18:14.356095459Z (160545) eap: Continuing tunnel setup
2026-04-21T12:18:14.356098540Z (160545) [eap] = ok
2026-04-21T12:18:14.356101529Z (160545) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.356104540Z (160545) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.356107470Z (160545) } # else = ok
2026-04-21T12:18:14.356110510Z (160545) } # authorize = ok
2026-04-21T12:18:14.356113390Z (160545) Found Auth-Type = EAP
2026-04-21T12:18:14.356116370Z (160545) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.356119370Z (160545) Auth-Type EAP {
2026-04-21T12:18:14.356122450Z (160545) eap: Removing EAP session with state 0xc331b34ac324a64e
2026-04-21T12:18:14.356125460Z (160545) eap: Previous EAP request found for state 0xc331b34ac324a64e, released from the list
2026-04-21T12:18:14.356128390Z (160545) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.356131340Z (160545) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.356134310Z (160545) eap_ttls: Authenticate
2026-04-21T12:18:14.356137320Z (160545) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:14.356140860Z (160545) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:14.356144110Z (160545) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.356158350Z (160545) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:14.356161930Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.356164821Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.356167801Z (160545) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:14.356170951Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:14.356173851Z (160545) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:14.356183661Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:14.356187041Z (160545) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:14.356190031Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:14.356240112Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=60, length=343
2026-04-21T12:18:14.356312533Z Thread 572 got semaphore
2026-04-21T12:18:14.356318393Z Thread 572 handling request 160546, (88 handled so far)
2026-04-21T12:18:14.356337893Z (160546) Received Access-Request Id 60 from 63.178.227.84:37423 to 0.0.0.0:2083 length 343
2026-04-21T12:18:14.356341774Z (160546) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.356351394Z (160546) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.356354614Z (160546) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.356418195Z (160546) Framed-MTU = 1400
2026-04-21T12:18:14.356424265Z (160546) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.356427815Z (160546) Service-Type = Framed-User
2026-04-21T12:18:14.356431065Z (160546) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.356434825Z (160546) EAP-Message = 0x023200be150016030100b3010000af0303c141158c5d87739aa04598feb5dce6f25db3424bf2425315abbfcf8d9e4f621c000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:14.356438095Z (160546) State = 0xd26084a0d25291238d7986808755bf2d
2026-04-21T12:18:14.356441615Z (160546) Message-Authenticator = 0x04fea89ade409e4875a932f4c29e0c6d
2026-04-21T12:18:14.356444855Z (160546) Proxy-State = 0x31
2026-04-21T12:18:14.356448086Z (160546) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.356451215Z (160546) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.356454626Z (160546) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.356457826Z (160546) authorize {
2026-04-21T12:18:14.356460866Z (160546) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.356463936Z (160546) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.356467056Z (160546) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.356469966Z (160546) update request {
2026-04-21T12:18:14.356472996Z (160546) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.356475996Z (160546) } # update request = noop
2026-04-21T12:18:14.356479266Z (160546) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.356482416Z (160546) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.356515297Z (160546) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.356519347Z (160546) --> 1343-0-5768143211642
2026-04-21T12:18:14.356523097Z (160546) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.356526377Z (160546) else {
2026-04-21T12:18:14.356529667Z (160546) update request {
2026-04-21T12:18:14.356533307Z (160546) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.356536277Z (160546) --> 1343-0-5768143211642
2026-04-21T12:18:14.356539467Z (160546) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.356542737Z (160546) Request-Origin := "freeradius"
2026-04-21T12:18:14.356545967Z (160546) } # update request = noop
2026-04-21T12:18:14.356549567Z (160546) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.356552627Z (160546) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.356555957Z (160546) --> 1343-0-5768143211642
2026-04-21T12:18:14.356564037Z (160546) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.356567197Z (160546) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.356570468Z (160546) update request {
2026-04-21T12:18:14.356573748Z (160546) EXPAND %{1}-%{2}
2026-04-21T12:18:14.356576998Z (160546) --> 1343-0
2026-04-21T12:18:14.356580218Z (160546) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.356583258Z (160546) } # update request = noop
2026-04-21T12:18:14.356586598Z (160546) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.356589778Z (160546) if (&EAP-Message) {
2026-04-21T12:18:14.356592918Z (160546) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.356596188Z (160546) if (&EAP-Message) {
2026-04-21T12:18:14.356599418Z (160546) update control {
2026-04-21T12:18:14.356602848Z (160546) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.356606048Z (160546) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.356609428Z (160546) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.356612758Z (160546) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.356615638Z (160546) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.356618789Z (160546) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.356622009Z (160546) } # update control = noop
2026-04-21T12:18:14.356625078Z (160546) eap: Peer sent EAP Response (code 2) ID 50 length 190
2026-04-21T12:18:14.356628238Z (160546) eap: Continuing tunnel setup
2026-04-21T12:18:14.356631559Z (160546) [eap] = ok
2026-04-21T12:18:14.356634789Z (160546) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.356637919Z (160546) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.356641139Z (160546) } # else = ok
2026-04-21T12:18:14.356644499Z (160546) } # authorize = ok
2026-04-21T12:18:14.356647769Z (160546) Found Auth-Type = EAP
2026-04-21T12:18:14.356658279Z (160546) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.356661659Z (160546) Auth-Type EAP {
2026-04-21T12:18:14.356664879Z (160546) eap: Removing EAP session with state 0xd26084a0d2529123
2026-04-21T12:18:14.356668119Z (160546) eap: Previous EAP request found for state 0xd26084a0d2529123, released from the list
2026-04-21T12:18:14.356671489Z (160546) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.356674669Z (160546) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.356678019Z (160546) eap_ttls: Authenticate
2026-04-21T12:18:14.356681339Z (160546) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:14.356685159Z (160546) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:14.356688620Z (160546) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.356698440Z (160546) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:14.356701810Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.356705040Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.356708320Z (160546) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:14.356711560Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:14.356718600Z (160546) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:14.356721940Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:14.356734080Z (160546) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:14.356737740Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:14.357683447Z (160545) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:14.357689607Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:14.357692937Z (160545) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:14.357696657Z (160545) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.357699957Z (160545) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:14.357707257Z (160545) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:14.357710467Z (160545) eap: Sending EAP Request (code 1) ID 22 length 1000
2026-04-21T12:18:14.357713947Z (160545) eap: EAP session adding &reply:State = 0xc331b34ac227a64e
2026-04-21T12:18:14.357717487Z (160545) [eap] = handled
2026-04-21T12:18:14.357720767Z (160545) } # Auth-Type EAP = handled
2026-04-21T12:18:14.357723957Z (160545) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.357727368Z (160545) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.357730877Z (160545) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.357734898Z (160545) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.357738158Z (160545) Framed-MTU = 994
2026-04-21T12:18:14.357741508Z (160545) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.357745248Z (160545) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.357748818Z (160545) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.357755638Z (160545) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.357759198Z (160545) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.357796499Z (160545) Sent Access-Challenge Id 110 from 0.0.0.0:2083 to 18.193.75.88:33781 length 1067
2026-04-21T12:18:14.357814509Z (160545) EAP-Message = 0x011603e815c000000a6d160303003d020000390303b6fb407670c51ca0edd79bd6f30098475be011544f87f49c444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:14.357818229Z (160545) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.357821619Z (160545) State = 0xc331b34ac227a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.357825019Z (160545) Proxy-State = 0x31
2026-04-21T12:18:14.357833289Z (160545) Finished request
2026-04-21T12:18:14.357837039Z Thread 578 waiting to be assigned a request
2026-04-21T12:18:14.358183005Z (160546) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:14.358191365Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:14.358195116Z (160546) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:14.358198286Z (160546) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.358201566Z (160546) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:14.358205006Z (160546) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:14.358207946Z (160546) eap: Sending EAP Request (code 1) ID 51 length 1000
2026-04-21T12:18:14.358210906Z (160546) eap: EAP session adding &reply:State = 0xd26084a0d3539123
2026-04-21T12:18:14.358214156Z (160546) [eap] = handled
2026-04-21T12:18:14.358217506Z (160546) } # Auth-Type EAP = handled
2026-04-21T12:18:14.358220796Z (160546) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.358224246Z (160546) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.358227566Z (160546) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.358230976Z (160546) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.358245846Z (160546) Framed-MTU = 994
2026-04-21T12:18:14.358249677Z (160546) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.358252846Z (160546) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.358256577Z (160546) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.358259887Z (160546) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.358263167Z (160546) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.358266477Z (160546) Sent Access-Challenge Id 60 from 0.0.0.0:2083 to 63.178.227.84:37423 length 1067
2026-04-21T12:18:14.358270717Z (160546) EAP-Message = 0x013303e815c000000a6d160303003d020000390303626215f96b99f415fa69b1112e8c180d14d99f11b85ea6b2444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:14.358274417Z (160546) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.358278117Z (160546) State = 0xd26084a0d35391238d7986808755bf2d
2026-04-21T12:18:14.358281627Z (160546) Proxy-State = 0x31
2026-04-21T12:18:14.358309158Z (160546) Finished request
2026-04-21T12:18:14.358314078Z Thread 572 waiting to be assigned a request
2026-04-21T12:18:14.360633618Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=31, length=343
2026-04-21T12:18:14.360707439Z Thread 573 got semaphore
2026-04-21T12:18:14.360712019Z Thread 573 handling request 160547, (29 handled so far)
2026-04-21T12:18:14.360715259Z (160547) Received Access-Request Id 31 from 63.178.198.32:54907 to 0.0.0.0:2083 length 343
2026-04-21T12:18:14.360718489Z (160547) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.360721699Z (160547) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.360729539Z (160547) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.360732699Z (160547) Framed-MTU = 1400
2026-04-21T12:18:14.360735799Z (160547) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.360739049Z (160547) Service-Type = Framed-User
2026-04-21T12:18:14.360742429Z (160547) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.360746540Z (160547) EAP-Message = 0x02e900be150016030100b3010000af03039ad89c806cbce7fcae77e07bbca60e685c2a2b099475d50dd3ae955c4290e80d000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:14.360750060Z (160547) State = 0xc99fadcec976b812a4a9af92aec5119a
2026-04-21T12:18:14.360753240Z (160547) Message-Authenticator = 0x2d72ae51e96f15f7245ada110f6d347d
2026-04-21T12:18:14.360757260Z (160547) Proxy-State = 0x31
2026-04-21T12:18:14.360760470Z (160547) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.360769010Z (160547) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.360778790Z (160547) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.360783060Z (160547) authorize {
2026-04-21T12:18:14.360787220Z (160547) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.360791460Z (160547) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.360795630Z (160547) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.360837101Z (160547) update request {
2026-04-21T12:18:14.360841701Z (160547) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.360845671Z (160547) } # update request = noop
2026-04-21T12:18:14.360849921Z (160547) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.360854061Z (160547) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.360857942Z (160547) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.360861891Z (160547) --> 1343-0-5768143211798
2026-04-21T12:18:14.360865872Z (160547) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.360869922Z (160547) else {
2026-04-21T12:18:14.360932383Z (160547) update request {
2026-04-21T12:18:14.360937553Z (160547) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.360941553Z (160547) --> 1343-0-5768143211798
2026-04-21T12:18:14.360945683Z (160547) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.360957443Z (160547) Request-Origin := "freeradius"
2026-04-21T12:18:14.360961953Z (160547) } # update request = noop
2026-04-21T12:18:14.360966103Z (160547) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.360970463Z (160547) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.360974624Z (160547) --> 1343-0-5768143211798
2026-04-21T12:18:14.360978704Z (160547) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.360982504Z (160547) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.360986934Z (160547) update request {
2026-04-21T12:18:14.360990784Z (160547) EXPAND %{1}-%{2}
2026-04-21T12:18:14.360994954Z (160547) --> 1343-0
2026-04-21T12:18:14.361013894Z (160547) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.361047415Z (160547) } # update request = noop
2026-04-21T12:18:14.361056835Z (160547) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.361060945Z (160547) if (&EAP-Message) {
2026-04-21T12:18:14.361065015Z (160547) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.361069065Z (160547) if (&EAP-Message) {
2026-04-21T12:18:14.361072995Z (160547) update control {
2026-04-21T12:18:14.361077005Z (160547) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.361080935Z (160547) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.361085395Z (160547) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.361089386Z (160547) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.361093266Z (160547) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.361097255Z (160547) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.361100916Z (160547) } # update control = noop
2026-04-21T12:18:14.361104726Z (160547) eap: Peer sent EAP Response (code 2) ID 233 length 190
2026-04-21T12:18:14.361108416Z (160547) eap: Continuing tunnel setup
2026-04-21T12:18:14.361112256Z (160547) [eap] = ok
2026-04-21T12:18:14.361116396Z (160547) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.361120066Z (160547) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.361123756Z (160547) } # else = ok
2026-04-21T12:18:14.361127586Z (160547) } # authorize = ok
2026-04-21T12:18:14.361131266Z (160547) Found Auth-Type = EAP
2026-04-21T12:18:14.361134966Z (160547) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.361138766Z (160547) Auth-Type EAP {
2026-04-21T12:18:14.361142486Z (160547) eap: Removing EAP session with state 0xc99fadcec976b812
2026-04-21T12:18:14.361146276Z (160547) eap: Previous EAP request found for state 0xc99fadcec976b812, released from the list
2026-04-21T12:18:14.361150116Z (160547) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.361153896Z (160547) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.361157717Z (160547) eap_ttls: Authenticate
2026-04-21T12:18:14.361161467Z (160547) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:14.361165407Z (160547) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:14.361169437Z (160547) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.361187737Z (160547) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:14.361191857Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.361195747Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:14.361199497Z (160547) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:14.361210597Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:14.361214578Z (160547) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:14.361218288Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:14.361222018Z (160547) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:14.361225638Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:14.362296686Z (160547) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:14.362302136Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:14.362305396Z (160547) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:14.362308907Z (160547) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.362312187Z (160547) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:14.362315587Z (160547) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:14.362318747Z (160547) eap: Sending EAP Request (code 1) ID 234 length 1000
2026-04-21T12:18:14.362322147Z (160547) eap: EAP session adding &reply:State = 0xc99fadcec875b812
2026-04-21T12:18:14.362325207Z (160547) [eap] = handled
2026-04-21T12:18:14.362328137Z (160547) } # Auth-Type EAP = handled
2026-04-21T12:18:14.362331467Z (160547) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.362334757Z (160547) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.362337957Z (160547) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.362341397Z (160547) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.362349997Z (160547) Framed-MTU = 994
2026-04-21T12:18:14.362353777Z (160547) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.362357187Z (160547) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.362360647Z (160547) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.362363797Z (160547) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.362367077Z (160547) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.362370457Z (160547) Sent Access-Challenge Id 31 from 0.0.0.0:2083 to 63.178.198.32:54907 length 1067
2026-04-21T12:18:14.362374608Z (160547) EAP-Message = 0x01ea03e815c000000a6d160303003d02000039030387f0310576a63040c7796ce3bc959f40afc9dafdd67f6cda444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:14.362378368Z (160547) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.362381908Z (160547) State = 0xc99fadcec875b812a4a9af92aec5119a
2026-04-21T12:18:14.362385388Z (160547) Proxy-State = 0x31
2026-04-21T12:18:14.362396318Z (160547) Finished request
2026-04-21T12:18:14.362399738Z Thread 573 waiting to be assigned a request
2026-04-21T12:18:14.401090266Z (160470) Cleaning up request packet ID 204 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.403259164Z (160471) Cleaning up request packet ID 251 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.408088547Z (160472) Cleaning up request packet ID 175 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.410402187Z (160473) Cleaning up request packet ID 173 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.460746636Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=21, length=159
2026-04-21T12:18:14.460776056Z Thread 577 got semaphore
2026-04-21T12:18:14.460780836Z Thread 577 handling request 160548, (33 handled so far)
2026-04-21T12:18:14.460792517Z (160548) Received Access-Request Id 21 from 18.193.75.88:33781 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.460796667Z (160548) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.460800117Z (160548) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.460803197Z (160548) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.460806657Z (160548) Framed-MTU = 1400
2026-04-21T12:18:14.460809987Z (160548) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.460813007Z (160548) Service-Type = Framed-User
2026-04-21T12:18:14.460816107Z (160548) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.460819407Z (160548) EAP-Message = 0x021600061500
2026-04-21T12:18:14.460822497Z (160548) State = 0xc331b34ac227a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.460826197Z (160548) Message-Authenticator = 0x37f4a86e1977045eed63da0260cfc864
2026-04-21T12:18:14.460829827Z (160548) Proxy-State = 0x32
2026-04-21T12:18:14.460833017Z (160548) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.460836307Z (160548) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.460840257Z (160548) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.460846648Z (160548) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.460849978Z (160548) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.460853348Z (160548) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.460859868Z (160548) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.460863128Z (160548) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.460866268Z (160548) authorize {
2026-04-21T12:18:14.460869728Z (160548) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.460874928Z (160548) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.460877888Z (160548) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.460880958Z (160548) update request {
2026-04-21T12:18:14.460884418Z (160548) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.460887648Z (160548) } # update request = noop
2026-04-21T12:18:14.460891318Z (160548) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.460894398Z (160548) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.460901289Z (160548) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.460904629Z (160548) --> 1343-0-5768143211720
2026-04-21T12:18:14.460908259Z (160548) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.460911339Z (160548) else {
2026-04-21T12:18:14.460914739Z (160548) update request {
2026-04-21T12:18:14.460918139Z (160548) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.460921239Z (160548) --> 1343-0-5768143211720
2026-04-21T12:18:14.460924389Z (160548) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.460927639Z (160548) Request-Origin := "freeradius"
2026-04-21T12:18:14.460939099Z (160548) } # update request = noop
2026-04-21T12:18:14.460942659Z (160548) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.460946059Z (160548) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.460949459Z (160548) --> 1343-0-5768143211720
2026-04-21T12:18:14.460956290Z (160548) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.460959519Z (160548) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.460962699Z (160548) update request {
2026-04-21T12:18:14.460965840Z (160548) EXPAND %{1}-%{2}
2026-04-21T12:18:14.460969130Z (160548) --> 1343-0
2026-04-21T12:18:14.460972590Z (160548) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.460975960Z (160548) } # update request = noop
2026-04-21T12:18:14.460979330Z (160548) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.460982670Z (160548) if (&EAP-Message) {
2026-04-21T12:18:14.460985860Z (160548) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.460988970Z (160548) if (&EAP-Message) {
2026-04-21T12:18:14.460991950Z (160548) update control {
2026-04-21T12:18:14.460995350Z (160548) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.460998600Z (160548) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.461001800Z (160548) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.461004990Z (160548) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.461012640Z (160548) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.461016120Z (160548) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.461019340Z (160548) } # update control = noop
2026-04-21T12:18:14.461046501Z (160548) eap: Peer sent EAP Response (code 2) ID 22 length 6
2026-04-21T12:18:14.461052791Z (160548) eap: Continuing tunnel setup
2026-04-21T12:18:14.461056191Z (160548) [eap] = ok
2026-04-21T12:18:14.461059581Z (160548) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.461063021Z (160548) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.461066181Z (160548) } # else = ok
2026-04-21T12:18:14.461069301Z (160548) } # authorize = ok
2026-04-21T12:18:14.461072221Z (160548) Found Auth-Type = EAP
2026-04-21T12:18:14.461075141Z (160548) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.461078021Z (160548) Auth-Type EAP {
2026-04-21T12:18:14.461085722Z (160548) eap: Removing EAP session with state 0xc331b34ac227a64e
2026-04-21T12:18:14.461088792Z (160548) eap: Previous EAP request found for state 0xc331b34ac227a64e, released from the list
2026-04-21T12:18:14.461239024Z (160548) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.461244924Z (160548) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.461248844Z (160548) eap_ttls: Authenticate
2026-04-21T12:18:14.461252055Z (160548) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.461254995Z (160548) eap: Sending EAP Request (code 1) ID 23 length 1000
2026-04-21T12:18:14.461258655Z (160548) eap: EAP session adding &reply:State = 0xc331b34ac126a64e
2026-04-21T12:18:14.461261515Z (160548) [eap] = handled
2026-04-21T12:18:14.461264935Z (160548) } # Auth-Type EAP = handled
2026-04-21T12:18:14.461267845Z (160548) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.461274355Z (160548) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.461277505Z (160548) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.461366977Z (160548) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.461372727Z (160548) Framed-MTU = 994
2026-04-21T12:18:14.461376597Z (160548) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.461379627Z (160548) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.461382987Z (160548) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.461386107Z (160548) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.461389257Z (160548) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.461401977Z (160548) Sent Access-Challenge Id 21 from 0.0.0.0:2083 to 18.193.75.88:33781 length 1067
2026-04-21T12:18:14.461415387Z (160548) EAP-Message = 0x011703e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:14.461419098Z (160548) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.461422387Z (160548) State = 0xc331b34ac126a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.461425378Z (160548) Proxy-State = 0x32
2026-04-21T12:18:14.461428487Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=156, length=159
2026-04-21T12:18:14.461434268Z (160548) Finished request
2026-04-21T12:18:14.461437848Z Thread 577 waiting to be assigned a request
2026-04-21T12:18:14.461441438Z Thread 577 got semaphore
2026-04-21T12:18:14.461444738Z Thread 577 handling request 160549, (34 handled so far)
2026-04-21T12:18:14.461448008Z (160549) Received Access-Request Id 156 from 63.178.227.84:37423 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.461451468Z (160549) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.461454808Z (160549) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.461458368Z (160549) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.461461508Z (160549) Framed-MTU = 1400
2026-04-21T12:18:14.461464858Z (160549) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.461478479Z (160549) Service-Type = Framed-User
2026-04-21T12:18:14.461481939Z (160549) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.461485079Z (160549) EAP-Message = 0x023300061500
2026-04-21T12:18:14.461488209Z (160549) State = 0xd26084a0d35391238d7986808755bf2d
2026-04-21T12:18:14.461491539Z (160549) Message-Authenticator = 0x77b7736e251813b491fa407ab89db2c1
2026-04-21T12:18:14.461494869Z (160549) Proxy-State = 0x32
2026-04-21T12:18:14.461498279Z (160549) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.461501489Z (160549) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.461505319Z (160549) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.461517059Z (160549) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.461520459Z (160549) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.461523679Z (160549) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.461527149Z (160549) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.461530369Z (160549) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.461533699Z (160549) authorize {
2026-04-21T12:18:14.461537020Z (160549) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.461540280Z (160549) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.461543760Z (160549) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.461547210Z (160549) update request {
2026-04-21T12:18:14.461550650Z (160549) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.461554020Z (160549) } # update request = noop
2026-04-21T12:18:14.461557160Z (160549) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.461560470Z (160549) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.461563870Z (160549) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.461567190Z (160549) --> 1343-0-5768143211642
2026-04-21T12:18:14.461570490Z (160549) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.461582660Z (160549) else {
2026-04-21T12:18:14.461586300Z (160549) update request {
2026-04-21T12:18:14.461589640Z (160549) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.461593021Z (160549) --> 1343-0-5768143211642
2026-04-21T12:18:14.461596421Z (160549) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.461599741Z (160549) Request-Origin := "freeradius"
2026-04-21T12:18:14.461602730Z (160549) } # update request = noop
2026-04-21T12:18:14.461605951Z (160549) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.461609081Z (160549) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.461612431Z (160549) --> 1343-0-5768143211642
2026-04-21T12:18:14.461615571Z (160549) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.461629191Z (160549) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.461632791Z (160549) update request {
2026-04-21T12:18:14.461635961Z (160549) EXPAND %{1}-%{2}
2026-04-21T12:18:14.461639271Z (160549) --> 1343-0
2026-04-21T12:18:14.461642701Z (160549) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.461646041Z (160549) } # update request = noop
2026-04-21T12:18:14.461649451Z (160549) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.461652702Z (160549) if (&EAP-Message) {
2026-04-21T12:18:14.461656191Z (160549) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.461659622Z (160549) if (&EAP-Message) {
2026-04-21T12:18:14.461662712Z (160549) update control {
2026-04-21T12:18:14.461666002Z (160549) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.461669462Z (160549) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.461676242Z (160549) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.461679292Z (160549) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.461682692Z (160549) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.461685902Z (160549) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.461689352Z (160549) } # update control = noop
2026-04-21T12:18:14.461692192Z (160549) eap: Peer sent EAP Response (code 2) ID 51 length 6
2026-04-21T12:18:14.461694812Z (160549) eap: Continuing tunnel setup
2026-04-21T12:18:14.461698012Z (160549) [eap] = ok
2026-04-21T12:18:14.461701342Z (160549) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.461704322Z (160549) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.461707442Z (160549) } # else = ok
2026-04-21T12:18:14.461710552Z (160549) } # authorize = ok
2026-04-21T12:18:14.461713743Z (160549) Found Auth-Type = EAP
2026-04-21T12:18:14.461716843Z (160549) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.461720153Z (160549) Auth-Type EAP {
2026-04-21T12:18:14.461723493Z (160549) eap: Removing EAP session with state 0xd26084a0d3539123
2026-04-21T12:18:14.461726613Z (160549) eap: Previous EAP request found for state 0xd26084a0d3539123, released from the list
2026-04-21T12:18:14.461729823Z (160549) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.461733493Z (160549) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.461736713Z (160549) eap_ttls: Authenticate
2026-04-21T12:18:14.461740253Z (160549) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.461743813Z (160549) eap: Sending EAP Request (code 1) ID 52 length 1000
2026-04-21T12:18:14.461747203Z (160549) eap: EAP session adding &reply:State = 0xd26084a0d0549123
2026-04-21T12:18:14.461750603Z (160549) [eap] = handled
2026-04-21T12:18:14.461753883Z (160549) } # Auth-Type EAP = handled
2026-04-21T12:18:14.461756993Z (160549) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.461760293Z (160549) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.461763653Z (160549) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.461766853Z (160549) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.461769993Z (160549) Framed-MTU = 994
2026-04-21T12:18:14.461788664Z (160549) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.461792804Z (160549) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.461796154Z (160549) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.461799674Z (160549) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.461802994Z (160549) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.461806284Z (160549) Sent Access-Challenge Id 156 from 0.0.0.0:2083 to 63.178.227.84:37423 length 1067
2026-04-21T12:18:14.461816964Z (160549) EAP-Message = 0x013403e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:14.461824234Z (160549) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.461827845Z (160549) State = 0xd26084a0d05491238d7986808755bf2d
2026-04-21T12:18:14.461831274Z (160549) Proxy-State = 0x32
2026-04-21T12:18:14.461834185Z (160549) Finished request
2026-04-21T12:18:14.461836335Z Thread 577 waiting to be assigned a request
2026-04-21T12:18:14.466990054Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=46, length=159
2026-04-21T12:18:14.467087535Z Thread 565 got semaphore
2026-04-21T12:18:14.467093665Z Thread 565 handling request 160550, (82 handled so far)
2026-04-21T12:18:14.467097745Z (160550) Received Access-Request Id 46 from 63.178.198.32:54907 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.467102445Z (160550) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.467106585Z (160550) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.467110285Z (160550) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.467114256Z (160550) Framed-MTU = 1400
2026-04-21T12:18:14.467118076Z (160550) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.467121946Z (160550) Service-Type = Framed-User
2026-04-21T12:18:14.467125876Z (160550) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.467129826Z (160550) EAP-Message = 0x02ea00061500
2026-04-21T12:18:14.467134016Z (160550) State = 0xc99fadcec875b812a4a9af92aec5119a
2026-04-21T12:18:14.467138376Z (160550) Message-Authenticator = 0x67fb0624a2101ed94be231d3bd42d65a
2026-04-21T12:18:14.467142366Z (160550) Proxy-State = 0x32
2026-04-21T12:18:14.467146286Z (160550) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.467150006Z (160550) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.467153986Z (160550) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.467158026Z (160550) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.467161836Z (160550) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.467165917Z (160550) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.467169906Z (160550) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.467173846Z (160550) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.467177757Z (160550) authorize {
2026-04-21T12:18:14.467181777Z (160550) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.467185627Z (160550) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.467194647Z (160550) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.467198677Z (160550) update request {
2026-04-21T12:18:14.467202577Z (160550) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.467206477Z (160550) } # update request = noop
2026-04-21T12:18:14.467210287Z (160550) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.467214407Z (160550) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.467218377Z (160550) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.467227758Z (160550) --> 1343-0-5768143211798
2026-04-21T12:18:14.467235488Z (160550) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.467239488Z (160550) else {
2026-04-21T12:18:14.467243338Z (160550) update request {
2026-04-21T12:18:14.467247048Z (160550) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.467250868Z (160550) --> 1343-0-5768143211798
2026-04-21T12:18:14.467254918Z (160550) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.467258698Z (160550) Request-Origin := "freeradius"
2026-04-21T12:18:14.467262918Z (160550) } # update request = noop
2026-04-21T12:18:14.467267228Z (160550) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.467271118Z (160550) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.467274878Z (160550) --> 1343-0-5768143211798
2026-04-21T12:18:14.467278698Z (160550) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.467282639Z (160550) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.467286968Z (160550) update request {
2026-04-21T12:18:14.467291509Z (160550) EXPAND %{1}-%{2}
2026-04-21T12:18:14.467295099Z (160550) --> 1343-0
2026-04-21T12:18:14.467299259Z (160550) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.467303649Z (160550) } # update request = noop
2026-04-21T12:18:14.467307919Z (160550) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.467311969Z (160550) if (&EAP-Message) {
2026-04-21T12:18:14.467315959Z (160550) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.467320019Z (160550) if (&EAP-Message) {
2026-04-21T12:18:14.467324219Z (160550) update control {
2026-04-21T12:18:14.467328169Z (160550) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.467332159Z (160550) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.467336269Z (160550) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.467351590Z (160550) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.467356100Z (160550) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.467360460Z (160550) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.467364650Z (160550) } # update control = noop
2026-04-21T12:18:14.467368940Z (160550) eap: Peer sent EAP Response (code 2) ID 234 length 6
2026-04-21T12:18:14.467373230Z (160550) eap: Continuing tunnel setup
2026-04-21T12:18:14.467377560Z (160550) [eap] = ok
2026-04-21T12:18:14.467381480Z (160550) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.467385810Z (160550) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.467389720Z (160550) } # else = ok
2026-04-21T12:18:14.467393760Z (160550) } # authorize = ok
2026-04-21T12:18:14.467397821Z (160550) Found Auth-Type = EAP
2026-04-21T12:18:14.467402301Z (160550) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.467413581Z (160550) Auth-Type EAP {
2026-04-21T12:18:14.467416501Z (160550) eap: Removing EAP session with state 0xc99fadcec875b812
2026-04-21T12:18:14.467419181Z (160550) eap: Previous EAP request found for state 0xc99fadcec875b812, released from the list
2026-04-21T12:18:14.467421801Z (160550) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.467430181Z (160550) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.467434131Z (160550) eap_ttls: Authenticate
2026-04-21T12:18:14.467438951Z (160550) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.467443221Z (160550) eap: Sending EAP Request (code 1) ID 235 length 1000
2026-04-21T12:18:14.467447551Z (160550) eap: EAP session adding &reply:State = 0xc99fadcecb74b812
2026-04-21T12:18:14.467451751Z (160550) [eap] = handled
2026-04-21T12:18:14.467456131Z (160550) } # Auth-Type EAP = handled
2026-04-21T12:18:14.467460431Z (160550) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.467464302Z (160550) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.467468762Z (160550) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.467473372Z (160550) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.467477482Z (160550) Framed-MTU = 994
2026-04-21T12:18:14.467481802Z (160550) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.467486212Z (160550) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.467490582Z (160550) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.467494872Z (160550) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.467498592Z (160550) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.467510522Z (160550) Sent Access-Challenge Id 46 from 0.0.0.0:2083 to 63.178.198.32:54907 length 1067
2026-04-21T12:18:14.467514043Z (160550) EAP-Message = 0x01eb03e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:14.467516763Z (160550) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.467519332Z (160550) State = 0xc99fadcecb74b812a4a9af92aec5119a
2026-04-21T12:18:14.467521952Z (160550) Proxy-State = 0x32
2026-04-21T12:18:14.467530753Z (160550) Finished request
2026-04-21T12:18:14.467533433Z Thread 565 waiting to be assigned a request
2026-04-21T12:18:14.505934486Z (160474) Cleaning up request packet ID 64 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.505960536Z (160475) Cleaning up request packet ID 211 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.510387832Z (160476) Cleaning up request packet ID 51 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.515118064Z (160477) Cleaning up request packet ID 212 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.527881314Z (160458) Cleaning up request packet ID 93 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.532068276Z (160459) Cleaning up request packet ID 77 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.538482787Z (160460) Cleaning up request packet ID 33 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.544241526Z (160468) Cleaning up request packet ID 40 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.550344662Z (160467) Cleaning up request packet ID 190 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.552063232Z (160465) Cleaning up request packet ID 124 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.564003038Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=150, length=159
2026-04-21T12:18:14.564115360Z Thread 563 got semaphore
2026-04-21T12:18:14.564125680Z Thread 563 handling request 160551, (87 handled so far)
2026-04-21T12:18:14.564136060Z (160551) Received Access-Request Id 150 from 18.193.75.88:33781 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.564140970Z (160551) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.564145880Z (160551) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.564150270Z (160551) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.564160460Z (160551) Framed-MTU = 1400
2026-04-21T12:18:14.564165031Z (160551) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.564173241Z (160551) Service-Type = Framed-User
2026-04-21T12:18:14.564177771Z (160551) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.564181921Z (160551) EAP-Message = 0x021700061500
2026-04-21T12:18:14.564185991Z (160551) State = 0xc331b34ac126a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.564190771Z (160551) Message-Authenticator = 0x446c442a2dcae51ba18e165b888764e7
2026-04-21T12:18:14.564195061Z (160551) Proxy-State = 0x33
2026-04-21T12:18:14.564203831Z (160551) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.564208281Z (160551) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.564212831Z (160551) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.564216981Z (160551) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.564221012Z (160551) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.564225361Z (160551) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.564229622Z (160551) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.564243392Z (160551) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.564258922Z (160551) authorize {
2026-04-21T12:18:14.564263852Z (160551) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.564268392Z (160551) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.564272342Z (160551) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.564276593Z (160551) update request {
2026-04-21T12:18:14.564283833Z (160551) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.564322343Z (160551) } # update request = noop
2026-04-21T12:18:14.564330913Z (160551) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.564360264Z (160551) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.564365334Z (160551) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.564369404Z (160551) --> 1343-0-5768143211720
2026-04-21T12:18:14.564373644Z (160551) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.564377794Z (160551) else {
2026-04-21T12:18:14.564393495Z (160551) update request {
2026-04-21T12:18:14.564398784Z (160551) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.564403135Z (160551) --> 1343-0-5768143211720
2026-04-21T12:18:14.564407585Z (160551) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.564411965Z (160551) Request-Origin := "freeradius"
2026-04-21T12:18:14.564416275Z (160551) } # update request = noop
2026-04-21T12:18:14.564420655Z (160551) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.564424715Z (160551) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.564428905Z (160551) --> 1343-0-5768143211720
2026-04-21T12:18:14.564432995Z (160551) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.564437105Z (160551) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.564441135Z (160551) update request {
2026-04-21T12:18:14.564444965Z (160551) EXPAND %{1}-%{2}
2026-04-21T12:18:14.564449165Z (160551) --> 1343-0
2026-04-21T12:18:14.564453325Z (160551) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.564460076Z (160551) } # update request = noop
2026-04-21T12:18:14.564464526Z (160551) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.564468806Z (160551) if (&EAP-Message) {
2026-04-21T12:18:14.564473206Z (160551) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.564477396Z (160551) if (&EAP-Message) {
2026-04-21T12:18:14.564481776Z (160551) update control {
2026-04-21T12:18:14.564594428Z (160551) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.564603858Z (160551) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.564607818Z (160551) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.564625308Z (160551) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.564629079Z (160551) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.564632889Z (160551) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.564636719Z (160551) } # update control = noop
2026-04-21T12:18:14.564640329Z (160551) eap: Peer sent EAP Response (code 2) ID 23 length 6
2026-04-21T12:18:14.564672089Z (160551) eap: Continuing tunnel setup
2026-04-21T12:18:14.564676709Z (160551) [eap] = ok
2026-04-21T12:18:14.564680329Z (160551) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.564684469Z (160551) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.564688709Z (160551) } # else = ok
2026-04-21T12:18:14.564692590Z (160551) } # authorize = ok
2026-04-21T12:18:14.564697010Z (160551) Found Auth-Type = EAP
2026-04-21T12:18:14.564701020Z (160551) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.564704850Z (160551) Auth-Type EAP {
2026-04-21T12:18:14.564709320Z (160551) eap: Removing EAP session with state 0xc331b34ac126a64e
2026-04-21T12:18:14.564713500Z (160551) eap: Previous EAP request found for state 0xc331b34ac126a64e, released from the list
2026-04-21T12:18:14.564729950Z (160551) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.564770621Z (160551) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.564775271Z (160551) eap_ttls: Authenticate
2026-04-21T12:18:14.564778911Z (160551) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.564808422Z (160551) eap: Sending EAP Request (code 1) ID 24 length 699
2026-04-21T12:18:14.564812002Z (160551) eap: EAP session adding &reply:State = 0xc331b34ac029a64e
2026-04-21T12:18:14.564815312Z (160551) [eap] = handled
2026-04-21T12:18:14.564818362Z (160551) } # Auth-Type EAP = handled
2026-04-21T12:18:14.564837022Z (160551) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.564840622Z (160551) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.564844072Z (160551) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.564847672Z (160551) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.564851112Z (160551) Framed-MTU = 994
2026-04-21T12:18:14.564854352Z (160551) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.564857703Z (160551) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.564861112Z (160551) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.564864123Z (160551) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.564866323Z (160551) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.564868443Z (160551) Sent Access-Challenge Id 150 from 0.0.0.0:2083 to 18.193.75.88:33781 length 764
2026-04-21T12:18:14.564871433Z (160551) EAP-Message = 0x011802bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:14.564873783Z (160551) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.564885963Z (160551) State = 0xc331b34ac029a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.564889623Z (160551) Proxy-State = 0x33
2026-04-21T12:18:14.564912604Z (160551) Finished request
2026-04-21T12:18:14.564932984Z Thread 563 waiting to be assigned a request
2026-04-21T12:18:14.564937194Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=2, length=159
2026-04-21T12:18:14.564945124Z Thread 581 got semaphore
2026-04-21T12:18:14.564948644Z Thread 581 handling request 160552, (35 handled so far)
2026-04-21T12:18:14.564952014Z (160552) Received Access-Request Id 2 from 63.178.227.84:37423 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.564955194Z (160552) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.564958694Z (160552) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.564961994Z (160552) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.564965464Z (160552) Framed-MTU = 1400
2026-04-21T12:18:14.564968954Z (160552) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.564972714Z (160552) Service-Type = Framed-User
2026-04-21T12:18:14.564976094Z (160552) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.564979465Z (160552) EAP-Message = 0x023400061500
2026-04-21T12:18:14.564982595Z (160552) State = 0xd26084a0d05491238d7986808755bf2d
2026-04-21T12:18:14.564985625Z (160552) Message-Authenticator = 0xd746177ebe9519176abd23398d51399a
2026-04-21T12:18:14.564993535Z (160552) Proxy-State = 0x33
2026-04-21T12:18:14.564996215Z (160552) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.564998355Z (160552) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.565000615Z (160552) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.565002885Z (160552) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.565005045Z (160552) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.565007285Z (160552) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.565009485Z (160552) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.565011615Z (160552) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.565013805Z (160552) authorize {
2026-04-21T12:18:14.565016015Z (160552) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.565018255Z (160552) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.565020385Z (160552) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.565023345Z (160552) update request {
2026-04-21T12:18:14.565027125Z (160552) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.565030675Z (160552) } # update request = noop
2026-04-21T12:18:14.565033926Z (160552) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.565037766Z (160552) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.565041346Z (160552) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.565044756Z (160552) --> 1343-0-5768143211642
2026-04-21T12:18:14.565048266Z (160552) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.565051816Z (160552) else {
