Incorrect username being registered by freeradius

classic Classic list List threaded Threaded
8 messages Options
| Threaded
Open this post in threaded view
|

Incorrect username being registered by freeradius

daniel.pena
Hi everyone,

My freeradius (FreeRADIUS Version 3.0.12) sometimes accept users and logs at postgre some username that just don’t exist at Active Directory. I just couldn’t debug and stopped at dead end now.
Here to illustrate:
Mon Jun 22 18:35:06 2020 : Auth: (82485)   Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 0 via TLS tunnel)
Mon Jun 22 18:35:06 2020 : Auth: (82486) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 2 cli E0-5F-45-###)
-[ RECORD 1 ]------+---------------------------------
radacctid          | 5993772
acctsessionid      | 38ED2133-00000040
acctuniqueid       | 2e3edbe1aa2069c36ac67cf96384219c
username           | e05f4588a57d
groupname          |
realm              |
nasipaddress       | 10.34.27.223
nasportid          | 2
nasporttype        | Wireless-802.11
acctstarttime      | 2020-06-22 18:35:05-03
acctupdatetime     | 2020-06-22 18:35:05-03
acctstoptime       | 2020-06-22 18:35:05-03



Mon Jun 22 19:04:09 2020 : Auth: (89109)   Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 0 via TLS tunnel)
Mon Jun 22 19:04:09 2020 : Auth: (89111) Login OK: [flaviol] (from client AP-SD2-A07-Q04 port 1 cli E0-5F-45-###)
-[ RECORD 1 ]------+---------------------------------
radacctid          | 5994474
acctsessionid      | 38FCC022-00000000
acctuniqueid       | c980c8b18ff062712f838541c50d9d83
username           | flaviol
realm              |
nasipaddress       | 10.34.58.220
nasportid          | 1
nasporttype        | Wireless-802.11
acctstarttime      | 2020-06-22 19:04:09-03
acctupdatetime     | 2020-06-22 19:04:11-03
acctstoptime       | 2020-06-22 19:04:11-03


Both entries are from the same device (same MAC address), received Login OK, but the first one got that string as username. Client is not the same. But there is a lot of entries with the correct username for that client.
The odd thing is when it happens, the same string appears to the that user all the time. For other user, a different string appears and it will be always the same.

Sorry, but this is a difficult problem to explain... Even the title of thread was difficult to choose =[
Anyway, can anyone help me debug this problem?


# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.12 (stretch)
Release:        9.12
Codename:       stretch
# dpkg -l freeradius
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                     Version           Architecture      Description
+++-========================-=================-=================-=====================================================
ii  freeradius               3.0.12+dfsg-5+deb amd64             high-performance and highly configurable RADIUS serve
#




