How to disable machine authentication

daniel.pena
Is it possible?

I tried in the users file:
#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."
#
DEFAULT Group == "Domain Computers", Auth-Type := Reject
                Reply-Message = "Autenticacao de maquinas desabilitada."

DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
                Reply-Message = "Autenticacao de contas de servico desabilitada."

Domain Computers doesn't work. TodasContasEspeciais works fine.

This entry here works fine too:
DEFAULT         Group == "domain users", Simultaneous-Use := 2
                Idle-Timeout := 300,
                Fall-Through = Yes



Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)

(83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(83533)   User-Name = "host/n65144.mpdft.gov.br"
(83533)   NAS-IP-Address = 10.34.177.220
(83533)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83533)   NAS-Port-Id = "00000001"
(83533)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83533)   NAS-Port-Type = Wireless-802.11
(83533)   Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83533)   Service-Type = Framed-User
(83533)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83533)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83533)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83533)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83533)   WLAN-Pairwise-Cipher = 1027076
(83533)   WLAN-Group-Cipher = 1027076
(83533)   WLAN-AKM-Suite = 1027073
(83533)   Framed-MTU = 1400
(83533)   EAP-Message = 0x02bf001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83533)   Message-Authenticator = 0x7c8882b39ec98c99e1110bdf525b977f
(83533) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83533)   authorize {
(83533)     policy filter_username {
(83533)       if (&User-Name) {
(83533)       if (&User-Name)  -> TRUE
(83533)       if (&User-Name)  {
(83533)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83533)         EXPAND %{tolower:%{User-Name}}
(83533)            --> host/n65144.mpdft.gov.br
(83533)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83533)         if (&User-Name =~ / /) {
(83533)         if (&User-Name =~ / /)  -> FALSE
(83533)         if (&User-Name =~ /@[^@]*@/ ) {
(83533)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83533)         if (&User-Name =~ /\.\./ ) {
(83533)         if (&User-Name =~ /\.\./ )  -> FALSE
(83533)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83533)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83533)         if (&User-Name =~ /\.$/)  {
(83533)         if (&User-Name =~ /\.$/)   -> FALSE
(83533)         if (&User-Name =~ /@\./)  {
(83533)         if (&User-Name =~ /@\./)   -> FALSE
(83533)       } # if (&User-Name)  = notfound
(83533)     } # policy filter_username = notfound
(83533)     [preprocess] = ok
(83533) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83533) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83533) auth_log: EXPAND %t
(83533) auth_log:    --> Tue Jun 23 13:47:25 2020
(83533)     [auth_log] = ok
(83533)     [chap] = noop
(83533)     [mschap] = noop
(83533)     [digest] = noop
(83533) suffix: Checking for suffix after "@"
(83533) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83533) suffix: No such realm "NULL"
(83533)     [suffix] = noop
(83533) eap: Peer sent EAP Response (code 2) ID 191 length 29
(83533) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83533)     [eap] = ok
(83533)   } # authorize = ok
(83533) Found Auth-Type = eap
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533)   authenticate {
(83533) eap: Peer sent packet with method EAP Identity (1)
(83533) eap: Calling submodule eap_md5 to process data
(83533) eap_md5: Issuing MD5 Challenge
(83533) eap: Sending EAP Request (code 1) ID 192 length 22
(83533) eap: EAP session adding &reply:State = 0x592274a559e270cf
(83533)     [eap] = handled
(83533)   } # authenticate = handled
(83533) Using Post-Auth-Type Challenge
(83533) Post-Auth-Type sub-section not found.  Ignoring.
(83533) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83533) Sent Access-Challenge Id 116 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83533)   EAP-Message = 0x01c00016041005768a2deba77dd47f9bb481032d785f
(83533)   Message-Authenticator = 0x00000000000000000000000000000000
(83533)   State = 0x592274a559e270cf5d11088ba56bbac4
(83533) Finished request
(83534) Received Access-Request Id 117 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83534)   User-Name = "host/n65144.mpdft.gov.br"
(83534)   NAS-IP-Address = 10.34.177.220
(83534)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83534)   NAS-Port-Id = "00000001"
(83534)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83534)   NAS-Port-Type = Wireless-802.11
(83534)   Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83534)   Service-Type = Framed-User
(83534)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83534)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83534)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83534)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83534)   WLAN-Pairwise-Cipher = 1027076
(83534)   WLAN-Group-Cipher = 1027076
(83534)   WLAN-AKM-Suite = 1027073
(83534)   Framed-MTU = 1400
(83534)   EAP-Message = 0x02c000060319
(83534)   State = 0x592274a559e270cf5d11088ba56bbac4
(83534)   Message-Authenticator = 0x255275434bb38a137ce44e1cdbbd154d
(83534) session-state: No cached attributes
(83534) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83534)   authorize {
(83534)     policy filter_username {
(83534)       if (&User-Name) {
(83534)       if (&User-Name)  -> TRUE
(83534)       if (&User-Name)  {
(83534)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83534)         EXPAND %{tolower:%{User-Name}}
(83534)            --> host/n65144.mpdft.gov.br
(83534)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83534)         if (&User-Name =~ / /) {
(83534)         if (&User-Name =~ / /)  -> FALSE
(83534)         if (&User-Name =~ /@[^@]*@/ ) {
(83534)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83534)         if (&User-Name =~ /\.\./ ) {
(83534)         if (&User-Name =~ /\.\./ )  -> FALSE
(83534)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83534)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83534)         if (&User-Name =~ /\.$/)  {
(83534)         if (&User-Name =~ /\.$/)   -> FALSE
(83534)         if (&User-Name =~ /@\./)  {
(83534)         if (&User-Name =~ /@\./)   -> FALSE
(83534)       } # if (&User-Name)  = notfound
(83534)     } # policy filter_username = notfound
(83534)     [preprocess] = ok
(83534) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83534) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83534) auth_log: EXPAND %t
(83534) auth_log:    --> Tue Jun 23 13:47:25 2020
(83534)     [auth_log] = ok
(83534)     [chap] = noop
(83534)     [mschap] = noop
(83534)     [digest] = noop
(83534) suffix: Checking for suffix after "@"
(83534) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83534) suffix: No such realm "NULL"
(83534)     [suffix] = noop
(83534) eap: Peer sent EAP Response (code 2) ID 192 length 6
(83534) eap: No EAP Start, assuming it's an on-going EAP conversation
(83534)     [eap] = updated
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534) files: Failed resolving UID: No error
(83534)     [files] = noop
(83534) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83534) sql:    --> host/n65144.mpdft.gov.br
(83534) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83534) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83534) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83534) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83534) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83534) sql: User not found in any groups
(83534)     [sql] = notfound
(83534)     [expiration] = noop
(83534)     [logintime] = noop
(83534)     if (ok) {
(83534)     if (ok)  -> FALSE
(83534) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(83534) pap: WARNING: Authentication will fail unless a "known good" password is available
(83534)     [pap] = noop
(83534)   } # authorize = updated
(83534) Found Auth-Type = eap
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534)   authenticate {
(83534) eap: Expiring EAP session with state 0x9017180393030136
(83534) eap: Finished EAP session with state 0x592274a559e270cf
(83534) eap: Previous EAP request found for state 0x592274a559e270cf, released from the list
(83534) eap: Peer sent packet with method EAP NAK (3)
(83534) eap: Found mutually acceptable type PEAP (25)
(83534) eap: Calling submodule eap_peap to process data
(83534) eap_peap: Initiating new EAP-TLS session
(83534) eap_peap: [eaptls start] = request
(83534) eap: Sending EAP Request (code 1) ID 193 length 6
(83534) eap: EAP session adding &reply:State = 0x592274a558e36dcf
(83534)     [eap] = handled
(83534)   } # authenticate = handled
(83534) Using Post-Auth-Type Challenge
(83534) Post-Auth-Type sub-section not found.  Ignoring.
(83534) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83534) Sent Access-Challenge Id 117 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83534)   EAP-Message = 0x01c100061920
(83534)   Message-Authenticator = 0x00000000000000000000000000000000
(83534)   State = 0x592274a558e36dcf5d11088ba56bbac4
(83534) Finished request
(83535) Received Access-Request Id 118 from 10.34.177.220:37268 to 10.34.242.3:1812 length 451
(83535)   User-Name = "host/n65144.mpdft.gov.br"
(83535)   NAS-IP-Address = 10.34.177.220
(83535)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83535)   NAS-Port-Id = "00000001"
(83535)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83535)   NAS-Port-Type = Wireless-802.11
(83535)   Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83535)   Service-Type = Framed-User
(83535)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83535)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83535)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83535)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83535)   WLAN-Pairwise-Cipher = 1027076
(83535)   WLAN-Group-Cipher = 1027076
(83535)   WLAN-AKM-Suite = 1027073
(83535)   Framed-MTU = 1400
(83535)   EAP-Message = 0x02c100a619800000009c16030300970100009303035ef232201f924dbda3d2ec6cfae7c1dd5d52c00d55fa1bc32d9736d6302f8c6c00002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(83535)   State = 0x592274a558e36dcf5d11088ba56bbac4
(83535)   Message-Authenticator = 0xe12affe4dba2b169cdc68ff635c36fb5
(83535) session-state: No cached attributes
(83535) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83535)   authorize {
(83535)     policy filter_username {
(83535)       if (&User-Name) {
(83535)       if (&User-Name)  -> TRUE
(83535)       if (&User-Name)  {
(83535)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83535)         EXPAND %{tolower:%{User-Name}}
(83535)            --> host/n65144.mpdft.gov.br
(83535)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83535)         if (&User-Name =~ / /) {
(83535)         if (&User-Name =~ / /)  -> FALSE
(83535)         if (&User-Name =~ /@[^@]*@/ ) {
(83535)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83535)         if (&User-Name =~ /\.\./ ) {
(83535)         if (&User-Name =~ /\.\./ )  -> FALSE
(83535)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83535)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83535)         if (&User-Name =~ /\.$/)  {
(83535)         if (&User-Name =~ /\.$/)   -> FALSE
(83535)         if (&User-Name =~ /@\./)  {
(83535)         if (&User-Name =~ /@\./)   -> FALSE
(83535)       } # if (&User-Name)  = notfound
(83535)     } # policy filter_username = notfound
(83535)     [preprocess] = ok
(83535) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83535) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83535) auth_log: EXPAND %t
(83535) auth_log:    --> Tue Jun 23 13:47:25 2020
(83535)     [auth_log] = ok
(83535)     [chap] = noop
(83535)     [mschap] = noop
(83535)     [digest] = noop
(83535) suffix: Checking for suffix after "@"
(83535) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83535) suffix: No such realm "NULL"
(83535)     [suffix] = noop
(83535) eap: Peer sent EAP Response (code 2) ID 193 length 166
(83535) eap: Continuing tunnel setup
(83535)     [eap] = ok
(83535)   } # authorize = ok
(83535) Found Auth-Type = eap
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535)   authenticate {
(83535) eap: Expiring EAP session with state 0x9017180393030136
(83535) eap: Finished EAP session with state 0x592274a558e36dcf
(83535) eap: Previous EAP request found for state 0x592274a558e36dcf, released from the list
(83535) eap: Peer sent packet with method EAP PEAP (25)
(83535) eap: Calling submodule eap_peap to process data
(83535) eap_peap: Continuing EAP-TLS
(83535) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(83535) eap_peap: Got complete TLS record (156 bytes)
(83535) eap_peap: [eaptls verify] = length included
(83535) eap_peap: (other): before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: TLS_accept: before SSL initialization
(83535) eap_peap: <<< recv TLS 1.2  [length 0097]
(83535) eap_peap: TLS_accept: SSLv3/TLS read client hello
(83535) eap_peap: >>> send TLS 1.2  [length 003d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server hello
(83535) eap_peap: >>> send TLS 1.2  [length 0309]
(83535) eap_peap: TLS_accept: SSLv3/TLS write certificate
(83535) eap_peap: >>> send TLS 1.2  [length 014d]
(83535) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(83535) eap_peap: >>> send TLS 1.2  [length 0004]
(83535) eap_peap: TLS_accept: SSLv3/TLS write server done
(83535) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(83535) eap_peap: In SSL Handshake Phase
(83535) eap_peap: In SSL Accept mode
(83535) eap_peap: [eaptls process] = handled
(83535) eap: Sending EAP Request (code 1) ID 194 length 1004
(83535) eap: EAP session adding &reply:State = 0x592274a55be06dcf
(83535)     [eap] = handled
(83535)   } # authenticate = handled
(83535) Using Post-Auth-Type Challenge
(83535) Post-Auth-Type sub-section not found.  Ignoring.
(83535) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83535) Sent Access-Challenge Id 118 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83535)   EAP-Message = 0x01c203ec19c0000004ab160303003d0200003903039308bda32e5a82ed478ea55a2e3b34d753ba6e340f36dcfffba42072b5d3038700c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(83535)   Message-Authenticator = 0x00000000000000000000000000000000
(83535)   State = 0x592274a55be06dcf5d11088ba56bbac4
(83535) Finished request
(83536) Received Access-Request Id 119 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83536)   User-Name = "host/n65144.mpdft.gov.br"
(83536)   NAS-IP-Address = 10.34.177.220
(83536)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83536)   NAS-Port-Id = "00000001"
(83536)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83536)   NAS-Port-Type = Wireless-802.11
(83536)   Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83536)   Service-Type = Framed-User
(83536)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83536)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83536)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83536)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83536)   WLAN-Pairwise-Cipher = 1027076
(83536)   WLAN-Group-Cipher = 1027076
(83536)   WLAN-AKM-Suite = 1027073
(83536)   Framed-MTU = 1400
(83536)   EAP-Message = 0x02c200061900
(83536)   State = 0x592274a55be06dcf5d11088ba56bbac4
(83536)   Message-Authenticator = 0x75aeeb98b14c048409007526e8333933
(83536) session-state: No cached attributes
(83536) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83536)   authorize {
(83536)     policy filter_username {
(83536)       if (&User-Name) {
(83536)       if (&User-Name)  -> TRUE
(83536)       if (&User-Name)  {
(83536)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83536)         EXPAND %{tolower:%{User-Name}}
(83536)            --> host/n65144.mpdft.gov.br
(83536)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83536)         if (&User-Name =~ / /) {
(83536)         if (&User-Name =~ / /)  -> FALSE
(83536)         if (&User-Name =~ /@[^@]*@/ ) {
(83536)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83536)         if (&User-Name =~ /\.\./ ) {
(83536)         if (&User-Name =~ /\.\./ )  -> FALSE
(83536)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83536)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83536)         if (&User-Name =~ /\.$/)  {
(83536)         if (&User-Name =~ /\.$/)   -> FALSE
(83536)         if (&User-Name =~ /@\./)  {
(83536)         if (&User-Name =~ /@\./)   -> FALSE
(83536)       } # if (&User-Name)  = notfound
(83536)     } # policy filter_username = notfound
(83536)     [preprocess] = ok
(83536) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83536) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83536) auth_log: EXPAND %t
(83536) auth_log:    --> Tue Jun 23 13:47:25 2020
(83536)     [auth_log] = ok
(83536)     [chap] = noop
(83536)     [mschap] = noop
(83536)     [digest] = noop
(83536) suffix: Checking for suffix after "@"
(83536) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83536) suffix: No such realm "NULL"
(83536)     [suffix] = noop
(83536) eap: Peer sent EAP Response (code 2) ID 194 length 6
(83536) eap: Continuing tunnel setup
(83536)     [eap] = ok
(83536)   } # authorize = ok
(83536) Found Auth-Type = eap
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536)   authenticate {
(83536) eap: Expiring EAP session with state 0x9017180393030136
(83536) eap: Finished EAP session with state 0x592274a55be06dcf
(83536) eap: Previous EAP request found for state 0x592274a55be06dcf, released from the list
(83536) eap: Peer sent packet with method EAP PEAP (25)
(83536) eap: Calling submodule eap_peap to process data
(83536) eap_peap: Continuing EAP-TLS
(83536) eap_peap: Peer ACKed our handshake fragment
(83536) eap_peap: [eaptls verify] = request
(83536) eap_peap: [eaptls process] = handled
(83536) eap: Sending EAP Request (code 1) ID 195 length 207
(83536) eap: EAP session adding &reply:State = 0x592274a55ae16dcf
(83536)     [eap] = handled
(83536)   } # authenticate = handled
(83536) Using Post-Auth-Type Challenge
(83536) Post-Auth-Type sub-section not found.  Ignoring.
(83536) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83536) Sent Access-Challenge Id 119 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83536)   EAP-Message = 0x01c300cf19003adad27975fdfa785ffac44ee108d8838b13e1123beab2b8798afd3e35cd995637b894ae0e18112d45144eba479ff30dc4e993ff3f295c8c064c8d46e7e064f5730fc35330cdfec07f886298dba50e9d2d2aaa6aac6198571a6155afbbdc35ebcd32d90dc658f48e3a273e031294d34abf
(83536)   Message-Authenticator = 0x00000000000000000000000000000000
(83536)   State = 0x592274a55ae16dcf5d11088ba56bbac4
(83536) Finished request
(83537) Received Access-Request Id 120 from 10.34.177.220:37268 to 10.34.242.3:1812 length 421
(83537)   User-Name = "host/n65144.mpdft.gov.br"
(83537)   NAS-IP-Address = 10.34.177.220
(83537)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83537)   NAS-Port-Id = "00000001"
(83537)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83537)   NAS-Port-Type = Wireless-802.11
(83537)   Event-Timestamp = "Jun 23 2020 13:47:23 -03"
(83537)   Service-Type = Framed-User
(83537)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83537)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83537)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83537)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83537)   WLAN-Pairwise-Cipher = 1027076
(83537)   WLAN-Group-Cipher = 1027076
(83537)   WLAN-AKM-Suite = 1027073
(83537)   Framed-MTU = 1400
(83537)   EAP-Message = 0x02c3008819800000007e1603030046100000424104ca73327a1aa86d548f1bab867288bf53e4bb907e877b520127d42986a20dc91111d47d38caadab01d14914ea7fecb7f982b3ad50f1706ca7ac7508604badfa501403030001011603030028000000000000000074fe6c972b1cbfe176c9161a99d6ee
(83537)   State = 0x592274a55ae16dcf5d11088ba56bbac4
(83537)   Message-Authenticator = 0x13188abc81665fe76a84d5ae53be2694
(83537) session-state: No cached attributes
(83537) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83537)   authorize {
(83537)     policy filter_username {
(83537)       if (&User-Name) {
(83537)       if (&User-Name)  -> TRUE
(83537)       if (&User-Name)  {
(83537)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83537)         EXPAND %{tolower:%{User-Name}}
(83537)            --> host/n65144.mpdft.gov.br
(83537)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83537)         if (&User-Name =~ / /) {
(83537)         if (&User-Name =~ / /)  -> FALSE
(83537)         if (&User-Name =~ /@[^@]*@/ ) {
(83537)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83537)         if (&User-Name =~ /\.\./ ) {
(83537)         if (&User-Name =~ /\.\./ )  -> FALSE
(83537)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83537)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83537)         if (&User-Name =~ /\.$/)  {
(83537)         if (&User-Name =~ /\.$/)   -> FALSE
(83537)         if (&User-Name =~ /@\./)  {
(83537)         if (&User-Name =~ /@\./)   -> FALSE
(83537)       } # if (&User-Name)  = notfound
(83537)     } # policy filter_username = notfound
(83537)     [preprocess] = ok
(83537) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83537) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83537) auth_log: EXPAND %t
(83537) auth_log:    --> Tue Jun 23 13:47:25 2020
(83537)     [auth_log] = ok
(83537)     [chap] = noop
(83537)     [mschap] = noop
(83537)     [digest] = noop
(83537) suffix: Checking for suffix after "@"
(83537) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83537) suffix: No such realm "NULL"
(83537)     [suffix] = noop
(83537) eap: Peer sent EAP Response (code 2) ID 195 length 136
(83537) eap: Continuing tunnel setup
(83537)     [eap] = ok
(83537)   } # authorize = ok
(83537) Found Auth-Type = eap
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537)   authenticate {
(83537) eap: Expiring EAP session with state 0x9017180393030136
(83537) eap: Finished EAP session with state 0x592274a55ae16dcf
(83537) eap: Previous EAP request found for state 0x592274a55ae16dcf, released from the list
(83537) eap: Peer sent packet with method EAP PEAP (25)
(83537) eap: Calling submodule eap_peap to process data
(83537) eap_peap: Continuing EAP-TLS
(83537) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(83537) eap_peap: Got complete TLS record (126 bytes)
(83537) eap_peap: [eaptls verify] = length included
(83537) eap_peap: TLS_accept: SSLv3/TLS write server done
(83537) eap_peap: <<< recv TLS 1.2  [length 0046]
(83537) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(83537) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(83537) eap_peap: <<< recv TLS 1.2  [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS read finished
(83537) eap_peap: >>> send TLS 1.2  [length 0001]
(83537) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(83537) eap_peap: >>> send TLS 1.2  [length 0010]
(83537) eap_peap: TLS_accept: SSLv3/TLS write finished
(83537) eap_peap: (other): SSL negotiation finished successfully
(83537) eap_peap: SSL Connection Established
(83537) eap_peap: [eaptls process] = handled
(83537) eap: Sending EAP Request (code 1) ID 196 length 57
(83537) eap: EAP session adding &reply:State = 0x592274a55de66dcf
(83537)     [eap] = handled
(83537)   } # authenticate = handled
(83537) Using Post-Auth-Type Challenge
(83537) Post-Auth-Type sub-section not found.  Ignoring.
(83537) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83537) Sent Access-Challenge Id 120 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83537)   EAP-Message = 0x01c4003919001403030001011603030028fb13cb712244c06c9b03a1b435796e337e52fd31841ccd87539254fce0bde1743fdf2c63be546af0
(83537)   Message-Authenticator = 0x00000000000000000000000000000000
(83537)   State = 0x592274a55de66dcf5d11088ba56bbac4
(83537) Finished request
(83538) Received Access-Request Id 121 from 10.34.177.220:37268 to 10.34.242.3:1812 length 291
(83538)   User-Name = "host/n65144.mpdft.gov.br"
(83538)   NAS-IP-Address = 10.34.177.220
(83538)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83538)   NAS-Port-Id = "00000001"
(83538)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83538)   NAS-Port-Type = Wireless-802.11
(83538)   Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83538)   Service-Type = Framed-User
(83538)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83538)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83538)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83538)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83538)   WLAN-Pairwise-Cipher = 1027076
(83538)   WLAN-Group-Cipher = 1027076
(83538)   WLAN-AKM-Suite = 1027073
(83538)   Framed-MTU = 1400
(83538)   EAP-Message = 0x02c400061900
(83538)   State = 0x592274a55de66dcf5d11088ba56bbac4
(83538)   Message-Authenticator = 0x039c283f11ffbfe1b00e0453467c8cea
(83538) session-state: No cached attributes
(83538) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83538)   authorize {
(83538)     policy filter_username {
(83538)       if (&User-Name) {
(83538)       if (&User-Name)  -> TRUE
(83538)       if (&User-Name)  {
(83538)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83538)         EXPAND %{tolower:%{User-Name}}
(83538)            --> host/n65144.mpdft.gov.br
(83538)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83538)         if (&User-Name =~ / /) {
(83538)         if (&User-Name =~ / /)  -> FALSE
(83538)         if (&User-Name =~ /@[^@]*@/ ) {
(83538)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83538)         if (&User-Name =~ /\.\./ ) {
(83538)         if (&User-Name =~ /\.\./ )  -> FALSE
(83538)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83538)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83538)         if (&User-Name =~ /\.$/)  {
(83538)         if (&User-Name =~ /\.$/)   -> FALSE
(83538)         if (&User-Name =~ /@\./)  {
(83538)         if (&User-Name =~ /@\./)   -> FALSE
(83538)       } # if (&User-Name)  = notfound
(83538)     } # policy filter_username = notfound
(83538)     [preprocess] = ok
(83538) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83538) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83538) auth_log: EXPAND %t
(83538) auth_log:    --> Tue Jun 23 13:47:25 2020
(83538)     [auth_log] = ok
(83538)     [chap] = noop
(83538)     [mschap] = noop
(83538)     [digest] = noop
(83538) suffix: Checking for suffix after "@"
(83538) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83538) suffix: No such realm "NULL"
(83538)     [suffix] = noop
(83538) eap: Peer sent EAP Response (code 2) ID 196 length 6
(83538) eap: Continuing tunnel setup
(83538)     [eap] = ok
(83538)   } # authorize = ok
(83538) Found Auth-Type = eap
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538)   authenticate {
(83538) eap: Expiring EAP session with state 0x9017180393030136
(83538) eap: Finished EAP session with state 0x592274a55de66dcf
(83538) eap: Previous EAP request found for state 0x592274a55de66dcf, released from the list
(83538) eap: Peer sent packet with method EAP PEAP (25)
(83538) eap: Calling submodule eap_peap to process data
(83538) eap_peap: Continuing EAP-TLS
(83538) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(83538) eap_peap: [eaptls verify] = success
(83538) eap_peap: [eaptls process] = success
(83538) eap_peap: Session established.  Decoding tunneled attributes
(83538) eap_peap: PEAP state TUNNEL ESTABLISHED
(83538) eap: Sending EAP Request (code 1) ID 197 length 40
(83538) eap: EAP session adding &reply:State = 0x592274a55ce76dcf
(83538)     [eap] = handled
(83538)   } # authenticate = handled
(83538) Using Post-Auth-Type Challenge
(83538) Post-Auth-Type sub-section not found.  Ignoring.
(83538) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83538) Sent Access-Challenge Id 121 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83538)   EAP-Message = 0x01c500281900170303001dfb13cb712244c06dd3b3319eda935797571c500deb4e259f6c76c7fd82
(83538)   Message-Authenticator = 0x00000000000000000000000000000000
(83538)   State = 0x592274a55ce76dcf5d11088ba56bbac4
(83538) Finished request
(83539) Received Access-Request Id 122 from 10.34.177.220:37268 to 10.34.242.3:1812 length 345
(83539)   User-Name = "host/n65144.mpdft.gov.br"
(83539)   NAS-IP-Address = 10.34.177.220
(83539)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83539)   NAS-Port-Id = "00000001"
(83539)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83539)   NAS-Port-Type = Wireless-802.11
(83539)   Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83539)   Service-Type = Framed-User
(83539)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83539)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83539)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83539)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83539)   WLAN-Pairwise-Cipher = 1027076
(83539)   WLAN-Group-Cipher = 1027076
(83539)   WLAN-AKM-Suite = 1027073
(83539)   Framed-MTU = 1400
(83539)   EAP-Message = 0x02c5003c1900170303003100000000000000019e684626cfe0b3f0d0437b3374b0ca4957085fe2da28a7496a052aa8648f75adddf043780ba025962c
(83539)   State = 0x592274a55ce76dcf5d11088ba56bbac4
(83539)   Message-Authenticator = 0xd669040d031f113bf06fc26177e7970f
(83539) session-state: No cached attributes
(83539) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83539)   authorize {
(83539)     policy filter_username {
(83539)       if (&User-Name) {
(83539)       if (&User-Name)  -> TRUE
(83539)       if (&User-Name)  {
(83539)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83539)         EXPAND %{tolower:%{User-Name}}
(83539)            --> host/n65144.mpdft.gov.br
(83539)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83539)         if (&User-Name =~ / /) {
(83539)         if (&User-Name =~ / /)  -> FALSE
(83539)         if (&User-Name =~ /@[^@]*@/ ) {
(83539)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83539)         if (&User-Name =~ /\.\./ ) {
(83539)         if (&User-Name =~ /\.\./ )  -> FALSE
(83539)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83539)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83539)         if (&User-Name =~ /\.$/)  {
(83539)         if (&User-Name =~ /\.$/)   -> FALSE
(83539)         if (&User-Name =~ /@\./)  {
(83539)         if (&User-Name =~ /@\./)   -> FALSE
(83539)       } # if (&User-Name)  = notfound
(83539)     } # policy filter_username = notfound
(83539)     [preprocess] = ok
(83539) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83539) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83539) auth_log: EXPAND %t
(83539) auth_log:    --> Tue Jun 23 13:47:25 2020
(83539)     [auth_log] = ok
(83539)     [chap] = noop
(83539)     [mschap] = noop
(83539)     [digest] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539)     [suffix] = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 60
(83539) eap: Continuing tunnel setup
(83539)     [eap] = ok
(83539)   } # authorize = ok
(83539) Found Auth-Type = eap
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539)   authenticate {
(83539) eap: Expiring EAP session with state 0x9017180393030136
(83539) eap: Finished EAP session with state 0x592274a55ce76dcf
(83539) eap: Previous EAP request found for state 0x592274a55ce76dcf, released from the list
(83539) eap: Peer sent packet with method EAP PEAP (25)
(83539) eap: Calling submodule eap_peap to process data
(83539) eap_peap: Continuing EAP-TLS
(83539) eap_peap: [eaptls verify] = ok
(83539) eap_peap: Done initial handshake
(83539) eap_peap: [eaptls process] = ok
(83539) eap_peap: Session established.  Decoding tunneled attributes
(83539) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(83539) eap_peap: Identity - host/n65144.mpdft.gov.br
(83539) eap_peap: Got inner identity 'host/n65144.mpdft.gov.br'
(83539) eap_peap: Setting default EAP type for tunneled EAP session
(83539) eap_peap: Got tunneled request
(83539) eap_peap:   EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83539) eap_peap: Sending tunneled request to inner-tunnel
(83539) eap_peap:   EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(83539) eap_peap:   User-Name = "host/n65144.mpdft.gov.br"
(83539) Virtual server inner-tunnel received request
(83539)   EAP-Message = 0x02c5001d01686f73742f6e36353134342e6d706466742e676f762e6272
(83539)   FreeRADIUS-Proxied-To = 127.0.0.1
(83539)   User-Name = "host/n65144.mpdft.gov.br"
(83539) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(83539) server inner-tunnel {
(83539)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539)     authorize {
(83539)       policy filter_username {
(83539)         if (&User-Name) {
(83539)         if (&User-Name)  -> TRUE
(83539)         if (&User-Name)  {
(83539)           if (&User-Name != "%{tolower:%{User-Name}}") {
(83539)           EXPAND %{tolower:%{User-Name}}
(83539)              --> host/n65144.mpdft.gov.br
(83539)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83539)           if (&User-Name =~ / /) {
(83539)           if (&User-Name =~ / /)  -> FALSE
(83539)           if (&User-Name =~ /@[^@]*@/ ) {
(83539)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83539)           if (&User-Name =~ /\.\./ ) {
(83539)           if (&User-Name =~ /\.\./ )  -> FALSE
(83539)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83539)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83539)           if (&User-Name =~ /\.$/)  {
(83539)           if (&User-Name =~ /\.$/)   -> FALSE
(83539)           if (&User-Name =~ /@\./)  {
(83539)           if (&User-Name =~ /@\./)   -> FALSE
(83539)         } # if (&User-Name)  = notfound
(83539)       } # policy filter_username = notfound
(83539)       [chap] = noop
(83539)       [mschap] = noop
(83539) suffix: Checking for suffix after "@"
(83539) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83539) suffix: No such realm "NULL"
(83539)       [suffix] = noop
(83539)       update control {
(83539)         &Proxy-To-Realm := LOCAL
(83539)       } # update control = noop
(83539) eap: Peer sent EAP Response (code 2) ID 197 length 29
(83539) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(83539)       [eap] = ok
(83539)     } # authorize = ok
(83539)   Found Auth-Type = eap
(83539)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83539)     authenticate {
(83539) eap: Peer sent packet with method EAP Identity (1)
(83539) eap: Calling submodule eap_mschapv2 to process data
(83539) eap_mschapv2: Issuing Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 43
(83539) eap: EAP session adding &reply:State = 0x3abf883e3a79928a
(83539)       [eap] = handled
(83539)     } # authenticate = handled
(83539) } # server inner-tunnel
(83539) Virtual server sending reply
(83539)   EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539)   Message-Authenticator = 0x00000000000000000000000000000000
(83539)   State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply code 11
(83539) eap_peap:   EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap:   State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled reply RADIUS code 11
(83539) eap_peap:   EAP-Message = 0x01c6002b1a01c6002610b9b128aa24ba92e070ab7c4b77a08adc667265657261646975732d332e302e3132
(83539) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83539) eap_peap:   State = 0x3abf883e3a79928a4508626b4c893c09
(83539) eap_peap: Got tunneled Access-Challenge
(83539) eap: Sending EAP Request (code 1) ID 198 length 74
(83539) eap: EAP session adding &reply:State = 0x592274a55fe46dcf
(83539)     [eap] = handled
(83539)   } # authenticate = handled
(83539) Using Post-Auth-Type Challenge
(83539) Post-Auth-Type sub-section not found.  Ignoring.
(83539) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83539) Sent Access-Challenge Id 122 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83539)   EAP-Message = 0x01c6004a1900170303003ffb13cb712244c06e54a5366995c39bdc1107aafc963bcbefefa5912d6b2b1ae5eb5108197757709c9aae011a2ddbf372662fc09dd88087fb1e9bb0f2978db4
(83539)   Message-Authenticator = 0x00000000000000000000000000000000
(83539)   State = 0x592274a55fe46dcf5d11088ba56bbac4
(83539) Finished request
(83540) Received Access-Request Id 123 from 10.34.177.220:37268 to 10.34.242.3:1812 length 399
(83540)   User-Name = "host/n65144.mpdft.gov.br"
(83540)   NAS-IP-Address = 10.34.177.220
(83540)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83540)   NAS-Port-Id = "00000001"
(83540)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83540)   NAS-Port-Type = Wireless-802.11
(83540)   Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83540)   Service-Type = Framed-User
(83540)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83540)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83540)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83540)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83540)   WLAN-Pairwise-Cipher = 1027076
(83540)   WLAN-Group-Cipher = 1027076
(83540)   WLAN-AKM-Suite = 1027073
(83540)   Framed-MTU = 1400
(83540)   EAP-Message = 0x02c600721900170303006700000000000000021552c7414a6fe33963587194385413497356adaccb7d04280027aee00ff540e05eed36464f01c0e63d44edf60788f9e825b052378b1c052d4cd743622358e5780eade74a4113b0ac7efc5a15f9a5af8688350db96638d52ca7c4b4b1645a0a
(83540)   State = 0x592274a55fe46dcf5d11088ba56bbac4
(83540)   Message-Authenticator = 0x66ccd547f1f593cdda006e7b27c1d398
(83540) session-state: No cached attributes
(83540) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83540)   authorize {
(83540)     policy filter_username {
(83540)       if (&User-Name) {
(83540)       if (&User-Name)  -> TRUE
(83540)       if (&User-Name)  {
(83540)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83540)         EXPAND %{tolower:%{User-Name}}
(83540)            --> host/n65144.mpdft.gov.br
(83540)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83540)         if (&User-Name =~ / /) {
(83540)         if (&User-Name =~ / /)  -> FALSE
(83540)         if (&User-Name =~ /@[^@]*@/ ) {
(83540)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83540)         if (&User-Name =~ /\.\./ ) {
(83540)         if (&User-Name =~ /\.\./ )  -> FALSE
(83540)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83540)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83540)         if (&User-Name =~ /\.$/)  {
(83540)         if (&User-Name =~ /\.$/)   -> FALSE
(83540)         if (&User-Name =~ /@\./)  {
(83540)         if (&User-Name =~ /@\./)   -> FALSE
(83540)       } # if (&User-Name)  = notfound
(83540)     } # policy filter_username = notfound
(83540)     [preprocess] = ok
(83540) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83540) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83540) auth_log: EXPAND %t
(83540) auth_log:    --> Tue Jun 23 13:47:25 2020
(83540)     [auth_log] = ok
(83540)     [chap] = noop
(83540)     [mschap] = noop
(83540)     [digest] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540)     [suffix] = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 114
(83540) eap: Continuing tunnel setup
(83540)     [eap] = ok
(83540)   } # authorize = ok
(83540) Found Auth-Type = eap
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540)   authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x592274a55fe46dcf
(83540) eap: Previous EAP request found for state 0x592274a55fe46dcf, released from the list
(83540) eap: Peer sent packet with method EAP PEAP (25)
(83540) eap: Calling submodule eap_peap to process data
(83540) eap_peap: Continuing EAP-TLS
(83540) eap_peap: [eaptls verify] = ok
(83540) eap_peap: Done initial handshake
(83540) eap_peap: [eaptls process] = ok
(83540) eap_peap: Session established.  Decoding tunneled attributes
(83540) eap_peap: PEAP state phase2
(83540) eap_peap: EAP method MSCHAPv2 (26)
(83540) eap_peap: Got tunneled request
(83540) eap_peap:   EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83540) eap_peap: Sending tunneled request to inner-tunnel
(83540) eap_peap:   EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(83540) eap_peap:   User-Name = "host/n65144.mpdft.gov.br"
(83540) eap_peap:   State = 0x3abf883e3a79928a4508626b4c893c09
(83540) Virtual server inner-tunnel received request
(83540)   EAP-Message = 0x02c600531a02c6004e31c12986135e032396fdb381d88618e8910000000000000000cf211f820ab47b827144a503af38f8e1156b1bd0a4c0abf100686f73742f6e36353134342e6d706466742e676f762e6272
(83540)   FreeRADIUS-Proxied-To = 127.0.0.1
(83540)   User-Name = "host/n65144.mpdft.gov.br"
(83540)   State = 0x3abf883e3a79928a4508626b4c893c09
(83540) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(83540) server inner-tunnel {
(83540)   session-state: No cached attributes
(83540)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540)     authorize {
(83540)       policy filter_username {
(83540)         if (&User-Name) {
(83540)         if (&User-Name)  -> TRUE
(83540)         if (&User-Name)  {
(83540)           if (&User-Name != "%{tolower:%{User-Name}}") {
(83540)           EXPAND %{tolower:%{User-Name}}
(83540)              --> host/n65144.mpdft.gov.br
(83540)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83540)           if (&User-Name =~ / /) {
(83540)           if (&User-Name =~ / /)  -> FALSE
(83540)           if (&User-Name =~ /@[^@]*@/ ) {
(83540)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83540)           if (&User-Name =~ /\.\./ ) {
(83540)           if (&User-Name =~ /\.\./ )  -> FALSE
(83540)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83540)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83540)           if (&User-Name =~ /\.$/)  {
(83540)           if (&User-Name =~ /\.$/)   -> FALSE
(83540)           if (&User-Name =~ /@\./)  {
(83540)           if (&User-Name =~ /@\./)   -> FALSE
(83540)         } # if (&User-Name)  = notfound
(83540)       } # policy filter_username = notfound
(83540)       [chap] = noop
(83540)       [mschap] = noop
(83540) suffix: Checking for suffix after "@"
(83540) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83540) suffix: No such realm "NULL"
(83540)       [suffix] = noop
(83540)       update control {
(83540)         &Proxy-To-Realm := LOCAL
(83540)       } # update control = noop
(83540) eap: Peer sent EAP Response (code 2) ID 198 length 83
(83540) eap: No EAP Start, assuming it's an on-going EAP conversation
(83540)       [eap] = updated
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540) files: Failed resolving UID: No error
(83540)       [files] = noop
(83540) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83540) sql:    --> host/n65144.mpdft.gov.br
(83540) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83540) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83540) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83540) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83540) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83540) sql: User not found in any groups
(83540)       [sql] = notfound
(83540)       [expiration] = noop
(83540)       [logintime] = noop
(83540)       [pap] = noop
(83540)     } # authorize = updated
(83540)   Found Auth-Type = eap
(83540)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540)     authenticate {
(83540) eap: Expiring EAP session with state 0x9017180393030136
(83540) eap: Finished EAP session with state 0x3abf883e3a79928a
(83540) eap: Previous EAP request found for state 0x3abf883e3a79928a, released from the list
(83540) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83540) eap: Calling submodule eap_mschapv2 to process data
(83540) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83540) eap_mschapv2:   authenticate {
(83540) mschap: Creating challenge hash with username: host/n65144.mpdft.gov.br
(83540) mschap: Client is using MS-CHAPv2
(83540) mschap: EXPAND %{mschap:User-Name}
(83540) mschap:    --> n65144$
(83540) mschap: EXPAND %{mschap:NT-Domain}
(83540) mschap:    --> mpdft
(83540) mschap: sending authentication request user='n65144$' domain='mpdft'
(83540) mschap: Authenticated successfully
(83540) mschap: Adding MS-CHAPv2 MPPE keys
(83540)     [mschap] = ok
(83540)   } # authenticate = ok
(83540) MSCHAP Success
(83540) eap: Sending EAP Request (code 1) ID 199 length 51
(83540) eap: EAP session adding &reply:State = 0x3abf883e3b78928a
(83540)       [eap] = handled
(83540)     } # authenticate = handled
(83540) } # server inner-tunnel
(83540) Virtual server sending reply
(83540)   EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540)   Message-Authenticator = 0x00000000000000000000000000000000
(83540)   State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply code 11
(83540) eap_peap:   EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap:   State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled reply RADIUS code 11
(83540) eap_peap:   EAP-Message = 0x01c700331a03c6002e533d31383637453133363631444632383631453734424233384633443336454339323045394531454541
(83540) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83540) eap_peap:   State = 0x3abf883e3b78928a4508626b4c893c09
(83540) eap_peap: Got tunneled Access-Challenge
(83540) eap: Sending EAP Request (code 1) ID 199 length 82
(83540) eap: EAP session adding &reply:State = 0x592274a55ee56dcf
(83540)     [eap] = handled
(83540)   } # authenticate = handled
(83540) Using Post-Auth-Type Challenge
(83540) Post-Auth-Type sub-section not found.  Ignoring.
(83540) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83540) Sent Access-Challenge Id 123 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83540)   EAP-Message = 0x01c7005219001703030047fb13cb712244c06fb9349c1a922348d032aa6f4c23c7d2f5143a72f99f00383819d97b9eb2ede7a3a9837f7deac267f4c81c6172bb7f9a4aae783a922eb875456f78c2ade1a752
(83540)   Message-Authenticator = 0x00000000000000000000000000000000
(83540)   State = 0x592274a55ee56dcf5d11088ba56bbac4
(83540) Finished request
(83541) Received Access-Request Id 124 from 10.34.177.220:37268 to 10.34.242.3:1812 length 322
(83541)   User-Name = "host/n65144.mpdft.gov.br"
(83541)   NAS-IP-Address = 10.34.177.220
(83541)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83541)   NAS-Port-Id = "00000001"
(83541)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83541)   NAS-Port-Type = Wireless-802.11
(83541)   Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83541)   Service-Type = Framed-User
(83541)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83541)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83541)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83541)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83541)   WLAN-Pairwise-Cipher = 1027076
(83541)   WLAN-Group-Cipher = 1027076
(83541)   WLAN-AKM-Suite = 1027073
(83541)   Framed-MTU = 1400
(83541)   EAP-Message = 0x02c700251900170303001a0000000000000003331ad865b28d977d1e131e3443c76ac7ba97
(83541)   State = 0x592274a55ee56dcf5d11088ba56bbac4
(83541)   Message-Authenticator = 0x57e05acff1a9e398d34e97b0934830a6
(83541) session-state: No cached attributes
(83541) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83541)   authorize {
(83541)     policy filter_username {
(83541)       if (&User-Name) {
(83541)       if (&User-Name)  -> TRUE
(83541)       if (&User-Name)  {
(83541)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83541)         EXPAND %{tolower:%{User-Name}}
(83541)            --> host/n65144.mpdft.gov.br
(83541)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83541)         if (&User-Name =~ / /) {
(83541)         if (&User-Name =~ / /)  -> FALSE
(83541)         if (&User-Name =~ /@[^@]*@/ ) {
(83541)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83541)         if (&User-Name =~ /\.\./ ) {
(83541)         if (&User-Name =~ /\.\./ )  -> FALSE
(83541)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83541)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83541)         if (&User-Name =~ /\.$/)  {
(83541)         if (&User-Name =~ /\.$/)   -> FALSE
(83541)         if (&User-Name =~ /@\./)  {
(83541)         if (&User-Name =~ /@\./)   -> FALSE
(83541)       } # if (&User-Name)  = notfound
(83541)     } # policy filter_username = notfound
(83541)     [preprocess] = ok
(83541) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83541) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83541) auth_log: EXPAND %t
(83541) auth_log:    --> Tue Jun 23 13:47:25 2020
(83541)     [auth_log] = ok
(83541)     [chap] = noop
(83541)     [mschap] = noop
(83541)     [digest] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541)     [suffix] = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 37
(83541) eap: Continuing tunnel setup
(83541)     [eap] = ok
(83541)   } # authorize = ok
(83541) Found Auth-Type = eap
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541)   authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x592274a55ee56dcf
(83541) eap: Previous EAP request found for state 0x592274a55ee56dcf, released from the list
(83541) eap: Peer sent packet with method EAP PEAP (25)
(83541) eap: Calling submodule eap_peap to process data
(83541) eap_peap: Continuing EAP-TLS
(83541) eap_peap: [eaptls verify] = ok
(83541) eap_peap: Done initial handshake
(83541) eap_peap: [eaptls process] = ok
(83541) eap_peap: Session established.  Decoding tunneled attributes
(83541) eap_peap: PEAP state phase2
(83541) eap_peap: EAP method MSCHAPv2 (26)
(83541) eap_peap: Got tunneled request
(83541) eap_peap:   EAP-Message = 0x02c700061a03
(83541) eap_peap: Setting User-Name to host/n65144.mpdft.gov.br
(83541) eap_peap: Sending tunneled request to inner-tunnel
(83541) eap_peap:   EAP-Message = 0x02c700061a03
(83541) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(83541) eap_peap:   User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap:   State = 0x3abf883e3b78928a4508626b4c893c09
(83541) Virtual server inner-tunnel received request
(83541)   EAP-Message = 0x02c700061a03
(83541)   FreeRADIUS-Proxied-To = 127.0.0.1
(83541)   User-Name = "host/n65144.mpdft.gov.br"
(83541)   State = 0x3abf883e3b78928a4508626b4c893c09
(83541) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(83541) server inner-tunnel {
(83541)   session-state: No cached attributes
(83541)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541)     authorize {
(83541)       policy filter_username {
(83541)         if (&User-Name) {
(83541)         if (&User-Name)  -> TRUE
(83541)         if (&User-Name)  {
(83541)           if (&User-Name != "%{tolower:%{User-Name}}") {
(83541)           EXPAND %{tolower:%{User-Name}}
(83541)              --> host/n65144.mpdft.gov.br
(83541)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83541)           if (&User-Name =~ / /) {
(83541)           if (&User-Name =~ / /)  -> FALSE
(83541)           if (&User-Name =~ /@[^@]*@/ ) {
(83541)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83541)           if (&User-Name =~ /\.\./ ) {
(83541)           if (&User-Name =~ /\.\./ )  -> FALSE
(83541)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83541)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83541)           if (&User-Name =~ /\.$/)  {
(83541)           if (&User-Name =~ /\.$/)   -> FALSE
(83541)           if (&User-Name =~ /@\./)  {
(83541)           if (&User-Name =~ /@\./)   -> FALSE
(83541)         } # if (&User-Name)  = notfound
(83541)       } # policy filter_username = notfound
(83541)       [chap] = noop
(83541)       [mschap] = noop
(83541) suffix: Checking for suffix after "@"
(83541) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83541) suffix: No such realm "NULL"
(83541)       [suffix] = noop
(83541)       update control {
(83541)         &Proxy-To-Realm := LOCAL
(83541)       } # update control = noop
(83541) eap: Peer sent EAP Response (code 2) ID 199 length 6
(83541) eap: No EAP Start, assuming it's an on-going EAP conversation
(83541)       [eap] = updated
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541) files: Failed resolving UID: No error
(83541)       [files] = noop
(83541) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83541) sql:    --> host/n65144.mpdft.gov.br
(83541) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83541) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(83541) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'host/n65144.mpdft.gov.br' ORDER BY id
(83541) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(83541) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='host/n65144.mpdft.gov.br' ORDER BY priority
(83541) sql: User not found in any groups
(83541)       [sql] = notfound
(83541)       [expiration] = noop
(83541)       [logintime] = noop
(83541)       [pap] = noop
(83541)     } # authorize = updated
(83541)   Found Auth-Type = eap
(83541)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541)     authenticate {
(83541) eap: Expiring EAP session with state 0x9017180393030136
(83541) eap: Finished EAP session with state 0x3abf883e3b78928a
(83541) eap: Previous EAP request found for state 0x3abf883e3b78928a, released from the list
(83541) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(83541) eap: Calling submodule eap_mschapv2 to process data
(83541) eap: Sending EAP Success (code 3) ID 199 length 4
(83541) eap: Freeing handler
(83541)       [eap] = ok
(83541)     } # authenticate = ok
(83541)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(83541)     post-auth {
(83541) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(83541) reply_log:    --> /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.177.220/reply-detail
(83541) reply_log: EXPAND %t
(83541) reply_log:    --> Tue Jun 23 13:47:25 2020
(83541)       [reply_log] = ok
(83541)     } # post-auth = ok
(83541)   Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 via TLS tunnel)
(83541) } # server inner-tunnel
(83541) Virtual server sending reply
(83541)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541)   MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541)   MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541)   EAP-Message = 0x03c70004
(83541)   Message-Authenticator = 0x00000000000000000000000000000000
(83541)   User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply code 2
(83541) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap:   MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap:   MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap:   EAP-Message = 0x03c70004
(83541) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap:   User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Got tunneled reply RADIUS code 2
(83541) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(83541) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(83541) eap_peap:   MS-MPPE-Send-Key = 0x9d6e9953035b644f28179ce33e138747
(83541) eap_peap:   MS-MPPE-Recv-Key = 0xe322c91d585221d8792d458de68d4cc4
(83541) eap_peap:   EAP-Message = 0x03c70004
(83541) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(83541) eap_peap:   User-Name = "host/n65144.mpdft.gov.br"
(83541) eap_peap: Tunneled authentication was successful
(83541) eap_peap: SUCCESS
(83541) eap: Sending EAP Request (code 1) ID 200 length 46
(83541) eap: EAP session adding &reply:State = 0x592274a551ea6dcf
(83541)     [eap] = handled
(83541)   } # authenticate = handled
(83541) Using Post-Auth-Type Challenge
(83541) Post-Auth-Type sub-section not found.  Ignoring.
(83541) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83541) Sent Access-Challenge Id 124 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83541)   EAP-Message = 0x01c8002e19001703030023fb13cb712244c0706e6e84e2592d8fff1bee7760032145bba442c608ceedd4c750c687
(83541)   Message-Authenticator = 0x00000000000000000000000000000000
(83541)   State = 0x592274a551ea6dcf5d11088ba56bbac4
(83541) Finished request
(83542) Received Access-Request Id 125 from 10.34.177.220:37268 to 10.34.242.3:1812 length 331
(83542)   User-Name = "host/n65144.mpdft.gov.br"
(83542)   NAS-IP-Address = 10.34.177.220
(83542)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83542)   NAS-Port-Id = "00000001"
(83542)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83542)   NAS-Port-Type = Wireless-802.11
(83542)   Event-Timestamp = "Jun 23 2020 13:47:24 -03"
(83542)   Service-Type = Framed-User
(83542)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83542)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83542)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83542)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83542)   WLAN-Pairwise-Cipher = 1027076
(83542)   WLAN-Group-Cipher = 1027076
(83542)   WLAN-AKM-Suite = 1027073
(83542)   Framed-MTU = 1400
(83542)   EAP-Message = 0x02c8002e190017030300230000000000000004db3dc05d0228ead2f3ceaf6f5db445f3463c81d6f596111a7e908d
(83542)   State = 0x592274a551ea6dcf5d11088ba56bbac4
(83542)   Message-Authenticator = 0xb85792e60ceecbb66116afddc05d25c5
(83542) session-state: No cached attributes
(83542) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(83542)   authorize {
(83542)     policy filter_username {
(83542)       if (&User-Name) {
(83542)       if (&User-Name)  -> TRUE
(83542)       if (&User-Name)  {
(83542)         if (&User-Name != "%{tolower:%{User-Name}}") {
(83542)         EXPAND %{tolower:%{User-Name}}
(83542)            --> host/n65144.mpdft.gov.br
(83542)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(83542)         if (&User-Name =~ / /) {
(83542)         if (&User-Name =~ / /)  -> FALSE
(83542)         if (&User-Name =~ /@[^@]*@/ ) {
(83542)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83542)         if (&User-Name =~ /\.\./ ) {
(83542)         if (&User-Name =~ /\.\./ )  -> FALSE
(83542)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83542)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83542)         if (&User-Name =~ /\.$/)  {
(83542)         if (&User-Name =~ /\.$/)   -> FALSE
(83542)         if (&User-Name =~ /@\./)  {
(83542)         if (&User-Name =~ /@\./)   -> FALSE
(83542)       } # if (&User-Name)  = notfound
(83542)     } # policy filter_username = notfound
(83542)     [preprocess] = ok
(83542) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(83542) auth_log:    --> /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.177.220/auth-detail
(83542) auth_log: EXPAND %t
(83542) auth_log:    --> Tue Jun 23 13:47:25 2020
(83542)     [auth_log] = ok
(83542)     [chap] = noop
(83542)     [mschap] = noop
(83542)     [digest] = noop
(83542) suffix: Checking for suffix after "@"
(83542) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83542) suffix: No such realm "NULL"
(83542)     [suffix] = noop
(83542) eap: Peer sent EAP Response (code 2) ID 200 length 46
(83542) eap: Continuing tunnel setup
(83542)     [eap] = ok
(83542)   } # authorize = ok
(83542) Found Auth-Type = eap
(83542) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(83542)   authenticate {
(83542) eap: Expiring EAP session with state 0x9017180393030136
(83542) eap: Finished EAP session with state 0x592274a551ea6dcf
(83542) eap: Previous EAP request found for state 0x592274a551ea6dcf, released from the list
(83542) eap: Peer sent packet with method EAP PEAP (25)
(83542) eap: Calling submodule eap_peap to process data
(83542) eap_peap: Continuing EAP-TLS
(83542) eap_peap: [eaptls verify] = ok
(83542) eap_peap: Done initial handshake
(83542) eap_peap: [eaptls process] = ok
(83542) eap_peap: Session established.  Decoding tunneled attributes
(83542) eap_peap: PEAP state send tlv success
(83542) eap_peap: Received EAP-TLV response
(83542) eap_peap: Success
(83542) eap: Sending EAP Success (code 3) ID 200 length 4
(83542) eap: Freeing handler
(83542)     [eap] = ok
(83542)   } # authenticate = ok
(83542) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(83542)   post-auth {
(83542)     update {
(83542)       No attributes updated
(83542)     } # update = noop
(83542) sql: EXPAND .query
(83542) sql:    --> .query
(83542) sql: Using query template 'query'
(83542) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83542) sql:    --> host/n65144.mpdft.gov.br
(83542) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83542) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))
(83542) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('host/n65144.mpdft.gov.br', 'Chap-Password', 'Access-Accept', '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', TO_TIMESTAMP(1592930844))
(83542) sql: SQL query returned: success
(83542) sql: 1 record(s) updated
(83542)     [sql] = ok
(83542)     [exec] = noop
(83542)     policy remove_reply_message_if_eap {
(83542)       if (&reply:EAP-Message && &reply:Reply-Message) {
(83542)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(83542)       else {
(83542)         [noop] = noop
(83542)       } # else = noop
(83542)     } # policy remove_reply_message_if_eap = noop
(83542)   } # post-auth = ok
(83542) Login OK: [host/n65144.mpdft.gov.br] (from client AP-NAI-A01-220 port 0 cli 5C-C9-D3-7C-98-79)
(83542) Sent Access-Accept Id 125 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83542)   MS-MPPE-Recv-Key = 0xc67d0eee420d607c416ac6b9c783634d1566c5980653e2416d115bd4d80e7ad0
(83542)   MS-MPPE-Send-Key = 0xc2093b112098bd8a87cc2799b7cfbabf4a04e544efac9655d813d5cd83885a26
(83542)   EAP-Message = 0x03c80004
(83542)   Message-Authenticator = 0x00000000000000000000000000000000
(83542)   User-Name = "host/n65144.mpdft.gov.br"
(83542) Finished request
(83565) Received Accounting-Request Id 126 from 10.34.177.220:34685 to 10.34.242.3:1813 length 265
(83565)   Acct-Status-Type = Start
(83565)   Acct-Authentic = RADIUS
(83565)   User-Name = "host/n65144.mpdft.gov.br"
(83565)   NAS-IP-Address = 10.34.177.220
(83565)   NAS-Identifier = "TP-Link:50-D4-F7-5B-96-CA"
(83565)   NAS-Port-Id = "00000001"
(83565)   Called-Station-Id = "50-D4-F7-5B-96-CA:MPDFT"
(83565)   NAS-Port-Type = Wireless-802.11
(83565)   Event-Timestamp = "Jun 23 2020 13:47:27 -03"
(83565)   Service-Type = Framed-User
(83565)   Calling-Station-Id = "5C-C9-D3-7C-98-79"
(83565)   Connect-Info = "CONNECT 0Mbps 802.11b"
(83565)   Acct-Session-Id = "50d4f75b96ca-74D3D7E99FDF31B4"
(83565)   Acct-Multi-Session-Id = "BFD32763B61CDC83"
(83565)   WLAN-Pairwise-Cipher = 1027076
(83565)   WLAN-Group-Cipher = 1027076
(83565)   WLAN-AKM-Suite = 1027073
(83565)   Framed-IP-Address = 172.28.252.122
(83565)   Acct-Delay-Time = 0
(83565) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(83565)   preacct {
(83565)     [preprocess] = ok
(83565)     update request {
(83565)       EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(83565)          --> 1592930848
(83565)       FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 13:47:28 -03
(83565)     } # update request = noop
(83565)     policy acct_unique {
(83565)       update request {
(83565)         Tmp-String-9 := "ai:"
(83565)       } # update request = noop
(83565)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(83565)       EXPAND %{hex:&Class}
(83565)          -->
(83565)       EXPAND ^%{hex:&Tmp-String-9}
(83565)          --> ^61693a
(83565)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(83565)       else {
(83565)         update request {
(83565)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}}
(83565)              --> baf7ceacc097faf87151791ad22e16e8
(83565)           &Acct-Unique-Session-Id := baf7ceacc097faf87151791ad22e16e8
(83565)         } # update request = noop
(83565)       } # else = noop
(83565)     } # policy acct_unique = noop
(83565) suffix: Checking for suffix after "@"
(83565) suffix: No '@' in User-Name = "host/n65144.mpdft.gov.br", looking up realm NULL
(83565) suffix: No such realm "NULL"
(83565)     [suffix] = noop
(83565) files: acct_users: Matched entry DEFAULT at line 22
(83565) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(83565) files:    --> host/n65144.mpdft.gov.br
(83565)     [files] = ok
(83565)   } # preacct = ok
(83565) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(83565)   accounting {
(83565) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(83565) log_accounting:    --> Accounting-Request.Start
(83565) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(83565) log_accounting:    --> Tue, 23-06-2020 13:47:27 Connect: [host/n65144.mpdft.gov.br] (did 50-D4-F7-5B-96-CA:MPDFT cli 5C-C9-D3-7C-98-79 port  ip 172.28.252.122)
(83565) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(83565) log_accounting:    --> /var/log/freeradius/linelog-accounting
(83565)     [log_accounting] = ok
(83565) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(83565) sql:    --> type.start.query
(83565) sql: Using query template 'query'
(83565) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565) sql:    --> host/n65144.mpdft.gov.br
(83565) sql: SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(83565) sql:    --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('50d4f75b96ca-74D3D7E99FDF31B4', 'baf7ceacc097faf87151791ad22e16e8', 'host/n65144.mpdft.gov.br', NULLIF('', ''), '10.34.177.220', NULLIF('00000001', ''), 'Wireless-802.11', TO_TIMESTAMP(1592930847), TO_TIMESTAMP(1592930847), NULL, 0, 'RADIUS', 'CONNECT 0Mbps 802.11b', NULL, 0, 0, '50-D4-F7-5B-96-CA:MPDFT', '5C-C9-D3-7C-98-79', NULL, 'Framed-User', '', NULLIF('172.28.252.122', '')::inet)
(83565) sql: SQL query returned: success
(83565) sql: 1 record(s) updated
(83565)     [sql] = ok
(83565)     if (&request:Acct-Status-Type == start) {
(83565)     if (&request:Acct-Status-Type == start)  -> TRUE
(83565)     if (&request:Acct-Status-Type == start)  {
(83565)       EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(83565)          --> host/n65144.mpdft.gov.br
(83565)       SQL-User-Name set to 'host/n65144.mpdft.gov.br'
(83565)       Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592930847), AcctUpdateTime = TO_TIMESTAMP(1592930847), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 0Mbps 802.11b' WHERE UserName = 'host/n65144.mpdft.gov.br' AND AcctUniqueId <> 'baf7ceacc097faf87151791ad22e16e8' AND CallingStationId = '5C-C9-D3-7C-98-79' AND AcctStopTime IS NULL
(83565)       SQL query affected no rows
(83565)       EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(83565)          -->
(83565)     } # if (&request:Acct-Status-Type == start)  = ok
(83565)     [exec] = noop
(83565) attr_filter.accounting_response: EXPAND %{User-Name}
(83565) attr_filter.accounting_response:    --> host/n65144.mpdft.gov.br
(83565) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(83565)     [attr_filter.accounting_response] = updated
(83565)   } # accounting = updated
(83565) Sent Accounting-Response Id 126 from 10.34.242.3:1813 to 10.34.177.220:34685 length 0
(83565) Finished request
(83565) Cleaning up request packet ID 126 with timestamp +51982
(83533) Cleaning up request packet ID 116 with timestamp +51979
(83534) Cleaning up request packet ID 117 with timestamp +51979
(83535) Cleaning up request packet ID 118 with timestamp +51979
(83536) Cleaning up request packet ID 119 with timestamp +51979
(83537) Cleaning up request packet ID 120 with timestamp +51979
(83538) Cleaning up request packet ID 121 with timestamp +51979
(83539) Cleaning up request packet ID 122 with timestamp +51979
(83540) Cleaning up request packet ID 123 with timestamp +51979
(83541) Cleaning up request packet ID 124 with timestamp +51979
(83542) Cleaning up request packet ID 125 with timestamp +51979
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to disable machine authentication

Alan DeKok-2
On Jun 23, 2020, at 6:22 PM, Daniel Guimaraes Pena <[hidden email]> wrote:
>
> Is it possible?

  Yes.

> I tried in users file:

  Don't "try" things.  Figure out what's going on, and write rules to match that.

> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT        Group == "disabled", Auth-Type := Reject
> #               Reply-Message = "Your account has been disabled."
> #
> DEFAULT Group == "Domain Computers", Auth-Type := Reject

  The "Group" attribute checks Unix groups.  Which usually don't have spaces in their names.

>                Reply-Message = "Autenticacao de maquinas desabilitada."
>
> DEFAULT Group == "TodasContasEspeciais", Auth-Type := Reject
>                Reply-Message = "Autenticacao de contas de servico desabilitada."
>
> Domain Computers doesnt work. TodasContasEspeciais Works fine.

  Maybe.  The debug output isn't clear.

> Logs, if needed. (Sorry for another post so soon... I solved a lot of problems but some...)

  Logs are almost always needed.

> (83533) Received Access-Request Id 116 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
> (83533)   User-Name = "host/n65144.mpdft.gov.br"

  Rejecting machine authentication is simple:

authorize {
        ...
        if (User-Name =~ /^host\//) {
                reject
        }
        ...
}

  Alan DeKok.



RES: How to disable machine authentication

daniel.pena
Thanks for this solution =)
Just to report, I applied your suggestion in the filter policy, after "#  reject mixed case e.g. UseRNaMe", and it's working perfectly:
filter_username {
        if (&User-Name) {
                #
                #  deny machine authentication
                #
                if (&User-Name =~ /\// ) {
                        update request {
                                &Module-Failure-Message += 'Rejected: host authentication not allowed'
                        }
                        reject
                }
                ...
        }
}

>  The "Group" attribute checks Unix groups.  Which usually don't have spaces in their names.
About this.. I understood that. (maybe not, but let's try):
For user "monitoramento" command "id monitoramento" shows:
........... 16777729(domain users),..........,10001(BUILTIN\users)

And this user hit this entry in users file:
DEFAULT         Group == "domain users", Simultaneous-Use := 2
                Idle-Timeout := 300

So, then I tried to do the same with computers...
Look:
root@vp2-seg-008:/var/log/freeradius# id M50880
id: ‘M50880’: no such user
root@vp2-seg-008:/var/log/freeradius#

But, when I put "$":
root@vp2-seg-008:/var/log/freeradius# id M50880$
uid=16884786(m50880$) gid=16777731(domain computers) groups=16777731(domain computers),16884786(m50880$)
root@vp2-seg-008:/var/log/freeradius#

And that’s why check for group domain computers does not work: lack of "$"

Thanks a lot for the help!

-----Original message-----
From: Freeradius-Users <freeradius-users-bounces+daniel.pena=[hidden email]> On behalf of Alan DeKok
Sent: Tuesday, June 23, 2020 20:57
To: FreeRadius users mailing list <[hidden email]>
Subject: Re: How to disable machine authentication

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
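
An added example, not part of the original thread and not FreeRADIUS code: a Python check to run over `radiusd -X` debug output after deploying the rule, listing requests where a `host/` identity still received an Access-Accept. It also compares the anchored pattern `/^host\//` with the unanchored `/\//` on sample names; the debug excerpt, `user/admin` and `host/m50880.mpdft.gov.br` are constructed for illustration.

```python
import re

# Constructed excerpt in the format of the debug output quoted in this thread.
# Requests 90001 and 90002 are invented for the example.
SAMPLE_DEBUG = """\
(83542) Received Access-Request Id 125 from 10.34.177.220:37268 to 10.34.242.3:1812 length 331
(83542)   User-Name = "host/n65144.mpdft.gov.br"
(83542) Sent Access-Accept Id 125 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(83542)   User-Name = "host/n65144.mpdft.gov.br"
(90001) Received Access-Request Id 7 from 10.34.177.220:37268 to 10.34.242.3:1812 length 210
(90001)   User-Name = "monitoramento"
(90001) Sent Access-Accept Id 7 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
(90002) Received Access-Request Id 8 from 10.34.177.220:37268 to 10.34.242.3:1812 length 296
(90002)   User-Name = "host/m50880.mpdft.gov.br"
(90002) Sent Access-Reject Id 8 from 10.34.242.3:1812 to 10.34.177.220:37268 length 0
"""

LINE_RE = re.compile(r'^\((\d+)\)\s+(.*)$')        # "(request number) rest of line"
USER_RE = re.compile(r'^User-Name = "(.*)"$')       # attribute line, not module-prefixed
SENT_RE = re.compile(r'^Sent (Access-Accept|Access-Reject|Access-Challenge) Id \d+')
MACHINE_RE = re.compile(r'^host/')                  # same test as unlang /^host\//


def summarize(debug_text):
    """Map request number -> {'user': first User-Name seen, 'reply': last packet sent}."""
    requests = {}
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        number, body = int(m.group(1)), m.group(2)
        entry = requests.setdefault(number, {"user": None, "reply": None})
        user = USER_RE.match(body)
        if user and entry["user"] is None:
            # The first User-Name in a request is the one the NAS sent.
            entry["user"] = user.group(1)
        sent = SENT_RE.match(body)
        if sent:
            entry["reply"] = sent.group(1)
    return requests


def accepted_machine_auths(debug_text):
    """Request numbers where a host/ identity was answered with Access-Accept."""
    return sorted(
        number
        for number, e in summarize(debug_text).items()
        if e["reply"] == "Access-Accept" and e["user"] and MACHINE_RE.search(e["user"])
    )


def rejected_by(pattern, names):
    """Names an unlang '=~' test with this pattern would match (unanchored search)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


# Constructed names: a machine identity, a plain user, and a user name with a slash.
SAMPLE_NAMES = ["host/n65144.mpdft.gov.br", "monitoramento", "user/admin"]

if __name__ == "__main__":
    print("machine auths still accepted:", accepted_machine_auths(SAMPLE_DEBUG))
    print("^host/ rejects:", rejected_by(r"^host/", SAMPLE_NAMES))
    print("/      rejects:", rejected_by(r"/", SAMPLE_NAMES))
```

An empty list from `accepted_machine_auths` on fresh debug output means no `host/` identity was accepted in that capture; the unanchored pattern rejects every name containing a slash, not only machine accounts.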