2026-04-21T12:18:14.565055126Z (160552) update request {
2026-04-21T12:18:14.565058296Z (160552) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.565061666Z (160552) --> 1343-0-5768143211642
2026-04-21T12:18:14.565065056Z (160552) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.565068556Z (160552) Request-Origin := "freeradius"
2026-04-21T12:18:14.565071916Z (160552) } # update request = noop
2026-04-21T12:18:14.565075066Z (160552) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.565078386Z (160552) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.565081906Z (160552) --> 1343-0-5768143211642
2026-04-21T12:18:14.565085246Z (160552) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.565087436Z (160552) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.565089576Z (160552) update request {
2026-04-21T12:18:14.565091727Z (160552) EXPAND %{1}-%{2}
2026-04-21T12:18:14.565093836Z (160552) --> 1343-0
2026-04-21T12:18:14.565095967Z (160552) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.565098077Z (160552) } # update request = noop
2026-04-21T12:18:14.565111257Z (160552) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.565114927Z (160552) if (&EAP-Message) {
2026-04-21T12:18:14.565118517Z (160552) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.565125747Z (160552) if (&EAP-Message) {
2026-04-21T12:18:14.565129427Z (160552) update control {
2026-04-21T12:18:14.565132917Z (160552) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.565136387Z (160552) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.565139947Z (160552) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.565143147Z (160552) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.565148897Z (160552) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.565152128Z (160552) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.565155398Z (160552) } # update control = noop
2026-04-21T12:18:14.565158998Z (160552) eap: Peer sent EAP Response (code 2) ID 52 length 6
2026-04-21T12:18:14.565162348Z (160552) eap: Continuing tunnel setup
2026-04-21T12:18:14.565172678Z (160552) [eap] = ok
2026-04-21T12:18:14.565175018Z (160552) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.565177228Z (160552) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.565179378Z (160552) } # else = ok
2026-04-21T12:18:14.565181548Z (160552) } # authorize = ok
2026-04-21T12:18:14.565183668Z (160552) Found Auth-Type = EAP
2026-04-21T12:18:14.565185868Z (160552) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.565187978Z (160552) Auth-Type EAP {
2026-04-21T12:18:14.565190258Z (160552) eap: Removing EAP session with state 0xd26084a0d0549123
2026-04-21T12:18:14.565192758Z (160552) eap: Previous EAP request found for state 0xd26084a0d0549123, released from the list
2026-04-21T12:18:14.565195038Z (160552) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.565197188Z (160552) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.565199328Z (160552) eap_ttls: Authenticate
2026-04-21T12:18:14.565201458Z (160552) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.565203598Z (160552) eap: Sending EAP Request (code 1) ID 53 length 699
2026-04-21T12:18:14.565205758Z (160552) eap: EAP session adding &reply:State = 0xd26084a0d1559123
2026-04-21T12:18:14.565207929Z (160552) [eap] = handled
2026-04-21T12:18:14.565211398Z (160552) } # Auth-Type EAP = handled
2026-04-21T12:18:14.565215129Z (160552) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.565218599Z (160552) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.565221939Z (160552) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.565225509Z (160552) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.565229139Z (160552) Framed-MTU = 994
2026-04-21T12:18:14.565232729Z (160552) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.565236009Z (160552) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.565239379Z (160552) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.565242799Z (160552) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.565244939Z (160552) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.565247089Z (160552) Sent Access-Challenge Id 2 from 0.0.0.0:2083 to 63.178.227.84:37423 length 764
2026-04-21T12:18:14.565249379Z (160552) EAP-Message = 0x013502bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:14.565254549Z (160552) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.565256699Z (160552) State = 0xd26084a0d15591238d7986808755bf2d
2026-04-21T12:18:14.565258949Z (160552) Proxy-State = 0x33
2026-04-21T12:18:14.565267579Z (160552) Finished request
2026-04-21T12:18:14.565269890Z Thread 581 waiting to be assigned a request
2026-04-21T12:18:14.572103997Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=249, length=159
2026-04-21T12:18:14.572116077Z Thread 571 got semaphore
2026-04-21T12:18:14.572120588Z Thread 571 handling request 160553, (82 handled so far)
2026-04-21T12:18:14.572129408Z (160553) Received Access-Request Id 249 from 63.178.198.32:54907 to 0.0.0.0:2083 length 159
2026-04-21T12:18:14.572146518Z (160553) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.572150728Z (160553) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.572154568Z (160553) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.572158768Z (160553) Framed-MTU = 1400
2026-04-21T12:18:14.572162848Z (160553) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.572166909Z (160553) Service-Type = Framed-User
2026-04-21T12:18:14.572170918Z (160553) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.572174778Z (160553) EAP-Message = 0x02eb00061500
2026-04-21T12:18:14.572178819Z (160553) State = 0xc99fadcecb74b812a4a9af92aec5119a
2026-04-21T12:18:14.572183059Z (160553) Message-Authenticator = 0x55e9fb4a0126a07fd0bf2889b2f30ca2
2026-04-21T12:18:14.572200489Z (160553) Proxy-State = 0x33
2026-04-21T12:18:14.572204769Z (160553) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.572208539Z (160553) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.572212219Z (160553) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.572218759Z (160553) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.572222999Z (160553) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.572226819Z (160553) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.572230759Z (160553) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.572239010Z (160553) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.572243170Z (160553) authorize {
2026-04-21T12:18:14.572247540Z (160553) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.572251580Z (160553) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.572255710Z (160553) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.572259490Z (160553) update request {
2026-04-21T12:18:14.572263350Z (160553) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.572273120Z (160553) } # update request = noop
2026-04-21T12:18:14.572277020Z (160553) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.572281110Z (160553) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.572296771Z (160553) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.572300991Z (160553) --> 1343-0-5768143211798
2026-04-21T12:18:14.572304881Z (160553) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.572308651Z (160553) else {
2026-04-21T12:18:14.572312521Z (160553) update request {
2026-04-21T12:18:14.572316581Z (160553) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.572320441Z (160553) --> 1343-0-5768143211798
2026-04-21T12:18:14.572324511Z (160553) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.572328291Z (160553) Request-Origin := "freeradius"
2026-04-21T12:18:14.572332131Z (160553) } # update request = noop
2026-04-21T12:18:14.572336681Z (160553) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.572340792Z (160553) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.572356362Z (160553) --> 1343-0-5768143211798
2026-04-21T12:18:14.572360382Z (160553) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.572364432Z (160553) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.572368442Z (160553) update request {
2026-04-21T12:18:14.572372572Z (160553) EXPAND %{1}-%{2}
2026-04-21T12:18:14.572376592Z (160553) --> 1343-0
2026-04-21T12:18:14.572380812Z (160553) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.572387062Z (160553) } # update request = noop
2026-04-21T12:18:14.572391362Z (160553) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.572395332Z (160553) if (&EAP-Message) {
2026-04-21T12:18:14.572399553Z (160553) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.572403922Z (160553) if (&EAP-Message) {
2026-04-21T12:18:14.572407842Z (160553) update control {
2026-04-21T12:18:14.572412103Z (160553) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.572416503Z (160553) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.572420613Z (160553) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.572424753Z (160553) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.572428743Z (160553) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.572447573Z (160553) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.572452243Z (160553) } # update control = noop
2026-04-21T12:18:14.572456243Z (160553) eap: Peer sent EAP Response (code 2) ID 235 length 6
2026-04-21T12:18:14.572460163Z (160553) eap: Continuing tunnel setup
2026-04-21T12:18:14.572464234Z (160553) [eap] = ok
2026-04-21T12:18:14.572468524Z (160553) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.572472764Z (160553) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.572477134Z (160553) } # else = ok
2026-04-21T12:18:14.572481664Z (160553) } # authorize = ok
2026-04-21T12:18:14.572486084Z (160553) Found Auth-Type = EAP
2026-04-21T12:18:14.572494164Z (160553) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.572498414Z (160553) Auth-Type EAP {
2026-04-21T12:18:14.572502294Z (160553) eap: Removing EAP session with state 0xc99fadcecb74b812
2026-04-21T12:18:14.572506444Z (160553) eap: Previous EAP request found for state 0xc99fadcecb74b812, released from the list
2026-04-21T12:18:14.572510484Z (160553) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.572519515Z (160553) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.572523924Z (160553) eap_ttls: Authenticate
2026-04-21T12:18:14.572528125Z (160553) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:14.572532035Z (160553) eap: Sending EAP Request (code 1) ID 236 length 699
2026-04-21T12:18:14.572536025Z (160553) eap: EAP session adding &reply:State = 0xc99fadceca73b812
2026-04-21T12:18:14.572540345Z (160553) [eap] = handled
2026-04-21T12:18:14.572544335Z (160553) } # Auth-Type EAP = handled
2026-04-21T12:18:14.572548345Z (160553) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.572552715Z (160553) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.572556955Z (160553) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.572561335Z (160553) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.572565895Z (160553) Framed-MTU = 994
2026-04-21T12:18:14.572570045Z (160553) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.572572725Z (160553) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.572575385Z (160553) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.572577996Z (160553) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.572580836Z (160553) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.572593976Z (160553) Sent Access-Challenge Id 249 from 0.0.0.0:2083 to 63.178.198.32:54907 length 764
2026-04-21T12:18:14.572598496Z (160553) EAP-Message = 0x01ec02bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:14.572602996Z (160553) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.572607056Z (160553) State = 0xc99fadceca73b812a4a9af92aec5119a
2026-04-21T12:18:14.572610906Z (160553) Proxy-State = 0x33
2026-04-21T12:18:14.572624436Z (160553) Finished request
2026-04-21T12:18:14.572628906Z Thread 571 waiting to be assigned a request
2026-04-21T12:18:14.573688515Z (160469) Cleaning up request packet ID 248 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.573695335Z (160463) Cleaning up request packet ID 78 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.575863302Z (160461) Cleaning up request packet ID 221 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.576747067Z (160464) Cleaning up request packet ID 101 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.578169872Z (160462) Cleaning up request packet ID 144 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.581334746Z (160466) Cleaning up request packet ID 207 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.607418527Z (160478) Cleaning up request packet ID 160 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.608887053Z (160479) Cleaning up request packet ID 90 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.611685861Z (160480) Cleaning up request packet ID 245 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.618694782Z (160481) Cleaning up request packet ID 56 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.670694480Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=106, length=252
2026-04-21T12:18:14.670732611Z Thread 574 got semaphore
2026-04-21T12:18:14.670739111Z Thread 574 handling request 160554, (29 handled so far)
2026-04-21T12:18:14.670747911Z (160554) Received Access-Request Id 106 from 18.193.75.88:33781 to 0.0.0.0:2083 length 252
2026-04-21T12:18:14.670752701Z (160554) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.670757171Z (160554) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.670761091Z (160554) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.670765411Z (160554) Framed-MTU = 1400
2026-04-21T12:18:14.670769561Z (160554) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.670773511Z (160554) Service-Type = Framed-User
2026-04-21T12:18:14.670777491Z (160554) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.670782851Z (160554) EAP-Message = 0x021800631500160303002510000021201e0aa7f8b906c8e3a86d7e853b5c6cc5a4b8d47135e02c8729d0434a3fd03f5b140303000101160303002809d94a52b7ebb9a5bf2d6aa3207bb273404ecfcebc3ec9b66583e7fde76810d498a4b242663c131d
2026-04-21T12:18:14.670786741Z (160554) State = 0xc331b34ac029a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.670791332Z (160554) Message-Authenticator = 0x23a1d6f730512400df1b9ce03ca31bcd
2026-04-21T12:18:14.670806332Z (160554) Proxy-State = 0x34
2026-04-21T12:18:14.670810962Z (160554) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.670815022Z (160554) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.670829322Z (160554) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.670833722Z (160554) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.670838302Z (160554) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.670842302Z (160554) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.670846742Z (160554) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.670850833Z (160554) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.670854862Z (160554) authorize {
2026-04-21T12:18:14.670859033Z (160554) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.670873493Z (160554) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.670877543Z (160554) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.670881573Z (160554) update request {
2026-04-21T12:18:14.670885623Z (160554) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.670889503Z (160554) } # update request = noop
2026-04-21T12:18:14.670902363Z (160554) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.670906203Z (160554) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.670914894Z (160554) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.670919524Z (160554) --> 1343-0-5768143211720
2026-04-21T12:18:14.670923854Z (160554) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.670927974Z (160554) else {
2026-04-21T12:18:14.670932214Z (160554) update request {
2026-04-21T12:18:14.670936744Z (160554) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.670941044Z (160554) --> 1343-0-5768143211720
2026-04-21T12:18:14.670945274Z (160554) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.670949644Z (160554) Request-Origin := "freeradius"
2026-04-21T12:18:14.670954164Z (160554) } # update request = noop
2026-04-21T12:18:14.670958554Z (160554) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.670962864Z (160554) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.670977595Z (160554) --> 1343-0-5768143211720
2026-04-21T12:18:14.670981665Z (160554) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.670985965Z (160554) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.670990025Z (160554) update request {
2026-04-21T12:18:14.670993915Z (160554) EXPAND %{1}-%{2}
2026-04-21T12:18:14.670998265Z (160554) --> 1343-0
2026-04-21T12:18:14.671005225Z (160554) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.671009575Z (160554) } # update request = noop
2026-04-21T12:18:14.671013925Z (160554) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.671018115Z (160554) if (&EAP-Message) {
2026-04-21T12:18:14.671045746Z (160554) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.671064056Z (160554) if (&EAP-Message) {
2026-04-21T12:18:14.671068296Z (160554) update control {
2026-04-21T12:18:14.671072636Z (160554) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.671076946Z (160554) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.671080946Z (160554) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.671084766Z (160554) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.671088746Z (160554) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.671092637Z (160554) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.671096727Z (160554) } # update control = noop
2026-04-21T12:18:14.671100857Z (160554) eap: Peer sent EAP Response (code 2) ID 24 length 99
2026-04-21T12:18:14.671104777Z (160554) eap: Continuing tunnel setup
2026-04-21T12:18:14.671108897Z (160554) [eap] = ok
2026-04-21T12:18:14.671113107Z (160554) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.671119657Z (160554) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.671124087Z (160554) } # else = ok
2026-04-21T12:18:14.671128457Z (160554) } # authorize = ok
2026-04-21T12:18:14.671132677Z (160554) Found Auth-Type = EAP
2026-04-21T12:18:14.671136777Z (160554) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.671157398Z (160554) Auth-Type EAP {
2026-04-21T12:18:14.671162158Z (160554) eap: Removing EAP session with state 0xc331b34ac029a64e
2026-04-21T12:18:14.671166158Z (160554) eap: Previous EAP request found for state 0xc331b34ac029a64e, released from the list
2026-04-21T12:18:14.671170038Z (160554) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.671175068Z (160554) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.671178948Z (160554) eap_ttls: Authenticate
2026-04-21T12:18:14.671181598Z (160554) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.671184268Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.671197788Z (160554) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:14.671261989Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:14.671271050Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:14.671275810Z (160554) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.671280290Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:14.671335371Z (160554) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:14.671342371Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:14.671884930Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=191, length=252
2026-04-21T12:18:14.671917431Z Thread 575 got semaphore
2026-04-21T12:18:14.671921611Z Thread 575 handling request 160555, (30 handled so far)
2026-04-21T12:18:14.671925201Z (160555) Received Access-Request Id 191 from 63.178.227.84:37423 to 0.0.0.0:2083 length 252
2026-04-21T12:18:14.671928871Z (160555) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.671931991Z (160555) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.671950391Z (160555) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.671954541Z (160555) Framed-MTU = 1400
2026-04-21T12:18:14.671957641Z (160555) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.671960532Z (160555) Service-Type = Framed-User
2026-04-21T12:18:14.671963642Z (160555) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.671967002Z (160555) EAP-Message = 0x02350063150016030300251000002120c05deb5cb038ff6244d1fce5d03af6abf1bbb193b901c6255e0f481a03c22f6e140303000101160303002893801aec1a9d9b5d9267df25218dcdffe7091b43cdf45f9481b459854105553e7c430d648b5c6687
2026-04-21T12:18:14.671970112Z (160555) State = 0xd26084a0d15591238d7986808755bf2d
2026-04-21T12:18:14.671974002Z (160555) Message-Authenticator = 0x6e6ed19abd0c018d186361695a10c187
2026-04-21T12:18:14.671977262Z (160555) Proxy-State = 0x34
2026-04-21T12:18:14.671980232Z (160555) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.671983372Z (160555) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.671986782Z (160555) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.671989952Z (160555) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.671995932Z (160555) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.671999282Z (160555) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.672002252Z (160555) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.672009693Z (160555) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.672012942Z (160555) authorize {
2026-04-21T12:18:14.672016142Z (160555) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.672019382Z (160555) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.672022293Z (160555) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.672025303Z (160555) update request {
2026-04-21T12:18:14.672028353Z (160555) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.672031373Z (160555) } # update request = noop
2026-04-21T12:18:14.672034413Z (160555) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.672037383Z (160555) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.672040333Z (160555) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.672043353Z (160555) --> 1343-0-5768143211642
2026-04-21T12:18:14.672046473Z (160555) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.672049553Z (160555) else {
2026-04-21T12:18:14.672052573Z (160555) update request {
2026-04-21T12:18:14.672055683Z (160555) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.672058763Z (160555) --> 1343-0-5768143211642
2026-04-21T12:18:14.672061783Z (160555) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.672064813Z (160555) Request-Origin := "freeradius"
2026-04-21T12:18:14.672070814Z (160555) } # update request = noop
2026-04-21T12:18:14.672074183Z (160555) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.672077434Z (160555) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.672082144Z (160555) --> 1343-0-5768143211642
2026-04-21T12:18:14.672085444Z (160555) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.672088704Z (160555) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.672091814Z (160555) update request {
2026-04-21T12:18:14.672095064Z (160555) EXPAND %{1}-%{2}
2026-04-21T12:18:14.672098244Z (160555) --> 1343-0
2026-04-21T12:18:14.672101494Z (160555) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.672104594Z (160555) } # update request = noop
2026-04-21T12:18:14.672107974Z (160555) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.672111174Z (160555) if (&EAP-Message) {
2026-04-21T12:18:14.672114284Z (160555) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.672117484Z (160555) if (&EAP-Message) {
2026-04-21T12:18:14.672120684Z (160555) update control {
2026-04-21T12:18:14.672123794Z (160555) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.672126824Z (160555) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.672130004Z (160555) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.672133355Z (160555) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.672136755Z (160555) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.672140125Z (160555) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.672143355Z (160555) } # update control = noop
2026-04-21T12:18:14.672146575Z (160555) eap: Peer sent EAP Response (code 2) ID 53 length 99
2026-04-21T12:18:14.672153195Z (160555) eap: Continuing tunnel setup
2026-04-21T12:18:14.672156855Z (160555) [eap] = ok
2026-04-21T12:18:14.672160205Z (160555) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.672163685Z (160555) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.672167175Z (160555) } # else = ok
2026-04-21T12:18:14.672170535Z (160555) } # authorize = ok
2026-04-21T12:18:14.672174085Z (160555) Found Auth-Type = EAP
2026-04-21T12:18:14.672177475Z (160555) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.672180925Z (160555) Auth-Type EAP {
2026-04-21T12:18:14.672183985Z (160555) eap: Removing EAP session with state 0xd26084a0d1559123
2026-04-21T12:18:14.672191285Z (160555) eap: Previous EAP request found for state 0xd26084a0d1559123, released from the list
2026-04-21T12:18:14.672195436Z (160555) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.672198716Z (160555) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.672202166Z (160555) eap_ttls: Authenticate
2026-04-21T12:18:14.672205556Z (160555) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.672208876Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.672212316Z (160555) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:14.672223146Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:14.672226476Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:14.672232426Z (160555) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.672238846Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:14.672242246Z (160555) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:14.672323038Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:14.679945909Z (160554) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.680094712Z (160554) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:14.680101712Z (160554) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:14.680106522Z (160554) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:14.680110582Z (160554) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.680114232Z (160554) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.680118092Z (160554) eap: Sending EAP Request (code 1) ID 25 length 61
2026-04-21T12:18:14.680121742Z (160554) eap: EAP session adding &reply:State = 0xc331b34ac728a64e
2026-04-21T12:18:14.680125942Z (160554) [eap] = handled
2026-04-21T12:18:14.680130462Z (160554) } # Auth-Type EAP = handled
2026-04-21T12:18:14.680135033Z (160554) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.680139493Z (160554) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.680143482Z (160554) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.680147613Z (160554) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.680151383Z (160554) Framed-MTU = 994
2026-04-21T12:18:14.680155833Z (160554) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.680166103Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.680177313Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.680181363Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.680185563Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.680189623Z (160554) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.680193643Z (160554) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.680197823Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.680201863Z (160554) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.680206124Z (160554) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.680210214Z (160554) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.680214414Z (160554) Sent Access-Challenge Id 106 from 0.0.0.0:2083 to 18.193.75.88:33781 length 122
2026-04-21T12:18:14.680219414Z (160554) EAP-Message = 0x0119003d15800000003314030300010116030300281ab9622d0fcb71f77ae24872f94867b7df00512764d2c4573c1562f7317e0074c3edf71e6a58e06d
2026-04-21T12:18:14.680224344Z (160554) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.680228774Z (160554) State = 0xc331b34ac728a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.680233384Z (160554) Proxy-State = 0x34
2026-04-21T12:18:14.680249434Z (160554) Finished request
2026-04-21T12:18:14.680254175Z Thread 574 waiting to be assigned a request
2026-04-21T12:18:14.680685532Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=21, length=252
2026-04-21T12:18:14.680911716Z Thread 579 got semaphore
2026-04-21T12:18:14.680918686Z Thread 579 handling request 160556, (29 handled so far)
2026-04-21T12:18:14.680923216Z (160556) Received Access-Request Id 21 from 63.178.198.32:54907 to 0.0.0.0:2083 length 252
2026-04-21T12:18:14.680928096Z (160556) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.680932366Z (160556) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.680936576Z (160556) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.680940766Z (160556) Framed-MTU = 1400
2026-04-21T12:18:14.680944726Z (160556) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.680951227Z (160556) Service-Type = Framed-User
2026-04-21T12:18:14.680956007Z (160556) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.680959057Z (160556) EAP-Message = 0x02ec0063150016030300251000002120072675b2ba9713831b16e53942804cbf75801a03007b024010b1496be778f87e1403030001011603030028cfc7107932e0d301d16bf91aef664f4cd2b1a81bc5d759a0d2b67adf3386d10297105e9b59a6f5ce
2026-04-21T12:18:14.680961737Z (160556) State = 0xc99fadceca73b812a4a9af92aec5119a
2026-04-21T12:18:14.680964507Z (160556) Message-Authenticator = 0xbf16d97b3b1696d8c4ad6341a392c36c
2026-04-21T12:18:14.680967177Z (160556) Proxy-State = 0x34
2026-04-21T12:18:14.680969837Z (160556) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.680972467Z (160556) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.680975227Z (160556) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.680977747Z (160556) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.680980387Z (160556) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.680983567Z (160556) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.680993487Z (160556) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.680997677Z (160556) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.681001687Z (160556) authorize {
2026-04-21T12:18:14.681005888Z (160556) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.681011137Z (160556) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.681015248Z (160556) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.681019188Z (160556) update request {
2026-04-21T12:18:14.681059628Z (160556) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.681068909Z (160556) } # update request = noop
2026-04-21T12:18:14.681073018Z (160556) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.681077019Z (160556) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.681164160Z (160556) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.681171620Z (160556) --> 1343-0-5768143211798
2026-04-21T12:18:14.681175970Z (160556) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.681180731Z (160556) else {
2026-04-21T12:18:14.681184220Z (160556) update request {
2026-04-21T12:18:14.681186891Z (160556) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.681189511Z (160556) --> 1343-0-5768143211798
2026-04-21T12:18:14.681192101Z (160556) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.681194671Z (160556) Request-Origin := "freeradius"
2026-04-21T12:18:14.681197421Z (160556) } # update request = noop
2026-04-21T12:18:14.681199991Z (160556) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.681202561Z (160556) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.681205161Z (160556) --> 1343-0-5768143211798
2026-04-21T12:18:14.681207731Z (160556) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.681210351Z (160556) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.681213121Z (160556) update request {
2026-04-21T12:18:14.681215621Z (160556) EXPAND %{1}-%{2}
2026-04-21T12:18:14.681218131Z (160556) --> 1343-0
2026-04-21T12:18:14.681220681Z (160556) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.681223201Z (160556) } # update request = noop
2026-04-21T12:18:14.681225791Z (160556) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.681228401Z (160556) if (&EAP-Message) {
2026-04-21T12:18:14.681230931Z (160556) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.681233851Z (160556) if (&EAP-Message) {
2026-04-21T12:18:14.681238241Z (160556) update control {
2026-04-21T12:18:14.681244901Z (160556) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.681249502Z (160556) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.681253972Z (160556) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.681258272Z (160556) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.681262482Z (160556) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.681266282Z (160556) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.681273532Z (160556) } # update control = noop
2026-04-21T12:18:14.681276152Z (160556) eap: Peer sent EAP Response (code 2) ID 236 length 99
2026-04-21T12:18:14.681278682Z (160556) eap: Continuing tunnel setup
2026-04-21T12:18:14.681281252Z (160556) [eap] = ok
2026-04-21T12:18:14.681283792Z (160556) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.681301262Z (160556) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.681305813Z (160556) } # else = ok
2026-04-21T12:18:14.681310023Z (160556) } # authorize = ok
2026-04-21T12:18:14.681314443Z (160556) Found Auth-Type = EAP
2026-04-21T12:18:14.681318493Z (160556) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.681321083Z (160556) Auth-Type EAP {
2026-04-21T12:18:14.681323683Z (160556) eap: Removing EAP session with state 0xc99fadceca73b812
2026-04-21T12:18:14.681328023Z (160556) eap: Previous EAP request found for state 0xc99fadceca73b812, released from the list
2026-04-21T12:18:14.681332773Z (160556) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.681337323Z (160556) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.681341753Z (160556) eap_ttls: Authenticate
2026-04-21T12:18:14.681346003Z (160556) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.681360303Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:14.681364804Z (160556) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:14.681368894Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:14.681373034Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:14.681377764Z (160556) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.681380734Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:14.681383304Z (160556) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:14.681385934Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:14.682914000Z (160541) rest: Processing response header
2026-04-21T12:18:14.682920641Z (160541) rest: Status : 200 (OK)
2026-04-21T12:18:14.682924081Z (160541) rest: Type : json (application/json)
2026-04-21T12:18:14.682927630Z (160541) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:14.682935131Z (160541) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:14.682946051Z (160541) rest: EXPAND 3600
2026-04-21T12:18:14.682949621Z (160541) rest: --> 3600
2026-04-21T12:18:14.682953381Z (160541) rest: Session-Timeout = 3600
2026-04-21T12:18:14.682956891Z (160541) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:14.682964511Z (160541) rest: EXPAND 1
2026-04-21T12:18:14.682968321Z (160541) rest: --> 1
2026-04-21T12:18:14.682971881Z (160541) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:14.683042832Z rlm_rest (rest): Released connection (143)
2026-04-21T12:18:14.683048373Z (160541) [rest] = updated
2026-04-21T12:18:14.683051613Z (160541) if (updated) {
2026-04-21T12:18:14.683056223Z (160541) if (updated) -> TRUE
2026-04-21T12:18:14.683096553Z (160541) if (updated) {
2026-04-21T12:18:14.683100473Z (160541) [ok] = ok
2026-04-21T12:18:14.683105284Z (160541) } # if (updated) = ok
2026-04-21T12:18:14.683108264Z (160541) } # Auth-Type REST = ok
2026-04-21T12:18:14.683116634Z (160541) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-7B-00-64-0E-D8 via TLS tunnel)
2026-04-21T12:18:14.683119664Z (160541) } # server my-inner-tunnel
2026-04-21T12:18:14.683122484Z (160541) Virtual server sending reply
2026-04-21T12:18:14.683125354Z (160541) REST-HTTP-Status-Code = 200
2026-04-21T12:18:14.683128174Z (160541) Session-Timeout = 3600
2026-04-21T12:18:14.683131154Z (160541) Termination-Action = RADIUS-Request
2026-04-21T12:18:14.683134124Z (160541) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:14.683146094Z (160541) eap: Sending EAP Success (code 3) ID 217 length 4
2026-04-21T12:18:14.683149874Z (160541) eap: Freeing handler
2026-04-21T12:18:14.683207295Z (160541) [eap] = ok
2026-04-21T12:18:14.683213146Z (160541) } # Auth-Type EAP = ok
2026-04-21T12:18:14.683216446Z (160541) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.683219766Z (160541) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-7B-00-64-0E-D8)
2026-04-21T12:18:14.683223366Z (160541) Sent Access-Accept Id 94 from 0.0.0.0:2083 to 18.199.175.245:37301 length 200
2026-04-21T12:18:14.683226896Z (160541) Session-Timeout = 3600
2026-04-21T12:18:14.683230376Z (160541) Termination-Action = RADIUS-Request
2026-04-21T12:18:14.683233906Z (160541) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:14.683237356Z (160541) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:14.683248486Z (160541) EAP-Message = 0x03d90004
2026-04-21T12:18:14.683261246Z (160541) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.683264436Z (160541) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.683267916Z (160541) Proxy-State = 0x35
2026-04-21T12:18:14.683305357Z (160541) Finished request
2026-04-21T12:18:14.683310827Z Thread 569 waiting to be assigned a request
2026-04-21T12:18:14.686127906Z (160555) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.686136186Z (160555) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:14.686140776Z (160555) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:14.686145166Z (160555) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:14.686149746Z (160555) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.686153956Z (160555) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.686158016Z (160555) eap: Sending EAP Request (code 1) ID 54 length 61
2026-04-21T12:18:14.686162426Z (160555) eap: EAP session adding &reply:State = 0xd26084a0d6569123
2026-04-21T12:18:14.686166596Z (160555) [eap] = handled
2026-04-21T12:18:14.686170746Z (160555) } # Auth-Type EAP = handled
2026-04-21T12:18:14.686210627Z (160555) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.686215777Z (160555) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.686219917Z (160555) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.686224207Z (160555) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.686228407Z (160555) Framed-MTU = 994
2026-04-21T12:18:14.686232318Z (160555) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.686236127Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.686249428Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.686253848Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.686270428Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.686275048Z (160555) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.686279438Z (160555) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.686283448Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.686287599Z (160555) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.686292099Z (160555) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.686296129Z (160555) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.686300089Z (160555) Sent Access-Challenge Id 191 from 0.0.0.0:2083 to 63.178.227.84:37423 length 122
2026-04-21T12:18:14.686307219Z (160555) EAP-Message = 0x0136003d158000000033140303000101160303002845b354e7b32422f84e1aea4ecaa7717505c78a08896ae933ff3f84e1c4079cec214c3a5275a4fd42
2026-04-21T12:18:14.686309989Z (160555) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.686312729Z (160555) State = 0xd26084a0d65691238d7986808755bf2d
2026-04-21T12:18:14.686315389Z (160555) Proxy-State = 0x34
2026-04-21T12:18:14.686329899Z (160555) Finished request
2026-04-21T12:18:14.686334329Z Thread 575 waiting to be assigned a request
2026-04-21T12:18:14.693348460Z (160556) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:14.693360230Z (160556) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:14.693363640Z (160556) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:14.693367081Z (160556) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:14.693370590Z (160556) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.693373701Z (160556) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.693376951Z (160556) eap: Sending EAP Request (code 1) ID 237 length 61
2026-04-21T12:18:14.693380341Z (160556) eap: EAP session adding &reply:State = 0xc99fadcecd72b812
2026-04-21T12:18:14.693383871Z (160556) [eap] = handled
2026-04-21T12:18:14.693387341Z (160556) } # Auth-Type EAP = handled
2026-04-21T12:18:14.693390491Z (160556) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.693393521Z (160556) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.693396621Z (160556) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.693399871Z (160556) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.693403461Z (160556) Framed-MTU = 994
2026-04-21T12:18:14.693406971Z (160556) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.693416021Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.693419441Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.693422691Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.693426202Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.693429562Z (160556) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.693432951Z (160556) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.693436482Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.693444562Z (160556) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.693447772Z (160556) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.693451052Z (160556) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.693462912Z (160556) Sent Access-Challenge Id 21 from 0.0.0.0:2083 to 63.178.198.32:54907 length 122
2026-04-21T12:18:14.693466722Z (160556) EAP-Message = 0x01ed003d158000000033140303000101160303002881826f673f4b5e0033cab77d6187f33c3b67136a42972e308a2f351772539e5e8fb651374ae0e06e
2026-04-21T12:18:14.693470102Z (160556) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.693473252Z (160556) State = 0xc99fadcecd72b812a4a9af92aec5119a
2026-04-21T12:18:14.693476982Z (160556) Proxy-State = 0x34
2026-04-21T12:18:14.693488923Z (160556) Finished request
2026-04-21T12:18:14.693492683Z Thread 579 waiting to be assigned a request
2026-04-21T12:18:14.709132532Z (160482) Cleaning up request packet ID 94 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.711843619Z (160483) Cleaning up request packet ID 251 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.713042940Z (160484) Cleaning up request packet ID 236 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.722232389Z (160485) Cleaning up request packet ID 75 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.782906647Z (0) (TLS): Access-Request packet from host 18.193.75.88 port 33781, id=91, length=244
2026-04-21T12:18:14.782937277Z Thread 568 got semaphore
2026-04-21T12:18:14.782941487Z Thread 568 handling request 160557, (86 handled so far)
2026-04-21T12:18:14.782951097Z (160557) Received Access-Request Id 91 from 18.193.75.88:33781 to 0.0.0.0:2083 length 244
2026-04-21T12:18:14.782954917Z (160557) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.782958107Z (160557) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.782961028Z (160557) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.782964477Z (160557) Framed-MTU = 1400
2026-04-21T12:18:14.782967517Z (160557) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.782970437Z (160557) Service-Type = Framed-User
2026-04-21T12:18:14.782973428Z (160557) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.782976878Z (160557) EAP-Message = 0x0219005b1500170303005009d94a52b7ebb9a6087a8f1db1bc9b07e8fd7480b275f73f740b6afec3fd848c2643be2bb67ac67f51de1f80e8598e3bc89e3f6f281a8286ff4afb1e2508289f7b9705787fe924df5473d123ea18cd74
2026-04-21T12:18:14.782979848Z (160557) State = 0xc331b34ac728a64eba0bb1b1b0e6d86e
2026-04-21T12:18:14.782983638Z (160557) Message-Authenticator = 0x64ff587e11bee1631897baf6115c81d3
2026-04-21T12:18:14.782986618Z (160557) Proxy-State = 0x35
2026-04-21T12:18:14.782989618Z (160557) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.782992488Z (160557) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.782996098Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.782999198Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.783002398Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.783009688Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.783012778Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.783024329Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.783027678Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.783030929Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.783034119Z (160557) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.783038229Z (160557) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.783041379Z (160557) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.783044479Z (160557) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.783047399Z (160557) authorize {
2026-04-21T12:18:14.783050539Z (160557) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.783053669Z (160557) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.783056619Z (160557) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.783059679Z (160557) update request {
2026-04-21T12:18:14.783062849Z (160557) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.783065979Z (160557) } # update request = noop
2026-04-21T12:18:14.783069209Z (160557) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.783072449Z (160557) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.783082210Z (160557) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.783092570Z (160557) --> 1343-0-5768143211720
2026-04-21T12:18:14.783098240Z (160557) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.783103110Z (160557) else {
2026-04-21T12:18:14.783108460Z (160557) update request {
2026-04-21T12:18:14.783113080Z (160557) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.783117530Z (160557) --> 1343-0-5768143211720
2026-04-21T12:18:14.783121770Z (160557) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.783125850Z (160557) Request-Origin := "freeradius"
2026-04-21T12:18:14.783130240Z (160557) } # update request = noop
2026-04-21T12:18:14.783135371Z (160557) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.783139351Z (160557) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.783143460Z (160557) --> 1343-0-5768143211720
2026-04-21T12:18:14.783147501Z (160557) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.783151581Z (160557) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.783155851Z (160557) update request {
2026-04-21T12:18:14.783159891Z (160557) EXPAND %{1}-%{2}
2026-04-21T12:18:14.783172081Z (160557) --> 1343-0
2026-04-21T12:18:14.783176661Z (160557) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.783181131Z (160557) } # update request = noop
2026-04-21T12:18:14.783185061Z (160557) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.783188911Z (160557) if (&EAP-Message) {
2026-04-21T12:18:14.783193012Z (160557) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.783197241Z (160557) if (&EAP-Message) {
2026-04-21T12:18:14.783201641Z (160557) update control {
2026-04-21T12:18:14.783206172Z (160557) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.783227412Z (160557) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.783230652Z (160557) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.783235872Z (160557) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.783238702Z (160557) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.783241462Z (160557) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.783244202Z (160557) } # update control = noop
2026-04-21T12:18:14.783259742Z (160557) eap: Peer sent EAP Response (code 2) ID 25 length 91
2026-04-21T12:18:14.783264313Z (160557) eap: Continuing tunnel setup
2026-04-21T12:18:14.783268793Z (160557) [eap] = ok
2026-04-21T12:18:14.783272993Z (160557) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.783276943Z (160557) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.783281203Z (160557) } # else = ok
2026-04-21T12:18:14.783285353Z (160557) } # authorize = ok
2026-04-21T12:18:14.783289613Z (160557) Found Auth-Type = EAP
2026-04-21T12:18:14.783294103Z (160557) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.783298583Z (160557) Auth-Type EAP {
2026-04-21T12:18:14.783314303Z (160557) eap: Removing EAP session with state 0xc331b34ac728a64e
2026-04-21T12:18:14.783318654Z (160557) eap: Previous EAP request found for state 0xc331b34ac728a64e, released from the list
2026-04-21T12:18:14.783322794Z (160557) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.783326704Z (160557) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.783330934Z (160557) eap_ttls: Authenticate
2026-04-21T12:18:14.783335604Z (160557) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.783338774Z (160557) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:14.783351144Z (160557) eap_ttls: Got tunneled request
2026-04-21T12:18:14.783355484Z (160557) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.783362254Z (160557) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:14.783366164Z (160557) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.783370684Z (160557) eap_ttls: Sending tunneled request
2026-04-21T12:18:14.783375415Z (160557) Virtual server my-inner-tunnel received request
2026-04-21T12:18:14.783379735Z (160557) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.783384535Z (160557) User-Password = <<< secret >>>
2026-04-21T12:18:14.783388555Z (160557) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.783392605Z (160557) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.783396585Z (160557) Calling-Station-Id = "02-40-2C-8C-47-E1"
2026-04-21T12:18:14.783400545Z (160557) Framed-MTU = 1400
2026-04-21T12:18:14.783404535Z (160557) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.783408955Z (160557) Service-Type = Framed-User
2026-04-21T12:18:14.783413055Z (160557) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.783417205Z (160557) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:14.783421245Z (160557) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:14.783425716Z (160557) server my-inner-tunnel {
2026-04-21T12:18:14.783430076Z (160557) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.783434705Z (160557) authorize {
2026-04-21T12:18:14.783444546Z (160557) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.783448856Z (160557) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:14.783453386Z (160557) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.783457526Z (160557) update outer.request {
2026-04-21T12:18:14.783475076Z (160557) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:14.783479766Z (160557) } # update outer.request = noop
2026-04-21T12:18:14.783483957Z (160557) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:14.783488257Z (160557) update request {
2026-04-21T12:18:14.783492546Z (160557) Auth-Endpoint := "auth"
2026-04-21T12:18:14.783496857Z (160557) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:14.783501647Z (160557) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:14.783504527Z (160557) --> 1343-0-5768143211720
2026-04-21T12:18:14.783507177Z (160557) Extreme-VSA-RsCert := 1343-0-5768143211720
2026-04-21T12:18:14.783509797Z (160557) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:14.783512397Z (160557) --> freeradius
2026-04-21T12:18:14.783515017Z (160557) Request-Origin := freeradius
2026-04-21T12:18:14.783517727Z (160557) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:14.783528977Z (160557) --> false
2026-04-21T12:18:14.783533887Z (160557) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:14.783537937Z (160557) } # update request = noop
2026-04-21T12:18:14.783542027Z (160557) update control {
2026-04-21T12:18:14.783546007Z (160557) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:14.783550767Z (160557) Auth-Type = rest
2026-04-21T12:18:14.783554958Z (160557) } # update control = noop
2026-04-21T12:18:14.783558818Z (160557) } # authorize = noop
2026-04-21T12:18:14.783562948Z (160557) Found Auth-Type = rest
2026-04-21T12:18:14.783567378Z (160557) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.783571548Z (160557) Auth-Type REST {
2026-04-21T12:18:14.783576038Z rlm_rest (rest): Reserved connection (152)
2026-04-21T12:18:14.783580428Z (160557) rest: Expanding URI components
2026-04-21T12:18:14.783584768Z (160557) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.783588848Z (160557) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.783592788Z (160557) rest: EXPAND /auth
2026-04-21T12:18:14.783596958Z (160557) rest: --> /auth
2026-04-21T12:18:14.783601468Z (160557) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:14.783615519Z (160557) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:14.783625509Z (160557) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-40-2C-8C-47-E1","tenant-id": "1343-0-5768143211720","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:14.783968045Z (160557) rest: Processing response header
2026-04-21T12:18:14.783972865Z (160557) rest: Status : 100 (Continue)
2026-04-21T12:18:14.783975195Z (160557) rest: Continuing...