=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.22 22:51:13 =~=~=~=~=~=~=~=~=~=~=~=
freeradius -X
FreeRADIUS Version 3.0.12
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/3.0/dictionary
including configuration file /etc/freeradius/3.0/radiusd.conf
including configuration file /etc/freeradius/3.0/proxy.conf
including configuration file /etc/freeradius/3.0/clients.conf
including files in directory /etc/freeradius/3.0/mods-enabled/
including configuration file /etc/freeradius/3.0/mods-enabled/realm
including configuration file /etc/freeradius/3.0/mods-enabled/digest
including configuration file /etc/freeradius/3.0/mods-enabled/exec
including configuration file /etc/freeradius/3.0/mods-enabled/linelog
including configuration file /etc/freeradius/3.0/mods-enabled/passwd
including configuration file /etc/freeradius/3.0/mods-enabled/eap
including configuration file /etc/freeradius/3.0/mods-enabled/unix
including configuration file /etc/freeradius/3.0/mods-enabled/pap
including configuration file /etc/freeradius/3.0/mods-enabled/detail.log
including configuration file /etc/freeradius/3.0/mods-enabled/chap
including configuration file /etc/freeradius/3.0/mods-enabled/expr
including configuration file /etc/freeradius/3.0/mods-enabled/date
including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp
including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/3.0/mods-enabled/utf8
including configuration file /etc/freeradius/3.0/mods-enabled/unpack
including configuration file /etc/freeradius/3.0/mods-enabled/soh
including configuration file /etc/freeradius/3.0/mods-enabled/radutmp
including configuration file /etc/freeradius/3.0/mods-enabled/preprocess
including configuration file /etc/freeradius/3.0/mods-enabled/expiration
including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter
including configuration file /etc/freeradius/3.0/mods-enabled/sql
including configuration file /etc/freeradius/3.0/mods-config/sql/main/postgresql/queries.conf
including configuration file /etc/freeradius/3.0/mods-enabled/always
including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap
including configuration file /etc/freeradius/3.0/mods-enabled/mschap
including configuration file /etc/freeradius/3.0/mods-enabled/files
including configuration file /etc/freeradius/3.0/mods-enabled/echo
including configuration file /etc/freeradius/3.0/mods-enabled/detail
including configuration file /etc/freeradius/3.0/mods-enabled/logintime
including configuration file /etc/freeradius/3.0/mods-enabled/replicate
including files in directory /etc/freeradius/3.0/policy.d/
including configuration file /etc/freeradius/3.0/policy.d/eap
including configuration file /etc/freeradius/3.0/policy.d/filter
including configuration file /etc/freeradius/3.0/policy.d/cui
including configuration file /etc/freeradius/3.0/policy.d/accounting
including configuration file /etc/freeradius/3.0/policy.d/operator-name
including configuration file /etc/freeradius/3.0/policy.d/dhcp
including configuration file /etc/freeradius/3.0/policy.d/abfab-tr
including configuration file /etc/freeradius/3.0/policy.d/canonicalization
including configuration file /etc/freeradius/3.0/policy.d/debug
including configuration file /etc/freeradius/3.0/policy.d/control
including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids
including files in directory /etc/freeradius/3.0/sites-enabled/
including configuration file /etc/freeradius/3.0/sites-enabled/control-socket
including configuration file /etc/freeradius/3.0/sites-enabled/default
including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/3.0/sites-enabled/status
main {
 security {
  user = "freerad"
  group = "freerad"
  allow_core_dumps = no
 }
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
}
main {
        name = "freeradius"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/freeradius"
        run_dir = "/var/run/freeradius"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/freeradius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 204800
        pidfile = "/var/run/freeradius/freeradius.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
  stripped_names = no
  auth = yes
  auth_badpass = no
  auth_goodpass = no
  colourise = yes
  msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
  max_attributes = 200
  reject_delay = 1.000000
  status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = "auth"
  secret = <<< secret >>>
  response_window = 20.000000
  response_timeouts = 1
  max_outstanding = 65536
  zombie_period = 40
  status_check = "status-server"
  ping_interval = 30
  check_interval = 30
  check_timeout = 4
  num_answers_to_alive = 3
  revive_interval = 120
  limit {
  max_connections = 16
  max_requests = 0
  lifetime = 0
  idle_timeout = 0
  }
  coa {
  irt = 2
  mrt = 16
  mrc = 5
  mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
  nas_type = "other"
  proto = "*"
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
 client localhost_ipv6 {
  ipv6addr = ::1
  require_message_authenticator = no
  secret = <<< secret >>>
  limit {
  max_connections = 16
  lifetime = 0
  idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = NTLM_AUTH
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Acct-Type = Status-Server
 # Creating Autz-Type = Status-Server
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  realm IPASS {
  format = "prefix"
  delimiter = "/"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  realm suffix {
  format = "suffix"
  delimiter = "@"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  realm realmpercent {
  format = "suffix"
  delimiter = "%"
  ignore_default = no
  ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  realm ntdomain {
  format = "prefix"
  delimiter = "\\"
  ignore_default = no
  ignore_null = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest
  # Loaded module rlm_exec
  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec
  exec {
  wait = no
  input_pairs = "request"
  shell_escape = yes
  timeout = 10
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog {
  filename = "/var/log/freeradius/linelog"
  escape_filenames = no
  syslog_severity = "notice"
  permissions = 384
  format = "This is a log message for %{User-Name}"
  reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  linelog log_accounting {
  filename = "/var/log/freeradius/linelog-accounting"
  escape_filenames = no
  syslog_severity = "notice"
  permissions = 384
  format = ""
  reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
  passwd etc_passwd {
  filename = "/etc/passwd"
  format = "*User-Name:Crypt-Password:"
  delimiter = ":"
  ignore_nislike = no
  ignore_empty = yes
  allow_multiple_keys = no
  hash_size = 100
  }
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
  eap {
  default_eap_type = "md5"
  timer_expire = 60
  ignore_unknown_eap_types = no
  cisco_accounting_username_bug = no
  max_sessions = 204800
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix
  unix {
  radwtmp = "/var/log/freeradius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  pap {
  normalise = yes
  }
  # Loaded module rlm_detail
  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail auth_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail reply_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail pre_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  detail post_proxy_log {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr
  expr {
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_date
  # Loading module "date" from file /etc/freeradius/3.0/mods-enabled/date
  date {
  format = "%a, %d-%m-%Y %H:%M:%S"
  }
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp
  radutmp sradutmp {
  filename = "/var/log/freeradius/sradutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 420
  caller_id = no
  }
  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth
  exec ntlm_auth {
  wait = yes
  program = "/usr/bin/ntlm_auth --request-nt-key --domain=MPDFT --username=%{mschap:User-Name} --password=%{User-Password}"
  shell_escape = yes
  }
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh
  soh {
  dhcp = yes
  }
  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp
  radutmp {
  filename = "/var/log/freeradius/radutmp"
  username = "%{User-Name}"
  case_sensitive = yes
  check_with_nas = yes
  permissions = 384
  caller_id = yes
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
  preprocess {
  huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"
  hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"
  with_ascend_hack = no
  ascend_channels_per_line = 23
  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
  with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"
  key = "%{Realm}"
  relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"
  key = "%{User-Name}"
  relaxed = no
  }
  # Loaded module rlm_sql
  # Loading module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
  sql {
  driver = "rlm_sql_postgresql"
  server = "localhost"
  port = 5432
  login = "radius"
  password = <<< secret >>>
  radius_db = "radius"
  read_groups = yes
  read_profiles = yes
  read_clients = yes
  delete_stale_sessions = yes
  sql_user_name = "%{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}"
  default_user_profile = ""
  client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  authorize_check_query = "SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id"
  authorize_reply_query = "SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id"
  authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{SQL-Group}' ORDER BY id"
  authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op FROM radgroupreply WHERE GroupName = '%{SQL-Group}' ORDER BY id"
  group_membership_query = "SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority"
  simul_count_query = "SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL"
  simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime IS NULL"
  safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
   accounting {
    reference = "%{tolower:type.%{%{Acct-Status-Type}:-none}.query}"
    type {
     accounting-on {
      query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
     }
     accounting-off {
      query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime))), AcctTerminateCause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE AcctStopTime IS NULL AND NASIPAddress= '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}' AND AcctStartTime <= '%S'::timestamp"
     }
     start {
      query = "INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)"
     }
     interim-update {
      query = "UPDATE radacct SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, AcctSessionTime = %{%{Acct-Session-Time}:-NULL}, AcctInterval = (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM (COALESCE(AcctUpdateTime, AcctStartTime)))), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
     }
     stop {
      query = "UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctSessionTime = COALESCE(%{%{Acct-Session-Time}:-NULL}, (%{integer:Event-Timestamp} - EXTRACT(EPOCH FROM(AcctStartTime)))), AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), AcctTerminateCause = '%{Acct-Terminate-Cause}', FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, ConnectInfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}' AND AcctStopTime IS NULL"
     }
    }
   }
   post-auth {
    reference = ".query"
    query = "INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))"
   }
  }
rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Creating attribute SQL-Group
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  always reject {
  rcode = "reject"
  simulcount = 0
  mpp = no
  }
  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  always fail {
  rcode = "fail"
  simulcount = 0
  mpp = no
  }
  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  always ok {
  rcode = "ok"
  simulcount = 0
  mpp = no
  }
  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  always handled {
  rcode = "handled"
  simulcount = 0
  mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  always invalid {
  rcode = "invalid"
  simulcount = 0
  mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  always userlock {
  rcode = "userlock"
  simulcount = 0
  mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  always notfound {
  rcode = "notfound"
  simulcount = 0
  mpp = no
  }
  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  always noop {
  rcode = "noop"
  simulcount = 0
  mpp = no
  }
  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  always updated {
  rcode = "updated"
  simulcount = 0
  mpp = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
  cache cache_eap {
  driver = "rlm_cache_rbtree"
  key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  ttl = 15
  max_entries = 0
  epoch = 0
  add_stats = no
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
  mschap {
  use_mppe = yes
  require_encryption = no
  require_strong = no
  with_ntdomain_hack = yes
   passchange {
    ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
    ntlm_auth_username = "username: %{mschap:User-Name}"
    ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
   }
  allow_retry = yes
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files
  files {
  filename = "/etc/freeradius/3.0/mods-config/files/authorize"
  acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"
  preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"
  }
  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo
  exec echo {
  wait = yes
  program = "/bin/echo %{User-Name}"
  input_pairs = "request"
  output_pairs = "reply"
  shell_escape = yes
  }
  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
  detail {
  filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail"
  header = "%t"
  permissions = 384
  locking = no
  escape_filenames = no
  log_packet_header = no
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  logintime {
  minimum_timeout = 60
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate
  instantiate {
  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime
  }
  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm
  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog
  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
    tls = "tls-common"
   }
   tls-config tls-common {
    verify_depth = 0
    ca_path = "/etc/freeradius/3.0/certs"
    pem_file_type = yes
    private_key_file = "/etc/ssl/private/ssl-cert-snakeoil.key"
    certificate_file = "/etc/ssl/certs/ssl-cert-snakeoil.pem"
    ca_file = "/etc/ssl/certs/ca-certificates.crt"
    private_key_password = <<< secret >>>
    dh_file = "/etc/freeradius/3.0/certs/dh"
    fragment_size = 1024
    include_length = yes
    auto_chain = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    cache {
    enable = yes
    lifetime = 24
    max_entries = 255
    }
    verify {
    skip_if_ocsp_ok = no
    }
    ocsp {
    enable = no
    override_cert_url = yes
    url = "http://127.0.0.1/ocsp/"
    use_nonce = yes
    timeout = 0
    softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
    tls = "tls-common"
    default_eap_type = "md5"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
    include_length = yes
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
    tls = "tls-common"
    default_eap_type = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
    with_ntdomain_hack = no
    send_error = no
   }
  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap
  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log
  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints
  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject
/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter
reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response
  # Instantiating module "sql" from file /etc/freeradius/3.0/mods-enabled/sql
   postgresql {
    send_application_name = no
   }
rlm_sql (sql): Attempting to connect to database "radius"
rlm_sql (sql): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 0
    cleanup_interval = 30
    idle_timeout = 60
    retry_delay = 30
    spread = no
   }
rlm_sql (sql): Opening additional connection (0), 1 of 32 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13108
rlm_sql (sql): Opening additional connection (1), 1 of 31 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13109
rlm_sql (sql): Opening additional connection (2), 1 of 30 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13110
rlm_sql (sql): Opening additional connection (3), 1 of 29 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13111
rlm_sql (sql): Opening additional connection (4), 1 of 28 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13112
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Reserved connection (0)
rlm_sql (sql): Executing select query: SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 179 , fields = 6
rlm_sql (sql): Adding client 10.34.158.220 (AP-AGC-A03-220) to global clients list
rlm_sql (10.34.158.220): Client "AP-AGC-A03-220" (sql) added
rlm_sql (sql): Adding client 10.34.158.221 (AP-AGC-A03-221) to global clients list
rlm_sql (10.34.158.221): Client "AP-AGC-A03-221" (sql) added
rlm_sql (sql): Adding client 10.35.93.224 (AP-BR2-A01-Q01) to global clients list
rlm_sql (10.35.93.224): Client "AP-BR2-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.225 (AP-BR2-A01-Q02) to global clients list
rlm_sql (10.35.93.225): Client "AP-BR2-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.226 (AP-BR2-A01-Q03) to global clients list
rlm_sql (10.35.93.226): Client "AP-BR2-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.35.93.227 (AP-BR2-A01-Q04) to global clients list
rlm_sql (10.35.93.227): Client "AP-BR2-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.35.93.228 (AP-BR2-A02-Q01) to global clients list
rlm_sql (10.35.93.228): Client "AP-BR2-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.229 (AP-BR2-A02-Q02) to global clients list
rlm_sql (10.35.93.229): Client "AP-BR2-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.230 (AP-BR2-A02-Q03) to global clients list
rlm_sql (10.35.93.230): Client "AP-BR2-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.35.93.231 (AP-BR2-A02-Q04) to global clients list
rlm_sql (10.35.93.231): Client "AP-BR2-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.35.93.223 (AP-BR2-TER-223) to global clients list
rlm_sql (10.35.93.223): Client "AP-BR2-TER-223" (sql) added
rlm_sql (sql): Adding client 10.35.93.221 (AP-BR2-TER-Q02) to global clients list
rlm_sql (10.35.93.221): Client "AP-BR2-TER-Q02" (sql) added
rlm_sql (sql): Adding client 10.35.93.222 (AP-BR2-TER-Q03) to global clients list
rlm_sql (10.35.93.222): Client "AP-BR2-TER-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.82.220 (AP-BRZ-TER-220) to global clients list
rlm_sql (10.34.82.220): Client "AP-BRZ-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.82.221 (AP-BRZ-TER-221) to global clients list
rlm_sql (10.34.82.221): Client "AP-BRZ-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.82.222 (AP-BRZ-TER-222) to global clients list
rlm_sql (10.34.82.222): Client "AP-BRZ-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.87.220 (AP-CEI-A01-220) to global clients list
rlm_sql (10.34.87.220): Client "AP-CEI-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.87.222 (AP-CEI-A01-222) to global clients list
rlm_sql (10.34.87.222): Client "AP-CEI-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.87.224 (AP-CEI-SUB-224) to global clients list
rlm_sql (10.34.87.224): Client "AP-CEI-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.87.221 (AP-CEI-TER-221) to global clients list
rlm_sql (10.34.87.221): Client "AP-CEI-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.87.223 (AP-CEI-TER-223) to global clients list
rlm_sql (10.34.87.223): Client "AP-CEI-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.92.225 (AP-CRI-A01-225) to global clients list
rlm_sql (10.34.92.225): Client "AP-CRI-A01-225" (sql) added
rlm_sql (sql): Adding client 10.34.92.226 (AP-CRI-A01-226) to global clients list
rlm_sql (10.34.92.226): Client "AP-CRI-A01-226" (sql) added
rlm_sql (sql): Adding client 10.34.92.223 (AP-CRI-A02-223) to global clients list
rlm_sql (10.34.92.223): Client "AP-CRI-A02-223" (sql) added
rlm_sql (sql): Adding client 10.34.92.227 (AP-CRI-A02-227) to global clients list
rlm_sql (10.34.92.227): Client "AP-CRI-A02-227" (sql) added
rlm_sql (sql): Adding client 10.34.92.234 (AP-CRI-A02-234) to global clients list
rlm_sql (10.34.92.234): Client "AP-CRI-A02-234" (sql) added
rlm_sql (sql): Adding client 10.34.97.221 (AP-GAM-A01-221) to global clients list
rlm_sql (10.34.97.221): Client "AP-GAM-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.97.223 (AP-GAM-A01-223) to global clients list
rlm_sql (10.34.97.223): Client "AP-GAM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.97.220 (AP-GAM-SUB-220) to global clients list
rlm_sql (10.34.97.220): Client "AP-GAM-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.97.222 (AP-GAM-TER-222) to global clients list
rlm_sql (10.34.97.222): Client "AP-GAM-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.102.220 (AP-GAR-A01-220) to global clients list
rlm_sql (10.34.102.220): Client "AP-GAR-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.117.221 (AP-INF-A01-221) to global clients list
rlm_sql (10.34.117.221): Client "AP-INF-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.117.222 (AP-INF-A01-222) to global clients list
rlm_sql (10.34.117.222): Client "AP-INF-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.121.100 (AP-INF-SUB-121) to global clients list
rlm_sql (10.34.121.100): Client "AP-INF-SUB-121" (sql) added
rlm_sql (sql): Adding client 10.34.117.224 (AP-INF-SUB-224) to global clients list
rlm_sql (10.34.117.224): Client "AP-INF-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.117.225 (AP-INF-SUB-225) to global clients list
rlm_sql (10.34.117.225): Client "AP-INF-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.117.220 (AP-INF-TER-220) to global clients list
rlm_sql (10.34.117.220): Client "AP-INF-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.117.223 (AP-INF-TER-223) to global clients list
rlm_sql (10.34.117.223): Client "AP-INF-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.177.220 (AP-NAI-A01-220) to global clients list
rlm_sql (10.34.177.220): Client "AP-NAI-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.127.221 (AP-PAR-A01-221) to global clients list
rlm_sql (10.34.127.221): Client "AP-PAR-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.127.224 (AP-PAR-A01-224) to global clients list
rlm_sql (10.34.127.224): Client "AP-PAR-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.127.223 (AP-PAR-SUB-223) to global clients list
rlm_sql (10.34.127.223): Client "AP-PAR-SUB-223" (sql) added
rlm_sql (sql): Adding client 10.34.127.225 (AP-PAR-SUB-225) to global clients list
rlm_sql (10.34.127.225): Client "AP-PAR-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.127.220 (AP-PAR-TER-220) to global clients list
rlm_sql (10.34.127.220): Client "AP-PAR-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.127.222 (AP-PAR-TER-222) to global clients list
rlm_sql (10.34.127.222): Client "AP-PAR-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.132.222 (AP-PLA-A01-222) to global clients list
rlm_sql (10.34.132.222): Client "AP-PLA-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.132.223 (AP-PLA-A01-223) to global clients list
rlm_sql (10.34.132.223): Client "AP-PLA-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.132.224 (AP-PLA-SUB-224) to global clients list
rlm_sql (10.34.132.224): Client "AP-PLA-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.132.220 (AP-PLA-TER-220) to global clients list
rlm_sql (10.34.132.220): Client "AP-PLA-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.132.221 (AP-PLA-TER-221) to global clients list
rlm_sql (10.34.132.221): Client "AP-PLA-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.187.222 (AP-REM-A01-222) to global clients list
rlm_sql (10.34.187.222): Client "AP-REM-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.187.223 (AP-REM-A01-223) to global clients list
rlm_sql (10.34.187.223): Client "AP-REM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.187.220 (AP-REM-SUB-220) to global clients list
rlm_sql (10.34.187.220): Client "AP-REM-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.187.221 (AP-REM-TER-221) to global clients list
rlm_sql (10.34.187.221): Client "AP-REM-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.137.223 (AP-SAM-A01-223) to global clients list
rlm_sql (10.34.137.223): Client "AP-SAM-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.137.224 (AP-SAM-A01-224) to global clients list
rlm_sql (10.34.137.224): Client "AP-SAM-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.137.222 (AP-SAM-SUB-222) to global clients list
rlm_sql (10.34.137.222): Client "AP-SAM-SUB-222" (sql) added
rlm_sql (sql): Adding client 10.34.137.225 (AP-SAM-SUB-225) to global clients list
rlm_sql (10.34.137.225): Client "AP-SAM-SUB-225" (sql) added
rlm_sql (sql): Adding client 10.34.137.226 (AP-SAM-SUB-226) to global clients list
rlm_sql (10.34.137.226): Client "AP-SAM-SUB-226" (sql) added
rlm_sql (sql): Adding client 10.34.137.220 (AP-SAM-TER-220) to global clients list
rlm_sql (10.34.137.220): Client "AP-SAM-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.137.221 (AP-SAM-TER-221) to global clients list
rlm_sql (10.34.137.221): Client "AP-SAM-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.9.222 (AP-SD1-A01-Q01) to global clients list
rlm_sql (10.34.9.222): Client "AP-SD1-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.9.223 (AP-SD1-A01-Q02) to global clients list
rlm_sql (10.34.9.223): Client "AP-SD1-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.9.220 (AP-SD1-A01-Q03) to global clients list
rlm_sql (10.34.9.220): Client "AP-SD1-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.9.221 (AP-SD1-A01-Q04) to global clients list
rlm_sql (10.34.9.221): Client "AP-SD1-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.12.222 (AP-SD1-A02-Q01) to global clients list
rlm_sql (10.34.12.222): Client "AP-SD1-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.12.223 (AP-SD1-A02-Q02) to global clients list
rlm_sql (10.34.12.223): Client "AP-SD1-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.12.220 (AP-SD1-A02-Q03) to global clients list
rlm_sql (10.34.12.220): Client "AP-SD1-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.12.221 (AP-SD1-A02-Q04) to global clients list
rlm_sql (10.34.12.221): Client "AP-SD1-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.15.221 (AP-SD1-A03-Q01) to global clients list
rlm_sql (10.34.15.221): Client "AP-SD1-A03-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.15.220 (AP-SD1-A03-Q02) to global clients list
rlm_sql (10.34.15.220): Client "AP-SD1-A03-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.15.223 (AP-SD1-A03-Q03) to global clients list
rlm_sql (10.34.15.223): Client "AP-SD1-A03-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.15.222 (AP-SD1-A03-Q04) to global clients list
rlm_sql (10.34.15.222): Client "AP-SD1-A03-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.18.222 (AP-SD1-A04-Q01) to global clients list
rlm_sql (10.34.18.222): Client "AP-SD1-A04-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.18.223 (AP-SD1-A04-Q02) to global clients list
rlm_sql (10.34.18.223): Client "AP-SD1-A04-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.18.220 (AP-SD1-A04-Q03) to global clients list
rlm_sql (10.34.18.220): Client "AP-SD1-A04-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.21.223 (AP-SD1-A05-Q01) to global clients list
rlm_sql (10.34.21.223): Client "AP-SD1-A05-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.21.222 (AP-SD1-A05-Q02) to global clients list
rlm_sql (10.34.21.222): Client "AP-SD1-A05-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.21.221 (AP-SD1-A05-Q03) to global clients list
rlm_sql (10.34.21.221): Client "AP-SD1-A05-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.21.220 (AP-SD1-A05-Q04) to global clients list
rlm_sql (10.34.21.220): Client "AP-SD1-A05-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.24.223 (AP-SD1-A06-Q01) to global clients list
rlm_sql (10.34.24.223): Client "AP-SD1-A06-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.24.222 (AP-SD1-A06-Q02) to global clients list
rlm_sql (10.34.24.222): Client "AP-SD1-A06-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.24.221 (AP-SD1-A06-Q03) to global clients list
rlm_sql (10.34.24.221): Client "AP-SD1-A06-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.24.220 (AP-SD1-A06-Q04) to global clients list
rlm_sql (10.34.24.220): Client "AP-SD1-A06-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.27.220 (AP-SD1-A07-Q01) to global clients list
rlm_sql (10.34.27.220): Client "AP-SD1-A07-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.27.221 (AP-SD1-A07-Q02) to global clients list
rlm_sql (10.34.27.221): Client "AP-SD1-A07-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.27.222 (AP-SD1-A07-Q03) to global clients list
rlm_sql (10.34.27.222): Client "AP-SD1-A07-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.27.223 (AP-SD1-A07-Q04) to global clients list
rlm_sql (10.34.27.223): Client "AP-SD1-A07-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.30.220 (AP-SD1-A08-Q01) to global clients list
rlm_sql (10.34.30.220): Client "AP-SD1-A08-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.30.221 (AP-SD1-A08-Q02) to global clients list
rlm_sql (10.34.30.221): Client "AP-SD1-A08-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.30.222 (AP-SD1-A08-Q03) to global clients list
rlm_sql (10.34.30.222): Client "AP-SD1-A08-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.30.223 (AP-SD1-A08-Q04) to global clients list
rlm_sql (10.34.30.223): Client "AP-SD1-A08-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.33.221 (AP-SD1-A09-Q01) to global clients list
rlm_sql (10.34.33.221): Client "AP-SD1-A09-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.33.220 (AP-SD1-A09-Q02) to global clients list
rlm_sql (10.34.33.220): Client "AP-SD1-A09-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.33.222 (AP-SD1-A09-Q03) to global clients list
rlm_sql (10.34.33.222): Client "AP-SD1-A09-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.33.223 (AP-SD1-A09-Q04) to global clients list
rlm_sql (10.34.33.223): Client "AP-SD1-A09-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.7.220 (AP-SD1-MEZ-220) to global clients list
rlm_sql (10.34.7.220): Client "AP-SD1-MEZ-220" (sql) added
rlm_sql (sql): Adding client 10.34.5.220 (AP-SD1-SUB-Q02) to global clients list
rlm_sql (10.34.5.220): Client "AP-SD1-SUB-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.5.223 (AP-SD1-SUB-Q03) to global clients list
rlm_sql (10.34.5.223): Client "AP-SD1-SUB-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.5.222 (AP-SD1-SUB-Q04) to global clients list
rlm_sql (10.34.5.222): Client "AP-SD1-SUB-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.7.221 (AP-SD1-TER-221) to global clients list
rlm_sql (10.34.7.221): Client "AP-SD1-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.7.222 (AP-SD1-TER-222) to global clients list
rlm_sql (10.34.7.222): Client "AP-SD1-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.7.223 (AP-SD1-TER-223) to global clients list
rlm_sql (10.34.7.223): Client "AP-SD1-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.7.224 (AP-SD1-TER-224) to global clients list
rlm_sql (10.34.7.224): Client "AP-SD1-TER-224" (sql) added
rlm_sql (sql): Adding client 10.34.40.222 (AP-SD2-A01-Q01) to global clients list
rlm_sql (10.34.40.222): Client "AP-SD2-A01-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.40.223 (AP-SD2-A01-Q02) to global clients list
rlm_sql (10.34.40.223): Client "AP-SD2-A01-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.40.221 (AP-SD2-A01-Q03) to global clients list
rlm_sql (10.34.40.221): Client "AP-SD2-A01-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.40.220 (AP-SD2-A01-Q04) to global clients list
rlm_sql (10.34.40.220): Client "AP-SD2-A01-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.43.222 (AP-SD2-A02-Q01) to global clients list
rlm_sql (10.34.43.222): Client "AP-SD2-A02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.43.223 (AP-SD2-A02-Q02) to global clients list
rlm_sql (10.34.43.223): Client "AP-SD2-A02-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.43.221 (AP-SD2-A02-Q03) to global clients list
rlm_sql (10.34.43.221): Client "AP-SD2-A02-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.43.220 (AP-SD2-A02-Q04) to global clients list
rlm_sql (10.34.43.220): Client "AP-SD2-A02-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.46.222 (AP-SD2-A03-Q01) to global clients list
rlm_sql (10.34.46.222): Client "AP-SD2-A03-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.46.223 (AP-SD2-A03-Q02) to global clients list
rlm_sql (10.34.46.223): Client "AP-SD2-A03-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.46.221 (AP-SD2-A03-Q03) to global clients list
rlm_sql (10.34.46.221): Client "AP-SD2-A03-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.46.220 (AP-SD2-A03-Q04) to global clients list
rlm_sql (10.34.46.220): Client "AP-SD2-A03-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.49.222 (AP-SD2-A04-Q01) to global clients list
rlm_sql (10.34.49.222): Client "AP-SD2-A04-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.49.223 (AP-SD2-A04-Q02) to global clients list
rlm_sql (10.34.49.223): Client "AP-SD2-A04-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.49.221 (AP-SD2-A04-Q03) to global clients list
rlm_sql (10.34.49.221): Client "AP-SD2-A04-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.49.220 (AP-SD2-A04-Q04) to global clients list
rlm_sql (10.34.49.220): Client "AP-SD2-A04-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.52.222 (AP-SD2-A05-Q01) to global clients list
rlm_sql (10.34.52.222): Client "AP-SD2-A05-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.52.223 (AP-SD2-A05-Q02) to global clients list
rlm_sql (10.34.52.223): Client "AP-SD2-A05-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.52.221 (AP-SD2-A05-Q03) to global clients list
rlm_sql (10.34.52.221): Client "AP-SD2-A05-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.52.220 (AP-SD2-A05-Q04) to global clients list
rlm_sql (10.34.52.220): Client "AP-SD2-A05-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.55.222 (AP-SD2-A06-Q01) to global clients list
rlm_sql (10.34.55.222): Client "AP-SD2-A06-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.55.223 (AP-SD2-A06-Q02) to global clients list
rlm_sql (10.34.55.223): Client "AP-SD2-A06-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.55.221 (AP-SD2-A06-Q03) to global clients list
rlm_sql (10.34.55.221): Client "AP-SD2-A06-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.55.220 (AP-SD2-A06-Q04) to global clients list
rlm_sql (10.34.55.220): Client "AP-SD2-A06-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.58.222 (AP-SD2-A07-Q01) to global clients list
rlm_sql (10.34.58.222): Client "AP-SD2-A07-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.58.223 (AP-SD2-A07-Q02) to global clients list
rlm_sql (10.34.58.223): Client "AP-SD2-A07-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.58.221 (AP-SD2-A07-Q03) to global clients list
rlm_sql (10.34.58.221): Client "AP-SD2-A07-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.58.220 (AP-SD2-A07-Q04) to global clients list
rlm_sql (10.34.58.220): Client "AP-SD2-A07-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.61.222 (AP-SD2-A08-Q01) to global clients list
rlm_sql (10.34.61.222): Client "AP-SD2-A08-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.61.223 (AP-SD2-A08-Q02) to global clients list
rlm_sql (10.34.61.223): Client "AP-SD2-A08-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.61.221 (AP-SD2-A08-Q03) to global clients list
rlm_sql (10.34.61.221): Client "AP-SD2-A08-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.61.220 (AP-SD2-A08-Q04) to global clients list
rlm_sql (10.34.61.220): Client "AP-SD2-A08-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.64.222 (AP-SD2-A09-Q01) to global clients list
rlm_sql (10.34.64.222): Client "AP-SD2-A09-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.64.223 (AP-SD2-A09-Q02) to global clients list
rlm_sql (10.34.64.223): Client "AP-SD2-A09-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.64.221 (AP-SD2-A09-Q03) to global clients list
rlm_sql (10.34.64.221): Client "AP-SD2-A09-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.64.220 (AP-SD2-A09-Q04) to global clients list
rlm_sql (10.34.64.220): Client "AP-SD2-A09-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.38.221 (AP-SD2-MEZ-Q01) to global clients list
rlm_sql (10.34.38.221): Client "AP-SD2-MEZ-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.38.220 (AP-SD2-MEZ-Q04) to global clients list
rlm_sql (10.34.38.220): Client "AP-SD2-MEZ-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.36.219 (AP-SD2-S02-Q01) to global clients list
rlm_sql (10.34.36.219): Client "AP-SD2-S02-Q01" (sql) added
rlm_sql (sql): Adding client 10.34.36.220 (AP-SD2-SUB-220) to global clients list
rlm_sql (10.34.36.220): Client "AP-SD2-SUB-220" (sql) added
rlm_sql (sql): Adding client 10.34.36.222 (AP-SD2-TER-Q02) to global clients list
rlm_sql (10.34.36.222): Client "AP-SD2-TER-Q02" (sql) added
rlm_sql (sql): Adding client 10.34.36.221 (AP-SD2-TER-Q03) to global clients list
rlm_sql (10.34.36.221): Client "AP-SD2-TER-Q03" (sql) added
rlm_sql (sql): Adding client 10.34.36.224 (AP-SD2-TER-Q04) to global clients list
rlm_sql (10.34.36.224): Client "AP-SD2-TER-Q04" (sql) added
rlm_sql (sql): Adding client 10.34.147.219 (AP-SEB-A01-219) to global clients list
rlm_sql (10.34.147.219): Client "AP-SEB-A01-219" (sql) added
rlm_sql (sql): Adding client 10.34.147.222 (AP-SEB-A01-222) to global clients list
rlm_sql (10.34.147.222): Client "AP-SEB-A01-222" (sql) added
rlm_sql (sql): Adding client 10.34.147.224 (AP-SEB-A01-224) to global clients list
rlm_sql (10.34.147.224): Client "AP-SEB-A01-224" (sql) added
rlm_sql (sql): Adding client 10.34.147.225 (AP-SEB-A01-225) to global clients list
rlm_sql (10.34.147.225): Client "AP-SEB-A01-225" (sql) added
rlm_sql (sql): Adding client 10.34.147.223 (AP-SEB-SUB-223) to global clients list
rlm_sql (10.34.147.223): Client "AP-SEB-SUB-223" (sql) added
rlm_sql (sql): Adding client 10.34.147.227 (AP-SEB-SUB-227) to global clients list
rlm_sql (10.34.147.227): Client "AP-SEB-SUB-227" (sql) added
rlm_sql (sql): Adding client 10.34.147.218 (AP-SEB-TER-218) to global clients list
rlm_sql (10.34.147.218): Client "AP-SEB-TER-218" (sql) added
rlm_sql (sql): Adding client 10.34.147.220 (AP-SEB-TER-220) to global clients list
rlm_sql (10.34.147.220): Client "AP-SEB-TER-220" (sql) added
rlm_sql (sql): Adding client 10.34.147.221 (AP-SEB-TER-221) to global clients list
rlm_sql (10.34.147.221): Client "AP-SEB-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.147.226 (AP-SEB-TER-226) to global clients list
rlm_sql (10.34.147.226): Client "AP-SEB-TER-226" (sql) added
rlm_sql (sql): Adding client 10.34.152.219 (AP-SOB-A02-219) to global clients list
rlm_sql (10.34.152.219): Client "AP-SOB-A02-219" (sql) added
rlm_sql (sql): Adding client 10.34.152.221 (AP-SOB-TER-221) to global clients list
rlm_sql (10.34.152.221): Client "AP-SOB-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.142.220 (AP-STA-A01-220) to global clients list
rlm_sql (10.34.142.220): Client "AP-STA-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.142.223 (AP-STA-A01-223) to global clients list
rlm_sql (10.34.142.223): Client "AP-STA-A01-223" (sql) added
rlm_sql (sql): Adding client 10.34.142.222 (AP-STA-SUB-222) to global clients list
rlm_sql (10.34.142.222): Client "AP-STA-SUB-222" (sql) added
rlm_sql (sql): Adding client 10.34.142.221 (AP-STA-TER-221) to global clients list
rlm_sql (10.34.142.221): Client "AP-STA-TER-221" (sql) added
rlm_sql (sql): Adding client 10.34.157.220 (AP-TAG-A01-220) to global clients list
rlm_sql (10.34.157.220): Client "AP-TAG-A01-220" (sql) added
rlm_sql (sql): Adding client 10.34.157.221 (AP-TAG-A01-221) to global clients list
rlm_sql (10.34.157.221): Client "AP-TAG-A01-221" (sql) added
rlm_sql (sql): Adding client 10.34.157.224 (AP-TAG-SUB-224) to global clients list
rlm_sql (10.34.157.224): Client "AP-TAG-SUB-224" (sql) added
rlm_sql (sql): Adding client 10.34.157.223 (AP-TAG-TER-223) to global clients list
rlm_sql (10.34.157.223): Client "AP-TAG-TER-223" (sql) added
rlm_sql (sql): Adding client 10.34.182.220 (AP-TJ-GUA-220) to global clients list
rlm_sql (10.34.182.220): Client "AP-TJ-GUA-220" (sql) added
rlm_sql (sql): Adding client 10.34.157.222 (AP-TAG-TER-222) to global clients list
rlm_sql (10.34.157.222): Client "AP-TAG-TER-222" (sql) added
rlm_sql (sql): Adding client 10.34.240.20 (nagios) to global clients list
rlm_sql (10.34.240.20): Client "nagios" (sql) added
rlm_sql (sql): Adding client 10.34.241.56 (nagios2) to global clients list
rlm_sql (10.34.241.56): Client "nagios2" (sql) added
rlm_sql (sql): Adding client 10.34.173.10 (nagiosCont) to global clients list
rlm_sql (10.34.173.10): Client "nagiosCont" (sql) added
rlm_sql (sql): Adding client 10.34.5.221 (AP-SD1-SUB-Q01) to global clients list
rlm_sql (10.34.5.221): Client "AP-SD1-SUB-Q01" (sql) added
rlm_sql (sql): Adding client 10.35.93.220 (AP-BR2-S01-220) to global clients list
rlm_sql (10.35.93.220): Client "AP-BR2-S01-220" (sql) added
rlm_sql (sql): Adding client 10.34.152.220 (AP-SOB-A01-220) to global clients list
rlm_sql (10.34.152.220): Client "AP-SOB-A01-220" (sql) added
rlm_sql (sql): Adding client 10.35.36.201 (AP-SD2-S02-201) to global clients list
rlm_sql (10.35.36.201): Client "AP-SD2-S02-201" (sql) added
rlm_sql (sql): Adding client 10.34.97.219 (AP-GAM-S01-219) to global clients list
rlm_sql (10.34.97.219): Client "AP-GAM-S01-219" (sql) added
rlm_sql (sql): Adding client 10.34.97.224 (AP-GAM-TER-224) to global clients list
rlm_sql (10.34.97.224): Client "AP-GAM-TER-224" (sql) added
rlm_sql (sql): Adding client 10.34.36.223 (AP-SD2-S01-Q01) to global clients list
rlm_sql (10.34.36.223): Client "AP-SD2-S01-Q01" (sql) added
rlm_sql (sql): Released connection (0)
rlm_sql (sql): Need 5 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (5), 1 of 27 pending slots used
rlm_sql_postgresql: Connecting using parameters: dbname='radius' host='localhost' port=5432 user='radius' password='senhadoradius'
Connected to database 'radius' on 'localhost' server version 90617, protocol version 3, backend PID 13113
  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
   pool {
    start = 5
    min = 3
    max = 32
    spare = 10
    uses = 0
    lifetime = 86400
    cleanup_interval = 300
    idle_timeout = 600
    retry_delay = 30
    spread = no
   }
rlm_mschap (mschap): Opening additional connection (0), 1 of 32 pending slots used
rlm_mschap (mschap): Opening additional connection (1), 1 of 31 pending slots used
rlm_mschap (mschap): Opening additional connection (2), 1 of 30 pending slots used
rlm_mschap (mschap): Opening additional connection (3), 1 of 29 pending slots used
rlm_mschap (mschap): Opening additional connection (4), 1 of 28 pending slots used
rlm_mschap (mschap): authenticating directly to winbind
  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files
reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize
reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting
reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy
  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail
rlm_detail (detail): 'User-Password' suppressed, will not appear in detail output
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading pre-proxy {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server inner-tunnel
server status { # from file /etc/freeradius/3.0/sites-enabled/status
 # Loading authorize {...}
} # server status
radiusd: #### Opening IP addresses and Ports ####
listen {
  type = "control"
 listen {
  socket = "/var/run/freeradius/freeradius.sock"
  mode = "rw"
  peercred = yes
 }
}
listen {
  type = "auth"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipaddr = *
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "acct"
  ipv6addr = ::
  port = 0
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
}
listen {
  type = "auth"
  ipaddr = 127.0.0.1
  port = 18120
}
listen {
  type = "status"
  ipaddr = 127.0.0.1
  port = 18121
  client admin {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = <<< secret >>>
   limit {
    max_connections = 16
    lifetime = 0
    idle_timeout = 30
   }
  }
}
Listening on command file /var/run/freeradius/freeradius.sock
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on status address 127.0.0.1 port 18121 bound to server status
Listening on proxy address * port 54845
Listening on proxy address :: port 40154
Ready to process requests

