Perl script error when testing locally

Perl script error when testing locally

bhp1
Hello again, I'm trying to follow the tutorial from this site
<https://kerker.website/freeradiusgmail802-1x%E8%A8%AD%E5%AE%9Apop3s/> (it's
in Chinese but it's pretty understandable if you translate it) basically
using a perl script for authentication against gmail accounts using POP3.
So far I have reached to the part where it tests the script locally and the
error occurs, I haven't yet reached to the part where it configures the eap
file to EAP-GTC for the 802.1X.

Even though it's not in the tutorial I still added the user in the users
file anyway and the error is still there.

This is the output I get when doing radtest locally:

(0) Received Access-Request Id 63 from 127.0.0.1:41319 to 127.0.0.1:1812
length 93
(0)   User-Name = "[hidden email]"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 146.83.124.26
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xf081ea4e44b9ed006a1316a93828157f
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "gmail.com" for User-Name = "
[hidden email]"
(0) suffix: Found realm "gmail.com"
(0) suffix: Adding Realm = "gmail.com"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting
Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password
is available
(0)     [pap] = noop
(0)     if (!control:Auth-Type && User-Password){
(0)     if (!control:Auth-Type && User-Password) -> TRUE
(0)     if (!control:Auth-Type && User-Password) {
(0)       update control {
(0)         Auth-Type := Perl
(0)       } # update control = noop
(0)     } # if (!control:Auth-Type && User-Password) = noop
(0)   } # authorize = ok
(0) Found Auth-Type = Perl
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type Perl {
(0) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> '
[hidden email]'
(0) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password ->
'password'
(0) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address ->
'146.83.124.26'
(0) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
(0) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp ->
'sep 22 2020 18:33:00 -03'
(0) perl:   $RAD_REQUEST{'Message-Authenticator'} =
&request:Message-Authenticator -> '0xf081ea4e44b9ed006a1316a93828157f'
(0) perl:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'gmail.com'
(0) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
(0) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
POP3 <- +OK Gpop ready for requests from 146.83.124.26 d17mb25011424qvc
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
POP3 -> QUIT
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
POP3 <- +OK Bye d17mb25011424qvc
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
(0) perl: &request:Realm = $RAD_REQUEST{'Realm'} -> 'gmail.com'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> '
[hidden email]'
(0) perl: &request:Message-Authenticator =
$RAD_REQUEST{'Message-Authenticator'} ->
'0xf081ea4e44b9ed006a1316a93828157f'
(0) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '0'
(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} ->
'146.83.124.26'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} ->
'password'
(0) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} ->
'sep 22 2020 18:33:00 -03'
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = reject
(0)   } # Auth-Type Perl = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 63 from 127.0.0.1:1812 to 127.0.0.1:41319 length
20

Thank you in advance.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Perl script error when testing locally

Alan DeKok-2

> On Sep 22, 2020, at 5:40 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
> Hello again, I'm trying to follow the tutorial from this site
> <https://kerker.website/freeradiusgmail802-1x%E8%A8%AD%E5%AE%9Apop3s/> (it's
> in Chinese but it's pretty understandable if you translate it) basically
> using a perl script for authentication against gmail accounts using POP3.

  If you have a Perl script which does pop3 authentication, it should be straightforward to run it in FreeRADIUS.

> So far I have reached to the part where it tests the script locally and the
> error occurs, I haven't yet reached to the part where it configures the eap
> file to EAP-GTC for the 802.1X.
>
> Even though it's not in the tutorial I still added the user in the users
> file anyway and the error is still there.

  OK...

> This is the output I get when doing radtest locally:
> ...
> (0) Found Auth-Type = Perl
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0)   Auth-Type Perl {
> (0) perl:   $RAD_REQUEST{'User-Name'} = &request:User-Name -> '
> [hidden email]'
> (0) perl:   $RAD_REQUEST{'User-Password'} = &request:User-Password ->
> 'password'
> (0) perl:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address ->
> '146.83.124.26'
> (0) perl:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '0'
> (0) perl:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp ->
> 'sep 22 2020 18:33:00 -03'
> (0) perl:   $RAD_REQUEST{'Message-Authenticator'} =
> &request:Message-Authenticator -> '0xf081ea4e44b9ed006a1316a93828157f'
> (0) perl:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'gmail.com'
> (0) perl:   $RAD_CHECK{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> (0) perl:   $RAD_CONFIG{'Auth-Type'} = &control:Auth-Type -> 'Perl'
> POP3 <- +OK Gpop ready for requests from 146.83.124.26 d17mb25011424qvc
> at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
> POP3 -> QUIT
> at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
> POP3 <- +OK Bye d17mb25011424qvc
> at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.

   And that doesn't show anything about what the Perl script did.

> (0)     [perl] = reject

  But the Perl script rejected the user.

  You have to add debugging to the Perl script, so it tells you what it's doing, and why things are going wrong.

  Alan DeKok.
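
Added example, not part of the original thread and not FreeRADIUS code: a small Python triage script that reads server debug output like the one in the first post and reports, per request, the Auth-Type, each module's return code, the POP3 commands visible in the trace, and whether a cleartext User-Password is present. The sample is abridged from that post; the function names `summarize` and `findings` are hypothetical.

```python
import re

# Abridged copy of the server debug output from the first post in this thread.
SAMPLE = """\
(0) Received Access-Request Id 63 from 127.0.0.1:41319 to 127.0.0.1:1812 length 93
(0)   User-Name = "[hidden email]"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 146.83.124.26
(0)     [pap] = noop
(0) Found Auth-Type = Perl
(0)   Auth-Type Perl {
POP3 <- +OK Gpop ready for requests from 146.83.124.26 d17mb25011424qvc
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
POP3 -> QUIT
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
POP3 <- +OK Bye d17mb25011424qvc
 at /etc/freeradius/3.0/mods-config/perl/pop3.pl line 149.
(0)     [perl] = reject
(0)   } # Auth-Type Perl = reject
(0) Failed to authenticate the user
(0) Sent Access-Reject Id 63 from 127.0.0.1:1812 to 127.0.0.1:41319 length 20
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")         # "(0)     [perl] = reject"
MODULE = re.compile(r"^\[([^\]]+)\] = (\w+)$")  # module name and return code
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)$")
NAS_IP = re.compile(r"^NAS-IP-Address = (\S+)$")
SENT = re.compile(r"^Sent (Access-\w+) ")
POP3 = re.compile(r"^POP3 (<-|->) (.*)$")       # trace lines carry no "(N)" prefix
LOGIN_VERBS = {"USER", "PASS", "APOP", "AUTH"}


def summarize(log_text):
    """Return {request_number: summary dict} for a FreeRADIUS debug log."""
    requests, current = {}, None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        pop = POP3.match(line)
        if pop and current is not None:
            # Attribute the POP3 trace to the request being processed.
            key = "pop3_sent" if pop.group(1) == "->" else "pop3_recv"
            requests[current][key].append(pop.group(2))
            continue
        m = REQ.match(line)
        if not m:
            continue  # wrapped continuation or "at pop3.pl line N" noise
        current = int(m.group(1))
        req = requests.setdefault(current, {
            "nas_ip": None, "auth_type": None, "modules": [], "result": None,
            "pop3_sent": [], "pop3_recv": [], "password_logged": False,
        })
        body = m.group(2).strip()
        if body.startswith("User-Password = "):
            req["password_logged"] = True
            continue
        for pattern, field in ((NAS_IP, "nas_ip"), (AUTH_TYPE, "auth_type"),
                               (SENT, "result")):
            hit = pattern.match(body)
            if hit:
                req[field] = hit.group(1)
        mod = MODULE.match(body)
        if mod:
            req["modules"].append((mod.group(1), mod.group(2)))
    return requests


def findings(requests):
    """Turn the per-request summaries into short notes for the operator."""
    notes = []
    for num, req in sorted(requests.items()):
        for name, rcode in req["modules"]:
            if rcode in ("reject", "fail"):
                notes.append(f"({num}) module {name} returned {rcode}")
        verbs = {c.split()[0].upper() for c in req["pop3_sent"] if c.strip()}
        if (req["pop3_sent"] or req["pop3_recv"]) and not verbs & LOGIN_VERBS:
            sent = ", ".join(req["pop3_sent"]) or "nothing"
            notes.append(
                f"({num}) POP3 trace has no login command (client sent: {sent})")
        if req["password_logged"]:
            notes.append(
                f"({num}) User-Password is in cleartext; redact before sharing")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE)):
        print(note)
```
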



Re: Perl script error when testing locally

bhp1
>   If you have a Perl script which does pop3 authentication, it should be
> straightforward to run it in FreeRADIUS.

Sorry, I don't know what you meant by that.

> But the Perl script rejected the user.

Ok so I was testing some things in a virtual machine and realized
something. I did the exact same configuration that in the server and
radtest locally was successful in the VM but not in the server. And that's
when I noticed that whenever I used radtest [gmail acc] [password]
localhost 0 testing123 the output I received had the localhost IP address
as NAS-IP-Address and this was successful without adding the user to the
users file. However when running the same command in the server the
NAS-IP-Address was the IP of the server and not localhost (the same happens
with user bob) and gets rejected, but it's successful if you add the mail
and password in the users file.

Basically, in VM: $radtest [hidden email] password localhost 0 testing123

Sent Access-Request Id 28 from 0.0.0.0:48005 to 127.0.0.1:1812 length 81
        User-Name = "[hidden email]"
        User-Password = "password"
        NAS-IP-Address = *127.0.0.1*
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Accept Id 28 from 127.0.0.1:1812 to 0.0.0.0:0 length 31

In the server:  $radtest [hidden email] password localhost 0 testing123

Sent Access-Request Id 113 from 0.0.0.0:41244 to 127.0.0.1:1812 length 81
        User-Name = "[hidden email]"
        User-Password = "password"
        NAS-IP-Address = *146.83.124.26*
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "password"
Received Access-Reject Id 113 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

This might be a dumb question but why does this happen and how can I change
it? I tried adding the server as a client but it doesn't work. Or how can I
edit the users file so it accept all request from any gmail account without
having to add all the accounts?






Re: Perl script error when testing locally

Alan DeKok-2


> On Sep 24, 2020, at 9:26 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
>> If you have a Perl script which does pop3 authentication, it should be
>> straightforward to run it in FreeRADIUS.
>
> Sorry, I don't know what you meant by that.

  It's a Perl script... if you can run it from the command line, you can tell FreeRADIUS to load the same script.  Maybe with some modifications, but that's it.

  There's no magic here.

>> But the Perl script rejected the user.
>
> Ok so I was testing some things in a virtual machine and realized
> something. I did the exact same configuration that in the server and
> radtest locally was successful in the VM but not in the server. And that's
> when I noticed that whenever I used radtest [gmail acc] [password]
> localhost 0 testing123 the output I received had the localhost IP address
> as NAS-IP-Address and this was successful without adding the user to the
> users file. However when running the same command in the server the
> NAS-IP-Address was the IP of the server and not localhost (the same happens
> with user bob) and gets rejected,

  So... something *else* in the configuration is broken.  You added local rules which set the password for the user, but only if the packet includes the correct NAS-IP-Address.

  i.e. you edited the server configuration so that packets using one NAS-IP-Address work, and packets using another NAS-IP-Address fail.

  We don't know the IP of your RADIUS server.  So we didn't create that configuration.  The default configuration doesn't contain these rules.

  So... what did you change, and why?  It's your configuration.  You should know that.

> but it's successful if you add the mail
> and password in the users file.

  That is sort of how the RADIUS server works... if you add a username && password, that user gets authenticated with that password.

> Basically, in VM: $radtest [hidden email] password localhost 0 testing123

  And all of that is useless.  I have NO idea why people are so insistent on looking at *client* output when they're trying to debug the *server*.

  ALL of the documentation says to run the server in debugging mode.  Then READ It.  If you're not clear on what it means, POST IT to the list.  ALL OF IT.

  You're working hard to do everything EXCEPT what the documentation says to do.  Why?

  Alan DeKok.



Re: Perl script error when testing locally

bhp1
Hey Alan, sorry for the trouble. I want to debug the script like you told me
in your first response so I looked into the documentation
https://wiki.freeradius.org/modules/Rlm_perl

However it seems that my freeradius is not built because I can't find any
rlm_perl file. My version of freeradius is "FreeRADIUS Version 3.0.16, for
host x86_64-pc-linux-gnu, built on Apr 17 2019" can you guide me into
setting the debug for the script?

Another question: In the tutorial there is no need to create any users in
the users file, however I've seen people setting Auth-Type there, I have
only modified the perl, default, and inner-tunnel files. Is it necessary to
use Auth-Type in the users file if the authentication info is in the
default and inner-tunnel files?

This is the debug I get when adding "DEFAULT Auth-type := perl" into the
users file

(0) Received Access-Request Id 225 from 192.168.128.34:39135 to
146.83.124.26:1812 length 401
(0)   User-Name = "[hidden email]"
(0)   NAS-IP-Address = 192.168.128.34
(0)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 1
(0)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(0)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6"
(0)   Acct-Session-Id = "4A25A54837C27AEE"
(0)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027074
(0)   WLAN-AKM-Suite = 1027073
(0)   WLAN-Group-Mgmt-Cipher = 1027078
(0)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(0)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(0)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(0)   Meraki-Device-Name = "AP-V1-Soporte"
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0232001001776966694075636e2e636c
(0)   Message-Authenticator = 0xa68c411d72591cae60941b92339cdc75
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(0) suffix: No such realm "ucn.cl"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 50 length 16
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 51 length 6
(0) eap: EAP session adding &reply:State = 0xbe3287d8be019e17
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 225 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(0)   EAP-Message = 0x013300061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xbe3287d8be019e17d53d25d4ed3e92cc
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 226 from 192.168.128.34:39135 to
146.83.124.26:1812 length 569
(1)   User-Name = "[hidden email]"
(1)   NAS-IP-Address = 192.168.128.34
(1)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 1
(1)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(1)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"
(1)   Acct-Session-Id = "4A25A54837C27AEE"
(1)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027074
(1)   WLAN-AKM-Suite = 1027073
(1)   WLAN-Group-Mgmt-Cipher = 1027078
(1)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(1)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(1)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(1)   Meraki-Device-Name = "AP-V1-Soporte"
(1)   Framed-MTU = 1400
(1)   EAP-Message =
0x023300a619800000009c16030300970100009303035f6fd5a116236c3ad072cab86c6633e80c2cba2d3eba041ca77f9969d4cd27f200002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(1)   State = 0xbe3287d8be019e17d53d25d4ed3e92cc
(1)   Message-Authenticator = 0x70b430c44dc0223eeffbf4a461feaa1e
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(1) suffix: No such realm "ucn.cl"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 51 length 166
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xbe3287d8be019e17
(1) eap: Finished EAP session with state 0xbe3287d8be019e17
(1) eap: Previous EAP request found for state 0xbe3287d8be019e17, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(1) eap_peap: Got complete TLS record (156 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0097]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2  [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2  [length 0302]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 52 length 1004
(1) eap: EAP session adding &reply:State = 0xbe3287d8bf069e17
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 226 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(1)   EAP-Message =
0x013403ec19c0000004a4160303003d0200003903036e154e4915de52516c17cf408a06f99a670a3b50aac05c6f3b26df830701bf2c00c030000011ff01000100000b0004030001020017000016030303020b0002fe0002fb0002f8308202f4308201dca00302010202147b86828007dd65cd4945e2b1e8
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xbe3287d8bf069e17d53d25d4ed3e92cc
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 227 from 192.168.128.34:39135 to
146.83.124.26:1812 length 409
(2)   User-Name = "[hidden email]"
(2)   NAS-IP-Address = 192.168.128.34
(2)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   NAS-Port = 1
(2)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(2)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"
(2)   Acct-Session-Id = "4A25A54837C27AEE"
(2)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027074
(2)   WLAN-AKM-Suite = 1027073
(2)   WLAN-Group-Mgmt-Cipher = 1027078
(2)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(2)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(2)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(2)   Meraki-Device-Name = "AP-V1-Soporte"
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x023400061900
(2)   State = 0xbe3287d8bf069e17d53d25d4ed3e92cc
(2)   Message-Authenticator = 0x11562e7bdea56d1ebfa5b1f7e9946f40
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(2) suffix: No such realm "ucn.cl"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 52 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xbe3287d8bf069e17
(2) eap: Finished EAP session with state 0xbe3287d8bf069e17
(2) eap: Previous EAP request found for state 0xbe3287d8bf069e17, released
from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 53 length 200
(2) eap: EAP session adding &reply:State = 0xbe3287d8bc079e17
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 227 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(2)   EAP-Message =
0x013500c81900b2537e36e34bbfd41cd623e11161bfd195e26f3e2661034c829b88a36d4db03012a40148fadc35efeceb571d964395e934ff1ee1749a8229793c8b0d4384ffff3a24ba3695143ba88ed57bdfd5fd522f63bed37b4c208e75a34a25046dd018cb9ed62f9f63e041b5653a461561831fb272
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xbe3287d8bc079e17d53d25d4ed3e92cc
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 228 from 192.168.128.34:39135 to
146.83.124.26:1812 length 539
(3)   User-Name = "[hidden email]"
(3)   NAS-IP-Address = 192.168.128.34
(3)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   NAS-Port = 1
(3)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(3)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6"
(3)   Acct-Session-Id = "4A25A54837C27AEE"
(3)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027074
(3)   WLAN-AKM-Suite = 1027073
(3)   WLAN-Group-Mgmt-Cipher = 1027078
(3)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(3)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(3)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(3)   Meraki-Device-Name = "AP-V1-Soporte"
(3)   Framed-MTU = 1400
(3)   EAP-Message =
0x0235008819800000007e16030300461000004241042307a597b9b273cc233709636cd0447db7d4b086714adef8bc57ec2b3da45d9d99f0a36a6cf2a176c210ac8f84f318c6d44b2eb732e2e0ef61b643976781423b140303000101160303002800000000000000009b5cb21b65da785cc3e452846f5d6d
(3)   State = 0xbe3287d8bc079e17d53d25d4ed3e92cc
(3)   Message-Authenticator = 0x99034d2bc046457d261c411dd34b5786
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(3) suffix: No such realm "ucn.cl"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 53 length 136
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xbe3287d8bc079e17
(3) eap: Finished EAP session with state 0xbe3287d8bc079e17
(3) eap: Previous EAP request found for state 0xbe3287d8bc079e17, released
from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(3) eap_peap: Got complete TLS record (126 bytes)
(3) eap_peap: [eaptls verify] = length included
(3) eap_peap: TLS_accept: SSLv3/TLS write server done
(3) eap_peap: <<< recv TLS 1.2  [length 0046]
(3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(3) eap_peap: <<< recv TLS 1.2  [length 0010]
(3) eap_peap: TLS_accept: SSLv3/TLS read finished
(3) eap_peap: >>> send TLS 1.2  [length 0001]
(3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(3) eap_peap: >>> send TLS 1.2  [length 0010]
(3) eap_peap: TLS_accept: SSLv3/TLS write finished
(3) eap_peap: (other): SSL negotiation finished successfully
(3) eap_peap: SSL Connection Established
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 54 length 57
(3) eap: EAP session adding &reply:State = 0xbe3287d8bd049e17
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 228 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(3)   EAP-Message =
0x01360039190014030300010116030300288c3e77d5349c8e2f62583af5d783453bd16b6336af7f7e0587def2bff8fc8b5a76218d2a98dbc262
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xbe3287d8bd049e17d53d25d4ed3e92cc
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 229 from 192.168.128.34:39135 to
146.83.124.26:1812 length 409
(4)   User-Name = "[hidden email]"
(4)   NAS-IP-Address = 192.168.128.34
(4)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   NAS-Port = 1
(4)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(4)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 57 / Channel: 6"
(4)   Acct-Session-Id = "4A25A54837C27AEE"
(4)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027074
(4)   WLAN-AKM-Suite = 1027073
(4)   WLAN-Group-Mgmt-Cipher = 1027078
(4)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(4)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(4)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(4)   Meraki-Device-Name = "AP-V1-Soporte"
(4)   Framed-MTU = 1400
(4)   EAP-Message = 0x023600061900
(4)   State = 0xbe3287d8bd049e17d53d25d4ed3e92cc
(4)   Message-Authenticator = 0xf250133722573b7d77212ef09bf6e652
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(4) suffix: No such realm "ucn.cl"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 54 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xbe3287d8bd049e17
(4) eap: Finished EAP session with state 0xbe3287d8bd049e17
(4) eap: Previous EAP request found for state 0xbe3287d8bd049e17, released
from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(4) eap_peap: [eaptls verify] = success
(4) eap_peap: [eaptls process] = success
(4) eap_peap: Session established.  Decoding tunneled attributes
(4) eap_peap: PEAP state TUNNEL ESTABLISHED
(4) eap: Sending EAP Request (code 1) ID 55 length 40
(4) eap: EAP session adding &reply:State = 0xbe3287d8ba059e17
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 229 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(4)   EAP-Message =
0x013700281900170303001d8c3e77d5349c8e30345da27aa3b6e6d3b8fe3fbc34b91bf7b09188991a
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xbe3287d8ba059e17d53d25d4ed3e92cc
(4) Finished request
Waking up in 3.1 seconds.
(5) Received Access-Request Id 230 from 192.168.128.34:39135 to
146.83.124.26:1812 length 450
(5)   User-Name = "[hidden email]"
(5)   NAS-IP-Address = 192.168.128.34
(5)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   NAS-Port = 1
(5)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(5)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"
(5)   Acct-Session-Id = "4A25A54837C27AEE"
(5)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027074
(5)   WLAN-AKM-Suite = 1027073
(5)   WLAN-Group-Mgmt-Cipher = 1027078
(5)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(5)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(5)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(5)   Meraki-Device-Name = "AP-V1-Soporte"
(5)   Framed-MTU = 1400
(5)   EAP-Message =
0x0237002f1900170303002400000000000000018f6ecdd91239f55b54a3fbb836f085dd9caf7ae762026cd9f0cdebea
(5)   State = 0xbe3287d8ba059e17d53d25d4ed3e92cc
(5)   Message-Authenticator = 0xd31ccd03124e30195bf3561cbdb7819d
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(5) suffix: No such realm "ucn.cl"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 55 length 47
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xbe3287d8ba059e17
(5) eap: Finished EAP session with state 0xbe3287d8ba059e17
(5) eap: Previous EAP request found for state 0xbe3287d8ba059e17, released
from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: [eaptls verify] = ok
(5) eap_peap: Done initial handshake
(5) eap_peap: [eaptls process] = ok
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(5) eap_peap: Identity - [hidden email]
(5) eap_peap: Got inner identity '[hidden email]'
(5) eap_peap: Setting default EAP type for tunneled EAP session
(5) eap_peap: Got tunneled request
(5) eap_peap:   EAP-Message = 0x0237001001776966694075636e2e636c
(5) eap_peap: Setting User-Name to [hidden email]
(5) eap_peap: Sending tunneled request to inner-tunnel
(5) eap_peap:   EAP-Message = 0x0237001001776966694075636e2e636c
(5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_peap:   User-Name = "[hidden email]"
(5) Virtual server inner-tunnel received request
(5)   EAP-Message = 0x0237001001776966694075636e2e636c
(5)   FreeRADIUS-Proxied-To = 127.0.0.1
(5)   User-Name = "[hidden email]"
(5) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(5) server inner-tunnel {
(5)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authorize {
(5)       policy filter_username {
(5)         if (&User-Name) {
(5)         if (&User-Name)  -> TRUE
(5)         if (&User-Name)  {
(5)           if (&User-Name =~ / /) {
(5)           if (&User-Name =~ / /)  -> FALSE
(5)           if (&User-Name =~ /@[^@]*@/ ) {
(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)           if (&User-Name =~ /\.\./ ) {
(5)           if (&User-Name =~ /\.\./ )  -> FALSE
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5)           if (&User-Name =~ /\.$/)  {
(5)           if (&User-Name =~ /\.$/)   -> FALSE
(5)           if (&User-Name =~ /@\./)  {
(5)           if (&User-Name =~ /@\./)   -> FALSE
(5)         } # if (&User-Name)  = notfound
(5)       } # policy filter_username = notfound
(5)       [chap] = noop
(5)       [mschap] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(5) suffix: No such realm "ucn.cl"
(5)       [suffix] = noop
(5)       update control {
(5)         &Proxy-To-Realm := LOCAL
(5)       } # update control = noop
(5) eap: Peer sent EAP Response (code 2) ID 55 length 16
(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(5)       [eap] = ok
(5)     } # authorize = ok
(5)   Found Auth-Type = eap
(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(5)     authenticate {
(5) eap: Peer sent packet with method EAP Identity (1)
(5) eap: Calling submodule eap_gtc to process data
(5) eap_gtc: EXPAND Password:
(5) eap_gtc:    --> Password:
(5) eap: Sending EAP Request (code 1) ID 56 length 15
(5) eap: EAP session adding &reply:State = 0xe2b7c3f6e28fc511
(5)       [eap] = handled
(5)     } # authenticate = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5)   EAP-Message = 0x0138000f0650617373776f72643a20
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5
(5) eap_peap: Got tunneled reply code 11
(5) eap_peap:   EAP-Message = 0x0138000f0650617373776f72643a20
(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap:   State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5
(5) eap_peap: Got tunneled reply RADIUS code 11
(5) eap_peap:   EAP-Message = 0x0138000f0650617373776f72643a20
(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(5) eap_peap:   State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5
(5) eap_peap: Got tunneled Access-Challenge
(5) eap: Sending EAP Request (code 1) ID 56 length 46
(5) eap: EAP session adding &reply:State = 0xbe3287d8bb0a9e17
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 230 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(5)   EAP-Message =
0x0138002e190017030300238c3e77d5349c8e3104e1459e343ecf80b944f6189125f9cca25673e74bcb1dfa13948c
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xbe3287d8bb0a9e17d53d25d4ed3e92cc
(5) Finished request
Waking up in 3.1 seconds.
(6) Received Access-Request Id 231 from 192.168.128.34:39135 to
146.83.124.26:1812 length 440
(6)   User-Name = "[hidden email]"
(6)   NAS-IP-Address = 192.168.128.34
(6)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Service-Type = Framed-User
(6)   NAS-Port = 1
(6)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(6)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"
(6)   Acct-Session-Id = "4A25A54837C27AEE"
(6)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(6)   WLAN-Pairwise-Cipher = 1027076
(6)   WLAN-Group-Cipher = 1027074
(6)   WLAN-AKM-Suite = 1027073
(6)   WLAN-Group-Mgmt-Cipher = 1027078
(6)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(6)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(6)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(6)   Meraki-Device-Name = "AP-V1-Soporte"
(6)   Framed-MTU = 1400
(6)   EAP-Message =
0x023800251900170303001a00000000000000021cac97495f504f4062d14dee34ce4a3088be
(6)   State = 0xbe3287d8bb0a9e17d53d25d4ed3e92cc
(6)   Message-Authenticator = 0x41a83c3c747a2e43eb827a5d57f6ccfc
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(6) suffix: No such realm "ucn.cl"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 56 length 37
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xe2b7c3f6e28fc511
(6) eap: Finished EAP session with state 0xbe3287d8bb0a9e17
(6) eap: Previous EAP request found for state 0xbe3287d8bb0a9e17, released
from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state phase2
(6) eap_peap: EAP method NAK (3)
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x02380006031a
(6) eap_peap: Setting User-Name to [hidden email]
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x02380006031a
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "[hidden email]"
(6) eap_peap:   State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x02380006031a
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "[hidden email]"
(6)   State = 0xe2b7c3f6e28fc5119e7be4a0e5b4d0b5
(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(6) server inner-tunnel {
(6)   session-state: No cached attributes
(6)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(6) suffix: No such realm "ucn.cl"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 56 length 6
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6)       [eap] = updated
(6) files: users: Matched entry DEFAULT at line 6
(6)       [files] = ok
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)       [pap] = noop
(6)     } # authorize = updated
(6)   Found Auth-Type = Perl
(6)   Auth-Type sub-section not found.  Ignoring.
(6)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> [hidden email]
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)       update outer.session-state {
(6)         No attributes updated
(6)       } # update outer.session-state = noop
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) eap_peap: Got tunneled reply code 3
(6) eap_peap: Got tunneled reply RADIUS code 3
(6) eap_peap: Tunneled authentication was rejected
(6) eap_peap: FAILURE
(6) eap: Sending EAP Request (code 1) ID 57 length 46
(6) eap: EAP session adding &reply:State = 0xbe3287d8b80b9e17
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 231 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(6)   EAP-Message =
0x0139002e190017030300238c3e77d5349c8e32d6ca3a9b03de1a9d598af354a2b5a0ffa693028a4603810a6a636a
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xbe3287d8b80b9e17d53d25d4ed3e92cc
(6) Finished request
Waking up in 3.1 seconds.
(7) Received Access-Request Id 232 from 192.168.128.34:39135 to
146.83.124.26:1812 length 449
(7)   User-Name = "[hidden email]"
(7)   NAS-IP-Address = 192.168.128.34
(7)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   NAS-Port = 1
(7)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(7)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"
(7)   Acct-Session-Id = "4A25A54837C27AEE"
(7)   Acct-Multi-Session-Id = "9B376A4223EDB7C1"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027074
(7)   WLAN-AKM-Suite = 1027073
(7)   WLAN-Group-Mgmt-Cipher = 1027078
(7)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(7)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(7)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(7)   Meraki-Device-Name = "AP-V1-Soporte"
(7)   Framed-MTU = 1400
(7)   EAP-Message =
0x0239002e190017030300230000000000000003615fbcaddee81e2f9c7c17d32c21d594e0264b256a8296b8738214
(7)   State = 0xbe3287d8b80b9e17d53d25d4ed3e92cc
(7)   Message-Authenticator = 0x7dcf7aa29be880baebb100d40c138ee7
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(7) suffix: No such realm "ucn.cl"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 57 length 46
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0xe2b7c3f6e28fc511
(7) eap: Finished EAP session with state 0xbe3287d8b80b9e17
(7) eap: Previous EAP request found for state 0xbe3287d8b80b9e17, released
from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state send tlv failure
(7) eap_peap: Received EAP-TLV response
(7) eap_peap:   ERROR: The users session was previously rejected: returning
reject (again.)
(7) eap_peap:   This means you need to read the PREVIOUS messages in the
debug output
(7) eap_peap:   to find out the reason why the user was rejected
(7) eap_peap:   Look for "reject" or "fail".  Those earlier messages will
tell you
(7) eap_peap:   what went wrong, and how to fix the problem
(7) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed
(7) eap: Sending EAP Failure (code 4) ID 57 length 4
(7) eap: Failed in EAP select
(7)     [eap] = invalid
(7)   } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> [hidden email]
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(7) Sending delayed response
(7) Sent Access-Reject Id 232 from 146.83.124.26:1812 to
192.168.128.34:39135 length 44
(7)   EAP-Message = 0x04390004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.0 seconds.
(0) Cleaning up request packet ID 225 with timestamp +61
(1) Cleaning up request packet ID 226 with timestamp +61
(2) Cleaning up request packet ID 227 with timestamp +61
(3) Cleaning up request packet ID 228 with timestamp +61
Waking up in 1.8 seconds.
(4) Cleaning up request packet ID 229 with timestamp +63
(5) Cleaning up request packet ID 230 with timestamp +63
(6) Cleaning up request packet ID 231 with timestamp +63
(7) Cleaning up request packet ID 232 with timestamp +63

And this is the output without anything in the users file (like the
tutorial):

(0) Received Access-Request Id 233 from 192.168.128.34:39135 to
146.83.124.26:1812 length 401
(0)   User-Name = "[hidden email]"
(0)   NAS-IP-Address = 192.168.128.34
(0)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   NAS-Port = 1
(0)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(0)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"
(0)   Acct-Session-Id = "23B63E3CCB9D303A"
(0)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027074
(0)   WLAN-AKM-Suite = 1027073
(0)   WLAN-Group-Mgmt-Cipher = 1027078
(0)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(0)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(0)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(0)   Meraki-Device-Name = "AP-V1-Soporte"
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0215001001776966694075636e2e636c
(0)   Message-Authenticator = 0x8dd238936888555d416ce50161d4a51e
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(0) suffix: No such realm "ucn.cl"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 21 length 16
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 22 length 6
(0) eap: EAP session adding &reply:State = 0x6ad69de36ac084d4
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 233 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(0)   EAP-Message = 0x011600061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x6ad69de36ac084d46d2973b34eeb86b0
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 234 from 192.168.128.34:39135 to
146.83.124.26:1812 length 569
(1)   User-Name = "[hidden email]"
(1)   NAS-IP-Address = 192.168.128.34
(1)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 1
(1)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"
(1)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"
(1)   Acct-Session-Id = "23B63E3CCB9D303A"
(1)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027074
(1)   WLAN-AKM-Suite = 1027073
(1)   WLAN-Group-Mgmt-Cipher = 1027078
(1)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373
(1)   Attr-26.29671.3 = 0x41502d56312d536f706f727465
(1)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649
(1)   Meraki-Device-Name = "AP-V1-Soporte"
(1)   Framed-MTU = 1400
(1)   EAP-Message =
0x021600a619800000009c16030300970100009303035f6fd6edbe6bd2a4ffffa547c0e4e14592a91d3675f372cccfb622521d15008100002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d
(1)   State = 0x6ad69de36ac084d46d2973b34eeb86b0
(1)   Message-Authenticator = 0xee340f5c4665c8a86e5f7ccbe3047a02
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"
(1) suffix: No such realm "ucn.cl"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 22 length 166
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0x6ad69de36ac084d4
(1) eap: Finished EAP session with state 0x6ad69de36ac084d4
(1) eap: Previous EAP request found for state 0x6ad69de36ac084d4, released
from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 156 bytes
(1) eap_peap: Got complete TLS record (156 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: TLS_accept: before SSL initialization
(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0097]
(1) eap_peap: TLS_accept: SSLv3/TLS read client hello
(1) eap_peap: >>> send TLS 1.2  [length 003d]
(1) eap_peap: TLS_accept: SSLv3/TLS write server hello
(1) eap_peap: >>> send TLS 1.2  [length 0302]
(1) eap_peap: TLS_accept: SSLv3/TLS write certificate
(1) eap_peap: >>> send TLS 1.2  [length 014d]
(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(1) eap_peap: >>> send TLS 1.2  [length 0004]
(1) eap_peap: TLS_accept: SSLv3/TLS write server done
(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 23 length 1004
(1) eap: EAP session adding &reply:State = 0x6ad69de36bc184d4
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 234 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0
(1)   EAP-Message =
0x011703ec19c0000004a4160303003d02000039030376a744862e1aa8e551923d46047090ee28e8834b27f89e4d3721123b746aa8b100c030000011ff01000100000b0004030001020017000016030303020b0002fe0002fb0002f8308202f4308201dca00302010202147b86828007dd65cd4945e2b1e8

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0x6ad69de36bc184d46d2973b34eeb86b0

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 235 from 192.168.128.34:39135 to
146.83.124.26:1812 length 409

(2)   User-Name = "[hidden email]"

(2)   NAS-IP-Address = 192.168.128.34

(2)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(2)   NAS-Port-Type = Wireless-802.11

(2)   Service-Type = Framed-User

(2)   NAS-Port = 1

(2)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(2)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 6"

(2)   Acct-Session-Id = "23B63E3CCB9D303A"

(2)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(2)   WLAN-Pairwise-Cipher = 1027076

(2)   WLAN-Group-Cipher = 1027074

(2)   WLAN-AKM-Suite = 1027073

(2)   WLAN-Group-Mgmt-Cipher = 1027078

(2)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(2)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(2)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(2)   Meraki-Device-Name = "AP-V1-Soporte"

(2)   Framed-MTU = 1400

(2)   EAP-Message = 0x021700061900

(2)   State = 0x6ad69de36bc184d46d2973b34eeb86b0

(2)   Message-Authenticator = 0x3a4f384e954bd460d74e79bfff5769c3

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(2) suffix: No such realm "ucn.cl"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 23 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0x6ad69de36bc184d4

(2) eap: Finished EAP session with state 0x6ad69de36bc184d4

(2) eap: Previous EAP request found for state 0x6ad69de36bc184d4, released
from the list

(2) eap: Peer sent packet with method EAP PEAP (25)

(2) eap: Calling submodule eap_peap to process data

(2) eap_peap: Continuing EAP-TLS

(2) eap_peap: Peer ACKed our handshake fragment

(2) eap_peap: [eaptls verify] = request

(2) eap_peap: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 24 length 200

(2) eap: EAP session adding &reply:State = 0x6ad69de368ce84d4

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 235 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(2)   EAP-Message =
0x011800c81900444c65413d39c91a3f03992d12e0cf4b0a1b5a9fcde4c888afa0fc3589594087e009becc0d6a31adf43d3f30793550ec081bc59642d5b71583ec131ec1433d4646d9e051860ca570c0ba3babef73f21c640db1add8ef45ed00ee8b70b4fbd298df33f628fcd29b46cc4fb59569e8a07dd4

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0x6ad69de368ce84d46d2973b34eeb86b0

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 236 from 192.168.128.34:39135 to
146.83.124.26:1812 length 539

(3)   User-Name = "[hidden email]"

(3)   NAS-IP-Address = 192.168.128.34

(3)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(3)   NAS-Port-Type = Wireless-802.11

(3)   Service-Type = Framed-User

(3)   NAS-Port = 1

(3)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(3)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"

(3)   Acct-Session-Id = "23B63E3CCB9D303A"

(3)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(3)   WLAN-Pairwise-Cipher = 1027076

(3)   WLAN-Group-Cipher = 1027074

(3)   WLAN-AKM-Suite = 1027073

(3)   WLAN-Group-Mgmt-Cipher = 1027078

(3)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(3)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(3)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(3)   Meraki-Device-Name = "AP-V1-Soporte"

(3)   Framed-MTU = 1400

(3)   EAP-Message =
0x0218008819800000007e160303004610000042410485e9fffe687c209d9b67963b680a6227fdb998f81e9570ec54586ebdc2c5ff48475ee98fd551c40e598e0b260acf021d5a6c5437038c62adcfbe31f4ac2c0e0b14030300010116030300280000000000000000b3930e73af6cc97c197e1d5a4c327c

(3)   State = 0x6ad69de368ce84d46d2973b34eeb86b0

(3)   Message-Authenticator = 0x1cca575a0826f96e99e8b780a238c818

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(3) suffix: No such realm "ucn.cl"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 24 length 136

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0x6ad69de368ce84d4

(3) eap: Finished EAP session with state 0x6ad69de368ce84d4

(3) eap: Previous EAP request found for state 0x6ad69de368ce84d4, released
from the list

(3) eap: Peer sent packet with method EAP PEAP (25)

(3) eap: Calling submodule eap_peap to process data

(3) eap_peap: Continuing EAP-TLS

(3) eap_peap: Peer indicated complete TLS record size will be 126 bytes

(3) eap_peap: Got complete TLS record (126 bytes)

(3) eap_peap: [eaptls verify] = length included

(3) eap_peap: TLS_accept: SSLv3/TLS write server done

(3) eap_peap: <<< recv TLS 1.2  [length 0046]

(3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange

(3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec

(3) eap_peap: <<< recv TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS read finished

(3) eap_peap: >>> send TLS 1.2  [length 0001]

(3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec

(3) eap_peap: >>> send TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS write finished

(3) eap_peap: (other): SSL negotiation finished successfully

(3) eap_peap: SSL Connection Established

(3) eap_peap: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 25 length 57

(3) eap: EAP session adding &reply:State = 0x6ad69de369cf84d4

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) Sent Access-Challenge Id 236 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(3)   EAP-Message =
0x0119003919001403030001011603030028f78c11b0ef5a70f07f3e47207a02b3c4b3c1ffbc4d1f87d3ee8d30100070d389e575de8ac372c617

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0x6ad69de369cf84d46d2973b34eeb86b0

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 237 from 192.168.128.34:39135 to
146.83.124.26:1812 length 409

(4)   User-Name = "[hidden email]"

(4)   NAS-IP-Address = 192.168.128.34

(4)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(4)   NAS-Port-Type = Wireless-802.11

(4)   Service-Type = Framed-User

(4)   NAS-Port = 1

(4)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(4)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"

(4)   Acct-Session-Id = "23B63E3CCB9D303A"

(4)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(4)   WLAN-Pairwise-Cipher = 1027076

(4)   WLAN-Group-Cipher = 1027074

(4)   WLAN-AKM-Suite = 1027073

(4)   WLAN-Group-Mgmt-Cipher = 1027078

(4)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(4)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(4)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(4)   Meraki-Device-Name = "AP-V1-Soporte"

(4)   Framed-MTU = 1400

(4)   EAP-Message = 0x021900061900

(4)   State = 0x6ad69de369cf84d46d2973b34eeb86b0

(4)   Message-Authenticator = 0x527b607bdf79a41a4ead8fb439e209ae

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4)     [chap] = noop

(4)     [mschap] = noop

(4)     [digest] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(4) suffix: No such realm "ucn.cl"

(4)     [suffix] = noop

(4) eap: Peer sent EAP Response (code 2) ID 25 length 6

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0x6ad69de369cf84d4

(4) eap: Finished EAP session with state 0x6ad69de369cf84d4

(4) eap: Previous EAP request found for state 0x6ad69de369cf84d4, released
from the list

(4) eap: Peer sent packet with method EAP PEAP (25)

(4) eap: Calling submodule eap_peap to process data

(4) eap_peap: Continuing EAP-TLS

(4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished

(4) eap_peap: [eaptls verify] = success

(4) eap_peap: [eaptls process] = success

(4) eap_peap: Session established.  Decoding tunneled attributes

(4) eap_peap: PEAP state TUNNEL ESTABLISHED

(4) eap: Sending EAP Request (code 1) ID 26 length 40

(4) eap: EAP session adding &reply:State = 0x6ad69de36ecc84d4

(4)     [eap] = handled

(4)   } # authenticate = handled

(4) Using Post-Auth-Type Challenge

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   Challenge { ... } # empty sub-section is ignored

(4) Sent Access-Challenge Id 237 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(4)   EAP-Message =
0x011a00281900170303001df78c11b0ef5a70f19808dcc71088b35221975d9fd11d000e5f9d5034e9

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   State = 0x6ad69de36ecc84d46d2973b34eeb86b0

(4) Finished request

Waking up in 3.2 seconds.

(5) Received Access-Request Id 238 from 192.168.128.34:39135 to
146.83.124.26:1812 length 450

(5)   User-Name = "[hidden email]"

(5)   NAS-IP-Address = 192.168.128.34

(5)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(5)   NAS-Port-Type = Wireless-802.11

(5)   Service-Type = Framed-User

(5)   NAS-Port = 1

(5)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(5)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"

(5)   Acct-Session-Id = "23B63E3CCB9D303A"

(5)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(5)   WLAN-Pairwise-Cipher = 1027076

(5)   WLAN-Group-Cipher = 1027074

(5)   WLAN-AKM-Suite = 1027073

(5)   WLAN-Group-Mgmt-Cipher = 1027078

(5)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(5)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(5)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(5)   Meraki-Device-Name = "AP-V1-Soporte"

(5)   Framed-MTU = 1400

(5)   EAP-Message =
0x021a002f1900170303002400000000000000015be4b0038f810ebc0471036a59f620b95f62c382078d0faee2358b5f

(5)   State = 0x6ad69de36ecc84d46d2973b34eeb86b0

(5)   Message-Authenticator = 0x6b3df7c2248e6201f5834ee5b695fe04

(5) session-state: No cached attributes

(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5)     [chap] = noop

(5)     [mschap] = noop

(5)     [digest] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(5) suffix: No such realm "ucn.cl"

(5)     [suffix] = noop

(5) eap: Peer sent EAP Response (code 2) ID 26 length 47

(5) eap: Continuing tunnel setup

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   authenticate {

(5) eap: Expiring EAP session with state 0x6ad69de36ecc84d4

(5) eap: Finished EAP session with state 0x6ad69de36ecc84d4

(5) eap: Previous EAP request found for state 0x6ad69de36ecc84d4, released
from the list

(5) eap: Peer sent packet with method EAP PEAP (25)

(5) eap: Calling submodule eap_peap to process data

(5) eap_peap: Continuing EAP-TLS

(5) eap_peap: [eaptls verify] = ok

(5) eap_peap: Done initial handshake

(5) eap_peap: [eaptls process] = ok

(5) eap_peap: Session established.  Decoding tunneled attributes

(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY

(5) eap_peap: Identity - [hidden email]

(5) eap_peap: Got inner identity '[hidden email]'

(5) eap_peap: Setting default EAP type for tunneled EAP session

(5) eap_peap: Got tunneled request

(5) eap_peap:   EAP-Message = 0x021a001001776966694075636e2e636c

(5) eap_peap: Setting User-Name to [hidden email]

(5) eap_peap: Sending tunneled request to inner-tunnel

(5) eap_peap:   EAP-Message = 0x021a001001776966694075636e2e636c

(5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(5) eap_peap:   User-Name = "[hidden email]"

(5) Virtual server inner-tunnel received request

(5)   EAP-Message = 0x021a001001776966694075636e2e636c

(5)   FreeRADIUS-Proxied-To = 127.0.0.1

(5)   User-Name = "[hidden email]"

(5) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(5) server inner-tunnel {

(5)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authorize {

(5)       policy filter_username {

(5)         if (&User-Name) {

(5)         if (&User-Name)  -> TRUE

(5)         if (&User-Name)  {

(5)           if (&User-Name =~ / /) {

(5)           if (&User-Name =~ / /)  -> FALSE

(5)           if (&User-Name =~ /@[^@]*@/ ) {

(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)           if (&User-Name =~ /\.\./ ) {

(5)           if (&User-Name =~ /\.\./ )  -> FALSE

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(5)           if (&User-Name =~ /\.$/)  {

(5)           if (&User-Name =~ /\.$/)   -> FALSE

(5)           if (&User-Name =~ /@\./)  {

(5)           if (&User-Name =~ /@\./)   -> FALSE

(5)         } # if (&User-Name)  = notfound

(5)       } # policy filter_username = notfound

(5)       [chap] = noop

(5)       [mschap] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(5) suffix: No such realm "ucn.cl"

(5)       [suffix] = noop

(5)       update control {

(5)         &Proxy-To-Realm := LOCAL

(5)       } # update control = noop

(5) eap: Peer sent EAP Response (code 2) ID 26 length 16

(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(5)       [eap] = ok

(5)     } # authorize = ok

(5)   Found Auth-Type = eap

(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authenticate {

(5) eap: Peer sent packet with method EAP Identity (1)

(5) eap: Calling submodule eap_gtc to process data

(5) eap_gtc: EXPAND Password:

(5) eap_gtc:    --> Password:

(5) eap: Sending EAP Request (code 1) ID 27 length 15

(5) eap: EAP session adding &reply:State = 0xd7cb9988d7d09f6c

(5)       [eap] = handled

(5)     } # authenticate = handled

(5) } # server inner-tunnel

(5) Virtual server sending reply

(5)   EAP-Message = 0x011b000f0650617373776f72643a20

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6

(5) eap_peap: Got tunneled reply code 11

(5) eap_peap:   EAP-Message = 0x011b000f0650617373776f72643a20

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6

(5) eap_peap: Got tunneled reply RADIUS code 11

(5) eap_peap:   EAP-Message = 0x011b000f0650617373776f72643a20

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6

(5) eap_peap: Got tunneled Access-Challenge

(5) eap: Sending EAP Request (code 1) ID 27 length 46

(5) eap: EAP session adding &reply:State = 0x6ad69de36fcd84d4

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   Challenge { ... } # empty sub-section is ignored

(5) Sent Access-Challenge Id 238 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(5)   EAP-Message =
0x011b002e19001703030023f78c11b0ef5a70f2687e33c1b77be383f86d5b2f47fa678b105760e894a1df71575d35

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0x6ad69de36fcd84d46d2973b34eeb86b0

(5) Finished request

Waking up in 3.2 seconds.

(6) Received Access-Request Id 239 from 192.168.128.34:39135 to
146.83.124.26:1812 length 440

(6)   User-Name = "[hidden email]"

(6)   NAS-IP-Address = 192.168.128.34

(6)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(6)   NAS-Port-Type = Wireless-802.11

(6)   Service-Type = Framed-User

(6)   NAS-Port = 1

(6)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(6)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 58 / Channel: 6"

(6)   Acct-Session-Id = "23B63E3CCB9D303A"

(6)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(6)   WLAN-Pairwise-Cipher = 1027076

(6)   WLAN-Group-Cipher = 1027074

(6)   WLAN-AKM-Suite = 1027073

(6)   WLAN-Group-Mgmt-Cipher = 1027078

(6)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(6)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(6)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(6)   Meraki-Device-Name = "AP-V1-Soporte"

(6)   Framed-MTU = 1400

(6)   EAP-Message =
0x021b00251900170303001a00000000000000022174921174271e19d71271da29e503c17a05

(6)   State = 0x6ad69de36fcd84d46d2973b34eeb86b0

(6)   Message-Authenticator = 0x17697a1ac272270792eb2f0bf1cd519b

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6)     [chap] = noop

(6)     [mschap] = noop

(6)     [digest] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(6) suffix: No such realm "ucn.cl"

(6)     [suffix] = noop

(6) eap: Peer sent EAP Response (code 2) ID 27 length 37

(6) eap: Continuing tunnel setup

(6)     [eap] = ok

(6)   } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0xd7cb9988d7d09f6c

(6) eap: Finished EAP session with state 0x6ad69de36fcd84d4

(6) eap: Previous EAP request found for state 0x6ad69de36fcd84d4, released
from the list

(6) eap: Peer sent packet with method EAP PEAP (25)

(6) eap: Calling submodule eap_peap to process data

(6) eap_peap: Continuing EAP-TLS

(6) eap_peap: [eaptls verify] = ok

(6) eap_peap: Done initial handshake

(6) eap_peap: [eaptls process] = ok

(6) eap_peap: Session established.  Decoding tunneled attributes

(6) eap_peap: PEAP state phase2

(6) eap_peap: EAP method NAK (3)

(6) eap_peap: Got tunneled request

(6) eap_peap:   EAP-Message = 0x021b0006031a

(6) eap_peap: Setting User-Name to [hidden email]

(6) eap_peap: Sending tunneled request to inner-tunnel

(6) eap_peap:   EAP-Message = 0x021b0006031a

(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(6) eap_peap:   User-Name = "[hidden email]"

(6) eap_peap:   State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6

(6) Virtual server inner-tunnel received request

(6)   EAP-Message = 0x021b0006031a

(6)   FreeRADIUS-Proxied-To = 127.0.0.1

(6)   User-Name = "[hidden email]"

(6)   State = 0xd7cb9988d7d09f6cbc011ffc4c1837c6

(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(6) server inner-tunnel {

(6)   session-state: No cached attributes

(6)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authorize {

(6)       policy filter_username {

(6)         if (&User-Name) {

(6)         if (&User-Name)  -> TRUE

(6)         if (&User-Name)  {

(6)           if (&User-Name =~ / /) {

(6)           if (&User-Name =~ / /)  -> FALSE

(6)           if (&User-Name =~ /@[^@]*@/ ) {

(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)           if (&User-Name =~ /\.\./ ) {

(6)           if (&User-Name =~ /\.\./ )  -> FALSE

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(6)           if (&User-Name =~ /\.$/)  {

(6)           if (&User-Name =~ /\.$/)   -> FALSE

(6)           if (&User-Name =~ /@\./)  {

(6)           if (&User-Name =~ /@\./)   -> FALSE

(6)         } # if (&User-Name)  = notfound

(6)       } # policy filter_username = notfound

(6)       [chap] = noop

(6)       [mschap] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(6) suffix: No such realm "ucn.cl"

(6)       [suffix] = noop

(6)       update control {

(6)         &Proxy-To-Realm := LOCAL

(6)       } # update control = noop

(6) eap: Peer sent EAP Response (code 2) ID 27 length 6

(6) eap: No EAP Start, assuming it's an on-going EAP conversation

(6)       [eap] = updated

(6)       [files] = noop

(6)       [expiration] = noop

(6)       [logintime] = noop

(6)       [pap] = noop

(6)     } # authorize = updated

(6)   Found Auth-Type = eap

(6)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authenticate {

(6) eap: Expiring EAP session with state 0xd7cb9988d7d09f6c

(6) eap: Finished EAP session with state 0xd7cb9988d7d09f6c

(6) eap: Previous EAP request found for state 0xd7cb9988d7d09f6c, released
from the list

(6) eap: Peer sent packet with method EAP NAK (3)

(6) eap: Found mutually acceptable type MSCHAPv2 (26)

(6) eap: Calling submodule eap_mschapv2 to process data

(6) eap_mschapv2: Issuing Challenge

(6) eap: Sending EAP Request (code 1) ID 28 length 43

(6) eap: EAP session adding &reply:State = 0xd7cb9988d6d7836c

(6)       [eap] = handled

(6)     } # authenticate = handled

(6) } # server inner-tunnel

(6) Virtual server sending reply

(6)   EAP-Message =
0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0xd7cb9988d6d7836cbc011ffc4c1837c6

(6) eap_peap: Got tunneled reply code 11

(6) eap_peap:   EAP-Message =
0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0xd7cb9988d6d7836cbc011ffc4c1837c6

(6) eap_peap: Got tunneled reply RADIUS code 11

(6) eap_peap:   EAP-Message =
0x011c002b1a011c002610c913d976ec31369fef6c84c78edbec4c667265657261646975732d332e302e3136

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0xd7cb9988d6d7836cbc011ffc4c1837c6

(6) eap_peap: Got tunneled Access-Challenge

(6) eap: Sending EAP Request (code 1) ID 28 length 74

(6) eap: EAP session adding &reply:State = 0x6ad69de36cca84d4

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   Challenge { ... } # empty sub-section is ignored

(6) Sent Access-Challenge Id 239 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(6)   EAP-Message =
0x011c004a1900170303003ff78c11b0ef5a70f3645ddb1c566bbbe40c14311163f5678fe96c4c0f59a59ee92c6dc12e91a2c83380af8fd7b2c7e29fec5be7f62512ffac2470f709c5801b

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0x6ad69de36cca84d46d2973b34eeb86b0

(6) Finished request

Waking up in 3.2 seconds.

(7) Received Access-Request Id 240 from 192.168.128.34:39135 to
146.83.124.26:1812 length 504

(7)   User-Name = "[hidden email]"

(7)   NAS-IP-Address = 192.168.128.34

(7)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   NAS-Port = 1

(7)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(7)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 56 / Channel: 6"

(7)   Acct-Session-Id = "23B63E3CCB9D303A"

(7)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(7)   WLAN-Pairwise-Cipher = 1027076

(7)   WLAN-Group-Cipher = 1027074

(7)   WLAN-AKM-Suite = 1027073

(7)   WLAN-Group-Mgmt-Cipher = 1027078

(7)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(7)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(7)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(7)   Meraki-Device-Name = "AP-V1-Soporte"

(7)   Framed-MTU = 1400

(7)   EAP-Message =
0x021c00651900170303005a0000000000000003076f0970d6c7ef028a7a0cd4d2b29f5f743f27ad30b7917764773fbb61eb8e7216ca8a2e9dfbebb302a65ea624a5e472f89ebf891acd48bb768d23278f550c3029b2c2e9693ee8764f035d1de2d6f6fb5309

(7)   State = 0x6ad69de36cca84d46d2973b34eeb86b0

(7)   Message-Authenticator = 0xcf56fbac4a5ad153343e3c9b99c31ec4

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7)     [chap] = noop

(7)     [mschap] = noop

(7)     [digest] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(7) suffix: No such realm "ucn.cl"

(7)     [suffix] = noop

(7) eap: Peer sent EAP Response (code 2) ID 28 length 101

(7) eap: Continuing tunnel setup

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0xd7cb9988d6d7836c

(7) eap: Finished EAP session with state 0x6ad69de36cca84d4

(7) eap: Previous EAP request found for state 0x6ad69de36cca84d4, released
from the list

(7) eap: Peer sent packet with method EAP PEAP (25)

(7) eap: Calling submodule eap_peap to process data

(7) eap_peap: Continuing EAP-TLS

(7) eap_peap: [eaptls verify] = ok

(7) eap_peap: Done initial handshake

(7) eap_peap: [eaptls process] = ok

(7) eap_peap: Session established.  Decoding tunneled attributes

(7) eap_peap: PEAP state phase2

(7) eap_peap: EAP method MSCHAPv2 (26)

(7) eap_peap: Got tunneled request

(7) eap_peap:   EAP-Message =
0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c

(7) eap_peap: Setting User-Name to [hidden email]

(7) eap_peap: Sending tunneled request to inner-tunnel

(7) eap_peap:   EAP-Message =
0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c

(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(7) eap_peap:   User-Name = "[hidden email]"

(7) eap_peap:   State = 0xd7cb9988d6d7836cbc011ffc4c1837c6

(7) Virtual server inner-tunnel received request

(7)   EAP-Message =
0x021c00461a021c004131ab048fa3db377388ecc5be4a9dc872fc00000000000000001b7c2d6891b5b524d381a3223525e574d0d88d1990d6418900776966694075636e2e636c

(7)   FreeRADIUS-Proxied-To = 127.0.0.1

(7)   User-Name = "[hidden email]"

(7)   State = 0xd7cb9988d6d7836cbc011ffc4c1837c6

(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(7) server inner-tunnel {

(7)   session-state: No cached attributes

(7)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authorize {

(7)       policy filter_username {

(7)         if (&User-Name) {

(7)         if (&User-Name)  -> TRUE

(7)         if (&User-Name)  {

(7)           if (&User-Name =~ / /) {

(7)           if (&User-Name =~ / /)  -> FALSE

(7)           if (&User-Name =~ /@[^@]*@/ ) {

(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)           if (&User-Name =~ /\.\./ ) {

(7)           if (&User-Name =~ /\.\./ )  -> FALSE

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(7)           if (&User-Name =~ /\.$/)  {

(7)           if (&User-Name =~ /\.$/)   -> FALSE

(7)           if (&User-Name =~ /@\./)  {

(7)           if (&User-Name =~ /@\./)   -> FALSE

(7)         } # if (&User-Name)  = notfound

(7)       } # policy filter_username = notfound

(7)       [chap] = noop

(7)       [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(7) suffix: No such realm "ucn.cl"

(7)       [suffix] = noop

(7)       update control {

(7)         &Proxy-To-Realm := LOCAL

(7)       } # update control = noop

(7) eap: Peer sent EAP Response (code 2) ID 28 length 70

(7) eap: No EAP Start, assuming it's an on-going EAP conversation

(7)       [eap] = updated

(7)       [files] = noop

(7)       [expiration] = noop

(7)       [logintime] = noop

(7)       [pap] = noop

(7)     } # authorize = updated

(7)   Found Auth-Type = eap

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authenticate {

(7) eap: Expiring EAP session with state 0xd7cb9988d6d7836c

(7) eap: Finished EAP session with state 0xd7cb9988d6d7836c

(7) eap: Previous EAP request found for state 0xd7cb9988d6d7836c, released
from the list

(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)

(7) eap: Calling submodule eap_mschapv2 to process data

(7) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7) eap_mschapv2:   authenticate {

(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password

(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password

(7) mschap: Creating challenge hash with username: [hidden email]

(7) mschap: Client is using MS-CHAPv2

(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication

(7) mschap: ERROR: MS-CHAP2-Response is incorrect

(7)     [mschap] = reject

(7)   } # authenticate = reject

(7) eap: Sending EAP Failure (code 4) ID 28 length 4

(7) eap: Freeing handler

(7)       [eap] = reject

(7)     } # authenticate = reject

(7)   Failed to authenticate the user

(7)   Using Post-Auth-Type Reject

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     Post-Auth-Type REJECT {

(7) attr_filter.access_reject: EXPAND %{User-Name}

(7) attr_filter.access_reject:    --> [hidden email]

(7) attr_filter.access_reject: Matched entry DEFAULT at line 11

(7)       [attr_filter.access_reject] = updated

(7)       update outer.session-state {

(7)         &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: FAILED: No NT/LM-Password.  Cannot perform authentication'

(7)       } # update outer.session-state = noop

(7)     } # Post-Auth-Type REJECT = updated

(7) } # server inner-tunnel

(7) Virtual server sending reply

(7)   MS-CHAP-Error = "\034E=691 R=1 C=5a4bb43eb35ed2e205c477227990bfba V=3
M=Authentication rejected"

(7)   EAP-Message = 0x041c0004

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap: Got tunneled reply code 3

(7) eap_peap:   MS-CHAP-Error = "\034E=691 R=1
C=5a4bb43eb35ed2e205c477227990bfba V=3 M=Authentication rejected"

(7) eap_peap:   EAP-Message = 0x041c0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap: Got tunneled reply RADIUS code 3

(7) eap_peap:   MS-CHAP-Error = "\034E=691 R=1
C=5a4bb43eb35ed2e205c477227990bfba V=3 M=Authentication rejected"

(7) eap_peap:   EAP-Message = 0x041c0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap: Tunneled authentication was rejected

(7) eap_peap: FAILURE

(7) eap: Sending EAP Request (code 1) ID 29 length 46

(7) eap: EAP session adding &reply:State = 0x6ad69de36dcb84d4

(7)     [eap] = handled

(7)   } # authenticate = handled

(7) Using Post-Auth-Type Challenge

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   Challenge { ... } # empty sub-section is ignored

(7) session-state: Saving cached attributes

(7)   Module-Failure-Message := "mschap: FAILED: No NT/LM-Password.  Cannot
perform authentication"

(7) Sent Access-Challenge Id 240 from 146.83.124.26:1812 to
192.168.128.34:39135 length 0

(7)   EAP-Message =
0x011d002e19001703030023f78c11b0ef5a70f49af45c0e369fe8daf948bf41add8e543ad8adf9db255610e28aa2b

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   State = 0x6ad69de36dcb84d46d2973b34eeb86b0

(7) Finished request

Waking up in 3.2 seconds.

(8) Received Access-Request Id 241 from 192.168.128.34:39135 to
146.83.124.26:1812 length 449

(8)   User-Name = "[hidden email]"

(8)   NAS-IP-Address = 192.168.128.34

(8)   Called-Station-Id = "36-18-0A-7B-A4-6E:Red Radius"

(8)   NAS-Port-Type = Wireless-802.11

(8)   Service-Type = Framed-User

(8)   NAS-Port = 1

(8)   Calling-Station-Id = "E4-6F-13-2C-A4-C3"

(8)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 59 / Channel: 6"

(8)   Acct-Session-Id = "23B63E3CCB9D303A"

(8)   Acct-Multi-Session-Id = "D2CFCA267CC6A1B1"

(8)   WLAN-Pairwise-Cipher = 1027076

(8)   WLAN-Group-Cipher = 1027074

(8)   WLAN-AKM-Suite = 1027073

(8)   WLAN-Group-Mgmt-Cipher = 1027078

(8)   Attr-26.29671.2 =
0x55434e20416e746f66616761737461202d2053574150202d20776972656c657373

(8)   Attr-26.29671.3 = 0x41502d56312d536f706f727465

(8)   Attr-26.29671.4 =
0x20414c554d4e4f5320454455524f414d2046554e43494f4e4152494f5320524144495553205445434e49434f53205649

(8)   Meraki-Device-Name = "AP-V1-Soporte"

(8)   Framed-MTU = 1400

(8)   EAP-Message =
0x021d002e19001703030023000000000000000463bc7cf7f04b6ad6d4ddab033589c578f326342327fc79aca56807

(8)   State = 0x6ad69de36dcb84d46d2973b34eeb86b0

(8)   Message-Authenticator = 0x2336ed602fc775bed0cc3efec5a813e1

(8) Restoring &session-state

(8)   &session-state:Module-Failure-Message := "mschap: FAILED: No
NT/LM-Password.  Cannot perform authentication"

(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(8)   authorize {

(8)     policy filter_username {

(8)       if (&User-Name) {

(8)       if (&User-Name)  -> TRUE

(8)       if (&User-Name)  {

(8)         if (&User-Name =~ / /) {

(8)         if (&User-Name =~ / /)  -> FALSE

(8)         if (&User-Name =~ /@[^@]*@/ ) {

(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)         if (&User-Name =~ /\.\./ ) {

(8)         if (&User-Name =~ /\.\./ )  -> FALSE

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(8)         if (&User-Name =~ /\.$/)  {

(8)         if (&User-Name =~ /\.$/)   -> FALSE

(8)         if (&User-Name =~ /@\./)  {

(8)         if (&User-Name =~ /@\./)   -> FALSE

(8)       } # if (&User-Name)  = notfound

(8)     } # policy filter_username = notfound

(8)     [preprocess] = ok

(8)     [chap] = noop

(8)     [mschap] = noop

(8)     [digest] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: Looking up realm "ucn.cl" for User-Name = "[hidden email]"

(8) suffix: No such realm "ucn.cl"

(8)     [suffix] = noop

(8) eap: Peer sent EAP Response (code 2) ID 29 length 46

(8) eap: Continuing tunnel setup

(8)     [eap] = ok

(8)   } # authorize = ok

(8) Found Auth-Type = eap

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   authenticate {

(8) eap: Expiring EAP session with state 0x6ad69de36dcb84d4

(8) eap: Finished EAP session with state 0x6ad69de36dcb84d4

(8) eap: Previous EAP request found for state 0x6ad69de36dcb84d4, released
from the list

(8) eap: Peer sent packet with method EAP PEAP (25)

(8) eap: Calling submodule eap_peap to process data

(8) eap_peap: Continuing EAP-TLS

(8) eap_peap: [eaptls verify] = ok

(8) eap_peap: Done initial handshake

(8) eap_peap: [eaptls process] = ok

(8) eap_peap: Session established.  Decoding tunneled attributes

(8) eap_peap: PEAP state send tlv failure

(8) eap_peap: Received EAP-TLV response

(8) eap_peap:   ERROR: The users session was previously rejected: returning
reject (again.)

(8) eap_peap:   This means you need to read the PREVIOUS messages in the
debug output

(8) eap_peap:   to find out the reason why the user was rejected

(8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will
tell you

(8) eap_peap:   what went wrong, and how to fix the problem

(8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module
failed

(8) eap: Sending EAP Failure (code 4) ID 29 length 4

(8) eap: Failed in EAP select

(8)     [eap] = invalid

(8)   } # authenticate = invalid

(8) Failed to authenticate the user

(8) Using Post-Auth-Type Reject

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   Post-Auth-Type REJECT {

(8) attr_filter.access_reject: EXPAND %{User-Name}

(8) attr_filter.access_reject:    --> [hidden email]

(8) attr_filter.access_reject: Matched entry DEFAULT at line 11

(8)     [attr_filter.access_reject] = updated

(8)     [eap] = noop

(8)     policy remove_reply_message_if_eap {

(8)       if (&reply:EAP-Message && &reply:Reply-Message) {

(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(8)       else {

(8)         [noop] = noop

(8)       } # else = noop

(8)     } # policy remove_reply_message_if_eap = noop

(8)   } # Post-Auth-Type REJECT = updated

(8) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(8) Sending delayed response

(8) Sent Access-Reject Id 241 from 146.83.124.26:1812 to
192.168.128.34:39135 length 44

(8)   EAP-Message = 0x041d0004

(8)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 2.1 seconds.

(0) Cleaning up request packet ID 233 with timestamp +20

(1) Cleaning up request packet ID 234 with timestamp +20

(2) Cleaning up request packet ID 235 with timestamp +20

(3) Cleaning up request packet ID 236 with timestamp +20

Waking up in 1.7 seconds.

(4) Cleaning up request packet ID 237 with timestamp +22

(5) Cleaning up request packet ID 238 with timestamp +22

(6) Cleaning up request packet ID 239 with timestamp +22

(7) Cleaning up request packet ID 240 with timestamp +22

(8) Cleaning up request packet ID 241 with timestamp +22



On Fri, Sep 25, 2020 at 9:13, Alan DeKok (<[hidden email]>)
wrote:

>
>
> > On Sep 24, 2020, at 9:26 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <
> [hidden email]> wrote:
> >
> >>  If you have a Perl script which does pop3 authentication, it should be
> > > straightforward to run it in FreeRADIUS.
> > Sorry, I don't know what you meant by that.
>
>   It's a Perl script... if you can run it from the command line, you can
> tell FreeRADIUS to load the same script.  Maybe with some modifications,
> but that's it.
>
>   There's no magic here.
>
> >> But the Perl script rejected the user.
> >
> > Ok so I was testing some things in a virtual machine and realized
> > something. I did the exact same configuration that in the server and
> > radtest locally was successful in the VM but not in the server. And that's
> > when I noticed that whenever I used radtest [gmail acc] [password]
> > localhost 0 testing123 the output I received had the localhost IP address
> > as NAS-IP-Address and this was successful without adding the user to the
> > users file. However when running the same command in the server the
> > NAS-IP-Address was the IP of the server and not localhost (the same happens
> > with user bob) and gets rejected,
>
>   So... something *else* in the configuration is broken.  You added local
> rules which set the password for the user, but only if the packet includes
> the correct NAS-IP-Address.
>
>   i.e. you edited the server configuration so that packets using one
> NAS-IP-Address work, and packets using another NAS-IP-Address fail.
>
>   We don't know the IP of your RADIUS server.  So we didn't create that
> configuration.  The default configuration doesn't contain these rules.
>
>   So... what did you change, and why?  It's your configuration.  You
> should know that.
>
> > but it's successful if you add the mail
> > and password in the users file.
>
>   That is sort of how the RADIUS server works... if you add a username &&
> password, that user gets authenticated with that password.
>
> > Basically, in VM: $radtest [hidden email] password localhost 0 testing123
>
>   And all of that is useless.  I have NO idea why people are so insistent
> on looking at *client* output when they're trying to debug the *server*.
>
>   ALL of the documentation says to run the server in debugging mode.  Then
> READ It.  If you're not clear on what it means, POST IT to the list.  ALL
> OF IT.
>
>   You're working hard to do everything EXCEPT what the documentation says to
> do.  Why?
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: Perl script error when testing locally

Alan DeKok-2
On Sep 26, 2020, at 8:11 PM, HORMAZABAL PIÑONES BARBARA FRANCISCA <[hidden email]> wrote:
>
> Hey Alan, sorry for the trouble. I want to debug the script like you told me
> in your first response so I looked into the documentation
> https://wiki.freeradius.org/modules/Rlm_perl
>
> However it seems that my freeradius is not built because I can't find any
> rlm_perl file. My version of freeradius is "FreeRADIUS Version 3.0.16, for
> host x86_64-pc-linux-gnu, built on Apr 17 2019" can you guide me into
> setting the debug for the script?

  The Perl script can print debug information to standard output.  Or to files.  It's just a Perl script.  There's nothing magical about it.

  As for the rlm_perl plugin, see your OS distribution for the correct package.  Or, use the packages at http://packages.networkradius.com

> Another question: In the tutorial there is no need to create any users in
> the users file, however I've seen people setting Auth-Type there, I have
> only modified the perl, default, and inner-tunnel files. Is it necessary to
> use Auth-Type in the users file if the authentication info is in the
> default and inner-tunnel files?

  No.

> This is the debug I get when adding "DEFAULT Auth-type := perl" into the
> users file
...
> (1) eap: Peer sent packet with method EAP PEAP (25)

  You can't do authentication against gmail with PEAP.  It's impossible.
> ...
> (6) files: users: Matched entry DEFAULT at line 6
> (6)       [files] = ok
> (6)       [expiration] = noop
> (6)       [logintime] = noop
> (6)       [pap] = noop
> (6)     } # authorize = updated
> (6)   Found Auth-Type = Perl
> (6)   Auth-Type sub-section not found.  Ignoring.

  That's pretty clear.  You set "Auth-Type = Perl", but you didn't configure "perl" in the "authenticate" section.

  I'm not sure what you expected it to do there.

  Alan DeKok.
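
The debug output in this thread tells the reader to look at the earlier "reject" or "fail" lines, and the reply above points at two of them. As an added example (not part of the original thread and not FreeRADIUS code), this Python sketch rejoins the mail-wrapped log lines and reports the first real failure per run; the function names, tags and hint texts are assumptions made for illustration.

```python
import re

# Constructed samples: lines copied from the two debug runs posted in this
# thread, keeping the hard line wraps added by the mail client.
RUN_PEAP = """\
(7) eap_peap: EAP method MSCHAPv2 (26)
(7) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(7) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(7)     [mschap] = reject
(7) eap_peap: Tunneled authentication was rejected
Waking up in 3.2 seconds.
(8) eap_peap:   ERROR: The users session was previously rejected: returning
reject (again.)
(8) Sent Access-Reject Id 241 from 146.83.124.26:1812 to
192.168.128.34:39135 length 44
"""
RUN_AUTHTYPE = """\
(6)   Found Auth-Type = Perl
(6)   Auth-Type sub-section not found.  Ignoring.
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")
# (log signature, tag, hint). Hints restate what the log and the reply say.
KNOWN = [
    ("No NT/LM-Password", "mschap",
     "MS-CHAPv2 needs a Cleartext-Password or NT-Password on the server"),
    ("Auth-Type sub-section not found", "auth-type",
     "Auth-Type is set but has no matching entry in 'authenticate'"),
    ("previously rejected", "follow-on",
     "repeat of an earlier reject; read the previous request"),
]

def unwrap(text):
    """Return [(request_id, message)], rejoining hard-wrapped continuations."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the archive double-spaces the log
        m = REQ.match(line)
        if m:
            out.append([int(m.group(1)), m.group(2)])
        elif line.startswith(("Waking up", "Ready to process")):
            continue  # scheduler noise, belongs to no request
        elif out:
            out[-1][1] += " " + line  # continuation of the previous line
    return [(rid, msg) for rid, msg in out]

def diagnose(text):
    """Return [(request_id, tag, hint)] for known signatures, in log order."""
    findings, seen = [], set()
    for rid, msg in unwrap(text):
        for needle, tag, hint in KNOWN:
            if needle in msg and (rid, tag) not in seen:
                seen.add((rid, tag))
                findings.append((rid, tag, hint))
    return findings

def root_cause(text):
    """First finding that is not a follow-on reject, or None."""
    for finding in diagnose(text):
        if finding[1] != "follow-on":
            return finding
    return None
```

On the PEAP run the reject in request 8 is classified as a follow-on, so the reported cause is the missing NT/LM-Password in request 7.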