2026-04-21T12:18:14.789279216Z (0) (TLS): Access-Request packet from host 63.178.227.84 port 37423, id=183, length=244
2026-04-21T12:18:14.789287477Z Thread 576 got semaphore
2026-04-21T12:18:14.789291937Z Thread 576 handling request 160558, (42 handled so far)
2026-04-21T12:18:14.789301537Z (160558) Received Access-Request Id 183 from 63.178.227.84:37423 to 0.0.0.0:2083 length 244
2026-04-21T12:18:14.789305697Z (160558) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.789309847Z (160558) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.789313697Z (160558) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.789318137Z (160558) Framed-MTU = 1400
2026-04-21T12:18:14.789322307Z (160558) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.789326587Z (160558) Service-Type = Framed-User
2026-04-21T12:18:14.789334757Z (160558) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.789339367Z (160558) EAP-Message = 0x0236005b1500170303005093801aec1a9d9b5ea2f15bff203f4015fe9edc38c8adfafb786eefd827e2115ff2d5767d25d432692cfe84eecf8b05d483e1c5cc86d18dd5f0ac9ea5d408e4385f6850bad407e32b89303fc2d1656746
2026-04-21T12:18:14.789348558Z (160558) State = 0xd26084a0d65691238d7986808755bf2d
2026-04-21T12:18:14.789352807Z (160558) Message-Authenticator = 0x456f80906161f8215af4a9d1edaa6e36
2026-04-21T12:18:14.789356768Z (160558) Proxy-State = 0x35
2026-04-21T12:18:14.789360788Z (160558) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.789368778Z (160558) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.789372848Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.789376618Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.789380318Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.789383978Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.789387688Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.789391608Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.789395758Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.789399578Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.789403459Z (160558) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.789407479Z (160558) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.789411239Z (160558) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.789419209Z (160558) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.789423239Z (160558) authorize {
2026-04-21T12:18:14.789427169Z (160558) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.789430779Z (160558) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.789434699Z (160558) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.789438939Z (160558) update request {
2026-04-21T12:18:14.789442719Z (160558) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.789446429Z (160558) } # update request = noop
2026-04-21T12:18:14.789450389Z (160558) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.789454149Z (160558) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.789458029Z (160558) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.789462060Z (160558) --> 1343-0-5768143211642
2026-04-21T12:18:14.789465960Z (160558) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.789469580Z (160558) else {
2026-04-21T12:18:14.789473570Z (160558) update request {
2026-04-21T12:18:14.789477600Z (160558) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.789481520Z (160558) --> 1343-0-5768143211642
2026-04-21T12:18:14.789485580Z (160558) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.789489370Z (160558) Request-Origin := "freeradius"
2026-04-21T12:18:14.789493020Z (160558) } # update request = noop
2026-04-21T12:18:14.789496820Z (160558) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.789500650Z (160558) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.789511730Z (160558) --> 1343-0-5768143211642
2026-04-21T12:18:14.789515770Z (160558) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.789520050Z (160558) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.789523990Z (160558) update request {
2026-04-21T12:18:14.789528081Z (160558) EXPAND %{1}-%{2}
2026-04-21T12:18:14.789532351Z (160558) --> 1343-0
2026-04-21T12:18:14.789536401Z (160558) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.789540851Z (160558) } # update request = noop
2026-04-21T12:18:14.789544891Z (160558) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.789548621Z (160558) if (&EAP-Message) {
2026-04-21T12:18:14.789552701Z (160558) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.789556761Z (160558) if (&EAP-Message) {
2026-04-21T12:18:14.789561131Z (160558) update control {
2026-04-21T12:18:14.789565031Z (160558) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.789568821Z (160558) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.789573291Z (160558) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.789577082Z (160558) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.789581171Z (160558) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.789585071Z (160558) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.789588972Z (160558) } # update control = noop
2026-04-21T12:18:14.789592812Z (160558) eap: Peer sent EAP Response (code 2) ID 54 length 91
2026-04-21T12:18:14.789596812Z (160558) eap: Continuing tunnel setup
2026-04-21T12:18:14.789600482Z (160558) [eap] = ok
2026-04-21T12:18:14.789604192Z (160558) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.789608362Z (160558) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.789612212Z (160558) } # else = ok
2026-04-21T12:18:14.789616502Z (160558) } # authorize = ok
2026-04-21T12:18:14.789620912Z (160558) Found Auth-Type = EAP
2026-04-21T12:18:14.789625142Z (160558) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.789629332Z (160558) Auth-Type EAP {
2026-04-21T12:18:14.789633282Z (160558) eap: Removing EAP session with state 0xd26084a0d6569123
2026-04-21T12:18:14.789637323Z (160558) eap: Previous EAP request found for state 0xd26084a0d6569123, released from the list
2026-04-21T12:18:14.789646463Z (160558) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.789650313Z (160558) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.789654373Z (160558) eap_ttls: Authenticate
2026-04-21T12:18:14.789658223Z (160558) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.789662103Z (160558) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:14.789665773Z (160558) eap_ttls: Got tunneled request
2026-04-21T12:18:14.789669623Z (160558) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.789673603Z (160558) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:14.789677603Z (160558) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.789681583Z (160558) eap_ttls: Sending tunneled request
2026-04-21T12:18:14.789685453Z (160558) Virtual server my-inner-tunnel received request
2026-04-21T12:18:14.789688983Z (160558) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.789696564Z (160558) User-Password = <<< secret >>>
2026-04-21T12:18:14.789701053Z (160558) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.789705124Z (160558) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.789708904Z (160558) Calling-Station-Id = "02-B9-26-6B-2B-A8"
2026-04-21T12:18:14.789712774Z (160558) Framed-MTU = 1400
2026-04-21T12:18:14.789716874Z (160558) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.789720874Z (160558) Service-Type = Framed-User
2026-04-21T12:18:14.789724854Z (160558) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.789728834Z (160558) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:14.789733104Z (160558) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:14.789737704Z (160558) server my-inner-tunnel {
2026-04-21T12:18:14.789741874Z (160558) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.789746504Z (160558) authorize {
2026-04-21T12:18:14.789749124Z (160558) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.789751665Z (160558) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:14.789754265Z (160558) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.789757614Z (160558) update outer.request {
2026-04-21T12:18:14.789760205Z (160558) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:14.789762785Z (160558) } # update outer.request = noop
2026-04-21T12:18:14.789765395Z (160558) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:14.789767975Z (160558) update request {
2026-04-21T12:18:14.789770305Z (160558) Auth-Endpoint := "auth"
2026-04-21T12:18:14.789772385Z (160558) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:14.789774435Z (160558) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:14.789776585Z (160558) --> 1343-0-5768143211642
2026-04-21T12:18:14.789778665Z (160558) Extreme-VSA-RsCert := 1343-0-5768143211642
2026-04-21T12:18:14.789785355Z (160558) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:14.789788845Z (160558) --> freeradius
2026-04-21T12:18:14.789792405Z (160558) Request-Origin := freeradius
2026-04-21T12:18:14.789795875Z (160558) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:14.789799095Z (160558) --> false
2026-04-21T12:18:14.789802645Z (160558) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:14.789805885Z (160558) } # update request = noop
2026-04-21T12:18:14.789809126Z (160558) update control {
2026-04-21T12:18:14.789812786Z (160558) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:14.789816106Z (160558) Auth-Type = rest
2026-04-21T12:18:14.789819706Z (160558) } # update control = noop
2026-04-21T12:18:14.789822966Z (160558) } # authorize = noop
2026-04-21T12:18:14.789826456Z (160558) Found Auth-Type = rest
2026-04-21T12:18:14.789829636Z (160558) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.789832896Z (160558) Auth-Type REST {
2026-04-21T12:18:14.789836196Z rlm_rest (rest): Reserved connection (153)
2026-04-21T12:18:14.789839496Z (160558) rest: Expanding URI components
2026-04-21T12:18:14.789843136Z (160558) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.789846336Z (160558) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.789853226Z (160558) rest: EXPAND /auth
2026-04-21T12:18:14.789856646Z (160558) rest: --> /auth
2026-04-21T12:18:14.789860396Z (160558) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:14.789878737Z (160558) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:14.789892127Z (160558) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-B9-26-6B-2B-A8","tenant-id": "1343-0-5768143211642","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:14.790765962Z (160558) rest: Processing response header
2026-04-21T12:18:14.790772872Z (160558) rest: Status : 100 (Continue)
2026-04-21T12:18:14.790777242Z (160558) rest: Continuing...
2026-04-21T12:18:14.797983916Z (0) (TLS): Access-Request packet from host 63.178.198.32 port 54907, id=110, length=244
2026-04-21T12:18:14.798041917Z Thread 567 got semaphore
2026-04-21T12:18:14.798048217Z Thread 567 handling request 160559, (86 handled so far)
2026-04-21T12:18:14.798052837Z (160559) Received Access-Request Id 110 from 63.178.198.32:54907 to 0.0.0.0:2083 length 244
2026-04-21T12:18:14.798057368Z (160559) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.798061188Z (160559) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.798065038Z (160559) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.798069418Z (160559) Framed-MTU = 1400
2026-04-21T12:18:14.798073438Z (160559) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.798077128Z (160559) Service-Type = Framed-User
2026-04-21T12:18:14.798081088Z (160559) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.798103758Z (160559) EAP-Message = 0x02ed005b15001703030050cfc7107932e0d302b00019f4d6975d07f9d5bd47fe69649d81a796c2351a7b41299f872d4086a1fdd934bc7a4d568cdcd84806a17ea71469814ac2682eb457d98bd0bcae7f8144dcf3dabe338840ae52
2026-04-21T12:18:14.798107769Z (160559) State = 0xc99fadcecd72b812a4a9af92aec5119a
2026-04-21T12:18:14.798112218Z (160559) Message-Authenticator = 0x47ce1027412f055a7b18a8b40bd5c406
2026-04-21T12:18:14.798116069Z (160559) Proxy-State = 0x35
2026-04-21T12:18:14.798120079Z (160559) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:14.798123989Z (160559) &session-state:Framed-MTU = 994
2026-04-21T12:18:14.798128519Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:14.798132599Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:14.798136719Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:14.798140529Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:14.798144479Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:14.798148409Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:14.798152229Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.798157939Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:14.798161789Z (160559) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:14.798165470Z (160559) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:14.798169519Z (160559) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:14.798173479Z (160559) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.798177260Z (160559) authorize {
2026-04-21T12:18:14.798181490Z (160559) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.798185440Z (160559) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.798189310Z (160559) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.798193240Z (160559) update request {
2026-04-21T12:18:14.798197130Z (160559) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.798201090Z (160559) } # update request = noop
2026-04-21T12:18:14.798205060Z (160559) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.798220450Z (160559) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.798224440Z (160559) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.798228500Z (160559) --> 1343-0-5768143211798
2026-04-21T12:18:14.798232340Z (160559) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.798236101Z (160559) else {
2026-04-21T12:18:14.798240241Z (160559) update request {
2026-04-21T12:18:14.798244551Z (160559) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.798248841Z (160559) --> 1343-0-5768143211798
2026-04-21T12:18:14.798252761Z (160559) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.798256941Z (160559) Request-Origin := "freeradius"
2026-04-21T12:18:14.798261311Z (160559) } # update request = noop
2026-04-21T12:18:14.798265771Z (160559) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.798269911Z (160559) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.798273961Z (160559) --> 1343-0-5768143211798
2026-04-21T12:18:14.798278371Z (160559) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.798282521Z (160559) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.798286441Z (160559) update request {
2026-04-21T12:18:14.798290541Z (160559) EXPAND %{1}-%{2}
2026-04-21T12:18:14.798294342Z (160559) --> 1343-0
2026-04-21T12:18:14.798298212Z (160559) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.798302392Z (160559) } # update request = noop
2026-04-21T12:18:14.798306452Z (160559) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.798310432Z (160559) if (&EAP-Message) {
2026-04-21T12:18:14.798316712Z (160559) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.798320892Z (160559) if (&EAP-Message) {
2026-04-21T12:18:14.798324852Z (160559) update control {
2026-04-21T12:18:14.798328632Z (160559) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.798332582Z (160559) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.798336492Z (160559) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.798340802Z (160559) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.798345233Z (160559) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.798349923Z (160559) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.798354263Z (160559) } # update control = noop
2026-04-21T12:18:14.798358343Z (160559) eap: Peer sent EAP Response (code 2) ID 237 length 91
2026-04-21T12:18:14.798376733Z (160559) eap: Continuing tunnel setup
2026-04-21T12:18:14.798380993Z (160559) [eap] = ok
2026-04-21T12:18:14.798384933Z (160559) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.798388763Z (160559) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.798396483Z (160559) } # else = ok
2026-04-21T12:18:14.798400434Z (160559) } # authorize = ok
2026-04-21T12:18:14.798404214Z (160559) Found Auth-Type = EAP
2026-04-21T12:18:14.798408104Z (160559) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.798411824Z (160559) Auth-Type EAP {
2026-04-21T12:18:14.798415784Z (160559) eap: Removing EAP session with state 0xc99fadcecd72b812
2026-04-21T12:18:14.798423794Z (160559) eap: Previous EAP request found for state 0xc99fadcecd72b812, released from the list
2026-04-21T12:18:14.798427744Z (160559) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:14.798431664Z (160559) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.798435444Z (160559) eap_ttls: Authenticate
2026-04-21T12:18:14.798439254Z (160559) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:14.798443154Z (160559) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:14.798447054Z (160559) eap_ttls: Got tunneled request
2026-04-21T12:18:14.798451294Z (160559) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.798455315Z (160559) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:14.798459044Z (160559) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.798463244Z (160559) eap_ttls: Sending tunneled request
2026-04-21T12:18:14.798467215Z (160559) Virtual server my-inner-tunnel received request
2026-04-21T12:18:14.798471415Z (160559) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.798475235Z (160559) User-Password = <<< secret >>>
2026-04-21T12:18:14.798478945Z (160559) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:14.798482565Z (160559) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.798486915Z (160559) Calling-Station-Id = "02-B0-86-1C-79-19"
2026-04-21T12:18:14.798491095Z (160559) Framed-MTU = 1400
2026-04-21T12:18:14.798495215Z (160559) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.798499625Z (160559) Service-Type = Framed-User
2026-04-21T12:18:14.798504005Z (160559) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.798508095Z (160559) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:14.798512285Z (160559) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:14.798516705Z (160559) server my-inner-tunnel {
2026-04-21T12:18:14.798520785Z (160559) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.798525226Z (160559) authorize {
2026-04-21T12:18:14.798529506Z (160559) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.798533856Z (160559) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:14.798537866Z (160559) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:14.798542226Z (160559) update outer.request {
2026-04-21T12:18:14.798545556Z (160559) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:14.798548096Z (160559) } # update outer.request = noop
2026-04-21T12:18:14.798550676Z (160559) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:14.798553296Z (160559) update request {
2026-04-21T12:18:14.798565576Z (160559) Auth-Endpoint := "auth"
2026-04-21T12:18:14.798568316Z (160559) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:14.798572086Z (160559) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:14.798576806Z (160559) --> 1343-0-5768143211798
2026-04-21T12:18:14.798580837Z (160559) Extreme-VSA-RsCert := 1343-0-5768143211798
2026-04-21T12:18:14.798594497Z (160559) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:14.798598987Z (160559) --> freeradius
2026-04-21T12:18:14.798603177Z (160559) Request-Origin := freeradius
2026-04-21T12:18:14.798607467Z (160559) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:14.798611447Z (160559) --> false
2026-04-21T12:18:14.798615447Z (160559) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:14.798624307Z (160559) } # update request = noop
2026-04-21T12:18:14.798628697Z (160559) update control {
2026-04-21T12:18:14.798633178Z (160559) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:14.798637598Z (160559) Auth-Type = rest
2026-04-21T12:18:14.798641868Z (160559) } # update control = noop
2026-04-21T12:18:14.798646098Z (160559) } # authorize = noop
2026-04-21T12:18:14.798650268Z (160559) Found Auth-Type = rest
2026-04-21T12:18:14.798654458Z (160559) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:14.798658848Z (160559) Auth-Type REST {
2026-04-21T12:18:14.798661718Z rlm_rest (rest): Reserved connection (167)
2026-04-21T12:18:14.798664358Z (160559) rest: Expanding URI components
2026-04-21T12:18:14.798667008Z (160559) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.798669578Z (160559) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:14.798672168Z (160559) rest: EXPAND /auth
2026-04-21T12:18:14.798674758Z (160559) rest: --> /auth
2026-04-21T12:18:14.798677408Z (160559) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:14.798689148Z (160559) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:14.798692479Z (160559) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-B0-86-1C-79-19","tenant-id": "1343-0-5768143211798","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:14.799571774Z (160559) rest: Processing response header
2026-04-21T12:18:14.799579074Z (160559) rest: Status : 100 (Continue)
2026-04-21T12:18:14.799583044Z (160559) rest: Continuing...
2026-04-21T12:18:14.823840082Z (160486) Cleaning up request packet ID 82 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.831188550Z (160487) Cleaning up request packet ID 93 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.837654141Z (160488) Cleaning up request packet ID 4 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.845258683Z (160489) Cleaning up request packet ID 228 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.951879373Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=32, length=163
2026-04-21T12:18:14.952222119Z Thread 570 got semaphore
2026-04-21T12:18:14.952229159Z Thread 570 handling request 160560, (71 handled so far)
2026-04-21T12:18:14.952232909Z (160560) Received Access-Request Id 32 from 3.122.233.175:59659 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.952236649Z (160560) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.952239559Z (160560) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.952242899Z (160560) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:14.952246689Z (160560) Framed-MTU = 1400
2026-04-21T12:18:14.952249989Z (160560) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.952253259Z (160560) Service-Type = Framed-User
2026-04-21T12:18:14.952256589Z (160560) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.952259710Z (160560) EAP-Message = 0x02a7001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.952263510Z (160560) Message-Authenticator = 0xf498d68c8f13ac16e77859ec0d23223c
2026-04-21T12:18:14.952266719Z (160560) Proxy-State = 0x30
2026-04-21T12:18:14.952269939Z (160560) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952272860Z (160560) authorize {
2026-04-21T12:18:14.952275610Z (160560) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952279100Z (160560) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.952282450Z (160560) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952285610Z (160560) update request {
2026-04-21T12:18:14.952289080Z (160560) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.952292370Z (160560) } # update request = noop
2026-04-21T12:18:14.952295740Z (160560) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.952298910Z (160560) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.952302170Z (160560) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.952312460Z (160560) --> 1343-0-5768143212362
2026-04-21T12:18:14.952315860Z (160560) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.952319151Z (160560) else {
2026-04-21T12:18:14.952322351Z (160560) update request {
2026-04-21T12:18:14.952325991Z (160560) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.952329241Z (160560) --> 1343-0-5768143212362
2026-04-21T12:18:14.952332361Z (160560) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:14.952335521Z (160560) Request-Origin := "freeradius"
2026-04-21T12:18:14.952338821Z (160560) } # update request = noop
2026-04-21T12:18:14.952357181Z (160560) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952360511Z (160560) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.952363731Z (160560) --> 1343-0-5768143212362
2026-04-21T12:18:14.952366861Z (160560) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.952370151Z (160560) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952373231Z (160560) update request {
2026-04-21T12:18:14.952376972Z (160560) EXPAND %{1}-%{2}
2026-04-21T12:18:14.952380161Z (160560) --> 1343-0
2026-04-21T12:18:14.952383452Z (160560) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.952386552Z (160560) } # update request = noop
2026-04-21T12:18:14.952389852Z (160560) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.952393132Z (160560) if (&EAP-Message) {
2026-04-21T12:18:14.952396282Z (160560) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.952399522Z (160560) if (&EAP-Message) {
2026-04-21T12:18:14.952402752Z (160560) update control {
2026-04-21T12:18:14.952405822Z (160560) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.952408942Z (160560) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952412442Z (160560) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952415452Z (160560) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.952418652Z (160560) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952422002Z (160560) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952425232Z (160560) } # update control = noop
2026-04-21T12:18:14.952428332Z (160560) eap: Peer sent EAP Response (code 2) ID 167 length 28
2026-04-21T12:18:14.952431442Z (160560) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.952434593Z (160560) [eap] = ok
2026-04-21T12:18:14.952437773Z (160560) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.952440882Z (160560) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.952443982Z (160560) } # else = ok
2026-04-21T12:18:14.952447123Z (160560) } # authorize = ok
2026-04-21T12:18:14.952450173Z (160560) Found Auth-Type = EAP
2026-04-21T12:18:14.952453553Z (160560) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952456873Z (160560) Auth-Type EAP {
2026-04-21T12:18:14.952459923Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=170, length=163
2026-04-21T12:18:14.952463163Z (160560) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.952472263Z (160560) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.952475703Z (160560) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.952478733Z (160560) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.952481973Z Thread 564 got semaphore
2026-04-21T12:18:14.952484973Z Thread 564 handling request 160561, (95 handled so far)
2026-04-21T12:18:14.952491163Z (160560) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.952494414Z (160561) Received Access-Request Id 170 from 35.156.107.143:43211 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.952497574Z (160561) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.952500843Z (160561) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.952503884Z (160561) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:14.952506814Z (160561) Framed-MTU = 1400
2026-04-21T12:18:14.952509594Z (160561) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.952512724Z (160561) Service-Type = Framed-User
2026-04-21T12:18:14.952515724Z (160561) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.952518894Z (160561) EAP-Message = 0x02f9001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.952522124Z (160561) Message-Authenticator = 0xaa71a8c68dfc6ee262f127b275f6f576
2026-04-21T12:18:14.952525104Z (160561) Proxy-State = 0x30
2026-04-21T12:18:14.952528514Z (160561) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952531634Z (160561) authorize {
2026-04-21T12:18:14.952534854Z (160561) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952538064Z (160561) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.952541484Z (160561) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952544864Z (160561) update request {
2026-04-21T12:18:14.952547974Z (160561) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.952551235Z (160561) } # update request = noop
2026-04-21T12:18:14.952554524Z (160561) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.952557835Z (160561) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.952561475Z (160561) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.952564915Z (160561) --> 1343-0-5768143212022
2026-04-21T12:18:14.952568305Z (160561) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.952571685Z (160561) else {
2026-04-21T12:18:14.952575235Z (160561) update request {
2026-04-21T12:18:14.952578455Z (160561) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.952581625Z (160561) --> 1343-0-5768143212022
2026-04-21T12:18:14.952585035Z (160561) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:14.952588405Z (160561) Request-Origin := "freeradius"
2026-04-21T12:18:14.952591765Z (160561) } # update request = noop
2026-04-21T12:18:14.952595385Z (160561) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952598925Z (160561) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.952614516Z (160561) --> 1343-0-5768143212022
2026-04-21T12:18:14.952618376Z (160561) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.952622136Z (160561) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952629396Z (160561) update request {
2026-04-21T12:18:14.952637036Z (160561) EXPAND %{1}-%{2}
2026-04-21T12:18:14.952640566Z (160561) --> 1343-0
2026-04-21T12:18:14.952643646Z (160561) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.952647206Z (160561) } # update request = noop
2026-04-21T12:18:14.952650546Z (160561) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.952653996Z (160561) if (&EAP-Message) {
2026-04-21T12:18:14.952657376Z (160561) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.952660286Z (160561) if (&EAP-Message) {
2026-04-21T12:18:14.952662416Z (160561) update control {
2026-04-21T12:18:14.952664556Z (160561) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.952666706Z (160561) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952668817Z (160561) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952670957Z (160561) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.952673006Z (160561) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952675066Z (160561) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952677157Z (160561) } # update control = noop
2026-04-21T12:18:14.952679227Z (160561) eap: Peer sent EAP Response (code 2) ID 249 length 28
2026-04-21T12:18:14.952681297Z (160561) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.952683357Z (160561) [eap] = ok
2026-04-21T12:18:14.952685407Z (160561) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.952687507Z (160561) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.952689577Z (160561) } # else = ok
2026-04-21T12:18:14.952691637Z (160561) } # authorize = ok
2026-04-21T12:18:14.952693687Z (160561) Found Auth-Type = EAP
2026-04-21T12:18:14.952695787Z (160561) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952697837Z (160561) Auth-Type EAP {
2026-04-21T12:18:14.952699897Z (160561) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.952701947Z (160561) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.952703977Z (160561) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.952706077Z (160561) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.952716657Z (160561) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.952720407Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=125, length=163
2026-04-21T12:18:14.952723758Z Thread 566 got semaphore
2026-04-21T12:18:14.952726927Z Thread 566 handling request 160562, (86 handled so far)
2026-04-21T12:18:14.952730378Z (160562) Received Access-Request Id 125 from 63.177.85.182:46491 to 0.0.0.0:2083 length 163
2026-04-21T12:18:14.952732858Z (160562) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:14.952734988Z (160562) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:14.952737038Z (160562) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:14.952739078Z (160562) Framed-MTU = 1400
2026-04-21T12:18:14.952741198Z (160562) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:14.952743258Z (160562) Service-Type = Framed-User
2026-04-21T12:18:14.952746118Z (160562) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:14.952748178Z (160562) EAP-Message = 0x0218001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:14.952753298Z (160562) Message-Authenticator = 0x485732771f779c1f572b028d2b51d8b3
2026-04-21T12:18:14.952755398Z (160562) Proxy-State = 0x30
2026-04-21T12:18:14.952757468Z (160562) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952759498Z (160562) authorize {
2026-04-21T12:18:14.952761578Z (160562) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952763628Z (160562) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:14.952767218Z (160562) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:14.952770618Z (160562) update request {
2026-04-21T12:18:14.952774008Z (160562) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:14.952777338Z (160562) } # update request = noop
2026-04-21T12:18:14.952780768Z (160562) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:14.952784008Z (160562) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:14.952787728Z (160562) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:14.952789808Z (160562) --> 1343-0-5768143212145
2026-04-21T12:18:14.952791928Z (160562) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:14.952793999Z (160562) else {
2026-04-21T12:18:14.952796069Z (160562) update request {
2026-04-21T12:18:14.952798159Z (160562) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:14.952800229Z (160562) --> 1343-0-5768143212145
2026-04-21T12:18:14.952802269Z (160562) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:14.952804429Z (160562) Request-Origin := "freeradius"
2026-04-21T12:18:14.952806489Z (160562) } # update request = noop
2026-04-21T12:18:14.952808559Z (160562) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952810609Z (160562) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:14.952812679Z (160562) --> 1343-0-5768143212145
2026-04-21T12:18:14.952814809Z (160562) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:14.952816949Z (160562) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:14.952818989Z (160562) update request {
2026-04-21T12:18:14.952821159Z (160562) EXPAND %{1}-%{2}
2026-04-21T12:18:14.952823189Z (160562) --> 1343-0
2026-04-21T12:18:14.952825259Z (160562) Owner-Org-Id := 1343-0
2026-04-21T12:18:14.952827319Z (160562) } # update request = noop
2026-04-21T12:18:14.952829449Z (160562) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:14.952831509Z (160562) if (&EAP-Message) {
2026-04-21T12:18:14.952833569Z (160562) if (&EAP-Message) -> TRUE
2026-04-21T12:18:14.952835639Z (160562) if (&EAP-Message) {
2026-04-21T12:18:14.952837709Z (160562) update control {
2026-04-21T12:18:14.952839780Z (160562) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:14.952841860Z (160562) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952843920Z (160562) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:14.952845960Z (160562) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:14.952847989Z (160562) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952854660Z (160562) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:14.952857960Z (160562) } # update control = noop
2026-04-21T12:18:14.952861620Z (160562) eap: Peer sent EAP Response (code 2) ID 24 length 28
2026-04-21T12:18:14.952865030Z (160562) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:14.952868680Z (160562) [eap] = ok
2026-04-21T12:18:14.952872040Z (160562) } # if (&EAP-Message) = ok
2026-04-21T12:18:14.952877150Z (160562) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:14.952879430Z (160562) } # else = ok
2026-04-21T12:18:14.952881520Z (160562) } # authorize = ok
2026-04-21T12:18:14.952883610Z (160562) Found Auth-Type = EAP
2026-04-21T12:18:14.952886920Z (160562) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.952889070Z (160562) Auth-Type EAP {
2026-04-21T12:18:14.952891220Z (160562) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:14.952893320Z (160562) eap: Using default_eap_type = TTLS
2026-04-21T12:18:14.952895380Z (160562) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:14.952897970Z (160562) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:14.952901721Z (160562) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:14.954567969Z (160560) eap: Sending EAP Request (code 1) ID 168 length 6
2026-04-21T12:18:14.954574989Z (160560) eap: EAP session adding &reply:State = 0x6f6ec6d06fc6d339
2026-04-21T12:18:14.954578619Z (160560) [eap] = handled
2026-04-21T12:18:14.954581890Z (160560) } # Auth-Type EAP = handled
2026-04-21T12:18:14.954584979Z (160560) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.954588150Z (160560) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.954591259Z (160560) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.954594440Z (160560) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.954598190Z (160560) Framed-MTU = 994
2026-04-21T12:18:14.954606500Z (160560) Sent Access-Challenge Id 32 from 0.0.0.0:2083 to 3.122.233.175:59659 length 67
2026-04-21T12:18:14.954610200Z (160560) EAP-Message = 0x01a800061520
2026-04-21T12:18:14.954613740Z (160560) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.954616940Z (160560) State = 0x6f6ec6d06fc6d339cf75c4b4c5430e32
2026-04-21T12:18:14.954620450Z (160560) Proxy-State = 0x30
2026-04-21T12:18:14.954686231Z (160560) Finished request
2026-04-21T12:18:14.954691651Z Thread 570 waiting to be assigned a request
2026-04-21T12:18:14.955463205Z (160561) eap: Sending EAP Request (code 1) ID 250 length 6
2026-04-21T12:18:14.955469725Z (160561) eap: EAP session adding &reply:State = 0xedddef24ed27fa7c
2026-04-21T12:18:14.955472895Z (160561) [eap] = handled
2026-04-21T12:18:14.955476615Z (160561) } # Auth-Type EAP = handled
2026-04-21T12:18:14.955480165Z (160562) eap: Sending EAP Request (code 1) ID 25 length 6
2026-04-21T12:18:14.955483385Z (160561) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.955487065Z (160562) eap: EAP session adding &reply:State = 0x2a2067242a3972e8
2026-04-21T12:18:14.955490625Z (160561) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.955494425Z (160562) [eap] = handled
2026-04-21T12:18:14.955500385Z (160561) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.955514655Z (160562) } # Auth-Type EAP = handled
2026-04-21T12:18:14.955518255Z (160561) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.955526736Z (160561) Framed-MTU = 994
2026-04-21T12:18:14.955530416Z (160562) Using Post-Auth-Type Challenge
2026-04-21T12:18:14.955532846Z (160562) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:14.955534916Z (160562) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:14.955537056Z (160562) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:14.955539156Z (160562) Framed-MTU = 994
2026-04-21T12:18:14.955541736Z (160561) Sent Access-Challenge Id 170 from 0.0.0.0:2083 to 35.156.107.143:43211 length 67
2026-04-21T12:18:14.955543866Z (160561) EAP-Message = 0x01fa00061520
2026-04-21T12:18:14.955545946Z (160561) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.955548066Z (160561) State = 0xedddef24ed27fa7ce6ededd1ec52e695
2026-04-21T12:18:14.955550146Z (160562) Sent Access-Challenge Id 125 from 0.0.0.0:2083 to 63.177.85.182:46491 length 67
2026-04-21T12:18:14.955552216Z (160561) Proxy-State = 0x30
2026-04-21T12:18:14.955554336Z (160562) EAP-Message = 0x011900061520
2026-04-21T12:18:14.955561136Z (160562) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:14.955563296Z (160562) State = 0x2a2067242a3972e86e37653a6478cb5c
2026-04-21T12:18:14.955565396Z (160562) Proxy-State = 0x30
2026-04-21T12:18:14.955567507Z (160561) Finished request
2026-04-21T12:18:14.955569567Z (160562) Finished request
2026-04-21T12:18:14.955571796Z Thread 564 waiting to be assigned a request
2026-04-21T12:18:14.955573916Z Thread 566 waiting to be assigned a request
2026-04-21T12:18:14.974931440Z (160494) Cleaning up request packet ID 107 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.981302010Z (160495) Cleaning up request packet ID 65 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.982626403Z (160496) Cleaning up request packet ID 114 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:14.983296024Z (160497) Cleaning up request packet ID 243 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:15.056034181Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=76, length=343
2026-04-21T12:18:15.056065841Z Threads: total/active/spare threads = 19/3/16
2026-04-21T12:18:15.056073531Z Threads: deleting 1 spare out of 6 spares
2026-04-21T12:18:15.056081042Z Thread 578 got semaphore
2026-04-21T12:18:15.056088612Z Thread 578 handling request 160563, (31 handled so far)
2026-04-21T12:18:15.056149763Z (160563) Received Access-Request Id 76 from 3.122.233.175:59659 to 0.0.0.0:2083 length 343
2026-04-21T12:18:15.056157203Z (160563) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.056162903Z (160563) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.056168673Z (160563) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.056174903Z (160563) Framed-MTU = 1400
2026-04-21T12:18:15.056180713Z (160563) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.056186553Z (160563) Service-Type = Framed-User
2026-04-21T12:18:15.056192604Z (160563) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.056198964Z (160563) EAP-Message = 0x02a800be150016030100b3010000af03031f71770d577805420714943be70d75d6b3af21ed8fd8fe49adfef2472859a2cd000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:15.056204974Z (160563) State = 0x6f6ec6d06fc6d339cf75c4b4c5430e32
2026-04-21T12:18:15.056223294Z (160563) Message-Authenticator = 0xfbeee392759f8936bb46eceac9629b7c
2026-04-21T12:18:15.056229524Z (160563) Proxy-State = 0x31
2026-04-21T12:18:15.056239584Z (160563) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.056245454Z (160563) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.056259805Z (160563) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.056265875Z (160563) authorize {
2026-04-21T12:18:15.056271835Z (160563) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.056277555Z (160563) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.056282945Z (160563) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.056288475Z (160563) update request {
2026-04-21T12:18:15.056294275Z (160563) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.056299995Z (160563) } # update request = noop
2026-04-21T12:18:15.056305775Z (160563) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.056311646Z (160563) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.056317946Z (160563) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.056323586Z (160563) --> 1343-0-5768143212362
2026-04-21T12:18:15.056329146Z (160563) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.056335126Z (160563) else {
2026-04-21T12:18:15.056340926Z (160563) update request {
2026-04-21T12:18:15.056377167Z (160563) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.056383187Z (160563) --> 1343-0-5768143212362
2026-04-21T12:18:15.056389317Z (160563) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.056400907Z (160563) Request-Origin := "freeradius"
2026-04-21T12:18:15.056407097Z (160563) } # update request = noop
2026-04-21T12:18:15.056412807Z (160563) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.056418957Z (160563) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.056425148Z (160563) --> 1343-0-5768143212362
2026-04-21T12:18:15.056431148Z (160563) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.056436808Z (160563) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.056442958Z (160563) update request {
2026-04-21T12:18:15.056448568Z (160563) EXPAND %{1}-%{2}
2026-04-21T12:18:15.056454278Z (160563) --> 1343-0
2026-04-21T12:18:15.056460268Z (160563) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.056466198Z (160563) } # update request = noop
2026-04-21T12:18:15.056472018Z (160563) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.056478048Z (160563) if (&EAP-Message) {