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: Incorrect username being registered by freeradius

Alan DeKok-2
On Jun 22, 2020, at 10:04 PM, Daniel Guimaraes Pena <[hidden email]> wrote:
>
> Hi everyone,
>
> My freeradius (FreeRADIUS Version 3.0.12) sometimes accept users and logs at postgre some username that just don’t exist at Active Directory. I just couldn’t debug and stopped at dead end now.

  FreeRADIUS doesn't accept *any* users by default.  So if it accepts a user name, it's because your local system is configured to accept them.

> Here to illustrate:
> Mon Jun 22 18:35:06 2020 : Auth: (82485)   Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 0 via TLS tunnel)
> Mon Jun 22 18:35:06 2020 : Auth: (82486) Login OK: [flaviol] (from client AP-SD1-A07-Q04 port 2 cli E0-5F-45-###)
> -[ RECORD 1 ]------+---------------------------------
> radacctid          | 5993772
> acctsessionid      | 38ED2133-00000040
> acctuniqueid       | 2e3edbe1aa2069c36ac67cf96384219c
> username           | e05f4588a57d

  That looks like a MAC address.

> Both entries are from the same device (same MAC address),

   So what's the MAC address?

> received Login OK, but the first one got that string as username. Client is not the same. But there is a lot of entries with the correct username for that client.
> The odd thing is when it happens, the same string appears to the that user all the time. For other user, a different string appears and it will be always the same.

  Yes, likely because it's the MAC address of the device.

> Sorry, but this is a difficult problem to explain... Even the title of thread was difficult to choose =[
> Anyway, can anyone help me debug this problem?
>
>
> # lsb_release -a

  None of that matters.

> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.22 22:51:13 =~=~=~=~=~=~=~=~=~=~=~=
> freeradius -X
> ...
> Ready to process requests

  And... nothing.

  How can we debug the server when you don't provide debug logs?

  Read this:  http://wiki.freeradius.org/list-help

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

RES: Incorrect username being registered by freeradius

daniel.pena
Thanks for anwaring, Alan, you were right: that is his MAC Address.

Sorry for that missing debug... I had just restarted server and lost all logs.

Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet.
For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username?

And this one here, that is NOT a mac address:
[local]:5432 radius@radius=> select * from radacct where radacctid = '6000795';
-[ RECORD 1 ]------+---------------------------------
radacctid          | 6000795
acctsessionid      | 38EBA713-00000041
acctuniqueid       | 6b521bf17a61aa914f0f67b33c558e07
username           | 347117
groupname          |
realm              |
nasipaddress       | 10.34.15.221
nasportid          | 2
nasporttype        | Wireless-802.11
acctstarttime      | 2020-06-23 11:18:40-03
acctupdatetime     | 2020-06-23 11:18:40-03
acctstoptime       |
acctinterval       |
acctsessiontime    | 0
acctauthentic      | RADIUS
connectinfo_start  | CONNECT 54Mbps 802.11g
connectinfo_stop   |
acctinputoctets    | 0
acctoutputoctets   | 0
calledstationid    | 5C-D9-98-14-37-48:MPDFT
callingstationid   | 48-49-C7-71-79-66
acctterminatecause |
servicetype        |
framedprotocol     |
framedipaddress    |

