Accounting Packet not sent

Michael Fischer
Hi!

My goal is to authenticate WiFi users via FreeRADIUS with an eDirectory
backend. FreeRADIUS should then send an accounting packet to a
FortiGate firewall where an SSO agent is running.

The authentication part is working fine; a user can connect to the
WiFi.

As far as I understood it, I should configure FreeRADIUS to write a
detail file which is then parsed and an accounting packet sent to the
FortiGate firewall.
I configured a realm in proxy.conf:
realm Fortigate {
        accthost = 172.16.1.253
        secret = ***********
}

And I enabled the site "copy-acct-to-home-server" with the
following configuration:

server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-*
                load_factor = 10
        }

        preacct {
                preprocess
                suffix
                files
                update control {
                        Proxy-To-Realm := 'Fortigate'
                }
        }

        accounting {
                ok
        }

        pre-proxy {
        }

        post-proxy {
        }
}

Reading the detail file seems to work fine, but no accounting packet
is sent to the FortiGate firewall (I even checked using Wireshark). See
part of the debug log here:
(9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60-E2-B3-96-5C)
(9) Sent Access-Accept Id 107 from 172.16.1.104:1812 to 192.168.251.51:39578 length 0
(9)   Class := 0x54657374
(9)   MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
(9)   MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
(9)   EAP-Message = 0x03d10004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name += "fimi"
(9) Finished request
Waking up in 4.8 seconds.
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Renaming /var/log/radius/radacct/detail-192.168.251.51-20210216 -> /var/log/radius/radacct/detail.work
detail (/var/log/radius/radacct/detail-*): Read packet from /var/log/radius/radacct/detail.work
        Packet-Type = Access-Accept
        Class = 0x54657374
        User-Name = "fimi"
        MS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
        MS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
        EAP-MSK = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
        EAP-EMSK = 0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be11412f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36
        EAP-Session-Id = 0x19c2bce2a85918a3ba9ea0068fd39acacb8173753f6c2a19ac67249b606157c82923f2dacd82dc178f0df970ea5031e0e57b82ad5100de437f43b4f8303af37cae
        EAP-Message = 0x03d10004
        Message-Authenticator = 0x00000000000000000000000000000000
        Packet-Original-Timestamp = "Feb 16 2021 14:22:24 CET"
        Packet-Transmit-Counter = 1
Waking up in 4.6 seconds.

See full debug-log attached.

I would really appreciate your help!

Thanks, Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
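An added check for the detail-file setup described in the post above (my own example code, not from this thread or the FreeRADIUS project). It parses a detail file in the record format rlm_detail writes (header line from `header = "%t"`, one indented `Attribute = Value` line per attribute, a blank line between records) and reports, per record, the Packet-Type, whether the record is an Accounting-Request that a `type = detail` listener bound to a preacct/accounting server could actually proxy to the accthost, and whether it carries session key material (MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-MSK, EAP-EMSK). The sample input is constructed: the first record mirrors the Access-Accept entry read from detail.work in the debug output above (EAP-MSK/EMSK values shortened), the second is a made-up Accounting-Request Start. The constants ACCOUNTING and KEY_MATERIAL, the format assumptions and the file path in the usage docstring are mine.

```python
"""Audit a FreeRADIUS 3.x detail file before a `type = detail` listener replays it.

Added example for this thread, not code from the FreeRADIUS project. rlm_detail
writes one record per packet: an unindented header line (the `header = "%t"`
timestamp), one indented `Attribute = Value` line per attribute, then a blank line.
"""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass, field
# Assumption: a detail listener feeding a preacct/accounting server exists to
# forward Accounting-Request packets; any other Packet-Type is not accounting.
ACCOUNTING = "Accounting-Request"
# Assumption: these attributes carry 802.11 session key material and belong in an
# Access-Accept reply, not in a log that is replayed to a third party.
KEY_MATERIAL = frozenset({"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "EAP-MSK", "EAP-EMSK"})
_ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9.:_-]+)\s*(?::=|\+=|=)\s*(?P<value>.*?)\s*$")
# Constructed sample: record 1 mirrors the Access-Accept entry in the thread's debug
# output (EAP-MSK/EMSK shortened); record 2 is a made-up Accounting-Request Start.
SAMPLE = """\
Tue Feb 16 14:22:24 2021
\tPacket-Type = Access-Accept
\tUser-Name = "fimi"
\tMS-MPPE-Recv-Key = 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
\tMS-MPPE-Send-Key = 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
\tEAP-MSK = 0x28765691deadbeef
\tEAP-EMSK = 0xd3a64e1fdeadbeef
\tTimestamp = 1613481744

Tue Feb 16 14:22:31 2021
\tPacket-Type = Accounting-Request
\tAcct-Status-Type = Start
\tUser-Name = "fimi"
\tTimestamp = 1613481751

"""

@dataclass
class DetailRecord:
    header: str
    attrs: dict[str, str] = field(default_factory=dict)  # first occurrence wins

    @property
    def packet_type(self) -> str:
        return self.attrs.get("Packet-Type", "<missing>")

def parse_detail(text: str) -> list[DetailRecord]:
    """Split detail-file text into records. A blank line closes a record; an
    unindented line opens the next one even when the blank line is missing."""
    records: list[DetailRecord] = []
    current: DetailRecord | None = None
    for raw in text.splitlines():
        if not raw.strip():
            if current is not None:
                records.append(current)
                current = None
            continue
        if not raw[0].isspace():
            if current is not None:
                records.append(current)
            current = DetailRecord(header=raw.strip())
            continue
        m = _ATTR_RE.match(raw)
        if m is None or current is None:
            continue  # malformed line, or an attribute before any header
        current.attrs.setdefault(m.group("name"), m.group("value").strip('"'))
    if current is not None:
        records.append(current)
    return records

def is_forwardable_accounting(rec: DetailRecord) -> bool:
    """True only for an Accounting-Request that carries Acct-Status-Type (RFC 2866)."""
    return rec.packet_type == ACCOUNTING and "Acct-Status-Type" in rec.attrs

def key_material(rec: DetailRecord) -> list[str]:
    """Sorted names of the key-carrying attributes present in the record."""
    return sorted(KEY_MATERIAL.intersection(rec.attrs))

def audit(text: str) -> list[dict]:
    """One finding per record, in file order."""
    return [{"header": r.header, "packet_type": r.packet_type,
             "forwardable": is_forwardable_accounting(r), "key_material": key_material(r)}
            for r in parse_detail(text)]

def main(argv: list[str]) -> None:
    """Usage: audit_detail.py [/var/log/radius/radacct/detail.work]; no argument runs SAMPLE."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE
    for f in audit(text):
        verdict = "forwardable accounting" if f["forwardable"] else "not an Accounting-Request, will not be proxied as accounting"
        line = f"{f['header']}: {f['packet_type']}: {verdict}"
        if f["key_material"]:
            line += "; WARNING, session keys on disk: " + ", ".join(f["key_material"])
        print(line)

if __name__ == "__main__":
    main(sys.argv)
```

Run it on a copy of the detail file (or on detail.work with the listener stopped). A record reported as Access-Accept with session keys present was logged from an authentication reply, not from an accounting request, so the place to look first is which section calls `detail`, not proxy.conf; and because such a file holds the wireless session keys in cleartext, keep the `permissions = 384` (0600) shown in the debug output and do not copy it elsewhere.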

Re: Accounting Packet not sent

Michael Fischer
On Tue, 2021-02-16 at 14:38 +0100, Michael Fischer wrote:

Hi again!

As I received my e-mail from the list without the attachment, here is the
debug output:
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb//dictionary
including configuration file /etc/raddb//radiusd.conf
including configuration file /etc/raddb//proxy.conf
including configuration file /etc/raddb//clients.conf
including files in directory /etc/raddb//mods-enabled/
including configuration file /etc/raddb//mods-enabled/always
including configuration file /etc/raddb//mods-enabled/attr_filter
including configuration file /etc/raddb//mods-enabled/cache_eap
including configuration file /etc/raddb//mods-enabled/chap
including configuration file /etc/raddb//mods-enabled/date
including configuration file /etc/raddb//mods-enabled/detail
including configuration file /etc/raddb//mods-enabled/digest
including configuration file /etc/raddb//mods-enabled/dynamic_clients
including configuration file /etc/raddb//mods-enabled/eap
including configuration file /etc/raddb//mods-enabled/echo
including configuration file /etc/raddb//mods-enabled/exec
including configuration file /etc/raddb//mods-enabled/expiration
including configuration file /etc/raddb//mods-enabled/expr
including configuration file /etc/raddb//mods-enabled/files
including configuration file /etc/raddb//mods-enabled/linelog
including configuration file /etc/raddb//mods-enabled/logintime
including configuration file /etc/raddb//mods-enabled/mschap
including configuration file /etc/raddb//mods-enabled/ntlm_auth
including configuration file /etc/raddb//mods-enabled/pap
including configuration file /etc/raddb//mods-enabled/passwd
including configuration file /etc/raddb//mods-enabled/preprocess
including configuration file /etc/raddb//mods-enabled/radutmp
including configuration file /etc/raddb//mods-enabled/realm
including configuration file /etc/raddb//mods-enabled/replicate
including configuration file /etc/raddb//mods-enabled/soh
including configuration file /etc/raddb//mods-enabled/sradutmp
including configuration file /etc/raddb//mods-enabled/unix
including configuration file /etc/raddb//mods-enabled/unpack
including configuration file /etc/raddb//mods-enabled/utf8
including configuration file /etc/raddb//mods-enabled/ldap
including files in directory /etc/raddb//policy.d/
including configuration file /etc/raddb//policy.d/abfab-tr
including configuration file /etc/raddb//policy.d/accounting
including configuration file /etc/raddb//policy.d/canonicalization
including configuration file /etc/raddb//policy.d/control
including configuration file /etc/raddb//policy.d/cui
including configuration file /etc/raddb//policy.d/debug
including configuration file /etc/raddb//policy.d/dhcp
including configuration file /etc/raddb//policy.d/eap
including configuration file /etc/raddb//policy.d/filter
including configuration file /etc/raddb//policy.d/moonshot-targeted-ids
including configuration file /etc/raddb//policy.d/operator-name
including configuration file /etc/raddb//policy.d/rfc7542
including files in directory /etc/raddb//sites-enabled/
including configuration file /etc/raddb//sites-enabled/default
including configuration file /etc/raddb//sites-enabled/inner-tunnel
including configuration file /etc/raddb//sites-enabled/copy-acct-to-home-server
main {
 security {
  allow_core_dumps = no
 }
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 16384
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
  stripped_names = no
  auth = yes
  auth_badpass = no
  auth_goodpass = no
  colourise = yes
  msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
  max_attributes = 200
  reject_delay = 1.000000
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
  max_connections = 16
  max_requests = 0
  lifetime = 0
  idle_timeout = 0
  }
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 realm Fortigate {
        accthost = 172.16.1.253
        secret = <<< secret >>>
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
  nas_type = "other"
  proto = "*"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client localhost_ipv6 {
  ipv6addr = ::1
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client private-network-1 {
  ipaddr = 192.168.251.0/24
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Auth-Type = LDAP
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/raddb//mods-enabled/always
  always reject {
  rcode = "reject"
  simulcount = 0
  mpp = no
  }
  # Loading module "fail" from file /etc/raddb//mods-enabled/always
  always fail {
  rcode = "fail"
  simulcount = 0
  mpp = no
  }
  # Loading module "ok" from file /etc/raddb//mods-enabled/always
  always ok {
  rcode = "ok"
  simulcount = 0
  mpp = no
  }
  # Loading module "handled" from file /etc/raddb//mods-enabled/always
  always handled {
  rcode = "handled"
  simulcount = 0
  mpp = no
  }
  # Loading module "invalid" from file /etc/raddb//mods-enabled/always
  always invalid {
  rcode = "invalid"
  simulcount = 0
  mpp = no
  }
  # Loading module "userlock" from file /etc/raddb//mods-enabled/always
  always userlock {
  rcode = "userlock"
  simulcount = 0
  mpp = no
  }
  # Loading module "notfound" from file /etc/raddb//mods-enabled/always
  always notfound {
  rcode = "notfound"
  simulcount = 0
  mpp = no
  }
  # Loading module "noop" from file /etc/raddb//mods-enabled/always
  always noop {
  rcode = "noop"
  simulcount = 0
  mpp = no
  }
  # Loading module "updated" from file /etc/raddb//mods-enabled/always
  always updated {
  rcode = "updated"
  simulcount = 0
  mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/raddb//mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  filename = "/etc/raddb//mods-config/attr_filter/post-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/raddb//mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  filename = "/etc/raddb//mods-config/attr_filter/pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  filename = "/etc/raddb//mods-config/attr_filter/access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  filename = "/etc/raddb//mods-config/attr_filter/access_challenge"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  filename = "/etc/raddb//mods-config/attr_filter/accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/raddb//mods-enabled/cache_eap
  cache cache_eap {
  driver = "rlm_cache_rbtree"
  key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  ttl = 15
  max_entries = 0
  epoch = 0
  add_stats = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/raddb//mods-enabled/chap
  # Loaded module rlm_date
  # Loading module "date" from file /etc/raddb//mods-enabled/date
  date {
  format = "%b %e %Y %H:%M:%S %Z"
  utc = no
  }
  # Loading module "wispr2date" from file /etc/raddb//mods-enabled/date
  date wispr2date {
  format = "%Y-%m-%dT%H:%M:%S"
  utc = no
  }
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/raddb//mods-enabled/detail
  detail {
  filename = "/var/log/radius/radacct/detail-%{Packet-Src-IP-Address}-%Y%m%d"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/raddb//mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/raddb//mods-enabled/dynamic_clients
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/raddb//mods-enabled/eap
  eap {
  default_eap_type = "peap"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/raddb//mods-enabled/echo
  exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
  # Loading module "exec" from file /etc/raddb//mods-enabled/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/raddb//mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/raddb//mods-enabled/expr
  expr {
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/raddb//mods-enabled/files
  files {
  filename = "/etc/raddb//mods-config/files/authorize"
  acctusersfile = "/etc/raddb//mods-config/files/accounting"
  preproxy_usersfile = "/etc/raddb//mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/raddb//mods-enabled/linelog
  linelog {
  filename = "/var/log/radius/linelog"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = "This is a log message for %{User-Name}"
  reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/raddb//mods-enabled/linelog
  linelog log_accounting {
  filename = "/var/log/radius/linelog-accounting"
  escape_filenames = no
  syslog_severity = "info"
  permissions = 384
  format = ""
  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/raddb//mods-enabled/logintime
  logintime {
  minimum_timeout = 60
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/raddb//mods-enabled/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
   passchange {
   }
  allow_retry = yes
  winbind_retry_with_normalised_username = no
  }
  # Loading module "ntlm_auth" from file /etc/raddb//mods-enabled/ntlm_auth
  exec ntlm_auth {
  wait = yes
  program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  shell_escape = yes
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/raddb//mods-enabled/pap
  pap {
  normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/raddb//mods-enabled/passwd
  passwd etc_passwd {
  filename = "/etc/passwd"
  format = "*User-Name:Crypt-Password:"
  delimiter = ":"
  ignore_nislike = no
  ignore_empty = yes
  allow_multiple_keys = no
  hash_size = 100
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/raddb//mods-enabled/preprocess
  preprocess {
  huntgroups = "/etc/raddb//mods-config/preprocess/huntgroups"
  hints = "/etc/raddb//mods-config/preprocess/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/raddb//mods-enabled/radutmp
  radutmp {
  filename = "/var/log/radius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 384
  caller_id = yes
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/raddb//mods-enabled/realm
  realm IPASS {
  format = "prefix"
  delimiter = "/"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "suffix" from file /etc/raddb//mods-enabled/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "bangpath" from file /etc/raddb//mods-enabled/realm
  realm bangpath {
  format = "prefix"
  delimiter = "!"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/raddb//mods-enabled/realm
  realm realmpercent {
  format = "suffix"
  delimiter = "%"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/raddb//mods-enabled/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/raddb//mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/raddb//mods-enabled/soh
  soh {
  dhcp = yes
  }
  # Loading module "sradutmp" from file /etc/raddb//mods-enabled/sradutmp
  radutmp sradutmp {
  filename = "/var/log/radius/sradutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 420
  caller_id = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/raddb//mods-enabled/unix
  unix {
  radwtmp = "/var/log/radius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/raddb//mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/raddb//mods-enabled/utf8
  # Loaded module rlm_ldap
  # Loading module "ldap" from file /etc/raddb//mods-enabled/ldap
  ldap {
  server = "ldaps://172.16.1.33"
  port = 636
  identity = "cn=8021xproxy,ou=server,o=htbl"
  password = <<< secret >>>
   sasl {
   }
  user_dn = "LDAP-UserDn"
  edir = yes
  edir_autz = yes
   user {
    scope = "sub"
    access_attribute = "dialupAccess"
    access_positive = yes
    sasl {
    }
   }
   group {
    filter = "(objectClass=posixGroup)"
    scope = "sub"
    name_attribute = "cn"
    membership_attribute = "memberOf"
    cacheable_name = no
    cacheable_dn = no
    allow_dangling_group_ref = no
   }
   client {
    filter = "(objectClass=radiusClient)"
    scope = "sub"
    base_dn = "o=HTBL"
   }
   profile {
   }
   options {
    ldap_debug = 40
    chase_referrals = yes
    rebind = yes
    net_timeout = 1
    res_timeout = 10
    srv_timelimit = 3
    idle = 60
    probes = 3
    interval = 3
   }
   tls {
    ca_file = "/etc/raddb//certs/eDirCAcert.pem"
    start_tls = no
    require_cert = "allow"
   }
  }
Creating attribute LDAP-Group
  instantiate {
  }
  # Instantiating module "reject" from file /etc/raddb//mods-enabled/always
  # Instantiating module "fail" from file /etc/raddb//mods-enabled/always
  # Instantiating module "ok" from file /etc/raddb//mods-enabled/always
  # Instantiating module "handled" from file /etc/raddb//mods-enabled/always
  # Instantiating module "invalid" from file /etc/raddb//mods-enabled/always
  # Instantiating module "userlock" from file /etc/raddb//mods-enabled/always
  # Instantiating module "notfound" from file /etc/raddb//mods-enabled/always
  # Instantiating module "noop" from file /etc/raddb//mods-enabled/always
  # Instantiating module "updated" from file /etc/raddb//mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb//mods-enabled/attr_filter
reading pairlist file /etc/raddb//mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/raddb//mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/raddb//mods-enabled/detail
  # Instantiating module "eap" from file /etc/raddb//mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/etc/raddb//certs"
    pem_file_type = yes
    private_key_file = "/etc/raddb//certs/server.pem"
    certificate_file = "/etc/raddb//certs/server.pem"
    ca_file = "/etc/raddb//certs/ca.pem"
    private_key_password = <<< secret >>>
    dh_file = "/etc/raddb//certs/dh"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    ecdh_curve = "prime256v1"
    disable_tlsv1 = no
    disable_tlsv1_1 = no
    disable_tlsv1_2 = no
    tls_max_version = "1.2"
    tls_min_version = "1.0"
    cache {
    enable = no
    lifetime = 24
    max_entries = 255
    }
    verify {
    skip_if_ocsp_ok = no
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
The configuration allows TLS 1.0 and/or TLS 1.1.  We STRONGLY recommned using only TLS 1.2 for security
Please set: tls_min_version = "1.2"
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "expiration" from file /etc/raddb//mods-enabled/expiration
  # Instantiating module "files" from file /etc/raddb//mods-enabled/files
reading pairlist file /etc/raddb//mods-config/files/authorize
reading pairlist file /etc/raddb//mods-config/files/accounting
reading pairlist file /etc/raddb//mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /etc/raddb//mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/raddb//mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/raddb//mods-enabled/logintime
  # Instantiating module "mschap" from file /etc/raddb//mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "pap" from file /etc/raddb//mods-enabled/pap
  # Instantiating module "etc_passwd" from file /etc/raddb//mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "preprocess" from file /etc/raddb//mods-enabled/preprocess
reading pairlist file /etc/raddb//mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb//mods-config/preprocess/hints
  # Instantiating module "IPASS" from file /etc/raddb//mods-enabled/realm
  # Instantiating module "suffix" from file /etc/raddb//mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/raddb//mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/raddb//mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/raddb//mods-enabled/realm
  # Instantiating module "ldap" from file /etc/raddb//mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20446
   accounting {
    reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
    reference = "."
   }
rlm_ldap (ldap): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 0
    cleanup_interval = 30
    idle_timeout = 60
    retry_delay = 30
    spread = no
   }
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb//radiusd.conf
} # server
server default { # from file /etc/raddb//sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb//sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' -- /etc/raddb//sites-enabled/inner-tunnel:345
} # server inner-tunnel
server copy-acct-to-home-server { # from file /etc/raddb//sites-enabled/copy-acct-to-home-server
 # Loading preacct {...}
 # Loading accounting {...}
} # server copy-acct-to-home-server
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "auth"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
listen {
  type = "detail"
  listen {
  filename = "/var/log/radius/radacct/detail-*"
  load_factor = 10
  poll_interval = 1
  retry_interval = 30
  one_shot = no
  track = no
  }
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-
tunnel
Listening on detail file /var/log/radius/radacct/detail-* as server
copy-acct-to-home-server
Listening on proxy address * port 33344
Listening on proxy address :: port 45782
Ready to process requests
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 0.769579 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.219527 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.173822 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.129156 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.249627 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.031091 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 0.840066 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.239105 sec
(0) Received Access-Request Id 108 from 192.168.251.51:39578 to
172.16.1.104:1812 length 190
(0)   User-Name = "fimi"
(0)   NAS-Identifier = "a22aa8d26c65"
(0)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "6A0D6C94095D2E0A"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x028b00090166696d69
(0)   Message-Authenticator = 0xed1d56eb859202891d34ba433c96ff60
(0) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 139 length 9
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb//sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 140 length 6
(0) eap: EAP session adding &reply:State = 0xacb59afcac3983f3
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/raddb//sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 108 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(0)   EAP-Message = 0x018c00061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xacb59afcac3983f3c10471c5771ffc72
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 109 from 192.168.251.51:39578 to
172.16.1.104:1812 length 340
(1)   User-Name = "fimi"
(1)   NAS-Identifier = "a22aa8d26c65"
(1)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "6A0D6C94095D2E0A"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message =
0x028c008d198000000083160301007e0100007a030363c73063457cfb114c1273ccdcd
419324e47cc9d731c536da4118f5ca68b117700001ec02bc02fc02cc030cca9cca8c009
c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a000800060
01d00170018000b00020100000d00140012040308040401050308050501080606010201
(1)   State = 0xacb59afcac3983f3c10471c5771ffc72
(1)   Message-Authenticator = 0x1eebb054a163ed4d02c96042b2be741d
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 140 length 141
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb//sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xacb59afcac3983f3
(1) eap: Finished EAP session with state 0xacb59afcac3983f3
(1) eap: Previous EAP request found for state 0xacb59afcac3983f3,
released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(1) eap_peap: Got complete TLS record (131 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv TLS 1.3  [length 007e]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2  [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2  [length 0903]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write
server done
(1) eap_peap: TLS - In Handshake Phase
(1) eap_peap: TLS - got 2725 bytes of data
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 141 length 1004
(1) eap: EAP session adding &reply:State = 0xacb59afcad3883f3
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/raddb//sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 109 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(1)   EAP-Message =
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xacb59afcad3883f3c10471c5771ffc72
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 110 from 192.168.251.51:39578 to
172.16.1.104:1812 length 205
(2)   User-Name = "fimi"
(2)   NAS-Identifier = "a22aa8d26c65"
(2)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "6A0D6C94095D2E0A"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027076
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x028d00061900
(2)   State = 0xacb59afcad3883f3c10471c5771ffc72
(2)   Message-Authenticator = 0x10a42051d77dc96d1a8fdb6e1790ddc7
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 141 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb//sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xacb59afcad3883f3
(2) eap: Finished EAP session with state 0xacb59afcad3883f3
(2) eap: Previous EAP request found for state 0xacb59afcad3883f3,
released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 142 length 1000
(2) eap: EAP session adding &reply:State = 0xacb59afcae3b83f3
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/raddb//sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 110 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(2)   EAP-Message =
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xacb59afcae3b83f3c10471c5771ffc72
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 111 from 192.168.251.51:39578 to
172.16.1.104:1812 length 205
(3)   User-Name = "fimi"
(3)   NAS-Identifier = "a22aa8d26c65"
(3)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "6A0D6C94095D2E0A"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x028e00061900
(3)   State = 0xacb59afcae3b83f3c10471c5771ffc72
(3)   Message-Authenticator = 0xb14601361b16a123aaab75b0b82ba00c
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 142 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb//sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xacb59afcae3b83f3
(3) eap: Finished EAP session with state 0xacb59afcae3b83f3
(3) eap: Previous EAP request found for state 0xacb59afcae3b83f3,
released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 143 length 743
(3) eap: EAP session adding &reply:State = 0xacb59afcaf3a83f3
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/raddb//sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 111 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(3)   EAP-Message =
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xacb59afcaf3a83f3c10471c5771ffc72
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 112 from 192.168.251.51:39578 to
172.16.1.104:1812 length 335
(4)   User-Name = "fimi"
(4)   NAS-Identifier = "a22aa8d26c65"
(4)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "6A0D6C94095D2E0A"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027076
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message =
0x028f008819800000007e16030300461000004241048fdc417fe1d3fcecaffdcc000a5
1421f8063c74ef6fd3035691c0eb23b7727f1920fcb300efa8b867394dc98d5cea84698
61c3ef699a8b80721e9a487b2dbd8814030300010116030300280000000000000000fd3
e43ecc7209d9245ae40f8cc7d87f77abaa962fd01d56cf55fe9070e075946
(4)   State = 0xacb59afcaf3a83f3c10471c5771ffc72
(4)   Message-Authenticator = 0x44a410d1eba2411512f46bed2a722cea
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 143 length 136
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb//sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xacb59afcaf3a83f3
(4) eap: Finished EAP session with state 0xacb59afcaf3a83f3
(4) eap: Previous EAP request found for state 0xacb59afcaf3a83f3,
released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(4) eap_peap: Got complete TLS record (126 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: TLS_accept: SSLv3/TLS write server done
(4) eap_peap: <<< recv TLS 1.2  [length 0046]
(4) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(4) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(4) eap_peap: <<< recv TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS read finished
(4) eap_peap: >>> send TLS 1.2  [length 0001]
(4) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(4) eap_peap: >>> send TLS 1.2  [length 0010]
(4) eap_peap: TLS_accept: SSLv3/TLS write finished
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: TLS - Connection Established
(4) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(4) eap_peap: TLS-Session-Version = "TLS 1.2"
(4) eap_peap: TLS - got 51 bytes of data
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 144 length 57
(4) eap: EAP session adding &reply:State = 0xacb59afca82583f3
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/raddb//sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) session-state: Saving cached attributes
(4)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(4)   TLS-Session-Version = "TLS 1.2"
(4) Sent Access-Challenge Id 112 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(4)   EAP-Message =
0x0190003919001403030001011603030028d7bfce4f731f8923b50d6ba0a6ff17eac0f
e578415834ef87798c898e5d1b5230abb0fc49392cd52
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xacb59afca82583f3c10471c5771ffc72
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 113 from 192.168.251.51:39578 to
172.16.1.104:1812 length 205
(5)   User-Name = "fimi"
(5)   NAS-Identifier = "a22aa8d26c65"
(5)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(5)   Connect-Info = "CONNECT 0Mbps 802.11b"
(5)   Acct-Session-Id = "6A0D6C94095D2E0A"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x029000061900
(5)   State = 0xacb59afca82583f3c10471c5771ffc72
(5)   Message-Authenticator = 0xf6d9bebdbb69b67dc8d7eb81d451fb22
(5) Restoring &session-state
(5)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-
SHA256"
(5)   &session-state:TLS-Session-Version = "TLS 1.2"
(5) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 144 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb//sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xacb59afca82583f3
(5) eap: Finished EAP session with state 0xacb59afca82583f3
(5) eap: Previous EAP request found for state 0xacb59afca82583f3,
released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 145 length 40
(5) eap: EAP session adding &reply:State = 0xacb59afca92483f3
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/raddb//sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 113 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(5)   EAP-Message =
0x019100281900170303001dd7bfce4f731f8924bd8d9b93f79b404ccc3552c051b5803
0a6668f437a
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xacb59afca92483f3c10471c5771ffc72
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 114 from 192.168.251.51:39578 to
172.16.1.104:1812 length 239
(6)   User-Name = "fimi"
(6)   NAS-Identifier = "a22aa8d26c65"
(6)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "6A0D6C94095D2E0A"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   EAP-Message =
0x029100281900170303001d00000000000000016cef8464a32987af1dd82e0082a1aa1
d2885a73a67
(6)   State = 0xacb59afca92483f3c10471c5771ffc72
(6)   Message-Authenticator = 0x1895937a755c97428d05e1a5719571f7
(6) Restoring &session-state
(6)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-
SHA256"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 145 length 40
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb//sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xacb59afca92483f3
(6) eap: Finished EAP session with state 0xacb59afca92483f3
(6) eap: Previous EAP request found for state 0xacb59afca92483f3,
released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - fimi
(6) eap_peap: Got inner identity 'fimi'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x029100090166696d69
(6) eap_peap: Setting User-Name to fimi
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x029100090166696d69
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "fimi"
(6) eap_peap:   NAS-Identifier = "a22aa8d26c65"
(6) eap_peap:   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(6) eap_peap:   NAS-Port-Type = Wireless-802.11
(6) eap_peap:   Service-Type = Framed-User
(6) eap_peap:   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(6) eap_peap:   Connect-Info = "CONNECT 0Mbps 802.11b"
(6) eap_peap:   Acct-Session-Id = "6A0D6C94095D2E0A"
(6) eap_peap:   WLAN-Pairwise-Cipher = 1027076
(6) eap_peap:   WLAN-Group-Cipher = 1027076
(6) eap_peap:   WLAN-AKM-Suite = 1027073
(6) eap_peap:   Framed-MTU = 1400
(6) eap_peap:   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(6) eap_peap:   NAS-IP-Address = 192.168.251.51
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x029100090166696d69
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "fimi"
(6)   NAS-Identifier = "a22aa8d26c65"
(6)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(6)   Connect-Info = "CONNECT 0Mbps 802.11b"
(6)   Acct-Session-Id = "6A0D6C94095D2E0A"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027076
(6)   WLAN-AKM-Suite = 1027073
(6)   Framed-MTU = 1400
(6)   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(6)   NAS-IP-Address = 192.168.251.51
(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb//sites-
enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 145 length 9
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb//sites-enabled/inner-
tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_mschapv2 to process data
(6) eap_mschapv2: Issuing Challenge
(6) eap: Sending EAP Request (code 1) ID 146 length 43
(6) eap: EAP session adding &reply:State = 0xce54cccdcec6d606
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message =
0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697
5732d332e302e3231
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xce54cccdcec6d6066e64469f1bba9a6c
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message =
0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697
5732d332e302e3231
(6) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(6) eap_peap:   State = 0xce54cccdcec6d6066e64469f1bba9a6c
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message =
0x0192002b1a01920026108a40c95e71e0350f2a078d5cbc650f6766726565726164697
5732d332e302e3231
(6) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(6) eap_peap:   State = 0xce54cccdcec6d6066e64469f1bba9a6c
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 146 length 74
(6) eap: EAP session adding &reply:State = 0xacb59afcaa2783f3
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/raddb//sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 114 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(6)   EAP-Message =
0x0192004a1900170303003fd7bfce4f731f89250b2de5e4317f7ea66feafcc910fc583
31b209ae3b2f1645748cb849feea90736c1b3dd2fd65985670cf8b0500ebf9f65f4c2cd
9c7666bb
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xacb59afcaa2783f3c10471c5771ffc72
(6) Finished request
Waking up in 4.9 seconds.
(7) Received Access-Request Id 115 from 192.168.251.51:39578 to
172.16.1.104:1812 length 293
(7)   User-Name = "fimi"
(7)   NAS-Identifier = "a22aa8d26c65"
(7)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "6A0D6C94095D2E0A"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message =
0x0292005e190017030300530000000000000002c33e469fe868a89587b88a78a823d95
ce11565b6bae206f2ab459b4db443f4f19749b732f97a0bb868d5fa960b4195aea1b707
773f8080e9444b35bccc989c93a662e56f8036a8077d5eb9
(7)   State = 0xacb59afcaa2783f3c10471c5771ffc72
(7)   Message-Authenticator = 0xb9aba9255bb19133efecdb6c7e8efc39
(7) Restoring &session-state
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-
SHA256"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 146 length 94
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb//sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xce54cccdcec6d606
(7) eap: Finished EAP session with state 0xacb59afcaa2783f3
(7) eap: Previous EAP request found for state 0xacb59afcaa2783f3,
released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message =
0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000
2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69
(7) eap_peap: Setting User-Name to fimi
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message =
0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000
2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "fimi"
(7) eap_peap:   State = 0xce54cccdcec6d6066e64469f1bba9a6c
(7) eap_peap:   NAS-Identifier = "a22aa8d26c65"
(7) eap_peap:   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(7) eap_peap:   NAS-Port-Type = Wireless-802.11
(7) eap_peap:   Service-Type = Framed-User
(7) eap_peap:   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(7) eap_peap:   Connect-Info = "CONNECT 0Mbps 802.11b"
(7) eap_peap:   Acct-Session-Id = "6A0D6C94095D2E0A"
(7) eap_peap:   WLAN-Pairwise-Cipher = 1027076
(7) eap_peap:   WLAN-Group-Cipher = 1027076
(7) eap_peap:   WLAN-AKM-Suite = 1027073
(7) eap_peap:   Framed-MTU = 1400
(7) eap_peap:   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(7) eap_peap:   NAS-IP-Address = 192.168.251.51
(7) Virtual server inner-tunnel received request
(7)   EAP-Message =
0x0292003f1a0292003a31d459203b242256b2671bad6cb9aad4d100000000000000000
2e154a7254fcd1553ac37739e9c987d0efa389627bcf2f30066696d69
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "fimi"
(7)   State = 0xce54cccdcec6d6066e64469f1bba9a6c
(7)   NAS-Identifier = "a22aa8d26c65"
(7)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "6A0D6C94095D2E0A"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(7)   NAS-IP-Address = 192.168.251.51
(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb//sites-
enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 146 length 63
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)       [files] = noop
rlm_ldap (ldap): Reserved connection (0)
(7) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (cn=fimi)
(7) ldap: Performing search in "o=HTBL" with filter "(cn=fimi)", scope
"sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL"
(7) ldap: Added eDirectory password
(7) ldap: Binding as user for eDirectory authorization checks
(7) ldap: Waiting for bind result...
(7) ldap: Bind successful
(7) ldap: Bind as user 'cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL' was
successful
(7) ldap: Processing user attributes
(7) ldap: reply:Class := 0x54657374
rlm_ldap (ldap): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending
slots used
rlm_ldap (ldap): Connecting to ldaps://172.16.1.33:636
TLS certificate verification: Error, unable to get issuer certificate
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(7)       [ldap] = updated
(7)       if ((ok || updated) && User-Password) {
(7)       if ((ok || updated) && User-Password)  -> FALSE
(7)       [expiration] = noop
(7)       [logintime] = noop
(7) pap: WARNING: Auth-Type already set.  Not setting to PAP
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb//sites-enabled/inner-
tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0xce54cccdcec6d606
(7) eap: Finished EAP session with state 0xce54cccdcec6d606
(7) eap: Previous EAP request found for state 0xce54cccdcec6d606,
released from the list
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: # Executing group from file /etc/raddb//sites-
enabled/inner-tunnel
(7) eap_mschapv2:   authenticate {
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Creating challenge hash with username: fimi
(7) mschap: Client is using MS-CHAPv2
(7) mschap: Adding MS-CHAPv2 MPPE keys
(7) eap_mschapv2:     [mschap] = ok
(7) eap_mschapv2:   } # authenticate = ok
(7) eap_mschapv2: MSCHAP Success
(7) eap: Sending EAP Request (code 1) ID 147 length 51
(7) eap: EAP session adding &reply:State = 0xce54cccdcfc7d606
(7)       [eap] = handled
(7)     } # authenticate = handled
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   Class := 0x54657374
(7)   EAP-Message =
0x019300331a0392002e533d37344538383341333831323330303433453231423444393
831443846304645303534393332434436
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xce54cccdcfc7d6066e64469f1bba9a6c
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   Class := 0x54657374
(7) eap_peap:   EAP-Message =
0x019300331a0392002e533d37344538383341333831323330303433453231423444393
831443846304645303534393332434436
(7) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(7) eap_peap:   State = 0xce54cccdcfc7d6066e64469f1bba9a6c
(7) eap_peap: Got tunneled reply RADIUS code 11
(7) eap_peap:   Class := 0x54657374
(7) eap_peap:   EAP-Message =
0x019300331a0392002e533d37344538383341333831323330303433453231423444393
831443846304645303534393332434436
(7) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(7) eap_peap:   State = 0xce54cccdcfc7d6066e64469f1bba9a6c
(7) eap_peap: Got tunneled Access-Challenge
(7) eap: Sending EAP Request (code 1) ID 147 length 82
(7) eap: EAP session adding &reply:State = 0xacb59afcab2683f3
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/raddb//sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 115 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(7)   EAP-Message =
0x0193005219001703030047d7bfce4f731f8926d0eb5fb2fb64d352a28529a911dc1f1
6f04df90f49ca7b5d558c6aaa9551b79d2aefe09cabc8d6dab3f7ddfd3e1975c56b057b
a096a0d20f24ffcf1b0f8b39
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xacb59afcab2683f3c10471c5771ffc72
(7) Finished request
Waking up in 4.9 seconds.
(8) Received Access-Request Id 116 from 192.168.251.51:39578 to
172.16.1.104:1812 length 236
(8)   User-Name = "fimi"
(8)   NAS-Identifier = "a22aa8d26c65"
(8)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   Acct-Session-Id = "6A0D6C94095D2E0A"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message =
0x029300251900170303001a0000000000000003df886c4c4c30475c1e9f179b8e75396
288fa
(8)   State = 0xacb59afcab2683f3c10471c5771ffc72
(8)   Message-Authenticator = 0xc30bd0a5031ba8aa96fa0c1beae66554
(8) Restoring &session-state
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-
SHA256"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 147 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb//sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xce54cccdcfc7d606
(8) eap: Finished EAP session with state 0xacb59afcab2683f3
(8) eap: Previous EAP request found for state 0xacb59afcab2683f3,
released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x029300061a03
(8) eap_peap: Setting User-Name to fimi
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x029300061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "fimi"
(8) eap_peap:   State = 0xce54cccdcfc7d6066e64469f1bba9a6c
(8) eap_peap:   NAS-Identifier = "a22aa8d26c65"
(8) eap_peap:   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(8) eap_peap:   NAS-Port-Type = Wireless-802.11
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(8) eap_peap:   Connect-Info = "CONNECT 0Mbps 802.11b"
(8) eap_peap:   Acct-Session-Id = "6A0D6C94095D2E0A"
(8) eap_peap:   WLAN-Pairwise-Cipher = 1027076
(8) eap_peap:   WLAN-Group-Cipher = 1027076
(8) eap_peap:   WLAN-AKM-Suite = 1027073
(8) eap_peap:   Framed-MTU = 1400
(8) eap_peap:   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(8) eap_peap:   NAS-IP-Address = 192.168.251.51
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x029300061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "fimi"
(8)   State = 0xce54cccdcfc7d6066e64469f1bba9a6c
(8)   NAS-Identifier = "a22aa8d26c65"
(8)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(8)   Connect-Info = "CONNECT 0Mbps 802.11b"
(8)   Acct-Session-Id = "6A0D6C94095D2E0A"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   Event-Timestamp = "Feb 16 2021 14:31:51 CET"
(8)   NAS-IP-Address = 192.168.251.51
(8) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/raddb//sites-
enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 147 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8)       [files] = noop
rlm_ldap (ldap): Reserved connection (1)
(8) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap:    --> (cn=fimi)
(8) ldap: Performing search in "o=HTBL" with filter "(cn=fimi)", scope
"sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL"
(8) ldap: Added eDirectory password
(8) ldap: Binding as user for eDirectory authorization checks
(8) ldap: Waiting for bind result...
(8) ldap: Bind successful
(8) ldap: Bind as user 'cn=FIMI,ou=TEACHERS,ou=EL,o=HTBL' was
successful
(8) ldap: Processing user attributes
(8) ldap: reply:Class := 0x54657374
rlm_ldap (ldap): Released connection (1)
(8)       [ldap] = updated
(8)       if ((ok || updated) && User-Password) {
(8)       if ((ok || updated) && User-Password)  -> FALSE
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/raddb//sites-enabled/inner-
tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0xce54cccdcfc7d606
(8) eap: Finished EAP session with state 0xce54cccdcfc7d606
(8) eap: Previous EAP request found for state 0xce54cccdcfc7d606,
released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 147 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/raddb//sites-
enabled/inner-tunnel
(8)     post-auth {
(8)       update outer.session-state {
(8)         User-Name := &User-Name -> 'fimi'
(8)       } # update outer.session-state = noop
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = noop
(8)   Login OK: [fimi] (from client private-network-1 port 0 cli F4-60-
E2-B3-96-5C via TLS tunnel)
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Class := 0x54657374
(8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8)   MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023
(8)   MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8
(8)   EAP-Message = 0x03930004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "fimi"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Class := 0x54657374
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023
(8) eap_peap:   MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8
(8) eap_peap:   EAP-Message = 0x03930004
(8) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "fimi"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Class := 0x54657374
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0x10c1a0afdb990b0c89cbafea1fb5a023
(8) eap_peap:   MS-MPPE-Recv-Key = 0x945a04e47cdc6cc2855e4671b019dac8
(8) eap_peap:   EAP-Message = 0x03930004
(8) eap_peap:   Message-Authenticator =
0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "fimi"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap_peap: Saving tunneled attributes for later
(8) eap: Sending EAP Request (code 1) ID 148 length 46
(8) eap: EAP session adding &reply:State = 0xacb59afca42183f3
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/raddb//sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
(8)   TLS-Session-Version = "TLS 1.2"
(8)   User-Name := "fimi"
(8) Sent Access-Challenge Id 116 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(8)   EAP-Message =
0x0194002e19001703030023d7bfce4f731f8927e59eccb9a0df53bdd33beb426543316
13c93d58c9b3cb1a370fd58
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xacb59afca42183f3c10471c5771ffc72
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 117 from 192.168.251.51:39578 to
172.16.1.104:1812 length 245
(9)   User-Name = "fimi"
(9)   NAS-Identifier = "a22aa8d26c65"
(9)   Called-Station-Id = "A2-2A-A8-D2-6C-65:8021x"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Service-Type = Framed-User
(9)   Calling-Station-Id = "F4-60-E2-B3-96-5C"
(9)   Connect-Info = "CONNECT 0Mbps 802.11b"
(9)   Acct-Session-Id = "6A0D6C94095D2E0A"
(9)   WLAN-Pairwise-Cipher = 1027076
(9)   WLAN-Group-Cipher = 1027076
(9)   WLAN-AKM-Suite = 1027073
(9)   Framed-MTU = 1400
(9)   EAP-Message =
0x0294002e1900170303002300000000000000049cbc0856d443a17c57cf0e9696e0be8
29f55af83884de32f3d1fed
(9)   State = 0xacb59afca42183f3c10471c5771ffc72
(9)   Message-Authenticator = 0xbbafaf4a03ca8cd3833cd32b4090599f
(9) Restoring &session-state
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-
SHA256"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9)   &session-state:User-Name := "fimi"
(9) # Executing section authorize from file /etc/raddb//sites-
enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
{
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "fimi", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 148 length 46
(9) eap: Continuing tunnel setup
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb//sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xacb59afca42183f3
(9) eap: Finished EAP session with state 0xacb59afca42183f3
(9) eap: Previous EAP request found for state 0xacb59afca42183f3,
released from the list
(9) eap: Peer sent packet with method EAP PEAP (25)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state send tlv success
(9) eap_peap: Received EAP-TLV response
(9) eap_peap: Success
(9) eap_peap: Using saved attributes from the original Access-Accept
(9) eap_peap:   Class := 0x54657374
(9) eap_peap:   User-Name = "fimi"
(9) eap: Sending EAP Success (code 3) ID 148 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file /etc/raddb//sites-
enabled/default
(9)   post-auth {
(9) detail: EXPAND /var/log/radius/radacct/detail-%{Packet-Src-IP-
Address}-%Y%m%d
(9) detail:    --> /var/log/radius/radacct/detail-192.168.251.51-
20210216
(9) detail: /var/log/radius/radacct/detail-%{Packet-Src-IP-Address}-
%Y%m%d expands to /var/log/radius/radacct/detail-192.168.251.51-
20210216
(9) detail: EXPAND %t
(9) detail:    --> Tue Feb 16 14:31:51 2021
(9)     [detail] = ok
(9)     if (session-state:User-Name && reply:User-Name && request:User-
Name && (reply:User-Name == request:User-Name)) {
(9)     if (session-state:User-Name && reply:User-Name && request:User-
Name && (reply:User-Name == request:User-Name))  -> TRUE
(9)     if (session-state:User-Name && reply:User-Name && request:User-
Name && (reply:User-Name == request:User-Name))  {
(9)       update reply {
(9)         &User-Name !* ANY
(9)       } # update reply = noop
(9)     } # if (session-state:User-Name && reply:User-Name &&
request:User-Name && (reply:User-Name == request:User-Name))  = noop
(9)     update {
(9)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-
Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
(9)       &reply::TLS-Session-Version += &session-state:TLS-Session-
Version[*] -> 'TLS 1.2'
(9)       &reply::User-Name += &session-state:User-Name[*] -> 'fimi'
(9)     } # update = noop
(9)     [exec] = noop
(9)   } # post-auth = ok
(9) Login OK: [fimi] (from client private-network-1 port 0 cli F4-60-
E2-B3-96-5C)
(9) Sent Access-Accept Id 117 from 172.16.1.104:1812 to
192.168.251.51:39578 length 0
(9)   Class := 0x54657374
(9)   MS-MPPE-Recv-Key =
0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd
(9)   MS-MPPE-Send-Key =
0x44486a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915
(9)   EAP-Message = 0x03940004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name += "fimi"
(9) Finished request
Waking up in 4.8 seconds.
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Renaming
/var/log/radius/radacct/detail-192.168.251.51-20210216 ->
/var/log/radius/radacct/detail.work
detail (/var/log/radius/radacct/detail-*): Read packet from
/var/log/radius/radacct/detail.work
        Packet-Type = Access-Accept
        Class = 0x54657374
        User-Name = "fimi"
        MS-MPPE-Recv-Key =
0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd
        MS-MPPE-Send-Key =
0x44486a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915
        EAP-MSK =
0xf050c53e55a61c968578e1eb912fb311a88ac83aa9c8da1b150215372df7e8dd44486
a1a39cd12bc26a4aa7af8ba5ab15af6d50c0761d5f871e30a0a26319915
        EAP-EMSK =
0x8e69ff7772e986232fe655bd169495f41d41a92fe5d60073c08629f8cc9a7829381a2
9a5277fbce20a14a70dadd25244e7f53ab509635c741374cd23769d9fe6
        EAP-Session-Id =
0x1963c73063457cfb114c1273ccdcd419324e47cc9d731c536da4118f5ca68b1177a6c
97603f1cc359df7d25c0b12e85f72f42fbd5b6cc194d7f4d4eb950ef62b3b
        EAP-Message = 0x03940004
        Message-Authenticator = 0x00000000000000000000000000000000
        Packet-Original-Timestamp = "Feb 16 2021 14:31:51 CET"
        Packet-Transmit-Counter = 1
Waking up in 3.9 seconds.
detail (/var/log/radius/radacct/detail-*): Unlinking
/var/log/radius/radacct/detail.work
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 0.757665 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 0.917765 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 0.913522 sec
detail (/var/log/radius/radacct/detail-*): Polling for detail file
detail (/var/log/radius/radacct/detail-*): Detail listener state
unopened waiting 1.103471 sec
(0) Cleaning up request packet ID 108 with timestamp +8
(1) Cleaning up request packet ID 109 with timestamp +8
(2) Cleaning up request packet ID 110 with timestamp +8
(3) Cleaning up request packet ID 111 with timestamp +8
(4) Cleaning up request packet ID 112 with timestamp +8
(5) Cleaning up request packet ID 113 with timestamp +8
(6) Cleaning up request packet ID 114 with timestamp +8
(7) Cleaning up request packet ID 115 with timestamp +8
(8) Cleaning up request packet ID 116 with timestamp +8
(9) Cleaning up request packet ID 117 with timestamp +8
Ready to process requests

Have a nice day,
Mike


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Accounting Packet not sent

Alan DeKok-2
On Feb 16, 2021, at 8:38 AM, Michael Fischer <[hidden email]> wrote:
> My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory
> backend. FreeRadius should then send an accounting packet to a
> FortiGate firewall where a SSO agent is running.

  The server doesn't really originate accounting packets.

> The authentication part is working fine, a user can connect to the
> WiFi.
>
> As far as I understood it, I should configure FreeRadius to write a
> detail file which is then parsed and an accounting package sent to the
> Fortigate firewall.

  Well... maybe.  But you can't write an Access-Accept packet, and have it magically turn into an Accounting-Request packet.

> Reading the detail file seems to work fine, but no accounting package
> is sent to the FortiGate firewall (I even checked using Wireshark). See
> a part of the debug-log here:
> ...
> detail (/var/log/radius/radacct/detail-*): Read packet from
> /var/log/radius/radacct/detail.work
> Packet-Type = Access-Accept

  That's not an Accounting packet, is it?

   Further, that packet doesn't contain any normal accounting attributes.

> Class = 0x54657374
> User-Name = "fimi"
> MS-MPPE-Recv-Key =
> 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea
> MS-MPPE-Send-Key =
> 0x1120b9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
> EAP-MSK =
> 0x28765691676b5035b99c8aa3b2b5bb8c1e9b4b3e32a457239e11df0cdac127ea1120b
> 9224c29ff96b3ed507b19eabd80bb1c7728772cbe8305a876cede81c224
> EAP-EMSK =
> 0xd3a64e1f290603568302a9f6c13c3ae00eaea0f45caeff1503b5609e2faf9b06be114
> 12f1243564b0a08b8df5d58cc33235989699b860f0171b9b73a29bb0e36

  You really don't want to send EAP-MSK and EAP-EMSK over the wire to another system.

  TBH, just run "radclient" for now.  Or, use the Perl / Python modules to send RADIUS packets.  The server isn't really designed to change packet types like this.

  We've fixed all of this in v4, where this goal is pretty much trivial to do.  But we're still a long way from releasing v4.

  Alan DeKok.


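The "send it yourself" route Alan points at (radclient, or a Perl/Python module), worked through as an added example that is not part of this thread and not FreeRADIUS code. It takes a record shaped like the detail.work dump above, drops the MS-MPPE-* and EAP-* key material before anything leaves the host, and builds a real Accounting-Request with the RFC 2866 Request Authenticator, plus the Response Authenticator check the client side should do on the FortiGate's answer. Assumed, not from the thread: the shared secret `testing123`, the Framed-IP-Address, the session id, and port 1813 as the accounting port; the NAS-IP-Address 172.16.1.104 is the server address from the debug log.

```python
"""Added example: build/verify a RADIUS Accounting-Request (RFC 2866) from a
detail-file style record, dropping EAP key material before it leaves the host."""
import hashlib, hmac, os, socket, struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Standard attribute type codes (RFC 2865 / 2866).
ATTR_TYPES = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
              "Class": 25, "Calling-Station-Id": 31,
              "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}
SENSITIVE_PREFIXES = ("MS-MPPE-", "EAP-")   # key material: never forward

# Constructed record shaped like the detail.work dump in the thread; the
# Framed-IP-Address is invented and the key values are truncated on purpose.
SAMPLE_RECORD = {
    "Packet-Type": "Access-Accept",
    "User-Name": "fimi",
    "Class": "0x54657374",
    "Calling-Station-Id": "F4-60-E2-B3-96-5C",
    "Framed-IP-Address": "192.168.251.77",
    "MS-MPPE-Recv-Key": "0x28765691676b5035",
    "EAP-MSK": "0x28765691676b5035",
}

def encode_value(name, value):
    """Encode one value per its RFC data type (ipaddr, integer, octets, string)."""
    if name in ("Framed-IP-Address", "NAS-IP-Address"):
        return bytes(int(o) for o in value.split("."))
    if name == "Acct-Status-Type":
        return struct.pack("!I", ACCT_STATUS[value])
    if value.startswith("0x"):                  # octets as FreeRADIUS prints them
        return bytes.fromhex(value[2:])
    return value.encode("utf-8")

def encode_avp(name, value):
    data = encode_value(name, value)
    if len(data) > 253:
        raise ValueError(f"{name}: too long for one AVP")
    return struct.pack("!BB", ATTR_TYPES[name], len(data) + 2) + data

def select_attributes(record):
    """Keep only attributes that are safe to forward and that we can encode."""
    return {n: v for n, v in record.items()
            if n in ATTR_TYPES and not n.startswith(SENSITIVE_PREFIXES)}

def build_accounting_request(record, secret, status="Start", nas_ip="172.16.1.104",
                             packet_id=None, session_id=None):
    attrs = select_attributes(record)
    attrs["Acct-Status-Type"] = status
    attrs["Acct-Session-Id"] = session_id or os.urandom(8).hex()
    attrs.setdefault("NAS-IP-Address", nas_ip)
    body = b"".join(encode_avp(n, v) for n, v in attrs.items())
    pid = os.urandom(1)[0] if packet_id is None else packet_id
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, pid, 20 + len(body))
    # RFC 2866 s3: RequestAuth = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_request_authenticator(packet, secret):
    """The check the accounting server makes before trusting the packet."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def make_accounting_response(request, secret):
    """Minimal Accounting-Response (no attributes), as the far end would answer."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # RFC 2866 s3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response_authenticator(response, request, secret):
    """Client-side check that the reply matches our request ID and shared secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def send_accounting(packet, host, secret, port=1813, timeout=3.0):
    """UDP round trip; True only if an authenticated Accounting-Response arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response_authenticator(response, packet, secret)
```

Against a real FortiGate, `send_accounting(build_accounting_request(SAMPLE_RECORD, secret), "172.16.1.253", secret)` returns False both when nothing comes back and when the reply's authenticator does not validate, which is the usual symptom of a wrong shared secret or a missing client entry on the far end. The one-line radclient equivalent of the build-and-send part is `echo "User-Name=fimi,Acct-Status-Type=Start,Acct-Session-Id=0123abcd" | radclient -x 172.16.1.253:1813 acct <secret>`; radclient does the same attribute filtering only because you type the attributes yourself, so nothing from the detail file leaks by accident.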

Re: Accounting Packet not sent

Michael Fischer
On Tue, 2021-02-16 at 09:02 -0500, Alan DeKok wrote:

> On Feb 16, 2021, at 8:38 AM, Michael Fischer <[hidden email]> wrote:
> > My goal is to authenticate WiFi-Users via FreeRadius with an eDirectory
> > backend. FreeRadius should then send an accounting packet to a
> > FortiGate firewall where a SSO agent is running.
>
>   The server doesn't really originate accounting packets.
>
> > The authentication part is working fine, a user can connect to the
> > WiFi.
> >
> > As far as I understood it, I should configure FreeRadius to write a
> > detail file which is then parsed and an accounting package sent to the
> > Fortigate firewall.
>
>   Well... maybe.  But you can't write an Access-Accept packet, and have it magically turn into an Accounting-Request packet.
Thank you very much - that was the hint that led me to the solution!

I enabled "Radius Accounting" on my WiFi Controller. Now the proxying
to the Fortigate Firewall works fine!

Thanks a lot,
Mike