2026-04-21T12:18:15.056483829Z (160563) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.056489399Z (160563) if (&EAP-Message) {
2026-04-21T12:18:15.056495189Z (160563) update control {
2026-04-21T12:18:15.056501029Z (160563) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.056521409Z (160563) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.056527539Z (160563) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.056533659Z (160563) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.056547760Z (160563) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.056554530Z (160563) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.056566990Z (160563) } # update control = noop
2026-04-21T12:18:15.056573130Z (160563) eap: Peer sent EAP Response (code 2) ID 168 length 190
2026-04-21T12:18:15.056579020Z (160563) eap: Continuing tunnel setup
2026-04-21T12:18:15.056585050Z (160563) [eap] = ok
2026-04-21T12:18:15.056591200Z (160563) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.056597551Z (160563) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.056603671Z (160563) } # else = ok
2026-04-21T12:18:15.056609921Z (160563) } # authorize = ok
2026-04-21T12:18:15.056616371Z (160563) Found Auth-Type = EAP
2026-04-21T12:18:15.056622261Z (160563) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.056628221Z (160563) Auth-Type EAP {
2026-04-21T12:18:15.056635101Z (160563) eap: Removing EAP session with state 0x6f6ec6d06fc6d339
2026-04-21T12:18:15.056641881Z (160563) eap: Previous EAP request found for state 0x6f6ec6d06fc6d339, released from the list
2026-04-21T12:18:15.056646171Z (160563) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.056650061Z (160563) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.056653912Z (160563) eap_ttls: Authenticate
2026-04-21T12:18:15.056659841Z (160563) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:15.056667892Z (160563) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:15.056692152Z (160563) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.056699412Z (160563) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:15.056722383Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.056738493Z Thread 572 got semaphore
2026-04-21T12:18:15.056748733Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.056775243Z Thread 572 waiting to be assigned a request
2026-04-21T12:18:15.056781684Z (160563) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:15.056795264Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:15.056798774Z (160563) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:15.056801994Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:15.056804994Z (160563) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:15.056808084Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:15.057080359Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=183, length=343
2026-04-21T12:18:15.057087039Z Thread 573 got semaphore
2026-04-21T12:18:15.057102879Z Thread 573 handling request 160564, (30 handled so far)
2026-04-21T12:18:15.057285672Z (160564) Received Access-Request Id 183 from 63.177.85.182:46491 to 0.0.0.0:2083 length 343
2026-04-21T12:18:15.057291812Z (160564) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.057295112Z (160564) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.057298612Z (160564) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.057302293Z (160564) Framed-MTU = 1400
2026-04-21T12:18:15.057305293Z (160564) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.057313163Z (160564) Service-Type = Framed-User
2026-04-21T12:18:15.057316173Z (160564) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.057319913Z (160564) EAP-Message = 0x021900be150016030100b3010000af03038e811359c2f122cc3df96d2d3ad88ef3df8bdd4b14437d63e76e6ef2e895c7b6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:15.057323333Z (160564) State = 0x2a2067242a3972e86e37653a6478cb5c
2026-04-21T12:18:15.057328603Z (160564) Message-Authenticator = 0x94f9914d39f385463cbce124c3ec1ca4
2026-04-21T12:18:15.057331983Z (160564) Proxy-State = 0x31
2026-04-21T12:18:15.057335433Z (160564) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.057338693Z (160564) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.057341903Z (160564) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.057345443Z (160564) authorize {
2026-04-21T12:18:15.057348583Z (160564) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.057351884Z (160564) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.057355113Z (160564) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.057358393Z (160564) update request {
2026-04-21T12:18:15.057361484Z (160564) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.057364524Z (160564) } # update request = noop
2026-04-21T12:18:15.057367504Z (160564) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.057370554Z (160564) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.057373604Z (160564) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.057376544Z (160564) --> 1343-0-5768143212145
2026-04-21T12:18:15.057379684Z (160564) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.057382714Z (160564) else {
2026-04-21T12:18:15.057385744Z (160564) update request {
2026-04-21T12:18:15.057391274Z (160564) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.057394224Z (160564) --> 1343-0-5768143212145
2026-04-21T12:18:15.057397234Z (160564) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.057400124Z (160564) Request-Origin := "freeradius"
2026-04-21T12:18:15.057403004Z (160564) } # update request = noop
2026-04-21T12:18:15.057405934Z (160564) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.057409025Z (160564) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.057412165Z (160564) --> 1343-0-5768143212145
2026-04-21T12:18:15.057415234Z (160564) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.057418425Z (160564) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.057421635Z (160564) update request {
2026-04-21T12:18:15.057424935Z (160564) EXPAND %{1}-%{2}
2026-04-21T12:18:15.057427995Z (160564) --> 1343-0
2026-04-21T12:18:15.057431215Z (160564) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.057434295Z (160564) } # update request = noop
2026-04-21T12:18:15.057437215Z (160564) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.057440195Z (160564) if (&EAP-Message) {
2026-04-21T12:18:15.057446055Z (160564) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.057449265Z (160564) if (&EAP-Message) {
2026-04-21T12:18:15.057452345Z (160564) update control {
2026-04-21T12:18:15.057455465Z (160564) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.057458445Z (160564) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.057462905Z (160564) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.057465975Z (160564) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.057469015Z (160564) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.057472015Z (160564) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.057475006Z (160564) } # update control = noop
2026-04-21T12:18:15.057477886Z (160564) eap: Peer sent EAP Response (code 2) ID 25 length 190
2026-04-21T12:18:15.057480966Z (160564) eap: Continuing tunnel setup
2026-04-21T12:18:15.057483986Z (160564) [eap] = ok
2026-04-21T12:18:15.057486956Z (160564) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.057489916Z (160564) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.057492906Z (160564) } # else = ok
2026-04-21T12:18:15.057495786Z (160564) } # authorize = ok
2026-04-21T12:18:15.057498746Z (160564) Found Auth-Type = EAP
2026-04-21T12:18:15.057501696Z (160564) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.057504616Z (160564) Auth-Type EAP {
2026-04-21T12:18:15.057507526Z (160564) eap: Removing EAP session with state 0x2a2067242a3972e8
2026-04-21T12:18:15.057510506Z (160564) eap: Previous EAP request found for state 0x2a2067242a3972e8, released from the list
2026-04-21T12:18:15.057513496Z (160564) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.057529836Z (160564) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.057533056Z (160564) eap_ttls: Authenticate
2026-04-21T12:18:15.057535967Z (160564) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:15.057539437Z (160564) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:15.057544367Z (160564) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.057920663Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=247, length=343
2026-04-21T12:18:15.057926263Z (160564) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:15.057929454Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.057932703Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.057935674Z (160564) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:15.057938763Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:15.057941874Z (160564) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:15.057944904Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:15.057947804Z (160564) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:15.057950894Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:15.057953904Z Thread 577 got semaphore
2026-04-21T12:18:15.057956904Z Thread 577 handling request 160565, (35 handled so far)
2026-04-21T12:18:15.057963694Z (160565) Received Access-Request Id 247 from 35.156.107.143:43211 to 0.0.0.0:2083 length 343
2026-04-21T12:18:15.057966804Z (160565) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.057969774Z (160565) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.057972764Z (160565) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.057975724Z (160565) Framed-MTU = 1400
2026-04-21T12:18:15.057978734Z (160565) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.057981714Z (160565) Service-Type = Framed-User
2026-04-21T12:18:15.057984654Z (160565) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.057987755Z (160565) EAP-Message = 0x02fa00be150016030100b3010000af03036c64f69c3f9ef85ce66bd730d9d05a6925118183cc7ed1bf63ae494fa78f8e6b000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:15.057990784Z (160565) State = 0xedddef24ed27fa7ce6ededd1ec52e695
2026-04-21T12:18:15.057993804Z (160565) Message-Authenticator = 0x96882999c44f3d5eeed0b5f151e12d3e
2026-04-21T12:18:15.057996824Z (160565) Proxy-State = 0x31
2026-04-21T12:18:15.057999785Z (160565) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.058002785Z (160565) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.058005745Z (160565) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.058008745Z (160565) authorize {
2026-04-21T12:18:15.058011725Z (160565) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.058014835Z (160565) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.058017795Z (160565) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.058021095Z (160565) update request {
2026-04-21T12:18:15.058024075Z (160565) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.058027045Z (160565) } # update request = noop
2026-04-21T12:18:15.058030105Z (160565) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.058033095Z (160565) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.058036205Z (160565) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.058039185Z (160565) --> 1343-0-5768143212022
2026-04-21T12:18:15.058042175Z (160565) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.058045376Z (160565) else {
2026-04-21T12:18:15.058048376Z (160565) update request {
2026-04-21T12:18:15.058051556Z (160565) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.058054576Z (160565) --> 1343-0-5768143212022
2026-04-21T12:18:15.058057496Z (160565) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.058060586Z (160565) Request-Origin := "freeradius"
2026-04-21T12:18:15.058063576Z (160565) } # update request = noop
2026-04-21T12:18:15.058066596Z (160565) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.058069656Z (160565) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.058072686Z (160565) --> 1343-0-5768143212022
2026-04-21T12:18:15.058075746Z (160565) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.058078806Z (160565) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.058084176Z (160565) update request {
2026-04-21T12:18:15.058087186Z (160565) EXPAND %{1}-%{2}
2026-04-21T12:18:15.058090156Z (160565) --> 1343-0
2026-04-21T12:18:15.058093156Z (160565) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.058096116Z (160565) } # update request = noop
2026-04-21T12:18:15.058099076Z (160565) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.058102086Z (160565) if (&EAP-Message) {
2026-04-21T12:18:15.058105077Z (160565) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.058108157Z (160565) if (&EAP-Message) {
2026-04-21T12:18:15.058111126Z (160565) update control {
2026-04-21T12:18:15.058114097Z (160565) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.058117067Z (160565) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.058120067Z (160565) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.058124957Z (160565) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.058128077Z (160565) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.058131087Z (160565) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.058134097Z (160565) } # update control = noop
2026-04-21T12:18:15.058137207Z (160565) eap: Peer sent EAP Response (code 2) ID 250 length 190
2026-04-21T12:18:15.058140227Z (160565) eap: Continuing tunnel setup
2026-04-21T12:18:15.058143227Z (160565) [eap] = ok
2026-04-21T12:18:15.058146257Z (160565) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.058149197Z (160565) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.058152147Z (160565) } # else = ok
2026-04-21T12:18:15.058155187Z (160565) } # authorize = ok
2026-04-21T12:18:15.058158337Z (160565) Found Auth-Type = EAP
2026-04-21T12:18:15.058161387Z (160565) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.058164378Z (160565) Auth-Type EAP {
2026-04-21T12:18:15.058167487Z (160565) eap: Removing EAP session with state 0xedddef24ed27fa7c
2026-04-21T12:18:15.058170567Z (160565) eap: Previous EAP request found for state 0xedddef24ed27fa7c, released from the list
2026-04-21T12:18:15.058173568Z (160565) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.058176558Z (160565) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.058179568Z (160565) eap_ttls: Authenticate
2026-04-21T12:18:15.058182608Z (160565) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:15.058185628Z (160565) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:15.058188648Z (160565) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.058191708Z (160565) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:15.058194718Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.058197898Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:15.058200858Z (160565) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:15.058203878Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:15.058206918Z (160565) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:15.058210028Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:15.058215498Z (160565) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:15.058218538Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:15.058347341Z (160563) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:15.058352081Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:15.058355231Z (160563) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:15.058358241Z (160563) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.058361221Z (160563) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:15.058427392Z (160563) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:15.058431352Z (160563) eap: Sending EAP Request (code 1) ID 169 length 1000
2026-04-21T12:18:15.058434532Z (160563) eap: EAP session adding &reply:State = 0x6f6ec6d06ec7d339
2026-04-21T12:18:15.058437652Z (160563) [eap] = handled
2026-04-21T12:18:15.058440742Z (160563) } # Auth-Type EAP = handled
2026-04-21T12:18:15.058443662Z (160563) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.058446642Z (160563) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.058449822Z (160563) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.058452852Z (160563) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.058455903Z (160563) Framed-MTU = 994
2026-04-21T12:18:15.058458992Z (160563) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.058462183Z (160563) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.058465593Z (160563) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.058468663Z (160563) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.058471923Z (160563) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.058475043Z (160563) Sent Access-Challenge Id 76 from 0.0.0.0:2083 to 3.122.233.175:59659 length 1067
2026-04-21T12:18:15.058485223Z (160563) EAP-Message = 0x01a903e815c000000a6d160303003d020000390303434bef1c4c26d7b3d50e56ed1820089009c0d15cadba3341444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:15.058488463Z (160563) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.058491543Z (160563) State = 0x6f6ec6d06ec7d339cf75c4b4c5430e32
2026-04-21T12:18:15.058494573Z (160563) Proxy-State = 0x31
2026-04-21T12:18:15.058507923Z (160563) Finished request
2026-04-21T12:18:15.058511233Z Thread 578 waiting to be assigned a request
2026-04-21T12:18:15.058738707Z (160564) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:15.058744688Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:15.058752108Z (160564) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:15.058755108Z (160564) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.058758098Z (160564) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:15.058828579Z (160564) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:15.058835779Z (160564) eap: Sending EAP Request (code 1) ID 26 length 1000
2026-04-21T12:18:15.058839809Z (160564) eap: EAP session adding &reply:State = 0x2a2067242b3a72e8
2026-04-21T12:18:15.058843979Z (160564) [eap] = handled
2026-04-21T12:18:15.058847309Z (160564) } # Auth-Type EAP = handled
2026-04-21T12:18:15.058850349Z (160564) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.058879700Z (160564) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.058883170Z (160564) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.058886240Z (160564) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.058889410Z (160564) Framed-MTU = 994
2026-04-21T12:18:15.058892680Z (160564) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.058895780Z (160564) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.058898700Z (160564) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.058901780Z (160564) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.058904760Z (160564) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.058907920Z (160564) Sent Access-Challenge Id 183 from 0.0.0.0:2083 to 63.177.85.182:46491 length 1067
2026-04-21T12:18:15.058916611Z (160564) EAP-Message = 0x011a03e815c000000a6d160303003d020000390303b7759bfc5b5a09001cdc9123462eb63688734ae4041602b3444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:15.058919991Z (160564) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.058923100Z (160564) State = 0x2a2067242b3a72e86e37653a6478cb5c
2026-04-21T12:18:15.058926131Z (160564) Proxy-State = 0x31
2026-04-21T12:18:15.058929201Z (160564) Finished request
2026-04-21T12:18:15.058932361Z Thread 573 waiting to be assigned a request
2026-04-21T12:18:15.059305547Z (160565) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:15.059312297Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:15.059315587Z (160565) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:15.059318907Z (160565) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.059321978Z (160565) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:15.059325147Z (160565) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:15.059328387Z (160565) eap: Sending EAP Request (code 1) ID 251 length 1000
2026-04-21T12:18:15.059336768Z (160565) eap: EAP session adding &reply:State = 0xedddef24ec26fa7c
2026-04-21T12:18:15.059340198Z (160565) [eap] = handled
2026-04-21T12:18:15.059343808Z (160565) } # Auth-Type EAP = handled
2026-04-21T12:18:15.059352208Z (160565) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.059355468Z (160565) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.059358608Z (160565) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.059361658Z (160565) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.059364918Z (160565) Framed-MTU = 994
2026-04-21T12:18:15.059368298Z (160565) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.059371398Z (160565) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.059374938Z (160565) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.059378278Z (160565) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.059381488Z (160565) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.059389279Z (160565) Sent Access-Challenge Id 247 from 0.0.0.0:2083 to 35.156.107.143:43211 length 1067
2026-04-21T12:18:15.059392869Z (160565) EAP-Message = 0x01fb03e815c000000a6d160303003d0200003903030793662be9edfac51126e970741bbca5b35c06d59e557a03444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:15.059396539Z (160565) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.059399999Z (160565) State = 0xedddef24ec26fa7ce6ededd1ec52e695
2026-04-21T12:18:15.059403179Z (160565) Proxy-State = 0x31
2026-04-21T12:18:15.059438669Z (160565) Finished request
2026-04-21T12:18:15.059443220Z Thread 577 waiting to be assigned a request
2026-04-21T12:18:15.074209644Z (160490) Cleaning up request packet ID 96 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:15.075734800Z (160492) Cleaning up request packet ID 135 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:15.079858041Z (160498) Cleaning up request packet ID 151 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.084142645Z (160499) Cleaning up request packet ID 194 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.085574430Z (160500) Cleaning up request packet ID 244 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.086899803Z (160501) Cleaning up request packet ID 236 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.088227565Z (160491) Cleaning up request packet ID 117 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:15.092194684Z (160493) Cleaning up request packet ID 90 with timestamp +4275 due to cleanup_delay was reached
2026-04-21T12:18:15.159610678Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=236, length=159
2026-04-21T12:18:15.159641099Z Thread 580 got semaphore
2026-04-21T12:18:15.159655519Z Thread 580 handling request 160566, (35 handled so far)
2026-04-21T12:18:15.159694990Z (160566) Received Access-Request Id 236 from 3.122.233.175:59659 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.159700670Z (160566) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.159704670Z (160566) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.159708680Z (160566) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.159712760Z (160566) Framed-MTU = 1400
2026-04-21T12:18:15.159716960Z (160566) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.159720780Z (160566) Service-Type = Framed-User
2026-04-21T12:18:15.159725170Z (160566) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.159729091Z (160566) EAP-Message = 0x02a900061500
2026-04-21T12:18:15.159732940Z (160566) State = 0x6f6ec6d06ec7d339cf75c4b4c5430e32
2026-04-21T12:18:15.159737231Z (160566) Message-Authenticator = 0x92d463db6e890005c93551e656a0bccd
2026-04-21T12:18:15.159741621Z (160566) Proxy-State = 0x32
2026-04-21T12:18:15.159750561Z (160566) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.159754611Z (160566) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.159758751Z (160566) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.159763581Z (160566) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.159767691Z (160566) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.159773871Z (160566) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.159777131Z (160566) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.159780211Z (160566) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.159783201Z (160566) authorize {
2026-04-21T12:18:15.159786421Z (160566) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.159789761Z (160566) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.159793101Z (160566) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.159796552Z (160566) update request {
2026-04-21T12:18:15.159803372Z (160566) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.159806692Z (160566) } # update request = noop
2026-04-21T12:18:15.159809902Z (160566) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.159813232Z (160566) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.159816522Z (160566) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.159819622Z (160566) --> 1343-0-5768143212362
2026-04-21T12:18:15.159824902Z (160566) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.159828302Z (160566) else {
2026-04-21T12:18:15.159831342Z (160566) update request {
2026-04-21T12:18:15.159834462Z (160566) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.159837562Z (160566) --> 1343-0-5768143212362
2026-04-21T12:18:15.159840682Z (160566) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.159843862Z (160566) Request-Origin := "freeradius"
2026-04-21T12:18:15.159846953Z (160566) } # update request = noop
2026-04-21T12:18:15.159850453Z (160566) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.159857833Z (160566) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.159861283Z (160566) --> 1343-0-5768143212362
2026-04-21T12:18:15.159873973Z (160566) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.159877303Z (160566) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.159880513Z (160566) update request {
2026-04-21T12:18:15.159883923Z (160566) EXPAND %{1}-%{2}
2026-04-21T12:18:15.159887123Z (160566) --> 1343-0
2026-04-21T12:18:15.159890243Z (160566) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.159893363Z (160566) } # update request = noop
2026-04-21T12:18:15.159896723Z (160566) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.159900114Z (160566) if (&EAP-Message) {
2026-04-21T12:18:15.159903383Z (160566) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.159906794Z (160566) if (&EAP-Message) {
2026-04-21T12:18:15.159909744Z (160566) update control {
2026-04-21T12:18:15.159912724Z (160566) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.159915994Z (160566) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.159919224Z (160566) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.159922374Z (160566) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.159925514Z (160566) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.159928824Z (160566) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.159932154Z (160566) } # update control = noop
2026-04-21T12:18:15.159946084Z (160566) eap: Peer sent EAP Response (code 2) ID 169 length 6
2026-04-21T12:18:15.159949644Z (160566) eap: Continuing tunnel setup
2026-04-21T12:18:15.159953094Z (160566) [eap] = ok
2026-04-21T12:18:15.159956475Z (160566) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.159959875Z (160566) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.159963164Z (160566) } # else = ok
2026-04-21T12:18:15.159966564Z (160566) } # authorize = ok
2026-04-21T12:18:15.159969805Z (160566) Found Auth-Type = EAP
2026-04-21T12:18:15.159973065Z (160566) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.159976095Z (160566) Auth-Type EAP {
2026-04-21T12:18:15.159979475Z (160566) eap: Removing EAP session with state 0x6f6ec6d06ec7d339
2026-04-21T12:18:15.159982645Z (160566) eap: Previous EAP request found for state 0x6f6ec6d06ec7d339, released from the list
2026-04-21T12:18:15.160001805Z (160566) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.160005455Z (160566) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.160008835Z (160566) eap_ttls: Authenticate
2026-04-21T12:18:15.160012195Z (160566) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.160023445Z (160566) eap: Sending EAP Request (code 1) ID 170 length 1000
2026-04-21T12:18:15.160026796Z (160566) eap: EAP session adding &reply:State = 0x6f6ec6d06dc4d339
2026-04-21T12:18:15.160030186Z (160566) [eap] = handled
2026-04-21T12:18:15.160033716Z (160566) } # Auth-Type EAP = handled
2026-04-21T12:18:15.160036996Z (160566) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.160040346Z (160566) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.160043656Z (160566) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.160054016Z (160566) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.160057406Z (160566) Framed-MTU = 994
2026-04-21T12:18:15.160061026Z (160566) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.160064426Z (160566) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.160067586Z (160566) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.160070656Z (160566) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.160073906Z (160566) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.160088207Z (160566) Sent Access-Challenge Id 236 from 0.0.0.0:2083 to 3.122.233.175:59659 length 1067
2026-04-21T12:18:15.160092097Z (160566) EAP-Message = 0x01aa03e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:15.160095717Z (160566) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.160098977Z (160566) State = 0x6f6ec6d06dc4d339cf75c4b4c5430e32
2026-04-21T12:18:15.160102697Z (160566) Proxy-State = 0x32
2026-04-21T12:18:15.160114187Z (160566) Finished request
2026-04-21T12:18:15.160118007Z Thread 580 waiting to be assigned a request
2026-04-21T12:18:15.160289140Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=176, length=159
2026-04-21T12:18:15.160296130Z Thread 565 got semaphore
2026-04-21T12:18:15.160299740Z Thread 565 handling request 160567, (83 handled so far)
2026-04-21T12:18:15.160306581Z (160567) Received Access-Request Id 176 from 63.177.85.182:46491 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.160310010Z (160567) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.160313191Z (160567) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.160316111Z (160567) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.160319591Z (160567) Framed-MTU = 1400
2026-04-21T12:18:15.160322811Z (160567) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.160326121Z (160567) Service-Type = Framed-User
2026-04-21T12:18:15.160332391Z (160567) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.160335431Z (160567) EAP-Message = 0x021a00061500
2026-04-21T12:18:15.160338871Z (160567) State = 0x2a2067242b3a72e86e37653a6478cb5c
2026-04-21T12:18:15.160342751Z (160567) Message-Authenticator = 0x3a1c1cfc39ade39637f04db76269e34d
2026-04-21T12:18:15.160352401Z (160567) Proxy-State = 0x32
2026-04-21T12:18:15.160355741Z (160567) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.160358791Z (160567) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.160362331Z (160567) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.160365491Z (160567) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.160371852Z (160567) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.160379852Z (160567) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.160383062Z (160567) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.160386192Z (160567) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.160389332Z (160567) authorize {
2026-04-21T12:18:15.160392542Z (160567) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.160395652Z (160567) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.160398992Z (160567) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.160402232Z (160567) update request {
2026-04-21T12:18:15.160405342Z (160567) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.160408412Z (160567) } # update request = noop
2026-04-21T12:18:15.160414652Z (160567) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.160417803Z (160567) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.160420843Z (160567) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.160423923Z (160567) --> 1343-0-5768143212145
2026-04-21T12:18:15.160427123Z (160567) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.160430213Z (160567) else {
2026-04-21T12:18:15.160433253Z (160567) update request {
2026-04-21T12:18:15.160436373Z (160567) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.160439543Z (160567) --> 1343-0-5768143212145
2026-04-21T12:18:15.160442593Z (160567) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.160445643Z (160567) Request-Origin := "freeradius"
2026-04-21T12:18:15.160448723Z (160567) } # update request = noop
2026-04-21T12:18:15.160451833Z (160567) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.160454833Z (160567) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.160457943Z (160567) --> 1343-0-5768143212145
2026-04-21T12:18:15.160461073Z (160567) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.160464223Z (160567) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.160467373Z (160567) update request {
2026-04-21T12:18:15.160470393Z (160567) EXPAND %{1}-%{2}
2026-04-21T12:18:15.160473483Z (160567) --> 1343-0
2026-04-21T12:18:15.160476604Z (160567) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.160479924Z (160567) } # update request = noop
2026-04-21T12:18:15.160483084Z (160567) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.160486204Z (160567) if (&EAP-Message) {
2026-04-21T12:18:15.160489504Z (160567) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.160496554Z (160567) if (&EAP-Message) {
2026-04-21T12:18:15.160499914Z (160567) update control {
2026-04-21T12:18:15.160502904Z (160567) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.160505864Z (160567) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.160508994Z (160567) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.160512324Z (160567) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.160518174Z (160567) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.160521474Z (160567) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.160524994Z (160567) } # update control = noop
2026-04-21T12:18:15.160528174Z (160567) eap: Peer sent EAP Response (code 2) ID 26 length 6
2026-04-21T12:18:15.160531305Z (160567) eap: Continuing tunnel setup
2026-04-21T12:18:15.160534645Z (160567) [eap] = ok
2026-04-21T12:18:15.160537774Z (160567) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.160541134Z (160567) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.160544385Z (160567) } # else = ok
2026-04-21T12:18:15.160547915Z (160567) } # authorize = ok
2026-04-21T12:18:15.160551445Z (160567) Found Auth-Type = EAP
2026-04-21T12:18:15.160554805Z (160567) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.160558215Z (160567) Auth-Type EAP {
2026-04-21T12:18:15.160561375Z (160567) eap: Removing EAP session with state 0x2a2067242b3a72e8
2026-04-21T12:18:15.160564365Z (160567) eap: Previous EAP request found for state 0x2a2067242b3a72e8, released from the list
2026-04-21T12:18:15.160567515Z (160567) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.160570625Z (160567) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.160573925Z (160567) eap_ttls: Authenticate
2026-04-21T12:18:15.160577275Z (160567) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.160585215Z (160567) eap: Sending EAP Request (code 1) ID 27 length 1000
2026-04-21T12:18:15.160588935Z (160567) eap: EAP session adding &reply:State = 0x2a206724283b72e8
2026-04-21T12:18:15.160592095Z (160567) [eap] = handled
2026-04-21T12:18:15.160595486Z (160567) } # Auth-Type EAP = handled
2026-04-21T12:18:15.160598886Z (160567) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.160602236Z (160567) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.160605926Z (160567) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.160609296Z (160567) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.160612736Z (160567) Framed-MTU = 994
2026-04-21T12:18:15.160615946Z (160567) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.160619496Z (160567) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.160622846Z (160567) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.160628046Z (160567) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.160631536Z (160567) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.160634836Z (160567) Sent Access-Challenge Id 176 from 0.0.0.0:2083 to 63.177.85.182:46491 length 1067
2026-04-21T12:18:15.160639396Z (160567) EAP-Message = 0x011b03e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:15.160646267Z (160567) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.160648427Z (160567) State = 0x2a206724283b72e86e37653a6478cb5c
2026-04-21T12:18:15.160650516Z (160567) Proxy-State = 0x32
2026-04-21T12:18:15.160660037Z (160567) Finished request
2026-04-21T12:18:15.160662227Z Thread 565 waiting to be assigned a request
2026-04-21T12:18:15.161079904Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=104, length=159
2026-04-21T12:18:15.161124265Z Thread 563 got semaphore
2026-04-21T12:18:15.161128455Z Thread 563 handling request 160568, (88 handled so far)
2026-04-21T12:18:15.161131865Z (160568) Received Access-Request Id 104 from 35.156.107.143:43211 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.161135115Z (160568) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.161138255Z (160568) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.161154365Z (160568) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.161157705Z (160568) Framed-MTU = 1400
2026-04-21T12:18:15.161161005Z (160568) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.161164065Z (160568) Service-Type = Framed-User
2026-04-21T12:18:15.161167236Z (160568) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.161170405Z (160568) EAP-Message = 0x02fb00061500
2026-04-21T12:18:15.161177236Z (160568) State = 0xedddef24ec26fa7ce6ededd1ec52e695
2026-04-21T12:18:15.161180686Z (160568) Message-Authenticator = 0xd77c541d4a315dc6b0de6b848b586a4b
2026-04-21T12:18:15.161184056Z (160568) Proxy-State = 0x32
2026-04-21T12:18:15.161187256Z (160568) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.161190696Z (160568) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.161194136Z (160568) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.161197326Z (160568) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.161200776Z (160568) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.161204216Z (160568) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.161207666Z (160568) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.161210916Z (160568) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.161214006Z (160568) authorize {
2026-04-21T12:18:15.161217256Z (160568) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.161220266Z (160568) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.161223286Z (160568) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.161226406Z (160568) update request {
2026-04-21T12:18:15.161229617Z (160568) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.161232746Z (160568) } # update request = noop
2026-04-21T12:18:15.161235897Z (160568) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.161238947Z (160568) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.161242047Z (160568) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.161245007Z (160568) --> 1343-0-5768143212022
2026-04-21T12:18:15.161248027Z (160568) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.161255327Z (160568) else {
2026-04-21T12:18:15.161258487Z (160568) update request {
2026-04-21T12:18:15.161265367Z (160568) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.161268567Z (160568) --> 1343-0-5768143212022
2026-04-21T12:18:15.161271777Z (160568) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.161274787Z (160568) Request-Origin := "freeradius"
2026-04-21T12:18:15.161280997Z (160568) } # update request = noop
2026-04-21T12:18:15.161284287Z (160568) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.161287458Z (160568) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.161290847Z (160568) --> 1343-0-5768143212022
2026-04-21T12:18:15.161294318Z (160568) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.161297648Z (160568) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.161300998Z (160568) update request {
2026-04-21T12:18:15.161304328Z (160568) EXPAND %{1}-%{2}
2026-04-21T12:18:15.161307538Z (160568) --> 1343-0
2026-04-21T12:18:15.161310898Z (160568) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.161314158Z (160568) } # update request = noop
2026-04-21T12:18:15.161317198Z (160568) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.161320298Z (160568) if (&EAP-Message) {
2026-04-21T12:18:15.161323148Z (160568) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.161326248Z (160568) if (&EAP-Message) {
2026-04-21T12:18:15.161329308Z (160568) update control {
2026-04-21T12:18:15.161332598Z (160568) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.161335838Z (160568) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.161339308Z (160568) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.161343008Z (160568) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.161346159Z (160568) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.161349539Z (160568) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.161352869Z (160568) } # update control = noop
2026-04-21T12:18:15.161356149Z (160568) eap: Peer sent EAP Response (code 2) ID 251 length 6
2026-04-21T12:18:15.161359339Z (160568) eap: Continuing tunnel setup
2026-04-21T12:18:15.161362669Z (160568) [eap] = ok
2026-04-21T12:18:15.161365909Z (160568) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.161369349Z (160568) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.161372889Z (160568) } # else = ok
2026-04-21T12:18:15.161376149Z (160568) } # authorize = ok
2026-04-21T12:18:15.161379259Z (160568) Found Auth-Type = EAP
2026-04-21T12:18:15.161385599Z (160568) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.161389099Z (160568) Auth-Type EAP {
2026-04-21T12:18:15.161392559Z (160568) eap: Removing EAP session with state 0xedddef24ec26fa7c
2026-04-21T12:18:15.161395899Z (160568) eap: Previous EAP request found for state 0xedddef24ec26fa7c, released from the list
2026-04-21T12:18:15.161399300Z (160568) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.161403060Z (160568) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.161410520Z (160568) eap_ttls: Authenticate
2026-04-21T12:18:15.161413920Z (160568) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.161417350Z (160568) eap: Sending EAP Request (code 1) ID 252 length 1000
2026-04-21T12:18:15.161420630Z (160568) eap: EAP session adding &reply:State = 0xedddef24ef21fa7c
2026-04-21T12:18:15.161423860Z (160568) [eap] = handled
2026-04-21T12:18:15.161427330Z (160568) } # Auth-Type EAP = handled
2026-04-21T12:18:15.161431000Z (160568) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.161434270Z (160568) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.161438050Z (160568) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.161441510Z (160568) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.161444690Z (160568) Framed-MTU = 994
2026-04-21T12:18:15.161448060Z (160568) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.161451140Z (160568) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.161454240Z (160568) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.161457770Z (160568) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.161461381Z (160568) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.161464810Z (160568) Sent Access-Challenge Id 104 from 0.0.0.0:2083 to 35.156.107.143:43211 length 1067
2026-04-21T12:18:15.161467861Z (160568) EAP-Message = 0x01fc03e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:15.161469951Z (160568) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.161472011Z (160568) State = 0xedddef24ef21fa7ce6ededd1ec52e695
2026-04-21T12:18:15.161474141Z (160568) Proxy-State = 0x32
2026-04-21T12:18:15.161482681Z (160568) Finished request
2026-04-21T12:18:15.161484851Z Thread 563 exiting...