Time: 4.267 ms
[local]:5432 radius@radius=>


Reading debug, real login is "luciana.nogueira"
Here the debug log for this entry:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~=
grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log
(49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151
(49257)   User-Name = "347117"
(49257)   NAS-IP-Address = 10.34.15.221
(49257)   NAS-Port = 2
(49257)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49257)   Calling-Station-Id = "48-49-C7-71-79-66"
(49257)   Framed-MTU = 1400
(49257)   NAS-Port-Type = Wireless-802.11
(49257)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49257)   EAP-Message = 0x0200000b01333437313137
(49257)   Message-Authenticator = 0x05d29ff74e6c4903b1ab83208153a6ad
(49257) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49257)   authorize {
(49257)     policy filter_username {
(49257)       if (&User-Name) {
(49257)       if (&User-Name)  -> TRUE
(49257)       if (&User-Name)  {
(49257)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49257)         EXPAND %{tolower:%{User-Name}}
(49257)            --> 347117
(49257)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49257)         if (&User-Name =~ / /) {
(49257)         if (&User-Name =~ / /)  -> FALSE
(49257)         if (&User-Name =~ /@[^@]*@/ ) {
(49257)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49257)         if (&User-Name =~ /\.\./ ) {
(49257)         if (&User-Name =~ /\.\./ )  -> FALSE
(49257)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49257)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49257)         if (&User-Name =~ /\.$/)  {
(49257)         if (&User-Name =~ /\.$/)   -> FALSE
(49257)         if (&User-Name =~ /@\./)  {
(49257)         if (&User-Name =~ /@\./)   -> FALSE
(49257)       } # if (&User-Name)  = notfound
(49257)     } # policy filter_username = notfound
(49257)     [preprocess] = ok
(49257) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49257) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49257) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49257) auth_log: EXPAND %t
(49257) auth_log:    --> Tue Jun 23 11:18:40 2020
(49257)     [auth_log] = ok
(49257)     [chap] = noop
(49257)     [mschap] = noop
(49257)     [digest] = noop
(49257) suffix: Checking for suffix after "@"
(49257) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49257) suffix: No such realm "NULL"
(49257)     [suffix] = noop
(49257) eap: Peer sent EAP Response (code 2) ID 0 length 11
(49257) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(49257)     [eap] = ok
(49257)   } # authorize = ok
(49257) Found Auth-Type = eap
(49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49257)   authenticate {
(49257) eap: Peer sent packet with method EAP Identity (1)
(49257) eap: Calling submodule eap_md5 to process data
(49257) eap_md5: Issuing MD5 Challenge
(49257) eap: Sending EAP Request (code 1) ID 1 length 22
(49257) eap: EAP session adding &reply:State = 0x343264483433605b
(49257)     [eap] = handled
(49257)   } # authenticate = handled
(49257) Using Post-Auth-Type Challenge
(49257) Post-Auth-Type sub-section not found.  Ignoring.
(49257) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49257) Sent Access-Challenge Id 151 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49257)   EAP-Message = 0x010100160410f293b8de33b4c8cebe98befea9b4bfc6
(49257)   Message-Authenticator = 0x00000000000000000000000000000000
(49257)   State = 0x343264483433605baa04a227c6849a7d
(49257) Finished request
(49258) Received Access-Request Id 152 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49258)   User-Name = "347117"
(49258)   NAS-IP-Address = 10.34.15.221
(49258)   NAS-Port = 2
(49258)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49258)   Calling-Station-Id = "48-49-C7-71-79-66"
(49258)   Framed-MTU = 1400
(49258)   NAS-Port-Type = Wireless-802.11
(49258)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49258)   EAP-Message = 0x020100060319
(49258)   State = 0x343264483433605baa04a227c6849a7d
(49258)   Message-Authenticator = 0x2e74fdc7c9c9592fc2232375736fd39e
(49258) session-state: No cached attributes
(49258) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49258)   authorize {
(49258)     policy filter_username {
(49258)       if (&User-Name) {
(49258)       if (&User-Name)  -> TRUE
(49258)       if (&User-Name)  {
(49258)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49258)         EXPAND %{tolower:%{User-Name}}
(49258)            --> 347117
(49258)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49258)         if (&User-Name =~ / /) {
(49258)         if (&User-Name =~ / /)  -> FALSE
(49258)         if (&User-Name =~ /@[^@]*@/ ) {
(49258)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49258)         if (&User-Name =~ /\.\./ ) {
(49258)         if (&User-Name =~ /\.\./ )  -> FALSE
(49258)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49258)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49258)         if (&User-Name =~ /\.$/)  {
(49258)         if (&User-Name =~ /\.$/)   -> FALSE
(49258)         if (&User-Name =~ /@\./)  {
(49258)         if (&User-Name =~ /@\./)   -> FALSE
(49258)       } # if (&User-Name)  = notfound
(49258)     } # policy filter_username = notfound
(49258)     [preprocess] = ok
(49258) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49258) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49258) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49258) auth_log: EXPAND %t
(49258) auth_log:    --> Tue Jun 23 11:18:40 2020
(49258)     [auth_log] = ok
(49258)     [chap] = noop
(49258)     [mschap] = noop
(49258)     [digest] = noop
(49258) suffix: Checking for suffix after "@"
(49258) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49258) suffix: No such realm "NULL"
(49258)     [suffix] = noop
(49258) eap: Peer sent EAP Response (code 2) ID 1 length 6
(49258) eap: No EAP Start, assuming it's an on-going EAP conversation
(49258)     [eap] = updated
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258) files: Failed resolving UID: No error
(49258)     [files] = noop
(49258) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49258) sql:    --> 347117
(49258) sql: SQL-User-Name set to '347117'
(49258) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49258) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id
(49258) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '347117' ORDER BY id
(49258) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49258) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority
(49258) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='347117' ORDER BY priority
(49258) sql: User not found in any groups
(49258)     [sql] = notfound
(49258)     [expiration] = noop
(49258)     [logintime] = noop
(49258)     if (ok) {
(49258)     if (ok)  -> FALSE
(49258) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(49258) pap: WARNING: Authentication will fail unless a "known good" password is available
(49258)     [pap] = noop
(49258)   } # authorize = updated
(49258) Found Auth-Type = eap
(49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49258)   authenticate {
(49258) eap: Expiring EAP session with state 0x9e6734429e602efe
(49258) eap: Finished EAP session with state 0x343264483433605b
(49258) eap: Previous EAP request found for state 0x343264483433605b, released from the list
(49258) eap: Peer sent packet with method EAP NAK (3)
(49258) eap: Found mutually acceptable type PEAP (25)
(49258) eap: Calling submodule eap_peap to process data
(49258) eap_peap: Initiating new EAP-TLS session
(49258) eap_peap: [eaptls start] = request
(49258) eap: Sending EAP Request (code 1) ID 2 length 6
(49258) eap: EAP session adding &reply:State = 0x3432644835307d5b
(49258)     [eap] = handled
(49258)   } # authenticate = handled
(49258) Using Post-Auth-Type Challenge
(49258) Post-Auth-Type sub-section not found.  Ignoring.
(49258) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49258) Sent Access-Challenge Id 152 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49258)   EAP-Message = 0x010200061920
(49258)   Message-Authenticator = 0x00000000000000000000000000000000
(49258)   State = 0x3432644835307d5baa04a227c6849a7d
(49258) Finished request
(49259) Received Access-Request Id 153 from 10.34.15.221:1384 to 10.34.242.3:1812 length 326
(49259)   User-Name = "347117"
(49259)   NAS-IP-Address = 10.34.15.221
(49259)   NAS-Port = 2
(49259)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49259)   Calling-Station-Id = "48-49-C7-71-79-66"
(49259)   Framed-MTU = 1400
(49259)   NAS-Port-Type = Wireless-802.11
(49259)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49259)   EAP-Message = 0x020200a819800000009e1603010099010000950303262d96da74efd8b3abd9ea487f3eefd244880121eafd4d7ae21333a470c9fa8000003cc02cc030009fc02bc02f009ec00ac024c014c0280039006bc009c023c013c02700330067c007c011009d009c0035003d002f003c00050004000a00ff010000
(49259)   State = 0x3432644835307d5baa04a227c6849a7d
(49259)   Message-Authenticator = 0x50041aeb08622f23641026170cf40598
(49259) session-state: No cached attributes
(49259) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49259)   authorize {
(49259)     policy filter_username {
(49259)       if (&User-Name) {
(49259)       if (&User-Name)  -> TRUE
(49259)       if (&User-Name)  {
(49259)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49259)         EXPAND %{tolower:%{User-Name}}
(49259)            --> 347117
(49259)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49259)         if (&User-Name =~ / /) {
(49259)         if (&User-Name =~ / /)  -> FALSE
(49259)         if (&User-Name =~ /@[^@]*@/ ) {
(49259)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49259)         if (&User-Name =~ /\.\./ ) {
(49259)         if (&User-Name =~ /\.\./ )  -> FALSE
(49259)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49259)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49259)         if (&User-Name =~ /\.$/)  {
(49259)         if (&User-Name =~ /\.$/)   -> FALSE
(49259)         if (&User-Name =~ /@\./)  {
(49259)         if (&User-Name =~ /@\./)   -> FALSE
(49259)       } # if (&User-Name)  = notfound
(49259)     } # policy filter_username = notfound
(49259)     [preprocess] = ok
(49259) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49259) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49259) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49259) auth_log: EXPAND %t
(49259) auth_log:    --> Tue Jun 23 11:18:40 2020
(49259)     [auth_log] = ok
(49259)     [chap] = noop
(49259)     [mschap] = noop
(49259)     [digest] = noop
(49259) suffix: Checking for suffix after "@"
(49259) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49259) suffix: No such realm "NULL"
(49259)     [suffix] = noop
(49259) eap: Peer sent EAP Response (code 2) ID 2 length 168
(49259) eap: Continuing tunnel setup
(49259)     [eap] = ok
(49259)   } # authorize = ok
(49259) Found Auth-Type = eap
(49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49259)   authenticate {
(49259) eap: Expiring EAP session with state 0x9e6734429e602efe
(49259) eap: Finished EAP session with state 0x3432644835307d5b
(49259) eap: Previous EAP request found for state 0x3432644835307d5b, released from the list
(49259) eap: Peer sent packet with method EAP PEAP (25)
(49259) eap: Calling submodule eap_peap to process data
(49259) eap_peap: Continuing EAP-TLS
(49259) eap_peap: Peer indicated complete TLS record size will be 158 bytes
(49259) eap_peap: Got complete TLS record (158 bytes)
(49259) eap_peap: [eaptls verify] = length included
(49259) eap_peap: (other): before SSL initialization
(49259) eap_peap: TLS_accept: before SSL initialization
(49259) eap_peap: TLS_accept: before SSL initialization
(49259) eap_peap: <<< recv TLS 1.2  [length 0099]
(49259) eap_peap: TLS_accept: SSLv3/TLS read client hello
(49259) eap_peap: >>> send TLS 1.2  [length 003d]
(49259) eap_peap: TLS_accept: SSLv3/TLS write server hello
(49259) eap_peap: >>> send TLS 1.2  [length 0309]
(49259) eap_peap: TLS_accept: SSLv3/TLS write certificate
(49259) eap_peap: >>> send TLS 1.2  [length 014d]
(49259) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(49259) eap_peap: >>> send TLS 1.2  [length 0004]
(49259) eap_peap: TLS_accept: SSLv3/TLS write server done
(49259) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(49259) eap_peap: In SSL Handshake Phase
(49259) eap_peap: In SSL Accept mode
(49259) eap_peap: [eaptls process] = handled
(49259) eap: Sending EAP Request (code 1) ID 3 length 1004
(49259) eap: EAP session adding &reply:State = 0x3432644836317d5b
(49259)     [eap] = handled
(49259)   } # authenticate = handled
(49259) Using Post-Auth-Type Challenge
(49259) Post-Auth-Type sub-section not found.  Ignoring.
(49259) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49259) Sent Access-Challenge Id 153 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49259)   EAP-Message = 0x010303ec19c0000004ab160303003d020000390303f241d7c71827a10f2a9b2a858a6aa1d49a9d9ac5b04e7214afadfd6e9e950a4500c030000011ff01000100000b0004030001020017000016030303090b0003050003020002ff308202fb308201e3a003020102020900c2aeeb1715cab80a300d0609
(49259)   Message-Authenticator = 0x00000000000000000000000000000000
(49259)   State = 0x3432644836317d5baa04a227c6849a7d
(49259) Finished request
(49260) Received Access-Request Id 154 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49260)   User-Name = "347117"
(49260)   NAS-IP-Address = 10.34.15.221
(49260)   NAS-Port = 2
(49260)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49260)   Calling-Station-Id = "48-49-C7-71-79-66"
(49260)   Framed-MTU = 1400
(49260)   NAS-Port-Type = Wireless-802.11
(49260)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49260)   EAP-Message = 0x020300061900
(49260)   State = 0x3432644836317d5baa04a227c6849a7d
(49260)   Message-Authenticator = 0x1f873dbabab484975e0fafe17930a45a
(49260) session-state: No cached attributes
(49260) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49260)   authorize {
(49260)     policy filter_username {
(49260)       if (&User-Name) {
(49260)       if (&User-Name)  -> TRUE
(49260)       if (&User-Name)  {
(49260)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49260)         EXPAND %{tolower:%{User-Name}}
(49260)            --> 347117
(49260)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49260)         if (&User-Name =~ / /) {
(49260)         if (&User-Name =~ / /)  -> FALSE
(49260)         if (&User-Name =~ /@[^@]*@/ ) {
(49260)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49260)         if (&User-Name =~ /\.\./ ) {
(49260)         if (&User-Name =~ /\.\./ )  -> FALSE
(49260)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49260)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49260)         if (&User-Name =~ /\.$/)  {
(49260)         if (&User-Name =~ /\.$/)   -> FALSE
(49260)         if (&User-Name =~ /@\./)  {
(49260)         if (&User-Name =~ /@\./)   -> FALSE
(49260)       } # if (&User-Name)  = notfound
(49260)     } # policy filter_username = notfound
(49260)     [preprocess] = ok
(49260) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49260) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49260) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49260) auth_log: EXPAND %t
(49260) auth_log:    --> Tue Jun 23 11:18:40 2020
(49260)     [auth_log] = ok
(49260)     [chap] = noop
(49260)     [mschap] = noop
(49260)     [digest] = noop
(49260) suffix: Checking for suffix after "@"
(49260) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49260) suffix: No such realm "NULL"
(49260)     [suffix] = noop
(49260) eap: Peer sent EAP Response (code 2) ID 3 length 6
(49260) eap: Continuing tunnel setup
(49260)     [eap] = ok
(49260)   } # authorize = ok
(49260) Found Auth-Type = eap
(49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49260)   authenticate {
(49260) eap: Expiring EAP session with state 0x9e6734429e602efe
(49260) eap: Finished EAP session with state 0x3432644836317d5b
(49260) eap: Previous EAP request found for state 0x3432644836317d5b, released from the list
(49260) eap: Peer sent packet with method EAP PEAP (25)
(49260) eap: Calling submodule eap_peap to process data
(49260) eap_peap: Continuing EAP-TLS
(49260) eap_peap: Peer ACKed our handshake fragment
(49260) eap_peap: [eaptls verify] = request
(49260) eap_peap: [eaptls process] = handled
(49260) eap: Sending EAP Request (code 1) ID 4 length 207
(49260) eap: EAP session adding &reply:State = 0x3432644837367d5b
(49260)     [eap] = handled
(49260)   } # authenticate = handled
(49260) Using Post-Auth-Type Challenge
(49260) Post-Auth-Type sub-section not found.  Ignoring.
(49260) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49260) Sent Access-Challenge Id 154 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49260)   EAP-Message = 0x010400cf1900305906ade17209efbcdb1498025ff3d98879761462b514b58ec19daff0e28525b8909274c327a5b9f22c77451d049714cbe1b8e95e49ff1eb91889a006f05bba93c0807640ba9eeb989f8c432facb809700019a772e41794c376b7529859d9e66686b46b10ac8917506a28b5c755f6f8b1
(49260)   Message-Authenticator = 0x00000000000000000000000000000000
(49260)   State = 0x3432644837367d5baa04a227c6849a7d
(49260) Finished request
(49261) Received Access-Request Id 155 from 10.34.15.221:1384 to 10.34.242.3:1812 length 294
(49261)   User-Name = "347117"
(49261)   NAS-IP-Address = 10.34.15.221
(49261)   NAS-Port = 2
(49261)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49261)   Calling-Station-Id = "48-49-C7-71-79-66"
(49261)   Framed-MTU = 1400
(49261)   NAS-Port-Type = Wireless-802.11
(49261)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49261)   EAP-Message = 0x0204008819800000007e1603030046100000424104e347c229d4720d030776a26d2195a9d2619346feaa947b8d43fe9fad8481577166a001a8d60a615e17594c4f5d1c555f15ad394a27ea517bd9a9ee202255842914030300010116030300280000000000000000129345887899d05232b771b7479ff7
(49261)   State = 0x3432644837367d5baa04a227c6849a7d
(49261)   Message-Authenticator = 0x8f80e28e4efc8628917e8dcbe18e0622
(49261) session-state: No cached attributes
(49261) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49261)   authorize {
(49261)     policy filter_username {
(49261)       if (&User-Name) {
(49261)       if (&User-Name)  -> TRUE
(49261)       if (&User-Name)  {
(49261)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49261)         EXPAND %{tolower:%{User-Name}}
(49261)            --> 347117
(49261)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49261)         if (&User-Name =~ / /) {
(49261)         if (&User-Name =~ / /)  -> FALSE
(49261)         if (&User-Name =~ /@[^@]*@/ ) {
(49261)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49261)         if (&User-Name =~ /\.\./ ) {
(49261)         if (&User-Name =~ /\.\./ )  -> FALSE
(49261)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49261)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49261)         if (&User-Name =~ /\.$/)  {
(49261)         if (&User-Name =~ /\.$/)   -> FALSE
(49261)         if (&User-Name =~ /@\./)  {
(49261)         if (&User-Name =~ /@\./)   -> FALSE
(49261)       } # if (&User-Name)  = notfound
(49261)     } # policy filter_username = notfound
(49261)     [preprocess] = ok
(49261) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49261) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49261) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49261) auth_log: EXPAND %t
(49261) auth_log:    --> Tue Jun 23 11:18:40 2020
(49261)     [auth_log] = ok
(49261)     [chap] = noop
(49261)     [mschap] = noop
(49261)     [digest] = noop
(49261) suffix: Checking for suffix after "@"
(49261) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49261) suffix: No such realm "NULL"
(49261)     [suffix] = noop
(49261) eap: Peer sent EAP Response (code 2) ID 4 length 136
(49261) eap: Continuing tunnel setup
(49261)     [eap] = ok
(49261)   } # authorize = ok
(49261) Found Auth-Type = eap
(49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49261)   authenticate {
(49261) eap: Expiring EAP session with state 0x9e6734429e602efe
(49261) eap: Finished EAP session with state 0x3432644837367d5b
(49261) eap: Previous EAP request found for state 0x3432644837367d5b, released from the list
(49261) eap: Peer sent packet with method EAP PEAP (25)
(49261) eap: Calling submodule eap_peap to process data
(49261) eap_peap: Continuing EAP-TLS
(49261) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(49261) eap_peap: Got complete TLS record (126 bytes)
(49261) eap_peap: [eaptls verify] = length included
(49261) eap_peap: TLS_accept: SSLv3/TLS write server done
(49261) eap_peap: <<< recv TLS 1.2  [length 0046]
(49261) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(49261) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(49261) eap_peap: <<< recv TLS 1.2  [length 0010]
(49261) eap_peap: TLS_accept: SSLv3/TLS read finished
(49261) eap_peap: >>> send TLS 1.2  [length 0001]
(49261) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(49261) eap_peap: >>> send TLS 1.2  [length 0010]
(49261) eap_peap: TLS_accept: SSLv3/TLS write finished
(49261) eap_peap: (other): SSL negotiation finished successfully
(49261) eap_peap: SSL Connection Established
(49261) eap_peap: [eaptls process] = handled
(49261) eap: Sending EAP Request (code 1) ID 5 length 57
(49261) eap: EAP session adding &reply:State = 0x3432644830377d5b
(49261)     [eap] = handled
(49261)   } # authenticate = handled
(49261) Using Post-Auth-Type Challenge
(49261) Post-Auth-Type sub-section not found.  Ignoring.
(49261) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49261) Sent Access-Challenge Id 155 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49261)   EAP-Message = 0x01050039190014030300010116030300288ad05ce60e5ee56aa8fd940dbf64fb565398577f45d3a8687b23d15f21a95ece7c4c893f88783014
