How does CUI works? How does anonymous works? Im lost

daniel.pena
Hi all,

I'm facing hard times trying to understand how RADIUS auth works. Every time I think I understood, a new problem appears and messes with my head.

Reading files, I saw that inner tunnel username can be different from outer username due to privacy. But, in those cases, outer username must be an anonymous username, otherwise, it might be spoofing.

What happens in my logs is NOT anonymous. Some devices (always Android) send the username as a number and, for the inner tunnel, the real username. One problem is that this number is different for each user, but it never changes: for user01, his number will always be the same for him, but it differs from user02's. So, I can't use filter username.

So, searching e-mails, I found some update outer.reply stuff (and some other things) to put in post-auth, but had no success.

So, until now, I have this (real usernames):
User joao.bosco will connect to wifi, so he enables wifi in his device.
Then, the first request comes with this username: User-Name = "321457" (and for him, always the same)
So, freeradius goes on, creates the inner tunnel and his real username appears:
(224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(224) sql:    --> joao.bosco
(224) sql: SQL-User-Name set to 'joao.bosco'
(224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL

Here, it checks for simultaneous sessions. This part is ok.
Then, freeradius goes on, and things I found in my searches appear to work (outer.reply stuff):
(224)       update outer.reply {
(224)         User-Name := &request:User-Name -> 'joao.bosco'
(224)       } # update outer.reply = noop
(224)     } # post-auth = ok
(224)   Login OK: [joao.bosco] (from client AP-CEI-TER-221 port 0 via TLS tunnel)
(224) } # server inner-tunnel
(224) Virtual server sending reply
(224)   Idle-Timeout = 300
(224)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224)   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224)   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224)   EAP-Message = 0x03cb0004
(224)   Message-Authenticator = 0x00000000000000000000000000000000
(224*******)   User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply code 2
(224) eap_peap:   Idle-Timeout = 300
(224) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap:   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap:   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap:   EAP-Message = 0x03cb0004
(224) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap:   User-Name = "joao.bosco"
(224) eap_peap: Got tunneled reply RADIUS code 2
(224) eap_peap:   Idle-Timeout = 300
(224) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(224) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(224) eap_peap:   MS-MPPE-Send-Key = 0x7b0f70472005cfcee3f2942f7484f8e0
(224) eap_peap:   MS-MPPE-Recv-Key = 0xcbb304c0e2f86a5828dfdb393906bea4
(224) eap_peap:   EAP-Message = 0x03cb0004
(224) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(224) eap_peap:   User-Name = "joao.bosco"
(224) eap_peap: Tunneled authentication was successful
(224) eap_peap: SUCCESS
(224) eap: Sending EAP Request (code 1) ID 204 length 46
(224) eap: EAP session adding &reply:State = 0x2899acb82055b5bd
(224)     [eap] = handled
(224)   } # authenticate = handled
(224) Using Post-Auth-Type Challenge
(224) Post-Auth-Type sub-section not found.  Ignoring.
(224) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(224) Sent Access-Challenge Id 127 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(224*********)   User-Name := "joao.bosco"
(224)   EAP-Message = 0x01cc002e1900170303002307a25f0b393cc4df3f654be203d74fbcdd1ec936ebbbb6fdba3e8867a9583c5f6677bc
(224)   Message-Authenticator = 0x00000000000000000000000000000000
(224)   State = 0x2899acb82055b5bdee6ad9f73e1a7846

Those ******** show what I think is the right consequence for outer.reply.

Continuing, next packet, the number is back:
(225) Received Access-Request Id 128 from 10.34.87.221:44442 to 10.34.242.3:1812 length 313
(225)   User-Name = "321457"

Then, it executes post-auth in name of 321457, inserting into DB wrong username:
(225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(225)   post-auth {
(225)     update {
(225)       No attributes updated
(225)     } # update = noop
(225) sql: EXPAND .query
(225) sql:    --> .query
(225) sql: Using query template 'query'
(225) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(225) sql:    --> 321457
(225) sql: SQL-User-Name set to '321457'
(225) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(225) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593000289))
(225) sql: SQL query returned: success
(225) sql: 1 record(s) updated
(225)     [sql] = ok
(225)     [exec] = noop
(225)     policy remove_reply_message_if_eap {
(225)       if (&reply:EAP-Message && &reply:Reply-Message) {
(225)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(225)       else {
(225)         [noop] = noop
(225)       } # else = noop
(225)     } # policy remove_reply_message_if_eap = noop
(225)   } # post-auth = ok
(225) Login OK: [321457] (from client AP-CEI-TER-221 port 0 cli 70-FD-46-BE-0D-8A)

This part:
(225)   post-auth {
(225)     update {
(225)       No attributes updated
(225)     } # update = noop
I thought of putting something here to update the username... but then: "from where could I pick the right one?" No clue.
And here comes the Access-Accept:
(225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
(225)   MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
(225)   MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
(225)   EAP-Message = 0x03cc0004
(225)   Message-Authenticator = 0x00000000000000000000000000000000
(225)   User-Name = "321457"
Wrong username again.


And, lastly, the Accounting-Request:
(236) Received Accounting-Request Id 129 from 10.34.87.221:37992 to 10.34.242.3:1813 length 247
(236)   Acct-Status-Type = Start
(236)   Acct-Authentic = RADIUS
(236)   User-Name = "321457"

That sends this to line-log: Connect: [321457] (did 74-DA-88-ED-D3-32:MPDFT cli 70-FD-46-BE-0D-8A port  ip 172.28.255.182)
And inserts this into radacct:
(236) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('74da88edd332-203B18825AE31355', '2e382eabcf5b705081c1d8cdbbb1d876', '321457', NULLIF('', ''), '10.34.87.221', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593000292), TO_TIMESTAMP(1593000292), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '74-DA-88-ED-D3-32:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(236) sql: SQL query returned: success
(236) sql: 1 record(s) updated

Well, with this scenario, everything works fine for 321457. I have queries that close stalled sessions, etc... but I don't know the real username, AND the simultaneous-use check will never work, since it's checking the real username... I can't call accounting queries from inner-tunnel...


In another e-mail, somebody told me to use CUI. I read all the documentation, but I simply did not understand. What will it do? I need to register the real username in radacct...

It appears that the more I read, the less I understand... I have an Android and I don't even know how to configure it to create this scenario with 2 different usernames ...











-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How does CUI works? How does anonymous works? Im lost

Alan DeKok-2
On Jun 24, 2020, at 9:01 AM, Daniel Guimaraes Pena <[hidden email]> wrote:
> I'm facing hard times trying to understand how RADIUS auth works. Every time I think I understood, a new problem appears and messes with my head.

  It's very complex.  There are many, many, moving parts to RADIUS authentication.

  There's a lot of explanation on our corporate site:  https://networkradius.com/freeradius-documentation/

  We're also working on updating the main FreeRADIUS site with lots more documentation.

> Reading files, I saw that inner tunnel username can be different from outer username due to privacy. But, in those cases, outer username must be an anonymous username, otherwise, it might be spoofing.

  Yes.  That's the recommendation.  But not everyone does that.

> What happens in my logs is NOT anonymous. Some devices (always Android) send the username as a number and, for the inner tunnel, the real username. One problem is that this number is different for each user, but it never changes: for user01, his number will always be the same for him, but it differs from user02's. So, I can't use filter username.

  Then you don't have rules which depend on the outer name.  The rules should depend on the inner name.

> So, searching e-mails, I found some update outer.reply stuff (and some other things) to put in post-auth, but had no success.

  What does that mean?  "I tried stuff and it didn't work".

> So, until now, I have this (real usernames):
> User joao.bosco will connect to wifi, so he enables wifi in his device.
> Then, the first request comes with this username: User-Name = "321457" (and for him, always the same)
> So, freeradius goes on, creates the inner tunnel and his real username appears:

  Not quite "create".  It's set up via a TLS connection.  The user's machine sends the inner tunnel data to FreeRADIUS.

> (224) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
> (224) sql:    --> joao.bosco
> (224) sql: SQL-User-Name set to 'joao.bosco'
> (224) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
> (224) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
> (224) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
>
> Here, it checks for simultaneous sessions. This part is ok.

   OK...

> Then, freeradius goes on, and things I found in my searches appear to work (outer.reply stuff):
> (224)       update outer.reply {
> (224)         User-Name := &request:User-Name -> 'joao.bosco'
> (224)       } # update outer.reply = noop
> (224)     } # post-auth = ok

   You should probably instead do:

        update outer.state {
                User-Name := &request:User-Name
        }

  Which means "track the user name across multiple packets".  When you do "update outer.reply", it just updates *this* reply.  Not the final Access-Accept, which may be many packets later.

> This part:
> (225)   post-auth {
> (225)     update {
> (225)       No attributes updated
> (225)     } # update = noop
> I thought of putting something here to update the username... but then: "from where could I pick the right one?" No clue.

  Is that the *outer* post-auth section?

  You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section.  The comments there are for exactly this situation.

  If you don't have those comments, upgrade to the most recent version of the server.  Or, look on GitHub for the default configuration.

> And here comes the Access-Accept:
> (225) Sent Access-Accept Id 128 from 10.34.242.3:1812 to 10.34.87.221:44442 length 0
> (225)   MS-MPPE-Recv-Key = 0x64f41978c0fde374a2b11308204593aed2e7feba32223cdcd5dbec47c0c80593
> (225)   MS-MPPE-Send-Key = 0xd71b8e63dce5a856f8e77f0f86fc9459bd07f8130dbc72a001f6431043ec29aa
> (225)   EAP-Message = 0x03cc0004
> (225)   Message-Authenticator = 0x00000000000000000000000000000000
> (225)   User-Name = "321457"
> Wrong username again.

  Yes.  Because the debug log shows the User-Name being sent in an earlier Access-Challenge.

> In another e-mail, somebody told me to use CUI. I read all the documentation, but I simply did not understand. What will it do? I need to register the real username in radacct...

  Don't bother with CUI.

> It appears that the more I read, the less I understand... I have an Android and I don't even know how to configure it to create this scenario with 2 different usernames ...

  Most third-party web sites are confusing or wrong.  Much advice about FreeRADIUS is confusing or wrong.

  The FreeRADIUS documentation, wiki, and the corporate site above are correct. And even pretty clear most of the time.

  Alan DeKok.


RES: How does CUI works? How does anonymous works? Im lost

daniel.pena
>  What does that mean?  "I tried stuff and it didn't work".

I searched here: http://freeradius.1045715.n5.nabble.com/ (read a lot of things, but thought that all of them wouldn't work for me) so, as you can see, I tried only one of them and it did not work... (I know why now, thanks to your explanation)


>   You should probably instead do:
>
> update outer.state {
> User-Name := &request:User-Name
> }
>
> Which means "track the user name across multiple packets".  When you do "update outer.reply", it just updates *this* reply.  Not the final Access-Accept, which may be many packets later.

I'll do that


>  Is that the *outer* post-auth section?

Yes, it is... logs with number 225 are from virtual server default:
(225) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default

>  You should read sites-enabled/default, and look for "TTLS and PEAP" in the post-auth section.  The comments there are for exactly this situation.
>
>  If you don't have those comments, upgrade to the most recent version of the server.  Or, look on GitHub for the default configuration.

I read this... I imagine that this has to do with your suggestion of outer.state, right?

>  Don't bother with CUI.

You don't know how happy I got reading this =)




RES: How does CUI works? How does anonymous works? Im lost

daniel.pena
By doing this
> update outer.state {
> User-Name := &request:User-Name
> }

in post-auth at sites-available/inner-tunnel, results in this error:

} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading pre-proxy {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
/etc/freeradius/3.0/sites-enabled/inner-tunnel[374]: Default list "state" specified in mapping section is invalid
/etc/freeradius/3.0/sites-enabled/inner-tunnel[286]: Errors parsing post-auth section.



Does it have to be like this?
> update outer.session-state {
> User-Name := &request:User-Name
> }

I am starting to think radically: enabling filter_inner_identity to block those requests that have different usernames

                #
                #  There's no outer realm.  The outer NAI is different from the
                #  inner NAI.  The User-Name MUST be anonymized.
                #
                #  Otherwise, you could log in as outer "bob", and inner "doug",
                #  and we'd have no idea which one was correct.
                #
                elsif (&outer.request:User-Name !~ /^anon/) {
                        update request {
                                Module-Failure-Message = "User-Name is not anonymized"
                        }
                        reject
                }





Re: RES: How does CUI works? How does anonymous works? Im lost

Alan DeKok-2
On Jun 24, 2020, at 10:41 AM, Daniel Guimaraes Pena <[hidden email]> wrote:

>
> By doing this
>> update outer.state {
>> User-Name := &request:User-Name
>> }
>
> in post-auth at sites-available/inner-tunnel, results in this error:
>
> } # server default
> server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> # Loading authorize {...}
> # Loading session {...}
> # Loading pre-proxy {...}
> # Loading post-proxy {...}
> # Loading post-auth {...}
> /etc/freeradius/3.0/sites-enabled/inner-tunnel[374]: Default list "state" specified in mapping section is invalid
> /etc/freeradius/3.0/sites-enabled/inner-tunnel[286]: Errors parsing post-auth section.

  Sorry, that's a typo.

> Does it have to be like this?
>> update outer.session-state {
>> User-Name := &request:User-Name
>> }

  Yes.

> I am starting to think radically: enabling filter_inner_identity to block those requests that have different usernames

  If you can't update the clients which send the wrong outer identity, there's not much you can do.  Rejecting them won't work.

  Alan DeKok.
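
An added example, not part of the thread and not FreeRADIUS code: a small audit script that reads "radiusd -X" debug output and checks, for every Access-Accept, whether the User-Name in the reply is the identity that was authenticated inside the TLS tunnel, which is what the outer.session-state change discussed above is meant to achieve. It assumes the "Login OK: [...] ... via TLS tunnel" line is logged as in the thread and links packets by Calling-Station-Id; the log lines, addresses, MACs and the user "maria.silva" are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "radiusd -X" lines quoted in the thread.
SAMPLE_LOG = """\
(10) Received Access-Request Id 1 from 192.0.2.10:40000 to 192.0.2.1:1812 length 300
(10)   User-Name = "321457"
(10)   Calling-Station-Id = "02-00-00-00-00-01"
(10) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(10)       update outer.reply {
(10)         User-Name := &request:User-Name -> 'joao.bosco'
(10)       } # update outer.reply = noop
(10)   Login OK: [joao.bosco] (from client AP-1 port 0 via TLS tunnel)
(10) Sent Access-Challenge Id 1 from 192.0.2.1:1812 to 192.0.2.10:40000 length 0
(10)   User-Name := "joao.bosco"
(10)   EAP-Message = 0x01cc002e
(11) Received Access-Request Id 2 from 192.0.2.10:40000 to 192.0.2.1:1812 length 313
(11)   User-Name = "321457"
(11)   Calling-Station-Id = "02-00-00-00-00-01"
(11) Login OK: [321457] (from client AP-1 port 0 cli 02-00-00-00-00-01)
(11) Sent Access-Accept Id 2 from 192.0.2.1:1812 to 192.0.2.10:40000 length 0
(11)   EAP-Message = 0x03cc0004
(11)   User-Name = "321457"
(20) Received Access-Request Id 3 from 192.0.2.11:40001 to 192.0.2.1:1812 length 300
(20)   User-Name = "anonymous"
(20)   Calling-Station-Id = "02-00-00-00-00-02"
(20)   Login OK: [maria.silva] (from client AP-1 port 0 via TLS tunnel)
(20) Sent Access-Challenge Id 3 from 192.0.2.1:1812 to 192.0.2.11:40001 length 0
(21) Received Access-Request Id 4 from 192.0.2.11:40001 to 192.0.2.1:1812 length 313
(21)   User-Name = "anonymous"
(21)   Calling-Station-Id = "02-00-00-00-00-02"
(21) Sent Access-Accept Id 4 from 192.0.2.1:1812 to 192.0.2.11:40001 length 0
(21)   User-Name = "maria.silva"
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")
ATTR = re.compile(r'^([A-Za-z0-9-]+) :?= "?(.*?)"?$')
SENT = re.compile(r"^Sent (Access-\w+) ")
INNER_OK = re.compile(r"^Login OK: \[([^\]/]+)[^\]]*\] \(from client .* via TLS tunnel\)$")

@dataclass
class Finding:
    request: int            # debug-log request number of the Access-Accept
    station: str            # Calling-Station-Id of the outer request
    outer: str              # outer (unprotected) User-Name
    inner: str | None       # identity authenticated inside the TLS tunnel
    reply_user: str | None  # User-Name returned in the Access-Accept
    outer_anonymized: bool  # same /^anon/ test as the quoted filter_inner_identity
    verdict: str

def parse(log: str) -> dict[int, dict]:
    """Group lines by request number; keep attributes of received and sent packets."""
    reqs: dict[int, dict] = {}
    for raw in log.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        body = m.group(2)
        r = reqs.setdefault(int(m.group(1)),
                            {"recv": {}, "sent": {}, "type": None, "inner": None, "sec": None})
        if body.startswith("Received Access-Request"):
            r["sec"] = "recv"
        elif s := SENT.match(body):
            r["sec"], r["type"] = "sent", s.group(1)
        elif r["sec"] and (a := ATTR.match(body)):
            r[r["sec"]].setdefault(a.group(1), a.group(2))
        else:
            r["sec"] = None  # any other line ends the packet's attribute list
            if i := INNER_OK.match(body):
                r["inner"] = i.group(1)
    return reqs

def audit(log: str) -> list[Finding]:
    """Compare each Access-Accept's User-Name with the identity proven in the tunnel."""
    inner_by_station: dict[str, str] = {}
    findings = []
    for num, r in parse(log).items():
        station = r["recv"].get("Calling-Station-Id", "unknown")
        if r["inner"]:
            inner_by_station[station] = r["inner"]
        if r["type"] != "Access-Accept":
            continue
        outer = r["recv"].get("User-Name", "")
        inner = inner_by_station.pop(station, None)
        reply_user = r["sent"].get("User-Name")
        if inner is None:
            verdict = "no tunnel identity seen"
        elif reply_user is None:
            verdict = "accept has no User-Name"
        elif reply_user.lower() == inner.lower():
            verdict = "accept carries inner identity"
        else:
            verdict = "accept carries a different identity"
        findings.append(Finding(num, station, outer, inner, reply_user,
                                outer.startswith("anon"), verdict))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

On the constructed sample, request 11 is reported as carrying a different identity (the outer "321457" instead of "joao.bosco"), and request 21 as carrying the inner identity.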


RES: RES: How does CUI works? How does anonymous works? Im lost

daniel.pena
I've been running and analyzing debug log for a while now...
This worked (for 99,9%):
> Does it have to be like this?
>> update outer.session-state {
>> User-Name := &request:User-Name
>> }
So I don’t need to block via filter.

Talking to a user, I discovered how these outer users appear: configuring Android's anonymous identity (obvious, I know, but I never tried it)

Well, as I can't force them to leave this field empty, I have to discover why this 0,1% is not working.

Here are two logs: one working and one not working (at the bottom, if needed, my inner-tunnel and default site-enabled)

============== DEBUG FOR WORKING PACKET ============
(757) Received Access-Request Id 251 from 10.34.87.223:58030 to 10.34.242.3:1812 length 260
(757)   User-Name = "321457"
(757)   NAS-IP-Address = 10.34.87.223
(757)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(757)   NAS-Port-Id = "00000001"
(757)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(757)   NAS-Port-Type = Wireless-802.11
(757)   Event-Timestamp = "Jun 24 2020 14:21:10 -03"
(757)   Service-Type = Framed-User
(757)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(757)   Connect-Info = "CONNECT 0Mbps 802.11b"
(757)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(757)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(757)   WLAN-Pairwise-Cipher = 1027076
(757)   WLAN-Group-Cipher = 1027076
(757)   WLAN-AKM-Suite = 1027073
(757)   Framed-MTU = 1400
(757)   EAP-Message = 0x0243000b01333231343537
(757)   Message-Authenticator = 0x5b97d8214a2888c145bf0fefcc4e78d1
(757) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(757)   authorize {
(757)     policy filter_username {
(757)       if (&User-Name) {
(757)       if (&User-Name)  -> TRUE
(757)       if (&User-Name)  {
(757)         if (&User-Name != "%{tolower:%{User-Name}}") {
(757)         EXPAND %{tolower:%{User-Name}}
(757)            --> 321457
(757)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(757)         if (&User-Name =~ /\// ) {
(757)         if (&User-Name =~ /\// )  -> FALSE
(757)         if (&User-Name =~ / /) {
(757)         if (&User-Name =~ / /)  -> FALSE
(757)         if (&User-Name =~ /@[^@]*@/ ) {
(757)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(757)         if (&User-Name =~ /\.\./ ) {
(757)         if (&User-Name =~ /\.\./ )  -> FALSE
(757)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(757)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(757)         if (&User-Name =~ /\.$/)  {
(757)         if (&User-Name =~ /\.$/)   -> FALSE
(757)         if (&User-Name =~ /@\./)  {
(757)         if (&User-Name =~ /@\./)   -> FALSE
(757)       } # if (&User-Name)  = notfound
(757)     } # policy filter_username = notfound
(757)     policy split_username_nai {
(757)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(757)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(757)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(757)         update request {
(757)           EXPAND %{1}
(757)              --> 321457
(757)           &Stripped-User-Name := 321457
(757)           EXPAND %{3}
(757)              -->
(757)           &Stripped-User-Domain =
(757)         } # update request = noop
(757)         [updated] = updated
(757)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(757)       ... skipping else: Preceding "if" was taken
(757)     } # policy split_username_nai = updated
(757)     [preprocess] = ok
(757) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(757) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(757) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(757) auth_log: EXPAND %t
(757) auth_log:    --> Wed Jun 24 14:21:12 2020
(757)     [auth_log] = ok
(757)     [chap] = noop
(757)     [mschap] = noop
(757)     [digest] = noop
(757) suffix: Checking for suffix after "@"
(757) suffix: No '@' in User-Name = "321457", looking up realm NULL
(757) suffix: No such realm "NULL"
(757)     [suffix] = noop
(757) eap: Peer sent EAP Response (code 2) ID 67 length 11
(757) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(757)     [eap] = ok
(757)   } # authorize = ok
(757) Found Auth-Type = eap
(757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(757)   authenticate {
(757) eap: Peer sent packet with method EAP Identity (1)
(757) eap: Calling submodule eap_md5 to process data
(757) eap_md5: Issuing MD5 Challenge
(757) eap: Sending EAP Request (code 1) ID 68 length 22
(757) eap: EAP session adding &reply:State = 0xa44f7f64a40b7b04
(757)     [eap] = handled
(757)   } # authenticate = handled
(757) Using Post-Auth-Type Challenge
(757) Post-Auth-Type sub-section not found.  Ignoring.
(757) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(757) Sent Access-Challenge Id 251 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(757)   EAP-Message = 0x0144001604107b9dac6052ee6e19390d5bcefa2b7bfd
(757)   Message-Authenticator = 0x00000000000000000000000000000000
(757)   State = 0xa44f7f64a40b7b04dd9f2a05e7c26035
(757) Finished request
(760) Received Access-Request Id 252 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(760)   User-Name = "321457"
(760)   NAS-IP-Address = 10.34.87.223
(760)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(760)   NAS-Port-Id = "00000001"
(760)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(760)   NAS-Port-Type = Wireless-802.11
(760)   Event-Timestamp = "Jun 24 2020 14:21:10 -03"
(760)   Service-Type = Framed-User
(760)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(760)   Connect-Info = "CONNECT 0Mbps 802.11b"
(760)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(760)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(760)   WLAN-Pairwise-Cipher = 1027076
(760)   WLAN-Group-Cipher = 1027076
(760)   WLAN-AKM-Suite = 1027073
(760)   Framed-MTU = 1400
(760)   EAP-Message = 0x024400060319
(760)   State = 0xa44f7f64a40b7b04dd9f2a05e7c26035
(760)   Message-Authenticator = 0xc5f7d82f6510961bc609c44849336443
(760) session-state: No cached attributes
(760) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(760)   authorize {
(760)     policy filter_username {
(760)       if (&User-Name) {
(760)       if (&User-Name)  -> TRUE
(760)       if (&User-Name)  {
(760)         if (&User-Name != "%{tolower:%{User-Name}}") {
(760)         EXPAND %{tolower:%{User-Name}}
(760)            --> 321457
(760)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(760)         if (&User-Name =~ /\// ) {
(760)         if (&User-Name =~ /\// )  -> FALSE
(760)         if (&User-Name =~ / /) {
(760)         if (&User-Name =~ / /)  -> FALSE
(760)         if (&User-Name =~ /@[^@]*@/ ) {
(760)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(760)         if (&User-Name =~ /\.\./ ) {
(760)         if (&User-Name =~ /\.\./ )  -> FALSE
(760)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(760)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(760)         if (&User-Name =~ /\.$/)  {
(760)         if (&User-Name =~ /\.$/)   -> FALSE
(760)         if (&User-Name =~ /@\./)  {
(760)         if (&User-Name =~ /@\./)   -> FALSE
(760)       } # if (&User-Name)  = notfound
(760)     } # policy filter_username = notfound
(760)     policy split_username_nai {
(760)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(760)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(760)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(760)         update request {
(760)           EXPAND %{1}
(760)              --> 321457
(760)           &Stripped-User-Name := 321457
(760)           EXPAND %{3}
(760)              -->
(760)           &Stripped-User-Domain =
(760)         } # update request = noop
(760)         [updated] = updated
(760)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(760)       ... skipping else: Preceding "if" was taken
(760)     } # policy split_username_nai = updated
(760)     [preprocess] = ok
(760) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(760) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(760) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(760) auth_log: EXPAND %t
(760) auth_log:    --> Wed Jun 24 14:21:13 2020
(760)     [auth_log] = ok
(760)     [chap] = noop
(760)     [mschap] = noop
(760)     [digest] = noop
(760) suffix: Checking for suffix after "@"
(760) suffix: No '@' in User-Name = "321457", looking up realm NULL
(760) suffix: No such realm "NULL"
(760)     [suffix] = noop
(760) eap: Peer sent EAP Response (code 2) ID 68 length 6
(760) eap: No EAP Start, assuming it's an on-going EAP conversation
(760)     [eap] = updated
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760) files: Failed resolving UID: No error
(760)     [files] = noop
(760) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(760) sql:    --> 321457
(760) sql: SQL-User-Name set to '321457'
(760) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(760) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id
(760) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '321457' ORDER BY id
(760) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(760) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority
(760) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='321457' ORDER BY priority
(760) sql: User not found in any groups
(760)     [sql] = notfound
(760)     [expiration] = noop
(760)     [logintime] = noop
(760)     if (ok) {
(760)     if (ok)  -> FALSE
(760) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(760) pap: WARNING: Authentication will fail unless a "known good" password is available
(760)     [pap] = noop
(760)   } # authorize = updated
(760) Found Auth-Type = eap
(760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(760)   authenticate {
(760) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(760) eap: Finished EAP session with state 0xa44f7f64a40b7b04
(760) eap: Previous EAP request found for state 0xa44f7f64a40b7b04, released from the list
(760) eap: Peer sent packet with method EAP NAK (3)
(760) eap: Found mutually acceptable type PEAP (25)
(760) eap: Calling submodule eap_peap to process data
(760) eap_peap: Initiating new EAP-TLS session
(760) eap_peap: [eaptls start] = request
(760) eap: Sending EAP Request (code 1) ID 69 length 6
(760) eap: EAP session adding &reply:State = 0xa44f7f64a50a6604
(760)     [eap] = handled
(760)   } # authenticate = handled
(760) Using Post-Auth-Type Challenge
(760) Post-Auth-Type sub-section not found.  Ignoring.
(760) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(760) Sent Access-Challenge Id 252 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(760)   EAP-Message = 0x014500061920
(760)   Message-Authenticator = 0x00000000000000000000000000000000
(760)   State = 0xa44f7f64a50a6604dd9f2a05e7c26035
(760) Finished request
(763) Received Access-Request Id 253 from 10.34.87.223:58030 to 10.34.242.3:1812 length 438
(763)   User-Name = "321457"
(763)   NAS-IP-Address = 10.34.87.223
(763)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(763)   NAS-Port-Id = "00000001"
(763)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(763)   NAS-Port-Type = Wireless-802.11
(763)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(763)   Service-Type = Framed-User
(763)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(763)   Connect-Info = "CONNECT 0Mbps 802.11b"
(763)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(763)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(763)   WLAN-Pairwise-Cipher = 1027076
(763)   WLAN-Group-Cipher = 1027076
(763)   WLAN-AKM-Suite = 1027073
(763)   Framed-MTU = 1400
(763)   EAP-Message = 0x024500ab1980000000a1160301009c01000098030381b72e1f7d9acc726933c5b2658331ef8cc8806b275a6f9d6b23f15fe385d85400003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000
(763)   State = 0xa44f7f64a50a6604dd9f2a05e7c26035
(763)   Message-Authenticator = 0xc101a5cabfd2b6dc7fd2863e25399ace
(763) session-state: No cached attributes
(763) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(763)   authorize {
(763)     policy filter_username {
(763)       if (&User-Name) {
(763)       if (&User-Name)  -> TRUE
(763)       if (&User-Name)  {
(763)         if (&User-Name != "%{tolower:%{User-Name}}") {
(763)         EXPAND %{tolower:%{User-Name}}
(763)            --> 321457
(763)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(763)         if (&User-Name =~ /\// ) {
(763)         if (&User-Name =~ /\// )  -> FALSE
(763)         if (&User-Name =~ / /) {
(763)         if (&User-Name =~ / /)  -> FALSE
(763)         if (&User-Name =~ /@[^@]*@/ ) {
(763)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(763)         if (&User-Name =~ /\.\./ ) {
(763)         if (&User-Name =~ /\.\./ )  -> FALSE
(763)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(763)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(763)         if (&User-Name =~ /\.$/)  {
(763)         if (&User-Name =~ /\.$/)   -> FALSE
(763)         if (&User-Name =~ /@\./)  {
(763)         if (&User-Name =~ /@\./)   -> FALSE
(763)       } # if (&User-Name)  = notfound
(763)     } # policy filter_username = notfound
(763)     policy split_username_nai {
(763)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(763)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(763)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(763)         update request {
(763)           EXPAND %{1}
(763)              --> 321457
(763)           &Stripped-User-Name := 321457
(763)           EXPAND %{3}
(763)              -->
(763)           &Stripped-User-Domain =
(763)         } # update request = noop
(763)         [updated] = updated
(763)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(763)       ... skipping else: Preceding "if" was taken
(763)     } # policy split_username_nai = updated
(763)     [preprocess] = ok
(763) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(763) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(763) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(763) auth_log: EXPAND %t
(763) auth_log:    --> Wed Jun 24 14:21:13 2020
(763)     [auth_log] = ok
(763)     [chap] = noop
(763)     [mschap] = noop
(763)     [digest] = noop
(763) suffix: Checking for suffix after "@"
(763) suffix: No '@' in User-Name = "321457", looking up realm NULL
(763) suffix: No such realm "NULL"
(763)     [suffix] = noop
(763) eap: Peer sent EAP Response (code 2) ID 69 length 171
(763) eap: Continuing tunnel setup
(763)     [eap] = ok
(763)   } # authorize = ok
(763) Found Auth-Type = eap
(763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(763)   authenticate {
(763) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(763) eap: Finished EAP session with state 0xa44f7f64a50a6604
(763) eap: Previous EAP request found for state 0xa44f7f64a50a6604, released from the list
(763) eap: Peer sent packet with method EAP PEAP (25)
(763) eap: Calling submodule eap_peap to process data
(763) eap_peap: Continuing EAP-TLS
(763) eap_peap: Peer indicated complete TLS record size will be 161 bytes
(763) eap_peap: Got complete TLS record (161 bytes)
(763) eap_peap: [eaptls verify] = length included
(763) eap_peap: (other): before SSL initialization
(763) eap_peap: TLS_accept: before SSL initialization
(763) eap_peap: TLS_accept: before SSL initialization
(763) eap_peap: <<< recv TLS 1.2  [length 009c]
(763) eap_peap: TLS_accept: SSLv3/TLS read client hello
(763) eap_peap: >>> send TLS 1.2  [length 003d]
(763) eap_peap: TLS_accept: SSLv3/TLS write server hello
(763) eap_peap: >>> send TLS 1.2  [length 0309]
(763) eap_peap: TLS_accept: SSLv3/TLS write certificate
(763) eap_peap: >>> send TLS 1.2  [length 014d]
(763) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(763) eap_peap: >>> send TLS 1.2  [length 0004]
(763) eap_peap: TLS_accept: SSLv3/TLS write server done
(763) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(763) eap_peap: In SSL Handshake Phase
(763) eap_peap: In SSL Accept mode
(763) eap_peap: [eaptls process] = handled
(763) eap: Sending EAP Request (code 1) ID 70 length 1004
(763) eap: EAP session adding &reply:State = 0xa44f7f64a6096604
(763)     [eap] = handled
(763)   } # authenticate = handled
(763) Using Post-Auth-Type Challenge
(763) Post-Auth-Type sub-section not found.  Ignoring.
(763) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(763) Sent Access-Challenge Id 253 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(763)   EAP-Message = 0x014603ec19c0000004ab160303003d0200003903031421541e93d31add097acc5d5c4b54d61a77aadc4239976b7410b514c7153cdb00c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(763)   Message-Authenticator = 0x00000000000000000000000000000000
(763)   State = 0xa44f7f64a6096604dd9f2a05e7c26035
(763) Finished request
(764) Received Access-Request Id 254 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(764)   User-Name = "321457"
(764)   NAS-IP-Address = 10.34.87.223
(764)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(764)   NAS-Port-Id = "00000001"
(764)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(764)   NAS-Port-Type = Wireless-802.11
(764)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(764)   Service-Type = Framed-User
(764)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(764)   Connect-Info = "CONNECT 0Mbps 802.11b"
(764)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(764)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(764)   WLAN-Pairwise-Cipher = 1027076
(764)   WLAN-Group-Cipher = 1027076
(764)   WLAN-AKM-Suite = 1027073
(764)   Framed-MTU = 1400
(764)   EAP-Message = 0x024600061900
(764)   State = 0xa44f7f64a6096604dd9f2a05e7c26035
(764)   Message-Authenticator = 0x8e9c53dd077cd7d0230acfb260c8aed6
(764) session-state: No cached attributes
(764) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(764)   authorize {
(764)     policy filter_username {
(764)       if (&User-Name) {
(764)       if (&User-Name)  -> TRUE
(764)       if (&User-Name)  {
(764)         if (&User-Name != "%{tolower:%{User-Name}}") {
(764)         EXPAND %{tolower:%{User-Name}}
(764)            --> 321457
(764)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(764)         if (&User-Name =~ /\// ) {
(764)         if (&User-Name =~ /\// )  -> FALSE
(764)         if (&User-Name =~ / /) {
(764)         if (&User-Name =~ / /)  -> FALSE
(764)         if (&User-Name =~ /@[^@]*@/ ) {
(764)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(764)         if (&User-Name =~ /\.\./ ) {
(764)         if (&User-Name =~ /\.\./ )  -> FALSE
(764)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(764)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(764)         if (&User-Name =~ /\.$/)  {
(764)         if (&User-Name =~ /\.$/)   -> FALSE
(764)         if (&User-Name =~ /@\./)  {
(764)         if (&User-Name =~ /@\./)   -> FALSE
(764)       } # if (&User-Name)  = notfound
(764)     } # policy filter_username = notfound
(764)     policy split_username_nai {
(764)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(764)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(764)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(764)         update request {
(764)           EXPAND %{1}
(764)              --> 321457
(764)           &Stripped-User-Name := 321457
(764)           EXPAND %{3}
(764)              -->
(764)           &Stripped-User-Domain =
(764)         } # update request = noop
(764)         [updated] = updated
(764)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(764)       ... skipping else: Preceding "if" was taken
(764)     } # policy split_username_nai = updated
(764)     [preprocess] = ok
(764) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(764) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(764) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(764) auth_log: EXPAND %t
(764) auth_log:    --> Wed Jun 24 14:21:13 2020
(764)     [auth_log] = ok
(764)     [chap] = noop
(764)     [mschap] = noop
(764)     [digest] = noop
(764) suffix: Checking for suffix after "@"
(764) suffix: No '@' in User-Name = "321457", looking up realm NULL
(764) suffix: No such realm "NULL"
(764)     [suffix] = noop
(764) eap: Peer sent EAP Response (code 2) ID 70 length 6
(764) eap: Continuing tunnel setup
(764)     [eap] = ok
(764)   } # authorize = ok
(764) Found Auth-Type = eap
(764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(764)   authenticate {
(764) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(764) eap: Finished EAP session with state 0xa44f7f64a6096604
(764) eap: Previous EAP request found for state 0xa44f7f64a6096604, released from the list
(764) eap: Peer sent packet with method EAP PEAP (25)
(764) eap: Calling submodule eap_peap to process data
(764) eap_peap: Continuing EAP-TLS
(764) eap_peap: Peer ACKed our handshake fragment
(764) eap_peap: [eaptls verify] = request
(764) eap_peap: [eaptls process] = handled
(764) eap: Sending EAP Request (code 1) ID 71 length 207
(764) eap: EAP session adding &reply:State = 0xa44f7f64a7086604
(764)     [eap] = handled
(764)   } # authenticate = handled
(764) Using Post-Auth-Type Challenge
(764) Post-Auth-Type sub-section not found.  Ignoring.
(764) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(764) Sent Access-Challenge Id 254 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(764)   EAP-Message = 0x014700cf1900e61bd97b1dc7439c95566d9ae87f362b9195be7adc3f77b668a41bed7f9dd833ba6250b3cd63779058702bc59c08b96f2628c0762cd1014094155e90b96601fa2b38b786eb4c5783ac98bb79901a11cf2c84319de6937e6fde7385cdd97d4fec1f6035d8a61bf158ce7f8fa1f4c9356473
(764)   Message-Authenticator = 0x00000000000000000000000000000000
(764)   State = 0xa44f7f64a7086604dd9f2a05e7c26035
(764) Finished request
(765) Received Access-Request Id 255 from 10.34.87.223:58030 to 10.34.242.3:1812 length 403
(765)   User-Name = "321457"
(765)   NAS-IP-Address = 10.34.87.223
(765)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(765)   NAS-Port-Id = "00000001"
(765)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(765)   NAS-Port-Type = Wireless-802.11
(765)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(765)   Service-Type = Framed-User
(765)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(765)   Connect-Info = "CONNECT 0Mbps 802.11b"
(765)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(765)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(765)   WLAN-Pairwise-Cipher = 1027076
(765)   WLAN-Group-Cipher = 1027076
(765)   WLAN-AKM-Suite = 1027073
(765)   Framed-MTU = 1400
(765)   EAP-Message = 0x0247008819800000007e16030300461000004241040108ad053cb70377bd49ebd354b63037f761b15e1ab5440b5585714f3229f0bc82b38369a49acea7dce100805920db3e47dabfc2d08bffca2c25dbe63625dca51403030001011603030028000000000000000075b1ccb921c95a58aa06c792ed58f4
(765)   State = 0xa44f7f64a7086604dd9f2a05e7c26035
(765)   Message-Authenticator = 0x8ba6a03d424e4961b4bd0fadf8e7e500
(765) session-state: No cached attributes
(765) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(765)   authorize {
(765)     policy filter_username {
(765)       if (&User-Name) {
(765)       if (&User-Name)  -> TRUE
(765)       if (&User-Name)  {
(765)         if (&User-Name != "%{tolower:%{User-Name}}") {
(765)         EXPAND %{tolower:%{User-Name}}
(765)            --> 321457
(765)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(765)         if (&User-Name =~ /\// ) {
(765)         if (&User-Name =~ /\// )  -> FALSE
(765)         if (&User-Name =~ / /) {
(765)         if (&User-Name =~ / /)  -> FALSE
(765)         if (&User-Name =~ /@[^@]*@/ ) {
(765)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(765)         if (&User-Name =~ /\.\./ ) {
(765)         if (&User-Name =~ /\.\./ )  -> FALSE
(765)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(765)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(765)         if (&User-Name =~ /\.$/)  {
(765)         if (&User-Name =~ /\.$/)   -> FALSE
(765)         if (&User-Name =~ /@\./)  {
(765)         if (&User-Name =~ /@\./)   -> FALSE
(765)       } # if (&User-Name)  = notfound
(765)     } # policy filter_username = notfound
(765)     policy split_username_nai {
(765)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(765)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(765)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(765)         update request {
(765)           EXPAND %{1}
(765)              --> 321457
(765)           &Stripped-User-Name := 321457
(765)           EXPAND %{3}
(765)              -->
(765)           &Stripped-User-Domain =
(765)         } # update request = noop
(765)         [updated] = updated
(765)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(765)       ... skipping else: Preceding "if" was taken
(765)     } # policy split_username_nai = updated
(765)     [preprocess] = ok
(765) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(765) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(765) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(765) auth_log: EXPAND %t
(765) auth_log:    --> Wed Jun 24 14:21:13 2020
(765)     [auth_log] = ok
(765)     [chap] = noop
(765)     [mschap] = noop
(765)     [digest] = noop
(765) suffix: Checking for suffix after "@"
(765) suffix: No '@' in User-Name = "321457", looking up realm NULL
(765) suffix: No such realm "NULL"
(765)     [suffix] = noop
(765) eap: Peer sent EAP Response (code 2) ID 71 length 136
(765) eap: Continuing tunnel setup
(765)     [eap] = ok
(765)   } # authorize = ok
(765) Found Auth-Type = eap
(765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(765)   authenticate {
(765) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(765) eap: Finished EAP session with state 0xa44f7f64a7086604
(765) eap: Previous EAP request found for state 0xa44f7f64a7086604, released from the list
(765) eap: Peer sent packet with method EAP PEAP (25)
(765) eap: Calling submodule eap_peap to process data
(765) eap_peap: Continuing EAP-TLS
(765) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(765) eap_peap: Got complete TLS record (126 bytes)
(765) eap_peap: [eaptls verify] = length included
(765) eap_peap: TLS_accept: SSLv3/TLS write server done
(765) eap_peap: <<< recv TLS 1.2  [length 0046]
(765) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(765) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(765) eap_peap: <<< recv TLS 1.2  [length 0010]
(765) eap_peap: TLS_accept: SSLv3/TLS read finished
(765) eap_peap: >>> send TLS 1.2  [length 0001]
(765) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(765) eap_peap: >>> send TLS 1.2  [length 0010]
(765) eap_peap: TLS_accept: SSLv3/TLS write finished
(765) eap_peap: (other): SSL negotiation finished successfully
(765) eap_peap: SSL Connection Established
(765) eap_peap: [eaptls process] = handled
(765) eap: Sending EAP Request (code 1) ID 72 length 57
(765) eap: EAP session adding &reply:State = 0xa44f7f64a0076604
(765)     [eap] = handled
(765)   } # authenticate = handled
(765) Using Post-Auth-Type Challenge
(765) Post-Auth-Type sub-section not found.  Ignoring.
(765) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(765) Sent Access-Challenge Id 255 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(765)   EAP-Message = 0x0148003919001403030001011603030028a3eb5bde72e8f757a60ca8a9b6b7f7ba318970644cc8cf9cedfe251fd9659666083fe867938067b1
(765)   Message-Authenticator = 0x00000000000000000000000000000000
(765)   State = 0xa44f7f64a0076604dd9f2a05e7c26035
(765) Finished request
(766) Received Access-Request Id 0 from 10.34.87.223:58030 to 10.34.242.3:1812 length 273
(766)   User-Name = "321457"
(766)   NAS-IP-Address = 10.34.87.223
(766)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(766)   NAS-Port-Id = "00000001"
(766)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(766)   NAS-Port-Type = Wireless-802.11
(766)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(766)   Service-Type = Framed-User
(766)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(766)   Connect-Info = "CONNECT 0Mbps 802.11b"
(766)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(766)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(766)   WLAN-Pairwise-Cipher = 1027076
(766)   WLAN-Group-Cipher = 1027076
(766)   WLAN-AKM-Suite = 1027073
(766)   Framed-MTU = 1400
(766)   EAP-Message = 0x024800061900
(766)   State = 0xa44f7f64a0076604dd9f2a05e7c26035
(766)   Message-Authenticator = 0x34618cd7843285417f2bf22c018e9956
(766) session-state: No cached attributes
(766) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(766)   authorize {
(766)     policy filter_username {
(766)       if (&User-Name) {
(766)       if (&User-Name)  -> TRUE
(766)       if (&User-Name)  {
(766)         if (&User-Name != "%{tolower:%{User-Name}}") {
(766)         EXPAND %{tolower:%{User-Name}}
(766)            --> 321457
(766)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(766)         if (&User-Name =~ /\// ) {
(766)         if (&User-Name =~ /\// )  -> FALSE
(766)         if (&User-Name =~ / /) {
(766)         if (&User-Name =~ / /)  -> FALSE
(766)         if (&User-Name =~ /@[^@]*@/ ) {
(766)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(766)         if (&User-Name =~ /\.\./ ) {
(766)         if (&User-Name =~ /\.\./ )  -> FALSE
(766)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(766)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(766)         if (&User-Name =~ /\.$/)  {
(766)         if (&User-Name =~ /\.$/)   -> FALSE
(766)         if (&User-Name =~ /@\./)  {
(766)         if (&User-Name =~ /@\./)   -> FALSE
(766)       } # if (&User-Name)  = notfound
(766)     } # policy filter_username = notfound
(766)     policy split_username_nai {
(766)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(766)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(766)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(766)         update request {
(766)           EXPAND %{1}
(766)              --> 321457
(766)           &Stripped-User-Name := 321457
(766)           EXPAND %{3}
(766)              -->
(766)           &Stripped-User-Domain =
(766)         } # update request = noop
(766)         [updated] = updated
(766)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(766)       ... skipping else: Preceding "if" was taken
(766)     } # policy split_username_nai = updated
(766)     [preprocess] = ok
(766) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(766) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(766) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(766) auth_log: EXPAND %t
(766) auth_log:    --> Wed Jun 24 14:21:13 2020
(766)     [auth_log] = ok
(766)     [chap] = noop
(766)     [mschap] = noop
(766)     [digest] = noop
(766) suffix: Checking for suffix after "@"
(766) suffix: No '@' in User-Name = "321457", looking up realm NULL
(766) suffix: No such realm "NULL"
(766)     [suffix] = noop
(766) eap: Peer sent EAP Response (code 2) ID 72 length 6
(766) eap: Continuing tunnel setup
(766)     [eap] = ok
(766)   } # authorize = ok
(766) Found Auth-Type = eap
(766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(766)   authenticate {
(766) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(766) eap: Finished EAP session with state 0xa44f7f64a0076604
(766) eap: Previous EAP request found for state 0xa44f7f64a0076604, released from the list
(766) eap: Peer sent packet with method EAP PEAP (25)
(766) eap: Calling submodule eap_peap to process data
(766) eap_peap: Continuing EAP-TLS
(766) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(766) eap_peap: [eaptls verify] = success
(766) eap_peap: [eaptls process] = success
(766) eap_peap: Session established.  Decoding tunneled attributes
(766) eap_peap: PEAP state TUNNEL ESTABLISHED
(766) eap: Sending EAP Request (code 1) ID 73 length 40
(766) eap: EAP session adding &reply:State = 0xa44f7f64a1066604
(766)     [eap] = handled
(766)   } # authenticate = handled
(766) Using Post-Auth-Type Challenge
(766) Post-Auth-Type sub-section not found.  Ignoring.
(766) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(766) Sent Access-Challenge Id 0 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(766)   EAP-Message = 0x014900281900170303001da3eb5bde72e8f7589f7933f043a7f8fd1d94a80bca8a3e4b7ca1a17bc4
(766)   Message-Authenticator = 0x00000000000000000000000000000000
(766)   State = 0xa44f7f64a1066604dd9f2a05e7c26035
(766) Finished request
(769) Received Access-Request Id 1 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313
(769)   User-Name = "321457"
(769)   NAS-IP-Address = 10.34.87.223
(769)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(769)   NAS-Port-Id = "00000001"
(769)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(769)   NAS-Port-Type = Wireless-802.11
(769)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(769)   Service-Type = Framed-User
(769)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(769)   Connect-Info = "CONNECT 0Mbps 802.11b"
(769)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(769)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(769)   WLAN-Pairwise-Cipher = 1027076
(769)   WLAN-Group-Cipher = 1027076
(769)   WLAN-AKM-Suite = 1027073
(769)   Framed-MTU = 1400
(769)   EAP-Message = 0x0249002e1900170303002300000000000000015379bd5554b89258e3f28428fd044c453ae83a5bb03868943f5ae8
(769)   State = 0xa44f7f64a1066604dd9f2a05e7c26035
(769)   Message-Authenticator = 0x42020da0a72aa257ddd03a35e6524652
(769) session-state: No cached attributes
(769) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(769)   authorize {
(769)     policy filter_username {
(769)       if (&User-Name) {
(769)       if (&User-Name)  -> TRUE
(769)       if (&User-Name)  {
(769)         if (&User-Name != "%{tolower:%{User-Name}}") {
(769)         EXPAND %{tolower:%{User-Name}}
(769)            --> 321457
(769)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(769)         if (&User-Name =~ /\// ) {
(769)         if (&User-Name =~ /\// )  -> FALSE
(769)         if (&User-Name =~ / /) {
(769)         if (&User-Name =~ / /)  -> FALSE
(769)         if (&User-Name =~ /@[^@]*@/ ) {
(769)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(769)         if (&User-Name =~ /\.\./ ) {
(769)         if (&User-Name =~ /\.\./ )  -> FALSE
(769)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(769)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(769)         if (&User-Name =~ /\.$/)  {
(769)         if (&User-Name =~ /\.$/)   -> FALSE
(769)         if (&User-Name =~ /@\./)  {
(769)         if (&User-Name =~ /@\./)   -> FALSE
(769)       } # if (&User-Name)  = notfound
(769)     } # policy filter_username = notfound
(769)     policy split_username_nai {
(769)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(769)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(769)         update request {
(769)           EXPAND %{1}
(769)              --> 321457
(769)           &Stripped-User-Name := 321457
(769)           EXPAND %{3}
(769)              -->
(769)           &Stripped-User-Domain =
(769)         } # update request = noop
(769)         [updated] = updated
(769)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(769)       ... skipping else: Preceding "if" was taken
(769)     } # policy split_username_nai = updated
(769)     [preprocess] = ok
(769) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(769) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(769) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(769) auth_log: EXPAND %t
(769) auth_log:    --> Wed Jun 24 14:21:13 2020
(769)     [auth_log] = ok
(769)     [chap] = noop
(769)     [mschap] = noop
(769)     [digest] = noop
(769) suffix: Checking for suffix after "@"
(769) suffix: No '@' in User-Name = "321457", looking up realm NULL
(769) suffix: No such realm "NULL"
(769)     [suffix] = noop
(769) eap: Peer sent EAP Response (code 2) ID 73 length 46
(769) eap: Continuing tunnel setup
(769)     [eap] = ok
(769)   } # authorize = ok
(769) Found Auth-Type = eap
(769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(769)   authenticate {
(769) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(769) eap: Finished EAP session with state 0xa44f7f64a1066604
(769) eap: Previous EAP request found for state 0xa44f7f64a1066604, released from the list
(769) eap: Peer sent packet with method EAP PEAP (25)
(769) eap: Calling submodule eap_peap to process data
(769) eap_peap: Continuing EAP-TLS
(769) eap_peap: [eaptls verify] = ok
(769) eap_peap: Done initial handshake
(769) eap_peap: [eaptls process] = ok
(769) eap_peap: Session established.  Decoding tunneled attributes
(769) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(769) eap_peap: Identity - joao.bosco
(769) eap_peap: Got inner identity 'joao.bosco'
(769) eap_peap: Setting default EAP type for tunneled EAP session
(769) eap_peap: Got tunneled request
(769) eap_peap:   EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769) eap_peap: Setting User-Name to joao.bosco
(769) eap_peap: Sending tunneled request to inner-tunnel
(769) eap_peap:   EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(769) eap_peap:   User-Name = "joao.bosco"
(769) Virtual server inner-tunnel received request
(769)   EAP-Message = 0x0249000f016a6f616f2e626f73636f
(769)   FreeRADIUS-Proxied-To = 127.0.0.1
(769)   User-Name = "joao.bosco"
(769) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(769) server inner-tunnel {
(769)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(769)     authorize {
(769)       policy filter_username {
(769)         if (&User-Name) {
(769)         if (&User-Name)  -> TRUE
(769)         if (&User-Name)  {
(769)           if (&User-Name != "%{tolower:%{User-Name}}") {
(769)           EXPAND %{tolower:%{User-Name}}
(769)              --> joao.bosco
(769)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(769)           if (&User-Name =~ /\// ) {
(769)           if (&User-Name =~ /\// )  -> FALSE
(769)           if (&User-Name =~ / /) {
(769)           if (&User-Name =~ / /)  -> FALSE
(769)           if (&User-Name =~ /@[^@]*@/ ) {
(769)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(769)           if (&User-Name =~ /\.\./ ) {
(769)           if (&User-Name =~ /\.\./ )  -> FALSE
(769)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(769)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(769)           if (&User-Name =~ /\.$/)  {
(769)           if (&User-Name =~ /\.$/)   -> FALSE
(769)           if (&User-Name =~ /@\./)  {
(769)           if (&User-Name =~ /@\./)   -> FALSE
(769)         } # if (&User-Name)  = notfound
(769)       } # policy filter_username = notfound
(769)       policy split_username_nai {
(769)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(769)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(769)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(769)           update request {
(769)             EXPAND %{1}
(769)                --> joao.bosco
(769)             &Stripped-User-Name := joao.bosco
(769)             EXPAND %{3}
(769)                -->
(769)             &Stripped-User-Domain =
(769)           } # update request = noop
(769)           [updated] = updated
(769)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(769)         ... skipping else: Preceding "if" was taken
(769)       } # policy split_username_nai = updated
(769)       [chap] = noop
(769)       [mschap] = noop
(769) suffix: Checking for suffix after "@"
(769) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(769) suffix: No such realm "NULL"
(769)       [suffix] = noop
(769)       update control {
(769)         &Proxy-To-Realm := LOCAL
(769)       } # update control = noop
(769) eap: Peer sent EAP Response (code 2) ID 73 length 15
(769) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(769)       [eap] = ok
(769)     } # authorize = ok
(769)   Found Auth-Type = eap
(769)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(769)     authenticate {
(769) eap: Peer sent packet with method EAP Identity (1)
(769) eap: Calling submodule eap_mschapv2 to process data
(769) eap_mschapv2: Issuing Challenge
(769) eap: Sending EAP Request (code 1) ID 74 length 43
(769) eap: EAP session adding &reply:State = 0x51d9eef05193f45a
(769)       [eap] = handled
(769)     } # authenticate = handled
(769) } # server inner-tunnel
(769) Virtual server sending reply
(769)   EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769)   Message-Authenticator = 0x00000000000000000000000000000000
(769)   State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled reply code 11
(769) eap_peap:   EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(769) eap_peap:   State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled reply RADIUS code 11
(769) eap_peap:   EAP-Message = 0x014a002b1a014a00261053addb6f534452e9c21a2a061cee1b2a667265657261646975732d332e302e3132
(769) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(769) eap_peap:   State = 0x51d9eef05193f45af86aca3e309ab33f
(769) eap_peap: Got tunneled Access-Challenge
(769) eap: Sending EAP Request (code 1) ID 74 length 74
(769) eap: EAP session adding &reply:State = 0xa44f7f64a2056604
(769)     [eap] = handled
(769)   } # authenticate = handled
(769) Using Post-Auth-Type Challenge
(769) Post-Auth-Type sub-section not found.  Ignoring.
(769) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(769) Sent Access-Challenge Id 1 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(769)   EAP-Message = 0x014a004a1900170303003fa3eb5bde72e8f75908b3a5551d4fd734c4be4e09e9211c532244f154694140ee39a2a5221652cfa9ab03c3479ac2e7d73997491148efc814c98268d04423e2
(769)   Message-Authenticator = 0x00000000000000000000000000000000
(769)   State = 0xa44f7f64a2056604dd9f2a05e7c26035
(769) Finished request
(770) Received Access-Request Id 2 from 10.34.87.223:58030 to 10.34.242.3:1812 length 367
(770)   User-Name = "321457"
(770)   NAS-IP-Address = 10.34.87.223
(770)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(770)   NAS-Port-Id = "00000001"
(770)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(770)   NAS-Port-Type = Wireless-802.11
(770)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(770)   Service-Type = Framed-User
(770)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(770)   Connect-Info = "CONNECT 0Mbps 802.11b"
(770)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(770)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(770)   WLAN-Pairwise-Cipher = 1027076
(770)   WLAN-Group-Cipher = 1027076
(770)   WLAN-AKM-Suite = 1027073
(770)   Framed-MTU = 1400
(770)   EAP-Message = 0x024a00641900170303005900000000000000029179f847ab4dc2d21f2daf73a3a77edf63beb405acfc69222021171c355883591ce3ae2d5f00b46c89c17d09604e3f7e028edc15852a723a23f6c06096e82ea8b599cf339177286214a3a99b316b259513
(770)   State = 0xa44f7f64a2056604dd9f2a05e7c26035
(770)   Message-Authenticator = 0x64fa5d7bb2a5e5c26483f9babb52af0e
(770) session-state: No cached attributes
(770) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(770)   authorize {
(770)     policy filter_username {
(770)       if (&User-Name) {
(770)       if (&User-Name)  -> TRUE
(770)       if (&User-Name)  {
(770)         if (&User-Name != "%{tolower:%{User-Name}}") {
(770)         EXPAND %{tolower:%{User-Name}}
(770)            --> 321457
(770)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(770)         if (&User-Name =~ /\// ) {
(770)         if (&User-Name =~ /\// )  -> FALSE
(770)         if (&User-Name =~ / /) {
(770)         if (&User-Name =~ / /)  -> FALSE
(770)         if (&User-Name =~ /@[^@]*@/ ) {
(770)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(770)         if (&User-Name =~ /\.\./ ) {
(770)         if (&User-Name =~ /\.\./ )  -> FALSE
(770)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(770)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(770)         if (&User-Name =~ /\.$/)  {
(770)         if (&User-Name =~ /\.$/)   -> FALSE
(770)         if (&User-Name =~ /@\./)  {
(770)         if (&User-Name =~ /@\./)   -> FALSE
(770)       } # if (&User-Name)  = notfound
(770)     } # policy filter_username = notfound
(770)     policy split_username_nai {
(770)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(770)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(770)         update request {
(770)           EXPAND %{1}
(770)              --> 321457
(770)           &Stripped-User-Name := 321457
(770)           EXPAND %{3}
(770)              -->
(770)           &Stripped-User-Domain =
(770)         } # update request = noop
(770)         [updated] = updated
(770)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(770)       ... skipping else: Preceding "if" was taken
(770)     } # policy split_username_nai = updated
(770)     [preprocess] = ok
(770) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(770) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(770) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(770) auth_log: EXPAND %t
(770) auth_log:    --> Wed Jun 24 14:21:13 2020
(770)     [auth_log] = ok
(770)     [chap] = noop
(770)     [mschap] = noop
(770)     [digest] = noop
(770) suffix: Checking for suffix after "@"
(770) suffix: No '@' in User-Name = "321457", looking up realm NULL
(770) suffix: No such realm "NULL"
(770)     [suffix] = noop
(770) eap: Peer sent EAP Response (code 2) ID 74 length 100
(770) eap: Continuing tunnel setup
(770)     [eap] = ok
(770)   } # authorize = ok
(770) Found Auth-Type = eap
(770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(770)   authenticate {
(770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(770) eap: Finished EAP session with state 0xa44f7f64a2056604
(770) eap: Previous EAP request found for state 0xa44f7f64a2056604, released from the list
(770) eap: Peer sent packet with method EAP PEAP (25)
(770) eap: Calling submodule eap_peap to process data
(770) eap_peap: Continuing EAP-TLS
(770) eap_peap: [eaptls verify] = ok
(770) eap_peap: Done initial handshake
(770) eap_peap: [eaptls process] = ok
(770) eap_peap: Session established.  Decoding tunneled attributes
(770) eap_peap: PEAP state phase2
(770) eap_peap: EAP method MSCHAPv2 (26)
(770) eap_peap: Got tunneled request
(770) eap_peap:   EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770) eap_peap: Setting User-Name to joao.bosco
(770) eap_peap: Sending tunneled request to inner-tunnel
(770) eap_peap:   EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(770) eap_peap:   User-Name = "joao.bosco"
(770) eap_peap:   State = 0x51d9eef05193f45af86aca3e309ab33f
(770) Virtual server inner-tunnel received request
(770)   EAP-Message = 0x024a00451a024a0040317edd61bab3a4a5dba22fa64805ad6b3a000000000000000095644adfe99660d5436482536faa63b841fdaa186c01d601006a6f616f2e626f73636f
(770)   FreeRADIUS-Proxied-To = 127.0.0.1
(770)   User-Name = "joao.bosco"
(770)   State = 0x51d9eef05193f45af86aca3e309ab33f
(770) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(770) server inner-tunnel {
(770)   session-state: No cached attributes
(770)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770)     authorize {
(770)       policy filter_username {
(770)         if (&User-Name) {
(770)         if (&User-Name)  -> TRUE
(770)         if (&User-Name)  {
(770)           if (&User-Name != "%{tolower:%{User-Name}}") {
(770)           EXPAND %{tolower:%{User-Name}}
(770)              --> joao.bosco
(770)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(770)           if (&User-Name =~ /\// ) {
(770)           if (&User-Name =~ /\// )  -> FALSE
(770)           if (&User-Name =~ / /) {
(770)           if (&User-Name =~ / /)  -> FALSE
(770)           if (&User-Name =~ /@[^@]*@/ ) {
(770)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(770)           if (&User-Name =~ /\.\./ ) {
(770)           if (&User-Name =~ /\.\./ )  -> FALSE
(770)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(770)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(770)           if (&User-Name =~ /\.$/)  {
(770)           if (&User-Name =~ /\.$/)   -> FALSE
(770)           if (&User-Name =~ /@\./)  {
(770)           if (&User-Name =~ /@\./)   -> FALSE
(770)         } # if (&User-Name)  = notfound
(770)       } # policy filter_username = notfound
(770)       policy split_username_nai {
(770)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(770)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(770)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(770)           update request {
(770)             EXPAND %{1}
(770)                --> joao.bosco
(770)             &Stripped-User-Name := joao.bosco
(770)             EXPAND %{3}
(770)                -->
(770)             &Stripped-User-Domain =
(770)           } # update request = noop
(770)           [updated] = updated
(770)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(770)         ... skipping else: Preceding "if" was taken
(770)       } # policy split_username_nai = updated
(770)       [chap] = noop
(770)       [mschap] = noop
(770) suffix: Checking for suffix after "@"
(770) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(770) suffix: No such realm "NULL"
(770)       [suffix] = noop
(770)       update control {
(770)         &Proxy-To-Realm := LOCAL
(770)       } # update control = noop
(770) eap: Peer sent EAP Response (code 2) ID 74 length 69
(770) eap: No EAP Start, assuming it's an on-going EAP conversation
(770)       [eap] = updated
(770) files: users: Matched entry DEFAULT at line 84
(770)       [files] = ok
(770) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(770) sql:    --> joao.bosco
(770) sql: SQL-User-Name set to 'joao.bosco'
(770) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(770) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(770) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(770) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(770) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(770) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(770) sql: User not found in any groups
(770)       [sql] = notfound
(770)       [expiration] = noop
(770)       [logintime] = noop
(770)       [pap] = noop
(770)     } # authorize = updated
(770)   Found Auth-Type = eap
(770)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770)     authenticate {
(770) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(770) eap: Finished EAP session with state 0x51d9eef05193f45a
(770) eap: Previous EAP request found for state 0x51d9eef05193f45a, released from the list
(770) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(770) eap: Calling submodule eap_mschapv2 to process data
(770) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(770) eap_mschapv2:   authenticate {
(770) mschap: Creating challenge hash with username: joao.bosco
(770) mschap: Client is using MS-CHAPv2
(770) mschap: EXPAND %{mschap:User-Name}
(770) mschap:    --> joao.bosco
(770) mschap: ERROR: No NT-Domain was found in the User-Name
(770) mschap: EXPAND %{mschap:NT-Domain}
(770) mschap:    -->
(770) mschap: sending authentication request user='joao.bosco' domain=''
(770) mschap: Authenticated successfully
(770) mschap: Adding MS-CHAPv2 MPPE keys
(770)     [mschap] = ok
(770)   } # authenticate = ok
(770) MSCHAP Success
(770) eap: Sending EAP Request (code 1) ID 75 length 51
(770) eap: EAP session adding &reply:State = 0x51d9eef05092f45a
(770)       [eap] = handled
(770)     } # authenticate = handled
(770) } # server inner-tunnel
(770) Virtual server sending reply
(770)   Idle-Timeout = 300
(770)   EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770)   Message-Authenticator = 0x00000000000000000000000000000000
(770)   State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled reply code 11
(770) eap_peap:   Idle-Timeout = 300
(770) eap_peap:   EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(770) eap_peap:   State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled reply RADIUS code 11
(770) eap_peap:   Idle-Timeout = 300
(770) eap_peap:   EAP-Message = 0x014b00331a034a002e533d34353544333243423735363233313430433346303032323335313132314345383332444346363641
(770) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(770) eap_peap:   State = 0x51d9eef05092f45af86aca3e309ab33f
(770) eap_peap: Got tunneled Access-Challenge
(770) eap: Sending EAP Request (code 1) ID 75 length 82
(770) eap: EAP session adding &reply:State = 0xa44f7f64a3046604
(770)     [eap] = handled
(770)   } # authenticate = handled
(770) Using Post-Auth-Type Challenge
(770) Post-Auth-Type sub-section not found.  Ignoring.
(770) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(770) Sent Access-Challenge Id 2 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(770)   EAP-Message = 0x014b005219001703030047a3eb5bde72e8f75a1f4b8481c411504c33305b9637036aea4e7db053f95d7c31e935156455848f079d12243134fcaf4553b54c28c82891ffa3e4f8690fba5ed94c2af6efaa77e8
(770)   Message-Authenticator = 0x00000000000000000000000000000000
(770)   State = 0xa44f7f64a3046604dd9f2a05e7c26035
(770) Finished request
(771) Received Access-Request Id 3 from 10.34.87.223:58030 to 10.34.242.3:1812 length 304
(771)   User-Name = "321457"
(771)   NAS-IP-Address = 10.34.87.223
(771)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(771)   NAS-Port-Id = "00000001"
(771)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(771)   NAS-Port-Type = Wireless-802.11
(771)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(771)   Service-Type = Framed-User
(771)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(771)   Connect-Info = "CONNECT 0Mbps 802.11b"
(771)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(771)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(771)   WLAN-Pairwise-Cipher = 1027076
(771)   WLAN-Group-Cipher = 1027076
(771)   WLAN-AKM-Suite = 1027073
(771)   Framed-MTU = 1400
(771)   EAP-Message = 0x024b00251900170303001a0000000000000003695705aa6ea3fa4f9e764db8342fc4ef284e
(771)   State = 0xa44f7f64a3046604dd9f2a05e7c26035
(771)   Message-Authenticator = 0x9442f992d6c781983fbd2914045a1126
(771) session-state: No cached attributes
(771) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(771)   authorize {
(771)     policy filter_username {
(771)       if (&User-Name) {
(771)       if (&User-Name)  -> TRUE
(771)       if (&User-Name)  {
(771)         if (&User-Name != "%{tolower:%{User-Name}}") {
(771)         EXPAND %{tolower:%{User-Name}}
(771)            --> 321457
(771)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(771)         if (&User-Name =~ /\// ) {
(771)         if (&User-Name =~ /\// )  -> FALSE
(771)         if (&User-Name =~ / /) {
(771)         if (&User-Name =~ / /)  -> FALSE
(771)         if (&User-Name =~ /@[^@]*@/ ) {
(771)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(771)         if (&User-Name =~ /\.\./ ) {
(771)         if (&User-Name =~ /\.\./ )  -> FALSE
(771)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(771)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(771)         if (&User-Name =~ /\.$/)  {
(771)         if (&User-Name =~ /\.$/)   -> FALSE
(771)         if (&User-Name =~ /@\./)  {
(771)         if (&User-Name =~ /@\./)   -> FALSE
(771)       } # if (&User-Name)  = notfound
(771)     } # policy filter_username = notfound
(771)     policy split_username_nai {
(771)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(771)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(771)         update request {
(771)           EXPAND %{1}
(771)              --> 321457
(771)           &Stripped-User-Name := 321457
(771)           EXPAND %{3}
(771)              -->
(771)           &Stripped-User-Domain =
(771)         } # update request = noop
(771)         [updated] = updated
(771)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(771)       ... skipping else: Preceding "if" was taken
(771)     } # policy split_username_nai = updated
(771)     [preprocess] = ok
(771) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(771) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(771) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(771) auth_log: EXPAND %t
(771) auth_log:    --> Wed Jun 24 14:21:13 2020
(771)     [auth_log] = ok
(771)     [chap] = noop
(771)     [mschap] = noop
(771)     [digest] = noop
(771) suffix: Checking for suffix after "@"
(771) suffix: No '@' in User-Name = "321457", looking up realm NULL
(771) suffix: No such realm "NULL"
(771)     [suffix] = noop
(771) eap: Peer sent EAP Response (code 2) ID 75 length 37
(771) eap: Continuing tunnel setup
(771)     [eap] = ok
(771)   } # authorize = ok
(771) Found Auth-Type = eap
(771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(771)   authenticate {
(771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(771) eap: Finished EAP session with state 0xa44f7f64a3046604
(771) eap: Previous EAP request found for state 0xa44f7f64a3046604, released from the list
(771) eap: Peer sent packet with method EAP PEAP (25)
(771) eap: Calling submodule eap_peap to process data
(771) eap_peap: Continuing EAP-TLS
(771) eap_peap: [eaptls verify] = ok
(771) eap_peap: Done initial handshake
(771) eap_peap: [eaptls process] = ok
(771) eap_peap: Session established.  Decoding tunneled attributes
(771) eap_peap: PEAP state phase2
(771) eap_peap: EAP method MSCHAPv2 (26)
(771) eap_peap: Got tunneled request
(771) eap_peap:   EAP-Message = 0x024b00061a03
(771) eap_peap: Setting User-Name to joao.bosco
(771) eap_peap: Sending tunneled request to inner-tunnel
(771) eap_peap:   EAP-Message = 0x024b00061a03
(771) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(771) eap_peap:   User-Name = "joao.bosco"
(771) eap_peap:   State = 0x51d9eef05092f45af86aca3e309ab33f
(771) Virtual server inner-tunnel received request
(771)   EAP-Message = 0x024b00061a03
(771)   FreeRADIUS-Proxied-To = 127.0.0.1
(771)   User-Name = "joao.bosco"
(771)   State = 0x51d9eef05092f45af86aca3e309ab33f
(771) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(771) server inner-tunnel {
(771)   session-state: No cached attributes
(771)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771)     authorize {
(771)       policy filter_username {
(771)         if (&User-Name) {
(771)         if (&User-Name)  -> TRUE
(771)         if (&User-Name)  {
(771)           if (&User-Name != "%{tolower:%{User-Name}}") {
(771)           EXPAND %{tolower:%{User-Name}}
(771)              --> joao.bosco
(771)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(771)           if (&User-Name =~ /\// ) {
(771)           if (&User-Name =~ /\// )  -> FALSE
(771)           if (&User-Name =~ / /) {
(771)           if (&User-Name =~ / /)  -> FALSE
(771)           if (&User-Name =~ /@[^@]*@/ ) {
(771)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(771)           if (&User-Name =~ /\.\./ ) {
(771)           if (&User-Name =~ /\.\./ )  -> FALSE
(771)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(771)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(771)           if (&User-Name =~ /\.$/)  {
(771)           if (&User-Name =~ /\.$/)   -> FALSE
(771)           if (&User-Name =~ /@\./)  {
(771)           if (&User-Name =~ /@\./)   -> FALSE
(771)         } # if (&User-Name)  = notfound
(771)       } # policy filter_username = notfound
(771)       policy split_username_nai {
(771)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(771)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(771)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(771)           update request {
(771)             EXPAND %{1}
(771)                --> joao.bosco
(771)             &Stripped-User-Name := joao.bosco
(771)             EXPAND %{3}
(771)                -->
(771)             &Stripped-User-Domain =
(771)           } # update request = noop
(771)           [updated] = updated
(771)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(771)         ... skipping else: Preceding "if" was taken
(771)       } # policy split_username_nai = updated
(771)       [chap] = noop
(771)       [mschap] = noop
(771) suffix: Checking for suffix after "@"
(771) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(771) suffix: No such realm "NULL"
(771)       [suffix] = noop
(771)       update control {
(771)         &Proxy-To-Realm := LOCAL
(771)       } # update control = noop
(771) eap: Peer sent EAP Response (code 2) ID 75 length 6
(771) eap: No EAP Start, assuming it's an on-going EAP conversation
(771)       [eap] = updated
(771) files: users: Matched entry DEFAULT at line 84
(771)       [files] = ok
(771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(771) sql:    --> joao.bosco
(771) sql: SQL-User-Name set to 'joao.bosco'
(771) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(771) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(771) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'joao.bosco' ORDER BY id
(771) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(771) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(771) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='joao.bosco' ORDER BY priority
(771) sql: User not found in any groups
(771)       [sql] = notfound
(771)       [expiration] = noop
(771)       [logintime] = noop
(771)       [pap] = noop
(771)     } # authorize = updated
(771)   Found Auth-Type = eap
(771)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771)     authenticate {
(771) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(771) eap: Finished EAP session with state 0x51d9eef05092f45a
(771) eap: Previous EAP request found for state 0x51d9eef05092f45a, released from the list
(771) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(771) eap: Calling submodule eap_mschapv2 to process data
(771) eap: Sending EAP Success (code 3) ID 75 length 4
(771) eap: Freeing handler
(771)       [eap] = ok
(771)     } # authenticate = ok
(771)   # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771)     session {
(771) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(771) sql:    --> joao.bosco
(771) sql: SQL-User-Name set to 'joao.bosco'
(771) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(771) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(771) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='joao.bosco' AND CallingStationId<>'70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(771)       [sql] = ok
(771)     } # session = ok
(771)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(771)     post-auth {
(771) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(771) reply_log:    --> /var/log/freeradius/radacct/10.34.87.223/reply-detail
(771) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.87.223/reply-detail
(771) reply_log: EXPAND %t
(771) reply_log:    --> Wed Jun 24 14:21:13 2020
(771)       [reply_log] = ok
(771)       update outer.session-state {
(771)         User-Name := &request:User-Name -> 'joao.bosco'
(771)       } # update outer.session-state = noop
(771)     } # post-auth = ok
(771)   Login OK: [joao.bosco] (from client AP-CEI-TER-223 port 0 via TLS tunnel)
(771) } # server inner-tunnel
(771) Virtual server sending reply
(771)   Idle-Timeout = 300
(771)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(771)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771)   MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771)   MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771)   EAP-Message = 0x034b0004
(771)   Message-Authenticator = 0x00000000000000000000000000000000
(771)   Stripped-User-Name := "joao.bosco"
(771) eap_peap: Got tunneled reply code 2
(771) eap_peap:   Idle-Timeout = 300
(771) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(771) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771) eap_peap:   MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771) eap_peap:   MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771) eap_peap:   EAP-Message = 0x034b0004
(771) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(771) eap_peap:   Stripped-User-Name := "joao.bosco"
(771) eap_peap: Got tunneled reply RADIUS code 2
(771) eap_peap:   Idle-Timeout = 300
(771) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(771) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(771) eap_peap:   MS-MPPE-Send-Key = 0xcbb480d7f6179c96599ec58bdbf6eddc
(771) eap_peap:   MS-MPPE-Recv-Key = 0x6163fd50b56fefb6a5e7a12ccc4bd252
(771) eap_peap:   EAP-Message = 0x034b0004
(771) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(771) eap_peap:   Stripped-User-Name := "joao.bosco"
(771) eap_peap: Tunneled authentication was successful
(771) eap_peap: SUCCESS
(771) eap: Sending EAP Request (code 1) ID 76 length 46
(771) eap: EAP session adding &reply:State = 0xa44f7f64ac036604
(771)     [eap] = handled
(771)   } # authenticate = handled
(771) Using Post-Auth-Type Challenge
(771) Post-Auth-Type sub-section not found.  Ignoring.
(771) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(771) session-state: Saving cached attributes
(771)   User-Name := "joao.bosco"
(771) Sent Access-Challenge Id 3 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(771)   EAP-Message = 0x014c002e19001703030023a3eb5bde72e8f75b476d764d57d47de14e8b3244cdb2bdd44f4bf0fc595be62545171a
(771)   Message-Authenticator = 0x00000000000000000000000000000000
(771)   State = 0xa44f7f64ac036604dd9f2a05e7c26035
(771) Finished request
(772) Received Access-Request Id 4 from 10.34.87.223:58030 to 10.34.242.3:1812 length 313
(772)   User-Name = "321457"
(772)   NAS-IP-Address = 10.34.87.223
(772)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(772)   NAS-Port-Id = "00000001"
(772)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(772)   NAS-Port-Type = Wireless-802.11
(772)   Event-Timestamp = "Jun 24 2020 14:21:11 -03"
(772)   Service-Type = Framed-User
(772)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(772)   Connect-Info = "CONNECT 0Mbps 802.11b"
(772)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(772)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(772)   WLAN-Pairwise-Cipher = 1027076
(772)   WLAN-Group-Cipher = 1027076
(772)   WLAN-AKM-Suite = 1027073
(772)   Framed-MTU = 1400
(772)   EAP-Message = 0x024c002e190017030300230000000000000004fda2bf219fdc0ef55bf7050cfc147e2b1ac003860d8506d1cf400b
(772)   State = 0xa44f7f64ac036604dd9f2a05e7c26035
(772)   Message-Authenticator = 0x08c421bbfa2e7157408a6f2cf3214e1f
(772) Restoring &session-state
(772)   &session-state:User-Name := "joao.bosco"
(772) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(772)   authorize {
(772)     policy filter_username {
(772)       if (&User-Name) {
(772)       if (&User-Name)  -> TRUE
(772)       if (&User-Name)  {
(772)         if (&User-Name != "%{tolower:%{User-Name}}") {
(772)         EXPAND %{tolower:%{User-Name}}
(772)            --> 321457
(772)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(772)         if (&User-Name =~ /\// ) {
(772)         if (&User-Name =~ /\// )  -> FALSE
(772)         if (&User-Name =~ / /) {
(772)         if (&User-Name =~ / /)  -> FALSE
(772)         if (&User-Name =~ /@[^@]*@/ ) {
(772)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(772)         if (&User-Name =~ /\.\./ ) {
(772)         if (&User-Name =~ /\.\./ )  -> FALSE
(772)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(772)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(772)         if (&User-Name =~ /\.$/)  {
(772)         if (&User-Name =~ /\.$/)   -> FALSE
(772)         if (&User-Name =~ /@\./)  {
(772)         if (&User-Name =~ /@\./)   -> FALSE
(772)       } # if (&User-Name)  = notfound
(772)     } # policy filter_username = notfound
(772)     policy split_username_nai {
(772)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(772)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(772)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(772)         update request {
(772)           EXPAND %{1}
(772)              --> 321457
(772)           &Stripped-User-Name := 321457
(772)           EXPAND %{3}
(772)              -->
(772)           &Stripped-User-Domain =
(772)         } # update request = noop
(772)         [updated] = updated
(772)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(772)       ... skipping else: Preceding "if" was taken
(772)     } # policy split_username_nai = updated
(772)     [preprocess] = ok
(772) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(772) auth_log:    --> /var/log/freeradius/radacct/10.34.87.223/auth-detail
(772) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.87.223/auth-detail
(772) auth_log: EXPAND %t
(772) auth_log:    --> Wed Jun 24 14:21:13 2020
(772)     [auth_log] = ok
(772)     [chap] = noop
(772)     [mschap] = noop
(772)     [digest] = noop
(772) suffix: Checking for suffix after "@"
(772) suffix: No '@' in User-Name = "321457", looking up realm NULL
(772) suffix: No such realm "NULL"
(772)     [suffix] = noop
(772) eap: Peer sent EAP Response (code 2) ID 76 length 46
(772) eap: Continuing tunnel setup
(772)     [eap] = ok
(772)   } # authorize = ok
(772) Found Auth-Type = eap
(772) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(772)   authenticate {
(772) eap: Expiring EAP session with state 0xa0cf83d0a3cb9a4d
(772) eap: Finished EAP session with state 0xa44f7f64ac036604
(772) eap: Previous EAP request found for state 0xa44f7f64ac036604, released from the list
(772) eap: Peer sent packet with method EAP PEAP (25)
(772) eap: Calling submodule eap_peap to process data
(772) eap_peap: Continuing EAP-TLS
(772) eap_peap: [eaptls verify] = ok
(772) eap_peap: Done initial handshake
(772) eap_peap: [eaptls process] = ok
(772) eap_peap: Session established.  Decoding tunneled attributes
(772) eap_peap: PEAP state send tlv success
(772) eap_peap: Received EAP-TLV response
(772) eap_peap: Success
(772) eap: Sending EAP Success (code 3) ID 76 length 4
(772) eap: Freeing handler
(772)     [eap] = ok
(772)   } # authenticate = ok
(772) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(772)   post-auth {
(772)     update {
(772)       &reply::User-Name += &session-state:User-Name[*] -> 'joao.bosco'
(772)     } # update = noop
(772) sql: EXPAND .query
(772) sql:    --> .query
(772) sql: Using query template 'query'
(772) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(772) sql:    --> 321457
(772) sql: SQL-User-Name set to '321457'
(772) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(772) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271))
(772) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('321457', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', TO_TIMESTAMP(1593019271))
(772) sql: SQL query returned: success
(772) sql: 1 record(s) updated
(772)     [sql] = ok
(772)     [exec] = noop
(772)     policy remove_reply_message_if_eap {
(772)       if (&reply:EAP-Message && &reply:Reply-Message) {
(772)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(772)       else {
(772)         [noop] = noop
(772)       } # else = noop
(772)     } # policy remove_reply_message_if_eap = noop
(772)   } # post-auth = ok
(772) Login OK: [321457] (from client AP-CEI-TER-223 port 0 cli 70-FD-46-BE-0D-8A)
(772) Sent Access-Accept Id 4 from 10.34.242.3:1812 to 10.34.87.223:58030 length 0
(772)   MS-MPPE-Recv-Key = 0xd4c273e37c10886abb1167c9c64b7e7a9555c080e574df74fdac80585fe89c4a
(772)   MS-MPPE-Send-Key = 0xbb83cd2094c7880532831cdf5e3c7986149e6a5c1d6bc4a84b9151c0988336a1
(772)   EAP-Message = 0x034c0004
(772)   Message-Authenticator = 0x00000000000000000000000000000000
(772)   User-Name += "joao.bosco"
(772) Finished request
(785) Received Accounting-Request Id 5 from 10.34.87.223:36144 to 10.34.242.3:1813 length 251
(785)   Acct-Status-Type = Start
(785)   Acct-Authentic = RADIUS
(785)   User-Name = "joao.bosco"
(785)   NAS-IP-Address = 10.34.87.223
(785)   NAS-Identifier = "TP-Link:50-D4-F7-5B-86-9C"
(785)   NAS-Port-Id = "00000001"
(785)   Called-Station-Id = "50-D4-F7-5B-86-9C:MPDFT"
(785)   NAS-Port-Type = Wireless-802.11
(785)   Event-Timestamp = "Jun 24 2020 14:21:14 -03"
(785)   Service-Type = Framed-User
(785)   Calling-Station-Id = "70-FD-46-BE-0D-8A"
(785)   Connect-Info = "CONNECT 0Mbps 802.11b"
(785)   Acct-Session-Id = "50d4f75b869c-393F96E03B858B46"
(785)   Acct-Multi-Session-Id = "4A2FD9DA7DF87ED6"
(785)   WLAN-Pairwise-Cipher = 1027076
(785)   WLAN-Group-Cipher = 1027076
(785)   WLAN-AKM-Suite = 1027073
(785)   Framed-IP-Address = 172.28.255.182
(785)   Acct-Delay-Time = 0
(785) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(785)   preacct {
(785)     [preprocess] = ok
(785)     policy split_username_nai {
(785)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(785)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(785)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(785)         update request {
(785)           EXPAND %{1}
(785)              --> joao.bosco
(785)           &Stripped-User-Name := joao.bosco
(785)           EXPAND %{3}
(785)              -->
(785)           &Stripped-User-Domain =
(785)         } # update request = noop
(785)         [updated] = updated
(785)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(785)       ... skipping else: Preceding "if" was taken
(785)     } # policy split_username_nai = updated
(785)     update request {
(785)       EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(785)          --> 1593019276
(785)       FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 14:21:16 -03
(785)     } # update request = noop
(785)     policy acct_unique {
(785)       update request {
(785)         Tmp-String-9 := "ai:"
(785)       } # update request = noop
(785)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(785)       EXPAND %{hex:&Class}
(785)          -->
(785)       EXPAND ^%{hex:&Tmp-String-9}
(785)          --> ^61693a
(785)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(785)       else {
(785)         update request {
(785)           EXPAND %{Acct-Session-ID}
(785)              --> 50d4f75b869c-393F96E03B858B46
(785)           &Acct-Unique-Session-Id := 50d4f75b869c-393F96E03B858B46
(785)           EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(785)              --> joao.bosco
(785)           &Acct-Unique-Session-Id := joao.bosco
(785)           EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}}
(785)              --> 40fed0fa478c6669d9d1768d71840a84
(785)           &Acct-Unique-Session-Id := 40fed0fa478c6669d9d1768d71840a84
(785)         } # update request = noop
(785)       } # else = noop
(785)     } # policy acct_unique = noop
(785) suffix: Checking for suffix after "@"
(785) suffix: No '@' in User-Name = "joao.bosco", looking up realm NULL
(785) suffix: No such realm "NULL"
(785)     [suffix] = noop
(785) files: acct_users: Matched entry DEFAULT at line 22
(785) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(785) files:    --> joao.bosco
(785)     [files] = ok
(785)   } # preacct = updated
(785) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(785)   accounting {
(785) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(785) log_accounting:    --> Accounting-Request.Start
(785) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(785) log_accounting:    --> Wed, 24-06-2020 14:21:14 Connect: [joao.bosco] (did 50-D4-F7-5B-86-9C:MPDFT cli 70-FD-46-BE-0D-8A port  ip 172.28.255.182)
(785) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(785) log_accounting:    --> /var/log/freeradius/linelog-accounting
(785)     [log_accounting] = ok
(785) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(785) sql:    --> type.start.query
(785) sql: Using query template 'query'
(785) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(785) sql:    --> joao.bosco
(785) sql: SQL-User-Name set to 'joao.bosco'
(785) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(785) sql:    --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(785) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b869c-393F96E03B858B46', '40fed0fa478c6669d9d1768d71840a84', 'joao.bosco', NULLIF('', ''), '10.34.87.223', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1593019274), TO_TIMESTAMP(1593019274), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-86-9C:MPDFT', '70-FD-46-BE-0D-8A', NULL, 'Framed-User', '', NULLIF('172.28.255.182', '')::inet)
(785) sql: SQL query returned: success
(785) sql: 1 record(s) updated
(785)     [sql] = ok
(785)     if (&request:Acct-Status-Type == start) {
(785)     if (&request:Acct-Status-Type == start)  -> TRUE
(785)     if (&request:Acct-Status-Type == start)  {
(785)       EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(785)          --> joao.bosco
(785)       SQL-User-Name set to 'joao.bosco'
(785)       Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593019274), AcctUpdateTime = TO_TIMESTAMP(1593019274), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'joao.bosco' AND AcctUniqueId <> '40fed0fa478c6669d9d1768d71840a84' AND CallingStationId = '70-FD-46-BE-0D-8A' AND AcctStopTime IS NULL
(785)       SQL query affected no rows
(785)       EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(785)          -->
(785)     } # if (&request:Acct-Status-Type == start)  = ok
(785)     [exec] = noop
(785) attr_filter.accounting_response: EXPAND %{User-Name}
(785) attr_filter.accounting_response:    --> joao.bosco
(785) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(785)     [attr_filter.accounting_response] = updated
(785)   } # accounting = updated
(785) Sent Accounting-Response Id 5 from 10.34.242.3:1813 to 10.34.87.223:36144 length 0
(785) Finished request
(785) Cleaning up request packet ID 5 with timestamp +196
(757) Cleaning up request packet ID 251 with timestamp +192
(760) Cleaning up request packet ID 252 with timestamp +193
(763) Cleaning up request packet ID 253 with timestamp +193
(764) Cleaning up request packet ID 254 with timestamp +193
(765) Cleaning up request packet ID 255 with timestamp +193
(766) Cleaning up request packet ID 0 with timestamp +193
(769) Cleaning up request packet ID 1 with timestamp +193
(770) Cleaning up request packet ID 2 with timestamp +193
(771) Cleaning up request packet ID 3 with timestamp +193
(772) Cleaning up request packet ID 4 with timestamp +193

============== DEBUG FOR !!!!NOT WORKING!!!! PACKET ============

(11048) Received Access-Request Id 139 from 10.34.27.220:3489 to 10.34.242.3:1812 length 149
(11048)   User-Name = "mpdft"
(11048)   NAS-IP-Address = 10.34.27.220
(11048)   NAS-Port = 2
(11048)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11048)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11048)   Framed-MTU = 1400
(11048)   NAS-Port-Type = Wireless-802.11
(11048)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11048)   EAP-Message = 0x0200000a016d70646674
(11048)   Message-Authenticator = 0x408a3294efb8f536a6500de929db9311
(11048) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11048)   authorize {
(11048)     policy filter_username {
(11048)       if (&User-Name) {
(11048)       if (&User-Name)  -> TRUE
(11048)       if (&User-Name)  {
(11048)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11048)         EXPAND %{tolower:%{User-Name}}
(11048)            --> mpdft
(11048)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11048)         if (&User-Name =~ /\// ) {
(11048)         if (&User-Name =~ /\// )  -> FALSE
(11048)         if (&User-Name =~ / /) {
(11048)         if (&User-Name =~ / /)  -> FALSE
(11048)         if (&User-Name =~ /@[^@]*@/ ) {
(11048)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11048)         if (&User-Name =~ /\.\./ ) {
(11048)         if (&User-Name =~ /\.\./ )  -> FALSE
(11048)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11048)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11048)         if (&User-Name =~ /\.$/)  {
(11048)         if (&User-Name =~ /\.$/)   -> FALSE
(11048)         if (&User-Name =~ /@\./)  {
(11048)         if (&User-Name =~ /@\./)   -> FALSE
(11048)       } # if (&User-Name)  = notfound
(11048)     } # policy filter_username = notfound
(11048)     policy split_username_nai {
(11048)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11048)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11048)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11048)         update request {
(11048)           EXPAND %{1}
(11048)              --> mpdft
(11048)           &Stripped-User-Name := mpdft
(11048)           EXPAND %{3}
(11048)              -->
(11048)           &Stripped-User-Domain =
(11048)         } # update request = noop
(11048)         [updated] = updated
(11048)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11048)       ... skipping else: Preceding "if" was taken
(11048)     } # policy split_username_nai = updated
(11048)     [preprocess] = ok
(11048) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11048) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11048) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11048) auth_log: EXPAND %t
(11048) auth_log:    --> Wed Jun 24 15:00:27 2020
(11048)     [auth_log] = ok
(11048)     [chap] = noop
(11048)     [mschap] = noop
(11048)     [digest] = noop
(11048) suffix: Checking for suffix after "@"
(11048) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11048) suffix: No such realm "NULL"
(11048)     [suffix] = noop
(11048) eap: Peer sent EAP Response (code 2) ID 0 length 10
(11048) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11048)     [eap] = ok
(11048)   } # authorize = ok
(11048) Found Auth-Type = eap
(11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11048)   authenticate {
(11048) eap: Peer sent packet with method EAP Identity (1)
(11048) eap: Calling submodule eap_md5 to process data
(11048) eap_md5: Issuing MD5 Challenge
(11048) eap: Sending EAP Request (code 1) ID 1 length 22
(11048) eap: EAP session adding &reply:State = 0xbb52a0a1bb53a4af
(11048)     [eap] = handled
(11048)   } # authenticate = handled
(11048) Using Post-Auth-Type Challenge
(11048) Post-Auth-Type sub-section not found.  Ignoring.
(11048) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11048) Sent Access-Challenge Id 139 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11048)   EAP-Message = 0x010100160410b7e1efa9084013e0889cf10e97931880
(11048)   Message-Authenticator = 0x00000000000000000000000000000000
(11048)   State = 0xbb52a0a1bb53a4afa6d420c8f1230505
(11048) Finished request
(11049) Received Access-Request Id 140 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11049)   User-Name = "mpdft"
(11049)   NAS-IP-Address = 10.34.27.220
(11049)   NAS-Port = 2
(11049)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11049)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11049)   Framed-MTU = 1400
(11049)   NAS-Port-Type = Wireless-802.11
(11049)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11049)   EAP-Message = 0x020100060319
(11049)   State = 0xbb52a0a1bb53a4afa6d420c8f1230505
(11049)   Message-Authenticator = 0x56eea29636534482dd0626f91ccc367c
(11049) session-state: No cached attributes
(11049) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11049)   authorize {
(11049)     policy filter_username {
(11049)       if (&User-Name) {
(11049)       if (&User-Name)  -> TRUE
(11049)       if (&User-Name)  {
(11049)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11049)         EXPAND %{tolower:%{User-Name}}
(11049)            --> mpdft
(11049)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11049)         if (&User-Name =~ /\// ) {
(11049)         if (&User-Name =~ /\// )  -> FALSE
(11049)         if (&User-Name =~ / /) {
(11049)         if (&User-Name =~ / /)  -> FALSE
(11049)         if (&User-Name =~ /@[^@]*@/ ) {
(11049)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11049)         if (&User-Name =~ /\.\./ ) {
(11049)         if (&User-Name =~ /\.\./ )  -> FALSE
(11049)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11049)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11049)         if (&User-Name =~ /\.$/)  {
(11049)         if (&User-Name =~ /\.$/)   -> FALSE
(11049)         if (&User-Name =~ /@\./)  {
(11049)         if (&User-Name =~ /@\./)   -> FALSE
(11049)       } # if (&User-Name)  = notfound
(11049)     } # policy filter_username = notfound
(11049)     policy split_username_nai {
(11049)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11049)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11049)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11049)         update request {
(11049)           EXPAND %{1}
(11049)              --> mpdft
(11049)           &Stripped-User-Name := mpdft
(11049)           EXPAND %{3}
(11049)              -->
(11049)           &Stripped-User-Domain =
(11049)         } # update request = noop
(11049)         [updated] = updated
(11049)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11049)       ... skipping else: Preceding "if" was taken
(11049)     } # policy split_username_nai = updated
(11049)     [preprocess] = ok
(11049) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11049) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11049) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11049) auth_log: EXPAND %t
(11049) auth_log:    --> Wed Jun 24 15:00:27 2020
(11049)     [auth_log] = ok
(11049)     [chap] = noop
(11049)     [mschap] = noop
(11049)     [digest] = noop
(11049) suffix: Checking for suffix after "@"
(11049) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11049) suffix: No such realm "NULL"
(11049)     [suffix] = noop
(11049) eap: Peer sent EAP Response (code 2) ID 1 length 6
(11049) eap: No EAP Start, assuming it's an on-going EAP conversation
(11049)     [eap] = updated
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049) files: Failed resolving UID: No error
(11049)     [files] = noop
(11049) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11049) sql:    --> mpdft
(11049) sql: SQL-User-Name set to 'mpdft'
(11049) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11049) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id
(11049) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'mpdft' ORDER BY id
(11049) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11049) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority
(11049) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='mpdft' ORDER BY priority
(11049) sql: User not found in any groups
(11049)     [sql] = notfound
(11049)     [expiration] = noop
(11049)     [logintime] = noop
(11049)     if (ok) {
(11049)     if (ok)  -> FALSE
(11049) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(11049) pap: WARNING: Authentication will fail unless a "known good" password is available
(11049)     [pap] = noop
(11049)   } # authorize = updated
(11049) Found Auth-Type = eap
(11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11049)   authenticate {
(11049) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11049) eap: Finished EAP session with state 0xbb52a0a1bb53a4af
(11049) eap: Previous EAP request found for state 0xbb52a0a1bb53a4af, released from the list
(11049) eap: Peer sent packet with method EAP NAK (3)
(11049) eap: Found mutually acceptable type PEAP (25)
(11049) eap: Calling submodule eap_peap to process data
(11049) eap_peap: Initiating new EAP-TLS session
(11049) eap_peap: [eaptls start] = request
(11049) eap: Sending EAP Request (code 1) ID 2 length 6
(11049) eap: EAP session adding &reply:State = 0xbb52a0a1ba50b9af
(11049)     [eap] = handled
(11049)   } # authenticate = handled
(11049) Using Post-Auth-Type Challenge
(11049) Post-Auth-Type sub-section not found.  Ignoring.
(11049) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11049) Sent Access-Challenge Id 140 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11049)   EAP-Message = 0x010200061920
(11049)   Message-Authenticator = 0x00000000000000000000000000000000
(11049)   State = 0xbb52a0a1ba50b9afa6d420c8f1230505
(11049) Finished request
(11050) Received Access-Request Id 141 from 10.34.27.220:3489 to 10.34.242.3:1812 length 328
(11050)   User-Name = "mpdft"
(11050)   NAS-IP-Address = 10.34.27.220
(11050)   NAS-Port = 2
(11050)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11050)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11050)   Framed-MTU = 1400
(11050)   NAS-Port-Type = Wireless-802.11
(11050)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11050)   EAP-Message = 0x020200ab1980000000a1160301009c0100009803039c4c361bc616647397a5fcbb62da353c8e280950e62470a9b076ee8a4df5731200003cc02bc02f009ec02cc030009fcca9cca8c009c023c013c02700330067c00ac024c014c0280039006bc007c011009c009d002f003c0035003d0005000a010000
(11050)   State = 0xbb52a0a1ba50b9afa6d420c8f1230505
(11050)   Message-Authenticator = 0xee12d9c33e702dde45cc68d947157e10
(11050) session-state: No cached attributes
(11050) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11050)   authorize {
(11050)     policy filter_username {
(11050)       if (&User-Name) {
(11050)       if (&User-Name)  -> TRUE
(11050)       if (&User-Name)  {
(11050)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11050)         EXPAND %{tolower:%{User-Name}}
(11050)            --> mpdft
(11050)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11050)         if (&User-Name =~ /\// ) {
(11050)         if (&User-Name =~ /\// )  -> FALSE
(11050)         if (&User-Name =~ / /) {
(11050)         if (&User-Name =~ / /)  -> FALSE
(11050)         if (&User-Name =~ /@[^@]*@/ ) {
(11050)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11050)         if (&User-Name =~ /\.\./ ) {
(11050)         if (&User-Name =~ /\.\./ )  -> FALSE
(11050)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11050)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11050)         if (&User-Name =~ /\.$/)  {
(11050)         if (&User-Name =~ /\.$/)   -> FALSE
(11050)         if (&User-Name =~ /@\./)  {
(11050)         if (&User-Name =~ /@\./)   -> FALSE
(11050)       } # if (&User-Name)  = notfound
(11050)     } # policy filter_username = notfound
(11050)     policy split_username_nai {
(11050)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11050)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11050)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11050)         update request {
(11050)           EXPAND %{1}
(11050)              --> mpdft
(11050)           &Stripped-User-Name := mpdft
(11050)           EXPAND %{3}
(11050)              -->
(11050)           &Stripped-User-Domain =
(11050)         } # update request = noop
(11050)         [updated] = updated
(11050)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11050)       ... skipping else: Preceding "if" was taken
(11050)     } # policy split_username_nai = updated
(11050)     [preprocess] = ok
(11050) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11050) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11050) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11050) auth_log: EXPAND %t
(11050) auth_log:    --> Wed Jun 24 15:00:27 2020
(11050)     [auth_log] = ok
(11050)     [chap] = noop
(11050)     [mschap] = noop
(11050)     [digest] = noop
(11050) suffix: Checking for suffix after "@"
(11050) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11050) suffix: No such realm "NULL"
(11050)     [suffix] = noop
(11050) eap: Peer sent EAP Response (code 2) ID 2 length 171
(11050) eap: Continuing tunnel setup
(11050)     [eap] = ok
(11050)   } # authorize = ok
(11050) Found Auth-Type = eap
(11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11050)   authenticate {
(11050) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11050) eap: Finished EAP session with state 0xbb52a0a1ba50b9af
(11050) eap: Previous EAP request found for state 0xbb52a0a1ba50b9af, released from the list
(11050) eap: Peer sent packet with method EAP PEAP (25)
(11050) eap: Calling submodule eap_peap to process data
(11050) eap_peap: Continuing EAP-TLS
(11050) eap_peap: Peer indicated complete TLS record size will be 161 bytes
(11050) eap_peap: Got complete TLS record (161 bytes)
(11050) eap_peap: [eaptls verify] = length included
(11050) eap_peap: (other): before SSL initialization
(11050) eap_peap: TLS_accept: before SSL initialization
(11050) eap_peap: TLS_accept: before SSL initialization
(11050) eap_peap: <<< recv TLS 1.2  [length 009c]
(11050) eap_peap: TLS_accept: SSLv3/TLS read client hello
(11050) eap_peap: >>> send TLS 1.2  [length 003d]
(11050) eap_peap: TLS_accept: SSLv3/TLS write server hello
(11050) eap_peap: >>> send TLS 1.2  [length 0309]
(11050) eap_peap: TLS_accept: SSLv3/TLS write certificate
(11050) eap_peap: >>> send TLS 1.2  [length 014d]
(11050) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(11050) eap_peap: >>> send TLS 1.2  [length 0004]
(11050) eap_peap: TLS_accept: SSLv3/TLS write server done
(11050) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(11050) eap_peap: In SSL Handshake Phase
(11050) eap_peap: In SSL Accept mode
(11050) eap_peap: [eaptls process] = handled
(11050) eap: Sending EAP Request (code 1) ID 3 length 1004
(11050) eap: EAP session adding &reply:State = 0xbb52a0a1b951b9af
(11050)     [eap] = handled
(11050)   } # authenticate = handled
(11050) Using Post-Auth-Type Challenge
(11050) Post-Auth-Type sub-section not found.  Ignoring.
(11050) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11050) Sent Access-Challenge Id 141 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11050)   EAP-Message = 0x010303ec19c0000004ab160303003d020000390303bff8d5bbdafc2ef1f9fe4ff68c004d2d5d255f840adf436732d14e188fb4896900c02f000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(11050)   Message-Authenticator = 0x00000000000000000000000000000000
(11050)   State = 0xbb52a0a1b951b9afa6d420c8f1230505
(11050) Finished request
(11051) Received Access-Request Id 142 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11051)   User-Name = "mpdft"
(11051)   NAS-IP-Address = 10.34.27.220
(11051)   NAS-Port = 2
(11051)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11051)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11051)   Framed-MTU = 1400
(11051)   NAS-Port-Type = Wireless-802.11
(11051)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11051)   EAP-Message = 0x020300061900
(11051)   State = 0xbb52a0a1b951b9afa6d420c8f1230505
(11051)   Message-Authenticator = 0x91c78843c332dee8045c2bd4d2518647
(11051) session-state: No cached attributes
(11051) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11051)   authorize {
(11051)     policy filter_username {
(11051)       if (&User-Name) {
(11051)       if (&User-Name)  -> TRUE
(11051)       if (&User-Name)  {
(11051)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11051)         EXPAND %{tolower:%{User-Name}}
(11051)            --> mpdft
(11051)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11051)         if (&User-Name =~ /\// ) {
(11051)         if (&User-Name =~ /\// )  -> FALSE
(11051)         if (&User-Name =~ / /) {
(11051)         if (&User-Name =~ / /)  -> FALSE
(11051)         if (&User-Name =~ /@[^@]*@/ ) {
(11051)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11051)         if (&User-Name =~ /\.\./ ) {
(11051)         if (&User-Name =~ /\.\./ )  -> FALSE
(11051)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11051)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11051)         if (&User-Name =~ /\.$/)  {
(11051)         if (&User-Name =~ /\.$/)   -> FALSE
(11051)         if (&User-Name =~ /@\./)  {
(11051)         if (&User-Name =~ /@\./)   -> FALSE
(11051)       } # if (&User-Name)  = notfound
(11051)     } # policy filter_username = notfound
(11051)     policy split_username_nai {
(11051)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11051)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11051)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11051)         update request {
(11051)           EXPAND %{1}
(11051)              --> mpdft
(11051)           &Stripped-User-Name := mpdft
(11051)           EXPAND %{3}
(11051)              -->
(11051)           &Stripped-User-Domain =
(11051)         } # update request = noop
(11051)         [updated] = updated
(11051)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11051)       ... skipping else: Preceding "if" was taken
(11051)     } # policy split_username_nai = updated
(11051)     [preprocess] = ok
(11051) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11051) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11051) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11051) auth_log: EXPAND %t
(11051) auth_log:    --> Wed Jun 24 15:00:27 2020
(11051)     [auth_log] = ok
(11051)     [chap] = noop
(11051)     [mschap] = noop
(11051)     [digest] = noop
(11051) suffix: Checking for suffix after "@"
(11051) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11051) suffix: No such realm "NULL"
(11051)     [suffix] = noop
(11051) eap: Peer sent EAP Response (code 2) ID 3 length 6
(11051) eap: Continuing tunnel setup
(11051)     [eap] = ok
(11051)   } # authorize = ok
(11051) Found Auth-Type = eap
(11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11051)   authenticate {
(11051) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11051) eap: Finished EAP session with state 0xbb52a0a1b951b9af
(11051) eap: Previous EAP request found for state 0xbb52a0a1b951b9af, released from the list
(11051) eap: Peer sent packet with method EAP PEAP (25)
(11051) eap: Calling submodule eap_peap to process data
(11051) eap_peap: Continuing EAP-TLS
(11051) eap_peap: Peer ACKed our handshake fragment
(11051) eap_peap: [eaptls verify] = request
(11051) eap_peap: [eaptls process] = handled
(11051) eap: Sending EAP Request (code 1) ID 4 length 207
(11051) eap: EAP session adding &reply:State = 0xbb52a0a1b856b9af
(11051)     [eap] = handled
(11051)   } # authenticate = handled
(11051) Using Post-Auth-Type Challenge
(11051) Post-Auth-Type sub-section not found.  Ignoring.
(11051) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11051) Sent Access-Challenge Id 142 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11051)   EAP-Message = 0x010400cf190077d923f57ef28aa1228670ecd396ae9f5120736fed21274cc4e43fe548da4b0018966c35ae455f4bd6fe6740c7c8414a8adcd72b383bcd96b08acbb06444bd5259dbef85f8b44d37c2cbfffeb6c98619f1bcdba6d5e2e6f70b494289c12f22675199072877351a1e1e55c1901b67e1c0ce
(11051)   Message-Authenticator = 0x00000000000000000000000000000000
(11051)   State = 0xbb52a0a1b856b9afa6d420c8f1230505
(11051) Finished request
(11052) Received Access-Request Id 143 from 10.34.27.220:3489 to 10.34.242.3:1812 length 293
(11052)   User-Name = "mpdft"
(11052)   NAS-IP-Address = 10.34.27.220
(11052)   NAS-Port = 2
(11052)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11052)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11052)   Framed-MTU = 1400
(11052)   NAS-Port-Type = Wireless-802.11
(11052)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11052)   EAP-Message = 0x0204008819800000007e16030300461000004241049d1d0aa98e339ec73f7114217ba102b7ec0faa4f48bd4430255a0c9f30e6e43587cbd5b858dd3eb66644df3703a1a74c19bcf7f526a95af9d8605e85aaa0b4e114030300010116030300280000000000000000b8d30db4ebe845ea5264df4293f41a
(11052)   State = 0xbb52a0a1b856b9afa6d420c8f1230505
(11052)   Message-Authenticator = 0x8117b45ab21207f6cc0085f9906d6737
(11052) session-state: No cached attributes
(11052) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11052)   authorize {
(11052)     policy filter_username {
(11052)       if (&User-Name) {
(11052)       if (&User-Name)  -> TRUE
(11052)       if (&User-Name)  {
(11052)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11052)         EXPAND %{tolower:%{User-Name}}
(11052)            --> mpdft
(11052)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11052)         if (&User-Name =~ /\// ) {
(11052)         if (&User-Name =~ /\// )  -> FALSE
(11052)         if (&User-Name =~ / /) {
(11052)         if (&User-Name =~ / /)  -> FALSE
(11052)         if (&User-Name =~ /@[^@]*@/ ) {
(11052)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11052)         if (&User-Name =~ /\.\./ ) {
(11052)         if (&User-Name =~ /\.\./ )  -> FALSE
(11052)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11052)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11052)         if (&User-Name =~ /\.$/)  {
(11052)         if (&User-Name =~ /\.$/)   -> FALSE
(11052)         if (&User-Name =~ /@\./)  {
(11052)         if (&User-Name =~ /@\./)   -> FALSE
(11052)       } # if (&User-Name)  = notfound
(11052)     } # policy filter_username = notfound
(11052)     policy split_username_nai {
(11052)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11052)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11052)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11052)         update request {
(11052)           EXPAND %{1}
(11052)              --> mpdft
(11052)           &Stripped-User-Name := mpdft
(11052)           EXPAND %{3}
(11052)              -->
(11052)           &Stripped-User-Domain =
(11052)         } # update request = noop
(11052)         [updated] = updated
(11052)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11052)       ... skipping else: Preceding "if" was taken
(11052)     } # policy split_username_nai = updated
(11052)     [preprocess] = ok
(11052) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11052) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11052) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11052) auth_log: EXPAND %t
(11052) auth_log:    --> Wed Jun 24 15:00:27 2020
(11052)     [auth_log] = ok
(11052)     [chap] = noop
(11052)     [mschap] = noop
(11052)     [digest] = noop
(11052) suffix: Checking for suffix after "@"
(11052) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11052) suffix: No such realm "NULL"
(11052)     [suffix] = noop
(11052) eap: Peer sent EAP Response (code 2) ID 4 length 136
(11052) eap: Continuing tunnel setup
(11052)     [eap] = ok
(11052)   } # authorize = ok
(11052) Found Auth-Type = eap
(11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11052)   authenticate {
(11052) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11052) eap: Finished EAP session with state 0xbb52a0a1b856b9af
(11052) eap: Previous EAP request found for state 0xbb52a0a1b856b9af, released from the list
(11052) eap: Peer sent packet with method EAP PEAP (25)
(11052) eap: Calling submodule eap_peap to process data
(11052) eap_peap: Continuing EAP-TLS
(11052) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(11052) eap_peap: Got complete TLS record (126 bytes)
(11052) eap_peap: [eaptls verify] = length included
(11052) eap_peap: TLS_accept: SSLv3/TLS write server done
(11052) eap_peap: <<< recv TLS 1.2  [length 0046]
(11052) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(11052) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(11052) eap_peap: <<< recv TLS 1.2  [length 0010]
(11052) eap_peap: TLS_accept: SSLv3/TLS read finished
(11052) eap_peap: >>> send TLS 1.2  [length 0001]
(11052) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(11052) eap_peap: >>> send TLS 1.2  [length 0010]
(11052) eap_peap: TLS_accept: SSLv3/TLS write finished
(11052) eap_peap: (other): SSL negotiation finished successfully
(11052) eap_peap: SSL Connection Established
(11052) eap_peap: [eaptls process] = handled
(11052) eap: Sending EAP Request (code 1) ID 5 length 57
(11052) eap: EAP session adding &reply:State = 0xbb52a0a1bf57b9af
(11052)     [eap] = handled
(11052)   } # authenticate = handled
(11052) Using Post-Auth-Type Challenge
(11052) Post-Auth-Type sub-section not found.  Ignoring.
(11052) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11052) Sent Access-Challenge Id 143 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11052)   EAP-Message = 0x01050039190014030300010116030300288995cd8a76492654a82f8d2fc75b6ca674a25e522583f0877dfaf2b235972f869cd889c0383b0a82
(11052)   Message-Authenticator = 0x00000000000000000000000000000000
(11052)   State = 0xbb52a0a1bf57b9afa6d420c8f1230505
(11052) Finished request
(11053) Received Access-Request Id 144 from 10.34.27.220:3489 to 10.34.242.3:1812 length 163
(11053)   User-Name = "mpdft"
(11053)   NAS-IP-Address = 10.34.27.220
(11053)   NAS-Port = 2
(11053)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11053)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11053)   Framed-MTU = 1400
(11053)   NAS-Port-Type = Wireless-802.11
(11053)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11053)   EAP-Message = 0x020500061900
(11053)   State = 0xbb52a0a1bf57b9afa6d420c8f1230505
(11053)   Message-Authenticator = 0xcd93b19502ff6f920112fbb490021062
(11053) session-state: No cached attributes
(11053) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11053)   authorize {
(11053)     policy filter_username {
(11053)       if (&User-Name) {
(11053)       if (&User-Name)  -> TRUE
(11053)       if (&User-Name)  {
(11053)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11053)         EXPAND %{tolower:%{User-Name}}
(11053)            --> mpdft
(11053)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11053)         if (&User-Name =~ /\// ) {
(11053)         if (&User-Name =~ /\// )  -> FALSE
(11053)         if (&User-Name =~ / /) {
(11053)         if (&User-Name =~ / /)  -> FALSE
(11053)         if (&User-Name =~ /@[^@]*@/ ) {
(11053)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11053)         if (&User-Name =~ /\.\./ ) {
(11053)         if (&User-Name =~ /\.\./ )  -> FALSE
(11053)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11053)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11053)         if (&User-Name =~ /\.$/)  {
(11053)         if (&User-Name =~ /\.$/)   -> FALSE
(11053)         if (&User-Name =~ /@\./)  {
(11053)         if (&User-Name =~ /@\./)   -> FALSE
(11053)       } # if (&User-Name)  = notfound
(11053)     } # policy filter_username = notfound
(11053)     policy split_username_nai {
(11053)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11053)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11053)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11053)         update request {
(11053)           EXPAND %{1}
(11053)              --> mpdft
(11053)           &Stripped-User-Name := mpdft
(11053)           EXPAND %{3}
(11053)              -->
(11053)           &Stripped-User-Domain =
(11053)         } # update request = noop
(11053)         [updated] = updated
(11053)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11053)       ... skipping else: Preceding "if" was taken
(11053)     } # policy split_username_nai = updated
(11053)     [preprocess] = ok
(11053) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11053) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11053) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11053) auth_log: EXPAND %t
(11053) auth_log:    --> Wed Jun 24 15:00:27 2020
(11053)     [auth_log] = ok
(11053)     [chap] = noop
(11053)     [mschap] = noop
(11053)     [digest] = noop
(11053) suffix: Checking for suffix after "@"
(11053) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11053) suffix: No such realm "NULL"
(11053)     [suffix] = noop
(11053) eap: Peer sent EAP Response (code 2) ID 5 length 6
(11053) eap: Continuing tunnel setup
(11053)     [eap] = ok
(11053)   } # authorize = ok
(11053) Found Auth-Type = eap
(11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11053)   authenticate {
(11053) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11053) eap: Finished EAP session with state 0xbb52a0a1bf57b9af
(11053) eap: Previous EAP request found for state 0xbb52a0a1bf57b9af, released from the list
(11053) eap: Peer sent packet with method EAP PEAP (25)
(11053) eap: Calling submodule eap_peap to process data
(11053) eap_peap: Continuing EAP-TLS
(11053) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(11053) eap_peap: [eaptls verify] = success
(11053) eap_peap: [eaptls process] = success
(11053) eap_peap: Session established.  Decoding tunneled attributes
(11053) eap_peap: PEAP state TUNNEL ESTABLISHED
(11053) eap: Sending EAP Request (code 1) ID 6 length 40
(11053) eap: EAP session adding &reply:State = 0xbb52a0a1be54b9af
(11053)     [eap] = handled
(11053)   } # authenticate = handled
(11053) Using Post-Auth-Type Challenge
(11053) Post-Auth-Type sub-section not found.  Ignoring.
(11053) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11053) Sent Access-Challenge Id 144 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11053)   EAP-Message = 0x010600281900170303001d8995cd8a76492655aa9ea54c3b4322eaca154c899222b9039194e9813a
(11053)   Message-Authenticator = 0x00000000000000000000000000000000
(11053)   State = 0xbb52a0a1be54b9afa6d420c8f1230505
(11053) Finished request
(11054) Received Access-Request Id 145 from 10.34.27.220:3489 to 10.34.242.3:1812 length 211
(11054)   User-Name = "mpdft"
(11054)   NAS-IP-Address = 10.34.27.220
(11054)   NAS-Port = 2
(11054)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11054)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11054)   Framed-MTU = 1400
(11054)   NAS-Port-Type = Wireless-802.11
(11054)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11054)   EAP-Message = 0x020600361900170303002b0000000000000001d8fc0d85e42ff3c7a9007d28e781d3f96bc92ec34bdd11b8e07e78a5c01255342524f0
(11054)   State = 0xbb52a0a1be54b9afa6d420c8f1230505
(11054)   Message-Authenticator = 0x970cdd80924dea90c2936c50ab414e02
(11054) session-state: No cached attributes
(11054) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11054)   authorize {
(11054)     policy filter_username {
(11054)       if (&User-Name) {
(11054)       if (&User-Name)  -> TRUE
(11054)       if (&User-Name)  {
(11054)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11054)         EXPAND %{tolower:%{User-Name}}
(11054)            --> mpdft
(11054)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11054)         if (&User-Name =~ /\// ) {
(11054)         if (&User-Name =~ /\// )  -> FALSE
(11054)         if (&User-Name =~ / /) {
(11054)         if (&User-Name =~ / /)  -> FALSE
(11054)         if (&User-Name =~ /@[^@]*@/ ) {
(11054)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11054)         if (&User-Name =~ /\.\./ ) {
(11054)         if (&User-Name =~ /\.\./ )  -> FALSE
(11054)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11054)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11054)         if (&User-Name =~ /\.$/)  {
(11054)         if (&User-Name =~ /\.$/)   -> FALSE
(11054)         if (&User-Name =~ /@\./)  {
(11054)         if (&User-Name =~ /@\./)   -> FALSE
(11054)       } # if (&User-Name)  = notfound
(11054)     } # policy filter_username = notfound
(11054)     policy split_username_nai {
(11054)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11054)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11054)         update request {
(11054)           EXPAND %{1}
(11054)              --> mpdft
(11054)           &Stripped-User-Name := mpdft
(11054)           EXPAND %{3}
(11054)              -->
(11054)           &Stripped-User-Domain =
(11054)         } # update request = noop
(11054)         [updated] = updated
(11054)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11054)       ... skipping else: Preceding "if" was taken
(11054)     } # policy split_username_nai = updated
(11054)     [preprocess] = ok
(11054) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11054) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11054) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11054) auth_log: EXPAND %t
(11054) auth_log:    --> Wed Jun 24 15:00:27 2020
(11054)     [auth_log] = ok
(11054)     [chap] = noop
(11054)     [mschap] = noop
(11054)     [digest] = noop
(11054) suffix: Checking for suffix after "@"
(11054) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11054) suffix: No such realm "NULL"
(11054)     [suffix] = noop
(11054) eap: Peer sent EAP Response (code 2) ID 6 length 54
(11054) eap: Continuing tunnel setup
(11054)     [eap] = ok
(11054)   } # authorize = ok
(11054) Found Auth-Type = eap
(11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11054)   authenticate {
(11054) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11054) eap: Finished EAP session with state 0xbb52a0a1be54b9af
(11054) eap: Previous EAP request found for state 0xbb52a0a1be54b9af, released from the list
(11054) eap: Peer sent packet with method EAP PEAP (25)
(11054) eap: Calling submodule eap_peap to process data
(11054) eap_peap: Continuing EAP-TLS
(11054) eap_peap: [eaptls verify] = ok
(11054) eap_peap: Done initial handshake
(11054) eap_peap: [eaptls process] = ok
(11054) eap_peap: Session established.  Decoding tunneled attributes
(11054) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(11054) eap_peap: Identity - denisson.magalhaes
(11054) eap_peap: Got inner identity 'denisson.magalhaes'
(11054) eap_peap: Setting default EAP type for tunneled EAP session
(11054) eap_peap: Got tunneled request
(11054) eap_peap:   EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054) eap_peap: Setting User-Name to denisson.magalhaes
(11054) eap_peap: Sending tunneled request to inner-tunnel
(11054) eap_peap:   EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(11054) eap_peap:   User-Name = "denisson.magalhaes"
(11054) Virtual server inner-tunnel received request
(11054)   EAP-Message = 0x020600170164656e6973736f6e2e6d6167616c68616573
(11054)   FreeRADIUS-Proxied-To = 127.0.0.1
(11054)   User-Name = "denisson.magalhaes"
(11054) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(11054) server inner-tunnel {
(11054)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11054)     authorize {
(11054)       policy filter_username {
(11054)         if (&User-Name) {
(11054)         if (&User-Name)  -> TRUE
(11054)         if (&User-Name)  {
(11054)           if (&User-Name != "%{tolower:%{User-Name}}") {
(11054)           EXPAND %{tolower:%{User-Name}}
(11054)              --> denisson.magalhaes
(11054)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11054)           if (&User-Name =~ /\// ) {
(11054)           if (&User-Name =~ /\// )  -> FALSE
(11054)           if (&User-Name =~ / /) {
(11054)           if (&User-Name =~ / /)  -> FALSE
(11054)           if (&User-Name =~ /@[^@]*@/ ) {
(11054)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11054)           if (&User-Name =~ /\.\./ ) {
(11054)           if (&User-Name =~ /\.\./ )  -> FALSE
(11054)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11054)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11054)           if (&User-Name =~ /\.$/)  {
(11054)           if (&User-Name =~ /\.$/)   -> FALSE
(11054)           if (&User-Name =~ /@\./)  {
(11054)           if (&User-Name =~ /@\./)   -> FALSE
(11054)         } # if (&User-Name)  = notfound
(11054)       } # policy filter_username = notfound
(11054)       policy split_username_nai {
(11054)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11054)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11054)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11054)           update request {
(11054)             EXPAND %{1}
(11054)                --> denisson.magalhaes
(11054)             &Stripped-User-Name := denisson.magalhaes
(11054)             EXPAND %{3}
(11054)                -->
(11054)             &Stripped-User-Domain =
(11054)           } # update request = noop
(11054)           [updated] = updated
(11054)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11054)         ... skipping else: Preceding "if" was taken
(11054)       } # policy split_username_nai = updated
(11054)       [chap] = noop
(11054)       [mschap] = noop
(11054) suffix: Checking for suffix after "@"
(11054) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11054) suffix: No such realm "NULL"
(11054)       [suffix] = noop
(11054)       update control {
(11054)         &Proxy-To-Realm := LOCAL
(11054)       } # update control = noop
(11054) eap: Peer sent EAP Response (code 2) ID 6 length 23
(11054) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(11054)       [eap] = ok
(11054)     } # authorize = ok
(11054)   Found Auth-Type = eap
(11054)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11054)     authenticate {
(11054) eap: Peer sent packet with method EAP Identity (1)
(11054) eap: Calling submodule eap_mschapv2 to process data
(11054) eap_mschapv2: Issuing Challenge
(11054) eap: Sending EAP Request (code 1) ID 7 length 43
(11054) eap: EAP session adding &reply:State = 0x42859db4428287cc
(11054)       [eap] = handled
(11054)     } # authenticate = handled
(11054) } # server inner-tunnel
(11054) Virtual server sending reply
(11054)   EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054)   Message-Authenticator = 0x00000000000000000000000000000000
(11054)   State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled reply code 11
(11054) eap_peap:   EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11054) eap_peap:   State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled reply RADIUS code 11
(11054) eap_peap:   EAP-Message = 0x0107002b1a0107002610f29348c6e9f606d19366f0b2aa8f7768667265657261646975732d332e302e3132
(11054) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11054) eap_peap:   State = 0x42859db4428287cc3b9481c4f9ea1542
(11054) eap_peap: Got tunneled Access-Challenge
(11054) eap: Sending EAP Request (code 1) ID 7 length 74
(11054) eap: EAP session adding &reply:State = 0xbb52a0a1bd55b9af
(11054)     [eap] = handled
(11054)   } # authenticate = handled
(11054) Using Post-Auth-Type Challenge
(11054) Post-Auth-Type sub-section not found.  Ignoring.
(11054) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11054) Sent Access-Challenge Id 145 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11054)   EAP-Message = 0x0107004a1900170303003f8995cd8a764926562bcf6a8d4e4fc36150939a3009148fd8d27651059f01ecb32a009ed57b2d586e2c8fdfc5574e7a006d90b1d5a56e19f86fd3ae11155229
(11054)   Message-Authenticator = 0x00000000000000000000000000000000
(11054)   State = 0xbb52a0a1bd55b9afa6d420c8f1230505
(11054) Finished request
(11055) Received Access-Request Id 146 from 10.34.27.220:3489 to 10.34.242.3:1812 length 265
(11055)   User-Name = "mpdft"
(11055)   NAS-IP-Address = 10.34.27.220
(11055)   NAS-Port = 2
(11055)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11055)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11055)   Framed-MTU = 1400
(11055)   NAS-Port-Type = Wireless-802.11
(11055)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11055)   EAP-Message = 0x0207006c1900170303006100000000000000024d591a24a1d1ce11848fa5356bb8f2bf4f0862b3b05595d98b477efde9817e3fe9a90e73500086263fa7700d87902ddb01e2a0102b19e6c925e461ae10f42f0f17fda0b9381010aa00b76bb59fa7bf2091764c1fb3a468489a
(11055)   State = 0xbb52a0a1bd55b9afa6d420c8f1230505
(11055)   Message-Authenticator = 0xb206d85e899e2eb17db70c79d6d07fec
(11055) session-state: No cached attributes
(11055) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11055)   authorize {
(11055)     policy filter_username {
(11055)       if (&User-Name) {
(11055)       if (&User-Name)  -> TRUE
(11055)       if (&User-Name)  {
(11055)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11055)         EXPAND %{tolower:%{User-Name}}
(11055)            --> mpdft
(11055)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11055)         if (&User-Name =~ /\// ) {
(11055)         if (&User-Name =~ /\// )  -> FALSE
(11055)         if (&User-Name =~ / /) {
(11055)         if (&User-Name =~ / /)  -> FALSE
(11055)         if (&User-Name =~ /@[^@]*@/ ) {
(11055)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11055)         if (&User-Name =~ /\.\./ ) {
(11055)         if (&User-Name =~ /\.\./ )  -> FALSE
(11055)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11055)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11055)         if (&User-Name =~ /\.$/)  {
(11055)         if (&User-Name =~ /\.$/)   -> FALSE
(11055)         if (&User-Name =~ /@\./)  {
(11055)         if (&User-Name =~ /@\./)   -> FALSE
(11055)       } # if (&User-Name)  = notfound
(11055)     } # policy filter_username = notfound
(11055)     policy split_username_nai {
(11055)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11055)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11055)         update request {
(11055)           EXPAND %{1}
(11055)              --> mpdft
(11055)           &Stripped-User-Name := mpdft
(11055)           EXPAND %{3}
(11055)              -->
(11055)           &Stripped-User-Domain =
(11055)         } # update request = noop
(11055)         [updated] = updated
(11055)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11055)       ... skipping else: Preceding "if" was taken
(11055)     } # policy split_username_nai = updated
(11055)     [preprocess] = ok
(11055) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11055) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11055) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11055) auth_log: EXPAND %t
(11055) auth_log:    --> Wed Jun 24 15:00:27 2020
(11055)     [auth_log] = ok
(11055)     [chap] = noop
(11055)     [mschap] = noop
(11055)     [digest] = noop
(11055) suffix: Checking for suffix after "@"
(11055) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11055) suffix: No such realm "NULL"
(11055)     [suffix] = noop
(11055) eap: Peer sent EAP Response (code 2) ID 7 length 108
(11055) eap: Continuing tunnel setup
(11055)     [eap] = ok
(11055)   } # authorize = ok
(11055) Found Auth-Type = eap
(11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11055)   authenticate {
(11055) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11055) eap: Finished EAP session with state 0xbb52a0a1bd55b9af
(11055) eap: Previous EAP request found for state 0xbb52a0a1bd55b9af, released from the list
(11055) eap: Peer sent packet with method EAP PEAP (25)
(11055) eap: Calling submodule eap_peap to process data
(11055) eap_peap: Continuing EAP-TLS
(11055) eap_peap: [eaptls verify] = ok
(11055) eap_peap: Done initial handshake
(11055) eap_peap: [eaptls process] = ok
(11055) eap_peap: Session established.  Decoding tunneled attributes
(11055) eap_peap: PEAP state phase2
(11055) eap_peap: EAP method MSCHAPv2 (26)
(11055) eap_peap: Got tunneled request
(11055) eap_peap:   EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055) eap_peap: Setting User-Name to denisson.magalhaes
(11055) eap_peap: Sending tunneled request to inner-tunnel
(11055) eap_peap:   EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(11055) eap_peap:   User-Name = "denisson.magalhaes"
(11055) eap_peap:   State = 0x42859db4428287cc3b9481c4f9ea1542
(11055) Virtual server inner-tunnel received request
(11055)   EAP-Message = 0x0207004d1a0207004831136f25023f2aa6ee6d38270b3e2595e10000000000000000ec06ee23ed82afbcbc4b824a9d92d2d2391f9c837c9a06470064656e6973736f6e2e6d6167616c68616573
(11055)   FreeRADIUS-Proxied-To = 127.0.0.1
(11055)   User-Name = "denisson.magalhaes"
(11055)   State = 0x42859db4428287cc3b9481c4f9ea1542
(11055) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(11055) server inner-tunnel {
(11055)   session-state: No cached attributes
(11055)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055)     authorize {
(11055)       policy filter_username {
(11055)         if (&User-Name) {
(11055)         if (&User-Name)  -> TRUE
(11055)         if (&User-Name)  {
(11055)           if (&User-Name != "%{tolower:%{User-Name}}") {
(11055)           EXPAND %{tolower:%{User-Name}}
(11055)              --> denisson.magalhaes
(11055)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11055)           if (&User-Name =~ /\// ) {
(11055)           if (&User-Name =~ /\// )  -> FALSE
(11055)           if (&User-Name =~ / /) {
(11055)           if (&User-Name =~ / /)  -> FALSE
(11055)           if (&User-Name =~ /@[^@]*@/ ) {
(11055)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11055)           if (&User-Name =~ /\.\./ ) {
(11055)           if (&User-Name =~ /\.\./ )  -> FALSE
(11055)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11055)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11055)           if (&User-Name =~ /\.$/)  {
(11055)           if (&User-Name =~ /\.$/)   -> FALSE
(11055)           if (&User-Name =~ /@\./)  {
(11055)           if (&User-Name =~ /@\./)   -> FALSE
(11055)         } # if (&User-Name)  = notfound
(11055)       } # policy filter_username = notfound
(11055)       policy split_username_nai {
(11055)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11055)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11055)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11055)           update request {
(11055)             EXPAND %{1}
(11055)                --> denisson.magalhaes
(11055)             &Stripped-User-Name := denisson.magalhaes
(11055)             EXPAND %{3}
(11055)                -->
(11055)             &Stripped-User-Domain =
(11055)           } # update request = noop
(11055)           [updated] = updated
(11055)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11055)         ... skipping else: Preceding "if" was taken
(11055)       } # policy split_username_nai = updated
(11055)       [chap] = noop
(11055)       [mschap] = noop
(11055) suffix: Checking for suffix after "@"
(11055) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11055) suffix: No such realm "NULL"
(11055)       [suffix] = noop
(11055)       update control {
(11055)         &Proxy-To-Realm := LOCAL
(11055)       } # update control = noop
(11055) eap: Peer sent EAP Response (code 2) ID 7 length 77
(11055) eap: No EAP Start, assuming it's an on-going EAP conversation
(11055)       [eap] = updated
(11055) files: users: Matched entry DEFAULT at line 90
(11055)       [files] = ok
(11055) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11055) sql:    --> denisson.magalhaes
(11055) sql: SQL-User-Name set to 'denisson.magalhaes'
(11055) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11055) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11055) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11055) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11055) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11055) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11055) sql: User not found in any groups
(11055)       [sql] = notfound
(11055)       [expiration] = noop
(11055)       [logintime] = noop
(11055)       [pap] = noop
(11055)     } # authorize = updated
(11055)   Found Auth-Type = eap
(11055)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055)     authenticate {
(11055) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11055) eap: Finished EAP session with state 0x42859db4428287cc
(11055) eap: Previous EAP request found for state 0x42859db4428287cc, released from the list
(11055) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11055) eap: Calling submodule eap_mschapv2 to process data
(11055) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11055) eap_mschapv2:   authenticate {
(11055) mschap: Creating challenge hash with username: denisson.magalhaes
(11055) mschap: Client is using MS-CHAPv2
(11055) mschap: EXPAND %{mschap:User-Name}
(11055) mschap:    --> denisson.magalhaes
(11055) mschap: ERROR: No NT-Domain was found in the User-Name
(11055) mschap: EXPAND %{mschap:NT-Domain}
(11055) mschap:    -->
(11055) mschap: sending authentication request user='denisson.magalhaes' domain=''
(11055) mschap: Authenticated successfully
(11055) mschap: Adding MS-CHAPv2 MPPE keys
(11055)     [mschap] = ok
(11055)   } # authenticate = ok
(11055) MSCHAP Success
(11055) eap: Sending EAP Request (code 1) ID 8 length 51
(11055) eap: EAP session adding &reply:State = 0x42859db4438d87cc
(11055)       [eap] = handled
(11055)     } # authenticate = handled
(11055) } # server inner-tunnel
(11055) Virtual server sending reply
(11055)   Idle-Timeout = 300
(11055)   EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055)   Message-Authenticator = 0x00000000000000000000000000000000
(11055)   State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled reply code 11
(11055) eap_peap:   Idle-Timeout = 300
(11055) eap_peap:   EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11055) eap_peap:   State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled reply RADIUS code 11
(11055) eap_peap:   Idle-Timeout = 300
(11055) eap_peap:   EAP-Message = 0x010800331a0307002e533d39463737433846384146344239334537444145393234433131363335374242303144424430433334
(11055) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11055) eap_peap:   State = 0x42859db4438d87cc3b9481c4f9ea1542
(11055) eap_peap: Got tunneled Access-Challenge
(11055) eap: Sending EAP Request (code 1) ID 8 length 82
(11055) eap: EAP session adding &reply:State = 0xbb52a0a1bc5ab9af
(11055)     [eap] = handled
(11055)   } # authenticate = handled
(11055) Using Post-Auth-Type Challenge
(11055) Post-Auth-Type sub-section not found.  Ignoring.
(11055) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11055) Sent Access-Challenge Id 146 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11055)   EAP-Message = 0x01080052190017030300478995cd8a764926570ee0b4bf6e9b90dd0bdaa8f1f13a3d44bceb60b3d4c779cd0e31ebfbe40fa16df76e27769cdfcc6b9f3fefc910c56308bef902dc01e91b87251ed4fa655992
(11055)   Message-Authenticator = 0x00000000000000000000000000000000
(11055)   State = 0xbb52a0a1bc5ab9afa6d420c8f1230505
(11055) Finished request
(11056) Received Access-Request Id 147 from 10.34.27.220:3489 to 10.34.242.3:1812 length 194
(11056)   User-Name = "mpdft"
(11056)   NAS-IP-Address = 10.34.27.220
(11056)   NAS-Port = 2
(11056)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11056)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11056)   Framed-MTU = 1400
(11056)   NAS-Port-Type = Wireless-802.11
(11056)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11056)   EAP-Message = 0x020800251900170303001a00000000000000030c71fdcc8d24f633a88e6aa816fe57085c9a
(11056)   State = 0xbb52a0a1bc5ab9afa6d420c8f1230505
(11056)   Message-Authenticator = 0xef807e88c37c705c6ec3fa5bbcc830e6
(11056) session-state: No cached attributes
(11056) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11056)   authorize {
(11056)     policy filter_username {
(11056)       if (&User-Name) {
(11056)       if (&User-Name)  -> TRUE
(11056)       if (&User-Name)  {
(11056)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11056)         EXPAND %{tolower:%{User-Name}}
(11056)            --> mpdft
(11056)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11056)         if (&User-Name =~ /\// ) {
(11056)         if (&User-Name =~ /\// )  -> FALSE
(11056)         if (&User-Name =~ / /) {
(11056)         if (&User-Name =~ / /)  -> FALSE
(11056)         if (&User-Name =~ /@[^@]*@/ ) {
(11056)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11056)         if (&User-Name =~ /\.\./ ) {
(11056)         if (&User-Name =~ /\.\./ )  -> FALSE
(11056)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11056)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11056)         if (&User-Name =~ /\.$/)  {
(11056)         if (&User-Name =~ /\.$/)   -> FALSE
(11056)         if (&User-Name =~ /@\./)  {
(11056)         if (&User-Name =~ /@\./)   -> FALSE
(11056)       } # if (&User-Name)  = notfound
(11056)     } # policy filter_username = notfound
(11056)     policy split_username_nai {
(11056)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11056)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11056)         update request {
(11056)           EXPAND %{1}
(11056)              --> mpdft
(11056)           &Stripped-User-Name := mpdft
(11056)           EXPAND %{3}
(11056)              -->
(11056)           &Stripped-User-Domain =
(11056)         } # update request = noop
(11056)         [updated] = updated
(11056)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11056)       ... skipping else: Preceding "if" was taken
(11056)     } # policy split_username_nai = updated
(11056)     [preprocess] = ok
(11056) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11056) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11056) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11056) auth_log: EXPAND %t
(11056) auth_log:    --> Wed Jun 24 15:00:27 2020
(11056)     [auth_log] = ok
(11056)     [chap] = noop
(11056)     [mschap] = noop
(11056)     [digest] = noop
(11056) suffix: Checking for suffix after "@"
(11056) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11056) suffix: No such realm "NULL"
(11056)     [suffix] = noop
(11056) eap: Peer sent EAP Response (code 2) ID 8 length 37
(11056) eap: Continuing tunnel setup
(11056)     [eap] = ok
(11056)   } # authorize = ok
(11056) Found Auth-Type = eap
(11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11056)   authenticate {
(11056) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11056) eap: Finished EAP session with state 0xbb52a0a1bc5ab9af
(11056) eap: Previous EAP request found for state 0xbb52a0a1bc5ab9af, released from the list
(11056) eap: Peer sent packet with method EAP PEAP (25)
(11056) eap: Calling submodule eap_peap to process data
(11056) eap_peap: Continuing EAP-TLS
(11056) eap_peap: [eaptls verify] = ok
(11056) eap_peap: Done initial handshake
(11056) eap_peap: [eaptls process] = ok
(11056) eap_peap: Session established.  Decoding tunneled attributes
(11056) eap_peap: PEAP state phase2
(11056) eap_peap: EAP method MSCHAPv2 (26)
(11056) eap_peap: Got tunneled request
(11056) eap_peap:   EAP-Message = 0x020800061a03
(11056) eap_peap: Setting User-Name to denisson.magalhaes
(11056) eap_peap: Sending tunneled request to inner-tunnel
(11056) eap_peap:   EAP-Message = 0x020800061a03
(11056) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(11056) eap_peap:   User-Name = "denisson.magalhaes"
(11056) eap_peap:   State = 0x42859db4438d87cc3b9481c4f9ea1542
(11056) Virtual server inner-tunnel received request
(11056)   EAP-Message = 0x020800061a03
(11056)   FreeRADIUS-Proxied-To = 127.0.0.1
(11056)   User-Name = "denisson.magalhaes"
(11056)   State = 0x42859db4438d87cc3b9481c4f9ea1542
(11056) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(11056) server inner-tunnel {
(11056)   session-state: No cached attributes
(11056)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056)     authorize {
(11056)       policy filter_username {
(11056)         if (&User-Name) {
(11056)         if (&User-Name)  -> TRUE
(11056)         if (&User-Name)  {
(11056)           if (&User-Name != "%{tolower:%{User-Name}}") {
(11056)           EXPAND %{tolower:%{User-Name}}
(11056)              --> denisson.magalhaes
(11056)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11056)           if (&User-Name =~ /\// ) {
(11056)           if (&User-Name =~ /\// )  -> FALSE
(11056)           if (&User-Name =~ / /) {
(11056)           if (&User-Name =~ / /)  -> FALSE
(11056)           if (&User-Name =~ /@[^@]*@/ ) {
(11056)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11056)           if (&User-Name =~ /\.\./ ) {
(11056)           if (&User-Name =~ /\.\./ )  -> FALSE
(11056)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11056)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11056)           if (&User-Name =~ /\.$/)  {
(11056)           if (&User-Name =~ /\.$/)   -> FALSE
(11056)           if (&User-Name =~ /@\./)  {
(11056)           if (&User-Name =~ /@\./)   -> FALSE
(11056)         } # if (&User-Name)  = notfound
(11056)       } # policy filter_username = notfound
(11056)       policy split_username_nai {
(11056)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11056)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11056)         if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11056)           update request {
(11056)             EXPAND %{1}
(11056)                --> denisson.magalhaes
(11056)             &Stripped-User-Name := denisson.magalhaes
(11056)             EXPAND %{3}
(11056)                -->
(11056)             &Stripped-User-Domain =
(11056)           } # update request = noop
(11056)           [updated] = updated
(11056)         } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11056)         ... skipping else: Preceding "if" was taken
(11056)       } # policy split_username_nai = updated
(11056)       [chap] = noop
(11056)       [mschap] = noop
(11056) suffix: Checking for suffix after "@"
(11056) suffix: No '@' in User-Name = "denisson.magalhaes", looking up realm NULL
(11056) suffix: No such realm "NULL"
(11056)       [suffix] = noop
(11056)       update control {
(11056)         &Proxy-To-Realm := LOCAL
(11056)       } # update control = noop
(11056) eap: Peer sent EAP Response (code 2) ID 8 length 6
(11056) eap: No EAP Start, assuming it's an on-going EAP conversation
(11056)       [eap] = updated
(11056) files: users: Matched entry DEFAULT at line 90
(11056)       [files] = ok
(11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11056) sql:    --> denisson.magalhaes
(11056) sql: SQL-User-Name set to 'denisson.magalhaes'
(11056) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(11056) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11056) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'denisson.magalhaes' ORDER BY id
(11056) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(11056) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11056) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='denisson.magalhaes' ORDER BY priority
(11056) sql: User not found in any groups
(11056)       [sql] = notfound
(11056)       [expiration] = noop
(11056)       [logintime] = noop
(11056)       [pap] = noop
(11056)     } # authorize = updated
(11056)   Found Auth-Type = eap
(11056)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056)     authenticate {
(11056) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11056) eap: Finished EAP session with state 0x42859db4438d87cc
(11056) eap: Previous EAP request found for state 0x42859db4438d87cc, released from the list
(11056) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(11056) eap: Calling submodule eap_mschapv2 to process data
(11056) eap: Sending EAP Success (code 3) ID 8 length 4
(11056) eap: Freeing handler
(11056)       [eap] = ok
(11056)     } # authenticate = ok
(11056)   # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056)     session {
(11056) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11056) sql:    --> denisson.magalhaes
(11056) sql: SQL-User-Name set to 'denisson.magalhaes'
(11056) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(11056) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11056) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='denisson.magalhaes' AND CallingStationId<>'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11056)       [sql] = ok
(11056)     } # session = ok
(11056)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(11056)     post-auth {
(11056) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(11056) reply_log:    --> /var/log/freeradius/radacct/10.34.27.220/reply-detail
(11056) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.27.220/reply-detail
(11056) reply_log: EXPAND %t
(11056) reply_log:    --> Wed Jun 24 15:00:27 2020
(11056)       [reply_log] = ok
(11056)       update outer.session-state {
(11056)         User-Name := &request:User-Name -> 'denisson.magalhaes'
(11056)       } # update outer.session-state = noop
(11056)     } # post-auth = ok
(11056)   Login OK: [denisson.magalhaes] (from client AP-SD1-A07-Q01 port 0 via TLS tunnel)
(11056) } # server inner-tunnel
(11056) Virtual server sending reply
(11056)   Idle-Timeout = 300
(11056)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056)   MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056)   MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056)   EAP-Message = 0x03080004
(11056)   Message-Authenticator = 0x00000000000000000000000000000000
(11056)   Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Got tunneled reply code 2
(11056) eap_peap:   Idle-Timeout = 300
(11056) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056) eap_peap:   MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056) eap_peap:   MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056) eap_peap:   EAP-Message = 0x03080004
(11056) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11056) eap_peap:   Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Got tunneled reply RADIUS code 2
(11056) eap_peap:   Idle-Timeout = 300
(11056) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(11056) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(11056) eap_peap:   MS-MPPE-Send-Key = 0x6e195124f599fe1fae1ed036f5c66547
(11056) eap_peap:   MS-MPPE-Recv-Key = 0x1595c5858cee7d4fefedf94fa1423200
(11056) eap_peap:   EAP-Message = 0x03080004
(11056) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(11056) eap_peap:   Stripped-User-Name := "denisson.magalhaes"
(11056) eap_peap: Tunneled authentication was successful
(11056) eap_peap: SUCCESS
(11056) eap: Sending EAP Request (code 1) ID 9 length 46
(11056) eap: EAP session adding &reply:State = 0xbb52a0a1b35bb9af
(11056)     [eap] = handled
(11056)   } # authenticate = handled
(11056) Using Post-Auth-Type Challenge
(11056) Post-Auth-Type sub-section not found.  Ignoring.
(11056) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11056) session-state: Saving cached attributes
(11056)   User-Name := "denisson.magalhaes"
(11056) Sent Access-Challenge Id 147 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11056)   EAP-Message = 0x0109002e190017030300238995cd8a7649265810e5b3e27abcad75ff296090e62e67146c82208d190ceeacb5d460
(11056)   Message-Authenticator = 0x00000000000000000000000000000000
(11056)   State = 0xbb52a0a1b35bb9afa6d420c8f1230505
(11056) Finished request
(11057) Received Access-Request Id 148 from 10.34.27.220:3489 to 10.34.242.3:1812 length 203
(11057)   User-Name = "mpdft"
(11057)   NAS-IP-Address = 10.34.27.220
(11057)   NAS-Port = 2
(11057)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11057)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11057)   Framed-MTU = 1400
(11057)   NAS-Port-Type = Wireless-802.11
(11057)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11057)   EAP-Message = 0x0209002e1900170303002300000000000000042a5735c1019043f4750eb742ccd3d54f92363af7bf12b2cdada0db
(11057)   State = 0xbb52a0a1b35bb9afa6d420c8f1230505
(11057)   Message-Authenticator = 0xb335bdc2af14c15b83e0f5d023601714
(11057) Restoring &session-state
(11057)   &session-state:User-Name := "denisson.magalhaes"
(11057) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(11057)   authorize {
(11057)     policy filter_username {
(11057)       if (&User-Name) {
(11057)       if (&User-Name)  -> TRUE
(11057)       if (&User-Name)  {
(11057)         if (&User-Name != "%{tolower:%{User-Name}}") {
(11057)         EXPAND %{tolower:%{User-Name}}
(11057)            --> mpdft
(11057)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(11057)         if (&User-Name =~ /\// ) {
(11057)         if (&User-Name =~ /\// )  -> FALSE
(11057)         if (&User-Name =~ / /) {
(11057)         if (&User-Name =~ / /)  -> FALSE
(11057)         if (&User-Name =~ /@[^@]*@/ ) {
(11057)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11057)         if (&User-Name =~ /\.\./ ) {
(11057)         if (&User-Name =~ /\.\./ )  -> FALSE
(11057)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11057)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11057)         if (&User-Name =~ /\.$/)  {
(11057)         if (&User-Name =~ /\.$/)   -> FALSE
(11057)         if (&User-Name =~ /@\./)  {
(11057)         if (&User-Name =~ /@\./)   -> FALSE
(11057)       } # if (&User-Name)  = notfound
(11057)     } # policy filter_username = notfound
(11057)     policy split_username_nai {
(11057)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11057)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11057)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11057)         update request {
(11057)           EXPAND %{1}
(11057)              --> mpdft
(11057)           &Stripped-User-Name := mpdft
(11057)           EXPAND %{3}
(11057)              -->
(11057)           &Stripped-User-Domain =
(11057)         } # update request = noop
(11057)         [updated] = updated
(11057)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11057)       ... skipping else: Preceding "if" was taken
(11057)     } # policy split_username_nai = updated
(11057)     [preprocess] = ok
(11057) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(11057) auth_log:    --> /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11057) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.27.220/auth-detail
(11057) auth_log: EXPAND %t
(11057) auth_log:    --> Wed Jun 24 15:00:27 2020
(11057)     [auth_log] = ok
(11057)     [chap] = noop
(11057)     [mschap] = noop
(11057)     [digest] = noop
(11057) suffix: Checking for suffix after "@"
(11057) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11057) suffix: No such realm "NULL"
(11057)     [suffix] = noop
(11057) eap: Peer sent EAP Response (code 2) ID 9 length 46
(11057) eap: Continuing tunnel setup
(11057)     [eap] = ok
(11057)   } # authorize = ok
(11057) Found Auth-Type = eap
(11057) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(11057)   authenticate {
(11057) eap: Expiring EAP session with state 0x663165b2651a7c1c
(11057) eap: Finished EAP session with state 0xbb52a0a1b35bb9af
(11057) eap: Previous EAP request found for state 0xbb52a0a1b35bb9af, released from the list
(11057) eap: Peer sent packet with method EAP PEAP (25)
(11057) eap: Calling submodule eap_peap to process data
(11057) eap_peap: Continuing EAP-TLS
(11057) eap_peap: [eaptls verify] = ok
(11057) eap_peap: Done initial handshake
(11057) eap_peap: [eaptls process] = ok
(11057) eap_peap: Session established.  Decoding tunneled attributes
(11057) eap_peap: PEAP state send tlv success
(11057) eap_peap: Received EAP-TLV response
(11057) eap_peap: Success
(11057) eap: Sending EAP Success (code 3) ID 9 length 4
(11057) eap: Freeing handler
(11057)     [eap] = ok
(11057)   } # authenticate = ok
(11057) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(11057)   post-auth {
(11057)     update {
(11057)       &reply::User-Name += &session-state:User-Name[*] -> 'denisson.magalhaes'
(11057)     } # update = noop
(11057) sql: EXPAND .query
(11057) sql:    --> .query
(11057) sql: Using query template 'query'
(11057) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11057) sql:    --> mpdft
(11057) sql: SQL-User-Name set to 'mpdft'
(11057) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{SQL-User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{%{integer:Event-Timestamp}:-NOW()}))
(11057) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627))
(11057) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('mpdft', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', TO_TIMESTAMP(1593021627))
(11057) sql: SQL query returned: success
(11057) sql: 1 record(s) updated
(11057)     [sql] = ok
(11057)     [exec] = noop
(11057)     policy remove_reply_message_if_eap {
(11057)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11057)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11057)       else {
(11057)         [noop] = noop
(11057)       } # else = noop
(11057)     } # policy remove_reply_message_if_eap = noop
(11057)   } # post-auth = ok
(11057) Login OK: [mpdft] (from client AP-SD1-A07-Q01 port 2 cli A8-16-D0-C6-45-D3)
(11057) Sent Access-Accept Id 148 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
(11057)   MS-MPPE-Recv-Key = 0xbafc3f0b8b2ee70c827cea2182df7129b67364884f6e0fa5221f8dbbd5ce911c
(11057)   MS-MPPE-Send-Key = 0x70a6a9086da56a737960ddfdc624c60cd5cbcf5de4e547b0691b74df50815224
(11057)   EAP-Message = 0x03090004
(11057)   Message-Authenticator = 0x00000000000000000000000000000000
(11057)   User-Name += "denisson.magalhaes"
(11057) Finished request
(11058) Received Accounting-Request Id 149 from 10.34.27.220:3491 to 10.34.242.3:1813 length 144
(11058)   Acct-Session-Id = "38D550D0-00000013"
(11058)   Acct-Status-Type = Start
(11058)   Acct-Authentic = RADIUS
(11058)   User-Name = "mpdft"
(11058)   NAS-IP-Address = 10.34.27.220
(11058)   NAS-Port = 2
(11058)   Called-Station-Id = "5C-D9-98-14-22-88:MPDFT"
(11058)   Calling-Station-Id = "A8-16-D0-C6-45-D3"
(11058)   NAS-Port-Type = Wireless-802.11
(11058)   Connect-Info = "CONNECT 54Mbps 802.11g"
(11058) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(11058)   preacct {
(11058)     [preprocess] = ok
(11058)     policy split_username_nai {
(11058)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(11058)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(11058)       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(11058)         update request {
(11058)           EXPAND %{1}
(11058)              --> mpdft
(11058)           &Stripped-User-Name := mpdft
(11058)           EXPAND %{3}
(11058)              -->
(11058)           &Stripped-User-Domain =
(11058)         } # update request = noop
(11058)         [updated] = updated
(11058)       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(11058)       ... skipping else: Preceding "if" was taken
(11058)     } # policy split_username_nai = updated
(11058)     update request {
(11058)       EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(11058)          --> 1593021627
(11058)       FreeRADIUS-Acct-Session-Start-Time = Jun 24 2020 15:00:27 -03
(11058)     } # update request = noop
(11058)     policy acct_unique {
(11058)       update request {
(11058)         Tmp-String-9 := "ai:"
(11058)       } # update request = noop
(11058)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11058)       EXPAND %{hex:&Class}
(11058)          -->
(11058)       EXPAND ^%{hex:&Tmp-String-9}
(11058)          --> ^61693a
(11058)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(11058)       else {
(11058)         update request {
(11058)           EXPAND %{Acct-Session-ID}
(11058)              --> 38D550D0-00000013
(11058)           &Acct-Unique-Session-Id := 38D550D0-00000013
(11058)           EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(11058)              --> mpdft
(11058)           &Acct-Unique-Session-Id := mpdft
(11058)           EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}}
(11058)              --> 1c92c41b581f7829c15ebabed38f906d
(11058)           &Acct-Unique-Session-Id := 1c92c41b581f7829c15ebabed38f906d
(11058)         } # update request = noop
(11058)       } # else = noop
(11058)     } # policy acct_unique = noop
(11058) suffix: Checking for suffix after "@"
(11058) suffix: No '@' in User-Name = "mpdft", looking up realm NULL
(11058) suffix: No such realm "NULL"
(11058)     [suffix] = noop
(11058) files: acct_users: Matched entry DEFAULT at line 22
(11058) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(11058) files:    --> mpdft
(11058)     [files] = ok
(11058)   } # preacct = updated
(11058) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(11058)   accounting {
(11058) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(11058) log_accounting:    --> Accounting-Request.Start
(11058) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(11058) log_accounting:    --> Wed, 24-06-2020 15:00:27 Connect: [mpdft] (did 5C-D9-98-14-22-88:MPDFT cli A8-16-D0-C6-45-D3 port 2 ip )
(11058) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(11058) log_accounting:    --> /var/log/freeradius/linelog-accounting
(11058)     [log_accounting] = ok
(11058) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(11058) sql:    --> type.start.query
(11058) sql: Using query template 'query'
(11058) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11058) sql:    --> mpdft
(11058) sql: SQL-User-Name set to 'mpdft'
(11058) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(11058) sql:    --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet)
(11058) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38D550D0-00000013', '1c92c41b581f7829c15ebabed38f906d', 'mpdft', NULLIF('', ''), '10.34.27.220', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593021627), TO_TIMESTAMP(1593021627), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-22-88:MPDFT', 'A8-16-D0-C6-45-D3', NULL, '', '', NULLIF('', '')::inet)
(11058) sql: SQL query returned: success
(11058) sql: 1 record(s) updated
(11058)     [sql] = ok
(11058)     if (&request:Acct-Status-Type == start) {
(11058)     if (&request:Acct-Status-Type == start)  -> TRUE
(11058)     if (&request:Acct-Status-Type == start)  {
(11058)       EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(11058)          --> mpdft
(11058)       SQL-User-Name set to 'mpdft'
(11058)       Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1593021627), AcctUpdateTime = TO_TIMESTAMP(1593021627), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = 'mpdft' AND AcctUniqueId <> '1c92c41b581f7829c15ebabed38f906d' AND CallingStationId = 'A8-16-D0-C6-45-D3' AND AcctStopTime IS NULL
(11058)       SQL query affected no rows
(11058)       EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(11058)          -->
(11058)     } # if (&request:Acct-Status-Type == start)  = ok
(11058)     [exec] = noop
(11058) attr_filter.accounting_response: EXPAND %{User-Name}
(11058) attr_filter.accounting_response:    --> mpdft
(11058) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11058)     [attr_filter.accounting_response] = updated
(11058)   } # accounting = updated
(11058) Sent Accounting-Response Id 149 from 10.34.242.3:1813 to 10.34.27.220:3491 length 0
(11058) Finished request
(11058) Cleaning up request packet ID 149 with timestamp +2547
(11048) Cleaning up request packet ID 139 with timestamp +2547
(11049) Cleaning up request packet ID 140 with timestamp +2547
(11050) Cleaning up request packet ID 141 with timestamp +2547
(11051) Cleaning up request packet ID 142 with timestamp +2547
(11052) Cleaning up request packet ID 143 with timestamp +2547
(11053) Cleaning up request packet ID 144 with timestamp +2547
(11054) Cleaning up request packet ID 145 with timestamp +2547
(11055) Cleaning up request packet ID 146 with timestamp +2547
(11056) Cleaning up request packet ID 147 with timestamp +2547
(11057) Cleaning up request packet ID 148 with timestamp +2547


============== MY INNER-TUNNEL VS ============
root@vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/inner-tunnel | less

server inner-tunnel {
listen {
       ipaddr = 127.0.0.1
       port = 18120
       type = auth
}
authorize {
filter_username
split_username_nai
chap
mschap
suffix
update control {
&Proxy-To-Realm := LOCAL
}
eap {
ok = return
}
files
sql
-ldap
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
eap
}
session {
sql
}
post-auth {
reply_log
Post-Auth-Type REJECT {
attr_filter.access_reject
update outer.session-state {
&Module-Failure-Message := &request:Module-Failure-Message
}
}
update outer.session-state {
User-Name := &request:User-Name
}
}
pre-proxy {
pre_proxy_log
}
post-proxy {
filter_username
split_username_nai
post_proxy_log
eap
}




============== MY DEFAULT VS ============
root@vp2-seg-008:/var/log/freeradius# grep -vE "#|^$" /etc/freeradius/3.0/sites-enabled/default
server default {
listen {
type = auth
ipaddr = *
port = 0
limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
port = 0
limit {
      max_connections = 16
      lifetime = 0
      idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
split_username_nai
preprocess
auth_log
chap
mschap
digest
suffix
eap {
ok = return
}
files
sql
-ldap
expiration
logintime
if (ok) {
update control {
MS-CHAP-Use-NTLM-Auth := No
}
}
pap
}
authenticate {
        Auth-Type NTLM_AUTH {
                ntlm_auth
        }
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
eap
}
preacct {
preprocess
split_username_nai
update request {
  FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}"
}
acct_unique
suffix
files
}
accounting {
log_accounting
sql
if (&request:Acct-Status-Type == start) {
%{sql:UPDATE radacct \
SET \
AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \
AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), \
AcctTerminateCause = 'Stalled-session', \
ConnectInfo_stop = '%{Connect-Info}' \
WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' \
AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' \
AND CallingStationId = '%{Calling-Station-Id}' \
AND AcctStopTime IS NULL}
}
exec
attr_filter.accounting_response
Acct-Type Status-Server {
}
}
session {
sql
}
post-auth {
update {
&reply: += &session-state:
}
sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
}
pre-proxy {
}
post-proxy {
filter_username
split_username_nai
eap
}
}


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: RES: RES: How does CUI works? How does anonymous works? Im lost

Alan DeKok-2
On Jun 24, 2020, at 4:02 PM, Daniel Guimaraes Pena <[hidden email]> wrote:
> Talking to a user, I discovered how these outer users appear: configuring Android's anonymous identity (obvious, I know, but I never tried it)

  Why doesn't Google do the right thing by default <sigh>.  It's not like this was documented a decade ago.

> Well, as I can't force them to leave this field empty, I have to discover why these 0,1% are not working.
>
> Here are two logs: one working and one not working (at the bottom, if needed, my inner-tunnel and default site-enabled)

  There's no need to post working logs, or configuration files.  They don't help 99.9% of the time.

> ============== DEBUG FOR !!!!NOT WORKING!!!! PACKET ============
> ...
> (11057) Sent Access-Accept Id 148 from 10.34.242.3:1812 to 10.34.27.220:3489 length 0
> (11057)   MS-MPPE-Recv-Key = 0xbafc3f0b8b2ee70c827cea2182df7129b67364884f6e0fa5221f8dbbd5ce911c
> (11057)   MS-MPPE-Send-Key = 0x70a6a9086da56a737960ddfdc624c60cd5cbcf5de4e547b0691b74df50815224
> (11057)   EAP-Message = 0x03090004
> (11057)   Message-Authenticator = 0x00000000000000000000000000000000
> (11057)   User-Name += "denisson.magalhaes"

  That works.

> (11057) Finished request
> (11058) Received Accounting-Request Id 149 from 10.34.27.220:3491 to 10.34.242.3:1813 length 144
> (11058)   Acct-Session-Id = "38D550D0-00000013"
> (11058)   Acct-Status-Type = Start
> (11058)   Acct-Authentic = RADIUS
> (11058)   User-Name = "mpdft"

  The NAS is ignoring the request to use the User-Name from the Access-Accept.  Throw the NAS in the garbage and buy one that works.

  i.e. no amount of poking FreeRADIUS will make a broken NAS do the right thing.

  Alan DeKok.
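
The mismatch diagnosed in this reply (the Access-Accept carries the inner User-Name, but the NAS's Accounting Start still carries the outer identity) can be searched for across a whole debug capture. The Python below is an added example, not part of the original thread or of FreeRADIUS; it assumes the `radiusd -X` layout seen above, correlates packets on Calling-Station-Id, and its function names and sample log are constructed for illustration.

```python
import re
# Constructed `radiusd -X` excerpt in the layout shown in this thread; all values are made up.
SAMPLE_DEBUG = """\
(7) Received Access-Request Id 10 from 192.0.2.10:3489 to 192.0.2.1:1812 length 210
(7)   User-Name = "anon-4711"
(7)   Calling-Station-Id = "02-00-00-00-00-01"
(7) Sent Access-Accept Id 10 from 192.0.2.1:1812 to 192.0.2.10:3489 length 0
(7)   User-Name += "alice"
(8) Received Accounting-Request Id 11 from 192.0.2.10:3491 to 192.0.2.1:1813 length 144
(8)   Acct-Status-Type = Start
(8)   User-Name = "anon-4711"
(8)   Calling-Station-Id = "02-00-00-00-00-01"
(9) Received Access-Request Id 12 from 192.0.2.11:3489 to 192.0.2.1:1812 length 205
(9)   Calling-Station-Id = "02-00-00-00-00-02"
(9) Sent Access-Accept Id 12 from 192.0.2.1:1812 to 192.0.2.11:3489 length 0
(9)   User-Name += "bob"
(10) Received Accounting-Request Id 13 from 192.0.2.11:3491 to 192.0.2.1:1813 length 140
(10)   Acct-Status-Type = Start
(10)   User-Name = "bob"
(10)   Calling-Station-Id = "02-00-00-00-00-02"
"""

PACKET = re.compile(r'^\((\d+)\) (?:Received|Sent) (\S+) Id \d+ ')
# Packet attributes are printed with exactly three spaces of indent; module output is deeper.
ATTR = re.compile(r'^\((\d+)\) {3}([\w-]+) \+?= (.*)$')

def parse_packets(text):
    packets = []  # [(request_no, packet_type, {attribute: value})]
    for line in text.splitlines():
        head, attr = PACKET.match(line), ATTR.match(line)
        if head:
            packets.append((head[1], head[2], {}))
        elif attr and packets and packets[-1][0] == attr[1]:
            packets[-1][2][attr[2]] = attr[3].strip('"')
    return packets

def find_ignored_usernames(text):
    """List (station, name sent in Access-Accept, name seen in Accounting Start) mismatches."""
    station_of, accepted, findings = {}, {}, []
    for req, ptype, a in parse_packets(text):
        station = a.get("Calling-Station-Id")
        if ptype == "Access-Request":
            station_of[req] = station  # the Accept for this request number belongs to it
        elif ptype == "Access-Accept" and station_of.get(req) and "User-Name" in a:
            accepted[station_of[req]] = a["User-Name"]
        elif ptype == "Accounting-Request" and a.get("Acct-Status-Type") == "Start":
            want = accepted.get(station)
            if want and a.get("User-Name") != want:
                findings.append((station, want, a.get("User-Name")))
    return findings
```

Each finding is a session whose accounting records are filed under the outer identity, which is the condition that keeps per-user accounting and session checks from lining up with the authenticated name.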