2026-04-21T12:18:15.183692424Z (160502) Cleaning up request packet ID 160 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.185443514Z (160503) Cleaning up request packet ID 12 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.186398480Z (160504) Cleaning up request packet ID 87 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.189802419Z (160505) Cleaning up request packet ID 62 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.261446965Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=33, length=159
2026-04-21T12:18:15.261476286Z Deleting thread 563
2026-04-21T12:18:15.261481526Z Threads: total/active/spare threads = 18/3/15
2026-04-21T12:18:15.261493416Z Thread 581 got semaphore
2026-04-21T12:18:15.261498026Z Thread 581 handling request 160569, (36 handled so far)
2026-04-21T12:18:15.261573857Z (160569) Received Access-Request Id 33 from 3.122.233.175:59659 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.261588317Z (160569) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.261593148Z (160569) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.261598328Z (160569) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.261602898Z (160569) Framed-MTU = 1400
2026-04-21T12:18:15.261607248Z (160569) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.261611308Z (160569) Service-Type = Framed-User
2026-04-21T12:18:15.261615678Z (160569) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.261619968Z (160569) EAP-Message = 0x02aa00061500
2026-04-21T12:18:15.261623458Z (160569) State = 0x6f6ec6d06dc4d339cf75c4b4c5430e32
2026-04-21T12:18:15.261626758Z (160569) Message-Authenticator = 0x0c6fc107837c4127a87a48810f828e8d
2026-04-21T12:18:15.261629858Z (160569) Proxy-State = 0x33
2026-04-21T12:18:15.261634168Z (160569) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.261638578Z (160569) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.261643318Z (160569) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.261648178Z (160569) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.261665059Z (160569) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.261673909Z (160569) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.261677949Z (160569) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.261682289Z (160569) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.261687469Z (160569) authorize {
2026-04-21T12:18:15.261691769Z (160569) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.261695889Z (160569) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.261699839Z (160569) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.261704219Z (160569) update request {
2026-04-21T12:18:15.261709099Z (160569) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.261711859Z (160569) } # update request = noop
2026-04-21T12:18:15.261714580Z (160569) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.261717310Z (160569) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.261719930Z (160569) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.261723070Z (160569) --> 1343-0-5768143212362
2026-04-21T12:18:15.261727350Z (160569) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.261732060Z (160569) else {
2026-04-21T12:18:15.261736570Z (160569) update request {
2026-04-21T12:18:15.261740760Z (160569) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.261745210Z (160569) --> 1343-0-5768143212362
2026-04-21T12:18:15.261749230Z (160569) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.261753930Z (160569) Request-Origin := "freeradius"
2026-04-21T12:18:15.261785671Z (160569) } # update request = noop
2026-04-21T12:18:15.261794231Z (160569) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.261797791Z (160569) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.261801161Z (160569) --> 1343-0-5768143212362
2026-04-21T12:18:15.261809441Z (160569) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.261818171Z (160569) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.261821512Z (160569) update request {
2026-04-21T12:18:15.261824581Z (160569) EXPAND %{1}-%{2}
2026-04-21T12:18:15.261828312Z (160569) --> 1343-0
2026-04-21T12:18:15.261831522Z (160569) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.261834592Z (160569) } # update request = noop
2026-04-21T12:18:15.261837742Z (160569) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.261840622Z (160569) if (&EAP-Message) {
2026-04-21T12:18:15.261843682Z (160569) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.261846782Z (160569) if (&EAP-Message) {
2026-04-21T12:18:15.261849692Z (160569) update control {
2026-04-21T12:18:15.261852762Z (160569) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.261856062Z (160569) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.261859312Z (160569) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.261862412Z (160569) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.261865592Z (160569) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.261869042Z (160569) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.261872122Z (160569) } # update control = noop
2026-04-21T12:18:15.261875382Z (160569) eap: Peer sent EAP Response (code 2) ID 170 length 6
2026-04-21T12:18:15.261883242Z (160569) eap: Continuing tunnel setup
2026-04-21T12:18:15.261886582Z (160569) [eap] = ok
2026-04-21T12:18:15.261889773Z (160569) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.261893293Z (160569) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.261896713Z (160569) } # else = ok
2026-04-21T12:18:15.261900183Z (160569) } # authorize = ok
2026-04-21T12:18:15.261903813Z (160569) Found Auth-Type = EAP
2026-04-21T12:18:15.261907623Z (160569) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.261910713Z (160569) Auth-Type EAP {
2026-04-21T12:18:15.261959564Z (160569) eap: Removing EAP session with state 0x6f6ec6d06dc4d339
2026-04-21T12:18:15.261964834Z (160569) eap: Previous EAP request found for state 0x6f6ec6d06dc4d339, released from the list
2026-04-21T12:18:15.261968214Z (160569) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.261971624Z (160569) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.261974774Z (160569) eap_ttls: Authenticate
2026-04-21T12:18:15.261978084Z (160569) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.261981364Z (160569) eap: Sending EAP Request (code 1) ID 171 length 699
2026-04-21T12:18:15.261984954Z (160569) eap: EAP session adding &reply:State = 0x6f6ec6d06cc5d339
2026-04-21T12:18:15.261988444Z (160569) [eap] = handled
2026-04-21T12:18:15.261991534Z (160569) } # Auth-Type EAP = handled
2026-04-21T12:18:15.261993564Z (160569) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.261995664Z (160569) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.261997735Z (160569) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.262002064Z (160569) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.262004144Z (160569) Framed-MTU = 994
2026-04-21T12:18:15.262006255Z (160569) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.262011745Z (160569) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.262013895Z (160569) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.262015995Z (160569) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.262018045Z (160569) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.262020095Z (160569) Sent Access-Challenge Id 33 from 0.0.0.0:2083 to 3.122.233.175:59659 length 764
2026-04-21T12:18:15.262024985Z (160569) EAP-Message = 0x01ab02bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:15.262028685Z (160569) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.262032295Z (160569) State = 0x6f6ec6d06cc5d339cf75c4b4c5430e32
2026-04-21T12:18:15.262035825Z (160569) Proxy-State = 0x33
2026-04-21T12:18:15.262038935Z (160569) Finished request
2026-04-21T12:18:15.262042285Z Thread 581 waiting to be assigned a request
2026-04-21T12:18:15.262101246Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=252, length=159
2026-04-21T12:18:15.262106366Z Thread 571 got semaphore
2026-04-21T12:18:15.262109526Z Thread 571 handling request 160570, (83 handled so far)
2026-04-21T12:18:15.262116926Z (160570) Received Access-Request Id 252 from 63.177.85.182:46491 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.262120217Z (160570) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.262123267Z (160570) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.262126377Z (160570) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.262132587Z (160570) Framed-MTU = 1400
2026-04-21T12:18:15.262135647Z (160570) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.262138527Z (160570) Service-Type = Framed-User
2026-04-21T12:18:15.262141647Z (160570) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.262144727Z (160570) EAP-Message = 0x021b00061500
2026-04-21T12:18:15.262147747Z (160570) State = 0x2a206724283b72e86e37653a6478cb5c
2026-04-21T12:18:15.262153857Z (160570) Message-Authenticator = 0xf18480ef754b405184cd55aa1c226c05
2026-04-21T12:18:15.262157067Z (160570) Proxy-State = 0x33
2026-04-21T12:18:15.262160457Z (160570) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.262163427Z (160570) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.262166557Z (160570) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.262169738Z (160570) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.262172758Z (160570) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.262178958Z (160570) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.262186428Z (160570) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.262189568Z (160570) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.262192738Z (160570) authorize {
2026-04-21T12:18:15.262195858Z (160570) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.262199088Z (160570) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.262202358Z (160570) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.262205568Z (160570) update request {
2026-04-21T12:18:15.262212298Z (160570) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.262215438Z (160570) } # update request = noop
2026-04-21T12:18:15.262218518Z (160570) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.262221608Z (160570) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.262224798Z (160570) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.262227959Z (160570) --> 1343-0-5768143212145
2026-04-21T12:18:15.262231328Z (160570) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.262234688Z (160570) else {
2026-04-21T12:18:15.262238049Z (160570) update request {
2026-04-21T12:18:15.262241209Z (160570) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.262244329Z (160570) --> 1343-0-5768143212145
2026-04-21T12:18:15.262247449Z (160570) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.262253769Z (160570) Request-Origin := "freeradius"
2026-04-21T12:18:15.262256949Z (160570) } # update request = noop
2026-04-21T12:18:15.262260069Z (160570) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.262263199Z (160570) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.262266459Z (160570) --> 1343-0-5768143212145
2026-04-21T12:18:15.262269649Z (160570) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.262272939Z (160570) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.262276159Z (160570) update request {
2026-04-21T12:18:15.262279329Z (160570) EXPAND %{1}-%{2}
2026-04-21T12:18:15.262282469Z (160570) --> 1343-0
2026-04-21T12:18:15.262285620Z (160570) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.262288700Z (160570) } # update request = noop
2026-04-21T12:18:15.262291980Z (160570) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.262295200Z (160570) if (&EAP-Message) {
2026-04-21T12:18:15.262298380Z (160570) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.262301620Z (160570) if (&EAP-Message) {
2026-04-21T12:18:15.262307960Z (160570) update control {
2026-04-21T12:18:15.262311200Z (160570) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.262314490Z (160570) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.262317770Z (160570) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.262320930Z (160570) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.262324130Z (160570) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.262327210Z (160570) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.262333770Z (160570) } # update control = noop
2026-04-21T12:18:15.262337000Z (160570) eap: Peer sent EAP Response (code 2) ID 27 length 6
2026-04-21T12:18:15.262340150Z (160570) eap: Continuing tunnel setup
2026-04-21T12:18:15.262343321Z (160570) [eap] = ok
2026-04-21T12:18:15.262346721Z (160570) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.262349621Z (160570) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.262352871Z (160570) } # else = ok
2026-04-21T12:18:15.262355981Z (160570) } # authorize = ok
2026-04-21T12:18:15.262359171Z (160570) Found Auth-Type = EAP
2026-04-21T12:18:15.262362371Z (160570) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.262365491Z (160570) Auth-Type EAP {
2026-04-21T12:18:15.262368531Z (160570) eap: Removing EAP session with state 0x2a206724283b72e8
2026-04-21T12:18:15.262371501Z (160570) eap: Previous EAP request found for state 0x2a206724283b72e8, released from the list
2026-04-21T12:18:15.262378621Z (160570) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.262381891Z (160570) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.262385011Z (160570) eap_ttls: Authenticate
2026-04-21T12:18:15.262388471Z (160570) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.262391541Z (160570) eap: Sending EAP Request (code 1) ID 28 length 699
2026-04-21T12:18:15.262394451Z (160570) eap: EAP session adding &reply:State = 0x2a206724293c72e8
2026-04-21T12:18:15.262397601Z (160570) [eap] = handled
2026-04-21T12:18:15.262400571Z (160570) } # Auth-Type EAP = handled
2026-04-21T12:18:15.262403842Z (160570) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.262407102Z (160570) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.262410762Z (160570) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.262414202Z (160570) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.262417692Z (160570) Framed-MTU = 994
2026-04-21T12:18:15.262421142Z (160570) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.262424682Z (160570) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.262427902Z (160570) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.262431322Z (160570) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.262434832Z (160570) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.262442772Z (160570) Sent Access-Challenge Id 252 from 0.0.0.0:2083 to 63.177.85.182:46491 length 764
2026-04-21T12:18:15.262446332Z (160570) EAP-Message = 0x011c02bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:15.262449732Z (160570) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.262456852Z (160570) State = 0x2a206724293c72e86e37653a6478cb5c
2026-04-21T12:18:15.262460123Z (160570) Proxy-State = 0x33
2026-04-21T12:18:15.262467323Z (160570) Finished request
2026-04-21T12:18:15.262473333Z Thread 571 waiting to be assigned a request
2026-04-21T12:18:15.263206735Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=29, length=159
2026-04-21T12:18:15.263291667Z Thread 574 got semaphore
2026-04-21T12:18:15.263298077Z Thread 574 handling request 160571, (30 handled so far)
2026-04-21T12:18:15.263302057Z (160571) Received Access-Request Id 29 from 35.156.107.143:43211 to 0.0.0.0:2083 length 159
2026-04-21T12:18:15.263306067Z (160571) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.263309477Z (160571) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.263312727Z (160571) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.263316207Z (160571) Framed-MTU = 1400
2026-04-21T12:18:15.263319377Z (160571) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.263322307Z (160571) Service-Type = Framed-User
2026-04-21T12:18:15.263325857Z (160571) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.263329007Z (160571) EAP-Message = 0x02fc00061500
2026-04-21T12:18:15.263332027Z (160571) State = 0xedddef24ef21fa7ce6ededd1ec52e695
2026-04-21T12:18:15.263335818Z (160571) Message-Authenticator = 0x31eeb87195ee1fd49bf2ccb14529104b
2026-04-21T12:18:15.263339127Z (160571) Proxy-State = 0x33
2026-04-21T12:18:15.263342278Z (160571) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.263345458Z (160571) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.263348918Z (160571) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.263352558Z (160571) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.263355578Z (160571) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.263362268Z (160571) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.263365458Z (160571) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.263368568Z (160571) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.263371838Z (160571) authorize {
2026-04-21T12:18:15.263375268Z (160571) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.263378498Z (160571) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.263381598Z (160571) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.263384898Z (160571) update request {
2026-04-21T12:18:15.263388048Z (160571) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.263391119Z (160571) } # update request = noop
2026-04-21T12:18:15.263394239Z (160571) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.263397549Z (160571) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.263400589Z (160571) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.263403869Z (160571) --> 1343-0-5768143212022
2026-04-21T12:18:15.263407379Z (160571) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.263410699Z (160571) else {
2026-04-21T12:18:15.263413849Z (160571) update request {
2026-04-21T12:18:15.263417009Z (160571) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.263425029Z (160571) --> 1343-0-5768143212022
2026-04-21T12:18:15.263428229Z (160571) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.263431629Z (160571) Request-Origin := "freeradius"
2026-04-21T12:18:15.263434889Z (160571) } # update request = noop
2026-04-21T12:18:15.263438159Z (160571) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.263441409Z (160571) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.263444680Z (160571) --> 1343-0-5768143212022
2026-04-21T12:18:15.263447760Z (160571) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.263468800Z (160571) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.263472400Z (160571) update request {
2026-04-21T12:18:15.263475570Z (160571) EXPAND %{1}-%{2}
2026-04-21T12:18:15.263478620Z (160571) --> 1343-0
2026-04-21T12:18:15.263481840Z (160571) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.263485120Z (160571) } # update request = noop
2026-04-21T12:18:15.263488320Z (160571) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.263491590Z (160571) if (&EAP-Message) {
2026-04-21T12:18:15.263494930Z (160571) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.263497980Z (160571) if (&EAP-Message) {
2026-04-21T12:18:15.263501030Z (160571) update control {
2026-04-21T12:18:15.263504461Z (160571) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.263510841Z (160571) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.263514071Z (160571) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.263517281Z (160571) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.263520581Z (160571) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.263525831Z (160571) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.263528991Z (160571) } # update control = noop
2026-04-21T12:18:15.263532151Z (160571) eap: Peer sent EAP Response (code 2) ID 252 length 6
2026-04-21T12:18:15.263535421Z (160571) eap: Continuing tunnel setup
2026-04-21T12:18:15.263538671Z (160571) [eap] = ok
2026-04-21T12:18:15.263541961Z (160571) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.263545271Z (160571) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.263548721Z (160571) } # else = ok
2026-04-21T12:18:15.263552101Z (160571) } # authorize = ok
2026-04-21T12:18:15.263555551Z (160571) Found Auth-Type = EAP
2026-04-21T12:18:15.263558691Z (160571) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.263561791Z (160571) Auth-Type EAP {
2026-04-21T12:18:15.263565002Z (160571) eap: Removing EAP session with state 0xedddef24ef21fa7c
2026-04-21T12:18:15.263568382Z (160571) eap: Previous EAP request found for state 0xedddef24ef21fa7c, released from the list
2026-04-21T12:18:15.263571892Z (160571) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.263575242Z (160571) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.263577942Z (160571) eap_ttls: Authenticate
2026-04-21T12:18:15.263591892Z (160571) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:15.263595852Z (160571) eap: Sending EAP Request (code 1) ID 253 length 699
2026-04-21T12:18:15.263602882Z (160571) eap: EAP session adding &reply:State = 0xedddef24ee20fa7c
2026-04-21T12:18:15.263606492Z (160571) [eap] = handled
2026-04-21T12:18:15.263609722Z (160571) } # Auth-Type EAP = handled
2026-04-21T12:18:15.263612532Z (160571) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.263615192Z (160571) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.263617952Z (160571) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.263621083Z (160571) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.263624392Z (160571) Framed-MTU = 994
2026-04-21T12:18:15.263627823Z (160571) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.263638453Z (160571) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.263641773Z (160571) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.263645093Z (160571) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.263648413Z (160571) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.263651523Z (160571) Sent Access-Challenge Id 29 from 0.0.0.0:2083 to 35.156.107.143:43211 length 764
2026-04-21T12:18:15.263655513Z (160571) EAP-Message = 0x01fd02bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:15.263659023Z (160571) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.263662513Z (160571) State = 0xedddef24ee20fa7ce6ededd1ec52e695
2026-04-21T12:18:15.263666023Z (160571) Proxy-State = 0x33
2026-04-21T12:18:15.263676293Z (160571) Finished request
2026-04-21T12:18:15.263680084Z Thread 574 waiting to be assigned a request
2026-04-21T12:18:15.279548428Z (160557) rest: Processing response header
2026-04-21T12:18:15.279561208Z (160557) rest: Status : 200 (OK)
2026-04-21T12:18:15.279564988Z (160557) rest: Type : json (application/json)
2026-04-21T12:18:15.279573819Z (160557) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.279601659Z (160557) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.279605799Z (160557) rest: EXPAND 3600
2026-04-21T12:18:15.279609029Z (160557) rest: --> 3600
2026-04-21T12:18:15.279612179Z (160557) rest: Session-Timeout = 3600
2026-04-21T12:18:15.279615440Z (160557) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.279619149Z (160557) rest: EXPAND 1
2026-04-21T12:18:15.279622769Z (160557) rest: --> 1
2026-04-21T12:18:15.279635990Z (160557) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.279669870Z rlm_rest (rest): Released connection (152)
2026-04-21T12:18:15.279678161Z (160557) [rest] = updated
2026-04-21T12:18:15.279682081Z (160557) if (updated) {
2026-04-21T12:18:15.279685811Z (160557) if (updated) -> TRUE
2026-04-21T12:18:15.279689781Z (160557) if (updated) {
2026-04-21T12:18:15.279699961Z (160557) [ok] = ok
2026-04-21T12:18:15.279704031Z (160557) } # if (updated) = ok
2026-04-21T12:18:15.279716331Z (160557) } # Auth-Type REST = ok
2026-04-21T12:18:15.279721121Z (160557) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-40-2C-8C-47-E1 via TLS tunnel)
2026-04-21T12:18:15.279725021Z (160557) } # server my-inner-tunnel
2026-04-21T12:18:15.279728871Z (160557) Virtual server sending reply
2026-04-21T12:18:15.279732831Z (160557) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.279736782Z (160557) Session-Timeout = 3600
2026-04-21T12:18:15.279740771Z (160557) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.279744612Z (160557) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.279791992Z (160557) eap: Sending EAP Success (code 3) ID 25 length 4
2026-04-21T12:18:15.279797543Z (160557) eap: Freeing handler
2026-04-21T12:18:15.279896154Z (160557) [eap] = ok
2026-04-21T12:18:15.279903385Z (160557) } # Auth-Type EAP = ok
2026-04-21T12:18:15.279907785Z (160557) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.279916995Z (160557) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-40-2C-8C-47-E1)
2026-04-21T12:18:15.279921155Z (160557) Sent Access-Accept Id 91 from 0.0.0.0:2083 to 18.193.75.88:33781 length 200
2026-04-21T12:18:15.279925465Z (160557) Session-Timeout = 3600
2026-04-21T12:18:15.279929585Z (160557) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.279934405Z (160557) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.279939045Z (160557) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.279943385Z (160557) EAP-Message = 0x03190004
2026-04-21T12:18:15.279947765Z (160557) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.279951815Z (160557) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.279968415Z (160557) Proxy-State = 0x35
2026-04-21T12:18:15.280034467Z (160557) Finished request
2026-04-21T12:18:15.280038747Z Thread 568 waiting to be assigned a request
2026-04-21T12:18:15.286978167Z (160559) rest: Processing response header
2026-04-21T12:18:15.286992307Z (160559) rest: Status : 200 (OK)
2026-04-21T12:18:15.286997107Z (160559) rest: Type : json (application/json)
2026-04-21T12:18:15.287001077Z (160559) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.287009817Z (160559) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.287014057Z (160559) rest: EXPAND 3600
2026-04-21T12:18:15.287018067Z (160559) rest: --> 3600
2026-04-21T12:18:15.287022237Z (160559) rest: Session-Timeout = 3600
2026-04-21T12:18:15.287026677Z (160559) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.287031288Z (160559) rest: EXPAND 1
2026-04-21T12:18:15.287035797Z (160559) rest: --> 1
2026-04-21T12:18:15.287039588Z (160559) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.287043618Z (160506) Cleaning up request packet ID 178 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.287047918Z rlm_rest (rest): Released connection (167)
2026-04-21T12:18:15.287051988Z (160559) [rest] = updated
2026-04-21T12:18:15.287055978Z (160559) if (updated) {
2026-04-21T12:18:15.287059938Z (160559) if (updated) -> TRUE
2026-04-21T12:18:15.287063928Z (160559) if (updated) {
2026-04-21T12:18:15.287068188Z (160559) [ok] = ok
2026-04-21T12:18:15.287073908Z (160559) } # if (updated) = ok
2026-04-21T12:18:15.287081938Z (160559) } # Auth-Type REST = ok
2026-04-21T12:18:15.287087708Z (160559) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-B0-86-1C-79-19 via TLS tunnel)
2026-04-21T12:18:15.287097638Z (160559) } # server my-inner-tunnel
2026-04-21T12:18:15.287101759Z (160559) Virtual server sending reply
2026-04-21T12:18:15.287105709Z (160559) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.287109989Z (160559) Session-Timeout = 3600
2026-04-21T12:18:15.287114309Z (160559) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.287118699Z (160559) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.287160210Z (160559) eap: Sending EAP Success (code 3) ID 237 length 4
2026-04-21T12:18:15.287166240Z (160559) eap: Freeing handler
2026-04-21T12:18:15.287206300Z (160559) [eap] = ok
2026-04-21T12:18:15.287211091Z (160559) } # Auth-Type EAP = ok
2026-04-21T12:18:15.287215511Z (160559) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.287219961Z (160559) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-B0-86-1C-79-19)
2026-04-21T12:18:15.287224341Z (160559) Sent Access-Accept Id 110 from 0.0.0.0:2083 to 63.178.198.32:54907 length 200
2026-04-21T12:18:15.287233091Z (160559) Session-Timeout = 3600
2026-04-21T12:18:15.287237611Z (160559) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.287241701Z (160559) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.287245451Z (160559) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.287249911Z (160559) EAP-Message = 0x03ed0004
2026-04-21T12:18:15.287261711Z (160559) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.287269592Z (160559) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.287273552Z (160559) Proxy-State = 0x35
2026-04-21T12:18:15.287279642Z (160507) Cleaning up request packet ID 114 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.287283812Z (160559) Finished request
2026-04-21T12:18:15.287287852Z Thread 567 waiting to be assigned a request
2026-04-21T12:18:15.287476645Z (160508) Cleaning up request packet ID 74 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.291887531Z (160558) rest: Processing response header
2026-04-21T12:18:15.291898371Z (160558) rest: Status : 200 (OK)
2026-04-21T12:18:15.291902531Z (160558) rest: Type : json (application/json)
2026-04-21T12:18:15.291906541Z (160558) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.291951602Z (160558) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.291956452Z (160558) rest: EXPAND 3600
2026-04-21T12:18:15.291960292Z (160558) rest: --> 3600
2026-04-21T12:18:15.291964642Z (160558) rest: Session-Timeout = 3600
2026-04-21T12:18:15.291969013Z (160558) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.291973302Z (160558) rest: EXPAND 1
2026-04-21T12:18:15.291978053Z (160558) rest: --> 1
2026-04-21T12:18:15.291981733Z (160558) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.291985893Z rlm_rest (rest): Released connection (153)
2026-04-21T12:18:15.291989743Z (160558) [rest] = updated
2026-04-21T12:18:15.291993953Z (160558) if (updated) {
2026-04-21T12:18:15.291997833Z (160558) if (updated) -> TRUE
2026-04-21T12:18:15.292001963Z (160558) if (updated) {
2026-04-21T12:18:15.292016643Z (160558) [ok] = ok
2026-04-21T12:18:15.292021143Z (160558) } # if (updated) = ok
2026-04-21T12:18:15.292025563Z (160558) } # Auth-Type REST = ok
2026-04-21T12:18:15.292029183Z (160558) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-B9-26-6B-2B-A8 via TLS tunnel)
2026-04-21T12:18:15.292042704Z (160558) } # server my-inner-tunnel
2026-04-21T12:18:15.292047194Z (160558) Virtual server sending reply
2026-04-21T12:18:15.292051464Z (160558) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.292055734Z (160558) Session-Timeout = 3600
2026-04-21T12:18:15.292060184Z (160558) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.292064134Z (160558) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.292074584Z (160558) eap: Sending EAP Success (code 3) ID 54 length 4
2026-04-21T12:18:15.292078754Z (160558) eap: Freeing handler
2026-04-21T12:18:15.292156396Z (160558) [eap] = ok
2026-04-21T12:18:15.292162396Z (160558) } # Auth-Type EAP = ok
2026-04-21T12:18:15.292166826Z (160558) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.292171046Z (160558) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-B9-26-6B-2B-A8)
2026-04-21T12:18:15.292183406Z (160558) Sent Access-Accept Id 183 from 0.0.0.0:2083 to 63.178.227.84:37423 length 200
2026-04-21T12:18:15.292191816Z (160558) Session-Timeout = 3600
2026-04-21T12:18:15.292196426Z (160558) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.292201377Z (160558) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.292205846Z (160558) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.292210447Z (160558) EAP-Message = 0x03360004
2026-04-21T12:18:15.292219827Z (160558) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.292224357Z (160558) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.292263147Z (160558) Proxy-State = 0x35
2026-04-21T12:18:15.292276348Z (160558) Finished request
2026-04-21T12:18:15.292279468Z Thread 576 waiting to be assigned a request
2026-04-21T12:18:15.292763306Z (160509) Cleaning up request packet ID 183 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.366569529Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=8, length=252
2026-04-21T12:18:15.366596610Z Thread 569 got semaphore
2026-04-21T12:18:15.366606070Z Thread 569 handling request 160572, (81 handled so far)
2026-04-21T12:18:15.366643701Z (160572) Received Access-Request Id 8 from 3.122.233.175:59659 to 0.0.0.0:2083 length 252
2026-04-21T12:18:15.366648611Z (160572) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.366651821Z (160572) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.366655761Z (160572) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.366659461Z (160572) Framed-MTU = 1400
2026-04-21T12:18:15.366662551Z (160572) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.366666151Z (160572) Service-Type = Framed-User
2026-04-21T12:18:15.366669431Z (160572) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.366673621Z (160572) EAP-Message = 0x02ab00631500160303002510000021201d5de51f76dceaa26e53b0abd9b380ab33a0d8191396108967733bba487017741403030001011603030028dc5be32455b3ee011f14399e013d1064fbe49b856d20f46ce50e33ef093aadba9347c9d53f808095
2026-04-21T12:18:15.366676971Z (160572) State = 0x6f6ec6d06cc5d339cf75c4b4c5430e32
2026-04-21T12:18:15.366680822Z (160572) Message-Authenticator = 0xd17cc51fcadcdde30e9c809c20e3402c
2026-04-21T12:18:15.366684062Z (160572) Proxy-State = 0x34
2026-04-21T12:18:15.366704832Z (160572) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.366708992Z (160572) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.366713492Z (160572) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.366716912Z (160572) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.366749313Z (160572) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.366753183Z (160572) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.366756683Z (160572) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.366760233Z (160572) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.366763993Z (160572) authorize {
2026-04-21T12:18:15.366767073Z (160572) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.366770483Z (160572) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.366773933Z (160572) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.366777243Z (160572) update request {
2026-04-21T12:18:15.366780263Z (160572) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.366783333Z (160572) } # update request = noop
2026-04-21T12:18:15.366786943Z (160572) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.366790183Z (160572) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.366796753Z (160572) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.366800193Z (160572) --> 1343-0-5768143212362
2026-04-21T12:18:15.366820404Z (160572) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.366823964Z (160572) else {
2026-04-21T12:18:15.366827324Z (160572) update request {
2026-04-21T12:18:15.366830524Z (160572) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.366833724Z (160572) --> 1343-0-5768143212362
2026-04-21T12:18:15.366836954Z (160572) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.366839864Z (160572) Request-Origin := "freeradius"
2026-04-21T12:18:15.366842934Z (160572) } # update request = noop
2026-04-21T12:18:15.366846004Z (160572) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.366862555Z (160572) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.366865945Z (160572) --> 1343-0-5768143212362
2026-04-21T12:18:15.366869195Z (160572) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.366872335Z (160572) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.366875765Z (160572) update request {
2026-04-21T12:18:15.366878985Z (160572) EXPAND %{1}-%{2}
2026-04-21T12:18:15.366882305Z (160572) --> 1343-0
2026-04-21T12:18:15.366885355Z (160572) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.366913206Z (160572) } # update request = noop
2026-04-21T12:18:15.366916846Z (160572) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.366920366Z (160572) if (&EAP-Message) {
2026-04-21T12:18:15.366923516Z (160572) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.366925566Z (160572) if (&EAP-Message) {
2026-04-21T12:18:15.366927596Z (160572) update control {
2026-04-21T12:18:15.366929666Z (160572) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.366939046Z (160572) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.366941316Z (160572) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.366946766Z (160572) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.366948966Z (160572) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.366951026Z (160572) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.366953166Z (160572) } # update control = noop
2026-04-21T12:18:15.366955326Z (160572) eap: Peer sent EAP Response (code 2) ID 171 length 99
2026-04-21T12:18:15.366957336Z (160572) eap: Continuing tunnel setup
2026-04-21T12:18:15.366959396Z (160572) [eap] = ok
2026-04-21T12:18:15.366961516Z (160572) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.366963566Z (160572) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.366965676Z (160572) } # else = ok
2026-04-21T12:18:15.366967776Z (160572) } # authorize = ok
2026-04-21T12:18:15.366969807Z (160572) Found Auth-Type = EAP
2026-04-21T12:18:15.366983617Z (160572) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.366987507Z (160572) Auth-Type EAP {
2026-04-21T12:18:15.366990717Z (160572) eap: Removing EAP session with state 0x6f6ec6d06cc5d339
2026-04-21T12:18:15.366994357Z (160572) eap: Previous EAP request found for state 0x6f6ec6d06cc5d339, released from the list
2026-04-21T12:18:15.367007117Z (160572) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.367013107Z (160572) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.367016567Z (160572) eap_ttls: Authenticate
2026-04-21T12:18:15.367019807Z (160572) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.367022847Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.367026048Z (160572) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:15.367036658Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:15.367043408Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:15.367046778Z (160572) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.367050288Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:15.367056388Z (160572) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:15.367094879Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:15.367364763Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=127, length=252
2026-04-21T12:18:15.367370583Z Thread 575 got semaphore
2026-04-21T12:18:15.367373734Z Thread 575 handling request 160573, (31 handled so far)
2026-04-21T12:18:15.367422564Z (160573) Received Access-Request Id 127 from 63.177.85.182:46491 to 0.0.0.0:2083 length 252
2026-04-21T12:18:15.367426944Z (160573) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.367429974Z (160573) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.367433304Z (160573) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.367437124Z (160573) Framed-MTU = 1400
2026-04-21T12:18:15.367440555Z (160573) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.367443795Z (160573) Service-Type = Framed-User
2026-04-21T12:18:15.367446895Z (160573) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.367450665Z (160573) EAP-Message = 0x021c00631500160303002510000021208ba593d8dabe232c665c40a33fd51098ae96e991fff4abb44a29b07a02331371140303000101160303002880c5e7cc57487d8ad168ee767fbdfb5758f2fc2cacc853977dcee3b6b01341838b335bae2c49a9d7
2026-04-21T12:18:15.367458235Z (160573) State = 0x2a206724293c72e86e37653a6478cb5c
2026-04-21T12:18:15.367461465Z (160573) Message-Authenticator = 0xc3633bd437ec84ca82b450f90bf09cd8
2026-04-21T12:18:15.367464575Z (160573) Proxy-State = 0x34
2026-04-21T12:18:15.367469755Z (160573) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.367473225Z (160573) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.367476495Z (160573) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.367479715Z (160573) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.367482735Z (160573) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.367486015Z (160573) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.367489325Z (160573) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.367492596Z (160573) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.367495916Z (160573) authorize {
2026-04-21T12:18:15.367498985Z (160573) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.367506146Z (160573) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.367509146Z (160573) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.367512226Z (160573) update request {
2026-04-21T12:18:15.367515236Z (160573) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.367518336Z (160573) } # update request = noop
2026-04-21T12:18:15.367521456Z (160573) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.367524776Z (160573) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.367528106Z (160573) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.367531276Z (160573) --> 1343-0-5768143212145
2026-04-21T12:18:15.367537726Z (160573) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.367540926Z (160573) else {
2026-04-21T12:18:15.367544326Z (160573) update request {
2026-04-21T12:18:15.367547577Z (160573) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.367550697Z (160573) --> 1343-0-5768143212145
2026-04-21T12:18:15.367553817Z (160573) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.367556757Z (160573) Request-Origin := "freeradius"
2026-04-21T12:18:15.367559917Z (160573) } # update request = noop
2026-04-21T12:18:15.367563277Z (160573) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.367566857Z (160573) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.367570407Z (160573) --> 1343-0-5768143212145
2026-04-21T12:18:15.367573887Z (160573) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.367576587Z (160573) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.367579907Z (160573) update request {
2026-04-21T12:18:15.367583727Z (160573) EXPAND %{1}-%{2}
2026-04-21T12:18:15.367586937Z (160573) --> 1343-0
2026-04-21T12:18:15.367590527Z (160573) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.367593757Z (160573) } # update request = noop
2026-04-21T12:18:15.367597027Z (160573) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.367603677Z (160573) if (&EAP-Message) {
2026-04-21T12:18:15.367606878Z (160573) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.367610218Z (160573) if (&EAP-Message) {
2026-04-21T12:18:15.367613838Z (160573) update control {
2026-04-21T12:18:15.367625358Z (160573) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.367628988Z (160573) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.367632468Z (160573) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.367635898Z (160573) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.367639328Z (160573) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.367642588Z (160573) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.367645658Z (160573) } # update control = noop
2026-04-21T12:18:15.367649008Z (160573) eap: Peer sent EAP Response (code 2) ID 28 length 99
2026-04-21T12:18:15.367652368Z (160573) eap: Continuing tunnel setup
2026-04-21T12:18:15.367663368Z (160573) [eap] = ok
2026-04-21T12:18:15.367666899Z (160573) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.367670348Z (160573) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.367673848Z (160573) } # else = ok
2026-04-21T12:18:15.367676969Z (160573) } # authorize = ok
2026-04-21T12:18:15.367680429Z (160573) Found Auth-Type = EAP
2026-04-21T12:18:15.367683929Z (160573) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.367686299Z (160573) Auth-Type EAP {
2026-04-21T12:18:15.367688439Z (160573) eap: Removing EAP session with state 0x2a206724293c72e8
2026-04-21T12:18:15.367691409Z (160573) eap: Previous EAP request found for state 0x2a206724293c72e8, released from the list
2026-04-21T12:18:15.367694949Z (160573) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.367698169Z (160573) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.367701679Z (160573) eap_ttls: Authenticate
2026-04-21T12:18:15.367704959Z (160573) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.367708349Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.367711669Z (160573) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:15.367728269Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:15.367732429Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:15.367735740Z (160573) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.367739200Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:15.367749600Z (160573) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:15.367756830Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:15.368611415Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=87, length=252
2026-04-21T12:18:15.368617945Z Thread 579 got semaphore
2026-04-21T12:18:15.368621385Z Thread 579 handling request 160574, (30 handled so far)
2026-04-21T12:18:15.368624755Z (160574) Received Access-Request Id 87 from 35.156.107.143:43211 to 0.0.0.0:2083 length 252
2026-04-21T12:18:15.368628155Z (160574) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.368635665Z (160574) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.368638825Z (160574) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.368642375Z (160574) Framed-MTU = 1400
2026-04-21T12:18:15.368656576Z (160574) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.368660045Z (160574) Service-Type = Framed-User
2026-04-21T12:18:15.368663276Z (160574) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.368667396Z (160574) EAP-Message = 0x02fd006315001603030025100000212039536b19e5e97917e53944b3a141f67e4d7d07ba153ce11f078072b683d9931614030300010116030300287d82023e43c8a8d2f0cd9cf29cea1727fcaefbce84b902338ff2338f50c9a61ed3632d82a438be6a
2026-04-21T12:18:15.368670846Z (160574) State = 0xedddef24ee20fa7ce6ededd1ec52e695
2026-04-21T12:18:15.368674366Z (160574) Message-Authenticator = 0x0baebfab856d94dc1761a38d91fd4d97
2026-04-21T12:18:15.368677526Z (160574) Proxy-State = 0x34
2026-04-21T12:18:15.368680606Z (160574) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.368684036Z (160574) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.368687926Z (160574) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.368691666Z (160574) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.368696926Z (160574) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.368700446Z (160574) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.368703726Z (160574) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.368706806Z (160574) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.368710097Z (160574) authorize {
2026-04-21T12:18:15.368713237Z (160574) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.368726657Z (160574) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.368729927Z (160574) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.368733167Z (160574) update request {
2026-04-21T12:18:15.368736327Z (160574) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.368739777Z (160574) } # update request = noop
2026-04-21T12:18:15.368742907Z (160574) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.368746177Z (160574) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.368749337Z (160574) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.368752377Z (160574) --> 1343-0-5768143212022
2026-04-21T12:18:15.368755797Z (160574) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.368759107Z (160574) else {
2026-04-21T12:18:15.368762097Z (160574) update request {
2026-04-21T12:18:15.368771438Z (160574) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.368774767Z (160574) --> 1343-0-5768143212022
2026-04-21T12:18:15.368778358Z (160574) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.368781678Z (160574) Request-Origin := "freeradius"
2026-04-21T12:18:15.368784908Z (160574) } # update request = noop
2026-04-21T12:18:15.368788178Z (160574) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.368791778Z (160574) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.368795228Z (160574) --> 1343-0-5768143212022
2026-04-21T12:18:15.368813608Z (160574) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.368817158Z (160574) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.368820228Z (160574) update request {
2026-04-21T12:18:15.368823328Z (160574) EXPAND %{1}-%{2}
2026-04-21T12:18:15.368826459Z (160574) --> 1343-0
2026-04-21T12:18:15.368829648Z (160574) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.368832579Z (160574) } # update request = noop
2026-04-21T12:18:15.368835969Z (160574) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.368839049Z (160574) if (&EAP-Message) {
2026-04-21T12:18:15.368842339Z (160574) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.368845539Z (160574) if (&EAP-Message) {
2026-04-21T12:18:15.368848919Z (160574) update control {
2026-04-21T12:18:15.368851839Z (160574) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.368854819Z (160574) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.368857789Z (160574) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.368861189Z (160574) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.368864749Z (160574) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.368868459Z (160574) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.368871509Z (160574) } # update control = noop
2026-04-21T12:18:15.368874499Z (160574) eap: Peer sent EAP Response (code 2) ID 253 length 99
2026-04-21T12:18:15.368877379Z (160574) eap: Continuing tunnel setup
2026-04-21T12:18:15.368880309Z (160574) [eap] = ok
2026-04-21T12:18:15.368891160Z (160574) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.368894290Z (160574) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.368897320Z (160574) } # else = ok
2026-04-21T12:18:15.368900520Z (160574) } # authorize = ok
2026-04-21T12:18:15.368903800Z (160574) Found Auth-Type = EAP
2026-04-21T12:18:15.368907030Z (160574) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.368910290Z (160574) Auth-Type EAP {
2026-04-21T12:18:15.368920430Z (160574) eap: Removing EAP session with state 0xedddef24ee20fa7c
2026-04-21T12:18:15.368924260Z (160574) eap: Previous EAP request found for state 0xedddef24ee20fa7c, released from the list
2026-04-21T12:18:15.368927700Z (160574) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.368930980Z (160574) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.368934210Z (160574) eap_ttls: Authenticate
2026-04-21T12:18:15.368937400Z (160574) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.368940741Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:15.368943861Z (160574) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:15.368963071Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:15.368974441Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:15.369032802Z (160574) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.369038992Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:15.369042152Z (160574) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:15.369050192Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:15.375856860Z (160572) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.375869210Z (160572) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:15.375872990Z (160572) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:15.375876360Z (160572) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:15.375879640Z (160572) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.375884460Z (160572) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.375888120Z (160572) eap: Sending EAP Request (code 1) ID 172 length 61
2026-04-21T12:18:15.375891500Z (160572) eap: EAP session adding &reply:State = 0x6f6ec6d06bc2d339
2026-04-21T12:18:15.375895000Z (160572) [eap] = handled
2026-04-21T12:18:15.375898340Z (160572) } # Auth-Type EAP = handled
2026-04-21T12:18:15.375901590Z (160572) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.375905021Z (160572) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.375908670Z (160572) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.375912021Z (160572) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.375915391Z (160572) Framed-MTU = 994
2026-04-21T12:18:15.375918881Z (160572) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.375922341Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.375925531Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.375928611Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.375931561Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.375934731Z (160572) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.375937901Z (160572) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.375941081Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.375944261Z (160572) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.375947691Z (160572) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.375951021Z (160572) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.375988952Z (160572) Sent Access-Challenge Id 8 from 0.0.0.0:2083 to 3.122.233.175:59659 length 122
2026-04-21T12:18:15.375996232Z (160572) EAP-Message = 0x01ac003d158000000033140303000101160303002844462e86dd61de94af5d7690d97ae61d39677e953535d71c7269653008644ce8376ec2cecebef939
2026-04-21T12:18:15.376000842Z (160572) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.376004402Z (160572) State = 0x6f6ec6d06bc2d339cf75c4b4c5430e32
2026-04-21T12:18:15.376008112Z (160572) Proxy-State = 0x34
2026-04-21T12:18:15.376011452Z (160572) Finished request
2026-04-21T12:18:15.376015192Z Thread 569 waiting to be assigned a request
2026-04-21T12:18:15.382511784Z (160573) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.382522045Z (160573) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:15.382525565Z (160573) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:15.382534225Z (160573) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:15.382537775Z (160573) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.382541515Z (160573) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.382544925Z (160573) eap: Sending EAP Request (code 1) ID 29 length 61
2026-04-21T12:18:15.382548555Z (160573) eap: EAP session adding &reply:State = 0x2a2067242e3d72e8
2026-04-21T12:18:15.382552135Z (160573) [eap] = handled
2026-04-21T12:18:15.382555425Z (160573) } # Auth-Type EAP = handled
2026-04-21T12:18:15.382558715Z (160573) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.382561955Z (160573) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.382565176Z (160573) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.382568865Z (160573) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.382572285Z (160573) Framed-MTU = 994
2026-04-21T12:18:15.382575616Z (160573) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.382585206Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.382588606Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.382592046Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.382595626Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.382599116Z (160573) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.382609436Z (160573) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.382612756Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.382615816Z (160573) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.382619206Z (160573) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.382622957Z (160573) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.382626906Z (160573) Sent Access-Challenge Id 127 from 0.0.0.0:2083 to 63.177.85.182:46491 length 122
2026-04-21T12:18:15.382629597Z (160573) EAP-Message = 0x011d003d1580000000331403030001011603030028ffc6af8f157bfdc81b8da40d453d2129cadfa3ac7fc6f377e7308d9421b16686c8e0afce8963bc89
2026-04-21T12:18:15.382631917Z (160573) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.382634027Z (160573) State = 0x2a2067242e3d72e86e37653a6478cb5c
2026-04-21T12:18:15.382637847Z (160573) Proxy-State = 0x34
2026-04-21T12:18:15.382649157Z (160573) Finished request
2026-04-21T12:18:15.382651607Z Thread 575 waiting to be assigned a request
2026-04-21T12:18:15.389071498Z (160574) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:15.389077959Z (160574) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:15.389081369Z (160574) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:15.389084769Z (160574) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:15.389088129Z (160574) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.389091369Z (160574) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.389094799Z (160574) eap: Sending EAP Request (code 1) ID 254 length 61
2026-04-21T12:18:15.389098549Z (160574) eap: EAP session adding &reply:State = 0xedddef24e923fa7c
2026-04-21T12:18:15.389106799Z (160574) [eap] = handled
2026-04-21T12:18:15.389110639Z (160574) } # Auth-Type EAP = handled
2026-04-21T12:18:15.389119289Z (160574) Using Post-Auth-Type Challenge
2026-04-21T12:18:15.389123090Z (160574) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:15.389126319Z (160574) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.389129850Z (160574) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:15.389133400Z (160574) Framed-MTU = 994
2026-04-21T12:18:15.389136560Z (160574) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.389139840Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.389143290Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.389146580Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.389149890Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.389153150Z (160574) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.389156520Z (160574) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.389159880Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.389163150Z (160574) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.389166600Z (160574) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.389169990Z (160574) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.389176620Z (160574) Sent Access-Challenge Id 87 from 0.0.0.0:2083 to 35.156.107.143:43211 length 122
2026-04-21T12:18:15.389180431Z (160574) EAP-Message = 0x01fe003d158000000033140303000101160303002846d2a5f54c23cb829fda292eef4ed292732eae26351e76062b3095d868a2b3a9270db82123163b25
2026-04-21T12:18:15.389183431Z (160574) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.389187071Z (160574) State = 0xedddef24e923fa7ce6ededd1ec52e695
2026-04-21T12:18:15.389190671Z (160574) Proxy-State = 0x34
2026-04-21T12:18:15.389204041Z (160574) Finished request
2026-04-21T12:18:15.389208451Z Thread 579 waiting to be assigned a request
2026-04-21T12:18:15.400836992Z (160510) Cleaning up request packet ID 231 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.408127527Z (160511) Cleaning up request packet ID 141 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.414728351Z (160512) Cleaning up request packet ID 116 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.422382063Z (160513) Cleaning up request packet ID 4 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.477353772Z (0) (TLS): Access-Request packet from host 3.122.233.175 port 59659, id=2, length=244
2026-04-21T12:18:15.477387362Z Thread 570 got semaphore
2026-04-21T12:18:15.477392742Z Thread 570 handling request 160575, (72 handled so far)
2026-04-21T12:18:15.477410103Z (160575) Received Access-Request Id 2 from 3.122.233.175:59659 to 0.0.0.0:2083 length 244
2026-04-21T12:18:15.477415453Z (160575) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.477419953Z (160575) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.477423953Z (160575) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.477428483Z (160575) Framed-MTU = 1400
2026-04-21T12:18:15.477432533Z (160575) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.477436343Z (160575) Service-Type = Framed-User
2026-04-21T12:18:15.477450393Z (160575) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.477455183Z (160575) EAP-Message = 0x02ac005b15001703030050dc5be32455b3ee0235b95a416c50df37906308d7a90e51f6c455adfa68b28e310976110437855786470c9f41000cda90787c7fe73e7b444c70a513f661fb1fff1ff7f7a568b923e4e7b1528add825efc
2026-04-21T12:18:15.477459314Z (160575) State = 0x6f6ec6d06bc2d339cf75c4b4c5430e32
2026-04-21T12:18:15.477464283Z (160575) Message-Authenticator = 0xd0b13bb6391467e89f94744361ac30f7
2026-04-21T12:18:15.477468664Z (160575) Proxy-State = 0x35
2026-04-21T12:18:15.477473154Z (160575) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.477477424Z (160575) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.477481914Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.477485904Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.477490034Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.477525095Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.477535195Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.477539975Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.477544515Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.477548635Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.477552805Z (160575) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.477556795Z (160575) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.477578136Z (160575) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.477582436Z (160575) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.477586476Z (160575) authorize {
2026-04-21T12:18:15.477590526Z (160575) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.477594466Z (160575) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.477598616Z (160575) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.477602686Z (160575) update request {
2026-04-21T12:18:15.477606656Z (160575) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.477610626Z (160575) } # update request = noop
2026-04-21T12:18:15.477614706Z (160575) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.477618836Z (160575) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.477622936Z (160575) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.477626896Z (160575) --> 1343-0-5768143212362
2026-04-21T12:18:15.477630746Z (160575) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.477634946Z (160575) else {
2026-04-21T12:18:15.477639067Z (160575) update request {
2026-04-21T12:18:15.477643097Z (160575) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.477647057Z (160575) --> 1343-0-5768143212362
2026-04-21T12:18:15.477651207Z (160575) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.477660977Z (160575) Request-Origin := "freeradius"
2026-04-21T12:18:15.477664847Z (160575) } # update request = noop
2026-04-21T12:18:15.477675377Z (160575) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.477679867Z (160575) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.477683917Z (160575) --> 1343-0-5768143212362
2026-04-21T12:18:15.477688118Z (160575) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.477692138Z (160575) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.477696087Z (160575) update request {
2026-04-21T12:18:15.477700338Z (160575) EXPAND %{1}-%{2}
2026-04-21T12:18:15.477704438Z (160575) --> 1343-0
2026-04-21T12:18:15.477708548Z (160575) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.477712518Z (160575) } # update request = noop
2026-04-21T12:18:15.477719488Z (160575) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.477723538Z (160575) if (&EAP-Message) {
2026-04-21T12:18:15.477727538Z (160575) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.477731518Z (160575) if (&EAP-Message) {
2026-04-21T12:18:15.477736058Z (160575) update control {
2026-04-21T12:18:15.477740048Z (160575) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.477744468Z (160575) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.477750908Z (160575) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.477755309Z (160575) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.477759809Z (160575) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.477763789Z (160575) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.477767069Z (160575) } # update control = noop
2026-04-21T12:18:15.477770309Z (160575) eap: Peer sent EAP Response (code 2) ID 172 length 91
2026-04-21T12:18:15.477773389Z (160575) eap: Continuing tunnel setup
2026-04-21T12:18:15.477776509Z (160575) [eap] = ok
2026-04-21T12:18:15.477779879Z (160575) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.477783209Z (160575) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.477786419Z (160575) } # else = ok
2026-04-21T12:18:15.477789459Z (160575) } # authorize = ok
2026-04-21T12:18:15.477792579Z (160575) Found Auth-Type = EAP
2026-04-21T12:18:15.477795869Z (160575) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.477804320Z (160575) Auth-Type EAP {
2026-04-21T12:18:15.477811049Z (160575) eap: Removing EAP session with state 0x6f6ec6d06bc2d339
2026-04-21T12:18:15.477815070Z (160575) eap: Previous EAP request found for state 0x6f6ec6d06bc2d339, released from the list
2026-04-21T12:18:15.477818360Z (160575) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.477821320Z (160575) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.477824540Z (160575) eap_ttls: Authenticate
2026-04-21T12:18:15.477839500Z (160575) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.477842870Z (160575) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:15.477846680Z (160575) eap_ttls: Got tunneled request
2026-04-21T12:18:15.477849890Z (160575) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.477852900Z (160575) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:15.477860020Z (160575) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.477863190Z (160575) eap_ttls: Sending tunneled request
2026-04-21T12:18:15.477884421Z (160575) Virtual server my-inner-tunnel received request
2026-04-21T12:18:15.477887971Z (160575) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.477895991Z (160575) User-Password = <<< secret >>>
2026-04-21T12:18:15.477899191Z (160575) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.477902381Z (160575) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.477905771Z (160575) Calling-Station-Id = "02-E5-2B-3E-B8-78"
2026-04-21T12:18:15.477909451Z (160575) Framed-MTU = 1400
2026-04-21T12:18:15.477912261Z (160575) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.477914401Z (160575) Service-Type = Framed-User
2026-04-21T12:18:15.477916511Z (160575) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.477918642Z (160575) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:15.477920891Z (160575) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:15.477923051Z (160575) server my-inner-tunnel {
2026-04-21T12:18:15.477925231Z (160575) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.477928131Z (160575) authorize {
2026-04-21T12:18:15.477930242Z (160575) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.477932332Z (160575) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:15.477934382Z (160575) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.477936482Z (160575) update outer.request {
2026-04-21T12:18:15.477938492Z (160575) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:15.477940562Z (160575) } # update outer.request = noop
2026-04-21T12:18:15.477942622Z (160575) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:15.477944632Z (160575) update request {
2026-04-21T12:18:15.477946672Z (160575) Auth-Endpoint := "auth"
2026-04-21T12:18:15.477948772Z (160575) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:15.477972142Z (160575) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:15.477975762Z (160575) --> 1343-0-5768143212362
2026-04-21T12:18:15.477979163Z (160575) Extreme-VSA-RsCert := 1343-0-5768143212362
2026-04-21T12:18:15.477982603Z (160575) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:15.477985592Z (160575) --> freeradius
2026-04-21T12:18:15.477988923Z (160575) Request-Origin := freeradius
2026-04-21T12:18:15.477992403Z (160575) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:15.477995943Z (160575) --> false
2026-04-21T12:18:15.477999173Z (160575) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:15.478002433Z (160575) } # update request = noop
2026-04-21T12:18:15.478005703Z (160575) update control {
2026-04-21T12:18:15.478009213Z (160575) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:15.478025973Z (160575) Auth-Type = rest
2026-04-21T12:18:15.478028893Z (160575) } # update control = noop
2026-04-21T12:18:15.478031023Z (160575) } # authorize = noop
2026-04-21T12:18:15.478033053Z (160575) Found Auth-Type = rest
2026-04-21T12:18:15.478035093Z (160575) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.478037124Z (160575) Auth-Type REST {
2026-04-21T12:18:15.478039213Z rlm_rest (rest): Reserved connection (150)
2026-04-21T12:18:15.478044584Z (160575) rest: Expanding URI components
2026-04-21T12:18:15.478047314Z (160575) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.478049494Z (160575) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.478052904Z (160575) rest: EXPAND /auth
2026-04-21T12:18:15.478056354Z (160575) rest: --> /auth
2026-04-21T12:18:15.478059694Z (160575) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:15.478076214Z (160575) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:15.478081044Z (160575) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-E5-2B-3E-B8-78","tenant-id": "1343-0-5768143212362","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:15.478488401Z (160575) rest: Processing response header
2026-04-21T12:18:15.478493871Z (160575) rest: Status : 100 (Continue)
2026-04-21T12:18:15.478496551Z (160575) rest: Continuing...
