FreeRADIUS 3.2.8 with EAP-FAST: MS-CHAP2-Response is incorrect
Dennis Bland
dennis at dbperformance.com
Mon Jan 5 04:16:26 UTC 2026
Hi FreeRADIUS:
I've compiled/installed FreeRADIUS 3.2.8 on Ubuntu 24.04 (Linux 6.8.0
and OpenSSL 3.0.13), and it gives the attached "MS-CHAP2 Response is
incorrect" error during inner tunnel negotiation in Phase 0 (PAC file
creation) of EAP-FAST. Upgrading the Linux kernel to 6.16 and OpenSSL
3.0.16 gives the same result. Compiling the latest FreeRADIUS 3.2.x
branch head (3.2.9 dev) as of a few days ago also gives the same
result.
Note that EAP-PEAP/MSCHAPV2 works fine (log also attached) on the
identical supplicant / authenticator / authentication server platform.
The supplicant is also on an Ubuntu 24.04 platform (OpenSSL 3.0.13),
running the latest snapshot of wpa_supplicant, and TLS 1.3 has been
confirmed working with EAP-PEAP when tls_max is set to 1.3 in
FreeRADIUS on the authentication server.
Supplicant version:
dbland at NUC13-Linux2:~$ wpa_supplicant -v
wpa_supplicant v2.12-devel-20251221-hostap_2_11-1307-g3ea5c0df5+
Copyright (c) 2003-2024, Jouni Malinen <j at w1.fi> and contributors
dbland at NUC13-Linux2:~$
Supplicant EAP-FAST configuration:
network={
ssid="asus6e_5"
proto=RSN
key_mgmt=WPA-EAP
bgscan="simple:5:-70:60"
eap=FAST
identity="bob_loblaw"
anonymous_identity="FAST-123456789012"
password="password"
phase1="fast_provisioning=1"
phase2="auth=MSCHAPV2"
pac_file="/home/dbland/certs_nuc13/bob_loblaw.pac"
}
Background: Recent Ubuntu versions have forcibly disabled TLS 1.0 and
TLS 1.1, and EAP-FAST support with TLS 1.2 was first introduced in
FreeRADIUS 3.2.8. However, the FreeRADIUS package version bundled
with Ubuntu 24.04 is version 3.2.5, and version 3.2.7 with Ubuntu
25.10. This unfortunately leaves a gap in EAP-FAST support. Until a
newer FreeRADIUS package is available on Ubuntu, compiling the 3.2.8
source seems to be the only option in order to support BOTH TLS 1.3
with EAP-PEAP and TLS 1.2 with EAP-FAST.
Any further troubleshooting suggestions? From reading the mailing
list archives, I've seen this EAP-FAST issue pop up a few times in the
past on earlier 3.0.x versions, but with no resolution.
Best regards,
Dennis Bland
-------------- next part --------------
~$ sudo radiusd -X
FreeRADIUS Version 3.2.8
Copyright (C) 1999-2025 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
FreeRADIUS is developed, maintained, and supported by InkBridge Networks.
For commercial support, please email sales at inkbridgenetworks.com
https://inkbridgenetworks.com/
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/totp
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/debug
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
delay_proxy_rejects = no
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
allow_vulnerable_openssl = "no"
}
unlang {
group_stop_return = no
policy_stop_return = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
nonblock = no
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client pal {
ipaddr = 192.168.0.0/24
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 900
}
}
Shared secret for client localhost is short, and likely can be broken by an attacker.
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Shared secret for client localhost_ipv6 is short, and likely can be broken by an attacker.
Debugger not attached
Configuration version: 5c25-1e41-96dc-e8f1
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_detail
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_proxy_rate_limit
# Loading module "proxy_rate_limit" from file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
proxy_rate_limit {
max_entries = 2048
idle_timeout = 10
num_subtables = 256
window = 1
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_totp
# Loading module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
totp {
time_step = 30
otp_length = 6
lookback_steps = 1
lookback_interval = 30
lookforward_steps = 0
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
instantiate {
}
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.pem"
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
tmpdir = "/tmp/radiusd"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/3.0/certs/ca.pem %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_fast
fast {
tls = "tls-common"
default_eap_type = "mschapv2"
virtual_server = "inner-tunnel"
cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2:@SECLEVEL=0"
require_client_cert = no
pac_lifetime = 315576000
authority_identity = "1234"
pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/coa
# Instantiating module "proxy_rate_limit" from file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:366
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 900
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 40468
Listening on proxy address :: port 49449
Ready to process requests
(0) Received Access-Request Id 88 from 192.168.0.45:50430 to 192.168.0.94:1812 length 222
(0) User-Name = "bob_loblaw"
(0) NAS-IP-Address = 192.168.0.45
(0) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "A0-B3-39-64-69-23"
(0) Connect-Info = "CONNECT 24Mbps 802.11a"
(0) Acct-Session-Id = "FFD0437394F4DB53"
(0) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0294000f01626f625f6c6f626c6177
(0) Message-Authenticator = 0x4a8f56cbb59576cd2f6fb68756d32923
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 148 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Using default_eap_type = PEAP
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap: Sending EAP Request (code 1) ID 149 length 6
(0) eap: EAP session adding &reply:State = 0x7f0561dd7f907822
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 984
(0) Sent Access-Challenge Id 88 from 192.168.0.94:1812 to 192.168.0.45:50430 length 64
(0) EAP-Message = 0x019500061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x7f0561dd7f9078226908638262d2a043
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 89 from 192.168.0.45:50430 to 192.168.0.94:1812 length 494
(1) User-Name = "bob_loblaw"
(1) NAS-IP-Address = 192.168.0.45
(1) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "A0-B3-39-64-69-23"
(1) Connect-Info = "CONNECT 24Mbps 802.11a"
(1) Acct-Session-Id = "FFD0437394F4DB53"
(1) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 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
(1) State = 0x7f0561dd7f9078226908638262d2a043
(1) Message-Authenticator = 0xf8a98431695d10aed9ca00e4bf476f5c
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 984
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 149 length 267
(1) eap: Continuing tunnel setup
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Removing EAP session with state 0x7f0561dd7f907822
(1) eap: Previous EAP request found for state 0x7f0561dd7f907822, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) EAP Peer says that the final record size will be 257 bytes
(1) eap_peap: (TLS) EAP Got all data (257 bytes)
(1) eap_peap: (TLS) PEAP - Handshake state - before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - Handshake state - Server before SSL initialization
(1) eap_peap: (TLS) PEAP - recv TLS 1.3 Handshake, ClientHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHello
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server hello
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Certificate
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write certificate
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write key exchange
(1) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone
(1) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - Server : Need to read more data: SSLv3/TLS write server done
(1) eap_peap: (TLS) PEAP - In Handshake Phase
(1) eap: Sending EAP Request (code 1) ID 150 length 994
(1) eap: EAP session adding &reply:State = 0x7f0561dd7e937822
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 984
(1) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(1) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(1) Sent Access-Challenge Id 89 from 192.168.0.94:1812 to 192.168.0.45:50430 length 1058
(1) EAP-Message = 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
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x7f0561dd7e9378226908638262d2a043
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 90 from 192.168.0.45:50430 to 192.168.0.94:1812 length 231
(2) User-Name = "bob_loblaw"
(2) NAS-IP-Address = 192.168.0.45
(2) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "A0-B3-39-64-69-23"
(2) Connect-Info = "CONNECT 24Mbps 802.11a"
(2) Acct-Session-Id = "FFD0437394F4DB53"
(2) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message = 0x029600061900
(2) State = 0x7f0561dd7e9378226908638262d2a043
(2) Message-Authenticator = 0xa21405ca3b4184505280e741c281da93
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 984
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 150 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Removing EAP session with state 0x7f0561dd7e937822
(2) eap: Previous EAP request found for state 0x7f0561dd7e937822, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: (TLS) Peer ACKed our handshake fragment
(2) eap: Sending EAP Request (code 1) ID 151 length 990
(2) eap: EAP session adding &reply:State = 0x7f0561dd7d927822
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 984
(2) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 90 from 192.168.0.94:1812 to 192.168.0.45:50430 length 1054
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x7f0561dd7d9278226908638262d2a043
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 91 from 192.168.0.45:50430 to 192.168.0.94:1812 length 231
(3) User-Name = "bob_loblaw"
(3) NAS-IP-Address = 192.168.0.45
(3) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "A0-B3-39-64-69-23"
(3) Connect-Info = "CONNECT 24Mbps 802.11a"
(3) Acct-Session-Id = "FFD0437394F4DB53"
(3) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x029700061900
(3) State = 0x7f0561dd7d9278226908638262d2a043
(3) Message-Authenticator = 0x75c256b55d7fe59efa05c9e3677be454
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 984
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 151 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Removing EAP session with state 0x7f0561dd7d927822
(3) eap: Previous EAP request found for state 0x7f0561dd7d927822, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: (TLS) Peer ACKed our handshake fragment
(3) eap: Sending EAP Request (code 1) ID 152 length 731
(3) eap: EAP session adding &reply:State = 0x7f0561dd7c9d7822
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 984
(3) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(3) Sent Access-Challenge Id 91 from 192.168.0.94:1812 to 192.168.0.45:50430 length 793
(3) EAP-Message = 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
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x7f0561dd7c9d78226908638262d2a043
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 92 from 192.168.0.45:50430 to 192.168.0.94:1812 length 328
(4) User-Name = "bob_loblaw"
(4) NAS-IP-Address = 192.168.0.45
(4) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "A0-B3-39-64-69-23"
(4) Connect-Info = "CONNECT 24Mbps 802.11a"
(4) Acct-Session-Id = "FFD0437394F4DB53"
(4) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x0298006719800000005d16030300251000002120f39c97e98d2ab48d0579d2e49cb3b16e932b3aa367cdac2f36e54947b00488661403030001011603030028d4a7f63a1a9606bca60550c694f32b631dc14e0cde5d129b55c6fa6b87a2ca43f6457bfbe83290be
(4) State = 0x7f0561dd7c9d78226908638262d2a043
(4) Message-Authenticator = 0xd03f64e487983dfc5b860acc7e0be665
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 984
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 152 length 103
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Removing EAP session with state 0x7f0561dd7c9d7822
(4) eap: Previous EAP request found for state 0x7f0561dd7c9d7822, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: (TLS) EAP Peer says that the final record size will be 93 bytes
(4) eap_peap: (TLS) EAP Got all data (93 bytes)
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write server done
(4) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read client key exchange
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read change cipher spec
(4) eap_peap: (TLS) PEAP - recv TLS 1.2 Handshake, Finished
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS read finished
(4) eap_peap: (TLS) PEAP - send TLS 1.2 ChangeCipherSpec
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write change cipher spec
(4) eap_peap: (TLS) PEAP - send TLS 1.2 Handshake, Finished
(4) eap_peap: (TLS) PEAP - Handshake state - Server SSLv3/TLS write finished
(4) eap_peap: (TLS) PEAP - Handshake state - SSL negotiation finished successfully
(4) eap_peap: (TLS) PEAP - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap: Sending EAP Request (code 1) ID 153 length 57
(4) eap: EAP session adding &reply:State = 0x7f0561dd7b9c7822
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 984
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(4) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(4) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(4) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(4) TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 92 from 192.168.0.94:1812 to 192.168.0.45:50430 length 115
(4) EAP-Message = 0x01990039190014030300010116030300282e2b636f62316a4a917b58c46db851a63e7f80e51d729f07c9e6d39ea6d3422f2e62d37cc3641b69
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x7f0561dd7b9c78226908638262d2a043
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 93 from 192.168.0.45:50430 to 192.168.0.94:1812 length 231
(5) User-Name = "bob_loblaw"
(5) NAS-IP-Address = 192.168.0.45
(5) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "A0-B3-39-64-69-23"
(5) Connect-Info = "CONNECT 24Mbps 802.11a"
(5) Acct-Session-Id = "FFD0437394F4DB53"
(5) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x029900061900
(5) State = 0x7f0561dd7b9c78226908638262d2a043
(5) Message-Authenticator = 0x2476a314db00b6287b0bb39e1d2b833f
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 984
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 153 length 6
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x7f0561dd7b9c7822
(5) eap: Previous EAP request found for state 0x7f0561dd7b9c7822, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
(5) eap_peap: Session established. Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 154 length 40
(5) eap: EAP session adding &reply:State = 0x7f0561dd7a9f7822
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 984
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 93 from 192.168.0.94:1812 to 192.168.0.45:50430 length 98
(5) EAP-Message = 0x019a00281900170303001d2e2b636f62316a4b4c136730d7aef943329e5bec4a832be9023ca5ad67
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x7f0561dd7a9f78226908638262d2a043
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 94 from 192.168.0.45:50430 to 192.168.0.94:1812 length 271
(6) User-Name = "bob_loblaw"
(6) NAS-IP-Address = 192.168.0.45
(6) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "A0-B3-39-64-69-23"
(6) Connect-Info = "CONNECT 24Mbps 802.11a"
(6) Acct-Session-Id = "FFD0437394F4DB53"
(6) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message = 0x029a002e19001703030023d4a7f63a1a9606bdb439a99813e68130472f59fa6a3e0c99aaaf30cde1c347ca513b9f
(6) State = 0x7f0561dd7a9f78226908638262d2a043
(6) Message-Authenticator = 0x68a2f486e7bc5467dc3069c58dba9f3c
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 984
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 154 length 46
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Removing EAP session with state 0x7f0561dd7a9f7822
(6) eap: Previous EAP request found for state 0x7f0561dd7a9f7822, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: (TLS) EAP Done initial handshake
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - bob_loblaw
(6) eap_peap: Got inner identity 'bob_loblaw'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap: EAP-Message = 0x029a000f01626f625f6c6f626c6177
(6) eap_peap: Setting User-Name to bob_loblaw
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap: EAP-Message = 0x029a000f01626f625f6c6f626c6177
(6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap: User-Name = "bob_loblaw"
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x029a000f01626f625f6c6f626c6177
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "bob_loblaw"
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 154 length 15
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Found &control:EAP-Type = MSCHAPv2
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 155 length 42
(6) eap: EAP session adding &reply:State = 0x68e0f948687be313
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) EAP-Message = 0x019b002a1a019b00251066b16fd6c3a70aef6cfe6e3e294945b6667265657261646975732d332e322e38
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x68e0f948687be313f1a4fbc5fa9adf8c
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap: EAP-Message = 0x019b002a1a019b00251066b16fd6c3a70aef6cfe6e3e294945b6667265657261646975732d332e322e38
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x68e0f948687be313f1a4fbc5fa9adf8c
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap: EAP-Message = 0x019b002a1a019b00251066b16fd6c3a70aef6cfe6e3e294945b6667265657261646975732d332e322e38
(6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap: State = 0x68e0f948687be313f1a4fbc5fa9adf8c
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 155 length 73
(6) eap: EAP session adding &reply:State = 0x7f0561dd799e7822
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6) Framed-MTU = 984
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(6) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(6) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(6) TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 94 from 192.168.0.94:1812 to 192.168.0.45:50430 length 131
(6) EAP-Message = 0x019b00491900170303003e2e2b636f62316a4c4582c5c2a121d745c4f898f5f12645716bd597d09bca86550f25ae094fc2b084d4565234600e0de266413c6ac4911e9ea9dfba99343e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x7f0561dd799e78226908638262d2a043
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 95 from 192.168.0.45:50430 to 192.168.0.94:1812 length 325
(7) User-Name = "bob_loblaw"
(7) NAS-IP-Address = 192.168.0.45
(7) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(7) NAS-Port-Type = Wireless-802.11
(7) Service-Type = Framed-User
(7) Calling-Station-Id = "A0-B3-39-64-69-23"
(7) Connect-Info = "CONNECT 24Mbps 802.11a"
(7) Acct-Session-Id = "FFD0437394F4DB53"
(7) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(7) WLAN-Pairwise-Cipher = 1027076
(7) WLAN-Group-Cipher = 1027076
(7) WLAN-AKM-Suite = 1027073
(7) Framed-MTU = 1400
(7) EAP-Message = 0x029b006419001703030059d4a7f63a1a9606be7b592a8fd20bf010c5a48b4f81f4d9d6c866c0f00182eb2dec16553c803c8d55c22675503306e90fa8111ee9308941675542ff2dc7e3fde057b95dee39bf41cfc04e37aedb6383b21a65977c9a25f0c259
(7) State = 0x7f0561dd799e78226908638262d2a043
(7) Message-Authenticator = 0x7ad31a1eec516dbb5611dd354b1a19fc
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 984
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 155 length 100
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Removing EAP session with state 0x7f0561dd799e7822
(7) eap: Previous EAP request found for state 0x7f0561dd799e7822, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: (TLS) EAP Done initial handshake
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x029b00451a029b00403120c05d840be6163ef8442d5ae95e0b20000000000000000052e4a1eae0609cfd38a146db6020bbea637e76569849d94300626f625f6c6f626c6177
(7) eap_peap: Setting User-Name to bob_loblaw
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x029b00451a029b00403120c05d840be6163ef8442d5ae95e0b20000000000000000052e4a1eae0609cfd38a146db6020bbea637e76569849d94300626f625f6c6f626c6177
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "bob_loblaw"
(7) eap_peap: State = 0x68e0f948687be313f1a4fbc5fa9adf8c
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x029b00451a029b00403120c05d840be6163ef8442d5ae95e0b20000000000000000052e4a1eae0609cfd38a146db6020bbea637e76569849d94300626f625f6c6f626c6177
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "bob_loblaw"
(7) State = 0x68e0f948687be313f1a4fbc5fa9adf8c
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 155 length 69
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) files: users: Matched entry bob_loblaw at line 1
(7) [files] = ok
(7) [expiration] = noop
(7) [logintime] = noop
(7) pap: WARNING: Auth-Type already set. Not setting to PAP
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authenticate {
(7) eap: Removing EAP session with state 0x68e0f948687be313
(7) eap: Previous EAP request found for state 0x68e0f948687be313, released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) eap_mschapv2: authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Creating challenge hash with username: bob_loblaw
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) eap_mschapv2: [mschap] = ok
(7) eap_mschapv2: } # authenticate = ok
(7) eap_mschapv2: MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 156 length 51
(7) eap: EAP session adding &reply:State = 0x68e0f948697ce313
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) EAP-Message = 0x019c00331a039b002e533d43363839314436304434354442384343314539374433324634373837413045323533333846303743
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x68e0f948697ce313f1a4fbc5fa9adf8c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap: EAP-Message = 0x019c00331a039b002e533d43363839314436304434354442384343314539374433324634373837413045323533333846303743
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x68e0f948697ce313f1a4fbc5fa9adf8c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap: EAP-Message = 0x019c00331a039b002e533d43363839314436304434354442384343314539374433324634373837413045323533333846303743
(7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap: State = 0x68e0f948697ce313f1a4fbc5fa9adf8c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 156 length 82
(7) eap: EAP session adding &reply:State = 0x7f0561dd78997822
(7) [eap] = handled
(7) } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7) Framed-MTU = 984
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(7) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(7) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7) TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 95 from 192.168.0.94:1812 to 192.168.0.45:50430 length 140
(7) EAP-Message = 0x019c0052190017030300472e2b636f62316a4d1b453f25e86e09d982d09e061bff8b195f63ff44d9b863ffb9f3778b25ba84c877213e0c05f64eab6913c3f2333f68f016304c70728bd6fa220e3c6a8ff7ac
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) State = 0x7f0561dd789978226908638262d2a043
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 96 from 192.168.0.45:50430 to 192.168.0.94:1812 length 262
(8) User-Name = "bob_loblaw"
(8) NAS-IP-Address = 192.168.0.45
(8) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "A0-B3-39-64-69-23"
(8) Connect-Info = "CONNECT 24Mbps 802.11a"
(8) Acct-Session-Id = "FFD0437394F4DB53"
(8) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x029c00251900170303001ad4a7f63a1a9606bf21bbed1a4194cc2a66bd864165e27584f916
(8) State = 0x7f0561dd789978226908638262d2a043
(8) Message-Authenticator = 0xc0faf2c8ea300832dc8fd71c5733f529
(8) Restoring &session-state
(8) &session-state:Framed-MTU = 984
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 156 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Removing EAP session with state 0x7f0561dd78997822
(8) eap: Previous EAP request found for state 0x7f0561dd78997822, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: (TLS) EAP Done initial handshake
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x029c00061a03
(8) eap_peap: Setting User-Name to bob_loblaw
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x029c00061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "bob_loblaw"
(8) eap_peap: State = 0x68e0f948697ce313f1a4fbc5fa9adf8c
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x029c00061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "bob_loblaw"
(8) State = 0x68e0f948697ce313f1a4fbc5fa9adf8c
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 156 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry bob_loblaw at line 1
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Removing EAP session with state 0x68e0f948697ce313
(8) eap: Previous EAP request found for state 0x68e0f948697ce313, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 156 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0x5eec6133eec8a85b992a5166ee427747
(8) MS-MPPE-Recv-Key = 0x5f9374a040a79b2bdb88be3431dc3d68
(8) EAP-Message = 0x039c0004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "bob_loblaw"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x5eec6133eec8a85b992a5166ee427747
(8) eap_peap: MS-MPPE-Recv-Key = 0x5f9374a040a79b2bdb88be3431dc3d68
(8) eap_peap: EAP-Message = 0x039c0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "bob_loblaw"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0x5eec6133eec8a85b992a5166ee427747
(8) eap_peap: MS-MPPE-Recv-Key = 0x5f9374a040a79b2bdb88be3431dc3d68
(8) eap_peap: EAP-Message = 0x039c0004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "bob_loblaw"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 157 length 46
(8) eap: EAP session adding &reply:State = 0x7f0561dd77987822
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8) Framed-MTU = 984
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(8) TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(8) TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 96 from 192.168.0.94:1812 to 192.168.0.45:50430 length 104
(8) EAP-Message = 0x019d002e190017030300232e2b636f62316a4e4b01bd95e86a84edca29d720f1f252585d4ee5326c88928a51dcef
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x7f0561dd779878226908638262d2a043
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 97 from 192.168.0.45:50430 to 192.168.0.94:1812 length 271
(9) User-Name = "bob_loblaw"
(9) NAS-IP-Address = 192.168.0.45
(9) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(9) NAS-Port-Type = Wireless-802.11
(9) Service-Type = Framed-User
(9) Calling-Station-Id = "A0-B3-39-64-69-23"
(9) Connect-Info = "CONNECT 24Mbps 802.11a"
(9) Acct-Session-Id = "FFD0437394F4DB53"
(9) Acct-Multi-Session-Id = "9F68D2D452BFD86B"
(9) WLAN-Pairwise-Cipher = 1027076
(9) WLAN-Group-Cipher = 1027076
(9) WLAN-AKM-Suite = 1027073
(9) Framed-MTU = 1400
(9) EAP-Message = 0x029d002e19001703030023d4a7f63a1a9606c09c34aa06a0f39029d459f49b945040a472a222fa5c84f367db3aa3
(9) State = 0x7f0561dd779878226908638262d2a043
(9) Message-Authenticator = 0x8d32d9cc0e29593129b5670d68177c31
(9) Restoring &session-state
(9) &session-state:Framed-MTU = 984
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHello"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Certificate"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - recv TLS 1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 ChangeCipherSpec"
(9) &session-state:TLS-Session-Information = "(TLS) PEAP - send TLS 1.2 Handshake, Finished"
(9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(9) &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 157 length 46
(9) eap: Continuing tunnel setup
(9) [eap] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Removing EAP session with state 0x7f0561dd77987822
(9) eap: Previous EAP request found for state 0x7f0561dd77987822, released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: (TLS) EAP Done initial handshake
(9) eap_peap: Session established. Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap: Sending EAP Success (code 3) ID 157 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(9) post-auth {
(9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(9) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(9) update {
(9) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 984
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.3 Handshake, ClientHello'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHello'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Certificate'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerKeyExchange'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, ServerHelloDone'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, ClientKeyExchange'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - recv TLS 1.2 Handshake, Finished'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 ChangeCipherSpec'
(9) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) PEAP - send TLS 1.2 Handshake, Finished'
(9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(9) } # update = noop
(9) [exec] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) if (EAP-Key-Name && &reply:EAP-Session-Id) {
(9) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
(9) } # post-auth = noop
(9) Sent Access-Accept Id 97 from 192.168.0.94:1812 to 192.168.0.45:50430 length 178
(9) MS-MPPE-Recv-Key = 0xd7ba7964a16101dc6cc30a306e594a58bf47b93f71bbdb3071eec3f849563a29
(9) MS-MPPE-Send-Key = 0xdae5c2e6bb463c96fcce441575215fce501fd76a704b784657cf97eaf96aefae
(9) EAP-Message = 0x039d0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "bob_loblaw"
(9) Framed-MTU += 984
(9) Finished request
Waking up in 2.0 seconds.
-------------- next part --------------
~$ sudo radiusd -X
FreeRADIUS Version 3.2.8
Copyright (C) 1999-2025 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
FreeRADIUS is developed, maintained, and supported by InkBridge Networks.
For commercial support, please email sales at inkbridgenetworks.com
https://inkbridgenetworks.com/
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/totp
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/debug
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
security {
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr/local"
localstatedir = "/usr/local/var"
sbindir = "/usr/local/sbin"
logdir = "/usr/local/var/log/radius"
run_dir = "/usr/local/var/run/radiusd"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
proxy_dedup_window = 1
cleanup_delay = 5
max_requests = 16384
max_fds = 512
postauth_client_lost = no
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
delay_proxy_rejects = no
status_server = yes
require_message_authenticator = "auto"
limit_proxy_state = "auto"
allow_vulnerable_openssl = "no"
}
unlang {
group_stop_return = no
policy_stop_return = no
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
nonblock = no
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = <<< secret >>>
response_window = 20.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 120
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client pal {
ipaddr = 192.168.0.0/24
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost {
ipaddr = 127.0.0.1
secret = <<< secret >>>
nas_type = "other"
proto = "*"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 900
}
}
Shared secret for client localhost is short, and likely can be broken by an attacker.
client localhost_ipv6 {
ipv6addr = ::1
secret = <<< secret >>>
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Shared secret for client localhost_ipv6 is short, and likely can be broken by an attacker.
Debugger not attached
Configuration version: 5c25-1e41-96dc-e8f1
# Creating Auth-Type = mschap
# Creating Auth-Type = digest
# Creating Auth-Type = eap
# Creating Auth-Type = PAP
# Creating Auth-Type = CHAP
# Creating Auth-Type = MS-CHAP
# Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_chap
# Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
# Loaded module rlm_realm
# Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
realm bangpath {
format = "prefix"
delimiter = "!"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
winbind_retry_with_normalised_username = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/usr/local/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/replicate
# Loaded module rlm_eap
# Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
max_eap_type = 52
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
dedup_key = ""
}
# Loaded module rlm_expr
# Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_unix
# Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Creating attribute Unix-Group
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loaded module rlm_soh
# Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_utf8
# Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
# Loaded module rlm_detail
# Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loaded module rlm_date
# Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
utc = no
}
# Loading module "wispr2date" from file /usr/local/etc/raddb/mods-enabled/date
date wispr2date {
format = "%Y-%m-%dT%H:%M:%S"
utc = no
}
# Loaded module rlm_exec
# Loading module "ntlm_auth" from file /usr/local/etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
detail {
filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
dates_as_integer = no
escape_filenames = no
log_packet_header = no
}
# Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loaded module rlm_digest
# Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
# Loaded module rlm_unpack
# Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
# Loaded module rlm_files
# Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
files {
filename = "/usr/local/etc/raddb/mods-config/files/authorize"
acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_pap
# Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Loaded module rlm_always
# Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog {
filename = "/usr/local/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/usr/local/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.coa {
filename = "/usr/local/etc/raddb/mods-config/attr_filter/coa"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_proxy_rate_limit
# Loading module "proxy_rate_limit" from file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
proxy_rate_limit {
max_entries = 2048
idle_timeout = 10
num_subtables = 256
window = 1
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_dynamic_clients
# Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled/dynamic_clients
# Loaded module rlm_totp
# Loading module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
totp {
time_step = 30
otp_length = 6
lookback_steps = 1
lookback_interval = 30
lookforward_steps = 0
}
# Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_preprocess
# Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
instantiate {
}
# Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "bangpath" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
# Instantiating module "mschap" from file /usr/local/etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/server.key"
certificate_file = "/etc/freeradius/3.0/certs/server.pem"
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
private_key_password = <<< secret >>>
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
ca_path_reload_interval = 0
cipher_list = "DEFAULT"
cipher_server_preference = no
reject_unknown_intermediate_ca = no
ecdh_curve = ""
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
tmpdir = "/tmp/radiusd"
client = "/usr/bin/openssl verify -CAfile /etc/freeradius/3.0/certs/ca.pem %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Linked to sub-module rlm_eap_fast
fast {
tls = "tls-common"
default_eap_type = "mschapv2"
virtual_server = "inner-tunnel"
cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2:@SECLEVEL=0"
require_client_cert = no
pac_lifetime = 315576000
authority_identity = "1234"
pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
copy_request_to_tunnel = no
use_tunneled_reply = no
}
tls: Using cached TLS configuration from previous invocation
# Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/detail.log
# Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
# Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/files
reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
# Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
# Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enabled/expiration
# Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/always
# Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/linelog
# Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
# Instantiating module "attr_filter.access_challenge" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "attr_filter.coa" from file /usr/local/etc/raddb/mods-enabled/attr_filter
reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/coa
# Instantiating module "proxy_rate_limit" from file /usr/local/etc/raddb/mods-enabled/proxy_rate_limit
# Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled/logintime
# Instantiating module "totp" from file /usr/local/etc/raddb/mods-enabled/totp
# Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enabled/preprocess
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /usr/local/etc/raddb/radiusd.conf
} # server
server default { # from file /usr/local/etc/raddb/sites-enabled/default
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
# Loading preacct {...}
# Loading accounting {...}
# Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
# Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
# Loading authorize {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel:366
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 900
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 33321
Listening on proxy address :: port 42212
Ready to process requests
(0) Received Access-Request Id 81 from 192.168.0.45:50430 to 192.168.0.94:1812 length 236
(0) User-Name = "FAST-123456789012"
(0) NAS-IP-Address = 192.168.0.45
(0) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "A0-B3-39-64-69-23"
(0) Connect-Info = "CONNECT 24Mbps 802.11a"
(0) Acct-Session-Id = "E0F39D3C45B4683E"
(0) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x02de001601464153542d313233343536373839303132
(0) Message-Authenticator = 0x9b84af02f189f28a00eede6eb3653eaf
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 222 length 22
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Using default_eap_type = PEAP
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) PEAP -Initiating new session
(0) eap: Sending EAP Request (code 1) ID 223 length 6
(0) eap: EAP session adding &reply:State = 0x8dbc67c78d637ef2
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) session-state: Saving cached attributes
(0) Framed-MTU = 984
(0) Sent Access-Challenge Id 81 from 192.168.0.94:1812 to 192.168.0.45:50430 length 64
(0) EAP-Message = 0x01df00061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x8dbc67c78d637ef26f0d65fd646be2cc
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 82 from 192.168.0.45:50430 to 192.168.0.94:1812 length 238
(1) User-Name = "FAST-123456789012"
(1) NAS-IP-Address = 192.168.0.45
(1) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "A0-B3-39-64-69-23"
(1) Connect-Info = "CONNECT 24Mbps 802.11a"
(1) Acct-Session-Id = "E0F39D3C45B4683E"
(1) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x02df0006032b
(1) State = 0x8dbc67c78d637ef26f0d65fd646be2cc
(1) Message-Authenticator = 0xe71e222b66057775d1c7f6061d65be8b
(1) Restoring &session-state
(1) &session-state:Framed-MTU = 984
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 223 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Removing EAP session with state 0x8dbc67c78d637ef2
(1) eap: Previous EAP request found for state 0x8dbc67c78d637ef2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type FAST (43)
(1) eap: Found compatible type in NAK - EAP-Type = FAST
(1) eap: Calling submodule eap_fast to process data
(1) eap_fast: (TLS) FAST -Initiating new session
(1) eap_fast: Over-riding main cipher list with 'ALL:!EXPORT:!eNULL:!SSLv2:@SECLEVEL=0'
(1) eap_fast: Setting security level to 0 to allow anonymous cipher suites
(1) eap: Sending EAP Request (code 1) ID 224 length 26
(1) eap: EAP session adding &reply:State = 0x8dbc67c78c5c4cf2
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) session-state: Saving cached attributes
(1) Framed-MTU = 984
(1) Sent Access-Challenge Id 82 from 192.168.0.94:1812 to 192.168.0.45:50430 length 84
(1) EAP-Message = 0x01e0001a2b210004001081dc9bdb52d04dc20036dbd8313ed055
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x8dbc67c78c5c4cf26f0d65fd646be2cc
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 83 from 192.168.0.45:50430 to 192.168.0.94:1812 length 352
(2) User-Name = "FAST-123456789012"
(2) NAS-IP-Address = 192.168.0.45
(2) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(2) NAS-Port-Type = Wireless-802.11
(2) Service-Type = Framed-User
(2) Calling-Station-Id = "A0-B3-39-64-69-23"
(2) Connect-Info = "CONNECT 24Mbps 802.11a"
(2) Acct-Session-Id = "E0F39D3C45B4683E"
(2) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(2) WLAN-Pairwise-Cipher = 1027076
(2) WLAN-Group-Cipher = 1027076
(2) WLAN-AKM-Suite = 1027073
(2) Framed-MTU = 1400
(2) EAP-Message = 0x02e000782b01160301006d0100006903037e7412bd8f7ba6d8856caf27b0c2b176e6a3c706d19cc7fefe5dd447983a1f86000004003400ff0100003c0016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(2) State = 0x8dbc67c78c5c4cf26f0d65fd646be2cc
(2) Message-Authenticator = 0x210d2ef6a7c8150cb5cd20d2b9efb6a7
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 984
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 224 length 120
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Removing EAP session with state 0x8dbc67c78c5c4cf2
(2) eap: Previous EAP request found for state 0x8dbc67c78c5c4cf2, released from the list
(2) eap: Peer sent packet with method EAP FAST (43)
(2) eap: Calling submodule eap_fast to process data
(2) eap_fast: Authenticate
(2) eap_fast: (TLS) EAP Done initial handshake
(2) eap_fast: (TLS) FAST - Handshake state - before SSL initialization
(2) eap_fast: (TLS) FAST - Handshake state - Server before SSL initialization
(2) eap_fast: (TLS) FAST - Handshake state - Server before SSL initialization
(2) eap_fast: (TLS) FAST - recv TLS 1.3 Handshake, ClientHello
(2) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS read client hello
(2) eap_fast: (TLS) FAST - send TLS 1.2 Handshake, ServerHello
(2) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write server hello
(2) eap_fast: (TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange
(2) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write key exchange
(2) eap_fast: (TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone
(2) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write server done
(2) eap_fast: (TLS) FAST - Server : Need to read more data: SSLv3/TLS write server done
(2) eap_fast: (TLS) FAST - In Handshake Phase
(2) eap: Sending EAP Request (code 1) ID 225 length 349
(2) eap: EAP session adding &reply:State = 0x8dbc67c78f5d4cf2
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) session-state: Saving cached attributes
(2) Framed-MTU = 984
(2) TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(2) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(2) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(2) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(2) Sent Access-Challenge Id 83 from 192.168.0.94:1812 to 192.168.0.45:50430 length 409
(2) EAP-Message = 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
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x8dbc67c78f5d4cf26f0d65fd646be2cc
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 84 from 192.168.0.45:50430 to 192.168.0.94:1812 length 456
(3) User-Name = "FAST-123456789012"
(3) NAS-IP-Address = 192.168.0.45
(3) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(3) NAS-Port-Type = Wireless-802.11
(3) Service-Type = Framed-User
(3) Calling-Station-Id = "A0-B3-39-64-69-23"
(3) Connect-Info = "CONNECT 24Mbps 802.11a"
(3) Acct-Session-Id = "E0F39D3C45B4683E"
(3) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(3) WLAN-Pairwise-Cipher = 1027076
(3) WLAN-Group-Cipher = 1027076
(3) WLAN-AKM-Suite = 1027073
(3) Framed-MTU = 1400
(3) EAP-Message = 0x02e100e02b01160303008610000082008034b11bc2c787ad432034cb33cca5f5dc79e1c7096b691d7a58de9c04ace9fdf99fd673718348b33be6cbb7abd520dc2af0f408c9214437619a3796c0fdbdcfa9747b9995715f638b81cb4507cea38b1557c334c0fd790d72bda1cb289a1f0a5c3aa8902d92797d682463f87e98164796fb18a0dd707f176d1d14e0e0e0043d7314030300010116030300441c4650b6223af641e58ede11c57b7da9fe33c4a0c554cb5f219b68310adf2ffd28d1266e5903ec87965a2cb4042bc1185d4fd0040df08d0d5d738cf7c9c2462ff5dbf09e
(3) State = 0x8dbc67c78f5d4cf26f0d65fd646be2cc
(3) Message-Authenticator = 0x6ddb9470ce2900636ab24dc7ef27a239
(3) Restoring &session-state
(3) &session-state:Framed-MTU = 984
(3) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(3) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(3) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(3) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 225 length 224
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Removing EAP session with state 0x8dbc67c78f5d4cf2
(3) eap: Previous EAP request found for state 0x8dbc67c78f5d4cf2, released from the list
(3) eap: Peer sent packet with method EAP FAST (43)
(3) eap: Calling submodule eap_fast to process data
(3) eap_fast: Authenticate
(3) eap_fast: (TLS) EAP Done initial handshake
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write server done
(3) eap_fast: (TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS read client key exchange
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS read change cipher spec
(3) eap_fast: (TLS) FAST - recv TLS 1.2 Handshake, Finished
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS read finished
(3) eap_fast: (TLS) FAST - send TLS 1.2 ChangeCipherSpec
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write change cipher spec
(3) eap_fast: (TLS) FAST - send TLS 1.2 Handshake, Finished
(3) eap_fast: (TLS) FAST - Handshake state - Server SSLv3/TLS write finished
(3) eap_fast: (TLS) FAST - Handshake state - SSL negotiation finished successfully
(3) eap_fast: (TLS) FAST - Connection Established
(3) eap_fast: TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(3) eap_fast: TLS-Session-Version = "TLS 1.2"
(3) eap: Sending EAP Request (code 1) ID 226 length 85
(3) eap: EAP session adding &reply:State = 0x8dbc67c78e5e4cf2
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) session-state: Saving cached attributes
(3) Framed-MTU = 984
(3) TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(3) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(3) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(3) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(3) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(3) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(3) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(3) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(3) TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(3) TLS-Session-Version = "TLS 1.2"
(3) Sent Access-Challenge Id 84 from 192.168.0.94:1812 to 192.168.0.45:50430 length 143
(3) EAP-Message = 0x01e200552b011403030001011603030044c687939ec6a7a0f43963cd862dbec5236a0bbef9044009547491341bc2e33a83b769e659ac1420f8d31d16d3d299c23184e9abe6c7cb9d5fb78c04efd4bdaf27e5a51f2a
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x8dbc67c78e5e4cf26f0d65fd646be2cc
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 85 from 192.168.0.45:50430 to 192.168.0.94:1812 length 238
(4) User-Name = "FAST-123456789012"
(4) NAS-IP-Address = 192.168.0.45
(4) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(4) NAS-Port-Type = Wireless-802.11
(4) Service-Type = Framed-User
(4) Calling-Station-Id = "A0-B3-39-64-69-23"
(4) Connect-Info = "CONNECT 24Mbps 802.11a"
(4) Acct-Session-Id = "E0F39D3C45B4683E"
(4) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(4) WLAN-Pairwise-Cipher = 1027076
(4) WLAN-Group-Cipher = 1027076
(4) WLAN-AKM-Suite = 1027073
(4) Framed-MTU = 1400
(4) EAP-Message = 0x02e200062b01
(4) State = 0x8dbc67c78e5e4cf26f0d65fd646be2cc
(4) Message-Authenticator = 0x9fcc3ef52ee6cf6ae214b89dcf21e0d1
(4) Restoring &session-state
(4) &session-state:Framed-MTU = 984
(4) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(4) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(4) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(4) &session-state:TLS-Session-Version = "TLS 1.2"
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 226 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Removing EAP session with state 0x8dbc67c78e5e4cf2
(4) eap: Previous EAP request found for state 0x8dbc67c78e5e4cf2, released from the list
(4) eap: Peer sent packet with method EAP FAST (43)
(4) eap: Calling submodule eap_fast to process data
(4) eap_fast: Authenticate
(4) eap_fast: (TLS) Peer ACKed our handshake fragment. handshake is finished
(4) eap_fast: Session established. Proceeding to decode tunneled attributes
(4) eap_fast: Using anonymous provisioning
(4) eap_fast: Deriving EAP-FAST keys
(4) eap_fast: OpenSSL: keyblock size: mac_key_len=20 enc_key_len=16 fixed_iv_len=16
(4) eap_fast: Sending EAP-Identity
(4) eap_fast: Challenge
(4) eap: Sending EAP Request (code 1) ID 227 length 63
(4) eap: EAP session adding &reply:State = 0x8dbc67c7895f4cf2
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4) Framed-MTU = 984
(4) TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(4) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(4) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(4) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(4) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(4) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(4) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(4) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(4) TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(4) TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 85 from 192.168.0.94:1812 to 192.168.0.45:50430 length 121
(4) EAP-Message = 0x01e3003f2b0117030300344642ada0aac71e10cc347f8cd19851bb485cf028e1a89dd476cedea6163fbb1f833a37a10e52b5c38732664eb3d5c20b63866cdb
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x8dbc67c7895f4cf26f0d65fd646be2cc
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 86 from 192.168.0.45:50430 to 192.168.0.94:1812 length 311
(5) User-Name = "FAST-123456789012"
(5) NAS-IP-Address = 192.168.0.45
(5) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) Calling-Station-Id = "A0-B3-39-64-69-23"
(5) Connect-Info = "CONNECT 24Mbps 802.11a"
(5) Acct-Session-Id = "E0F39D3C45B4683E"
(5) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Framed-MTU = 1400
(5) EAP-Message = 0x02e3004f2b011703030044c2462cbcb98b65b630a78b7fb080642a4433de24444afd96a9c6e7ca1f82e23c89c8c0c600d53774a896c2fd71810d9749c67de5c065921ac3324964cdbabe2978d23f99
(5) State = 0x8dbc67c7895f4cf26f0d65fd646be2cc
(5) Message-Authenticator = 0x9023e788148905c2bb39bf708f0c2514
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 984
(5) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(5) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(5) &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 227 length 79
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x8dbc67c7895f4cf2
(5) eap: Previous EAP request found for state 0x8dbc67c7895f4cf2, released from the list
(5) eap: Peer sent packet with method EAP FAST (43)
(5) eap: Calling submodule eap_fast to process data
(5) eap_fast: Authenticate
(5) eap_fast: (TLS) EAP Done initial handshake
(5) eap_fast: Session established. Proceeding to decode tunneled attributes
(5) eap_fast: Got Tunneled FAST TLVs
(5) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02e3000f01626f625f6c6f626c6177
(5) eap_fast: Processing received EAP Payload
(5) eap_fast: Got tunneled request
(5) eap_fast: EAP-Message = 0x02e3000f01626f625f6c6f626c6177
(5) eap_fast: Got tunneled identity of bob_loblaw
(5) eap_fast: AUTHENTICATION
(5) Virtual server inner-tunnel received request
(5) EAP-Message = 0x02e3000f01626f625f6c6f626c6177
(5) FreeRADIUS-Proxied-To = 127.0.0.1
(5) User-Name = "bob_loblaw"
(5) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(5) server inner-tunnel {
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [chap] = noop
(5) [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) update control {
(5) &Proxy-To-Realm := LOCAL
(5) } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 227 length 15
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(5) authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Found &control:EAP-Type = MSCHAPv2
(5) eap: Calling submodule eap_mschapv2 to process data
(5) eap_mschapv2: Issuing Challenge
(5) eap: Sending EAP Request (code 1) ID 228 length 42
(5) eap: EAP session adding &reply:State = 0xdce19ac7dc058060
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5) EAP-Message = 0x01e4002a1a01e400251000000000000000000000000000000000667265657261646975732d332e322e38
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xdce19ac7dc058060924b98609966b5ea
(5) eap_fast: Got tunneled Access-Challenge
(5) eap_fast: Challenge
(5) eap: Sending EAP Request (code 1) ID 228 length 95
(5) eap: EAP session adding &reply:State = 0x8dbc67c788584cf2
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 984
(5) TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(5) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(5) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(5) TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(5) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(5) TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(5) TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 86 from 192.168.0.94:1812 to 192.168.0.45:50430 length 153
(5) EAP-Message = 0x01e4005f2b011703030054792c724c9255a126059b314f8b74e158f9a4de7427e956c6b74816ffc58874f3e3a5b9e931b33403cdb7b68aa94b90a39e2c9426ac7a737682eb2e3aaf7f309e4c4d453a2f3f6da26198692d4b1aec3736d2cadb
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8dbc67c788584cf26f0d65fd646be2cc
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 87 from 192.168.0.45:50430 to 192.168.0.94:1812 length 359
(6) User-Name = "FAST-123456789012"
(6) NAS-IP-Address = 192.168.0.45
(6) Called-Station-Id = "FC-34-97-2D-7C-24:krave_asus6e_5"
(6) NAS-Port-Type = Wireless-802.11
(6) Service-Type = Framed-User
(6) Calling-Station-Id = "A0-B3-39-64-69-23"
(6) Connect-Info = "CONNECT 24Mbps 802.11a"
(6) Acct-Session-Id = "E0F39D3C45B4683E"
(6) Acct-Multi-Session-Id = "9958DA1E87FD69F5"
(6) WLAN-Pairwise-Cipher = 1027076
(6) WLAN-Group-Cipher = 1027076
(6) WLAN-AKM-Suite = 1027073
(6) Framed-MTU = 1400
(6) EAP-Message = 0x02e4007f2b0117030300743a3006d7db977d7c94241ee8bc5edb63502d2ede1af7b1d271275d2b2f2e4df95625996c7f66dbfeef5329e9caa3d51afb62437a4c1f8938a1177af23073c7aef6dd36106319def2924fbffaddac6d4f87200f9fa936fe413a41f863c19fda4c017adb9958b19a12fe2494dfd065a2ac03963de7
(6) State = 0x8dbc67c788584cf26f0d65fd646be2cc
(6) Message-Authenticator = 0xd0c387774fdfd453e525a18ccaccab9c
(6) Restoring &session-state
(6) &session-state:Framed-MTU = 984
(6) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.3 Handshake, ClientHello"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHello"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, ServerHelloDone"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, ClientKeyExchange"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - recv TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 ChangeCipherSpec"
(6) &session-state:TLS-Session-Information = "(TLS) FAST - send TLS 1.2 Handshake, Finished"
(6) &session-state:TLS-Session-Cipher-Suite = "ADH-AES128-SHA"
(6) &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "FAST-123456789012", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 228 length 127
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Removing EAP session with state 0x8dbc67c788584cf2
(6) eap: Previous EAP request found for state 0x8dbc67c788584cf2, released from the list
(6) eap: Peer sent packet with method EAP FAST (43)
(6) eap: Calling submodule eap_fast to process data
(6) eap_fast: Authenticate
(6) eap_fast: (TLS) EAP Done initial handshake
(6) eap_fast: Session established. Proceeding to decode tunneled attributes
(6) eap_fast: Got Tunneled FAST TLVs
(6) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x02e400451a02e4004031000000000000000000000000000000000000000000000000748596aa45dcd1b5a22f7aec21a0e705716632968c8c552a00626f625f6c6f626c6177
(6) eap_fast: Processing received EAP Payload
(6) eap_fast: Got tunneled request
(6) eap_fast: EAP-Message = 0x02e400451a02e4004031000000000000000000000000000000000000000000000000748596aa45dcd1b5a22f7aec21a0e705716632968c8c552a00626f625f6c6f626c6177
(6) eap_fast: AUTHENTICATION
(6) Virtual server inner-tunnel received request
(6) EAP-Message = 0x02e400451a02e4004031000000000000000000000000000000000000000000000000748596aa45dcd1b5a22f7aec21a0e705716632968c8c552a00626f625f6c6f626c6177
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) User-Name = "bob_loblaw"
(6) State = 0xdce19ac7dc058060924b98609966b5ea
(6) WARNING: Outer User-Name is not anonymized. User privacy is compromised.
(6) server inner-tunnel {
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "bob_loblaw", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 228 length 69
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) files: users: Matched entry bob_loblaw at line 1
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) pap: WARNING: Auth-Type already set. Not setting to PAP
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) authenticate {
(6) eap: Removing EAP session with state 0xdce19ac7dc058060
(6) eap: Previous EAP request found for state 0xdce19ac7dc058060, released from the list
(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) eap_mschapv2: authenticate {
(6) mschap: Found Cleartext-Password, hashing to create NT-Password
(6) mschap: Overriding peer challenge
(6) mschap: Creating challenge hash with username: bob_loblaw
(6) mschap: Client is using MS-CHAPv2
(6) mschap: ERROR: MS-CHAP2-Response is incorrect
(6) eap_mschapv2: [mschap] = reject
(6) eap_mschapv2: } # authenticate = reject
(6) eap: Sending EAP Failure (code 4) ID 228 length 4
(6) eap: Freeing handler
(6) [eap] = reject
(6) } # authenticate = reject
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> bob_loblaw
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) update outer.session-state {
(6) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect'
(6) } # update outer.session-state = noop
(6) } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) MS-CHAP-Error = "\344E=691 R=1 C=0fca5075fc182c45963743d21d8b85fc V=3 M=Authentication rejected"
(6) EAP-Message = 0x04e40004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_fast: Got tunneled Access-Reject
(6) eap_fast: Reject
(6) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 228 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> FAST-123456789012
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 0.997396 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(6) Sending delayed response
(6) Sent Access-Reject Id 87 from 192.168.0.94:1812 to 192.168.0.45:50430 length 44
(6) EAP-Message = 0x04e40004
(6) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
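The log above shows two layers of EAP framing: the outer EAP-FAST frames (type 43) that carry TLS records between the supplicant and FreeRADIUS, and, once the tunnel is up, the EAP-Identity and EAP-MSCHAPv2 packets that the inner-tunnel virtual server processes. The following decoder is an added example, not FreeRADIUS or wpa_supplicant code; it parses the EAP-Message values printed for requests (4), (5) and (6) (re-assembled field by field from the log so their length fields can be verified) and the MS-CHAP-Error string from the reject. Two details it makes visible: the MSCHAPv2 Challenge and Response both carry an all-zero challenge on the wire, which is what the "Overriding peer challenge" line refers to, since EAP-FAST anonymous provisioning derives the server and peer challenges from the TLS tunnel's keying material (RFC 5422) rather than from the packets; any disagreement in that derivation between supplicant and server produces exactly an "MS-CHAP2-Response is incorrect" rejection even when the password is right. The Ident octet of MS-CHAP-Error (octal \344) is the MSCHAPv2 ID 228 of the failed exchange.

```python
"""Decode the EAP frames from the FreeRADIUS EAP-FAST debug log (added example, not project code)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_MSCHAPV2, EAP_TYPE_FAST = 1, 26, 43
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Constructed from the log: EAP-Message values of requests (4), (5) and (6), re-assembled field by field.
OUTER_ACK = "02e200062b01"                          # (4): supplicant ACKs the server Finished, no TLS data
OUTER_APPDATA = ("01e3003f" "2b" "01" "1703030034"  # (4) reply: EAP Request, FAST v1, one TLS 1.2 app-data record
                 "4642ada0aac71e10cc347f8cd19851bb485cf028e1a89dd476cedea6163fbb1f"
                 "833a37a10e52b5c38732664eb3d5c20b63866cdb")
INNER_IDENTITY = "02e3000f" "01" "626f625f6c6f626c6177"            # (5): tunneled EAP-Identity "bob_loblaw"
INNER_CHALLENGE = ("01e4002a" "1a" "01e40025" "10" + "00" * 16     # (5): MSCHAPv2 Challenge, zero challenge on the wire
                   + "667265657261646975732d332e322e38")           # name "freeradius-3.2.8"
INNER_RESPONSE = ("02e40045" "1a" "02e40040" "31" + "00" * 16 + "00" * 8   # (6): MSCHAPv2 Response, zero peer challenge
                  + "748596aa45dcd1b5a22f7aec21a0e705716632968c8c552a" + "00"
                  + "626f625f6c6f626c6177")
MSCHAP_ERROR = "\xe4E=691 R=1 C=0fca5075fc182c45963743d21d8b85fc V=3 M=Authentication rejected"


def parse_eap(hexstr):
    """Parse one EAP packet (RFC 3748) given as the hex string FreeRADIUS prints."""
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} does not match {len(data)} bytes on the wire")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                 # Success/Failure carry no Type octet
        return out
    eap_type, payload = data[4], data[5:]
    out["type"] = eap_type
    if eap_type == EAP_TYPE_IDENTITY:
        out["identity"] = payload.decode("ascii")
    elif eap_type == EAP_TYPE_MSCHAPV2:
        out.update(parse_eap_mschapv2(payload))
    elif eap_type == EAP_TYPE_FAST:
        out.update(parse_eap_fast(payload))
    return out


def parse_eap_fast(payload):
    """Outer EAP-FAST payload (RFC 4851 section 4.1): flags octet, optional length, TLS records."""
    flags = payload[0]
    out = {"fast_version": flags & 0x07, "length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40), "start": bool(flags & 0x20)}
    pos = 1
    if out["length_included"]:
        out["message_length"] = struct.unpack("!I", payload[1:5])[0]
        pos = 5
    records = []
    while pos + 5 <= len(payload):     # walk the TLS record headers carried in this fragment
        ctype, version, rlen = struct.unpack("!BHH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + rlen]
        records.append({"content_type": TLS_CONTENT.get(ctype, ctype),
                        "version": TLS_VERSIONS.get(version, hex(version)),
                        "length": rlen, "complete": len(body) == rlen})  # False when fragmented
        pos += 5 + rlen
    out["tls_records"] = records
    return out


def parse_eap_mschapv2(payload):
    """Tunneled EAP-MSCHAPv2 packet: OpCode, MS-CHAPv2-ID, MS-Length, Value-Size, Value, Name."""
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", payload[:5])
    if ms_length != len(payload):
        raise ValueError(f"MS-Length {ms_length} does not match {len(payload)} payload bytes")
    out = {"mschapv2_opcode": MSCHAPV2_OPCODES.get(opcode, opcode), "mschapv2_id": ms_id}
    value, name = payload[5:5 + value_size], payload[5 + value_size:].decode("ascii")
    if opcode == 1 and value_size == 16:      # Challenge: 16-octet server challenge, then server name
        out.update(server_challenge=value.hex(), server_challenge_is_zero=not any(value), name=name)
    elif opcode == 2 and value_size == 49:    # Response: 16 peer challenge, 8 reserved, 24 NT-Response, 1 flags
        peer_challenge, nt_response = value[:16], value[24:48]
        out.update(peer_challenge=peer_challenge.hex(), peer_challenge_is_zero=not any(peer_challenge),
                   nt_response=nt_response.hex(), flags=value[48], name=name)
    else:
        raise ValueError(f"unexpected OpCode {opcode} / Value-Size {value_size}")
    return out


def parse_mschap_error(text):
    """MS-CHAP-Error attribute: one Ident octet, then 'E=<code> R=<retry> C=<challenge> V=3 M=<message>'."""
    fields = dict(kv.split("=", 1) for kv in text[1:].split(" ", 4))
    return {"ident": ord(text[0]), "error": int(fields["E"]), "retry_allowed": fields["R"] == "1",
            "challenge": fields["C"], "version": int(fields["V"]), "message": fields["M"]}


if __name__ == "__main__":
    for label, frame in [("outer ACK (4)", OUTER_ACK), ("outer app data (4)", OUTER_APPDATA),
                         ("inner Identity (5)", INNER_IDENTITY), ("inner Challenge (5)", INNER_CHALLENGE),
                         ("inner Response (6)", INNER_RESPONSE)]:
        print(label, parse_eap(frame))
    print("MS-CHAP-Error", parse_mschap_error(MSCHAP_ERROR))
```

The length checks in parse_eap and parse_eap_mschapv2 are deliberate: a frame whose EAP Length or MS-Length disagrees with the bytes on the wire points at fragmentation or a copy-and-paste error in the log rather than at the credential, and is worth excluding before suspecting the password or the challenge derivation.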