(49261)   Message-Authenticator = 0x00000000000000000000000000000000
(49261)   State = 0x3432644830377d5baa04a227c6849a7d
(49261) Finished request
(49262) Received Access-Request Id 156 from 10.34.15.221:1384 to 10.34.242.3:1812 length 164
(49262)   User-Name = "347117"
(49262)   NAS-IP-Address = 10.34.15.221
(49262)   NAS-Port = 2
(49262)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49262)   Calling-Station-Id = "48-49-C7-71-79-66"
(49262)   Framed-MTU = 1400
(49262)   NAS-Port-Type = Wireless-802.11
(49262)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49262)   EAP-Message = 0x020500061900
(49262)   State = 0x3432644830377d5baa04a227c6849a7d
(49262)   Message-Authenticator = 0x9a71a530fc4e39a0cda671f47b038d60
(49262) session-state: No cached attributes
(49262) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49262)   authorize {
(49262)     policy filter_username {
(49262)       if (&User-Name) {
(49262)       if (&User-Name)  -> TRUE
(49262)       if (&User-Name)  {
(49262)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49262)         EXPAND %{tolower:%{User-Name}}
(49262)            --> 347117
(49262)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49262)         if (&User-Name =~ / /) {
(49262)         if (&User-Name =~ / /)  -> FALSE
(49262)         if (&User-Name =~ /@[^@]*@/ ) {
(49262)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49262)         if (&User-Name =~ /\.\./ ) {
(49262)         if (&User-Name =~ /\.\./ )  -> FALSE
(49262)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49262)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49262)         if (&User-Name =~ /\.$/)  {
(49262)         if (&User-Name =~ /\.$/)   -> FALSE
(49262)         if (&User-Name =~ /@\./)  {
(49262)         if (&User-Name =~ /@\./)   -> FALSE
(49262)       } # if (&User-Name)  = notfound
(49262)     } # policy filter_username = notfound
(49262)     [preprocess] = ok
(49262) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49262) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49262) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49262) auth_log: EXPAND %t
(49262) auth_log:    --> Tue Jun 23 11:18:40 2020
(49262)     [auth_log] = ok
(49262)     [chap] = noop
(49262)     [mschap] = noop
(49262)     [digest] = noop
(49262) suffix: Checking for suffix after "@"
(49262) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49262) suffix: No such realm "NULL"
(49262)     [suffix] = noop
(49262) eap: Peer sent EAP Response (code 2) ID 5 length 6
(49262) eap: Continuing tunnel setup
(49262)     [eap] = ok
(49262)   } # authorize = ok
(49262) Found Auth-Type = eap
(49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49262)   authenticate {
(49262) eap: Expiring EAP session with state 0x9e6734429e602efe
(49262) eap: Finished EAP session with state 0x3432644830377d5b
(49262) eap: Previous EAP request found for state 0x3432644830377d5b, released from the list
(49262) eap: Peer sent packet with method EAP PEAP (25)
(49262) eap: Calling submodule eap_peap to process data
(49262) eap_peap: Continuing EAP-TLS
(49262) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(49262) eap_peap: [eaptls verify] = success
(49262) eap_peap: [eaptls process] = success
(49262) eap_peap: Session established.  Decoding tunneled attributes
(49262) eap_peap: PEAP state TUNNEL ESTABLISHED
(49262) eap: Sending EAP Request (code 1) ID 6 length 40
(49262) eap: EAP session adding &reply:State = 0x3432644831347d5b
(49262)     [eap] = handled
(49262)   } # authenticate = handled
(49262) Using Post-Auth-Type Challenge
(49262) Post-Auth-Type sub-section not found.  Ignoring.
(49262) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49262) Sent Access-Challenge Id 156 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49262)   EAP-Message = 0x010600281900170303001d8ad05ce60e5ee56b04ae2e2e3b80438ad90309abe6117ae0e5da1b62b4
(49262)   Message-Authenticator = 0x00000000000000000000000000000000
(49262)   State = 0x3432644831347d5baa04a227c6849a7d
(49262) Finished request
(49263) Received Access-Request Id 157 from 10.34.15.221:1384 to 10.34.242.3:1812 length 210
(49263)   User-Name = "347117"
(49263)   NAS-IP-Address = 10.34.15.221
(49263)   NAS-Port = 2
(49263)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49263)   Calling-Station-Id = "48-49-C7-71-79-66"
(49263)   Framed-MTU = 1400
(49263)   NAS-Port-Type = Wireless-802.11
(49263)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49263)   EAP-Message = 0x0206003419001703030029000000000000000128fd4cc44d77dddfae0f69a41d8c6d206cad6d4b0935736eb8e7051c2e6845eeff
(49263)   State = 0x3432644831347d5baa04a227c6849a7d
(49263)   Message-Authenticator = 0x8eb9fb4fd0d08a9bab42661adcc8d699
(49263) session-state: No cached attributes
(49263) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49263)   authorize {
(49263)     policy filter_username {
(49263)       if (&User-Name) {
(49263)       if (&User-Name)  -> TRUE
(49263)       if (&User-Name)  {
(49263)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49263)         EXPAND %{tolower:%{User-Name}}
(49263)            --> 347117
(49263)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49263)         if (&User-Name =~ / /) {
(49263)         if (&User-Name =~ / /)  -> FALSE
(49263)         if (&User-Name =~ /@[^@]*@/ ) {
(49263)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49263)         if (&User-Name =~ /\.\./ ) {
(49263)         if (&User-Name =~ /\.\./ )  -> FALSE
(49263)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49263)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49263)         if (&User-Name =~ /\.$/)  {
(49263)         if (&User-Name =~ /\.$/)   -> FALSE
(49263)         if (&User-Name =~ /@\./)  {
(49263)         if (&User-Name =~ /@\./)   -> FALSE
(49263)       } # if (&User-Name)  = notfound
(49263)     } # policy filter_username = notfound
(49263)     [preprocess] = ok
(49263) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49263) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49263) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49263) auth_log: EXPAND %t
(49263) auth_log:    --> Tue Jun 23 11:18:40 2020
(49263)     [auth_log] = ok
(49263)     [chap] = noop
(49263)     [mschap] = noop
(49263)     [digest] = noop
(49263) suffix: Checking for suffix after "@"
(49263) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49263) suffix: No such realm "NULL"
(49263)     [suffix] = noop
(49263) eap: Peer sent EAP Response (code 2) ID 6 length 52
(49263) eap: Continuing tunnel setup
(49263)     [eap] = ok
(49263)   } # authorize = ok
(49263) Found Auth-Type = eap
(49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49263)   authenticate {
(49263) eap: Expiring EAP session with state 0x9e6734429e602efe
(49263) eap: Finished EAP session with state 0x3432644831347d5b
(49263) eap: Previous EAP request found for state 0x3432644831347d5b, released from the list
(49263) eap: Peer sent packet with method EAP PEAP (25)
(49263) eap: Calling submodule eap_peap to process data
(49263) eap_peap: Continuing EAP-TLS
(49263) eap_peap: [eaptls verify] = ok
(49263) eap_peap: Done initial handshake
(49263) eap_peap: [eaptls process] = ok
(49263) eap_peap: Session established.  Decoding tunneled attributes
(49263) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(49263) eap_peap: Identity - luciana.nogueira
(49263) eap_peap: Got inner identity 'luciana.nogueira'
(49263) eap_peap: Setting default EAP type for tunneled EAP session
(49263) eap_peap: Got tunneled request
(49263) eap_peap:   EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263) eap_peap: Setting User-Name to luciana.nogueira
(49263) eap_peap: Sending tunneled request to inner-tunnel
(49263) eap_peap:   EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(49263) eap_peap:   User-Name = "luciana.nogueira"
(49263) Virtual server inner-tunnel received request
(49263)   EAP-Message = 0x02060015016c756369616e612e6e6f677565697261
(49263)   FreeRADIUS-Proxied-To = 127.0.0.1
(49263)   User-Name = "luciana.nogueira"
(49263) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(49263) server inner-tunnel {
(49263)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49263)     authorize {
(49263)       policy filter_username {
(49263)         if (&User-Name) {
(49263)         if (&User-Name)  -> TRUE
(49263)         if (&User-Name)  {
(49263)           if (&User-Name != "%{tolower:%{User-Name}}") {
(49263)           EXPAND %{tolower:%{User-Name}}
(49263)              --> luciana.nogueira
(49263)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49263)           if (&User-Name =~ / /) {
(49263)           if (&User-Name =~ / /)  -> FALSE
(49263)           if (&User-Name =~ /@[^@]*@/ ) {
(49263)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49263)           if (&User-Name =~ /\.\./ ) {
(49263)           if (&User-Name =~ /\.\./ )  -> FALSE
(49263)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49263)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49263)           if (&User-Name =~ /\.$/)  {
(49263)           if (&User-Name =~ /\.$/)   -> FALSE
(49263)           if (&User-Name =~ /@\./)  {
(49263)           if (&User-Name =~ /@\./)   -> FALSE
(49263)         } # if (&User-Name)  = notfound
(49263)       } # policy filter_username = notfound
(49263)       [chap] = noop
(49263)       [mschap] = noop
(49263) suffix: Checking for suffix after "@"
(49263) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49263) suffix: No such realm "NULL"
(49263)       [suffix] = noop
(49263)       update control {
(49263)         &Proxy-To-Realm := LOCAL
(49263)       } # update control = noop
(49263) eap: Peer sent EAP Response (code 2) ID 6 length 21
(49263) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(49263)       [eap] = ok
(49263)     } # authorize = ok
(49263)   Found Auth-Type = eap
(49263)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49263)     authenticate {
(49263) eap: Peer sent packet with method EAP Identity (1)
(49263) eap: Calling submodule eap_mschapv2 to process data
(49263) eap_mschapv2: Issuing Challenge
(49263) eap: Sending EAP Request (code 1) ID 7 length 43
(49263) eap: EAP session adding &reply:State = 0x214671d321416b6e
(49263)       [eap] = handled
(49263)     } # authenticate = handled
(49263) } # server inner-tunnel
(49263) Virtual server sending reply
(49263)   EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263)   Message-Authenticator = 0x00000000000000000000000000000000
(49263)   State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled reply code 11
(49263) eap_peap:   EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49263) eap_peap:   State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled reply RADIUS code 11
(49263) eap_peap:   EAP-Message = 0x0107002b1a01070026109a0612b5b180d839a6e75523a82f49ec667265657261646975732d332e302e3132
(49263) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49263) eap_peap:   State = 0x214671d321416b6e6c123acd822f47ac
(49263) eap_peap: Got tunneled Access-Challenge
(49263) eap: Sending EAP Request (code 1) ID 7 length 74
(49263) eap: EAP session adding &reply:State = 0x3432644832357d5b
(49263)     [eap] = handled
(49263)   } # authenticate = handled
(49263) Using Post-Auth-Type Challenge
(49263) Post-Auth-Type sub-section not found.  Ignoring.
(49263) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49263) Sent Access-Challenge Id 157 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49263)   EAP-Message = 0x0107004a1900170303003f8ad05ce60e5ee56c153fb28473439215526db8736ab97058edf5170bf7b140e9d16783b78ce6e18c1cb2d3fa04bb51df1ecdc736140a04d7d4e797dc3229c3
(49263)   Message-Authenticator = 0x00000000000000000000000000000000
(49263)   State = 0x3432644832357d5baa04a227c6849a7d
(49263) Finished request
(49264) Received Access-Request Id 158 from 10.34.15.221:1384 to 10.34.242.3:1812 length 264
(49264)   User-Name = "347117"
(49264)   NAS-IP-Address = 10.34.15.221
(49264)   NAS-Port = 2
(49264)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49264)   Calling-Station-Id = "48-49-C7-71-79-66"
(49264)   Framed-MTU = 1400
(49264)   NAS-Port-Type = Wireless-802.11
(49264)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49264)   EAP-Message = 0x0207006a1900170303005f0000000000000002d9c7a4e9ae59cfe3d90af91aa0aee002c3b4dc78422285bc88a8e33d7ffa1e58aa98f6fac7d72b4dbffe3a3b4aeccaeaa42df4ab91e78e2aeee31026e98609cd8b51b88663710a6bb29088279292a2cb18a4259c051294
(49264)   State = 0x3432644832357d5baa04a227c6849a7d
(49264)   Message-Authenticator = 0x4b17fd5d5a9b8fd97344948d8a46de86
(49264) session-state: No cached attributes
(49264) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49264)   authorize {
(49264)     policy filter_username {
(49264)       if (&User-Name) {
(49264)       if (&User-Name)  -> TRUE
(49264)       if (&User-Name)  {
(49264)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49264)         EXPAND %{tolower:%{User-Name}}
(49264)            --> 347117
(49264)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49264)         if (&User-Name =~ / /) {
(49264)         if (&User-Name =~ / /)  -> FALSE
(49264)         if (&User-Name =~ /@[^@]*@/ ) {
(49264)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49264)         if (&User-Name =~ /\.\./ ) {
(49264)         if (&User-Name =~ /\.\./ )  -> FALSE
(49264)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49264)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49264)         if (&User-Name =~ /\.$/)  {
(49264)         if (&User-Name =~ /\.$/)   -> FALSE
(49264)         if (&User-Name =~ /@\./)  {
(49264)         if (&User-Name =~ /@\./)   -> FALSE
(49264)       } # if (&User-Name)  = notfound
(49264)     } # policy filter_username = notfound
(49264)     [preprocess] = ok
(49264) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49264) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49264) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49264) auth_log: EXPAND %t
(49264) auth_log:    --> Tue Jun 23 11:18:40 2020
(49264)     [auth_log] = ok
(49264)     [chap] = noop
(49264)     [mschap] = noop
(49264)     [digest] = noop
(49264) suffix: Checking for suffix after "@"
(49264) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49264) suffix: No such realm "NULL"
(49264)     [suffix] = noop
(49264) eap: Peer sent EAP Response (code 2) ID 7 length 106
(49264) eap: Continuing tunnel setup
(49264)     [eap] = ok
(49264)   } # authorize = ok
(49264) Found Auth-Type = eap
(49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49264)   authenticate {
(49264) eap: Expiring EAP session with state 0x9e6734429e602efe
(49264) eap: Finished EAP session with state 0x3432644832357d5b
(49264) eap: Previous EAP request found for state 0x3432644832357d5b, released from the list
(49264) eap: Peer sent packet with method EAP PEAP (25)
(49264) eap: Calling submodule eap_peap to process data
(49264) eap_peap: Continuing EAP-TLS
(49264) eap_peap: [eaptls verify] = ok
(49264) eap_peap: Done initial handshake
(49264) eap_peap: [eaptls process] = ok
(49264) eap_peap: Session established.  Decoding tunneled attributes
(49264) eap_peap: PEAP state phase2
(49264) eap_peap: EAP method MSCHAPv2 (26)
(49264) eap_peap: Got tunneled request
(49264) eap_peap:   EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264) eap_peap: Setting User-Name to luciana.nogueira
(49264) eap_peap: Sending tunneled request to inner-tunnel
(49264) eap_peap:   EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(49264) eap_peap:   User-Name = "luciana.nogueira"
(49264) eap_peap:   State = 0x214671d321416b6e6c123acd822f47ac
(49264) Virtual server inner-tunnel received request
(49264)   EAP-Message = 0x0207004b1a02070046317d5d43a19660ebbee7c397f7438f711a00000000000000004fa6868fa93a73fa085c7782f38db715816854ca6d1cc81b006c756369616e612e6e6f677565697261
(49264)   FreeRADIUS-Proxied-To = 127.0.0.1
(49264)   User-Name = "luciana.nogueira"
(49264)   State = 0x214671d321416b6e6c123acd822f47ac
(49264) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(49264) server inner-tunnel {
(49264)   session-state: No cached attributes
(49264)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264)     authorize {
(49264)       policy filter_username {
(49264)         if (&User-Name) {
(49264)         if (&User-Name)  -> TRUE
(49264)         if (&User-Name)  {
(49264)           if (&User-Name != "%{tolower:%{User-Name}}") {
(49264)           EXPAND %{tolower:%{User-Name}}
(49264)              --> luciana.nogueira
(49264)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49264)           if (&User-Name =~ / /) {
(49264)           if (&User-Name =~ / /)  -> FALSE
(49264)           if (&User-Name =~ /@[^@]*@/ ) {
(49264)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49264)           if (&User-Name =~ /\.\./ ) {
(49264)           if (&User-Name =~ /\.\./ )  -> FALSE
(49264)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49264)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49264)           if (&User-Name =~ /\.$/)  {
(49264)           if (&User-Name =~ /\.$/)   -> FALSE
(49264)           if (&User-Name =~ /@\./)  {
(49264)           if (&User-Name =~ /@\./)   -> FALSE
(49264)         } # if (&User-Name)  = notfound
(49264)       } # policy filter_username = notfound
(49264)       [chap] = noop
(49264)       [mschap] = noop
(49264) suffix: Checking for suffix after "@"
(49264) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49264) suffix: No such realm "NULL"
(49264)       [suffix] = noop
(49264)       update control {
(49264)         &Proxy-To-Realm := LOCAL
(49264)       } # update control = noop
(49264) eap: Peer sent EAP Response (code 2) ID 7 length 75
(49264) eap: No EAP Start, assuming it's an on-going EAP conversation
(49264)       [eap] = updated
(49264) files: users: Matched entry DEFAULT at line 90
(49264)       [files] = ok
(49264) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49264) sql:    --> luciana.nogueira
(49264) sql: SQL-User-Name set to 'luciana.nogueira'
(49264) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49264) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49264) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49264) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49264) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49264) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49264) sql: User not found in any groups
(49264)       [sql] = notfound
(49264)       [expiration] = noop
(49264)       [logintime] = noop
(49264)       [pap] = noop
(49264)     } # authorize = updated
(49264)   Found Auth-Type = eap
(49264)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264)     authenticate {
(49264) eap: Expiring EAP session with state 0x9e6734429e602efe
(49264) eap: Finished EAP session with state 0x214671d321416b6e
(49264) eap: Previous EAP request found for state 0x214671d321416b6e, released from the list
(49264) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(49264) eap: Calling submodule eap_mschapv2 to process data
(49264) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49264) eap_mschapv2:   authenticate {
(49264) mschap: Creating challenge hash with username: luciana.nogueira
(49264) mschap: Client is using MS-CHAPv2
(49264) mschap: EXPAND %{mschap:User-Name}
(49264) mschap:    --> luciana.nogueira
(49264) mschap: ERROR: No NT-Domain was found in the User-Name
(49264) mschap: EXPAND %{mschap:NT-Domain}
(49264) mschap:    -->
(49264) mschap: sending authentication request user='luciana.nogueira' domain=''
(49264) mschap: Authenticated successfully
(49264) mschap: Adding MS-CHAPv2 MPPE keys
(49264)     [mschap] = ok
(49264)   } # authenticate = ok
(49264) MSCHAP Success
(49264) eap: Sending EAP Request (code 1) ID 8 length 51
(49264) eap: EAP session adding &reply:State = 0x214671d3204e6b6e
(49264)       [eap] = handled
(49264)     } # authenticate = handled
(49264) } # server inner-tunnel
(49264) Virtual server sending reply
(49264)   Idle-Timeout = 300
(49264)   EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264)   Message-Authenticator = 0x00000000000000000000000000000000
(49264)   State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled reply code 11
(49264) eap_peap:   Idle-Timeout = 300
(49264) eap_peap:   EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49264) eap_peap:   State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled reply RADIUS code 11
(49264) eap_peap:   Idle-Timeout = 300
(49264) eap_peap:   EAP-Message = 0x010800331a0307002e533d37324435314333433134354231383437464635313334414535453342374531304436323434453630
(49264) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49264) eap_peap:   State = 0x214671d3204e6b6e6c123acd822f47ac
(49264) eap_peap: Got tunneled Access-Challenge
(49264) eap: Sending EAP Request (code 1) ID 8 length 82
(49264) eap: EAP session adding &reply:State = 0x34326448333a7d5b
(49264)     [eap] = handled
(49264)   } # authenticate = handled
(49264) Using Post-Auth-Type Challenge
(49264) Post-Auth-Type sub-section not found.  Ignoring.
(49264) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49264) Sent Access-Challenge Id 158 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49264)   EAP-Message = 0x01080052190017030300478ad05ce60e5ee56dce23340a3be2c962cc4f7d1ee8e7ae9aef666bf4fac4aa03796c641f3b59020ff440d471af287ef622a0fb7b6e3775db7348671ab310c104c57ca5045628d7
(49264)   Message-Authenticator = 0x00000000000000000000000000000000
(49264)   State = 0x34326448333a7d5baa04a227c6849a7d
(49264) Finished request
(49265) Received Access-Request Id 159 from 10.34.15.221:1384 to 10.34.242.3:1812 length 195
(49265)   User-Name = "347117"
(49265)   NAS-IP-Address = 10.34.15.221
(49265)   NAS-Port = 2
(49265)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49265)   Calling-Station-Id = "48-49-C7-71-79-66"
(49265)   Framed-MTU = 1400
