pathfinder8, posted 25 July 2022

Hi all! I'm trying to set up FreeRADIUS for dynamic VLAN assignment when Wi-Fi users connect. There are several Aruba IAP Wi-Fi access points that talk to the RADIUS server. The RADIUS server is FreeRADIUS with the Daloradius GUI. In Daloradius I configured the NAS and a test user who is bound to a profile, and in the profile I specified the reply attributes:

Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := "<required VLAN number>"

The User Connectivity test passes, and the configured attributes are sent by FreeRADIUS in the Sent Access-Accept message. But when the request comes from the address of the Aruba virtual controller with the same login and password of the test user, the debug output shows that FreeRADIUS authorizes the user but sends the Access-Accept without the attributes. The problem seems to be related to EAP. What could be wrong, and how do I configure this correctly?
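Added example (editor's note, not part of the thread and not pathfinder8's configuration): the pieces of a FreeRADIUS 3.0.x configuration that have to line up for reply attributes produced by the sql module to reach the final Access-Accept of a PEAP session. In the Aruba trace posted below, the outer sql lookup runs only on the EAP-NAK request (15896); its Tunnel-* items go out on an Access-Challenge, which the NAS ignores, and every later request returns from `eap` before `sql` is reached, because the default site's authorize section has `eap { ok = return }`. With PEAP the real identity is authenticated in the `inner-tunnel` virtual server, so the lookup has to happen there, and the inner reply has to be copied into the outer `session-state` list, which the default site merges into the reply when it builds the Access-Accept (the `update { ... &session-state: }` step that is visible in the Daloradius trace). Older 3.0 releases did the same job with `use_tunneled_reply = yes` in the `peap` section of `mods-available/eap`; the session-state copy replaces it. Assumptions: the stock `sites-enabled/default` and `sites-enabled/inner-tunnel` files from FreeRADIUS 3.0.20 or later, the `sql` module enabled under `mods-enabled`, and `radcheck`/`radusergroup`/`radgroupreply` rows for the inner identity `test12` as in the trace. Only the sections that matter are shown; the rest of each file stays as shipped.

```unlang
#  /etc/freeradius/3.0/sites-enabled/inner-tunnel   (FreeRADIUS 3.0.x)
#
#  Added example, not the poster's configuration.  Only the sections that
#  matter for dynamic VLAN assignment over PEAP are shown; everything else
#  stays as in the stock file.

server inner-tunnel {

    authorize {
        filter_username
        chap
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files

        #  Look up the tunneled (real) identity in radcheck / radreply /
        #  radusergroup / radgroupreply.  Without this line the VLAN reply
        #  items are never produced for the PEAP session: the outer
        #  "default" server only ever sees the EAP wrapper packets.
        -sql

        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        eap
    }

    post-auth {
        #  Copy the inner reply (Tunnel-Type, Tunnel-Medium-Type,
        #  Tunnel-Private-Group-Id, Aruba-User-Vlan, ...) into the outer
        #  session-state.  The outer server merges session-state into its
        #  reply when it sends the final Access-Accept, so this is the path
        #  by which the attributes leave the TLS tunnel.
        update {
            &outer.session-state: += &reply:
        }

        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
        }
    }
}

#  /etc/freeradius/3.0/sites-enabled/default, post-auth section (stock 3.0.x
#  logic, shown so both halves can be read together).  This is the code that
#  produced the "update { No attributes updated for RHS &session-state: }"
#  lines in the trace; once the inner-tunnel copy above is in place the
#  session-state list is no longer empty at this point.

post-auth {
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
}
```

To verify, run `radiusd -X` (or `freeradius -X` on Debian/Ubuntu) and connect a client through the Aruba SSID: the inner-tunnel's `authorize` section should now show `sql: Tunnel-Type := VLAN` and the other reply items for the tunneled identity, and the block under the final `Sent Access-Accept` line for the outer request should list them, exactly as the Daloradius test above does for the PAP case. Two things in the same trace are worth fixing at the same time, although neither is the cause of the missing attributes. First, the group returns `Tunnel-Private-Group-Id := "84"` together with `Aruba-User-Vlan := 4`; the two should name the same VLAN, otherwise which one the AP honours is left to the vendor's precedence rules. Second, the certificate FreeRADIUS sends in request 15897 decodes to the package's bootstrap test certificate (issuer "Example Inc." / "Root CA", subject "Server Certificate", valid 2022-07-20 to 2022-09-18): it expires after 60 days and is meant only for lab use, so replace it with a server certificate from your own CA, and configure the supplicants to validate that CA, before rolling the SSID out.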
pathfinder8, posted 3 August 2022

Debug output of the test connection from Daloradius:

(15863) Received Access-Request Id 37 from 127.0.0.1:52329 to 127.0.0.1:1812 length 46
(15863) User-Name = "test12"
(15863) User-Password = "test12"
(15863) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15863) authorize {
(15863) policy filter_username {
(15863) if (&User-Name) {
(15863) if (&User-Name) -> TRUE
(15863) if (&User-Name) {
(15863) if (&User-Name =~ / /) {
(15863) if (&User-Name =~ / /) -> FALSE
(15863) if (&User-Name =~ /@[^@]*@/ ) {
(15863) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15863) if (&User-Name =~ /\.\./ ) {
(15863) if (&User-Name =~ /\.\./ ) -> FALSE
(15863) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15863) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15863) if (&User-Name =~ /\.$/) {
(15863) if (&User-Name =~ /\.$/) -> FALSE
(15863) if (&User-Name =~ /@\./) {
(15863) if (&User-Name =~ /@\./) -> FALSE
(15863) } # if (&User-Name) = notfound
(15863) } # policy filter_username = notfound
(15863) [preprocess] = ok
(15863) [chap] = noop
(15863) [mschap] = noop
(15863) [digest] = noop
(15863) suffix: Checking for suffix after "@"
(15863) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15863) suffix: No such realm "NULL"
(15863) [suffix] = noop
(15863) eap: No EAP-Message, not doing EAP
(15863) [eap] = noop
(15863) [files] = noop
(15863) sql: EXPAND %{User-Name}
(15863) sql: --> test12
(15863) sql: SQL-User-Name set to 'test12'
rlm_sql (sql): Reserved connection (5225)
(15863) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(15863) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15863) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15863) sql: User found in radcheck table
(15863) sql: Conditional check items matched, merging assignment check items
(15863) sql: Cleartext-Password := "test12"
(15863) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(15863) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
(15863) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
rlm_sql (sql): Reserved connection (5226)
rlm_sql (sql): Released connection (5226)
Need 7 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5228), 1 of 28 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
(15863) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(15863) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15863) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15863) sql: User found in the group table
(15863) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(15863) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15863) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15863) sql: Group "Dynamic Vlan Assigment": Conditional check items matched
(15863) sql: Group "Dynamic Vlan Assigment": Merging assignment check items
(15863) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(15863) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15863) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15863) sql: Group "Dynamic Vlan Assigment": Merging reply items
(15863) sql: Tunnel-Type := VLAN
(15863) sql: Tunnel-Private-Group-Id := "84"
(15863) sql: Tunnel-Medium-Type := IEEE-802
(15863) sql: Aruba-User-Vlan := 4
(15863) sql: Framed-Protocol = PPP
(15863) sql: Service-Type = Framed-User
rlm_sql (sql): Released connection (5225)
(15863) [sql] = ok
(15863) [expiration] = noop
(15863) [logintime] = noop
(15863) [pap] = updated
(15863) } # authorize = updated
(15863) Found Auth-Type = PAP
(15863) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15863) Auth-Type PAP {
(15863) pap: Login attempt with password
(15863) pap: Comparing with "known good" Cleartext-Password
(15863) pap: User authenticated successfully
(15863) [pap] = ok
(15863) } # Auth-Type PAP = ok
(15863) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(15863) post-auth {
(15863) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(15863) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(15863) update {
(15863) No attributes updated for RHS &session-state:
(15863) } # update = noop
(15863) sql: EXPAND .query
(15863) sql: --> .query
(15863) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5224)
(15863) sql: EXPAND %{User-Name}
(15863) sql: --> test12
(15863) sql: SQL-User-Name set to 'test12'
(15863) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(15863) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', 'test12', 'Access-Accept', '2022-08-03 11:05:59')
(15863) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', 'test12', 'Access-Accept', '2022-08-03 11:05:59')
(15863) sql: SQL query returned: success
(15863) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5224)
(15863) [sql] = ok
(15863) [exec] = noop
(15863) policy remove_reply_message_if_eap {
(15863) if (&reply:EAP-Message && &reply:Reply-Message) {
(15863) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(15863) else {
(15863) [noop] = noop
(15863) } # else = noop
(15863) } # policy remove_reply_message_if_eap = noop
(15863) } # post-auth = ok
(15863) Sent Access-Accept Id 37 from 127.0.0.1:1812 to 127.0.0.1:52329 length 0
(15863) Tunnel-Type = VLAN
(15863) Tunnel-Private-Group-Id = "84"
(15863) Tunnel-Medium-Type = IEEE-802
(15863) Aruba-User-Vlan = 4
(15863) Framed-Protocol = PPP
(15863) Service-Type = Framed-User
(15863) Finished request
Waking up in 4.9 seconds.
(15863) Cleaning up request packet ID 37 with timestamp +751938
Ready to process requests

Debug output of the connection from the Aruba Wi-Fi access points:

(15895) Received Access-Request Id 11 from 10.80.10.100:54194 to 10.80.9.2:1812 length 216
(15895) User-Name = "test12"
(15895) NAS-IP-Address = 10.80.10.100
(15895) NAS-Port = 0
(15895) NAS-Identifier = "10.80.10.159"
(15895) NAS-Port-Type = Wireless-802.11
(15895) Calling-Station-Id = "606ee82d9a34"
(15895) Called-Station-Id = "904c81c63c70"
(15895) Service-Type = Framed-User
(15895) Framed-MTU = 1100
(15895) EAP-Message = 0x0201000b01746573743132
(15895) Aruba-Essid-Name = "TEST-SSID"
(15895) Aruba-Location-Id = "Aruba-AP-5"
(15895) Aruba-AP-Group = "wi-fi-aruba"
(15895) Aruba-Device-Type = "Linux"
(15895) Message-Authenticator = 0x2070d6c1adcc70a413da32e33e8e1f17
(15895) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15895) authorize {
(15895) policy filter_username {
(15895) if (&User-Name) {
(15895) if (&User-Name) -> TRUE
(15895) if (&User-Name) {
(15895) if (&User-Name =~ / /) {
(15895) if (&User-Name =~ / /) -> FALSE
(15895) if (&User-Name =~ /@[^@]*@/ ) {
(15895) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15895) if (&User-Name =~ /\.\./ ) {
(15895) if (&User-Name =~ /\.\./ ) -> FALSE
(15895) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15895) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15895) if (&User-Name =~ /\.$/) {
(15895) if (&User-Name =~ /\.$/) -> FALSE
(15895) if (&User-Name =~ /@\./) {
(15895) if (&User-Name =~ /@\./) -> FALSE
(15895) } # if (&User-Name) = notfound
(15895) } # policy filter_username = notfound
(15895) [preprocess] = ok
(15895) [chap] = noop
(15895) [mschap] = noop
(15895) [digest] = noop
(15895) suffix: Checking for suffix after "@"
(15895) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15895) suffix: No such realm "NULL"
(15895) [suffix] = noop
(15895) eap: Peer sent EAP Response (code 2) ID 1 length 11
(15895) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(15895) [eap] = ok
(15895) } # authorize = ok
(15895) Found Auth-Type = eap
(15895) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15895) authenticate {
(15895) eap: Peer sent packet with method EAP Identity (1)
(15895) eap: Calling submodule eap_tls to process data
(15895) eap_tls: Initiating new TLS session
(15895) eap_tls: Setting verify mode to require certificate from client
(15895) eap_tls: [eaptls start] = request
(15895) eap: Sending EAP Request (code 1) ID 2 length 6
(15895) eap: EAP session adding &reply:State = 0x289e91c1289c9c55
(15895) [eap] = handled
(15895) } # authenticate = handled
(15895) Using Post-Auth-Type Challenge
(15895) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15895) Challenge { ... } # empty sub-section is ignored
(15895) Sent Access-Challenge Id 11 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15895) EAP-Message = 0x010200060d20
(15895) Message-Authenticator = 0x00000000000000000000000000000000
(15895) State = 0x289e91c1289c9c55ee3fc9064da4dff1
(15895) Finished request
Waking up in 4.9 seconds.
(15896) Received Access-Request Id 12 from 10.80.10.100:54194 to 10.80.9.2:1812 length 231
(15896) User-Name = "test12"
(15896) NAS-IP-Address = 10.80.10.100
(15896) NAS-Port = 0
(15896) NAS-Identifier = "10.80.10.159"
(15896) NAS-Port-Type = Wireless-802.11
(15896) Calling-Station-Id = "606ee82d9a34"
(15896) Called-Station-Id = "904c81c63c70"
(15896) Service-Type = Framed-User
(15896) Framed-MTU = 1100
(15896) EAP-Message = 0x0202000803191534
(15896) State = 0x289e91c1289c9c55ee3fc9064da4dff1
(15896) Aruba-Essid-Name = "TEST-SSID"
(15896) Aruba-Location-Id = "Aruba-AP-5"
(15896) Aruba-AP-Group = "wi-fi-aruba"
(15896) Aruba-Device-Type = "Linux"
(15896) Message-Authenticator = 0xe068f9184b5fc9607f8ccce9cd74f20e
(15896) session-state: No cached attributes
(15896) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15896) authorize {
(15896) policy filter_username {
(15896) if (&User-Name) {
(15896) if (&User-Name) -> TRUE
(15896) if (&User-Name) {
(15896) if (&User-Name =~ / /) {
(15896) if (&User-Name =~ / /) -> FALSE
(15896) if (&User-Name =~ /@[^@]*@/ ) {
(15896) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15896) if (&User-Name =~ /\.\./ ) {
(15896) if (&User-Name =~ /\.\./ ) -> FALSE
(15896) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15896) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15896) if (&User-Name =~ /\.$/) {
(15896) if (&User-Name =~ /\.$/) -> FALSE
(15896) if (&User-Name =~ /@\./) {
(15896) if (&User-Name =~ /@\./) -> FALSE
(15896) } # if (&User-Name) = notfound
(15896) } # policy filter_username = notfound
(15896) [preprocess] = ok
(15896) [chap] = noop
(15896) [mschap] = noop
(15896) [digest] = noop
(15896) suffix: Checking for suffix after "@"
(15896) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15896) suffix: No such realm "NULL"
(15896) [suffix] = noop
(15896) eap: Peer sent EAP Response (code 2) ID 2 length 8
(15896) eap: No EAP Start, assuming it's an on-going EAP conversation
(15896) [eap] = updated
(15896) [files] = noop
(15896) sql: EXPAND %{User-Name}
(15896) sql: --> test12
(15896) sql: SQL-User-Name set to 'test12'
rlm_sql (sql): Closing connection (5235): Hit idle_timeout, was idle for 65 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5236): Hit idle_timeout, was idle for 65 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (5234): Hit idle_timeout, was idle for 65 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (5237), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Reserved connection (5237)
(15896) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(15896) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15896) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15896) sql: User found in radcheck table
(15896) sql: Conditional check items matched, merging assignment check items
(15896) sql: Cleartext-Password := "test12"
(15896) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(15896) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
(15896) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
rlm_sql (sql): 1 of 1 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (5238), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
rlm_sql (sql): Reserved connection (5238)
rlm_sql (sql): Released connection (5238)
Need 1 more connections to reach min connections (3)
rlm_sql (sql): Opening additional connection (5239), 1 of 30 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.5.5-10.3.34-MariaDB-0ubuntu0.20.04.1, protocol version 10
(15896) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(15896) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15896) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15896) sql: User found in the group table
(15896) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(15896) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15896) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15896) sql: Group "Dynamic Vlan Assigment": Conditional check items matched
(15896) sql: Group "Dynamic Vlan Assigment": Merging assignment check items
(15896) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(15896) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15896) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15896) sql: Group "Dynamic Vlan Assigment": Merging reply items
(15896) sql: Tunnel-Type := VLAN
(15896) sql: Tunnel-Private-Group-Id := "84"
(15896) sql: Tunnel-Medium-Type := IEEE-802
(15896) sql: Aruba-User-Vlan := 4
(15896) sql: Framed-Protocol = PPP
(15896) sql: Service-Type = Framed-User
rlm_sql (sql): Released connection (5237)
(15896) [sql] = ok
(15896) [expiration] = noop
(15896) [logintime] = noop
(15896) pap: WARNING: Auth-Type already set. Not setting to PAP
(15896) [pap] = noop
(15896) } # authorize = updated
(15896) Found Auth-Type = eap
(15896) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15896) authenticate {
(15896) eap: Expiring EAP session with state 0x289e91c1289c9c55
(15896) eap: Finished EAP session with state 0x289e91c1289c9c55
(15896) eap: Previous EAP request found for state 0x289e91c1289c9c55, released from the list
(15896) eap: Peer sent packet with method EAP NAK (3)
(15896) eap: Found mutually acceptable type PEAP (25)
(15896) eap: Calling submodule eap_peap to process data
(15896) eap_peap: Initiating new TLS session
(15896) eap_peap: [eaptls start] = request
(15896) eap: Sending EAP Request (code 1) ID 3 length 6
(15896) eap: EAP session adding &reply:State = 0x289e91c1299d8855
(15896) [eap] = handled
(15896) } # authenticate = handled
(15896) Using Post-Auth-Type Challenge
(15896) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15896) Challenge { ... } # empty sub-section is ignored
(15896) Sent Access-Challenge Id 12 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15896) Tunnel-Type = VLAN
(15896) Tunnel-Private-Group-Id = "84"
(15896) Tunnel-Medium-Type = IEEE-802
(15896) Aruba-User-Vlan = 4
(15896) Framed-Protocol = PPP
(15896) Service-Type = Framed-User
(15896) EAP-Message = 0x010300061920
(15896) Message-Authenticator = 0x00000000000000000000000000000000
(15896) State = 0x289e91c1299d8855ee3fc9064da4dff1
(15896) Finished request
Waking up in 4.9 seconds.
(15897) Received Access-Request Id 13 from 10.80.10.100:54194 to 10.80.9.2:1812 length 364
(15897) User-Name = "test12"
(15897) NAS-IP-Address = 10.80.10.100
(15897) NAS-Port = 0
(15897) NAS-Identifier = "10.80.10.159"
(15897) NAS-Port-Type = Wireless-802.11
(15897) Calling-Station-Id = "606ee82d9a34"
(15897) Called-Station-Id = "904c81c63c70"
(15897) Service-Type = Framed-User
(15897) Framed-MTU = 1100
(15897) EAP-Message = 0x0203008d198000000083160301007e0100007a03038f20528e95f2f4930f4ac1e380ad72ccb9a12086d7e4159d28f5355cfc1547a700001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201
(15897) State = 0x289e91c1299d8855ee3fc9064da4dff1
(15897) Aruba-Essid-Name = "TEST-SSID"
(15897) Aruba-Location-Id = "Aruba-AP-5"
(15897) Aruba-AP-Group = "wi-fi-aruba"
(15897) Aruba-Device-Type = "Linux"
(15897) Message-Authenticator = 0x20d29198e0ba8de162e713f9f2edece2
(15897) session-state: No cached attributes
(15897) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15897) authorize {
(15897) policy filter_username {
(15897) if (&User-Name) {
(15897) if (&User-Name) -> TRUE
(15897) if (&User-Name) {
(15897) if (&User-Name =~ / /) {
(15897) if (&User-Name =~ / /) -> FALSE
(15897) if (&User-Name =~ /@[^@]*@/ ) {
(15897) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15897) if (&User-Name =~ /\.\./ ) {
(15897) if (&User-Name =~ /\.\./ ) -> FALSE
(15897) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15897) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15897) if (&User-Name =~ /\.$/) {
(15897) if (&User-Name =~ /\.$/) -> FALSE
(15897) if (&User-Name =~ /@\./) {
(15897) if (&User-Name =~ /@\./) -> FALSE
(15897) } # if (&User-Name) = notfound
(15897) } # policy filter_username = notfound
(15897) [preprocess] = ok
(15897) [chap] = noop
(15897) [mschap] = noop
(15897) [digest] = noop
(15897) suffix: Checking for suffix after "@"
(15897) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15897) suffix: No such realm "NULL"
(15897) [suffix] = noop
(15897) eap: Peer sent EAP Response (code 2) ID 3 length 141
(15897) eap: Continuing tunnel setup
(15897) [eap] = ok
(15897) } # authorize = ok
(15897) Found Auth-Type = eap
(15897) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15897) authenticate {
(15897) eap: Expiring EAP session with state 0x289e91c1299d8855
(15897) eap: Finished EAP session with state 0x289e91c1299d8855
(15897) eap: Previous EAP request found for state 0x289e91c1299d8855, released from the list
(15897) eap: Peer sent packet with method EAP PEAP (25)
(15897) eap: Calling submodule eap_peap to process data
(15897) eap_peap: Continuing EAP-TLS
(15897) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(15897) eap_peap: Got complete TLS record (131 bytes)
(15897) eap_peap: [eaptls verify] = length included
(15897) eap_peap: (other): before SSL initialization
(15897) eap_peap: TLS_accept: before SSL initialization
(15897) eap_peap: TLS_accept: before SSL initialization
(15897) eap_peap: <<< recv TLS 1.3 [length 007e]
(15897) eap_peap: TLS_accept: SSLv3/TLS read client hello
(15897) eap_peap: >>> send TLS 1.2 [length 003d]
(15897) eap_peap: TLS_accept: SSLv3/TLS write server hello
(15897) eap_peap: >>> send TLS 1.2 [length 0884]
(15897) eap_peap: TLS_accept: SSLv3/TLS write certificate
(15897) eap_peap: >>> send TLS 1.2 [length 014d]
(15897) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(15897) eap_peap: >>> send TLS 1.2 [length 0004]
(15897) eap_peap: TLS_accept: SSLv3/TLS write server done
(15897) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(15897) eap_peap: TLS - In Handshake Phase
(15897) eap_peap: TLS - got 2598 bytes of data
(15897) eap_peap: [eaptls process] = handled
(15897) eap: Sending EAP Request (code 1) ID 4 length 1004
(15897) eap: EAP session adding &reply:State = 0x289e91c12a9a8855
(15897) [eap] = handled
(15897) } # authenticate = handled
(15897) Using Post-Auth-Type Challenge
(15897) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15897) Challenge { ... } # empty sub-section is ignored
(15897) Sent Access-Challenge Id 13 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15897) EAP-Message = 0x010403ec19c000000a26160303003d0200003903034664f5728092f10356510ec480f05a830c457a3d36a9150422aa99b518ddf64000c02f000011ff01000100000b0004030001020017000016030308840b00088000087d0003bf308203bb308202a3a003020102020101300d06092a864886f70d01010b0500307d310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673110300e06035504030c07526f6f74204341301e170d3232303732303135323030345a170d3232303931383135323030345a3074310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e311b301906035504030c125365727665722043657274696669636174653120301e06092a864886
(15897) Message-Authenticator = 0x00000000000000000000000000000000
(15897) State = 0x289e91c12a9a8855ee3fc9064da4dff1
(15897) Finished request
Waking up in 4.9 seconds.
(15898) Received Access-Request Id 14 from 10.80.10.100:54194 to 10.80.9.2:1812 length 229
(15898) User-Name = "test12"
(15898) NAS-IP-Address = 10.80.10.100
(15898) NAS-Port = 0
(15898) NAS-Identifier = "10.80.10.159"
(15898) NAS-Port-Type = Wireless-802.11
(15898) Calling-Station-Id = "606ee82d9a34"
(15898) Called-Station-Id = "904c81c63c70"
(15898) Service-Type = Framed-User
(15898) Framed-MTU = 1100
(15898) EAP-Message = 0x020400061900
(15898) State = 0x289e91c12a9a8855ee3fc9064da4dff1
(15898) Aruba-Essid-Name = "TEST-SSID"
(15898) Aruba-Location-Id = "Aruba-AP-5"
(15898) Aruba-AP-Group = "wi-fi-aruba"
(15898) Aruba-Device-Type = "Linux"
(15898) Message-Authenticator = 0x4a3e83a9f8189685d37b0503b229da2d
(15898) session-state: No cached attributes
(15898) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15898) authorize {
(15898) policy filter_username {
(15898) if (&User-Name) {
(15898) if (&User-Name) -> TRUE
(15898) if (&User-Name) {
(15898) if (&User-Name =~ / /) {
(15898) if (&User-Name =~ / /) -> FALSE
(15898) if (&User-Name =~ /@[^@]*@/ ) {
(15898) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15898) if (&User-Name =~ /\.\./ ) {
(15898) if (&User-Name =~ /\.\./ ) -> FALSE
(15898) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15898) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15898) if (&User-Name =~ /\.$/) {
(15898) if (&User-Name =~ /\.$/) -> FALSE
(15898) if (&User-Name =~ /@\./) {
(15898) if (&User-Name =~ /@\./) -> FALSE
(15898) } # if (&User-Name) = notfound
(15898) } # policy filter_username = notfound
(15898) [preprocess] = ok
(15898) [chap] = noop
(15898) [mschap] = noop
(15898) [digest] = noop
(15898) suffix: Checking for suffix after "@"
(15898) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15898) suffix: No such realm "NULL"
(15898) [suffix] = noop
(15898) eap: Peer sent EAP Response (code 2) ID 4 length 6
(15898) eap: Continuing tunnel setup
(15898) [eap] = ok
(15898) } # authorize = ok
(15898) Found Auth-Type = eap
(15898) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15898) authenticate {
(15898) eap: Expiring EAP session with state 0x289e91c12a9a8855
(15898) eap: Finished EAP session with state 0x289e91c12a9a8855
(15898) eap: Previous EAP request found for state 0x289e91c12a9a8855, released from the list
(15898) eap: Peer sent packet with method EAP PEAP (25)
(15898) eap: Calling submodule eap_peap to process data
(15898) eap_peap: Continuing EAP-TLS
(15898) eap_peap: Peer ACKed our handshake fragment
(15898) eap_peap: [eaptls verify] = request
(15898) eap_peap: [eaptls process] = handled
(15898) eap: Sending EAP Request (code 1) ID 5 length 1000
(15898) eap: EAP session adding &reply:State = 0x289e91c12b9b8855
(15898) [eap] = handled
(15898) } # authenticate = handled
(15898) Using Post-Auth-Type Challenge
(15898) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15898) Challenge { ... } # empty sub-section is ignored
(15898) Sent Access-Challenge Id 14 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15898) EAP-Message = [value not preserved on the page]
(15898) Message-Authenticator = 0x00000000000000000000000000000000
(15898) State = 0x289e91c12b9b8855ee3fc9064da4dff1
(15898) Finished request
Waking up in 4.9 seconds.
(15899) Received Access-Request Id 15 from 10.80.10.100:54194 to 10.80.9.2:1812 length 229
(15899) User-Name = "test12"
(15899) NAS-IP-Address = 10.80.10.100
(15899) NAS-Port = 0
(15899) NAS-Identifier = "10.80.10.159"
(15899) NAS-Port-Type = Wireless-802.11
(15899) Calling-Station-Id = "606ee82d9a34"
(15899) Called-Station-Id = "904c81c63c70"
(15899) Service-Type = Framed-User
(15899) Framed-MTU = 1100
(15899) EAP-Message = 0x020500061900
(15899) State = 0x289e91c12b9b8855ee3fc9064da4dff1
(15899) Aruba-Essid-Name = "TEST-SSID"
(15899) Aruba-Location-Id = "Aruba-AP-5"
(15899) Aruba-AP-Group = "wi-fi-aruba"
(15899) Aruba-Device-Type = "Linux"
(15899) Message-Authenticator = 0xb4ba1bddb32caf486b262a91b02f7267
(15899) session-state: No cached attributes
(15899) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15899) authorize {
(15899) policy filter_username {
(15899) if (&User-Name) {
(15899) if (&User-Name) -> TRUE
(15899) if (&User-Name) {
(15899) if (&User-Name =~ / /) {
(15899) if (&User-Name =~ / /) -> FALSE
(15899) if (&User-Name =~ /@[^@]*@/ ) {
(15899) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15899) if (&User-Name =~ /\.\./ ) {
(15899) if (&User-Name =~ /\.\./ ) -> FALSE
(15899) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15899) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15899) if (&User-Name =~ /\.$/) {
(15899) if (&User-Name =~ /\.$/) -> FALSE
(15899) if (&User-Name =~ /@\./) {
(15899) if (&User-Name =~ /@\./) -> FALSE
(15899) } # if (&User-Name) = notfound
(15899) } # policy filter_username = notfound
(15899) [preprocess] = ok
(15899) [chap] = noop
(15899) [mschap] = noop
(15899) [digest] = noop
(15899) suffix: Checking for suffix after "@"
(15899) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15899) suffix: No such realm "NULL"
(15899) [suffix] = noop
(15899) eap: Peer sent EAP Response (code 2) ID 5 length 6
(15899) eap: Continuing tunnel setup
(15899) [eap] = ok
(15899) } # authorize = ok
(15899) Found Auth-Type = eap
(15899) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15899) authenticate {
(15899) eap: Expiring EAP session with state 0x289e91c12b9b8855
(15899) eap: Finished EAP session with state 0x289e91c12b9b8855
(15899) eap: Previous EAP request found for state 0x289e91c12b9b8855, released from the list
(15899) eap: Peer sent packet with method EAP PEAP (25)
(15899) eap: Calling submodule eap_peap to process data
(15899) eap_peap: Continuing EAP-TLS
(15899) eap_peap: Peer ACKed our handshake fragment
(15899) eap_peap: [eaptls verify] = request
(15899) eap_peap: [eaptls process] = handled
(15899) eap: Sending EAP Request (code 1) ID 6 length 616
(15899) eap: EAP session adding &reply:State = 0x289e91c12c988855
(15899) [eap] = handled
(15899) } # authenticate = handled
(15899) Using Post-Auth-Type Challenge
(15899) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15899) Challenge { ... } # empty sub-section is ignored
(15899) Sent Access-Challenge Id 15 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15899) EAP-Message = [value not preserved on the page]
(15899) Message-Authenticator = 0x00000000000000000000000000000000
(15899) State = 0x289e91c12c988855ee3fc9064da4dff1
(15899) Finished request
Waking up in 4.8 seconds.
(15900) Received Access-Request Id 16 from 10.80.10.100:54194 to 10.80.9.2:1812 length 359
(15900) User-Name = "test12"
(15900) NAS-IP-Address = 10.80.10.100
(15900) NAS-Port = 0
(15900) NAS-Identifier = "10.80.10.159"
(15900) NAS-Port-Type = Wireless-802.11
(15900) Calling-Station-Id = "606ee82d9a34"
(15900) Called-Station-Id = "904c81c63c70"
(15900) Service-Type = Framed-User
(15900) Framed-MTU = 1100
(15900) EAP-Message = 0x0206008819800000007e160303004610000042410447484a7b932cd1d2d24b535cd2e1abb4f00b023385311c034d942b03fb12f12499a8b327ba9daec659966266b7e2fc74820e0df2d78f3037164c890374e33a0f14030300010116030300280000000000000000a78df3082aaf6b7856e4ced0f0537f7130ceaab22faf1d3270258d426e901aae
(15900) State = 0x289e91c12c988855ee3fc9064da4dff1
(15900) Aruba-Essid-Name = "TEST-SSID"
(15900) Aruba-Location-Id = "Aruba-AP-5"
(15900) Aruba-AP-Group = "wi-fi-aruba"
(15900) Aruba-Device-Type = "Linux"
(15900) Message-Authenticator = 0x3d9e9c3e404ab0cebe5b8c32aa33ad5d
(15900) session-state: No cached attributes
(15900) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15900) authorize {
(15900) policy filter_username {
(15900) if (&User-Name) {
(15900) if (&User-Name) -> TRUE
(15900) if (&User-Name) {
(15900) if (&User-Name =~ / /) {
(15900) if (&User-Name =~ / /) -> FALSE
(15900) if (&User-Name =~ /@[^@]*@/ ) {
(15900) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15900) if (&User-Name =~ /\.\./ ) {
(15900) if (&User-Name =~ /\.\./ ) -> FALSE
(15900) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15900) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15900) if (&User-Name =~ /\.$/) {
(15900) if (&User-Name =~ /\.$/) -> FALSE
(15900) if (&User-Name =~ /@\./) {
(15900) if (&User-Name =~ /@\./) -> FALSE
(15900) } # if (&User-Name) = notfound
(15900) } # policy filter_username = notfound
(15900) [preprocess] = ok
(15900) [chap] = noop
(15900) [mschap] = noop
(15900) [digest] = noop
(15900) suffix: Checking for suffix after "@"
(15900) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15900) suffix: No such realm "NULL"
(15900) [suffix] = noop
(15900) eap: Peer sent EAP Response (code 2) ID 6 length 136
(15900) eap: Continuing tunnel setup
(15900) [eap] = ok
(15900) } # authorize = ok
(15900) Found Auth-Type = eap
(15900) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15900) authenticate {
(15900) eap: Expiring EAP session with state 0x289e91c12c988855
(15900) eap: Finished EAP session with state 0x289e91c12c988855
(15900) eap: Previous EAP request found for state 0x289e91c12c988855, released from the list
(15900) eap: Peer sent packet with method EAP PEAP (25)
(15900) eap: Calling submodule eap_peap to process data
(15900) eap_peap: Continuing EAP-TLS
(15900) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(15900) eap_peap: Got complete TLS record (126 bytes)
(15900) eap_peap: [eaptls verify] = length included
(15900) eap_peap: TLS_accept: SSLv3/TLS write server done
(15900) eap_peap: <<< recv TLS 1.2 [length 0046]
(15900) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(15900) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(15900) eap_peap: <<< recv TLS 1.2 [length 0010]
(15900) eap_peap: TLS_accept: SSLv3/TLS read finished
(15900) eap_peap: >>> send TLS 1.2 [length 0001]
(15900) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(15900) eap_peap: >>> send TLS 1.2 [length 0010]
(15900) eap_peap: TLS_accept: SSLv3/TLS write finished
(15900) eap_peap: (other): SSL negotiation finished successfully
(15900) eap_peap: TLS - Connection Established
(15900) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(15900) eap_peap: TLS-Session-Version = "TLS 1.2"
(15900) eap_peap: TLS - got 51 bytes of data
(15900) eap_peap: [eaptls process] = handled
(15900) eap: Sending EAP Request (code 1) ID 7 length 57
(15900) eap: EAP session adding &reply:State = 0x289e91c12d998855
(15900) [eap] = handled
(15900) } # authenticate = handled
(15900) Using Post-Auth-Type Challenge
(15900) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15900) Challenge { ... } # empty sub-section is ignored
(15900) session-state: Saving cached attributes
(15900) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(15900) TLS-Session-Version = "TLS 1.2"
(15900) Sent Access-Challenge Id 16 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15900) EAP-Message = 0x010700391900140303000101160303002819c13e2fff220621a335d0669ef6f7905e59188195ebc0d240092475d7576163021c4526ce753c76
(15900) Message-Authenticator = 0x00000000000000000000000000000000
(15900) State = 0x289e91c12d998855ee3fc9064da4dff1
(15900) Finished request
Waking up in 4.8 seconds.
(15901) Received Access-Request Id 17 from 10.80.10.100:54194 to 10.80.9.2:1812 length 229
(15901) User-Name = "test12"
(15901) NAS-IP-Address = 10.80.10.100
(15901) NAS-Port = 0
(15901) NAS-Identifier = "10.80.10.159"
(15901) NAS-Port-Type = Wireless-802.11
(15901) Calling-Station-Id = "606ee82d9a34"
(15901) Called-Station-Id = "904c81c63c70"
(15901) Service-Type = Framed-User
(15901) Framed-MTU = 1100
(15901) EAP-Message = 0x020700061900
(15901) State = 0x289e91c12d998855ee3fc9064da4dff1
(15901) Aruba-Essid-Name = "TEST-SSID"
(15901) Aruba-Location-Id = "Aruba-AP-5"
(15901) Aruba-AP-Group = "wi-fi-aruba"
(15901) Aruba-Device-Type = "Linux"
(15901) Message-Authenticator = 0x06925ed0038a088ba618f0fb68f5ce16
(15901) Restoring &session-state
(15901) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(15901) &session-state:TLS-Session-Version = "TLS 1.2"
(15901) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15901) authorize {
(15901) policy filter_username {
(15901) if (&User-Name) {
(15901) if (&User-Name) -> TRUE
(15901) if (&User-Name) {
(15901) if (&User-Name =~ / /) {
(15901) if (&User-Name =~ / /) -> FALSE
(15901) if (&User-Name =~ /@[^@]*@/ ) {
(15901)
if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15901) if (&User-Name =~ /\.\./ ) { (15901) if (&User-Name =~ /\.\./ ) -> FALSE (15901) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15901) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15901) if (&User-Name =~ /\.$/) { (15901) if (&User-Name =~ /\.$/) -> FALSE (15901) if (&User-Name =~ /@\./) { (15901) if (&User-Name =~ /@\./) -> FALSE (15901) } # if (&User-Name) = notfound (15901) } # policy filter_username = notfound (15901) [preprocess] = ok (15901) [chap] = noop (15901) [mschap] = noop (15901) [digest] = noop (15901) suffix: Checking for suffix after "@" (15901) suffix: No '@' in User-Name = "test12", looking up realm NULL (15901) suffix: No such realm "NULL" (15901) [suffix] = noop (15901) eap: Peer sent EAP Response (code 2) ID 7 length 6 (15901) eap: Continuing tunnel setup (15901) [eap] = ok (15901) } # authorize = ok (15901) Found Auth-Type = eap (15901) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15901) authenticate { (15901) eap: Expiring EAP session with state 0x289e91c12d998855 (15901) eap: Finished EAP session with state 0x289e91c12d998855 (15901) eap: Previous EAP request found for state 0x289e91c12d998855, released from the list (15901) eap: Peer sent packet with method EAP PEAP (25) (15901) eap: Calling submodule eap_peap to process data (15901) eap_peap: Continuing EAP-TLS (15901) eap_peap: Peer ACKed our handshake fragment. handshake is finished (15901) eap_peap: [eaptls verify] = success (15901) eap_peap: [eaptls process] = success (15901) eap_peap: Session established. 
Decoding tunneled attributes (15901) eap_peap: PEAP state TUNNEL ESTABLISHED (15901) eap: Sending EAP Request (code 1) ID 8 length 40 (15901) eap: EAP session adding &reply:State = 0x289e91c12e968855 (15901) [eap] = handled (15901) } # authenticate = handled (15901) Using Post-Auth-Type Challenge (15901) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15901) Challenge { ... } # empty sub-section is ignored (15901) session-state: Saving cached attributes (15901) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15901) TLS-Session-Version = "TLS 1.2" (15901) Sent Access-Challenge Id 17 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0 (15901) EAP-Message = 0x010800281900170303001d19c13e2fff220622de4e7225f9b7aa765da3b80f3eb9f1d255753fff00 (15901) Message-Authenticator = 0x00000000000000000000000000000000 (15901) State = 0x289e91c12e968855ee3fc9064da4dff1 (15901) Finished request Waking up in 4.7 seconds. (15902) Received Access-Request Id 18 from 10.80.10.100:54194 to 10.80.9.2:1812 length 265 (15902) User-Name = "test12" (15902) NAS-IP-Address = 10.80.10.100 (15902) NAS-Port = 0 (15902) NAS-Identifier = "10.80.10.159" (15902) NAS-Port-Type = Wireless-802.11 (15902) Calling-Station-Id = "606ee82d9a34" (15902) Called-Station-Id = "904c81c63c70" (15902) Service-Type = Framed-User (15902) Framed-MTU = 1100 (15902) EAP-Message = 0x0208002a1900170303001f00000000000000011284c0b264680a099d48462559ff66da636779115801c7 (15902) State = 0x289e91c12e968855ee3fc9064da4dff1 (15902) Aruba-Essid-Name = "TEST-SSID" (15902) Aruba-Location-Id = "Aruba-AP-5" (15902) Aruba-AP-Group = "wi-fi-aruba" (15902) Aruba-Device-Type = "Linux" (15902) Message-Authenticator = 0x2c9a4a2a7790084bb4029be16c541a99 (15902) Restoring &session-state (15902) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15902) &session-state:TLS-Session-Version = "TLS 1.2" (15902) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default 
(15902) authorize { (15902) policy filter_username { (15902) if (&User-Name) { (15902) if (&User-Name) -> TRUE (15902) if (&User-Name) { (15902) if (&User-Name =~ / /) { (15902) if (&User-Name =~ / /) -> FALSE (15902) if (&User-Name =~ /@[^@]*@/ ) { (15902) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15902) if (&User-Name =~ /\.\./ ) { (15902) if (&User-Name =~ /\.\./ ) -> FALSE (15902) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15902) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15902) if (&User-Name =~ /\.$/) { (15902) if (&User-Name =~ /\.$/) -> FALSE (15902) if (&User-Name =~ /@\./) { (15902) if (&User-Name =~ /@\./) -> FALSE (15902) } # if (&User-Name) = notfound (15902) } # policy filter_username = notfound (15902) [preprocess] = ok (15902) [chap] = noop (15902) [mschap] = noop (15902) [digest] = noop (15902) suffix: Checking for suffix after "@" (15902) suffix: No '@' in User-Name = "test12", looking up realm NULL (15902) suffix: No such realm "NULL" (15902) [suffix] = noop (15902) eap: Peer sent EAP Response (code 2) ID 8 length 42 (15902) eap: Continuing tunnel setup (15902) [eap] = ok (15902) } # authorize = ok (15902) Found Auth-Type = eap (15902) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15902) authenticate { (15902) eap: Expiring EAP session with state 0x289e91c12e968855 (15902) eap: Finished EAP session with state 0x289e91c12e968855 (15902) eap: Previous EAP request found for state 0x289e91c12e968855, released from the list (15902) eap: Peer sent packet with method EAP PEAP (25) (15902) eap: Calling submodule eap_peap to process data (15902) eap_peap: Continuing EAP-TLS (15902) eap_peap: [eaptls verify] = ok (15902) eap_peap: Done initial handshake (15902) eap_peap: [eaptls process] = ok (15902) eap_peap: Session established. 
Decoding tunneled attributes (15902) eap_peap: PEAP state WAITING FOR INNER IDENTITY (15902) eap_peap: Identity - test12 (15902) eap_peap: Got inner identity 'test12' (15902) eap_peap: Setting default EAP type for tunneled EAP session (15902) eap_peap: Got tunneled request (15902) eap_peap: EAP-Message = 0x0208000b01746573743132 (15902) eap_peap: Setting User-Name to test12 (15902) eap_peap: Sending tunneled request to inner-tunnel (15902) eap_peap: EAP-Message = 0x0208000b01746573743132 (15902) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (15902) eap_peap: User-Name = "test12" (15902) Virtual server inner-tunnel received request (15902) EAP-Message = 0x0208000b01746573743132 (15902) FreeRADIUS-Proxied-To = 127.0.0.1 (15902) User-Name = "test12" (15902) WARNING: Outer and inner identities are the same. User privacy is compromised. (15902) server inner-tunnel { (15902) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15902) authorize { (15902) policy filter_username { (15902) if (&User-Name) { (15902) if (&User-Name) -> TRUE (15902) if (&User-Name) { (15902) if (&User-Name =~ / /) { (15902) if (&User-Name =~ / /) -> FALSE (15902) if (&User-Name =~ /@[^@]*@/ ) { (15902) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15902) if (&User-Name =~ /\.\./ ) { (15902) if (&User-Name =~ /\.\./ ) -> FALSE (15902) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15902) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15902) if (&User-Name =~ /\.$/) { (15902) if (&User-Name =~ /\.$/) -> FALSE (15902) if (&User-Name =~ /@\./) { (15902) if (&User-Name =~ /@\./) -> FALSE (15902) } # if (&User-Name) = notfound (15902) } # policy filter_username = notfound (15902) [chap] = noop (15902) [mschap] = noop (15902) suffix: Checking for suffix after "@" (15902) suffix: No '@' in User-Name = "test12", looking up realm NULL (15902) suffix: No such realm "NULL" (15902) [suffix] = noop (15902) update control { (15902) 
&Proxy-To-Realm := LOCAL (15902) } # update control = noop (15902) eap: Peer sent EAP Response (code 2) ID 8 length 11 (15902) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (15902) [eap] = ok (15902) } # authorize = ok (15902) Found Auth-Type = eap (15902) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15902) authenticate { (15902) eap: Peer sent packet with method EAP Identity (1) (15902) eap: Calling submodule eap_mschapv2 to process data (15902) eap_mschapv2: Issuing Challenge (15902) eap: Sending EAP Request (code 1) ID 9 length 43 (15902) eap: EAP session adding &reply:State = 0x7e33b8807e3aa23b (15902) [eap] = handled (15902) } # authenticate = handled (15902) } # server inner-tunnel (15902) Virtual server sending reply (15902) EAP-Message = 0x0109002b1a0109002610429c6c01e396762acefc3105c20366e6667265657261646975732d332e302e3230 (15902) Message-Authenticator = 0x00000000000000000000000000000000 (15902) State = 0x7e33b8807e3aa23bd4880a649b237942 (15902) eap_peap: Got tunneled reply code 11 (15902) eap_peap: EAP-Message = 0x0109002b1a0109002610429c6c01e396762acefc3105c20366e6667265657261646975732d332e302e3230 (15902) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15902) eap_peap: State = 0x7e33b8807e3aa23bd4880a649b237942 (15902) eap_peap: Got tunneled reply RADIUS code 11 (15902) eap_peap: EAP-Message = 0x0109002b1a0109002610429c6c01e396762acefc3105c20366e6667265657261646975732d332e302e3230 (15902) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15902) eap_peap: State = 0x7e33b8807e3aa23bd4880a649b237942 (15902) eap_peap: Got tunneled Access-Challenge (15902) eap: Sending EAP Request (code 1) ID 9 length 74 (15902) eap: EAP session adding &reply:State = 0x289e91c12f978855 (15902) [eap] = handled (15902) } # authenticate = handled (15902) Using Post-Auth-Type Challenge (15902) # Executing group from file /etc/freeradius/3.0/sites-enabled/default 
(15902) Challenge { ... } # empty sub-section is ignored (15902) session-state: Saving cached attributes (15902) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15902) TLS-Session-Version = "TLS 1.2" (15902) Sent Access-Challenge Id 18 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0 (15902) EAP-Message = 0x0109004a1900170303003f19c13e2fff2206238a1fddfa73d945dd6949627be3a0c0ffe6a0684fb8c1dd2b456ceab423f60e84bdaf73d7aa702a599ee4814b47b33a1ee491c36e0a7584 (15902) Message-Authenticator = 0x00000000000000000000000000000000 (15902) State = 0x289e91c12f978855ee3fc9064da4dff1 (15902) Finished request Waking up in 4.7 seconds. (15903) Received Access-Request Id 19 from 10.80.10.100:54194 to 10.80.9.2:1812 length 319 (15903) User-Name = "test12" (15903) NAS-IP-Address = 10.80.10.100 (15903) NAS-Port = 0 (15903) NAS-Identifier = "10.80.10.159" (15903) NAS-Port-Type = Wireless-802.11 (15903) Calling-Station-Id = "606ee82d9a34" (15903) Called-Station-Id = "904c81c63c70" (15903) Service-Type = Framed-User (15903) Framed-MTU = 1100 (15903) EAP-Message = 0x020900601900170303005500000000000000028543f6e3255f6fea8088850354474c668f458aec461ff545516d11c0096cf9adcb3fa34a321c5026b7e548667dfc11ee3bebf2479cb8dbe58b8924f707aad3f1b43dcf90fdb1c74dd60cf59cb5 (15903) State = 0x289e91c12f978855ee3fc9064da4dff1 (15903) Aruba-Essid-Name = "TEST-SSID" (15903) Aruba-Location-Id = "Aruba-AP-5" (15903) Aruba-AP-Group = "wi-fi-aruba" (15903) Aruba-Device-Type = "Linux" (15903) Message-Authenticator = 0x7a8dcbd0f05e6442e2695144b060992e (15903) Restoring &session-state (15903) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15903) &session-state:TLS-Session-Version = "TLS 1.2" (15903) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15903) authorize { (15903) policy filter_username { (15903) if (&User-Name) { (15903) if (&User-Name) -> TRUE (15903) if (&User-Name) { (15903) if (&User-Name =~ / /) { (15903) if (&User-Name =~ / /) -> 
FALSE (15903) if (&User-Name =~ /@[^@]*@/ ) { (15903) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15903) if (&User-Name =~ /\.\./ ) { (15903) if (&User-Name =~ /\.\./ ) -> FALSE (15903) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15903) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15903) if (&User-Name =~ /\.$/) { (15903) if (&User-Name =~ /\.$/) -> FALSE (15903) if (&User-Name =~ /@\./) { (15903) if (&User-Name =~ /@\./) -> FALSE (15903) } # if (&User-Name) = notfound (15903) } # policy filter_username = notfound (15903) [preprocess] = ok (15903) [chap] = noop (15903) [mschap] = noop (15903) [digest] = noop (15903) suffix: Checking for suffix after "@" (15903) suffix: No '@' in User-Name = "test12", looking up realm NULL (15903) suffix: No such realm "NULL" (15903) [suffix] = noop (15903) eap: Peer sent EAP Response (code 2) ID 9 length 96 (15903) eap: Continuing tunnel setup (15903) [eap] = ok (15903) } # authorize = ok (15903) Found Auth-Type = eap (15903) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15903) authenticate { (15903) eap: Expiring EAP session with state 0x7e33b8807e3aa23b (15903) eap: Finished EAP session with state 0x289e91c12f978855 (15903) eap: Previous EAP request found for state 0x289e91c12f978855, released from the list (15903) eap: Peer sent packet with method EAP PEAP (25) (15903) eap: Calling submodule eap_peap to process data (15903) eap_peap: Continuing EAP-TLS (15903) eap_peap: [eaptls verify] = ok (15903) eap_peap: Done initial handshake (15903) eap_peap: [eaptls process] = ok (15903) eap_peap: Session established. 
Decoding tunneled attributes (15903) eap_peap: PEAP state phase2 (15903) eap_peap: EAP method MSCHAPv2 (26) (15903) eap_peap: Got tunneled request (15903) eap_peap: EAP-Message = 0x020900411a0209003c31438d8be50c45d72f5946ba7b788ce72200000000000000000bfccac378426204acb770979598b757a4473a2f24cd268400746573743132 (15903) eap_peap: Setting User-Name to test12 (15903) eap_peap: Sending tunneled request to inner-tunnel (15903) eap_peap: EAP-Message = 0x020900411a0209003c31438d8be50c45d72f5946ba7b788ce72200000000000000000bfccac378426204acb770979598b757a4473a2f24cd268400746573743132 (15903) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (15903) eap_peap: User-Name = "test12" (15903) eap_peap: State = 0x7e33b8807e3aa23bd4880a649b237942 (15903) Virtual server inner-tunnel received request (15903) EAP-Message = 0x020900411a0209003c31438d8be50c45d72f5946ba7b788ce72200000000000000000bfccac378426204acb770979598b757a4473a2f24cd268400746573743132 (15903) FreeRADIUS-Proxied-To = 127.0.0.1 (15903) User-Name = "test12" (15903) State = 0x7e33b8807e3aa23bd4880a649b237942 (15903) WARNING: Outer and inner identities are the same. User privacy is compromised. 
(15903) server inner-tunnel { (15903) session-state: No cached attributes (15903) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15903) authorize { (15903) policy filter_username { (15903) if (&User-Name) { (15903) if (&User-Name) -> TRUE (15903) if (&User-Name) { (15903) if (&User-Name =~ / /) { (15903) if (&User-Name =~ / /) -> FALSE (15903) if (&User-Name =~ /@[^@]*@/ ) { (15903) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15903) if (&User-Name =~ /\.\./ ) { (15903) if (&User-Name =~ /\.\./ ) -> FALSE (15903) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15903) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15903) if (&User-Name =~ /\.$/) { (15903) if (&User-Name =~ /\.$/) -> FALSE (15903) if (&User-Name =~ /@\./) { (15903) if (&User-Name =~ /@\./) -> FALSE (15903) } # if (&User-Name) = notfound (15903) } # policy filter_username = notfound (15903) [chap] = noop (15903) [mschap] = noop (15903) suffix: Checking for suffix after "@" (15903) suffix: No '@' in User-Name = "test12", looking up realm NULL (15903) suffix: No such realm "NULL" (15903) [suffix] = noop (15903) update control { (15903) &Proxy-To-Realm := LOCAL (15903) } # update control = noop (15903) eap: Peer sent EAP Response (code 2) ID 9 length 65 (15903) eap: No EAP Start, assuming it's an on-going EAP conversation (15903) [eap] = updated (15903) [files] = noop (15903) sql: EXPAND %{User-Name} (15903) sql: --> test12 (15903) sql: SQL-User-Name set to 'test12' rlm_sql (sql): Reserved connection (5237) (15903) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (15903) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id (15903) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id (15903) sql: User found in radcheck table (15903) sql: Conditional 
check items matched, merging assignment check items (15903) sql: Cleartext-Password := "test12" (15903) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (15903) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id (15903) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id rlm_sql (sql): Reserved connection (5238) rlm_sql (sql): Released connection (5238) (15903) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (15903) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority (15903) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority (15903) sql: User found in the group table (15903) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (15903) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id (15903) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id (15903) sql: Group "Dynamic Vlan Assigment": Conditional check items matched (15903) sql: Group "Dynamic Vlan Assigment": Merging assignment check items (15903) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (15903) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id (15903) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id (15903) sql: Group "Dynamic Vlan Assigment": Merging reply items (15903) sql: Tunnel-Type := VLAN (15903) 
sql: Tunnel-Private-Group-Id := "84" (15903) sql: Tunnel-Medium-Type := IEEE-802 (15903) sql: Aruba-User-Vlan := 4 (15903) sql: Framed-Protocol = PPP (15903) sql: Service-Type = Framed-User rlm_sql (sql): Released connection (5237) (15903) [sql] = ok (15903) [expiration] = noop (15903) [logintime] = noop (15903) pap: WARNING: Auth-Type already set. Not setting to PAP (15903) [pap] = noop (15903) } # authorize = updated (15903) Found Auth-Type = eap (15903) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15903) authenticate { (15903) eap: Expiring EAP session with state 0x7e33b8807e3aa23b (15903) eap: Finished EAP session with state 0x7e33b8807e3aa23b (15903) eap: Previous EAP request found for state 0x7e33b8807e3aa23b, released from the list (15903) eap: Peer sent packet with method EAP MSCHAPv2 (26) (15903) eap: Calling submodule eap_mschapv2 to process data (15903) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel (15903) eap_mschapv2: authenticate { (15903) mschap: Found Cleartext-Password, hashing to create NT-Password (15903) mschap: Creating challenge hash with username: test12 (15903) mschap: Client is using MS-CHAPv2 (15903) mschap: Adding MS-CHAPv2 MPPE keys (15903) eap_mschapv2: [mschap] = ok (15903) eap_mschapv2: } # authenticate = ok (15903) eap_mschapv2: MSCHAP Success (15903) eap: Sending EAP Request (code 1) ID 10 length 51 (15903) eap: EAP session adding &reply:State = 0x7e33b8807f39a23b (15903) [eap] = handled (15903) } # authenticate = handled (15903) } # server inner-tunnel (15903) Virtual server sending reply (15903) Tunnel-Type = VLAN (15903) Tunnel-Private-Group-Id = "84" (15903) Tunnel-Medium-Type = IEEE-802 (15903) Aruba-User-Vlan = 4 (15903) Framed-Protocol = PPP (15903) Service-Type = Framed-User (15903) EAP-Message = 0x010a00331a0309002e533d30313242364437413046393831313134313337453638353132443345373944454432443839374431 (15903) Message-Authenticator = 
0x00000000000000000000000000000000 (15903) State = 0x7e33b8807f39a23bd4880a649b237942 (15903) eap_peap: Got tunneled reply code 11 (15903) eap_peap: Tunnel-Type = VLAN (15903) eap_peap: Tunnel-Private-Group-Id = "84" (15903) eap_peap: Tunnel-Medium-Type = IEEE-802 (15903) eap_peap: Aruba-User-Vlan = 4 (15903) eap_peap: Framed-Protocol = PPP (15903) eap_peap: Service-Type = Framed-User (15903) eap_peap: EAP-Message = 0x010a00331a0309002e533d30313242364437413046393831313134313337453638353132443345373944454432443839374431 (15903) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15903) eap_peap: State = 0x7e33b8807f39a23bd4880a649b237942 (15903) eap_peap: Got tunneled reply RADIUS code 11 (15903) eap_peap: Tunnel-Type = VLAN (15903) eap_peap: Tunnel-Private-Group-Id = "84" (15903) eap_peap: Tunnel-Medium-Type = IEEE-802 (15903) eap_peap: Aruba-User-Vlan = 4 (15903) eap_peap: Framed-Protocol = PPP (15903) eap_peap: Service-Type = Framed-User (15903) eap_peap: EAP-Message = 0x010a00331a0309002e533d30313242364437413046393831313134313337453638353132443345373944454432443839374431 (15903) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (15903) eap_peap: State = 0x7e33b8807f39a23bd4880a649b237942 (15903) eap_peap: Got tunneled Access-Challenge (15903) eap: Sending EAP Request (code 1) ID 10 length 82 (15903) eap: EAP session adding &reply:State = 0x289e91c120948855 (15903) [eap] = handled (15903) } # authenticate = handled (15903) Using Post-Auth-Type Challenge (15903) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15903) Challenge { ... 
} # empty sub-section is ignored (15903) session-state: Saving cached attributes (15903) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15903) TLS-Session-Version = "TLS 1.2" (15903) Sent Access-Challenge Id 19 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0 (15903) EAP-Message = 0x010a00521900170303004719c13e2fff220624798095d1afce280bb0d592ed6c78cae92c888d08cdfe66f496870783feb68249a45da15ffc51884ceea5a864c6a76107d325bf92e527f7f7650e375a908980 (15903) Message-Authenticator = 0x00000000000000000000000000000000 (15903) State = 0x289e91c120948855ee3fc9064da4dff1 (15903) Finished request Waking up in 4.7 seconds. (15904) Received Access-Request Id 20 from 10.80.10.100:54194 to 10.80.9.2:1812 length 260 (15904) User-Name = "test12" (15904) NAS-IP-Address = 10.80.10.100 (15904) NAS-Port = 0 (15904) NAS-Identifier = "10.80.10.159" (15904) NAS-Port-Type = Wireless-802.11 (15904) Calling-Station-Id = "606ee82d9a34" (15904) Called-Station-Id = "904c81c63c70" (15904) Service-Type = Framed-User (15904) Framed-MTU = 1100 (15904) EAP-Message = 0x020a00251900170303001a0000000000000003938868900849962335a47efe530c2fe42119 (15904) State = 0x289e91c120948855ee3fc9064da4dff1 (15904) Aruba-Essid-Name = "TEST-SSID" (15904) Aruba-Location-Id = "Aruba-AP-5" (15904) Aruba-AP-Group = "wi-fi-aruba" (15904) Aruba-Device-Type = "Linux" (15904) Message-Authenticator = 0x099ec4c0fbcfeb0cec576111734e7bf3 (15904) Restoring &session-state (15904) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (15904) &session-state:TLS-Session-Version = "TLS 1.2" (15904) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (15904) authorize { (15904) policy filter_username { (15904) if (&User-Name) { (15904) if (&User-Name) -> TRUE (15904) if (&User-Name) { (15904) if (&User-Name =~ / /) { (15904) if (&User-Name =~ / /) -> FALSE (15904) if (&User-Name =~ /@[^@]*@/ ) { (15904) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15904) if (&User-Name =~ /\.\./ ) 
{ (15904) if (&User-Name =~ /\.\./ ) -> FALSE (15904) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15904) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15904) if (&User-Name =~ /\.$/) { (15904) if (&User-Name =~ /\.$/) -> FALSE (15904) if (&User-Name =~ /@\./) { (15904) if (&User-Name =~ /@\./) -> FALSE (15904) } # if (&User-Name) = notfound (15904) } # policy filter_username = notfound (15904) [preprocess] = ok (15904) [chap] = noop (15904) [mschap] = noop (15904) [digest] = noop (15904) suffix: Checking for suffix after "@" (15904) suffix: No '@' in User-Name = "test12", looking up realm NULL (15904) suffix: No such realm "NULL" (15904) [suffix] = noop (15904) eap: Peer sent EAP Response (code 2) ID 10 length 37 (15904) eap: Continuing tunnel setup (15904) [eap] = ok (15904) } # authorize = ok (15904) Found Auth-Type = eap (15904) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (15904) authenticate { (15904) eap: Expiring EAP session with state 0x7e33b8807f39a23b (15904) eap: Finished EAP session with state 0x289e91c120948855 (15904) eap: Previous EAP request found for state 0x289e91c120948855, released from the list (15904) eap: Peer sent packet with method EAP PEAP (25) (15904) eap: Calling submodule eap_peap to process data (15904) eap_peap: Continuing EAP-TLS (15904) eap_peap: [eaptls verify] = ok (15904) eap_peap: Done initial handshake (15904) eap_peap: [eaptls process] = ok (15904) eap_peap: Session established. 
Decoding tunneled attributes
(15904) eap_peap: PEAP state phase2
(15904) eap_peap: EAP method MSCHAPv2 (26)
(15904) eap_peap: Got tunneled request
(15904) eap_peap: EAP-Message = 0x020a00061a03
(15904) eap_peap: Setting User-Name to test12
(15904) eap_peap: Sending tunneled request to inner-tunnel
(15904) eap_peap: EAP-Message = 0x020a00061a03
(15904) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(15904) eap_peap: User-Name = "test12"
(15904) eap_peap: State = 0x7e33b8807f39a23bd4880a649b237942
(15904) Virtual server inner-tunnel received request
(15904) EAP-Message = 0x020a00061a03
(15904) FreeRADIUS-Proxied-To = 127.0.0.1
(15904) User-Name = "test12"
(15904) State = 0x7e33b8807f39a23bd4880a649b237942
(15904) WARNING: Outer and inner identities are the same. User privacy is compromised.
(15904) server inner-tunnel {
(15904) session-state: No cached attributes
(15904) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15904) authorize {
(15904) policy filter_username {
(15904) if (&User-Name) {
(15904) if (&User-Name) -> TRUE
(15904) if (&User-Name) {
(15904) if (&User-Name =~ / /) {
(15904) if (&User-Name =~ / /) -> FALSE
(15904) if (&User-Name =~ /@[^@]*@/ ) {
(15904) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15904) if (&User-Name =~ /\.\./ ) {
(15904) if (&User-Name =~ /\.\./ ) -> FALSE
(15904) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15904) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15904) if (&User-Name =~ /\.$/) {
(15904) if (&User-Name =~ /\.$/) -> FALSE
(15904) if (&User-Name =~ /@\./) {
(15904) if (&User-Name =~ /@\./) -> FALSE
(15904) } # if (&User-Name) = notfound
(15904) } # policy filter_username = notfound
(15904) [chap] = noop
(15904) [mschap] = noop
(15904) suffix: Checking for suffix after "@"
(15904) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15904) suffix: No such realm "NULL"
(15904) [suffix] = noop
(15904) update control {
(15904) &Proxy-To-Realm := LOCAL
(15904) } # update control = noop
(15904) eap: Peer sent EAP Response (code 2) ID 10 length 6
(15904) eap: No EAP Start, assuming it's an on-going EAP conversation
(15904) [eap] = updated
(15904) [files] = noop
(15904) sql: EXPAND %{User-Name}
(15904) sql: --> test12
(15904) sql: SQL-User-Name set to 'test12'
rlm_sql (sql): Reserved connection (5239)
(15904) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(15904) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15904) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test12' ORDER BY id
(15904) sql: User found in radcheck table
(15904) sql: Conditional check items matched, merging assignment check items
(15904) sql: Cleartext-Password := "test12"
(15904) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(15904) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
(15904) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test12' ORDER BY id
rlm_sql (sql): Reserved connection (5237)
rlm_sql (sql): Released connection (5237)
(15904) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(15904) sql: --> SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15904) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test12' ORDER BY priority
(15904) sql: User found in the group table
(15904) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id
(15904) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15904) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15904) sql: Group "Dynamic Vlan Assigment": Conditional check items matched
(15904) sql: Group "Dynamic Vlan Assigment": Merging assignment check items
(15904) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id
(15904) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15904) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Dynamic Vlan Assigment' ORDER BY id
(15904) sql: Group "Dynamic Vlan Assigment": Merging reply items
(15904) sql: Tunnel-Type := VLAN
(15904) sql: Tunnel-Private-Group-Id := "84"
(15904) sql: Tunnel-Medium-Type := IEEE-802
(15904) sql: Aruba-User-Vlan := 4
(15904) sql: Framed-Protocol = PPP
(15904) sql: Service-Type = Framed-User
rlm_sql (sql): Released connection (5239)
(15904) [sql] = ok
(15904) [expiration] = noop
(15904) [logintime] = noop
(15904) pap: WARNING: Auth-Type already set.  Not setting to PAP
(15904) [pap] = noop
(15904) } # authorize = updated
(15904) Found Auth-Type = eap
(15904) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15904) authenticate {
(15904) eap: Expiring EAP session with state 0x7e33b8807f39a23b
(15904) eap: Finished EAP session with state 0x7e33b8807f39a23b
(15904) eap: Previous EAP request found for state 0x7e33b8807f39a23b, released from the list
(15904) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(15904) eap: Calling submodule eap_mschapv2 to process data
(15904) eap: Sending EAP Success (code 3) ID 10 length 4
(15904) eap: Freeing handler
(15904) [eap] = ok
(15904) } # authenticate = ok
(15904) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(15904) post-auth {
(15904) sql: EXPAND .query
(15904) sql: --> .query
(15904) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5238)
(15904) sql: EXPAND %{User-Name}
(15904) sql: --> test12
(15904) sql: SQL-User-Name set to 'test12'
(15904) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(15904) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', '', 'Access-Accept', '2022-08-03 11:18:07')
(15904) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', '', 'Access-Accept', '2022-08-03 11:18:07')
(15904) sql: SQL query returned: success
(15904) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5238)
(15904) [sql] = ok
(15904) if (0) {
(15904) if (0) -> FALSE
(15904) } # post-auth = ok
(15904) } # server inner-tunnel
(15904) Virtual server sending reply
(15904) Tunnel-Type = VLAN
(15904) Tunnel-Private-Group-Id = "84"
(15904) Tunnel-Medium-Type = IEEE-802
(15904) Aruba-User-Vlan = 4
(15904) Framed-Protocol = PPP
(15904) Service-Type = Framed-User
(15904) MS-MPPE-Encryption-Policy = Encryption-Allowed
(15904) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(15904) MS-MPPE-Send-Key = 0x20fabc726bb76c44546ee2b133a5a039
(15904) MS-MPPE-Recv-Key = 0x9df883f3c8e6f08521cca94374084ebb
(15904) EAP-Message = 0x030a0004
(15904) Message-Authenticator = 0x00000000000000000000000000000000
(15904) User-Name = "test12"
(15904) eap_peap: Got tunneled reply code 2
(15904) eap_peap: Tunnel-Type = VLAN
(15904) eap_peap: Tunnel-Private-Group-Id = "84"
(15904) eap_peap: Tunnel-Medium-Type = IEEE-802
(15904) eap_peap: Aruba-User-Vlan = 4
(15904) eap_peap: Framed-Protocol = PPP
(15904) eap_peap: Service-Type = Framed-User
(15904) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(15904) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(15904) eap_peap: MS-MPPE-Send-Key = 0x20fabc726bb76c44546ee2b133a5a039
(15904) eap_peap: MS-MPPE-Recv-Key = 0x9df883f3c8e6f08521cca94374084ebb
(15904) eap_peap: EAP-Message = 0x030a0004
(15904) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(15904) eap_peap: User-Name = "test12"
(15904) eap_peap: Got tunneled reply RADIUS code 2
(15904) eap_peap: Tunnel-Type = VLAN
(15904) eap_peap: Tunnel-Private-Group-Id = "84"
(15904) eap_peap: Tunnel-Medium-Type = IEEE-802
(15904) eap_peap: Aruba-User-Vlan = 4
(15904) eap_peap: Framed-Protocol = PPP
(15904) eap_peap: Service-Type = Framed-User
(15904) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(15904) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(15904) eap_peap: MS-MPPE-Send-Key = 0x20fabc726bb76c44546ee2b133a5a039
(15904) eap_peap: MS-MPPE-Recv-Key = 0x9df883f3c8e6f08521cca94374084ebb
(15904) eap_peap: EAP-Message = 0x030a0004
(15904) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(15904) eap_peap: User-Name = "test12"
(15904) eap_peap: Tunneled authentication was successful
(15904) eap_peap: SUCCESS
(15904) eap: Sending EAP Request (code 1) ID 11 length 46
(15904) eap: EAP session adding &reply:State = 0x289e91c121958855
(15904) [eap] = handled
(15904) } # authenticate = handled
(15904) Using Post-Auth-Type Challenge
(15904) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15904) Challenge { ... } # empty sub-section is ignored
(15904) session-state: Saving cached attributes
(15904) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(15904) TLS-Session-Version = "TLS 1.2"
(15904) Sent Access-Challenge Id 20 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15904) EAP-Message = 0x010b002e1900170303002319c13e2fff220625d6b8b0b6b94062c0f3475d5799d0803a4427e0e95c03753c74e606
(15904) Message-Authenticator = 0x00000000000000000000000000000000
(15904) State = 0x289e91c121958855ee3fc9064da4dff1
(15904) Finished request
Waking up in 4.6 seconds.
(15905) Received Access-Request Id 21 from 10.80.10.100:54194 to 10.80.9.2:1812 length 269
(15905) User-Name = "test12"
(15905) NAS-IP-Address = 10.80.10.100
(15905) NAS-Port = 0
(15905) NAS-Identifier = "10.80.10.159"
(15905) NAS-Port-Type = Wireless-802.11
(15905) Calling-Station-Id = "606ee82d9a34"
(15905) Called-Station-Id = "904c81c63c70"
(15905) Service-Type = Framed-User
(15905) Framed-MTU = 1100
(15905) EAP-Message = 0x020b002e1900170303002300000000000000044bfb68fbf65c531a986b7e76e4afa89c6d06e8060ceb8b81f8da6e
(15905) State = 0x289e91c121958855ee3fc9064da4dff1
(15905) Aruba-Essid-Name = "TEST-SSID"
(15905) Aruba-Location-Id = "Aruba-AP-5"
(15905) Aruba-AP-Group = "wi-fi-aruba"
(15905) Aruba-Device-Type = "Linux"
(15905) Message-Authenticator = 0x31fcc58e9a7bad467fc154c4fd2eb429
(15905) Restoring &session-state
(15905) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(15905) &session-state:TLS-Session-Version = "TLS 1.2"
(15905) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(15905) authorize {
(15905) policy filter_username {
(15905) if (&User-Name) {
(15905) if (&User-Name) -> TRUE
(15905) if (&User-Name) {
(15905) if (&User-Name =~ / /) {
(15905) if (&User-Name =~ / /) -> FALSE
(15905) if (&User-Name =~ /@[^@]*@/ ) {
(15905) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(15905) if (&User-Name =~ /\.\./ ) {
(15905) if (&User-Name =~ /\.\./ ) -> FALSE
(15905) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(15905) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(15905) if (&User-Name =~ /\.$/) {
(15905) if (&User-Name =~ /\.$/) -> FALSE
(15905) if (&User-Name =~ /@\./) {
(15905) if (&User-Name =~ /@\./) -> FALSE
(15905) } # if (&User-Name) = notfound
(15905) } # policy filter_username = notfound
(15905) [preprocess] = ok
(15905) [chap] = noop
(15905) [mschap] = noop
(15905) [digest] = noop
(15905) suffix: Checking for suffix after "@"
(15905) suffix: No '@' in User-Name = "test12", looking up realm NULL
(15905) suffix: No such realm "NULL"
(15905) [suffix] = noop
(15905) eap: Peer sent EAP Response (code 2) ID 11 length 46
(15905) eap: Continuing tunnel setup
(15905) [eap] = ok
(15905) } # authorize = ok
(15905) Found Auth-Type = eap
(15905) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(15905) authenticate {
(15905) eap: Expiring EAP session with state 0x289e91c121958855
(15905) eap: Finished EAP session with state 0x289e91c121958855
(15905) eap: Previous EAP request found for state 0x289e91c121958855, released from the list
(15905) eap: Peer sent packet with method EAP PEAP (25)
(15905) eap: Calling submodule eap_peap to process data
(15905) eap_peap: Continuing EAP-TLS
(15905) eap_peap: [eaptls verify] = ok
(15905) eap_peap: Done initial handshake
(15905) eap_peap: [eaptls process] = ok
(15905) eap_peap: Session established.  Decoding tunneled attributes
(15905) eap_peap: PEAP state send tlv success
(15905) eap_peap: Received EAP-TLV response
(15905) eap_peap: Success
(15905) eap: Sending EAP Success (code 3) ID 11 length 4
(15905) eap: Freeing handler
(15905) [eap] = ok
(15905) } # authenticate = ok
(15905) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(15905) post-auth {
(15905) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(15905) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(15905) update {
(15905) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
(15905) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
(15905) } # update = noop
(15905) sql: EXPAND .query
(15905) sql: --> .query
(15905) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (5239)
(15905) sql: EXPAND %{User-Name}
(15905) sql: --> test12
(15905) sql: SQL-User-Name set to 'test12'
(15905) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(15905) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', '', 'Access-Accept', '2022-08-03 11:18:07')
(15905) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'test12', '', 'Access-Accept', '2022-08-03 11:18:07')
(15905) sql: SQL query returned: success
(15905) sql: 1 record(s) updated
rlm_sql (sql): Released connection (5239)
(15905) [sql] = ok
(15905) [exec] = noop
(15905) policy remove_reply_message_if_eap {
(15905) if (&reply:EAP-Message && &reply:Reply-Message) {
(15905) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(15905) else {
(15905) [noop] = noop
(15905) } # else = noop
(15905) } # policy remove_reply_message_if_eap = noop
(15905) } # post-auth = ok
(15905) Sent Access-Accept Id 21 from 10.80.9.2:1812 to 10.80.10.100:54194 length 0
(15905) MS-MPPE-Recv-Key = 0xe4910073e6f26f2aa49ad008ee659bc843d078adc9f109c0f1f1842cfcb3df8d
(15905) MS-MPPE-Send-Key = 0x635e3e1191ec21391f63ce76fe7b2e61c7cff67b6fc79083df69f00b70e4da43
(15905) EAP-Message = 0x030b0004
(15905) Message-Authenticator = 0x00000000000000000000000000000000
(15905) User-Name = "test12"
(15905) Finished request
Waking up in 4.6 seconds.
(15895) Cleaning up request packet ID 11 with timestamp +752665
(15896) Cleaning up request packet ID 12 with timestamp +752666
(15897) Cleaning up request packet ID 13 with timestamp +752666
(15898) Cleaning up request packet ID 14 with timestamp +752666
(15899) Cleaning up request packet ID 15 with timestamp +752666
(15900) Cleaning up request packet ID 16 with timestamp +752666
(15901) Cleaning up request packet ID 17 with timestamp +752666
(15902) Cleaning up request packet ID 18 with timestamp +752666
(15903) Cleaning up request packet ID 19 with timestamp +752666
(15904) Cleaning up request packet ID 20 with timestamp +752666
(15905) Cleaning up request packet ID 21 with timestamp +752666
Ready to process requests
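Added example (editor's note, not part of pathfinder8's post): the debug output above already pins the problem down. Inside the inner-tunnel the sql module merges the group reply (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, Aruba-User-Vlan) and "Virtual server sending reply" lists all of them, but the inner-tunnel post-auth then evaluates "if (0) -> FALSE". In the stock FreeRADIUS 3.0 sites-enabled/inner-tunnel that `if (0)` guards the block which copies the inner reply into `&outer.session-state`; the outer post-auth (visible in the log as the `update` that adds TLS-Session-Cipher-Suite from `&session-state`) is what moves session-state into the final reply. With the guard disabled, nothing but the EAP success and the PEAP-derived MS-MPPE keys reaches "Sent Access-Accept Id 21", which is exactly what the log shows. The fragment below is that inner-tunnel post-auth block with the guard switched on; it is modelled on the stock section rather than copied from the poster's configuration, so the exact surrounding entries in their file are an assumption.

```unlang
# /etc/freeradius/3.0/sites-enabled/inner-tunnel, post-auth section.
# Added example: stock block with "if (0)" changed to "if (1)". The rest of
# the stock post-auth (sql, etc.) stays as it is.
post-auth {
	# ... other stock post-auth entries (sql, ldap, exec) unchanged ...

	#
	# This block was "if (0)" by default, which is the
	# "(15904) if (0) -> FALSE" seen in the inner-tunnel post-auth above.
	#
	if (1) {
		#
		# Attributes that belong to the inner EAP-MSCHAPv2 exchange only.
		# The outer PEAP session exports its own MS-MPPE keys (the
		# 32-byte keys in the final Access-Accept), so the inner 16-byte
		# MSCHAPv2 keys and the inner EAP-Message must not leak out.
		#
		update reply {
			User-Name !* ANY
			Message-Authenticator !* ANY
			EAP-Message !* ANY
			Proxy-State !* ANY
			MS-MPPE-Encryption-Types !* ANY
			MS-MPPE-Encryption-Policy !* ANY
			MS-MPPE-Send-Key !* ANY
			MS-MPPE-Recv-Key !* ANY
		}

		#
		# Hand the remaining inner reply (Tunnel-Type, Tunnel-Medium-Type,
		# Tunnel-Private-Group-Id, Aruba-User-Vlan, ...) to the outer
		# request's session-state list. The stock post-auth of
		# sites-enabled/default then does "update { &reply: += &session-state: }",
		# which puts them into the Access-Accept sent to the Aruba IAP.
		#
		update {
			&outer.session-state: += &reply:
		}
	}
}
```

After restarting the server, `radiusd -X` should show the Tunnel-* attributes directly under "Sent Access-Accept" for the PEAP session, not only under "Virtual server sending reply". Older 3.0 releases also accept `use_tunneled_reply = yes` in the peap section of mods-enabled/eap; it does the same job, but the policy form above is the one the 3.0 configuration comments point to. Two further things a practitioner would check in this log: the group reply sends two different VLAN values (Tunnel-Private-Group-Id "84" and Aruba-User-Vlan 4), so only one of them should stay in the daloRADIUS profile to avoid leaving the choice to the access point; and the "Outer and inner identities are the same" warning means the supplicants send the real username in the clear outer EAP-Identity, which is fixed on the client side by configuring an anonymous outer identity, not on the server.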