2026-04-21T12:18:15.484167379Z (0) (TLS): Access-Request packet from host 63.177.85.182 port 46491, id=135, length=244
2026-04-21T12:18:15.484221840Z Thread 564 got semaphore
2026-04-21T12:18:15.484228390Z Thread 564 handling request 160576, (96 handled so far)
2026-04-21T12:18:15.484232630Z (160576) Received Access-Request Id 135 from 63.177.85.182:46491 to 0.0.0.0:2083 length 244
2026-04-21T12:18:15.484237000Z (160576) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.484240750Z (160576) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.484244800Z (160576) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.484269301Z (160576) Framed-MTU = 1400
2026-04-21T12:18:15.484273141Z (160576) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.484277221Z (160576) Service-Type = Framed-User
2026-04-21T12:18:15.484281381Z (160576) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.484285451Z (160576) EAP-Message = 0x021d005b1500170303005080c5e7cc57487d8b2ed39f6023b668a7e3c4c5ea3d9e67a692bc50d3acc32dd5122831e2f00c1fe6f3cc4f561c8d472232263869a57f50011b15c59c274ba74d9f36404bf54b90b72c8cbbf83dcebfdc
2026-04-21T12:18:15.484289561Z (160576) State = 0x2a2067242e3d72e86e37653a6478cb5c
2026-04-21T12:18:15.484293911Z (160576) Message-Authenticator = 0xa823a303737705b628a34279a1c33977
2026-04-21T12:18:15.484297841Z (160576) Proxy-State = 0x35
2026-04-21T12:18:15.484301981Z (160576) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.484306252Z (160576) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.484310281Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.484314412Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.484318352Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.484322302Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.484326672Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.484330432Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.484334572Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.484342752Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.484357142Z (160576) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.484360962Z (160576) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.484364933Z (160576) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.484368762Z (160576) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.484372473Z (160576) authorize {
2026-04-21T12:18:15.484376363Z (160576) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.484380453Z (160576) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.484384413Z (160576) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.484388373Z (160576) update request {
2026-04-21T12:18:15.484398573Z (160576) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.484402643Z (160576) } # update request = noop
2026-04-21T12:18:15.484406893Z (160576) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.484410793Z (160576) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.484414613Z (160576) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.484418674Z (160576) --> 1343-0-5768143212145
2026-04-21T12:18:15.484427034Z (160576) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.484431034Z (160576) else {
2026-04-21T12:18:15.484435044Z (160576) update request {
2026-04-21T12:18:15.484439174Z (160576) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.484442994Z (160576) --> 1343-0-5768143212145
2026-04-21T12:18:15.484446704Z (160576) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.484450574Z (160576) Request-Origin := "freeradius"
2026-04-21T12:18:15.484454494Z (160576) } # update request = noop
2026-04-21T12:18:15.484458434Z (160576) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.484462534Z (160576) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.484466264Z (160576) --> 1343-0-5768143212145
2026-04-21T12:18:15.484470194Z (160576) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.484474084Z (160576) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.484477995Z (160576) update request {
2026-04-21T12:18:15.484482024Z (160576) EXPAND %{1}-%{2}
2026-04-21T12:18:15.484485995Z (160576) --> 1343-0
2026-04-21T12:18:15.484490125Z (160576) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.484494225Z (160576) } # update request = noop
2026-04-21T12:18:15.484498375Z (160576) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.484502485Z (160576) if (&EAP-Message) {
2026-04-21T12:18:15.484506975Z (160576) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.484511145Z (160576) if (&EAP-Message) {
2026-04-21T12:18:15.484515495Z (160576) update control {
2026-04-21T12:18:15.484519905Z (160576) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.484524195Z (160576) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.484533485Z (160576) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.484537565Z (160576) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.484541216Z (160576) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.484545166Z (160576) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.484548956Z (160576) } # update control = noop
2026-04-21T12:18:15.484552866Z (160576) eap: Peer sent EAP Response (code 2) ID 29 length 91
2026-04-21T12:18:15.484556616Z (160576) eap: Continuing tunnel setup
2026-04-21T12:18:15.484560596Z (160576) [eap] = ok
2026-04-21T12:18:15.484564586Z (160576) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.484615817Z (160576) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.484620017Z (160576) } # else = ok
2026-04-21T12:18:15.484623917Z (160576) } # authorize = ok
2026-04-21T12:18:15.484639437Z (160576) Found Auth-Type = EAP
2026-04-21T12:18:15.484643427Z (160576) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.484647647Z (160576) Auth-Type EAP {
2026-04-21T12:18:15.484651438Z (160576) eap: Removing EAP session with state 0x2a2067242e3d72e8
2026-04-21T12:18:15.484655518Z (160576) eap: Previous EAP request found for state 0x2a2067242e3d72e8, released from the list
2026-04-21T12:18:15.484695328Z (160576) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.484700918Z (160576) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.484705028Z (160576) eap_ttls: Authenticate
2026-04-21T12:18:15.484708748Z (160576) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.484712448Z (160576) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:15.484716568Z (160576) eap_ttls: Got tunneled request
2026-04-21T12:18:15.484720689Z (160576) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.484725319Z (160576) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:15.484729759Z (160576) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.484732759Z (160576) eap_ttls: Sending tunneled request
2026-04-21T12:18:15.484735359Z (160576) Virtual server my-inner-tunnel received request
2026-04-21T12:18:15.484737929Z (160576) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.484753079Z (160576) User-Password = <<< secret >>>
2026-04-21T12:18:15.484757649Z (160576) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.484761779Z (160576) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.484766019Z (160576) Calling-Station-Id = "02-AC-5E-7A-E8-7C"
2026-04-21T12:18:15.484770220Z (160576) Framed-MTU = 1400
2026-04-21T12:18:15.484774280Z (160576) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.484778210Z (160576) Service-Type = Framed-User
2026-04-21T12:18:15.484782460Z (160576) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.484786820Z (160576) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:15.484791270Z (160576) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:15.484796550Z (160576) server my-inner-tunnel {
2026-04-21T12:18:15.484800760Z (160576) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.484804870Z (160576) authorize {
2026-04-21T12:18:15.484808880Z (160576) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.484812620Z (160576) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:15.484816120Z (160576) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.484819330Z (160576) update outer.request {
2026-04-21T12:18:15.484822930Z (160576) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:15.484826050Z (160576) } # update outer.request = noop
2026-04-21T12:18:15.484829210Z (160576) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:15.484832461Z (160576) update request {
2026-04-21T12:18:15.484855121Z (160576) Auth-Endpoint := "auth"
2026-04-21T12:18:15.484858941Z (160576) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:15.484862151Z (160576) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:15.484865611Z (160576) --> 1343-0-5768143212145
2026-04-21T12:18:15.484869111Z (160576) Extreme-VSA-RsCert := 1343-0-5768143212145
2026-04-21T12:18:15.484896182Z (160576) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:15.484899402Z (160576) --> freeradius
2026-04-21T12:18:15.484906082Z (160576) Request-Origin := freeradius
2026-04-21T12:18:15.484908912Z (160576) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:15.484912142Z (160576) --> false
2026-04-21T12:18:15.484915182Z (160576) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:15.484918452Z (160576) } # update request = noop
2026-04-21T12:18:15.484921532Z (160576) update control {
2026-04-21T12:18:15.484925062Z (160576) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:15.484928432Z (160576) Auth-Type = rest
2026-04-21T12:18:15.484931682Z (160576) } # update control = noop
2026-04-21T12:18:15.484933722Z (160576) } # authorize = noop
2026-04-21T12:18:15.484935722Z (160576) Found Auth-Type = rest
2026-04-21T12:18:15.484937782Z (160576) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.484939852Z (160576) Auth-Type REST {
2026-04-21T12:18:15.484941863Z rlm_rest (rest): Reserved connection (172)
2026-04-21T12:18:15.484943892Z (160576) rest: Expanding URI components
2026-04-21T12:18:15.484945963Z (160576) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.484948083Z (160576) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.484950132Z (160576) rest: EXPAND /auth
2026-04-21T12:18:15.484952163Z (160576) rest: --> /auth
2026-04-21T12:18:15.484963233Z (160576) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:15.484975193Z (160576) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:15.484983083Z (160576) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-AC-5E-7A-E8-7C","tenant-id": "1343-0-5768143212145","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:15.485802007Z (160576) rest: Processing response header
2026-04-21T12:18:15.485808837Z (160576) rest: Status : 100 (Continue)
2026-04-21T12:18:15.485813078Z (160576) rest: Continuing...
2026-04-21T12:18:15.490970596Z (0) (TLS): Access-Request packet from host 35.156.107.143 port 43211, id=188, length=244
2026-04-21T12:18:15.490979116Z Thread 566 got semaphore
2026-04-21T12:18:15.490983487Z Thread 566 handling request 160577, (87 handled so far)
2026-04-21T12:18:15.490993127Z (160577) Received Access-Request Id 188 from 35.156.107.143:43211 to 0.0.0.0:2083 length 244
2026-04-21T12:18:15.490997667Z (160577) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.491001397Z (160577) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.491005227Z (160577) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.491009647Z (160577) Framed-MTU = 1400
2026-04-21T12:18:15.491013647Z (160577) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.491017367Z (160577) Service-Type = Framed-User
2026-04-21T12:18:15.491045018Z (160577) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.491056258Z (160577) EAP-Message = 0x02fe005b150017030300507d82023e43c8a8d3df410dbdf186c6b0d1cbd95fe291da4ca4f7c9ca2edff07fb52ff527d7ea2f71b366b25df68149f63d0e03ddca1f94b7866af5ff7af5b10283dfbc48e49a793605c609e98e1b46d0
2026-04-21T12:18:15.491060298Z (160577) State = 0xedddef24e923fa7ce6ededd1ec52e695
2026-04-21T12:18:15.491064728Z (160577) Message-Authenticator = 0x1c595c12782e177d1e1f0dad54b2757d
2026-04-21T12:18:15.491068618Z (160577) Proxy-State = 0x35
2026-04-21T12:18:15.491072738Z (160577) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:15.491076898Z (160577) &session-state:Framed-MTU = 994
2026-04-21T12:18:15.491081318Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:15.491085548Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:15.491089578Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:15.491093398Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:15.491096978Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:15.491101329Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:15.491111199Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.491115539Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:15.491126509Z (160577) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:15.491187790Z (160577) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:15.491193720Z (160577) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:15.491198280Z (160577) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.491215291Z (160577) authorize {
2026-04-21T12:18:15.491219851Z (160577) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.491224131Z (160577) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:15.491228241Z (160577) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:15.491232521Z (160577) update request {
2026-04-21T12:18:15.491236921Z (160577) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:15.491241511Z (160577) } # update request = noop
2026-04-21T12:18:15.491276462Z (160577) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:15.491280492Z (160577) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:15.491284552Z (160577) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:15.491288762Z (160577) --> 1343-0-5768143212022
2026-04-21T12:18:15.491292902Z (160577) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:15.491297002Z (160577) else {
2026-04-21T12:18:15.491301102Z (160577) update request {
2026-04-21T12:18:15.491305382Z (160577) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:15.491309392Z (160577) --> 1343-0-5768143212022
2026-04-21T12:18:15.491313812Z (160577) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.491317712Z (160577) Request-Origin := "freeradius"
2026-04-21T12:18:15.491321842Z (160577) } # update request = noop
2026-04-21T12:18:15.491325962Z (160577) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.491329962Z (160577) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:15.491333863Z (160577) --> 1343-0-5768143212022
2026-04-21T12:18:15.491360443Z (160577) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:15.491364773Z (160577) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:15.491368803Z (160577) update request {
2026-04-21T12:18:15.491393234Z (160577) EXPAND %{1}-%{2}
2026-04-21T12:18:15.491397424Z (160577) --> 1343-0
2026-04-21T12:18:15.491401604Z (160577) Owner-Org-Id := 1343-0
2026-04-21T12:18:15.491405664Z (160577) } # update request = noop
2026-04-21T12:18:15.491409524Z (160577) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:15.491413494Z (160577) if (&EAP-Message) {
2026-04-21T12:18:15.491417474Z (160577) if (&EAP-Message) -> TRUE
2026-04-21T12:18:15.491421594Z (160577) if (&EAP-Message) {
2026-04-21T12:18:15.491456385Z (160577) update control {
2026-04-21T12:18:15.491460825Z (160577) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:15.491464695Z (160577) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.491474955Z (160577) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:15.491478825Z (160577) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:15.491482505Z (160577) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.491486445Z (160577) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:15.491490205Z (160577) } # update control = noop
2026-04-21T12:18:15.491494045Z (160577) eap: Peer sent EAP Response (code 2) ID 254 length 91
2026-04-21T12:18:15.491497876Z (160577) eap: Continuing tunnel setup
2026-04-21T12:18:15.491501576Z (160577) [eap] = ok
2026-04-21T12:18:15.491505326Z (160577) } # if (&EAP-Message) = ok
2026-04-21T12:18:15.491509116Z (160577) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:15.491513046Z (160577) } # else = ok
2026-04-21T12:18:15.491516976Z (160577) } # authorize = ok
2026-04-21T12:18:15.491520906Z (160577) Found Auth-Type = EAP
2026-04-21T12:18:15.491524666Z (160577) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.491528496Z (160577) Auth-Type EAP {
2026-04-21T12:18:15.491532266Z (160577) eap: Removing EAP session with state 0xedddef24e923fa7c
2026-04-21T12:18:15.491547236Z (160577) eap: Previous EAP request found for state 0xedddef24e923fa7c, released from the list
2026-04-21T12:18:15.491551156Z (160577) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:15.491554986Z (160577) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:15.491558886Z (160577) eap_ttls: Authenticate
2026-04-21T12:18:15.491562507Z (160577) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:15.491566127Z (160577) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:15.491570017Z (160577) eap_ttls: Got tunneled request
2026-04-21T12:18:15.491573977Z (160577) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.491580907Z (160577) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:15.491585047Z (160577) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.491589137Z (160577) eap_ttls: Sending tunneled request
2026-04-21T12:18:15.491593077Z (160577) Virtual server my-inner-tunnel received request
2026-04-21T12:18:15.491597247Z (160577) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.491601317Z (160577) User-Password = <<< secret >>>
2026-04-21T12:18:15.491605347Z (160577) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:15.491609478Z (160577) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:15.491613287Z (160577) Calling-Station-Id = "02-FA-38-9E-18-06"
2026-04-21T12:18:15.491617247Z (160577) Framed-MTU = 1400
2026-04-21T12:18:15.491621958Z (160577) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:15.491626388Z (160577) Service-Type = Framed-User
2026-04-21T12:18:15.491630908Z (160577) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:15.491635198Z (160577) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:15.491639458Z (160577) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:15.491643558Z (160577) server my-inner-tunnel {
2026-04-21T12:18:15.491648158Z (160577) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.491652628Z (160577) authorize {
2026-04-21T12:18:15.491657428Z (160577) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.491667059Z (160577) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:15.491671388Z (160577) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:15.491675688Z (160577) update outer.request {
2026-04-21T12:18:15.491680459Z (160577) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:15.491685189Z (160577) } # update outer.request = noop
2026-04-21T12:18:15.491689029Z (160577) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:15.491691729Z (160577) update request {
2026-04-21T12:18:15.491694449Z (160577) Auth-Endpoint := "auth"
2026-04-21T12:18:15.491697129Z (160577) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:15.491699759Z (160577) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:15.491702379Z (160577) --> 1343-0-5768143212022
2026-04-21T12:18:15.491705049Z (160577) Extreme-VSA-RsCert := 1343-0-5768143212022
2026-04-21T12:18:15.491707689Z (160577) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:15.491710319Z (160577) --> freeradius
2026-04-21T12:18:15.491712949Z (160577) Request-Origin := freeradius
2026-04-21T12:18:15.491715609Z (160577) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:15.491718269Z (160577) --> false
2026-04-21T12:18:15.491720919Z (160577) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:15.491723589Z (160577) } # update request = noop
2026-04-21T12:18:15.491726280Z (160577) update control {
2026-04-21T12:18:15.491740960Z (160577) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:15.491744080Z (160577) Auth-Type = rest
2026-04-21T12:18:15.491746800Z (160577) } # update control = noop
2026-04-21T12:18:15.491749600Z (160577) } # authorize = noop
2026-04-21T12:18:15.491752240Z (160577) Found Auth-Type = rest
2026-04-21T12:18:15.491754990Z (160577) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:15.491757660Z (160577) Auth-Type REST {
2026-04-21T12:18:15.491760310Z rlm_rest (rest): Reserved connection (146)
2026-04-21T12:18:15.491763740Z (160577) rest: Expanding URI components
2026-04-21T12:18:15.491766500Z (160577) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.491769380Z (160577) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:15.491772060Z (160577) rest: EXPAND /auth
2026-04-21T12:18:15.491774700Z (160577) rest: --> /auth
2026-04-21T12:18:15.491777370Z (160577) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:15.491786590Z (160577) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:15.491794451Z (160577) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-FA-38-9E-18-06","tenant-id": "1343-0-5768143212022","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:15.492036805Z (160577) rest: Processing response header
2026-04-21T12:18:15.492041675Z (160577) rest: Status : 100 (Continue)
2026-04-21T12:18:15.492044025Z (160577) rest: Continuing...
2026-04-21T12:18:15.522299578Z (160514) Cleaning up request packet ID 113 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.534133162Z (160515) Cleaning up request packet ID 40 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.537128103Z (160518) Cleaning up request packet ID 211 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.539187359Z (160516) Cleaning up request packet ID 187 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.547611924Z (160517) Cleaning up request packet ID 208 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.643806775Z (160519) Cleaning up request packet ID 102 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.749037291Z (160520) Cleaning up request packet ID 36 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.771091811Z ... new connection request on TCP socket
2026-04-21T12:18:15.771104971Z Listening on auth+acct from client (63.182.253.79, 38879) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.771109611Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.182.253.79, 38879) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:15.771153832Z ... shutting down socket auth+acct from client (63.182.253.79, 38879) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.771158602Z ... cleaning up socket auth+acct from client (63.182.253.79, 38879) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.791753659Z ... new connection request on TCP socket
2026-04-21T12:18:15.791781979Z Listening on auth+acct from client (3.75.94.85, 46955) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.791786589Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.75.94.85, 46955) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:15.791839210Z ... shutting down socket auth+acct from client (3.75.94.85, 46955) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.791844390Z ... cleaning up socket auth+acct from client (3.75.94.85, 46955) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.794689249Z ... new connection request on TCP socket
2026-04-21T12:18:15.794705140Z Listening on auth+acct from client (3.121.41.224, 57163) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.794714620Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.121.41.224, 57163) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:15.794733680Z ... shutting down socket auth+acct from client (3.121.41.224, 57163) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.794742810Z ... cleaning up socket auth+acct from client (3.121.41.224, 57163) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.827846181Z ... new connection request on TCP socket
2026-04-21T12:18:15.827876221Z Listening on auth+acct from client (3.73.101.70, 33845) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.827881931Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.73.101.70, 33845) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:15.827886681Z ... shutting down socket auth+acct from client (3.73.101.70, 33845) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.827890851Z ... cleaning up socket auth+acct from client (3.73.101.70, 33845) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.854146445Z (160521) Cleaning up request packet ID 55 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.854159376Z Waking up in 0.1 seconds.
2026-04-21T12:18:15.885960954Z (160577) rest: Processing response header
2026-04-21T12:18:15.885974534Z (160577) rest: Status : 200 (OK)
2026-04-21T12:18:15.885978234Z (160577) rest: Type : json (application/json)
2026-04-21T12:18:15.885980934Z (160577) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.885993294Z (160577) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.885996364Z (160577) rest: EXPAND 3600
2026-04-21T12:18:15.885999854Z (160577) rest: --> 3600
2026-04-21T12:18:15.886008745Z (160577) rest: Session-Timeout = 3600
2026-04-21T12:18:15.886013125Z (160577) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.886017765Z (160577) rest: EXPAND 1
2026-04-21T12:18:15.886022175Z (160577) rest: --> 1
2026-04-21T12:18:15.886031405Z (160577) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886119896Z rlm_rest (rest): Released connection (146)
2026-04-21T12:18:15.886128156Z (160577) [rest] = updated
2026-04-21T12:18:15.886130967Z (160577) if (updated) {
2026-04-21T12:18:15.886133647Z (160577) if (updated) -> TRUE
2026-04-21T12:18:15.886136247Z (160577) if (updated) {
2026-04-21T12:18:15.886138807Z (160577) [ok] = ok
2026-04-21T12:18:15.886141467Z (160577) } # if (updated) = ok
2026-04-21T12:18:15.886149757Z (160577) } # Auth-Type REST = ok
2026-04-21T12:18:15.886153227Z (160577) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-FA-38-9E-18-06 via TLS tunnel)
2026-04-21T12:18:15.886155817Z (160577) } # server my-inner-tunnel
2026-04-21T12:18:15.886159627Z (160577) Virtual server sending reply
2026-04-21T12:18:15.886164027Z (160577) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.886168507Z (160577) Session-Timeout = 3600
2026-04-21T12:18:15.886172727Z (160577) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886176997Z (160577) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.886187288Z (160577) eap: Sending EAP Success (code 3) ID 254 length 4
2026-04-21T12:18:15.886191628Z (160577) eap: Freeing handler
2026-04-21T12:18:15.886300899Z (160577) [eap] = ok
2026-04-21T12:18:15.886307680Z (160577) } # Auth-Type EAP = ok
2026-04-21T12:18:15.886312040Z (160577) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.886315280Z (160577) session-state: Discarding attributes for server radius-tls
2026-04-21T12:18:15.886318130Z (160577) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-FA-38-9E-18-06)
2026-04-21T12:18:15.886345770Z (160577) Sent Access-Accept Id 188 from 0.0.0.0:2083 to 35.156.107.143:43211 length 200
2026-04-21T12:18:15.886350770Z (160577) Session-Timeout = 3600
2026-04-21T12:18:15.886354920Z (160577) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886359211Z (160577) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.886363500Z (160577) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.886367671Z (160577) EAP-Message = 0x03fe0004
2026-04-21T12:18:15.886371811Z (160577) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.886376011Z (160577) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.886380371Z (160577) Proxy-State = 0x35
2026-04-21T12:18:15.886474613Z (160577) Finished request
2026-04-21T12:18:15.886493313Z Thread 566 waiting to be assigned a request
2026-04-21T12:18:15.886497803Z (160575) rest: Processing response header
2026-04-21T12:18:15.886501813Z (160575) rest: Status : 200 (OK)
2026-04-21T12:18:15.886506113Z (160575) rest: Type : json (application/json)
2026-04-21T12:18:15.886510143Z (160575) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.886514113Z (160575) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.886522903Z (160575) rest: EXPAND 3600
2026-04-21T12:18:15.886526683Z (160575) rest: --> 3600
2026-04-21T12:18:15.886530574Z (160575) rest: Session-Timeout = 3600
2026-04-21T12:18:15.886534743Z (160575) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.886539184Z (160575) rest: EXPAND 1
2026-04-21T12:18:15.886543454Z (160575) rest: --> 1
2026-04-21T12:18:15.886620875Z (160575) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886629545Z rlm_rest (rest): Released connection (150)
2026-04-21T12:18:15.886633945Z (160575) [rest] = updated
2026-04-21T12:18:15.886661506Z (160575) if (updated) {
2026-04-21T12:18:15.886666716Z (160575) if (updated) -> TRUE
2026-04-21T12:18:15.886671326Z (160575) if (updated) {
2026-04-21T12:18:15.886675306Z (160575) [ok] = ok
2026-04-21T12:18:15.886679176Z (160575) } # if (updated) = ok
2026-04-21T12:18:15.886682826Z (160575) } # Auth-Type REST = ok
2026-04-21T12:18:15.886686536Z (160575) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-E5-2B-3E-B8-78 via TLS tunnel)
2026-04-21T12:18:15.886690466Z (160575) } # server my-inner-tunnel
2026-04-21T12:18:15.886720147Z (160575) Virtual server sending reply
2026-04-21T12:18:15.886725667Z (160575) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.886733797Z (160575) Session-Timeout = 3600
2026-04-21T12:18:15.886738117Z (160575) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886742317Z (160575) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.886746507Z (160575) eap: Sending EAP Success (code 3) ID 172 length 4
2026-04-21T12:18:15.886750607Z (160575) eap: Freeing handler
2026-04-21T12:18:15.886836079Z (160575) [eap] = ok
2026-04-21T12:18:15.886842689Z (160575) } # Auth-Type EAP = ok
2026-04-21T12:18:15.886846719Z (160575) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.886850579Z (160575) session-state: Discarding attributes for server radius-tls
2026-04-21T12:18:15.886854169Z (160575) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-E5-2B-3E-B8-78)
2026-04-21T12:18:15.886857349Z (160575) Sent Access-Accept Id 2 from 0.0.0.0:2083 to 3.122.233.175:59659 length 200
2026-04-21T12:18:15.886860919Z (160575) Session-Timeout = 3600
2026-04-21T12:18:15.886864129Z (160575) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.886898100Z (160575) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.886903720Z (160575) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.886907250Z (160575) EAP-Message = 0x03ac0004
2026-04-21T12:18:15.886910920Z (160575) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.886914200Z (160575) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.886927030Z (160575) Proxy-State = 0x35
2026-04-21T12:18:15.886937430Z (160575) Finished request
2026-04-21T12:18:15.886946691Z Thread 570 waiting to be assigned a request
2026-04-21T12:18:15.892306353Z (160576) rest: Processing response header
2026-04-21T12:18:15.892388655Z (160576) rest: Status : 200 (OK)
2026-04-21T12:18:15.892394495Z (160576) rest: Type : json (application/json)
2026-04-21T12:18:15.892398995Z (160576) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:15.892403385Z (160576) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:15.892421765Z (160576) rest: EXPAND 3600
2026-04-21T12:18:15.892426505Z (160576) rest: --> 3600
2026-04-21T12:18:15.892430685Z (160576) rest: Session-Timeout = 3600
2026-04-21T12:18:15.892434656Z (160576) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:15.892439205Z (160576) rest: EXPAND 1
2026-04-21T12:18:15.892443636Z (160576) rest: --> 1
2026-04-21T12:18:15.892447886Z (160576) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:15.892457296Z rlm_rest (rest): Released connection (172)
2026-04-21T12:18:15.892461966Z (160576) [rest] = updated
2026-04-21T12:18:15.892466076Z (160576) if (updated) {
2026-04-21T12:18:15.892470116Z (160576) if (updated) -> TRUE
2026-04-21T12:18:15.892474376Z (160576) if (updated) {
2026-04-21T12:18:15.892478736Z (160576) [ok] = ok
2026-04-21T12:18:15.892483086Z (160576) } # if (updated) = ok
2026-04-21T12:18:15.892487326Z (160576) } # Auth-Type REST = ok
2026-04-21T12:18:15.892491557Z (160576) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-AC-5E-7A-E8-7C via TLS tunnel)
2026-04-21T12:18:15.892495797Z (160576) } # server my-inner-tunnel
2026-04-21T12:18:15.892499897Z (160576) Virtual server sending reply
2026-04-21T12:18:15.892503917Z (160576) REST-HTTP-Status-Code = 200
2026-04-21T12:18:15.892508047Z (160576) Session-Timeout = 3600
2026-04-21T12:18:15.892517647Z (160576) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.892521187Z (160576) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:15.892548938Z (160576) eap: Sending EAP Success (code 3) ID 29 length 4
2026-04-21T12:18:15.892553538Z (160576) eap: Freeing handler
2026-04-21T12:18:15.892560778Z (160576) [eap] = ok
2026-04-21T12:18:15.892564868Z (160576) } # Auth-Type EAP = ok
2026-04-21T12:18:15.892569778Z (160576) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:15.892574998Z (160576) session-state: Discarding attributes for server radius-tls
2026-04-21T12:18:15.892579208Z (160576) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-AC-5E-7A-E8-7C)
2026-04-21T12:18:15.892583428Z (160576) Sent Access-Accept Id 135 from 0.0.0.0:2083 to 63.177.85.182:46491 length 200
2026-04-21T12:18:15.892587428Z (160576) Session-Timeout = 3600
2026-04-21T12:18:15.892608788Z (160576) Termination-Action = RADIUS-Request
2026-04-21T12:18:15.892612928Z (160576) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:15.892616759Z (160576) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:15.892620359Z (160576) EAP-Message = 0x031d0004
2026-04-21T12:18:15.892624119Z (160576) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:15.892627889Z (160576) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:15.892631599Z (160576) Proxy-State = 0x35
2026-04-21T12:18:15.892645109Z (160576) Finished request
2026-04-21T12:18:15.892649159Z Thread 564 waiting to be assigned a request
2026-04-21T12:18:15.972631150Z (160522) Cleaning up request packet ID 53 with timestamp +4276 due to cleanup_delay was reached
2026-04-21T12:18:15.972646001Z Waking up in 0.1 seconds.
2026-04-21T12:18:15.980489846Z ... new connection request on TCP socket
2026-04-21T12:18:15.980498036Z Listening on auth+acct from client (35.159.23.216, 45439) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.980502446Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (35.159.23.216, 45439) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:15.980586607Z ... shutting down socket auth+acct from client (35.159.23.216, 45439) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.980595718Z ... cleaning up socket auth+acct from client (35.159.23.216, 45439) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:15.980601458Z Waking up in 0.1 seconds.