(49265)   NAS-Port-Type = Wireless-802.11
(49265)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49265)   EAP-Message = 0x020800251900170303001a00000000000000031247ab59722d1f524f21b21b65b88b21dc63
(49265)   State = 0x34326448333a7d5baa04a227c6849a7d
(49265)   Message-Authenticator = 0x4e23dd00e538823df81cfcd85802e7d5
(49265) session-state: No cached attributes
(49265) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49265)   authorize {
(49265)     policy filter_username {
(49265)       if (&User-Name) {
(49265)       if (&User-Name)  -> TRUE
(49265)       if (&User-Name)  {
(49265)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49265)         EXPAND %{tolower:%{User-Name}}
(49265)            --> 347117
(49265)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49265)         if (&User-Name =~ / /) {
(49265)         if (&User-Name =~ / /)  -> FALSE
(49265)         if (&User-Name =~ /@[^@]*@/ ) {
(49265)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49265)         if (&User-Name =~ /\.\./ ) {
(49265)         if (&User-Name =~ /\.\./ )  -> FALSE
(49265)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49265)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49265)         if (&User-Name =~ /\.$/)  {
(49265)         if (&User-Name =~ /\.$/)   -> FALSE
(49265)         if (&User-Name =~ /@\./)  {
(49265)         if (&User-Name =~ /@\./)   -> FALSE
(49265)       } # if (&User-Name)  = notfound
(49265)     } # policy filter_username = notfound
(49265)     [preprocess] = ok
(49265) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49265) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49265) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49265) auth_log: EXPAND %t
(49265) auth_log:    --> Tue Jun 23 11:18:40 2020
(49265)     [auth_log] = ok
(49265)     [chap] = noop
(49265)     [mschap] = noop
(49265)     [digest] = noop
(49265) suffix: Checking for suffix after "@"
(49265) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49265) suffix: No such realm "NULL"
(49265)     [suffix] = noop
(49265) eap: Peer sent EAP Response (code 2) ID 8 length 37
(49265) eap: Continuing tunnel setup
(49265)     [eap] = ok
(49265)   } # authorize = ok
(49265) Found Auth-Type = eap
(49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49265)   authenticate {
(49265) eap: Expiring EAP session with state 0x9e6734429e602efe
(49265) eap: Finished EAP session with state 0x34326448333a7d5b
(49265) eap: Previous EAP request found for state 0x34326448333a7d5b, released from the list
(49265) eap: Peer sent packet with method EAP PEAP (25)
(49265) eap: Calling submodule eap_peap to process data
(49265) eap_peap: Continuing EAP-TLS
(49265) eap_peap: [eaptls verify] = ok
(49265) eap_peap: Done initial handshake
(49265) eap_peap: [eaptls process] = ok
(49265) eap_peap: Session established.  Decoding tunneled attributes
(49265) eap_peap: PEAP state phase2
(49265) eap_peap: EAP method MSCHAPv2 (26)
(49265) eap_peap: Got tunneled request
(49265) eap_peap:   EAP-Message = 0x020800061a03
(49265) eap_peap: Setting User-Name to luciana.nogueira
(49265) eap_peap: Sending tunneled request to inner-tunnel
(49265) eap_peap:   EAP-Message = 0x020800061a03
(49265) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(49265) eap_peap:   User-Name = "luciana.nogueira"
(49265) eap_peap:   State = 0x214671d3204e6b6e6c123acd822f47ac
(49265) Virtual server inner-tunnel received request
(49265)   EAP-Message = 0x020800061a03
(49265)   FreeRADIUS-Proxied-To = 127.0.0.1
(49265)   User-Name = "luciana.nogueira"
(49265)   State = 0x214671d3204e6b6e6c123acd822f47ac
(49265) WARNING: Outer User-Name is not anonymized.  User privacy is compromised.
(49265) server inner-tunnel {
(49265)   session-state: No cached attributes
(49265)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265)     authorize {
(49265)       policy filter_username {
(49265)         if (&User-Name) {
(49265)         if (&User-Name)  -> TRUE
(49265)         if (&User-Name)  {
(49265)           if (&User-Name != "%{tolower:%{User-Name}}") {
(49265)           EXPAND %{tolower:%{User-Name}}
(49265)              --> luciana.nogueira
(49265)           if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49265)           if (&User-Name =~ / /) {
(49265)           if (&User-Name =~ / /)  -> FALSE
(49265)           if (&User-Name =~ /@[^@]*@/ ) {
(49265)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49265)           if (&User-Name =~ /\.\./ ) {
(49265)           if (&User-Name =~ /\.\./ )  -> FALSE
(49265)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49265)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49265)           if (&User-Name =~ /\.$/)  {
(49265)           if (&User-Name =~ /\.$/)   -> FALSE
(49265)           if (&User-Name =~ /@\./)  {
(49265)           if (&User-Name =~ /@\./)   -> FALSE
(49265)         } # if (&User-Name)  = notfound
(49265)       } # policy filter_username = notfound
(49265)       [chap] = noop
(49265)       [mschap] = noop
(49265) suffix: Checking for suffix after "@"
(49265) suffix: No '@' in User-Name = "luciana.nogueira", looking up realm NULL
(49265) suffix: No such realm "NULL"
(49265)       [suffix] = noop
(49265)       update control {
(49265)         &Proxy-To-Realm := LOCAL
(49265)       } # update control = noop
(49265) eap: Peer sent EAP Response (code 2) ID 8 length 6
(49265) eap: No EAP Start, assuming it's an on-going EAP conversation
(49265)       [eap] = updated
(49265) files: users: Matched entry DEFAULT at line 90
(49265)       [files] = ok
(49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49265) sql:    --> luciana.nogueira
(49265) sql: SQL-User-Name set to 'luciana.nogueira'
(49265) sql: EXPAND SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id
(49265) sql:    --> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49265) sql: Executing select query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'luciana.nogueira' ORDER BY id
(49265) sql: EXPAND SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority
(49265) sql:    --> SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49265) sql: Executing select query: SELECT GroupName FROM radusergroup WHERE UserName='luciana.nogueira' ORDER BY priority
(49265) sql: User not found in any groups
(49265)       [sql] = notfound
(49265)       [expiration] = noop
(49265)       [logintime] = noop
(49265)       [pap] = noop
(49265)     } # authorize = updated
(49265)   Found Auth-Type = eap
(49265)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265)     authenticate {
(49265) eap: Expiring EAP session with state 0x9e6734429e602efe
(49265) eap: Finished EAP session with state 0x214671d3204e6b6e
(49265) eap: Previous EAP request found for state 0x214671d3204e6b6e, released from the list
(49265) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(49265) eap: Calling submodule eap_mschapv2 to process data
(49265) eap: Sending EAP Success (code 3) ID 8 length 4
(49265) eap: Freeing handler
(49265)       [eap] = ok
(49265)     } # authenticate = ok
(49265)   # Executing section session from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265)     session {
(49265) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49265) sql:    --> luciana.nogueira
(49265) sql: SQL-User-Name set to 'luciana.nogueira'
(49265) sql: EXPAND SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='%{SQL-User-Name}' AND CallingStationId<>'%{outer.request:Calling-Station-Id}' AND AcctStopTime IS NULL
(49265) sql:    --> SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49265) sql: Executing select query: SELECT COUNT(distinct callingstationid) FROM radacct WHERE UserName='luciana.nogueira' AND CallingStationId<>'48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49265)       [sql] = ok
(49265)     } # session = ok
(49265)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(49265)     post-auth {
(49265) reply_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail
(49265) reply_log:    --> /var/log/freeradius/radacct/10.34.15.221/reply-detail
(49265) reply_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail expands to /var/log/freeradius/radacct/10.34.15.221/reply-detail
(49265) reply_log: EXPAND %t
(49265) reply_log:    --> Tue Jun 23 11:18:40 2020
(49265)       [reply_log] = ok
(49265)     } # post-auth = ok
(49265)   Login OK: [luciana.nogueira] (from client AP-SD1-A03-Q01 port 0 via TLS tunnel)
(49265) } # server inner-tunnel
(49265) Virtual server sending reply
(49265)   Idle-Timeout = 300
(49265)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265)   MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265)   MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265)   EAP-Message = 0x03080004
(49265)   Message-Authenticator = 0x00000000000000000000000000000000
(49265)   User-Name = "luciana.nogueira"
(49265) eap_peap: Got tunneled reply code 2
(49265) eap_peap:   Idle-Timeout = 300
(49265) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265) eap_peap:   MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265) eap_peap:   MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265) eap_peap:   EAP-Message = 0x03080004
(49265) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49265) eap_peap:   User-Name = "luciana.nogueira"
(49265) eap_peap: Got tunneled reply RADIUS code 2
(49265) eap_peap:   Idle-Timeout = 300
(49265) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(49265) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(49265) eap_peap:   MS-MPPE-Send-Key = 0x0442265aeb85be20654b653f432e0880
(49265) eap_peap:   MS-MPPE-Recv-Key = 0x1e4c074598ed6ae313dab160b53e5d6c
(49265) eap_peap:   EAP-Message = 0x03080004
(49265) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(49265) eap_peap:   User-Name = "luciana.nogueira"
(49265) eap_peap: Tunneled authentication was successful
(49265) eap_peap: SUCCESS
(49265) eap: Sending EAP Request (code 1) ID 9 length 46
(49265) eap: EAP session adding &reply:State = 0x343264483c3b7d5b
(49265)     [eap] = handled
(49265)   } # authenticate = handled
(49265) Using Post-Auth-Type Challenge
(49265) Post-Auth-Type sub-section not found.  Ignoring.
(49265) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49265) Sent Access-Challenge Id 159 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49265)   EAP-Message = 0x0109002e190017030300238ad05ce60e5ee56e3f85995ad4d9fa3e7353121ef0323fdf5e8a60cf3b9b554a80d3dd
(49265)   Message-Authenticator = 0x00000000000000000000000000000000
(49265)   State = 0x343264483c3b7d5baa04a227c6849a7d
(49265) Finished request
(49266) Received Access-Request Id 160 from 10.34.15.221:1384 to 10.34.242.3:1812 length 204
(49266)   User-Name = "347117"
(49266)   NAS-IP-Address = 10.34.15.221
(49266)   NAS-Port = 2
(49266)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49266)   Calling-Station-Id = "48-49-C7-71-79-66"
(49266)   Framed-MTU = 1400
(49266)   NAS-Port-Type = Wireless-802.11
(49266)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49266)   EAP-Message = 0x0209002e190017030300230000000000000004c778ad733d5b70db3716819554f83810f465ba77cd7845e575c9ff
(49266)   State = 0x343264483c3b7d5baa04a227c6849a7d
(49266)   Message-Authenticator = 0x855882f09e771e57421e4a41f6ea470c
(49266) session-state: No cached attributes
(49266) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(49266)   authorize {
(49266)     policy filter_username {
(49266)       if (&User-Name) {
(49266)       if (&User-Name)  -> TRUE
(49266)       if (&User-Name)  {
(49266)         if (&User-Name != "%{tolower:%{User-Name}}") {
(49266)         EXPAND %{tolower:%{User-Name}}
(49266)            --> 347117
(49266)         if (&User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(49266)         if (&User-Name =~ / /) {
(49266)         if (&User-Name =~ / /)  -> FALSE
(49266)         if (&User-Name =~ /@[^@]*@/ ) {
(49266)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49266)         if (&User-Name =~ /\.\./ ) {
(49266)         if (&User-Name =~ /\.\./ )  -> FALSE
(49266)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49266)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49266)         if (&User-Name =~ /\.$/)  {
(49266)         if (&User-Name =~ /\.$/)   -> FALSE
(49266)         if (&User-Name =~ /@\./)  {
(49266)         if (&User-Name =~ /@\./)   -> FALSE
(49266)       } # if (&User-Name)  = notfound
(49266)     } # policy filter_username = notfound
(49266)     [preprocess] = ok
(49266) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail
(49266) auth_log:    --> /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49266) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail expands to /var/log/freeradius/radacct/10.34.15.221/auth-detail
(49266) auth_log: EXPAND %t
(49266) auth_log:    --> Tue Jun 23 11:18:40 2020
(49266)     [auth_log] = ok
(49266)     [chap] = noop
(49266)     [mschap] = noop
(49266)     [digest] = noop
(49266) suffix: Checking for suffix after "@"
(49266) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49266) suffix: No such realm "NULL"
(49266)     [suffix] = noop
(49266) eap: Peer sent EAP Response (code 2) ID 9 length 46
(49266) eap: Continuing tunnel setup
(49266)     [eap] = ok
(49266)   } # authorize = ok
(49266) Found Auth-Type = eap
(49266) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(49266)   authenticate {
(49266) eap: Expiring EAP session with state 0x9e6734429e602efe
(49266) eap: Finished EAP session with state 0x343264483c3b7d5b
(49266) eap: Previous EAP request found for state 0x343264483c3b7d5b, released from the list
(49266) eap: Peer sent packet with method EAP PEAP (25)
(49266) eap: Calling submodule eap_peap to process data
(49266) eap_peap: Continuing EAP-TLS
(49266) eap_peap: [eaptls verify] = ok
(49266) eap_peap: Done initial handshake
(49266) eap_peap: [eaptls process] = ok
(49266) eap_peap: Session established.  Decoding tunneled attributes
(49266) eap_peap: PEAP state send tlv success
(49266) eap_peap: Received EAP-TLV response
(49266) eap_peap: Success
(49266) eap: Sending EAP Success (code 3) ID 9 length 4
(49266) eap: Freeing handler
(49266)     [eap] = ok
(49266)   } # authenticate = ok
(49266) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(49266)   post-auth {
(49266)     update {
(49266)       No attributes updated
(49266)     } # update = noop
(49266) sql: EXPAND .query
(49266) sql:    --> .query
(49266) sql: Using query template 'query'
(49266) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49266) sql:    --> 347117
(49266) sql: SQL-User-Name set to '347117'
(49266) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', '%{Called-Station-Id}', '%{Calling-Station-Id}', TO_TIMESTAMP(%{integer:Event-Timestamp}))
(49266) sql:    --> INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920))
(49266) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, calledstationid, callingstationid, authdate) VALUES('347117', 'Chap-Password', 'Access-Accept', '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', TO_TIMESTAMP(1592921920))
(49266) sql: SQL query returned: success
(49266) sql: 1 record(s) updated
(49266)     [sql] = ok
(49266)     [exec] = noop
(49266)     policy remove_reply_message_if_eap {
(49266)       if (&reply:EAP-Message && &reply:Reply-Message) {
(49266)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(49266)       else {
(49266)         [noop] = noop
(49266)       } # else = noop
(49266)     } # policy remove_reply_message_if_eap = noop
(49266)   } # post-auth = ok
(49266) Login OK: [347117] (from client AP-SD1-A03-Q01 port 2 cli 48-49-C7-71-79-66)
(49266) Sent Access-Accept Id 160 from 10.34.242.3:1812 to 10.34.15.221:1384 length 0
(49266)   MS-MPPE-Recv-Key = 0x542d83c1eb40f8c303c2eb8158cb7e7db2151c3568559646f0ae6cc2b4834cdc
(49266)   MS-MPPE-Send-Key = 0xe5c545e00159f5d356a41a506a2bfdda247960a2b6a0044c7bf9037a48336c63
(49266)   EAP-Message = 0x03090004
(49266)   Message-Authenticator = 0x00000000000000000000000000000000
(49266)   User-Name = "347117"
(49266) Finished request
(49267) Received Accounting-Request Id 161 from 10.34.15.221:1386 to 10.34.242.3:1813 length 145
(49267)   Acct-Session-Id = "38EBA713-00000041"
(49267)   Acct-Status-Type = Start
(49267)   Acct-Authentic = RADIUS
(49267)   User-Name = "347117"
(49267)   NAS-IP-Address = 10.34.15.221
(49267)   NAS-Port = 2
(49267)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
(49267)   Calling-Station-Id = "48-49-C7-71-79-66"
(49267)   NAS-Port-Type = Wireless-802.11
(49267)   Connect-Info = "CONNECT 54Mbps 802.11g"
(49267) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(49267)   preacct {
(49267)     [preprocess] = ok
(49267)     update request {
(49267)       EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(49267)          --> 1592921920
(49267)       FreeRADIUS-Acct-Session-Start-Time = Jun 23 2020 11:18:40 -03
(49267)     } # update request = noop
(49267)     policy acct_unique {
(49267)       update request {
(49267)         Tmp-String-9 := "ai:"
(49267)       } # update request = noop
(49267)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(49267)       EXPAND %{hex:&Class}
(49267)          -->
(49267)       EXPAND ^%{hex:&Tmp-String-9}
(49267)          --> ^61693a
(49267)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&     ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(49267)       else {
(49267)         update request {
(49267)           EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{Calling-Station-Id}}
(49267)              --> 6b521bf17a61aa914f0f67b33c558e07
(49267)           &Acct-Unique-Session-Id := 6b521bf17a61aa914f0f67b33c558e07
(49267)         } # update request = noop
(49267)       } # else = noop
(49267)     } # policy acct_unique = noop
(49267) suffix: Checking for suffix after "@"
(49267) suffix: No '@' in User-Name = "347117", looking up realm NULL
(49267) suffix: No such realm "NULL"
(49267)     [suffix] = noop
(49267) files: acct_users: Matched entry DEFAULT at line 22
(49267) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(49267) files:    --> 347117
(49267)     [files] = ok
(49267)   } # preacct = ok
(49267) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(49267)   accounting {
(49267) log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(49267) log_accounting:    --> Accounting-Request.Start
(49267) log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(49267) log_accounting:    --> Tue, 23-06-2020 11:18:40 Connect: [347117] (did 5C-D9-98-14-37-48:MPDFT cli 48-49-C7-71-79-66 port 2 ip )
(49267) log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(49267) log_accounting:    --> /var/log/freeradius/linelog-accounting
(49267)     [log_accounting] = ok
(49267) sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(49267) sql:    --> type.start.query
(49267) sql: Using query template 'query'
(49267) sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49267) sql:    --> 347117
(49267) sql: SQL-User-Name set to '347117'
(49267) sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(49267) sql:    --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet)
(49267) sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('38EBA713-00000041', '6b521bf17a61aa914f0f67b33c558e07', '347117', NULLIF('', ''), '10.34.15.221', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1592921920), TO_TIMESTAMP(1592921920), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-37-48:MPDFT', '48-49-C7-71-79-66', NULL, '', '', NULLIF('', '')::inet)
(49267) sql: SQL query returned: success
(49267) sql: 1 record(s) updated
(49267)     [sql] = ok
(49267)     if (&request:Acct-Status-Type == start) {
(49267)     if (&request:Acct-Status-Type == start)  -> TRUE
(49267)     if (&request:Acct-Status-Type == start)  {
(49267)       EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(49267)          --> 347117
(49267)       SQL-User-Name set to '347117'
(49267)       Executing query: UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(1592921920), AcctUpdateTime = TO_TIMESTAMP(1592921920), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = 'CONNECT 54Mbps 802.11g' WHERE UserName = '347117' AND AcctUniqueId <> '6b521bf17a61aa914f0f67b33c558e07' AND CallingStationId = '48-49-C7-71-79-66' AND AcctStopTime IS NULL
(49267)       SQL query affected no rows
(49267)       EXPAND %{sql:UPDATE radacct SET AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}), AcctTerminateCause = 'Stalled-session', ConnectInfo_stop = '%{Connect-Info}' WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}' AND AcctUniqueId <> '%{Acct-Unique-Session-Id}' AND CallingStationId = '%{Calling-Station-Id}' AND AcctStopTime IS NULL}
(49267)          -->
(49267)     } # if (&request:Acct-Status-Type == start)  = ok
(49267)     [exec] = noop
(49267) attr_filter.accounting_response: EXPAND %{User-Name}
(49267) attr_filter.accounting_response:    --> 347117
(49267) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(49267)     [attr_filter.accounting_response] = updated
(49267)   } # accounting = updated
(49267) Sent Accounting-Response Id 161 from 10.34.242.3:1813 to 10.34.15.221:1386 length 0
(49267) Finished request
(49267) Cleaning up request packet ID 161 with timestamp +43054
(49257) Cleaning up request packet ID 151 with timestamp +43054
(49258) Cleaning up request packet ID 152 with timestamp +43054
(49259) Cleaning up request packet ID 153 with timestamp +43054
(49260) Cleaning up request packet ID 154 with timestamp +43054
(49261) Cleaning up request packet ID 155 with timestamp +43054
(49262) Cleaning up request packet ID 156 with timestamp +43054
(49263) Cleaning up request packet ID 157 with timestamp +43054
(49264) Cleaning up request packet ID 158 with timestamp +43054
(49265) Cleaning up request packet ID 159 with timestamp +43054
(49266) Cleaning up request packet ID 160 with timestamp +43054
root@vp2-seg-008:/var/log/freeradius#

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RES: Incorrect username being registered by freeradius

Alan DeKok-2
On Jun 23, 2020, at 11:34 AM, Daniel Guimaraes Pena <[hidden email]> wrote:
>
> Thanks for anwaring, Alan, you were right: that is his MAC Address.

  Good.

> Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet.
> For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username?

  Because the NAS sends accounting packets which contain the MAC address in the User-Name field.  And, it sends authentication packets which contain the real name in the User-Name field.

  FreeRADIUS does NOT control this.  It's at the mercy of whatever the NAS sends.

> Reading debug, real login is "luciana.nogueira"
> Here the debug log for this entry:
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07 =~=~=~=~=~=~=~=~=~=~=~=
> grep -E "\(4925[7-9]\)|\(4926[0-7]\)" debug.log
> (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151
> (49257)   User-Name = "347117"
> (49257)   NAS-IP-Address = 10.34.15.221
> (49257)   NAS-Port = 2
> (49257)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
> (49257)   Calling-Station-Id = "48-49-C7-71-79-66"
> (49257)   Framed-MTU = 1400
> (49257)   NAS-Port-Type = Wireless-802.11
> (49257)   Connect-Info = "CONNECT 54Mbps 802.11g"
> (49257)   EAP-Message = 0x0200000b01333437313137

  The end-user machine is creating that EAP-Message.  Which contains "34717" as the name.  i.e. hex 333437313137 is "34717"

  In order to fix that, you need to fix the end users machine to send a real name.  There is nothing you can do to the NAS or FreeRADIUS to fix this issue.

  Generally, the outer user name should be something like "@example.com", or "anonymous".

  The inner-tunnel is receiving the name "luciana.nogueira", which is fine.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

RES: RES: Incorrect username being registered by freeradius

daniel.pena
I understang...

Well, I thought something for these two problems, but before try to implement them, I would like your opinion, if possible:

FIRST: for the problem of outer username being different from inner-tunnel.
Is it possible do something like this?
IF inner-tunnel-username <> outer-username
        Set outer-username equal to innet-tunnel-username
Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi?

SECOND: for the problema of mac address being registered at radacct table:
I will try to create some check at username for account packets like this:
IF username is equal to calling-station-id(in lowercase and without "-")
        Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)



Thanks!! I hope you don’t get angry with me for doing this mass =P

-----Mensagem original-----
De: Freeradius-Users <freeradius-users-bounces+daniel.pena=[hidden email]> Em nome de Alan DeKok
Enviada em: terça-feira, 23 de junho de 2020 12:47
Para: FreeRadius users mailing list <[hidden email]>
Assunto: Re: RES: Incorrect username being registered by freeradius

On Jun 23, 2020, at 11:34 AM, Daniel Guimaraes Pena <[hidden email]> wrote:
>
> Thanks for anwaring, Alan, you were right: that is his MAC Address.

  Good.

> Until this moment, no mac address appeared at radacct table, so I don’t have debug for that yet.
> For this, if I may ask, why user is registered in radacct table with mac address but in radius log appears his real username?

  Because the NAS sends accounting packets which contain the MAC address in the User-Name field.  And, it sends authentication packets which contain the real name in the User-Name field.

  FreeRADIUS does NOT control this.  It's at the mercy of whatever the NAS sends.