2026-04-21T12:18:16.037544050Z ... new connection request on TCP socket
2026-04-21T12:18:16.037558861Z Listening on auth+acct from client (63.180.71.208, 54299) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.037563451Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.180.71.208, 54299) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.037595221Z ... shutting down socket auth+acct from client (63.180.71.208, 54299) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.037603001Z ... cleaning up socket auth+acct from client (63.180.71.208, 54299) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.058205887Z ... new connection request on TCP socket
2026-04-21T12:18:16.058240058Z Listening on auth+acct from client (3.67.139.118, 56147) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.058245608Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.67.139.118, 56147) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.058257899Z ... shutting down socket auth+acct from client (3.67.139.118, 56147) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.058261599Z ... cleaning up socket auth+acct from client (3.67.139.118, 56147) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.071192802Z ... new connection request on TCP socket
2026-04-21T12:18:16.071203252Z Listening on auth+acct from client (52.59.199.103, 49347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.071207042Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (52.59.199.103, 49347) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.071263833Z ... shutting down socket auth+acct from client (52.59.199.103, 49347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.071270113Z ... cleaning up socket auth+acct from client (52.59.199.103, 49347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.135571893Z (160524) Cleaning up request packet ID 181 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.140508358Z (160525) Cleaning up request packet ID 108 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.164589303Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=14, length=163
2026-04-21T12:18:16.164665814Z Threads: total/active/spare threads = 18/0/18
2026-04-21T12:18:16.164671744Z Threads: deleting 1 spare out of 8 spares
2026-04-21T12:18:16.164675624Z Thread 572 got semaphore
2026-04-21T12:18:16.164679324Z Thread 578 got semaphore
2026-04-21T12:18:16.164682844Z Thread 572 handling request 160578, (89 handled so far)
2026-04-21T12:18:16.164719695Z Thread 578 waiting to be assigned a request
2026-04-21T12:18:16.164724815Z (160578) Received Access-Request Id 14 from 35.156.117.38:59521 to 0.0.0.0:2083 length 163
2026-04-21T12:18:16.164728355Z (160578) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.164731965Z (160578) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.164735205Z (160578) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.164784326Z (160578) Framed-MTU = 1400
2026-04-21T12:18:16.164789026Z (160578) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.164792426Z (160578) Service-Type = Framed-User
2026-04-21T12:18:16.164795806Z (160578) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.164799366Z (160578) EAP-Message = 0x0291001c016469726563742d74756e6e656c40676d61696c2e636f6d
2026-04-21T12:18:16.164803136Z (160578) Message-Authenticator = 0xd38c3ca70ff5ebb8d8b1637334736d9f
2026-04-21T12:18:16.164807726Z (160578) Proxy-State = 0x30
2026-04-21T12:18:16.164811106Z (160578) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.164814597Z (160578) authorize {
2026-04-21T12:18:16.164818107Z (160578) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.164821647Z (160578) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.164825357Z (160578) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.164828737Z (160578) update request {
2026-04-21T12:18:16.164832077Z (160578) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.164835307Z (160578) } # update request = noop
2026-04-21T12:18:16.164838617Z (160578) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.164841647Z (160578) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.164978300Z (160578) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.165005830Z (160578) --> 1343-0-5768143211848
2026-04-21T12:18:16.165009310Z (160578) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.165012560Z (160578) else {
2026-04-21T12:18:16.165016020Z (160578) update request {
2026-04-21T12:18:16.165024440Z (160578) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.165027640Z (160578) --> 1343-0-5768143211848
2026-04-21T12:18:16.165050091Z (160578) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.165053621Z (160578) Request-Origin := "freeradius"
2026-04-21T12:18:16.165057081Z (160578) } # update request = noop
2026-04-21T12:18:16.165060541Z (160578) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.165063921Z (160578) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.165067321Z (160578) --> 1343-0-5768143211848
2026-04-21T12:18:16.165070541Z (160578) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.165073971Z (160578) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.165077201Z (160578) update request {
2026-04-21T12:18:16.165080131Z (160578) EXPAND %{1}-%{2}
2026-04-21T12:18:16.165083211Z (160578) --> 1343-0
2026-04-21T12:18:16.165086371Z (160578) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.165089301Z (160578) } # update request = noop
2026-04-21T12:18:16.165092571Z (160578) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.165096111Z (160578) if (&EAP-Message) {
2026-04-21T12:18:16.165099602Z (160578) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.165102782Z (160578) if (&EAP-Message) {
2026-04-21T12:18:16.165106422Z (160578) update control {
2026-04-21T12:18:16.165110132Z (160578) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.165113482Z (160578) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.165116852Z (160578) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.165120382Z (160578) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.165123732Z (160578) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.165129042Z (160578) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.165132742Z (160578) } # update control = noop
2026-04-21T12:18:16.165146622Z (160578) eap: Peer sent EAP Response (code 2) ID 145 length 28
2026-04-21T12:18:16.165150262Z (160578) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
2026-04-21T12:18:16.165153592Z (160578) [eap] = ok
2026-04-21T12:18:16.165156812Z (160578) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.165159972Z (160578) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.165163043Z (160578) } # else = ok
2026-04-21T12:18:16.165166303Z (160578) } # authorize = ok
2026-04-21T12:18:16.165169733Z (160578) Found Auth-Type = EAP
2026-04-21T12:18:16.165173083Z (160578) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.165176523Z (160578) Auth-Type EAP {
2026-04-21T12:18:16.165179683Z (160578) eap: Peer sent packet with method EAP Identity (1)
2026-04-21T12:18:16.165182903Z (160578) eap: Using default_eap_type = TTLS
2026-04-21T12:18:16.165186163Z (160578) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.165189473Z (160578) eap_ttls: (TLS) TTLS -Initiating new session
2026-04-21T12:18:16.165193063Z (160578) eap_ttls: (TLS) TTLS - Loading session certificate file "/etc/freeradius/fr-certs/realm/1343-0/cert.pem"
2026-04-21T12:18:16.167735397Z (160578) eap: Sending EAP Request (code 1) ID 146 length 6
2026-04-21T12:18:16.167746997Z (160578) eap: EAP session adding &reply:State = 0xab5c08bdabce1dee
2026-04-21T12:18:16.167809558Z (160578) [eap] = handled
2026-04-21T12:18:16.167814978Z (160578) } # Auth-Type EAP = handled
2026-04-21T12:18:16.167818898Z (160578) Using Post-Auth-Type Challenge
2026-04-21T12:18:16.167822209Z (160578) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:16.167825458Z (160578) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.167828789Z (160578) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:16.167832109Z (160578) Framed-MTU = 994
2026-04-21T12:18:16.167856569Z (160578) Sent Access-Challenge Id 14 from 0.0.0.0:2083 to 35.156.117.38:59521 length 67
2026-04-21T12:18:16.167884759Z (160578) EAP-Message = 0x019200061520
2026-04-21T12:18:16.167892120Z (160578) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:16.167895720Z (160578) State = 0xab5c08bdabce1dee01410a370b544b33
2026-04-21T12:18:16.167898840Z (160578) Proxy-State = 0x30
2026-04-21T12:18:16.167902530Z (160578) Finished request
2026-04-21T12:18:16.167999872Z Thread 572 waiting to be assigned a request
2026-04-21T12:18:16.169590949Z (160523) Cleaning up request packet ID 4 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.240769938Z (160526) Cleaning up request packet ID 78 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.245003391Z (160527) Cleaning up request packet ID 186 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.257199242Z ... new connection request on TCP socket
2026-04-21T12:18:16.257224602Z Listening on auth+acct from client (35.158.95.227, 49809) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.257232452Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (35.158.95.227, 49809) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.257250413Z ... shutting down socket auth+acct from client (35.158.95.227, 49809) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.257257923Z ... cleaning up socket auth+acct from client (35.158.95.227, 49809) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.271198913Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=17, length=343
2026-04-21T12:18:16.271244044Z Thread 573 got semaphore
2026-04-21T12:18:16.271248364Z Thread 573 handling request 160579, (31 handled so far)
2026-04-21T12:18:16.271320315Z (160579) Received Access-Request Id 17 from 35.156.117.38:59521 to 0.0.0.0:2083 length 343
2026-04-21T12:18:16.271326515Z (160579) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.271329505Z (160579) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.271331945Z (160579) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.271334515Z (160579) Framed-MTU = 1400
2026-04-21T12:18:16.271336685Z (160579) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.271338845Z (160579) Service-Type = Framed-User
2026-04-21T12:18:16.271340975Z (160579) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.271343525Z (160579) EAP-Message = 0x029200be150016030100b3010000af0303f59514ce40a2d8eac1844ce5a2f283da32f7a4bb6965ed04c4d38d17663ce8c6000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff0100004e000b000403000102000a000c000a001d0017001e001900180016000000170000000d002a0028040305030603080708080809080a080b080408050806040105010601030303010302040205020602
2026-04-21T12:18:16.271372456Z (160579) State = 0xab5c08bdabce1dee01410a370b544b33
2026-04-21T12:18:16.271384816Z (160579) Message-Authenticator = 0x90e44269767d9d69b6b77bc54b19a128
2026-04-21T12:18:16.271388596Z (160579) Proxy-State = 0x31
2026-04-21T12:18:16.271392366Z (160579) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:16.271417587Z (160579) &session-state:Framed-MTU = 994
2026-04-21T12:18:16.271421547Z (160579) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.271424977Z (160579) authorize {
2026-04-21T12:18:16.271434117Z (160579) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.271437757Z (160579) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.271443197Z (160579) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.271446657Z (160579) update request {
2026-04-21T12:18:16.271449667Z (160579) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.271452877Z (160579) } # update request = noop
2026-04-21T12:18:16.271456537Z (160579) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.271460467Z (160579) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.271463747Z (160579) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.271467358Z (160579) --> 1343-0-5768143211848
2026-04-21T12:18:16.271470998Z (160579) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.271474538Z (160579) else {
2026-04-21T12:18:16.271478008Z (160579) update request {
2026-04-21T12:18:16.271481458Z (160579) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.271485178Z (160579) --> 1343-0-5768143211848
2026-04-21T12:18:16.271514848Z (160579) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.271522259Z (160579) Request-Origin := "freeradius"
2026-04-21T12:18:16.271526019Z (160579) } # update request = noop
2026-04-21T12:18:16.271529279Z (160579) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.271532699Z (160579) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.271536039Z (160579) --> 1343-0-5768143211848
2026-04-21T12:18:16.271539179Z (160579) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.271542359Z (160579) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.271545539Z (160579) update request {
2026-04-21T12:18:16.271548729Z (160579) EXPAND %{1}-%{2}
2026-04-21T12:18:16.271551659Z (160579) --> 1343-0
2026-04-21T12:18:16.271554579Z (160579) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.271558439Z (160579) } # update request = noop
2026-04-21T12:18:16.271561449Z (160579) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.271564589Z (160579) if (&EAP-Message) {
2026-04-21T12:18:16.271567609Z (160579) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.271570689Z (160579) if (&EAP-Message) {
2026-04-21T12:18:16.271573789Z (160579) update control {
2026-04-21T12:18:16.271576800Z (160579) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.271579800Z (160579) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.271583289Z (160579) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.271586629Z (160579) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.271603610Z (160579) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.271607380Z (160579) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.271610510Z (160579) } # update control = noop
2026-04-21T12:18:16.271659701Z (160579) eap: Peer sent EAP Response (code 2) ID 146 length 190
2026-04-21T12:18:16.271666841Z (160579) eap: Continuing tunnel setup
2026-04-21T12:18:16.271670281Z (160579) [eap] = ok
2026-04-21T12:18:16.271673701Z (160579) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.271687501Z (160579) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.271691081Z (160579) } # else = ok
2026-04-21T12:18:16.271694702Z (160579) } # authorize = ok
2026-04-21T12:18:16.271698231Z (160579) Found Auth-Type = EAP
2026-04-21T12:18:16.271701162Z (160579) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.271704712Z (160579) Auth-Type EAP {
2026-04-21T12:18:16.271706912Z (160579) eap: Removing EAP session with state 0xab5c08bdabce1dee
2026-04-21T12:18:16.271709062Z (160579) eap: Previous EAP request found for state 0xab5c08bdabce1dee, released from the list
2026-04-21T12:18:16.271711652Z (160579) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:16.271715242Z (160579) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.271718672Z (160579) eap_ttls: Authenticate
2026-04-21T12:18:16.271722202Z (160579) eap_ttls: (TLS) EAP Got final fragment (184 bytes) total 184
2026-04-21T12:18:16.271726112Z (160579) eap_ttls: WARNING: (TLS) EAP Total received record fragments (184 bytes), does not equal expected expected data length (0 bytes)
2026-04-21T12:18:16.271729872Z (160579) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:16.271733592Z (160579) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization
2026-04-21T12:18:16.271736852Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:16.271740342Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization
2026-04-21T12:18:16.271743732Z (160579) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello
2026-04-21T12:18:16.271753212Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client hello
2026-04-21T12:18:16.271756603Z (160579) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHello
2026-04-21T12:18:16.271760032Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server hello
2026-04-21T12:18:16.271777313Z (160579) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Certificate
2026-04-21T12:18:16.271783413Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write certificate
2026-04-21T12:18:16.272848951Z (160579) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange
2026-04-21T12:18:16.272856302Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write key exchange
2026-04-21T12:18:16.272859642Z (160579) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone
2026-04-21T12:18:16.272863331Z (160579) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:16.272866622Z (160579) eap_ttls: (TLS) TTLS - Server : Need to read more data: SSLv3/TLS write server done
2026-04-21T12:18:16.272870372Z (160579) eap_ttls: (TLS) TTLS - In Handshake Phase
2026-04-21T12:18:16.272873932Z (160579) eap: Sending EAP Request (code 1) ID 147 length 1000
2026-04-21T12:18:16.272877262Z (160579) eap: EAP session adding &reply:State = 0xab5c08bdaacf1dee
2026-04-21T12:18:16.272879602Z (160579) [eap] = handled
2026-04-21T12:18:16.272886222Z (160579) } # Auth-Type EAP = handled
2026-04-21T12:18:16.272892432Z (160579) Using Post-Auth-Type Challenge
2026-04-21T12:18:16.272895982Z (160579) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:16.272899612Z (160579) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.272903202Z (160579) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:16.272906562Z (160579) Framed-MTU = 994
2026-04-21T12:18:16.272909952Z (160579) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.272913532Z (160579) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.272917103Z (160579) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.272920543Z (160579) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.272923953Z (160579) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.272931393Z (160579) Sent Access-Challenge Id 17 from 0.0.0.0:2083 to 35.156.117.38:59521 length 1067
2026-04-21T12:18:16.272936353Z (160579) EAP-Message = 0x019303e815c000000a6d160303003d020000390303c0a7046ac2d9f4735dbe43a08a7314932d3d4cc4279501d0444f574e4752440100c030000011ff01000100000b0004030001020017000016030308ec0b0008e80008e5000598308205943082047ca00302010202143445f65cac1b06ffbc42da7b13d0322ec1e189b2300d06092a864886f70d01010b050030283115301306035504030c0c416973686149737375696e67310f300d060355040b0c06313334332d30301e170d3236303430363132353435305a170d3336303430333132353532305a3027310f300d060355040b1306313334332d30311430120603550403130b416973686173657276657230820122300d06092a864886f70d01010105000382010f003082010a028201010096b60938816c322227718a54c2354b5dbaddf8a22fcba9fbee3269f557931966ca0a2bcc491d01cdc19e2ea7618a1b70ea0bfe995585f95bc905a296b2ec1081f04d56be795c099549d4b633bed88989eefbaecf390be2fb110aa715e0
2026-04-21T12:18:16.272939573Z (160579) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:16.272942653Z (160579) State = 0xab5c08bdaacf1dee01410a370b544b33
2026-04-21T12:18:16.272946283Z (160579) Proxy-State = 0x31
2026-04-21T12:18:16.273016814Z (160579) Finished request
2026-04-21T12:18:16.273021194Z Thread 573 waiting to be assigned a request
2026-04-21T12:18:16.344257334Z (160528) Cleaning up request packet ID 220 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.348053950Z (160529) Cleaning up request packet ID 229 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.376366198Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=165, length=159
2026-04-21T12:18:16.376383038Z Thread 577 got semaphore
2026-04-21T12:18:16.376387389Z Thread 577 handling request 160580, (36 handled so far)
2026-04-21T12:18:16.376471520Z (160580) Received Access-Request Id 165 from 35.156.117.38:59521 to 0.0.0.0:2083 length 159
2026-04-21T12:18:16.376479130Z (160580) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.376483010Z (160580) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.376486330Z (160580) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.376489590Z (160580) Framed-MTU = 1400
2026-04-21T12:18:16.376492870Z (160580) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.376495920Z (160580) Service-Type = Framed-User
2026-04-21T12:18:16.376499360Z (160580) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.376502391Z (160580) EAP-Message = 0x029300061500
2026-04-21T12:18:16.376505641Z (160580) State = 0xab5c08bdaacf1dee01410a370b544b33
2026-04-21T12:18:16.376509091Z (160580) Message-Authenticator = 0x8a04773e46a9f74c059c9d72fe7ad206
2026-04-21T12:18:16.376547101Z (160580) Proxy-State = 0x32
2026-04-21T12:18:16.376551321Z (160580) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:16.376565302Z (160580) &session-state:Framed-MTU = 994
2026-04-21T12:18:16.376569472Z (160580) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.376572772Z (160580) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.376575872Z (160580) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.376578992Z (160580) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.376582172Z (160580) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.376585212Z (160580) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.376589162Z (160580) authorize {
2026-04-21T12:18:16.376592432Z (160580) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.376595902Z (160580) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.376599032Z (160580) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.376602262Z (160580) update request {
2026-04-21T12:18:16.376605652Z (160580) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.376608792Z (160580) } # update request = noop
2026-04-21T12:18:16.376611993Z (160580) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.376615153Z (160580) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.376618402Z (160580) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.376621583Z (160580) --> 1343-0-5768143211848
2026-04-21T12:18:16.376624903Z (160580) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.376627943Z (160580) else {
2026-04-21T12:18:16.376631223Z (160580) update request {
2026-04-21T12:18:16.376634423Z (160580) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.376637693Z (160580) --> 1343-0-5768143211848
2026-04-21T12:18:16.376648683Z (160580) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.376651973Z (160580) Request-Origin := "freeradius"
2026-04-21T12:18:16.376655303Z (160580) } # update request = noop
2026-04-21T12:18:16.376658283Z (160580) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.376661653Z (160580) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.376664893Z (160580) --> 1343-0-5768143211848
2026-04-21T12:18:16.376667943Z (160580) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.376674603Z (160580) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.376678084Z (160580) update request {
2026-04-21T12:18:16.376681514Z (160580) EXPAND %{1}-%{2}
2026-04-21T12:18:16.376684864Z (160580) --> 1343-0
2026-04-21T12:18:16.376688134Z (160580) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.376691414Z (160580) } # update request = noop
2026-04-21T12:18:16.376694794Z (160580) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.376698004Z (160580) if (&EAP-Message) {
2026-04-21T12:18:16.376701264Z (160580) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.376708304Z (160580) if (&EAP-Message) {
2026-04-21T12:18:16.376711594Z (160580) update control {
2026-04-21T12:18:16.376714754Z (160580) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.376718104Z (160580) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.376721274Z (160580) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.376724464Z (160580) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.376727795Z (160580) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.376730824Z (160580) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.376733984Z (160580) } # update control = noop
2026-04-21T12:18:16.376737225Z (160580) eap: Peer sent EAP Response (code 2) ID 147 length 6
2026-04-21T12:18:16.376740445Z (160580) eap: Continuing tunnel setup
2026-04-21T12:18:16.376743915Z (160580) [eap] = ok
2026-04-21T12:18:16.376747345Z (160580) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.376750525Z (160580) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.376753485Z (160580) } # else = ok
2026-04-21T12:18:16.376756465Z (160580) } # authorize = ok
2026-04-21T12:18:16.376759745Z (160580) Found Auth-Type = EAP
2026-04-21T12:18:16.376762905Z (160580) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.376766115Z (160580) Auth-Type EAP {
2026-04-21T12:18:16.376779385Z (160580) eap: Removing EAP session with state 0xab5c08bdaacf1dee
2026-04-21T12:18:16.376783245Z (160580) eap: Previous EAP request found for state 0xab5c08bdaacf1dee, released from the list
2026-04-21T12:18:16.376786716Z (160580) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:16.376790245Z (160580) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.376793476Z (160580) eap_ttls: Authenticate
2026-04-21T12:18:16.376807916Z (160580) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:16.376811586Z (160580) eap: Sending EAP Request (code 1) ID 148 length 1000
2026-04-21T12:18:16.376814926Z (160580) eap: EAP session adding &reply:State = 0xab5c08bda9c81dee
2026-04-21T12:18:16.376818036Z (160580) [eap] = handled
2026-04-21T12:18:16.376821526Z (160580) } # Auth-Type EAP = handled
2026-04-21T12:18:16.376825586Z (160580) Using Post-Auth-Type Challenge
2026-04-21T12:18:16.376829146Z (160580) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:16.376832646Z (160580) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.376836106Z (160580) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:16.376839236Z (160580) Framed-MTU = 994
2026-04-21T12:18:16.376842286Z (160580) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.376845557Z (160580) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.376849037Z (160580) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.376852807Z (160580) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.376855877Z (160580) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.376858027Z (160580) Sent Access-Challenge Id 165 from 0.0.0.0:2083 to 35.156.117.38:59521 length 1067
2026-04-21T12:18:16.376860557Z (160580) EAP-Message = 0x019403e815c000000a6d393531333434393231393038382d706b692f636130410603551d11043a3038820b416973686173657276657282297261646975732e7a74612d71612d6c6f616474657374696e672e71612e78636c6f756469712e636f6d30819d0603551d1f04819530819230818fa0818ca0818986818668747470733a2f2f757a2d7661756c742d71612e71612e78636c6f756469712e636f6d2f76312f757a2d6e616d6573706163652d7a74612d71612d6c6f616474657374696e672d313334332d302d3730323839333234303635393730333733373335373332303038373331313733353133393531333434393231393038382d706b692f63726c300d06092a864886f70d01010b0500038201010048dd8c13c1f2da2de4bdc5bfecc4a830c288593c7af53c28af574c6522ac9f40a632ad7aada27fa12655ddee496df545499a55c33f74896176e3f41fa7593f311ed26251fd28fb127e2a02cdad7a1f83cf612e531f7025100b48aa3ff8f35519ef4cc2cf7e99beeb60
2026-04-21T12:18:16.376866237Z (160580) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:16.376868417Z (160580) State = 0xab5c08bda9c81dee01410a370b544b33
2026-04-21T12:18:16.376870577Z (160580) Proxy-State = 0x32
2026-04-21T12:18:16.376879347Z (160580) Finished request
2026-04-21T12:18:16.376881567Z Thread 577 waiting to be assigned a request
2026-04-21T12:18:16.421785033Z ... new connection request on TCP socket
2026-04-21T12:18:16.421842534Z Listening on auth+acct from client (63.179.91.76, 41183) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.421851643Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.91.76, 41183) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.421863724Z ... shutting down socket auth+acct from client (63.179.91.76, 41183) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.421867664Z ... cleaning up socket auth+acct from client (63.179.91.76, 41183) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.448190917Z (160530) Cleaning up request packet ID 217 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.450530378Z ... new connection request on TCP socket
2026-04-21T12:18:16.450539948Z Listening on auth+acct from client (3.75.223.102, 43105) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.450544938Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.75.223.102, 43105) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.450594519Z ... shutting down socket auth+acct from client (3.75.223.102, 43105) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.450600409Z ... cleaning up socket auth+acct from client (3.75.223.102, 43105) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.451314531Z (160531) Cleaning up request packet ID 8 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.480301552Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=55, length=159
2026-04-21T12:18:16.480328273Z Thread 580 got semaphore
2026-04-21T12:18:16.480333583Z Thread 580 handling request 160581, (36 handled so far)
2026-04-21T12:18:16.480342143Z (160581) Received Access-Request Id 55 from 35.156.117.38:59521 to 0.0.0.0:2083 length 159
2026-04-21T12:18:16.480356903Z (160581) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.480360833Z (160581) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.480365084Z (160581) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.480374624Z (160581) Framed-MTU = 1400
2026-04-21T12:18:16.480379304Z (160581) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.480383554Z (160581) Service-Type = Framed-User
2026-04-21T12:18:16.480387574Z (160581) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.480391824Z (160581) EAP-Message = 0x029400061500
2026-04-21T12:18:16.480406104Z (160581) State = 0xab5c08bda9c81dee01410a370b544b33
2026-04-21T12:18:16.480414674Z (160581) Message-Authenticator = 0x8fda78841cfa030af6a995519a4c6b64
2026-04-21T12:18:16.480426994Z (160581) Proxy-State = 0x33
2026-04-21T12:18:16.480430625Z (160581) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:16.480434315Z (160581) &session-state:Framed-MTU = 994
2026-04-21T12:18:16.480437855Z (160581) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.480446545Z (160581) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.480545867Z (160581) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.480553317Z (160581) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.480557367Z (160581) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.480561677Z (160581) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.480566027Z (160581) authorize {
2026-04-21T12:18:16.480584157Z (160581) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.480588767Z (160581) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.480592687Z (160581) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.480596577Z (160581) update request {
2026-04-21T12:18:16.480600257Z (160581) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.480604608Z (160581) } # update request = noop
2026-04-21T12:18:16.480608328Z (160581) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.480612248Z (160581) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.480621608Z (160581) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.480625668Z (160581) --> 1343-0-5768143211848
2026-04-21T12:18:16.480629388Z (160581) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.480633098Z (160581) else {
2026-04-21T12:18:16.480636898Z (160581) update request {
2026-04-21T12:18:16.480640548Z (160581) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.480646868Z (160581) --> 1343-0-5768143211848
2026-04-21T12:18:16.480650748Z (160581) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.480654538Z (160581) Request-Origin := "freeradius"
2026-04-21T12:18:16.480658198Z (160581) } # update request = noop
2026-04-21T12:18:16.480661769Z (160581) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.480665519Z (160581) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.480669479Z (160581) --> 1343-0-5768143211848
2026-04-21T12:18:16.480673239Z (160581) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.480677149Z (160581) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.480680649Z (160581) update request {
2026-04-21T12:18:16.480684259Z (160581) EXPAND %{1}-%{2}
2026-04-21T12:18:16.480687969Z (160581) --> 1343-0
2026-04-21T12:18:16.480691629Z (160581) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.480695439Z (160581) } # update request = noop
2026-04-21T12:18:16.480699199Z (160581) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.480702859Z (160581) if (&EAP-Message) {
2026-04-21T12:18:16.480706389Z (160581) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.480716870Z (160581) if (&EAP-Message) {
2026-04-21T12:18:16.480720799Z (160581) update control {
2026-04-21T12:18:16.480724950Z (160581) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.480728720Z (160581) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.480732760Z (160581) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.480736460Z (160581) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.480739990Z (160581) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.480743470Z (160581) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.480747090Z (160581) } # update control = noop
2026-04-21T12:18:16.480755600Z (160581) eap: Peer sent EAP Response (code 2) ID 148 length 6
2026-04-21T12:18:16.480759430Z (160581) eap: Continuing tunnel setup
2026-04-21T12:18:16.480763170Z (160581) [eap] = ok
2026-04-21T12:18:16.480766850Z (160581) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.480770711Z (160581) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.480774560Z (160581) } # else = ok
2026-04-21T12:18:16.480778691Z (160581) } # authorize = ok
2026-04-21T12:18:16.480782571Z (160581) Found Auth-Type = EAP
2026-04-21T12:18:16.480786551Z (160581) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.480790481Z (160581) Auth-Type EAP {
2026-04-21T12:18:16.480794391Z (160581) eap: Removing EAP session with state 0xab5c08bda9c81dee
2026-04-21T12:18:16.480798421Z (160581) eap: Previous EAP request found for state 0xab5c08bda9c81dee, released from the list
2026-04-21T12:18:16.480802251Z (160581) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:16.480806651Z (160581) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.480810721Z (160581) eap_ttls: Authenticate
2026-04-21T12:18:16.480814671Z (160581) eap_ttls: (TLS) Peer ACKed our handshake fragment
2026-04-21T12:18:16.480818481Z (160581) eap: Sending EAP Request (code 1) ID 149 length 699
2026-04-21T12:18:16.480821421Z (160581) eap: EAP session adding &reply:State = 0xab5c08bda8c91dee
2026-04-21T12:18:16.480824551Z (160581) [eap] = handled
2026-04-21T12:18:16.480828001Z (160581) } # Auth-Type EAP = handled
2026-04-21T12:18:16.480831661Z (160581) Using Post-Auth-Type Challenge
2026-04-21T12:18:16.480835221Z (160581) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:16.480838712Z (160581) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.480844112Z (160581) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:16.480847492Z (160581) Framed-MTU = 994
2026-04-21T12:18:16.480850732Z (160581) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.480854052Z (160581) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.480857592Z (160581) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.480860652Z (160581) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.480863962Z (160581) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.480872922Z (160581) Sent Access-Challenge Id 55 from 0.0.0.0:2083 to 35.156.117.38:59521 length 764
2026-04-21T12:18:16.480879872Z (160581) EAP-Message = 0x019502bb158000000a6d120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d0e04160414536d597c2da51597e65646af0b96b0fd5e8b8134301f0603551d2304183016801458dce0801b487fa5201ca25d255f27cfe1b02917300d06092a864886f70d01010b0500038201010083d5ee1bcb8b4ae146e1c1b828c1408a802da2b24ce1097c1c8e02a96bf3f53444b2549a31e5522475e2596aee0be9552edbac572b019684e8f26934743fcce75f616665459a2898de4699c9e084f17c51d0cf2e19415698c7f3817b3f629babcd3625687a26e4122f5963e0dff6d657525cdab9854812e1d24ae47be2551eaaedbf7ce67cb81b13769e30690d30f60b219996101a53897d281f08d213b63b03d3f1f1b47ac1568b621c9758f17716f1a10af146ac12687bcc298f9513c847b716c8bdc4c06c41701482baf1ed50f23bbc2c8f3c17bdfcc58e418e3861eef86963ab8360259e1ae0163f9d0f33caa80a013a8120878b8ff63b5257907a
2026-04-21T12:18:16.480888062Z (160581) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:16.480891553Z (160581) State = 0xab5c08bda8c91dee01410a370b544b33
2026-04-21T12:18:16.480894893Z (160581) Proxy-State = 0x33
2026-04-21T12:18:16.480898123Z (160581) Finished request
2026-04-21T12:18:16.480901313Z Thread 580 waiting to be assigned a request
2026-04-21T12:18:16.507374090Z ... new connection request on TCP socket
2026-04-21T12:18:16.507391340Z Listening on auth+acct from client (63.180.167.71, 33347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.507396000Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.180.167.71, 33347) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.507455981Z ... shutting down socket auth+acct from client (63.180.167.71, 33347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.507463301Z ... cleaning up socket auth+acct from client (63.180.167.71, 33347) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.564876562Z (160532) Cleaning up request packet ID 217 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.573216167Z (160533) Cleaning up request packet ID 235 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.587421451Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=5, length=252
2026-04-21T12:18:16.587498593Z Thread 565 got semaphore
2026-04-21T12:18:16.587505863Z Thread 565 handling request 160582, (84 handled so far)
2026-04-21T12:18:16.587558714Z (160582) Received Access-Request Id 5 from 35.156.117.38:59521 to 0.0.0.0:2083 length 252
2026-04-21T12:18:16.587565344Z (160582) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.587569444Z (160582) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.587573834Z (160582) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.587578044Z (160582) Framed-MTU = 1400
2026-04-21T12:18:16.587586484Z (160582) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.587590684Z (160582) Service-Type = Framed-User
2026-04-21T12:18:16.587594724Z (160582) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.587599244Z (160582) EAP-Message = 0x029500631500160303002510000021202039c15afa2cc868a540696a34dee7897078e8be1f1602c0d945f7d9b04529391403030001011603030028e2501c63ca4c575aec0b21d64fe3050b1fab8f31caa166b9e6a12fce34e69e4cef4ca023b5f46a66
2026-04-21T12:18:16.587603315Z (160582) State = 0xab5c08bda8c91dee01410a370b544b33
2026-04-21T12:18:16.587607664Z (160582) Message-Authenticator = 0xd82d568776d15fe3522db7a9f8170936
2026-04-21T12:18:16.587611745Z (160582) Proxy-State = 0x34
2026-04-21T12:18:16.587615795Z (160582) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:16.587635385Z (160582) &session-state:Framed-MTU = 994
2026-04-21T12:18:16.587646215Z (160582) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.587651025Z (160582) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.587667505Z (160582) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.587674256Z (160582) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.587678266Z (160582) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.587706106Z (160582) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.587717826Z (160582) authorize {
2026-04-21T12:18:16.587722346Z (160582) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.587727017Z (160582) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.587731077Z (160582) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.587735377Z (160582) update request {
2026-04-21T12:18:16.587739317Z (160582) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.587743257Z (160582) } # update request = noop
2026-04-21T12:18:16.587747657Z (160582) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.587751957Z (160582) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.587756057Z (160582) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.587760037Z (160582) --> 1343-0-5768143211848
2026-04-21T12:18:16.587764227Z (160582) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.587768267Z (160582) else {
2026-04-21T12:18:16.587795918Z (160582) update request {
2026-04-21T12:18:16.587799808Z (160582) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.587803928Z (160582) --> 1343-0-5768143211848
2026-04-21T12:18:16.587807908Z (160582) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.587824998Z (160582) Request-Origin := "freeradius"
2026-04-21T12:18:16.587829258Z (160582) } # update request = noop
2026-04-21T12:18:16.587833379Z (160582) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.587845879Z (160582) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.587853809Z (160582) --> 1343-0-5768143211848
2026-04-21T12:18:16.587857879Z (160582) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.587870919Z (160582) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.587874359Z (160582) update request {
2026-04-21T12:18:16.587877479Z (160582) EXPAND %{1}-%{2}
2026-04-21T12:18:16.587881229Z (160582) --> 1343-0
2026-04-21T12:18:16.587884209Z (160582) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.587887439Z (160582) } # update request = noop
2026-04-21T12:18:16.587890800Z (160582) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.587894089Z (160582) if (&EAP-Message) {
2026-04-21T12:18:16.587897400Z (160582) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.587900509Z (160582) if (&EAP-Message) {
2026-04-21T12:18:16.587903740Z (160582) update control {
2026-04-21T12:18:16.587908690Z (160582) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.587912030Z (160582) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.587915360Z (160582) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.587927470Z (160582) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.587930750Z (160582) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.587934230Z (160582) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.587937820Z (160582) } # update control = noop
2026-04-21T12:18:16.587941590Z (160582) eap: Peer sent EAP Response (code 2) ID 149 length 99
2026-04-21T12:18:16.587944480Z (160582) eap: Continuing tunnel setup
2026-04-21T12:18:16.587958401Z (160582) [eap] = ok
2026-04-21T12:18:16.587962151Z (160582) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.587965661Z (160582) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.587968851Z (160582) } # else = ok
2026-04-21T12:18:16.587972101Z (160582) } # authorize = ok
2026-04-21T12:18:16.587975381Z (160582) Found Auth-Type = EAP
2026-04-21T12:18:16.587982951Z (160582) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.587986511Z (160582) Auth-Type EAP {
2026-04-21T12:18:16.587989951Z (160582) eap: Removing EAP session with state 0xab5c08bda8c91dee
2026-04-21T12:18:16.587993481Z (160582) eap: Previous EAP request found for state 0xab5c08bda8c91dee, released from the list
2026-04-21T12:18:16.587997151Z (160582) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:16.588000431Z (160582) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.588003681Z (160582) eap_ttls: Authenticate
2026-04-21T12:18:16.588006942Z (160582) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:16.588010022Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write server done
2026-04-21T12:18:16.588013202Z (160582) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange
2026-04-21T12:18:16.588026852Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read client key exchange
2026-04-21T12:18:16.588041502Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read change cipher spec
2026-04-21T12:18:16.588082713Z (160582) eap_ttls: (TLS) TTLS - recv TLS 1.2 Handshake, Finished
2026-04-21T12:18:16.588087903Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS read finished
2026-04-21T12:18:16.588091153Z (160582) eap_ttls: (TLS) TTLS - send TLS 1.2 ChangeCipherSpec
2026-04-21T12:18:16.588095043Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write change cipher spec
2026-04-21T12:18:16.596641870Z (160582) eap_ttls: (TLS) TTLS - send TLS 1.2 Handshake, Finished
2026-04-21T12:18:16.596654531Z (160582) eap_ttls: (TLS) TTLS - Handshake state - Server SSLv3/TLS write finished
2026-04-21T12:18:16.596659060Z (160582) eap_ttls: (TLS) TTLS - Handshake state - SSL negotiation finished successfully
2026-04-21T12:18:16.596663240Z (160582) eap_ttls: (TLS) TTLS - Connection Established
2026-04-21T12:18:16.596667991Z (160582) eap_ttls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:16.596671911Z (160582) eap_ttls: TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:16.596676031Z (160582) eap: Sending EAP Request (code 1) ID 150 length 61
2026-04-21T12:18:16.596680191Z (160582) eap: EAP session adding &reply:State = 0xab5c08bdafca1dee
2026-04-21T12:18:16.596690411Z (160582) [eap] = handled
2026-04-21T12:18:16.596694621Z (160582) } # Auth-Type EAP = handled
2026-04-21T12:18:16.596699031Z (160582) Using Post-Auth-Type Challenge
2026-04-21T12:18:16.596703301Z (160582) Post-Auth-Type sub-section not found. Ignoring.
2026-04-21T12:18:16.596707531Z (160582) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.596721992Z (160582) session-state: Saving cached attributes for server radius-tls
2026-04-21T12:18:16.596726702Z (160582) Framed-MTU = 994
2026-04-21T12:18:16.596731102Z (160582) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.596735222Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.596751312Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.596756082Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.596760472Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.596788163Z (160582) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:16.596814293Z (160582) TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:16.596817713Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:16.596820353Z (160582) TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:16.596823063Z (160582) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:16.596825903Z (160582) TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:16.596828614Z (160582) Sent Access-Challenge Id 5 from 0.0.0.0:2083 to 35.156.117.38:59521 length 122
2026-04-21T12:18:16.596832954Z (160582) EAP-Message = 0x0196003d1580000000331403030001011603030028b3756cc728eca7d8b98d97adc7b2a4adb840f8a99404323f3b83a294f14ef84104384f400b799ac6
2026-04-21T12:18:16.596835603Z (160582) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:16.596838434Z (160582) State = 0xab5c08bdafca1dee01410a370b544b33
2026-04-21T12:18:16.596841214Z (160582) Proxy-State = 0x34
2026-04-21T12:18:16.596851484Z (160582) Finished request
2026-04-21T12:18:16.596854224Z Thread 565 waiting to be assigned a request
2026-04-21T12:18:16.604770020Z Waking up in 0.1 seconds.
2026-04-21T12:18:16.629165442Z ... new connection request on TCP socket
2026-04-21T12:18:16.629186992Z Listening on auth+acct from client (18.197.19.58, 57827) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.629192492Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.197.19.58, 57827) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.629238193Z ... shutting down socket auth+acct from client (18.197.19.58, 57827) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.629243783Z ... cleaning up socket auth+acct from client (18.197.19.58, 57827) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.700431912Z (0) (TLS): Access-Request packet from host 35.156.117.38 port 59521, id=94, length=244
2026-04-21T12:18:16.700518453Z Thread 581 got semaphore
2026-04-21T12:18:16.700524864Z Thread 581 handling request 160583, (37 handled so far)
2026-04-21T12:18:16.700534513Z (160583) Received Access-Request Id 94 from 35.156.117.38:59521 to 0.0.0.0:2083 length 244
2026-04-21T12:18:16.700539284Z (160583) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.700543284Z (160583) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.700547314Z (160583) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.700552034Z (160583) Framed-MTU = 1400
2026-04-21T12:18:16.700556424Z (160583) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.700560004Z (160583) Service-Type = Framed-User
2026-04-21T12:18:16.700575374Z (160583) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.700588625Z (160583) EAP-Message = 0x0296005b15001703030050e2501c63ca4c575b34009dacd3a8788d3f67a3a6155f30745f0e937d0f5ef87fc296f26d0553257af772c40aba6be030d8d021e008ab3ae1bb9bac731093a0792ef9a70da42aa7d597b6234e1c03c0a3
2026-04-21T12:18:16.700592774Z (160583) State = 0xab5c08bdafca1dee01410a370b544b33
2026-04-21T12:18:16.700597265Z (160583) Message-Authenticator = 0xfcfe60b7a8bfebd25e80229ff548e6d5
2026-04-21T12:18:16.700601295Z (160583) Proxy-State = 0x35
2026-04-21T12:18:16.700605285Z (160583) session-state: Restoring attributes for server radius-tls
2026-04-21T12:18:16.700614275Z (160583) &session-state:Framed-MTU = 994
2026-04-21T12:18:16.700619135Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.3 Handshake, ClientHello"
2026-04-21T12:18:16.700623035Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHello"
2026-04-21T12:18:16.700627075Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Certificate"
2026-04-21T12:18:16.700631175Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerKeyExchange"
2026-04-21T12:18:16.700635725Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, ServerHelloDone"
2026-04-21T12:18:16.700639305Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, ClientKeyExchange"
2026-04-21T12:18:16.700643555Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - recv TLS 1.2 Handshake, Finished"
2026-04-21T12:18:16.700648275Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 ChangeCipherSpec"
2026-04-21T12:18:16.700652616Z (160583) &session-state:TLS-Session-Information = "(TLS) TTLS - send TLS 1.2 Handshake, Finished"
2026-04-21T12:18:16.700656976Z (160583) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
2026-04-21T12:18:16.700661026Z (160583) &session-state:TLS-Session-Version = "TLS 1.2"
2026-04-21T12:18:16.700665176Z (160583) # Executing section authorize from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.700669346Z (160583) authorize {
2026-04-21T12:18:16.700673916Z (160583) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.700678356Z (160583) if (!"%{request:Extreme-Eduroam-AuthnOnly}") -> TRUE
2026-04-21T12:18:16.700682476Z (160583) if (!"%{request:Extreme-Eduroam-AuthnOnly}") {
2026-04-21T12:18:16.700687056Z (160583) update request {
2026-04-21T12:18:16.700691106Z (160583) Extreme-Eduroam-AuthnOnly := "false"
2026-04-21T12:18:16.700706936Z (160583) } # update request = noop
2026-04-21T12:18:16.700711097Z (160583) } # if (!"%{request:Extreme-Eduroam-AuthnOnly}") = noop
2026-04-21T12:18:16.700714927Z (160583) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") {
2026-04-21T12:18:16.700722907Z (160583) EXPAND %{listen:TLS-Client-Cert-Common-Name}
2026-04-21T12:18:16.700727197Z (160583) --> 1343-0-5768143211848
2026-04-21T12:18:16.700731197Z (160583) if ("%{listen:TLS-Client-Cert-Common-Name}" == "idm-freeradius") -> FALSE
2026-04-21T12:18:16.700735027Z (160583) else {
2026-04-21T12:18:16.700738807Z (160583) update request {
2026-04-21T12:18:16.700742957Z (160583) EXPAND %{%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}:-%{listen:TLS-Client-Cert-Common-Name}}
2026-04-21T12:18:16.700747137Z (160583) --> 1343-0-5768143211848
2026-04-21T12:18:16.700751177Z (160583) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.700755307Z (160583) Request-Origin := "freeradius"
2026-04-21T12:18:16.700764708Z (160583) } # update request = noop
2026-04-21T12:18:16.700769058Z (160583) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.700773198Z (160583) EXPAND %{Extreme-VSA-RsCert}
2026-04-21T12:18:16.700777358Z (160583) --> 1343-0-5768143211848
2026-04-21T12:18:16.700781248Z (160583) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) -> TRUE
2026-04-21T12:18:16.700785588Z (160583) if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) {
2026-04-21T12:18:16.700789638Z (160583) update request {
2026-04-21T12:18:16.700793548Z (160583) EXPAND %{1}-%{2}
2026-04-21T12:18:16.700797808Z (160583) --> 1343-0
2026-04-21T12:18:16.700801888Z (160583) Owner-Org-Id := 1343-0
2026-04-21T12:18:16.700806668Z (160583) } # update request = noop
2026-04-21T12:18:16.700810208Z (160583) } # if ("%{Extreme-VSA-RsCert}" =~ /^([^\-]+)-([^\-]+)/) = noop
2026-04-21T12:18:16.700813218Z (160583) if (&EAP-Message) {
2026-04-21T12:18:16.700816558Z (160583) if (&EAP-Message) -> TRUE
2026-04-21T12:18:16.700820269Z (160583) if (&EAP-Message) {
2026-04-21T12:18:16.700823798Z (160583) update control {
2026-04-21T12:18:16.700827299Z (160583) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/cert.pem
2026-04-21T12:18:16.700830669Z (160583) --> /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.700834289Z (160583) TLS-Session-Cert-File := /etc/freeradius/fr-certs/realm/1343-0/cert.pem
2026-04-21T12:18:16.700837579Z (160583) EXPAND /etc/freeradius/fr-certs/realm/%{Owner-Org-Id}/server.key
2026-04-21T12:18:16.700840849Z (160583) --> /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.700844569Z (160583) TLS-Session-Cert-Private-Key-File := /etc/freeradius/fr-certs/realm/1343-0/server.key
2026-04-21T12:18:16.700848229Z (160583) } # update control = noop
2026-04-21T12:18:16.700851509Z (160583) eap: Peer sent EAP Response (code 2) ID 150 length 91
2026-04-21T12:18:16.700854669Z (160583) eap: Continuing tunnel setup
2026-04-21T12:18:16.700876259Z (160583) [eap] = ok
2026-04-21T12:18:16.700880090Z (160583) } # if (&EAP-Message) = ok
2026-04-21T12:18:16.700883350Z (160583) ... skipping else: Preceding "if" was taken
2026-04-21T12:18:16.700886440Z (160583) } # else = ok
2026-04-21T12:18:16.700889660Z (160583) } # authorize = ok
2026-04-21T12:18:16.700893290Z (160583) Found Auth-Type = EAP
2026-04-21T12:18:16.700899000Z (160583) # Executing group from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:16.700901190Z (160583) Auth-Type EAP {
2026-04-21T12:18:16.700903230Z (160583) eap: Removing EAP session with state 0xab5c08bdafca1dee
2026-04-21T12:18:16.700905270Z (160583) eap: Previous EAP request found for state 0xab5c08bdafca1dee, released from the list
2026-04-21T12:18:16.700907570Z (160583) eap: Peer sent packet with method EAP TTLS (21)
2026-04-21T12:18:16.700909630Z (160583) eap: Calling submodule eap_ttls to process data
2026-04-21T12:18:16.700911700Z (160583) eap_ttls: Authenticate
2026-04-21T12:18:16.700914740Z (160583) eap_ttls: (TLS) EAP Done initial handshake
2026-04-21T12:18:16.700931180Z (160583) eap_ttls: Session established. Proceeding to decode tunneled attributes
2026-04-21T12:18:16.700935260Z (160583) eap_ttls: Got tunneled request
2026-04-21T12:18:16.700938911Z (160583) eap_ttls: User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.700942421Z (160583) eap_ttls: User-Password = <<< secret >>>
2026-04-21T12:18:16.700946101Z (160583) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:16.700953141Z (160583) eap_ttls: Sending tunneled request
2026-04-21T12:18:16.700956631Z (160583) Virtual server my-inner-tunnel received request
2026-04-21T12:18:16.700959991Z (160583) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:16.700963211Z (160583) User-Password = <<< secret >>>
2026-04-21T12:18:16.700966551Z (160583) FreeRADIUS-Proxied-To = 127.0.0.1
2026-04-21T12:18:16.700969641Z (160583) NAS-IP-Address = 127.0.0.1
2026-04-21T12:18:16.700972711Z (160583) Calling-Station-Id = "02-5F-84-2B-4E-59"
2026-04-21T12:18:16.700976091Z (160583) Framed-MTU = 1400
2026-04-21T12:18:16.700979611Z (160583) NAS-Port-Type = Wireless-802.11
2026-04-21T12:18:16.700982251Z (160583) Service-Type = Framed-User
2026-04-21T12:18:16.700984401Z (160583) Connect-Info = "CONNECT 11Mbps 802.11b"
2026-04-21T12:18:16.700986511Z (160583) Extreme-Eduroam-AuthnOnly = "false"
2026-04-21T12:18:16.700988551Z (160583) WARNING: Outer and inner identities are the same. User privacy is compromised.