> Reading debug, real login is "luciana.nogueira"
> Here the debug log for this entry:
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.23 12:21:07
> =~=~=~=~=~=~=~=~=~=~=~= grep -E "\(4925[7-9]\)|\(4926[0-7]\)"
> debug.log
> (49257) Received Access-Request Id 151 from 10.34.15.221:1384 to 10.34.242.3:1812 length 151
> (49257)   User-Name = "347117"
> (49257)   NAS-IP-Address = 10.34.15.221
> (49257)   NAS-Port = 2
> (49257)   Called-Station-Id = "5C-D9-98-14-37-48:MPDFT"
> (49257)   Calling-Station-Id = "48-49-C7-71-79-66"
> (49257)   Framed-MTU = 1400
> (49257)   NAS-Port-Type = Wireless-802.11
> (49257)   Connect-Info = "CONNECT 54Mbps 802.11g"
> (49257)   EAP-Message = 0x0200000b01333437313137

  The end-user machine is creating that EAP-Message.  Which contains "34717" as the name.  i.e. hex 333437313137 is "34717"

  In order to fix that, you need to fix the end users machine to send a real name.  There is nothing you can do to the NAS or FreeRADIUS to fix this issue.

  Generally, the outer user name should be something like "@example.com", or "anonymous".

  The inner-tunnel is receiving the name "luciana.nogueira", which is fine.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RES: Incorrect username being registered by freeradius

Alan Buxey
hi,

> FIRST: for the problem of outer username being different from inner-tunnel.
> Is it possible do something like this?
> IF inner-tunnel-username <> outer-username
>         Set outer-username equal to innet-tunnel-username
> Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi?

the inner username if different to the outer, is usually for
privacy/anonymous - you dont want to expose the inner username to the
NAS - and doing so may break EAP anyway.   this si where you would
probably want to use eg CUI (Chargeable User Identity) in your
Access-Accept packet - and then use the CUI for the accounting packets

> SECOND: for the problema of mac address being registered at radacct table:

first, try looking at the NAS configuration and checking if you can
adjust how it does the Acct update packets. I guess your Acct start
packet is fine, its the account update that is being borked. maybe
related to any mobility option your NAS platform has?

> I will try to create some check at username for account packets like this:
> IF username is equal to calling-station-id(in lowercase and without "-")
>         Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)

you could do something like that but its a big hit on the DB . you
already know the CSI from the first successful authentication as this
is temporal
data so you might want to record that key pair in a simple REDIS/etc
DB instead rather than hitting the live accounting tables.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: RES: RES: Incorrect username being registered by freeradius

Alan DeKok-2
In reply to this post by daniel.pena
On Jun 23, 2020, at 12:47 PM, Daniel Guimaraes Pena <[hidden email]> wrote:
> Well, I thought something for these two problems, but before try to implement them, I would like your opinion, if possible:
>
> FIRST: for the problem of outer username being different from inner-tunnel.
> Is it possible do something like this?
> IF inner-tunnel-username <> outer-username
> Set outer-username equal to innet-tunnel-username
> Does this solution can cause crazy inserts at radacct table or cause user to receive deny access to wifi?

  It will break things.

  Instead of working around broken systems, you should just fix the broken systems.

> SECOND: for the problema of mac address being registered at radacct table:
> I will try to create some check at username for account packets like this:
> IF username is equal to calling-station-id(in lowercase and without "-")
> Then set username to (select username from radacct where calling-station-id = 'MAC' and username <> 'wrong mac string' limit 1;)

  The solution is to just set the User-Name in the Access-Accept reply.  The NAS *should* use that in later accounting requests:

post-auth {
        ...

        update reply {
                User-Name := &request:User-Name
        }
}

> Thanks!! I hope you don’t get angry with me for doing this mass =P

  Nope.  My frustration is with people who ask question, and argue with the answers.  So long as you're trying to understand, I'm happy to help.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

RES: RES: RES: Incorrect username being registered by freeradius

daniel.pena
Thanks Dekok and Buxey for helping me.

As I used Dekok's suggestion of updating outer.session-state from the other topic (CUI thing), I discovered that I was NOT setting Stripped-User-Name just because that policy was NOT mentioned anywhere of VS default and inner-tunnel.

Reading that code, it was clear to me that I could "fix" MAC addr in user name of broken NAS (you see, only a few packets of these few NASes was arriving wrong)
So, I enabled splitting username from realm and used code of MAC canonicalization to fix MAC user problem:

user-as-mac-regexp = '([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})'

rewrite_username {
        if (&User-name && (&User-Name =~ /^${policy.user-as-mac-regexp}$/i)) {
                update request {
                        &User-Name := "%{sql:SELECT username from radacct \
                                WHERE CallingStationId = '%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}' \
                                ORDER BY radacctid limit 1}"
                }
                updated
        }
        else {
                noop
        }
}


Did some copy and paste with a little substitution...
Then, inserted rewrite_username before split_username_nai filter at preacct section and that is it.
From, 9417 packets, only one, for now, had the problem and was fixed (server running for 48min until this moment)

(8907) Thu Jun 25 14:43:59 2020: Debug: Received Accounting-Request Id 192 from 10.34.5.223:1829 to 10.34.242.3:1813 length 151
(8907) Thu Jun 25 14:43:59 2020: Debug:   Acct-Session-Id = "386D9BFB-0000015C"
(8907) Thu Jun 25 14:43:59 2020: Debug:   Acct-Status-Type = Start
(8907) Thu Jun 25 14:43:59 2020: Debug:   Acct-Authentic = RADIUS
(8907) Thu Jun 25 14:43:59 2020: Debug:   User-Name = "a8b86e23fca1"
(8907) Thu Jun 25 14:43:59 2020: Debug:   NAS-IP-Address = 10.34.5.223
(8907) Thu Jun 25 14:43:59 2020: Debug:   NAS-Port = 2
(8907) Thu Jun 25 14:43:59 2020: Debug:   Called-Station-Id = "5C-D9-98-14-14-78:MPDFT"
(8907) Thu Jun 25 14:43:59 2020: Debug:   Calling-Station-Id = "A8-B8-6E-23-FC-A1"
(8907) Thu Jun 25 14:43:59 2020: Debug:   NAS-Port-Type = Wireless-802.11
(8907) Thu Jun 25 14:43:59 2020: Debug:   Connect-Info = "CONNECT 54Mbps 802.11g"
(8907) Thu Jun 25 14:43:59 2020: Debug: # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(8907) Thu Jun 25 14:43:59 2020: Debug:   preacct {
(8907) Thu Jun 25 14:43:59 2020: Debug:     [preprocess] = ok
(8907) Thu Jun 25 14:43:59 2020: Debug:     policy rewrite_username {
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i)) {
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i))  -> TRUE
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i))  {
(8907) Thu Jun 25 14:43:59 2020: Debug:         update request {
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> a8b86e23fca1
(8907) Thu Jun 25 14:43:59 2020: Debug:           SQL-User-Name set to 'a8b86e23fca1'
(8907) Thu Jun 25 14:43:59 2020: Debug:           Executing select query: SELECT username from radacct                          WHERE CallingStationId = 'A8-B8-6E-23-FC-A1'                            ORDER BY radacctid limit 1
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{sql:SELECT username from radacct                             WHERE CallingStationId = '%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}'                             ORDER BY radacctid limit 1}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug:         } # update request = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:         [updated] = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:       } # if (&User-name && (&User-Name =~ /^([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/i))  = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:       ... skipping else: Preceding "if" was taken
(8907) Thu Jun 25 14:43:59 2020: Debug:     } # policy rewrite_username = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:     policy split_username_nai {
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(8907) Thu Jun 25 14:43:59 2020: Debug:         update request {
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{1}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{3}
(8907) Thu Jun 25 14:43:59 2020: Debug:              -->
(8907) Thu Jun 25 14:43:59 2020: Debug:         } # update request = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:         [updated] = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:       } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:       ... skipping else: Preceding "if" was taken
(8907) Thu Jun 25 14:43:59 2020: Debug:     } # policy split_username_nai = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:     update request {
(8907) Thu Jun 25 14:43:59 2020: Debug:       EXPAND %{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}
(8907) Thu Jun 25 14:43:59 2020: Debug:          --> 1593107039
(8907) Thu Jun 25 14:43:59 2020: Debug:     } # update request = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:     policy acct_unique {
(8907) Thu Jun 25 14:43:59 2020: Debug:       update request {
(8907) Thu Jun 25 14:43:59 2020: Debug:       } # update request = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&           ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(8907) Thu Jun 25 14:43:59 2020: Debug:       EXPAND %{hex:&Class}
(8907) Thu Jun 25 14:43:59 2020: Debug:          -->
(8907) Thu Jun 25 14:43:59 2020: Debug:       EXPAND ^%{hex:&Tmp-String-9}
(8907) Thu Jun 25 14:43:59 2020: Debug:          --> ^61693a
(8907) Thu Jun 25 14:43:59 2020: Debug:       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&           ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(8907) Thu Jun 25 14:43:59 2020: Debug:       else {
(8907) Thu Jun 25 14:43:59 2020: Debug:         update request {
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{Acct-Session-ID}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> 386D9BFB-0000015C
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug:           EXPAND %{md5:%{%{Stripped-User-Name}:-%{User-Name}},%{Acct-Session-ID},%{Calling-Station-Id}}
(8907) Thu Jun 25 14:43:59 2020: Debug:              --> d07a1728ff39147a452a960d300c989e
(8907) Thu Jun 25 14:43:59 2020: Debug:         } # update request = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:       } # else = noop
(8907) Thu Jun 25 14:43:59 2020: Debug:     } # policy acct_unique = noop
(8907) Thu Jun 25 14:43:59 2020: Debug: suffix: Checking for suffix after "@"
(8907) Thu Jun 25 14:43:59 2020: Debug: suffix: No '@' in User-Name = "alex.dalton", looking up realm NULL
(8907) Thu Jun 25 14:43:59 2020: Debug: suffix: No such realm "NULL"
(8907) Thu Jun 25 14:43:59 2020: Debug:     [suffix] = noop
(8907) Thu Jun 25 14:43:59 2020: Debug: files: acct_users: Matched entry DEFAULT at line 22
(8907) Thu Jun 25 14:43:59 2020: Debug: files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(8907) Thu Jun 25 14:43:59 2020: Debug: files:    --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug:     [files] = ok
(8907) Thu Jun 25 14:43:59 2020: Debug:   } # preacct = updated
(8907) Thu Jun 25 14:43:59 2020: Debug: # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(8907) Thu Jun 25 14:43:59 2020: Debug:   accounting {
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND Accounting-Request.%{%{Acct-Status-Type}:-unknown}
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting:    --> Accounting-Request.Start
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND %{date:Event-Timestamp} Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting:    --> Thu, 25-06-2020 14:43:59 Connect: [alex.dalton] (did 5C-D9-98-14-14-78:MPDFT cli A8-B8-6E-23-FC-A1 port 2 ip )
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting: EXPAND /var/log/freeradius/linelog-accounting
(8907) Thu Jun 25 14:43:59 2020: Debug: log_accounting:    --> /var/log/freeradius/linelog-accounting
(8907) Thu Jun 25 14:43:59 2020: Debug:     [log_accounting] = ok
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND %{tolower:type.%{%{Acct-Status-Type}:-none}.query}
(8907) Thu Jun 25 14:43:59 2020: Debug: sql:    --> type.start.query
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: Using query template 'query'
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(8907) Thu Jun 25 14:43:59 2020: Debug: sql:    --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: SQL-User-Name set to 'alex.dalton'
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: EXPAND INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}}', NULLIF('%{%{NAS-Port-ID}:-%{NAS-Port}}', ''), '%{NAS-Port-Type}', TO_TIMESTAMP(%{integer:Event-Timestamp}), TO_TIMESTAMP(%{integer:Event-Timestamp}), NULL, 0, '%{Acct-Authentic}', '%{Connect-Info}', NULL, 0, 0, '%{Called-Station-Id}', '%{Calling-Station-Id}', NULL, '%{Service-Type}', '%{Framed-Protocol}', NULLIF('%{Framed-IP-Address}', '')::inet)
(8907) Thu Jun 25 14:43:59 2020: Debug: sql:    --> INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('386D9BFB-0000015C', 'd07a1728ff39147a452a960d300c989e', 'alex.dalton', NULLIF('', ''), '10.34.5.223', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593107039), TO_TIMESTAMP(1593107039), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-14-78:MPDFT', 'A8-B8-6E-23-FC-A1', NULL, '', '', NULLIF('', '')::inet)
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: Executing query: INSERT INTO radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctUpdateTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_Stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIpAddress) VALUES('386D9BFB-0000015C', 'd07a1728ff39147a452a960d300c989e', 'alex.dalton', NULLIF('', ''), '10.34.5.223', NULLIF('2', ''), 'Wireless-802.11', TO_TIMESTAMP(1593107039), TO_TIMESTAMP(1593107039), NULL, 0, 'RADIUS', 'CONNECT 54Mbps 802.11g', NULL, 0, 0, '5C-D9-98-14-14-78:MPDFT', 'A8-B8-6E-23-FC-A1', NULL, '', '', NULLIF('', '')::inet)
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: SQL query returned: success
(8907) Thu Jun 25 14:43:59 2020: Debug: sql: 1 record(s) updated
(8907) Thu Jun 25 14:43:59 2020: Debug:     [sql] = ok
(8907) Thu Jun 25 14:43:59 2020: Debug:     if (&request:Acct-Status-Type == start) {
(8907) Thu Jun 25 14:43:59 2020: Debug:     if (&request:Acct-Status-Type == start)  -> TRUE
(8907) Thu Jun 25 14:43:59 2020: Debug:     if (&request:Acct-Status-Type == start)  {
(8907) Thu Jun 25 14:43:59 2020: Debug:       EXPAND %{tolower:%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}}
(8907) Thu Jun 25 14:43:59 2020: Debug:          --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug:       SQL-User-Name set to 'alex.dalton'
(8907) Thu Jun 25 14:43:59 2020: Debug:       Executing query: UPDATE radacct                   SET                             AcctStopTime = TO_TIMESTAMP(1593107039),                                AcctUpdateTime = TO_TIMESTAMP(1593107039),                           AcctTerminateCause = 'Stalled-session',                                 ConnectInfo_stop = 'CONNECT 54Mbps 802.11g'                     WHERE UserName = 'alex.dalton'                  AND AcctUniqueId <> 'd07a1728ff39147a452a960d300c989e'                       AND CallingStationId = 'A8-B8-6E-23-FC-A1'                      AND AcctStopTime IS NULL
(8907) Thu Jun 25 14:43:59 2020: Debug:       SQL query affected no rows
(8907) Thu Jun 25 14:43:59 2020: Debug:       EXPAND %{sql:UPDATE radacct                       SET                             AcctStopTime = TO_TIMESTAMP(%{integer:Event-Timestamp}),                                AcctUpdateTime = TO_TIMESTAMP(%{integer:Event-Timestamp}),                           AcctTerminateCause = 'Stalled-session',                                 ConnectInfo_stop = '%{Connect-Info}'                    WHERE UserName = '%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}'                         AND AcctUniqueId <> '%{Acct-Unique-Session-Id}'                         AND CallingStationId = '%{Calling-Station-Id}'                  AND AcctStopTime IS NULL}
(8907) Thu Jun 25 14:43:59 2020: Debug:          -->
(8907) Thu Jun 25 14:43:59 2020: Debug:     } # if (&request:Acct-Status-Type == start)  = ok
(8907) Thu Jun 25 14:43:59 2020: Debug:     [exec] = noop
(8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response: EXPAND %{User-Name}
(8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response:    --> alex.dalton
(8907) Thu Jun 25 14:43:59 2020: Debug: attr_filter.accounting_response: Matched entry DEFAULT at line 12
(8907) Thu Jun 25 14:43:59 2020: Debug:     [attr_filter.accounting_response] = updated
(8907) Thu Jun 25 14:43:59 2020: Debug:   } # accounting = updated
(8907) Thu Jun 25 14:43:59 2020: Debug: Sent Accounting-Response Id 192 from 10.34.242.3:1813 to 10.34.5.223:1829 length 0
(8907) Thu Jun 25 14:43:59 2020: Debug: Finished request
(8907) Thu Jun 25 14:43:59 2020: Debug: Cleaning up request packet ID 192 with timestamp +2160




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html