2026-04-21T12:18:16.700990601Z (160583) server my-inner-tunnel {
2026-04-21T12:18:16.700992721Z (160583) # Executing section authorize from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:16.700994852Z (160583) authorize {
2026-04-21T12:18:16.700996881Z (160583) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:16.700998932Z (160583) if (&User-Password && !&EAP-Message) -> TRUE
2026-04-21T12:18:16.701001232Z (160583) if (&User-Password && !&EAP-Message) {
2026-04-21T12:18:16.701003262Z (160583) update outer.request {
2026-04-21T12:18:16.701005282Z (160583) &Tmp-String-8 := "TTLS-PAP"
2026-04-21T12:18:16.701007312Z (160583) } # update outer.request = noop
2026-04-21T12:18:16.701009332Z (160583) } # if (&User-Password && !&EAP-Message) = noop
2026-04-21T12:18:16.701011342Z (160583) update request {
2026-04-21T12:18:16.701013342Z (160583) Auth-Endpoint := "auth"
2026-04-21T12:18:16.701015362Z (160583) EAP-Auth-Type := "EAP-TTLS"
2026-04-21T12:18:16.701017372Z (160583) EXPAND %{outer.Extreme-VSA-RsCert}
2026-04-21T12:18:16.701019382Z (160583) --> 1343-0-5768143211848
2026-04-21T12:18:16.701043262Z (160583) Extreme-VSA-RsCert := 1343-0-5768143211848
2026-04-21T12:18:16.701050353Z (160583) EXPAND %{outer.Request-Origin}
2026-04-21T12:18:16.701053842Z (160583) --> freeradius
2026-04-21T12:18:16.701069273Z (160583) Request-Origin := freeradius
2026-04-21T12:18:16.701073063Z (160583) EXPAND %{outer.Extreme-Eduroam-AuthnOnly}
2026-04-21T12:18:16.701075813Z (160583) --> false
2026-04-21T12:18:16.701077823Z (160583) Extreme-Eduroam-AuthnOnly := false
2026-04-21T12:18:16.701080763Z (160583) } # update request = noop
2026-04-21T12:18:16.701084113Z (160583) update control {
2026-04-21T12:18:16.701087533Z (160583) &REST-HTTP-Header += "api-secret: ZnJlZXJhZGl1czpkZGE0YTI3NDUxMGRmZTA4NTY0ODAyYzYwMmZkYWI1Nwo="
2026-04-21T12:18:16.701090813Z (160583) Auth-Type = rest
2026-04-21T12:18:16.701094293Z (160583) } # update control = noop
2026-04-21T12:18:16.701097813Z (160583) } # authorize = noop
2026-04-21T12:18:16.701109394Z (160583) Found Auth-Type = rest
2026-04-21T12:18:16.701112794Z (160583) # Executing group from file /etc/freeradius/sites-enabled/my-inner-tunnel
2026-04-21T12:18:16.701115874Z (160583) Auth-Type REST {
2026-04-21T12:18:16.701119114Z rlm_rest (rest): Reserved connection (185)
2026-04-21T12:18:16.701122294Z (160583) rest: Expanding URI components
2026-04-21T12:18:16.701130404Z (160583) rest: EXPAND http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:16.701134244Z (160583) rest: --> http://craas-auth.craas-core.svc.cluster.local:8006
2026-04-21T12:18:16.701137554Z (160583) rest: EXPAND /auth
2026-04-21T12:18:16.701140884Z (160583) rest: --> /auth
2026-04-21T12:18:16.701144454Z (160583) rest: Sending HTTP POST to "http://craas-auth.craas-core.svc.cluster.local:8006/auth"
2026-04-21T12:18:16.701157684Z (160583) rest: EXPAND {"User-Name": "%{User-Name}","User-Password": "%{User-Password}","NAS-Identifier": "%{NAS-Identifier}","NAS-Port-Type": "%{NAS-Port-Type}","NAS-IP-Address": "%{NAS-IP-Address}","NAS-Port": "%{NAS-Port}","NAS-Port-Id": "%{NAS-Port-Id}","Called-Station-Id": "%{Called-Station-Id}","Calling-Station-Id": "%{Calling-Station-Id}","tenant-id": "%{Extreme-VSA-RsCert}","EAP-Auth-Type": "%{EAP-Auth-Type}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","EAP-Message": "%{EAP-Message}","TLS-Client-Cert-Serial": "%{TLS-Client-Cert-Serial}","TLS-Client-Cert-Expiration": "%{TLS-Client-Cert-Expiration}","TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}","TLS-Client-Cert-Subject": "%{TLS-Client-Cert-Subject}","TLS-Client-Cert-Common-Name": "%{TLS-Client-Cert-Common-Name}","TLS-Client-Cert-Filename": "%{TLS-Client-Cert-Filename}","TLS-Client-Cert-Subject-Alt-Name-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","TLS-Client-Cert-X509v3-Extended-Key-Usage": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage}","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "%{TLS-Client-Cert-X509v3-Subject-Key-Identifier}","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "%{TLS-Client-Cert-X509v3-Authority-Key-Identifier}","TLS-Client-Cert-X509v3-Basic-Constraints": "%{TLS-Client-Cert-X509v3-Basic-Constraints}","TLS-Client-Cert-Subject-Alt-Name-Dns": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","TLS-Client-Cert-Subject-Alt-Name-Upn": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "%{TLS-Client-Cert-X509v3-Extended-Key-Usage-OID}","TLS-Client-Cert-Valid-Since": "%{TLS-Client-Cert-Valid-Since}","TLS-Client-Cert-X509v3-Certificate-Policies": "%{TLS-Client-Cert-X509v3-Certificate-Policies}","Subject-Distinguished-Name": "%{TLS-Client-Cert-Subject}","SAN-DNS-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Dns}","SAN-User-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Upn}","SAN-Service-Principal-Name": "%{TLS-Client-Cert-Subject-Alt-Name-Spn}","SAN-Email": "%{TLS-Client-Cert-Subject-Alt-Name-Email}","Request-Origin": "%{Request-Origin}","AuthnOnly": %{Extreme-Eduroam-AuthnOnly}, "TLS-Cert-Serial": "%{TLS-Cert-Serial}", "TLS-Client-Cert-Issuer": "%{TLS-Client-Cert-Issuer}"},
2026-04-21T12:18:16.701161294Z (160583) rest: --> {"User-Name": "direct-tunnel at gmail.com","User-Password": "Emumba at 123","NAS-Identifier": "","NAS-Port-Type": "Wireless-802.11","NAS-IP-Address": "127.0.0.1","NAS-Port": "","NAS-Port-Id": "","Called-Station-Id": "","Calling-Station-Id": "02-5F-84-2B-4E-59","tenant-id": "1343-0-5768143211848","EAP-Auth-Type": "EAP-TTLS","TLS-Client-Cert-Common-Name": "","EAP-Message": "","TLS-Client-Cert-Serial": "","TLS-Client-Cert-Expiration": "","TLS-Client-Cert-Issuer": "","TLS-Client-Cert-Subject": "","TLS-Client-Cert-Common-Name": "","TLS-Client-Cert-Filename": "","TLS-Client-Cert-Subject-Alt-Name-Email": "","TLS-Client-Cert-X509v3-Extended-Key-Usage": "","TLS-Client-Cert-X509v3-Subject-Key-Identifier": "","TLS-Client-Cert-X509v3-Authority-Key-Identifier": "","TLS-Client-Cert-X509v3-Basic-Constraints": "","TLS-Client-Cert-Subject-Alt-Name-Dns": "","TLS-Client-Cert-Subject-Alt-Name-Upn": "","TLS-Client-Cert-X509v3-Extended-Key-Usage-OID": "","TLS-Client-Cert-Valid-Since": "","TLS-Client-Cert-X509v3-Certificate-Policies": "","Subject-Distinguished-Name": "","SAN-DNS-Name": "","SAN-User-Principal-Name": "","SAN-Service-Principal-Name": "","SAN-Email": "","Request-Origin": "freeradius","AuthnOnly": false, "TLS-Cert-Serial": "", "TLS-Client-Cert-Issuer": ""},
2026-04-21T12:18:16.701658673Z (160583) rest: Processing response header
2026-04-21T12:18:16.701664383Z (160583) rest: Status : 100 (Continue)
2026-04-21T12:18:16.701667743Z (160583) rest: Continuing...
2026-04-21T12:18:16.772482875Z ... new connection request on TCP socket
2026-04-21T12:18:16.772513166Z Listening on auth+acct from client (3.120.27.78, 42739) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.772519126Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.120.27.78, 42739) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.772532246Z ... shutting down socket auth+acct from client (3.120.27.78, 42739) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.772542326Z ... cleaning up socket auth+acct from client (3.120.27.78, 42739) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.786861364Z (160534) Cleaning up request packet ID 152 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.786875094Z (160535) Cleaning up request packet ID 233 with timestamp +4277 due to cleanup_delay was reached
2026-04-21T12:18:16.786997916Z ... new connection request on TCP socket
2026-04-21T12:18:16.787005016Z Listening on auth+acct from client (63.179.94.3, 60041) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.787010076Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.94.3, 60041) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.787067137Z ... shutting down socket auth+acct from client (63.179.94.3, 60041) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.787072957Z ... cleaning up socket auth+acct from client (63.179.94.3, 60041) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.813819079Z Waking up in 0.1 seconds.
2026-04-21T12:18:16.840046361Z ... new connection request on TCP socket
2026-04-21T12:18:16.840059751Z Listening on auth+acct from client (3.75.86.120, 55237) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.840065321Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.75.86.120, 55237) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.840068421Z ... shutting down socket auth+acct from client (3.75.86.120, 55237) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.840074111Z ... cleaning up socket auth+acct from client (3.75.86.120, 55237) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.871172909Z ... new connection request on TCP socket
2026-04-21T12:18:16.871191019Z Listening on auth+acct from client (3.74.47.11, 48437) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.871196619Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.74.47.11, 48437) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.871250040Z ... shutting down socket auth+acct from client (3.74.47.11, 48437) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.871256150Z ... cleaning up socket auth+acct from client (3.74.47.11, 48437) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.898347117Z ... new connection request on TCP socket
2026-04-21T12:18:16.898366097Z Listening on auth+acct from client (10.60.43.16, 50498) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.898370147Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (10.60.43.16, 50498) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.898373717Z ... shutting down socket auth+acct from client (10.60.43.16, 50498) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.898376967Z ... cleaning up socket auth+acct from client (10.60.43.16, 50498) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.921007839Z Waking up in 0.1 seconds.
2026-04-21T12:18:16.957806564Z ... new connection request on TCP socket
2026-04-21T12:18:16.957824145Z Listening on auth+acct from client (52.28.53.239, 54389) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.957829825Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (52.28.53.239, 54389) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:16.957855595Z ... shutting down socket auth+acct from client (52.28.53.239, 54389) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:16.957863175Z ... cleaning up socket auth+acct from client (52.28.53.239, 54389) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.027258673Z ... new connection request on TCP socket
2026-04-21T12:18:17.027282043Z Listening on auth+acct from client (3.122.55.124, 46905) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.027287353Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.122.55.124, 46905) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.027291853Z ... shutting down socket auth+acct from client (3.122.55.124, 46905) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.027295624Z ... cleaning up socket auth+acct from client (3.122.55.124, 46905) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.034004309Z Waking up in 0.4 seconds.
2026-04-21T12:18:17.057752449Z (160583) rest: Processing response header
2026-04-21T12:18:17.057765249Z (160583) rest: Status : 200 (OK)
2026-04-21T12:18:17.057769279Z (160583) rest: Type : json (application/json)
2026-04-21T12:18:17.057772549Z (160583) rest: Adding reply:REST-HTTP-Status-Code = "200"
2026-04-21T12:18:17.057780299Z (160583) rest: Parsing attribute "Session-Timeout"
2026-04-21T12:18:17.057784029Z (160583) rest: EXPAND 3600
2026-04-21T12:18:17.057787059Z (160583) rest: --> 3600
2026-04-21T12:18:17.057819099Z (160583) rest: Session-Timeout = 3600
2026-04-21T12:18:17.057822900Z (160583) rest: Parsing attribute "Termination-Action"
2026-04-21T12:18:17.057826710Z (160583) rest: EXPAND 1
2026-04-21T12:18:17.057830080Z (160583) rest: --> 1
2026-04-21T12:18:17.057833060Z (160583) rest: Termination-Action = RADIUS-Request
2026-04-21T12:18:17.057871680Z rlm_rest (rest): Released connection (185)
2026-04-21T12:18:17.057906831Z rlm_rest (rest): Closing connection (186) - Too many unused connections.
2026-04-21T12:18:17.058019703Z (160583) [rest] = updated
2026-04-21T12:18:17.058027013Z (160583) if (updated) {
2026-04-21T12:18:17.058030483Z (160583) if (updated) -> TRUE
2026-04-21T12:18:17.058033153Z (160583) if (updated) {
2026-04-21T12:18:17.058036963Z (160583) [ok] = ok
2026-04-21T12:18:17.058041423Z (160583) } # if (updated) = ok
2026-04-21T12:18:17.058058714Z (160583) } # Auth-Type REST = ok
2026-04-21T12:18:17.058064394Z (160583) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-5F-84-2B-4E-59 via TLS tunnel)
2026-04-21T12:18:17.058067604Z (160583) } # server my-inner-tunnel
2026-04-21T12:18:17.058072184Z (160583) Virtual server sending reply
2026-04-21T12:18:17.058076594Z (160583) REST-HTTP-Status-Code = 200
2026-04-21T12:18:17.058080614Z (160583) Session-Timeout = 3600
2026-04-21T12:18:17.058084914Z (160583) Termination-Action = RADIUS-Request
2026-04-21T12:18:17.058089194Z (160583) eap_ttls: Got tunneled Access-Accept
2026-04-21T12:18:17.058143005Z (160583) eap: Sending EAP Success (code 3) ID 150 length 4
2026-04-21T12:18:17.058220906Z (160583) eap: Freeing handler
2026-04-21T12:18:17.058312078Z (160583) [eap] = ok
2026-04-21T12:18:17.058320378Z (160583) } # Auth-Type EAP = ok
2026-04-21T12:18:17.058334168Z (160583) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
2026-04-21T12:18:17.058357559Z (160583) session-state: Discarding attributes for server radius-tls
2026-04-21T12:18:17.058363199Z (160583) Login OK: [direct-tunnel at gmail.com] (from client everyone port 0 cli 02-5F-84-2B-4E-59)
2026-04-21T12:18:17.058367579Z (160583) Sent Access-Accept Id 94 from 0.0.0.0:2083 to 35.156.117.38:59521 length 200
2026-04-21T12:18:17.058371609Z (160583) Session-Timeout = 3600
2026-04-21T12:18:17.058375889Z (160583) Termination-Action = RADIUS-Request
2026-04-21T12:18:17.058379869Z (160583) MS-MPPE-Recv-Key = <<< secret >>>
2026-04-21T12:18:17.058383999Z (160583) MS-MPPE-Send-Key = <<< secret >>>
2026-04-21T12:18:17.058388499Z (160583) EAP-Message = 0x03960004
2026-04-21T12:18:17.058392760Z (160583) Message-Authenticator = 0x00000000000000000000000000000000
2026-04-21T12:18:17.058410500Z (160583) User-Name = "direct-tunnel at gmail.com"
2026-04-21T12:18:17.058415960Z (160583) Proxy-State = 0x35
2026-04-21T12:18:17.058423010Z (160583) Finished request
2026-04-21T12:18:17.058425790Z Thread 581 waiting to be assigned a request
2026-04-21T12:18:17.192687248Z ... new connection request on TCP socket
2026-04-21T12:18:17.192716579Z Listening on auth+acct from client (52.59.205.163, 47275) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.192722599Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (52.59.205.163, 47275) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.192779020Z ... shutting down socket auth+acct from client (52.59.205.163, 47275) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.192787070Z ... cleaning up socket auth+acct from client (52.59.205.163, 47275) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.192793250Z Waking up in 0.3 seconds.
2026-04-21T12:18:17.199266612Z ... new connection request on TCP socket
2026-04-21T12:18:17.199277342Z Listening on auth+acct from client (3.127.151.249, 47831) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.199282262Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.127.151.249, 47831) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.199286302Z ... shutting down socket auth+acct from client (3.127.151.249, 47831) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.199289622Z ... cleaning up socket auth+acct from client (3.127.151.249, 47831) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.199293792Z Waking up in 0.3 seconds.
2026-04-21T12:18:17.214570125Z ... new connection request on TCP socket
2026-04-21T12:18:17.214588556Z Listening on auth+acct from client (63.179.243.227, 46789) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.214593906Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.243.227, 46789) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.214612606Z ... shutting down socket auth+acct from client (63.179.243.227, 46789) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.214618086Z ... cleaning up socket auth+acct from client (63.179.243.227, 46789) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.214622646Z Waking up in 0.3 seconds.
2026-04-21T12:18:17.265008776Z ... new connection request on TCP socket
2026-04-21T12:18:17.265038587Z Listening on auth+acct from client (3.79.32.150, 52871) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.265045627Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.79.32.150, 52871) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.265065927Z ... shutting down socket auth+acct from client (3.79.32.150, 52871) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.265070857Z ... cleaning up socket auth+acct from client (3.79.32.150, 52871) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.265075307Z Waking up in 0.2 seconds.
2026-04-21T12:18:17.349494593Z ... new connection request on TCP socket
2026-04-21T12:18:17.349532974Z Listening on auth+acct from client (63.179.103.166, 47719) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.349537504Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.103.166, 47719) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.349558865Z ... shutting down socket auth+acct from client (63.179.103.166, 47719) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.349562365Z ... cleaning up socket auth+acct from client (63.179.103.166, 47719) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.349567085Z Waking up in 0.1 seconds.
2026-04-21T12:18:17.364803639Z ... new connection request on TCP socket
2026-04-21T12:18:17.364825359Z Listening on auth+acct from client (3.72.77.217, 43605) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.364844219Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.72.77.217, 43605) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.364911101Z ... shutting down socket auth+acct from client (3.72.77.217, 43605) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.364917801Z ... cleaning up socket auth+acct from client (3.72.77.217, 43605) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.364922561Z Waking up in 0.1 seconds.
2026-04-21T12:18:17.483555858Z ... new connection request on TCP socket
2026-04-21T12:18:17.483585819Z Listening on auth+acct from client (3.73.38.7, 43045) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.483590189Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.73.38.7, 43045) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.483600609Z ... shutting down socket auth+acct from client (3.73.38.7, 43045) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.483603479Z ... cleaning up socket auth+acct from client (3.73.38.7, 43045) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.495144808Z ... new connection request on TCP socket
2026-04-21T12:18:17.495179419Z Listening on auth+acct from client (3.122.248.42, 38307) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.495184869Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.122.248.42, 38307) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.495206959Z ... shutting down socket auth+acct from client (3.122.248.42, 38307) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.495212729Z ... cleaning up socket auth+acct from client (3.122.248.42, 38307) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.534269794Z Waking up in 1.1 seconds.
2026-04-21T12:18:17.714091227Z ... new connection request on TCP socket
2026-04-21T12:18:17.714119767Z Listening on auth+acct from client (63.179.145.12, 58173) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.714126078Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.145.12, 58173) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.714139848Z ... shutting down socket auth+acct from client (63.179.145.12, 58173) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.714144688Z ... cleaning up socket auth+acct from client (63.179.145.12, 58173) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.714158518Z Waking up in 0.9 seconds.
2026-04-21T12:18:17.773952170Z ... new connection request on TCP socket
2026-04-21T12:18:17.773971451Z Listening on auth+acct from client (3.124.5.60, 53881) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.773976691Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.124.5.60, 53881) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.774013201Z ... shutting down socket auth+acct from client (3.124.5.60, 53881) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.774018501Z ... cleaning up socket auth+acct from client (3.124.5.60, 53881) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.774023051Z Waking up in 0.8 seconds.
2026-04-21T12:18:17.884971276Z ... new connection request on TCP socket
2026-04-21T12:18:17.884996547Z Listening on auth+acct from client (18.184.60.105, 55153) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.885002087Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.184.60.105, 55153) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.885015227Z ... shutting down socket auth+acct from client (18.184.60.105, 55153) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.885020917Z ... cleaning up socket auth+acct from client (18.184.60.105, 55153) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.885025387Z Waking up in 0.7 seconds.
2026-04-21T12:18:17.985908958Z ... new connection request on TCP socket
2026-04-21T12:18:17.985945329Z Listening on auth+acct from client (18.194.45.137, 49833) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.985955549Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.194.45.137, 49833) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:17.986039741Z ... shutting down socket auth+acct from client (18.194.45.137, 49833) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.986050661Z ... cleaning up socket auth+acct from client (18.194.45.137, 49833) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:17.986056241Z Waking up in 0.6 seconds.
2026-04-21T12:18:18.066345857Z ... new connection request on TCP socket
2026-04-21T12:18:18.066375207Z Listening on auth+acct from client (35.157.179.215, 39049) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.066380297Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (35.157.179.215, 39049) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.066391678Z ... shutting down socket auth+acct from client (35.157.179.215, 39049) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.066395518Z ... cleaning up socket auth+acct from client (35.157.179.215, 39049) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.066399968Z Waking up in 0.5 seconds.
2026-04-21T12:18:18.129022488Z ... new connection request on TCP socket
2026-04-21T12:18:18.129043219Z Listening on auth+acct from client (54.93.67.36, 59103) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.129047399Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (54.93.67.36, 59103) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.129064399Z ... shutting down socket auth+acct from client (54.93.67.36, 59103) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.129073719Z ... cleaning up socket auth+acct from client (54.93.67.36, 59103) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.129079349Z Waking up in 0.5 seconds.
2026-04-21T12:18:18.135228996Z ... new connection request on TCP socket
2026-04-21T12:18:18.135242926Z Listening on auth+acct from client (3.69.156.165, 51063) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.135255807Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.69.156.165, 51063) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.135299117Z ... shutting down socket auth+acct from client (3.69.156.165, 51063) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.135325248Z ... cleaning up socket auth+acct from client (3.69.156.165, 51063) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.135329818Z Waking up in 0.5 seconds.
2026-04-21T12:18:18.137988354Z ... new connection request on TCP socket
2026-04-21T12:18:18.137995604Z Listening on auth+acct from client (3.121.186.248, 52007) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.138006104Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.121.186.248, 52007) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.138019804Z ... shutting down socket auth+acct from client (3.121.186.248, 52007) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.138037755Z ... cleaning up socket auth+acct from client (3.121.186.248, 52007) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.138042315Z Waking up in 0.5 seconds.
2026-04-21T12:18:18.141162149Z ... new connection request on TCP socket
2026-04-21T12:18:18.141175769Z Listening on auth+acct from client (18.196.112.74, 59377) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.141181059Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.196.112.74, 59377) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.141245940Z ... shutting down socket auth+acct from client (18.196.112.74, 59377) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.141252191Z ... cleaning up socket auth+acct from client (18.196.112.74, 59377) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.141257191Z Waking up in 0.4 seconds.
2026-04-21T12:18:18.231508237Z ... new connection request on TCP socket
2026-04-21T12:18:18.231535538Z Listening on auth+acct from client (63.177.104.26, 43179) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.231541628Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.177.104.26, 43179) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.231608459Z ... shutting down socket auth+acct from client (63.177.104.26, 43179) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.231617559Z ... cleaning up socket auth+acct from client (63.177.104.26, 43179) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.231622379Z Waking up in 0.4 seconds.
2026-04-21T12:18:18.414556597Z ... new connection request on TCP socket
2026-04-21T12:18:18.414585317Z Listening on auth+acct from client (3.78.182.68, 48221) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.414590768Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.78.182.68, 48221) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.414604728Z ... shutting down socket auth+acct from client (3.78.182.68, 48221) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.414608888Z ... cleaning up socket auth+acct from client (3.78.182.68, 48221) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.414613188Z Waking up in 0.2 seconds.
2026-04-21T12:18:18.430506093Z ... new connection request on TCP socket
2026-04-21T12:18:18.430533633Z Listening on auth+acct from client (63.179.140.66, 53803) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.430542233Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.179.140.66, 53803) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.430572114Z ... shutting down socket auth+acct from client (63.179.140.66, 53803) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.430575924Z ... cleaning up socket auth+acct from client (63.179.140.66, 53803) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.430578774Z Waking up in 0.2 seconds.
2026-04-21T12:18:18.444827150Z ... new connection request on TCP socket
2026-04-21T12:18:18.444847990Z Listening on auth+acct from client (3.75.135.230, 56013) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.444852390Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.75.135.230, 56013) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.445063364Z ... shutting down socket auth+acct from client (3.75.135.230, 56013) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.445069954Z ... cleaning up socket auth+acct from client (3.75.135.230, 56013) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.445073824Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.446873085Z ... new connection request on TCP socket
2026-04-21T12:18:18.446881955Z Listening on auth+acct from client (18.185.101.152, 33503) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.446885885Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.185.101.152, 33503) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.446889065Z ... shutting down socket auth+acct from client (18.185.101.152, 33503) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.446892015Z ... cleaning up socket auth+acct from client (18.185.101.152, 33503) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.446895185Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.455463843Z ... new connection request on TCP socket
2026-04-21T12:18:18.455481893Z Listening on auth+acct from client (18.196.251.128, 48533) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.455487123Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.196.251.128, 48533) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.455502254Z ... shutting down socket auth+acct from client (18.196.251.128, 48533) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.455506154Z ... cleaning up socket auth+acct from client (18.196.251.128, 48533) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.455510034Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.621777344Z ... new connection request on TCP socket
2026-04-21T12:18:18.621807544Z Listening on auth+acct from client (3.122.254.83, 53157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.621813164Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.122.254.83, 53157) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.621825284Z ... shutting down socket auth+acct from client (3.122.254.83, 53157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.621829284Z ... cleaning up socket auth+acct from client (3.122.254.83, 53157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.638331469Z (160536) Cleaning up request packet ID 120 with timestamp +4279 due to cleanup_delay was reached
2026-04-21T12:18:18.638355249Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.743960362Z (160537) Cleaning up request packet ID 209 with timestamp +4279 due to cleanup_delay was reached
2026-04-21T12:18:18.743979502Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.791463312Z ... new connection request on TCP socket
2026-04-21T12:18:18.791496133Z Listening on auth+acct from client (3.121.231.62, 41733) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.791506543Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.121.231.62, 41733) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.791723006Z ... shutting down socket auth+acct from client (3.121.231.62, 41733) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.791737247Z ... cleaning up socket auth+acct from client (3.121.231.62, 41733) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.826533878Z ... new connection request on TCP socket
2026-04-21T12:18:18.826548598Z Listening on auth+acct from client (3.66.219.230, 39523) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.826554088Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.66.219.230, 39523) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.826569018Z ... shutting down socket auth+acct from client (3.66.219.230, 39523) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.826574599Z ... cleaning up socket auth+acct from client (3.66.219.230, 39523) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.848020688Z (160538) Cleaning up request packet ID 188 with timestamp +4279 due to cleanup_delay was reached
2026-04-21T12:18:18.848034458Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.858093862Z ... new connection request on TCP socket
2026-04-21T12:18:18.858107272Z Listening on auth+acct from client (3.126.59.104, 46125) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.858111972Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.126.59.104, 46125) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.858158123Z ... shutting down socket auth+acct from client (3.126.59.104, 46125) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.858163573Z ... cleaning up socket auth+acct from client (3.126.59.104, 46125) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.952159926Z (160539) Cleaning up request packet ID 31 with timestamp +4279 due to cleanup_delay was reached
2026-04-21T12:18:18.952183186Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.963730465Z ... new connection request on TCP socket
2026-04-21T12:18:18.963744365Z Listening on auth+acct from client (18.197.129.36, 52861) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.963747975Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (18.197.129.36, 52861) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.963798556Z ... shutting down socket auth+acct from client (18.197.129.36, 52861) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.963804396Z ... cleaning up socket auth+acct from client (18.197.129.36, 52861) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.963809396Z Waking up in 0.1 seconds.
2026-04-21T12:18:18.998360443Z ... new connection request on TCP socket
2026-04-21T12:18:18.998375924Z Listening on auth+acct from client (3.75.199.253, 59399) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.998380834Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.75.199.253, 59399) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:18.998447085Z ... shutting down socket auth+acct from client (3.75.199.253, 59399) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:18.998455825Z ... cleaning up socket auth+acct from client (3.75.199.253, 59399) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.052928945Z ... new connection request on TCP socket
2026-04-21T12:18:19.052955916Z Listening on auth+acct from client (63.177.94.198, 60157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.052960736Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (63.177.94.198, 60157) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:19.052978876Z ... shutting down socket auth+acct from client (63.177.94.198, 60157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.052982916Z ... cleaning up socket auth+acct from client (63.177.94.198, 60157) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.069200156Z (160540) Cleaning up request packet ID 61 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.069211386Z Waking up in 0.1 seconds.
2026-04-21T12:18:19.115475334Z ... new connection request on TCP socket
2026-04-21T12:18:19.115497435Z Listening on auth+acct from client (52.59.190.255, 45779) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.115503085Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (52.59.190.255, 45779) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:19.115560276Z ... shutting down socket auth+acct from client (52.59.190.255, 45779) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.115567376Z ... cleaning up socket auth+acct from client (52.59.190.255, 45779) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.115570836Z Waking up in 0.1 seconds.
2026-04-21T12:18:19.130487293Z ... new connection request on TCP socket
2026-04-21T12:18:19.130499933Z Listening on auth+acct from client (3.122.226.6, 36775) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.130504733Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.122.226.6, 36775) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:19.130520694Z ... shutting down socket auth+acct from client (3.122.226.6, 36775) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.130525344Z ... cleaning up socket auth+acct from client (3.122.226.6, 36775) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.130546814Z Waking up in 0.1 seconds.
2026-04-21T12:18:19.201511359Z ... new connection request on TCP socket
2026-04-21T12:18:19.201530679Z Listening on auth+acct from client (3.74.149.209, 46457) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.201535689Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (3.74.149.209, 46457) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:19.201563530Z ... shutting down socket auth+acct from client (3.74.149.209, 46457) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.201570000Z ... cleaning up socket auth+acct from client (3.74.149.209, 46457) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:19.253025708Z (160542) Cleaning up request packet ID 133 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.253272362Z (160543) Cleaning up request packet ID 26 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.256066040Z (160544) Cleaning up request packet ID 25 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.256073991Z Waking up in 0.1 seconds.
2026-04-21T12:18:19.358107743Z (160545) Cleaning up request packet ID 110 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.358405458Z (160546) Cleaning up request packet ID 60 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.362601610Z (160547) Cleaning up request packet ID 31 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.461624300Z (160548) Cleaning up request packet ID 21 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.461802803Z (160549) Cleaning up request packet ID 156 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.467562152Z (160550) Cleaning up request packet ID 46 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.566549951Z (160551) Cleaning up request packet ID 150 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.566580601Z (160552) Cleaning up request packet ID 2 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.572698997Z (160553) Cleaning up request packet ID 249 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.572714627Z Waking up in 0.1 seconds.
2026-04-21T12:18:19.680580809Z (160554) Cleaning up request packet ID 106 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.683393327Z (160541) Cleaning up request packet ID 94 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.686387639Z (160555) Cleaning up request packet ID 191 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.693591983Z (160556) Cleaning up request packet ID 21 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.693605633Z Waking up in 0.2 seconds.
2026-04-21T12:18:19.955142619Z (160560) Cleaning up request packet ID 32 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.955667498Z (160561) Cleaning up request packet ID 170 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.955674348Z (160562) Cleaning up request packet ID 125 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:19.955714698Z Waking up in 0.1 seconds.
2026-04-21T12:18:20.058857259Z (160563) Cleaning up request packet ID 76 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.059369388Z (160564) Cleaning up request packet ID 183 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.059546861Z (160565) Cleaning up request packet ID 247 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.059623662Z Waking up in 0.1 seconds.
2026-04-21T12:18:20.160474671Z (160566) Cleaning up request packet ID 236 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.160728126Z (160567) Cleaning up request packet ID 176 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.161532680Z (160568) Cleaning up request packet ID 104 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.161574941Z Waking up in 0.1 seconds.
2026-04-21T12:18:20.231290395Z ... new connection request on TCP socket
2026-04-21T12:18:20.231309045Z Listening on auth+acct from client (10.60.43.16, 8766) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:20.231314035Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (10.60.43.16, 8766) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:20.231329395Z ... shutting down socket auth+acct from client (10.60.43.16, 8766) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:20.231333286Z ... cleaning up socket auth+acct from client (10.60.43.16, 8766) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:20.262133706Z (160569) Cleaning up request packet ID 33 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.262571924Z (160570) Cleaning up request packet ID 252 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.263718184Z (160571) Cleaning up request packet ID 29 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.280249750Z (160557) Cleaning up request packet ID 91 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:20.287385853Z (160559) Cleaning up request packet ID 110 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:20.292285518Z (160558) Cleaning up request packet ID 183 with timestamp +4280 due to cleanup_delay was reached
2026-04-21T12:18:20.376168085Z (160572) Cleaning up request packet ID 8 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.382758978Z (160573) Cleaning up request packet ID 127 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.389340013Z (160574) Cleaning up request packet ID 87 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.389348853Z Waking up in 0.4 seconds.
2026-04-21T12:18:20.887069992Z (160577) Cleaning up request packet ID 188 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.887084663Z (160575) Cleaning up request packet ID 2 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.892778091Z (160576) Cleaning up request packet ID 135 with timestamp +4281 due to cleanup_delay was reached
2026-04-21T12:18:20.892802051Z Waking up in 0.2 seconds.
2026-04-21T12:18:21.168337377Z (160578) Cleaning up request packet ID 14 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:21.168366957Z Waking up in 0.1 seconds.
2026-04-21T12:18:21.273269728Z (160579) Cleaning up request packet ID 17 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:21.273285758Z Waking up in 0.1 seconds.
2026-04-21T12:18:21.377147591Z (160580) Cleaning up request packet ID 165 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:21.377162391Z Waking up in 0.1 seconds.
2026-04-21T12:18:21.481248748Z (160581) Cleaning up request packet ID 55 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:21.481291969Z Waking up in 0.1 seconds.
2026-04-21T12:18:21.597108588Z (160582) Cleaning up request packet ID 5 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:21.597128888Z Waking up in 0.4 seconds.
2026-04-21T12:18:22.059033850Z (160583) Cleaning up request packet ID 94 with timestamp +4282 due to cleanup_delay was reached
2026-04-21T12:18:22.059047920Z Ready to process requests
2026-04-21T12:18:23.565345729Z ... new connection request on TCP socket
2026-04-21T12:18:23.565371690Z Listening on auth+acct from client (10.60.43.16, 1378) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:23.565376900Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (10.60.43.16, 1378) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:23.565428421Z ... shutting down socket auth+acct from client (10.60.43.16, 1378) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:23.565436551Z ... cleaning up socket auth+acct from client (10.60.43.16, 1378) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:23.565440651Z Ready to process requests
2026-04-21T12:18:26.898133098Z ... new connection request on TCP socket
2026-04-21T12:18:26.898170719Z Listening on auth+acct from client (10.60.43.16, 58945) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:26.898178639Z FD is larger than MAX FDsFailed adding event handler for socket auth+acct from client (10.60.43.16, 58945) -> (*, 2083, virtual-server=radius-tls):
2026-04-21T12:18:26.898221940Z ... shutting down socket auth+acct from client (10.60.43.16, 58945) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:26.898229020Z ... cleaning up socket auth+acct from client (10.60.43.16, 58945) -> (*, 2083, virtual-server=radius-tls)
2026-04-21T12:18:26.898235530Z Ready to process requests
More information about the Freeradius-Users
mailing list