Re: Anomaly in TLS Session Resumption


Re: Anomaly in TLS Session Resumption

Users mailing list
I should have specified that we are using FreeRADIUS Version 3.0.20

Doug

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Anomaly in TLS Session Resumption

Alan DeKok-2


> On Feb 19, 2021, at 10:08 AM, Doug Wussler via Freeradius-Users <[hidden email]> wrote:
>
> I should have specified that we are using FreeRADIUS Version 3.0.20

  Your message was discarded because it was >1M of HTML stuff.  And the wrong form of debug output.

  http://wiki.freeradius.org/list-help

  Alan DeKok.



Anomaly in TLS Session Resumption

Users mailing list
We are using FreeRADIUS Version 3.0.20.

I have an anomaly in TLS Session Resumption using a Windows 10 laptop.  I have not been able to reproduce this using other clients.  While this appears to be bad behavior by Windows, I'm also asking if this unexpected supplicant behavior might reveal some undesirable behavior on the part of freeradius.

I deleted all TLS session cache records and restarted the server.  In packet (2) you see the supplicant request a cached session, which is not found, so a full authentication takes place in packets (1) through (10).

I then "forget" the network on the client, which I would expect would also delete any record of a previous TLS session, and then I reauthenticate to the network, which requires entering a username/password (but, sadly, does not require me to trust the server's certificate).

At this point I would expect to see a full re-auth but in packet (13) you see the supplicant request a cached session, which is found and restored.  In packet (14) the server declares a successful session resumption on its end and sends an Access-Challenge.  But in packet (15) we then see:

eap_peap: Client rejected our response.  The password is probably incorrect
eap_peap: Client rejected session resumption.  Re-starting full authentication

We then proceed through the inner-tunnel and do the full re-auth but we are still using the resumed session ID along with the attributes cached from that session. In the final packet (19), we see "&request:EAP-Session-Resumed := 1"  

This all came to my attention because I was originally using Cached-Session-Policy with the += operator.  I ended up with duplicate session-state entries for Cached-Session-Policy, and, when that policy happened to change between authentications, one of those Cached-Session-Policy values was wrong.

We can't do anything about the bad Windows behavior, but do you consider it appropriate for freeradius to handle a rejected session resumption this way?

Doug
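
A detection check for the sequence described in the message above, added here as an example and not part of the original post or of FreeRADIUS: it scans debug output for an EAP conversation in which the client rejected session resumption yet a later request is still marked `EAP-Session-Resumed := 1`. It assumes a single-supplicant capture in which each conversation ends at Access-Accept or Access-Reject; the sample log, session IDs and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the messages quoted in the post. Session IDs,
# request numbers and the Access-Accept lines are made up for illustration.
SAMPLE_LOG = """\
(1) eap_peap: Initiating new TLS session
(2) eap_peap: Peer requested cached session: aa11
(2) : eap_peap: No persisted session file /var/log/radius/tlscache/aa11.asn1: No such file or directory
(10) Sent Access-Accept Id 73 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(12) eap_peap: Initiating new TLS session
(13) eap_peap: Peer requested cached session: bb22
(15) eap_peap: Client rejected our response.  The password is probably incorrect
(15) eap_peap: Client rejected session resumption.  Re-starting full authentication
(19)   &request:EAP-Session-Resumed := 1
(19) Sent Access-Accept Id 82 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(20) eap_peap: Initiating new TLS session
(21) eap_peap: Peer requested cached session: bb22
(23)   &request:EAP-Session-Resumed := 1
(23) Sent Access-Accept Id 86 from a.b.c.e:1812 to w.x.y.z:54989 length 0
"""

# "(N) message" or "(N) : message", as both forms appear in the debug output.
LINE = re.compile(r"^\((\d+)\)\s*:?\s*(.*)$")
CACHED = re.compile(r"Peer requested cached session: ([0-9a-f]+)")


def _new_conversation(first_request):
    return {
        "first_request": first_request,
        "session_id": None,              # session ID the peer asked to resume
        "cache_miss": False,             # server had no persisted session
        "resumption_rejected_in": None,  # request where the client backed out
        "marked_resumed_in": None,       # request carrying EAP-Session-Resumed := 1
        "result": None,                  # Access-Accept / Access-Reject
    }


def parse_conversations(log_text):
    """Split a single-supplicant debug log into EAP conversations.

    Assumption: requests are not interleaved with other clients, so a
    conversation is everything up to the next Access-Accept/Access-Reject.
    """
    conversations, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        num, msg = int(m.group(1)), m.group(2)
        if cur is None:
            cur = _new_conversation(num)
        cached = CACHED.search(msg)
        if cached:
            cur["session_id"] = cached.group(1)
        elif "No persisted session file" in msg:
            cur["cache_miss"] = True
        elif "Client rejected session resumption" in msg:
            cur["resumption_rejected_in"] = num
        elif "EAP-Session-Resumed := 1" in msg:
            cur["marked_resumed_in"] = num
        elif msg.startswith(("Sent Access-Accept", "Sent Access-Reject")):
            cur["result"] = msg.split()[1]
            conversations.append(cur)
            cur = None
    if cur is not None:  # capture ended mid-conversation
        conversations.append(cur)
    return conversations


def find_stale_resumptions(conversations):
    """Conversations that fell back to full authentication after the client
    rejected resumption, but were still marked as resumed afterwards."""
    return [
        c for c in conversations
        if c["resumption_rejected_in"] is not None
        and c["marked_resumed_in"] is not None
        and c["marked_resumed_in"] >= c["resumption_rejected_in"]
    ]


if __name__ == "__main__":
    for c in find_stale_resumptions(parse_conversations(SAMPLE_LOG)):
        print(
            f"requests ({c['first_request']})..: session {c['session_id']} "
            f"rejected by client in ({c['resumption_rejected_in']}) but "
            f"marked resumed in ({c['marked_resumed_in']}), "
            f"result {c['result']}"
        )
```

Any policy that trusts cached attributes when `EAP-Session-Resumed` is set will see them in the flagged conversations even though a full authentication just ran.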

(1) Received Access-Request Id 64 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(1)   User-Name = "myUsername"
(1)   NAS-IP-Address = a.b.c.d
(1)   NAS-Port = 0
(1)   NAS-Identifier = "w.x.y.z"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Calling-Station-Id = "Calling-MAC"
(1)   Called-Station-Id = "Called-MAC"
(1)   Service-Type = Framed-User
(1)   Framed-MTU = 1100
(1)   EAP-Message = 0x0201000d016d616e74686f6e79
(1)   Aruba-Essid-Name = "FSUCoreX"
(1)   Aruba-Location-Id = "303H-mark"
(1)   Aruba-AP-Group = "RAP-VoIP"
(1)   Aruba-Device-Type = "Win 10"
(1)   Message-Authenticator = 0x68c94109b228a1962fd060c64c8863cb
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1)   authorize {
(1) fsu-bad-passwords: EXPAND %{User-Name}
(1) fsu-bad-passwords:    --> myUsername
(1)     [fsu-bad-passwords] = noop
(1)     if (ok) {
(1)     if (ok)  -> FALSE
(1)     policy rewrite_calling_station_id {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(1)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(1)         update request {
(1)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(1)              --> Calling-MAC
(1)         } # update request = noop
(1)         [updated] = updated
(1)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(1)       ... skipping else: Preceding "if" was taken
(1)     } # policy rewrite_calling_station_id = updated
(1) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(1) fsu-bad-macs:    --> Calling-MAC
(1)     [fsu-bad-macs] = noop
(1)     if (ok) {
(1)     if (ok)  -> FALSE
(1)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(1)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(1)     if (&User-Name =~ /^host\//) {
(1)     if (&User-Name =~ /^host\//)  -> FALSE
(1)     if ( &User-Name =~ /\s/ ) {
(1)     if ( &User-Name =~ /\s/ )  -> FALSE
(1)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(1)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(1)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(1)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(1)     if ( &User-Name =~ /@my\.fsu$/i ) {
(1)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(1) ntdomain: Checking for prefix before "\"
(1) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(1)     [ntdomain] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(1) suffix: Found realm "NULL"
(1) suffix: Adding Stripped-User-Name = "myUsername"
(1) suffix: Adding Realm = "NULL"
(1) suffix: Authentication realm is LOCAL
(1)     [suffix] = ok
(1)     update request {
(1)     } # update request = noop
(1) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(1) fsu-rsa-macs:    --> Calling-MAC
(1)     [fsu-rsa-macs] = noop
(1)     if (ok) {
(1)     if (ok)  -> FALSE
(1)     else {
(1) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(1) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(1)       [fsu-rsa-atwpa-aruba] = noop
(1)       if (ok) {
(1)       if (ok)  -> FALSE
(1)       else {
(1) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(1) fsu-rsa-atwpa-cisco:    -->
(1)         [fsu-rsa-atwpa-cisco] = noop
(1)         if (ok) {
(1)         if (ok)  -> FALSE
(1)       } # else = noop
(1)     } # else = noop
(1)     if (&request:Hint == "RSA") {
(1)     if (&request:Hint == "RSA")  -> FALSE
(1)     else {
(1) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(1) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1)       [fsu-eap] = ok
(1)     } # else = ok
(1)   } # authorize = ok
(1) Found Auth-Type = fsu-eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1)   Auth-Type fsu-eap {
(1) fsu-eap: Peer sent packet with method EAP Identity (1)
(1) fsu-eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(1) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbad1e41c
(1)     [fsu-eap] = handled
(1)   } # Auth-Type fsu-eap = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 64 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(1)   EAP-Message = 0x010200061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(1) Finished request
(2) Received Access-Request Id 65 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(2)   User-Name = "myUsername"
(2)   NAS-IP-Address = a.b.c.d
(2)   NAS-Port = 0
(2)   NAS-Identifier = "w.x.y.z"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Calling-Station-Id = "Calling-MAC"
(2)   Called-Station-Id = "Called-MAC"
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1100
(2)   EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed1269d888ec609f78e833194c064fd67012fbf825e56a50a8f228ad5760620478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(2)   State = 0xbad3fd1bbad1e41c1c1cd17260df3cc0
(2)   Aruba-Essid-Name = "FSUCoreX"
(2)   Aruba-Location-Id = "303H-mark"
(2)   Aruba-AP-Group = "RAP-VoIP"
(2)   Aruba-Device-Type = "Win 10"
(2)   Message-Authenticator = 0x018d8b6ea89b296c73c9cdd13c86ffdc
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2)   authorize {
(2) fsu-bad-passwords: EXPAND %{User-Name}
(2) fsu-bad-passwords:    --> myUsername
(2)     [fsu-bad-passwords] = noop
(2)     if (ok) {
(2)     if (ok)  -> FALSE
(2)     policy rewrite_calling_station_id {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(2)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(2)         update request {
(2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2)              --> Calling-MAC
(2)         } # update request = noop
(2)         [updated] = updated
(2)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(2)       ... skipping else: Preceding "if" was taken
(2)     } # policy rewrite_calling_station_id = updated
(2) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(2) fsu-bad-macs:    --> Calling-MAC
(2)     [fsu-bad-macs] = noop
(2)     if (ok) {
(2)     if (ok)  -> FALSE
(2)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(2)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(2)     if (&User-Name =~ /^host\//) {
(2)     if (&User-Name =~ /^host\//)  -> FALSE
(2)     if ( &User-Name =~ /\s/ ) {
(2)     if ( &User-Name =~ /\s/ )  -> FALSE
(2)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(2)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(2)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(2)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(2)     if ( &User-Name =~ /@my\.fsu$/i ) {
(2)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(2) ntdomain: Checking for prefix before "\"
(2) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(2)     [ntdomain] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(2) suffix: Found realm "NULL"
(2) suffix: Adding Stripped-User-Name = "myUsername"
(2) suffix: Adding Realm = "NULL"
(2) suffix: Authentication realm is LOCAL
(2)     [suffix] = ok
(2)     update request {
(2)     } # update request = noop
(2) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(2) fsu-rsa-macs:    --> Calling-MAC
(2)     [fsu-rsa-macs] = noop
(2)     if (ok) {
(2)     if (ok)  -> FALSE
(2)     else {
(2) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(2) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(2)       [fsu-rsa-atwpa-aruba] = noop
(2)       if (ok) {
(2)       if (ok)  -> FALSE
(2)       else {
(2) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(2) fsu-rsa-atwpa-cisco:    -->
(2)         [fsu-rsa-atwpa-cisco] = noop
(2)         if (ok) {
(2)         if (ok)  -> FALSE
(2)       } # else = noop
(2)     } # else = noop
(2)     if (&request:Hint == "RSA") {
(2)     if (&request:Hint == "RSA")  -> FALSE
(2)     else {
(2) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(2) fsu-eap: Continuing tunnel setup
(2)       [fsu-eap] = ok
(2)     } # else = ok
(2)   } # authorize = ok
(2) Found Auth-Type = fsu-eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2)   Auth-Type fsu-eap {
(2) fsu-eap: Expiring EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Finished EAP session with state 0xbad3fd1bbad1e41c
(2) fsu-eap: Previous EAP request found for state 0xbad3fd1bbad1e41c, released from the list
(2) fsu-eap: Peer sent packet with method EAP PEAP (25)
(2) fsu-eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(2) eap_peap: Got complete TLS record (194 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: Peer requested cached session: 478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb
(2) : eap_peap: No persisted session file /var/log/radius/tlscache/478d25582f53a1dd580e9752f084466abf68961ab46bd12bc4085e1601e959cb.asn1: No such file or directory
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 2767 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) fsu-eap: Sending EAP Request (code 1) ID 3 length 1024
(2) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbbd0e41c
(2)     [fsu-eap] = handled
(2)   } # Auth-Type fsu-eap = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 65 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(2)   EAP-Message = 0x0103040019c000000acf160303005d020000590303931ef82c320593388fd052f008b384446eb7d423cfa3d8be2f14ff3355cca4b620422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000011ff01000100000b0004030001020017000016030309c50b0009c10009be00060630820602308205a7a003020102021026a74309e2eaafaf31ae5776e74c05d3300a06082a8648ce3d040302308195310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313d303b060355040313345365637469676f20454343204f7267616e697a6174696f6e2056616c69646174696f6e2053656375726520536572766572204341301e170d3230303830333030303030305a170d3232303830333233353935395a30820103310b3009060355040613025553310e300c06035504
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(2) Finished request
(3) Received Access-Request Id 66 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(3)   User-Name = "myUsername"
(3)   NAS-IP-Address = a.b.c.d
(3)   NAS-Port = 0
(3)   NAS-Identifier = "w.x.y.z"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Calling-Station-Id = "Calling-MAC"
(3)   Called-Station-Id = "Called-MAC"
(3)   Service-Type = Framed-User
(3)   Framed-MTU = 1100
(3)   EAP-Message = 0x020300061900
(3)   State = 0xbad3fd1bbbd0e41c1c1cd17260df3cc0
(3)   Aruba-Essid-Name = "FSUCoreX"
(3)   Aruba-Location-Id = "303H-mark"
(3)   Aruba-AP-Group = "RAP-VoIP"
(3)   Aruba-Device-Type = "Win 10"
(3)   Message-Authenticator = 0x989102d3ae927fa2abce294f1cc7210d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3)   authorize {
(3) fsu-bad-passwords: EXPAND %{User-Name}
(3) fsu-bad-passwords:    --> myUsername
(3)     [fsu-bad-passwords] = noop
(3)     if (ok) {
(3)     if (ok)  -> FALSE
(3)     policy rewrite_calling_station_id {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(3)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(3)         update request {
(3)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(3)              --> Calling-MAC
(3)         } # update request = noop
(3)         [updated] = updated
(3)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(3)       ... skipping else: Preceding "if" was taken
(3)     } # policy rewrite_calling_station_id = updated
(3) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(3) fsu-bad-macs:    --> Calling-MAC
(3)     [fsu-bad-macs] = noop
(3)     if (ok) {
(3)     if (ok)  -> FALSE
(3)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(3)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(3)     if (&User-Name =~ /^host\//) {
(3)     if (&User-Name =~ /^host\//)  -> FALSE
(3)     if ( &User-Name =~ /\s/ ) {
(3)     if ( &User-Name =~ /\s/ )  -> FALSE
(3)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(3)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(3)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(3)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(3)     if ( &User-Name =~ /@my\.fsu$/i ) {
(3)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(3) ntdomain: Checking for prefix before "\"
(3) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(3)     [ntdomain] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(3) suffix: Found realm "NULL"
(3) suffix: Adding Stripped-User-Name = "myUsername"
(3) suffix: Adding Realm = "NULL"
(3) suffix: Authentication realm is LOCAL
(3)     [suffix] = ok
(3)     update request {
(3)     } # update request = noop
(3) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(3) fsu-rsa-macs:    --> Calling-MAC
(3)     [fsu-rsa-macs] = noop
(3)     if (ok) {
(3)     if (ok)  -> FALSE
(3)     else {
(3) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(3) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(3)       [fsu-rsa-atwpa-aruba] = noop
(3)       if (ok) {
(3)       if (ok)  -> FALSE
(3)       else {
(3) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(3) fsu-rsa-atwpa-cisco:    -->
(3)         [fsu-rsa-atwpa-cisco] = noop
(3)         if (ok) {
(3)         if (ok)  -> FALSE
(3)       } # else = noop
(3)     } # else = noop
(3)     if (&request:Hint == "RSA") {
(3)     if (&request:Hint == "RSA")  -> FALSE
(3)     else {
(3) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) fsu-eap: Continuing tunnel setup
(3)       [fsu-eap] = ok
(3)     } # else = ok
(3)   } # authorize = ok
(3) Found Auth-Type = fsu-eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3)   Auth-Type fsu-eap {
(3) fsu-eap: Expiring EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Finished EAP session with state 0xbad3fd1bbbd0e41c
(3) fsu-eap: Previous EAP request found for state 0xbad3fd1bbbd0e41c, released from the list
(3) fsu-eap: Peer sent packet with method EAP PEAP (25)
(3) fsu-eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) fsu-eap: Sending EAP Request (code 1) ID 4 length 1020
(3) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb8d7e41c
(3)     [fsu-eap] = handled
(3)   } # Auth-Type fsu-eap = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 66 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(3)   EAP-Message = 0x010403fc194006082b060105050730028649687474703a2f2f6372742e7365637469676f2e636f6d2f5365637469676f4543434f7267616e697a6174696f6e56616c69646174696f6e53656375726553657276657243412e637274302306082b060105050730018617687474703a2f2f6f6373702e7365637469676f2e636f6d3082017e060a2b06010401d6790204020482016e0482016a016800760046a555eb75fa912030b5a28969f4f37d112c4174befd49b885abf2fc70fe6d4700000173b4480f2d00000403004730450220289e527367d0857731154954f296721f9f37ef06d36eda0b0710dab4c3ca2fd2022100e212a014409ae8c4ba4f407a7070e714b2e7659f80a65af2a53ef9f39e06ccad007500dfa55eab68824f1f6cadeeb85f4e3e5aeacda212a46a5e8e3b12c020445c2a7300000173b4480f5e000004030046304402201c27dade36cab76fc20bd7888116d1c28e29360f798cc1141dc8562e857b509a02207b5c44654ee0a9c94e1390763ca3
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(3) Finished request
(4) Received Access-Request Id 67 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(4)   User-Name = "myUsername"
(4)   NAS-IP-Address = a.b.c.d
(4)   NAS-Port = 0
(4)   NAS-Identifier = "w.x.y.z"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Calling-Station-Id = "Calling-MAC"
(4)   Called-Station-Id = "Called-MAC"
(4)   Service-Type = Framed-User
(4)   Framed-MTU = 1100
(4)   EAP-Message = 0x020400061900
(4)   State = 0xbad3fd1bb8d7e41c1c1cd17260df3cc0
(4)   Aruba-Essid-Name = "FSUCoreX"
(4)   Aruba-Location-Id = "303H-mark"
(4)   Aruba-AP-Group = "RAP-VoIP"
(4)   Aruba-Device-Type = "Win 10"
(4)   Message-Authenticator = 0x3698f3bc788ccfe70c7c1b09e167ff81
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4)   authorize {
(4) fsu-bad-passwords: EXPAND %{User-Name}
(4) fsu-bad-passwords:    --> myUsername
(4)     [fsu-bad-passwords] = noop
(4)     if (ok) {
(4)     if (ok)  -> FALSE
(4)     policy rewrite_calling_station_id {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(4)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(4)         update request {
(4)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(4)              --> Calling-MAC
(4)         } # update request = noop
(4)         [updated] = updated
(4)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(4)       ... skipping else: Preceding "if" was taken
(4)     } # policy rewrite_calling_station_id = updated
(4) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(4) fsu-bad-macs:    --> Calling-MAC
(4)     [fsu-bad-macs] = noop
(4)     if (ok) {
(4)     if (ok)  -> FALSE
(4)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(4)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(4)     if (&User-Name =~ /^host\//) {
(4)     if (&User-Name =~ /^host\//)  -> FALSE
(4)     if ( &User-Name =~ /\s/ ) {
(4)     if ( &User-Name =~ /\s/ )  -> FALSE
(4)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(4)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(4)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(4)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(4)     if ( &User-Name =~ /@my\.fsu$/i ) {
(4)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(4) ntdomain: Checking for prefix before "\"
(4) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(4)     [ntdomain] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(4) suffix: Found realm "NULL"
(4) suffix: Adding Stripped-User-Name = "myUsername"
(4) suffix: Adding Realm = "NULL"
(4) suffix: Authentication realm is LOCAL
(4)     [suffix] = ok
(4)     update request {
(4)     } # update request = noop
(4) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(4) fsu-rsa-macs:    --> Calling-MAC
(4)     [fsu-rsa-macs] = noop
(4)     if (ok) {
(4)     if (ok)  -> FALSE
(4)     else {
(4) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(4) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(4)       [fsu-rsa-atwpa-aruba] = noop
(4)       if (ok) {
(4)       if (ok)  -> FALSE
(4)       else {
(4) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(4) fsu-rsa-atwpa-cisco:    -->
(4)         [fsu-rsa-atwpa-cisco] = noop
(4)         if (ok) {
(4)         if (ok)  -> FALSE
(4)       } # else = noop
(4)     } # else = noop
(4)     if (&request:Hint == "RSA") {
(4)     if (&request:Hint == "RSA")  -> FALSE
(4)     else {
(4) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) fsu-eap: Continuing tunnel setup
(4)       [fsu-eap] = ok
(4)     } # else = ok
(4)   } # authorize = ok
(4) Found Auth-Type = fsu-eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4)   Auth-Type fsu-eap {
(4) fsu-eap: Expiring EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Finished EAP session with state 0xbad3fd1bb8d7e41c
(4) fsu-eap: Previous EAP request found for state 0xbad3fd1bb8d7e41c, released from the list
(4) fsu-eap: Peer sent packet with method EAP PEAP (25)
(4) fsu-eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) fsu-eap: Sending EAP Request (code 1) ID 5 length 745
(4) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb9d6e41c
(4)     [fsu-eap] = handled
(4)   } # Auth-Type fsu-eap = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 67 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(4)   EAP-Message = 0x010502e9190006072a8648ce3d020106082a8648ce3d030107034200049c8e5c0a616fa158a3d0d5cefafc44f9ffba061e7b161a721f42d30ab266cdfb0f4972214d27b1afdd873a5cfe687aa8184d2f49efc24b02c5a16719f16d6339a382016e3082016a301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604144d4aefc446b312ad4f4e9ab159e251ab08107808300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b0601050507300286336874
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(4) Finished request
(5) Received Access-Request Id 68 from w.x.y.z:54989 to a.b.c.e:1812 length 342
(5)   User-Name = "myUsername"
(5)   NAS-IP-Address = a.b.c.d
(5)   NAS-Port = 0
(5)   NAS-Identifier = "w.x.y.z"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Calling-Station-Id = "Calling-MAC"
(5)   Called-Station-Id = "Called-MAC"
(5)   Service-Type = Framed-User
(5)   Framed-MTU = 1100
(5)   EAP-Message = 0x0205008819800000007e16030300461000004241044d601518295cc957a589f6af50ba6fdb09db67090661cc9d393bd8adac0306fabec728fd8d3a566e56b18258956648fc03ddd2cba0d449d5c8f707dd63984fbb14030300010116030300280000000000000000e4ed788d8b79fbf52f838b98a845ffe9a50b58bbef917334728f28828c245327
(5)   State = 0xbad3fd1bb9d6e41c1c1cd17260df3cc0
(5)   Aruba-Essid-Name = "FSUCoreX"
(5)   Aruba-Location-Id = "303H-mark"
(5)   Aruba-AP-Group = "RAP-VoIP"
(5)   Aruba-Device-Type = "Win 10"
(5)   Message-Authenticator = 0x249cb5193fd1494a9d8b9912fa5af320
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5)   authorize {
(5) fsu-bad-passwords: EXPAND %{User-Name}
(5) fsu-bad-passwords:    --> myUsername
(5)     [fsu-bad-passwords] = noop
(5)     if (ok) {
(5)     if (ok)  -> FALSE
(5)     policy rewrite_calling_station_id {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(5)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(5)         update request {
(5)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(5)              --> Calling-MAC
(5)         } # update request = noop
(5)         [updated] = updated
(5)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(5)       ... skipping else: Preceding "if" was taken
(5)     } # policy rewrite_calling_station_id = updated
(5) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(5) fsu-bad-macs:    --> Calling-MAC
(5)     [fsu-bad-macs] = noop
(5)     if (ok) {
(5)     if (ok)  -> FALSE
(5)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(5)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(5)     if (&User-Name =~ /^host\//) {
(5)     if (&User-Name =~ /^host\//)  -> FALSE
(5)     if ( &User-Name =~ /\s/ ) {
(5)     if ( &User-Name =~ /\s/ )  -> FALSE
(5)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(5)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(5)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(5)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(5)     if ( &User-Name =~ /@my\.fsu$/i ) {
(5)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(5) ntdomain: Checking for prefix before "\"
(5) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(5)     [ntdomain] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(5) suffix: Found realm "NULL"
(5) suffix: Adding Stripped-User-Name = "myUsername"
(5) suffix: Adding Realm = "NULL"
(5) suffix: Authentication realm is LOCAL
(5)     [suffix] = ok
(5)     update request {
(5)     } # update request = noop
(5) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(5) fsu-rsa-macs:    --> Calling-MAC
(5)     [fsu-rsa-macs] = noop
(5)     if (ok) {
(5)     if (ok)  -> FALSE
(5)     else {
(5) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(5) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(5)       [fsu-rsa-atwpa-aruba] = noop
(5)       if (ok) {
(5)       if (ok)  -> FALSE
(5)       else {
(5) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(5) fsu-rsa-atwpa-cisco:    -->
(5)         [fsu-rsa-atwpa-cisco] = noop
(5)         if (ok) {
(5)         if (ok)  -> FALSE
(5)       } # else = noop
(5)     } # else = noop
(5)     if (&request:Hint == "RSA") {
(5)     if (&request:Hint == "RSA")  -> FALSE
(5)     else {
(5) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 136
(5) fsu-eap: Continuing tunnel setup
(5)       [fsu-eap] = ok
(5)     } # else = ok
(5)   } # authorize = ok
(5) Found Auth-Type = fsu-eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5)   Auth-Type fsu-eap {
(5) fsu-eap: Expiring EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Finished EAP session with state 0xbad3fd1bb9d6e41c
(5) fsu-eap: Previous EAP request found for state 0xbad3fd1bb9d6e41c, released from the list
(5) fsu-eap: Peer sent packet with method EAP PEAP (25)
(5) fsu-eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 126 bytes
(5) eap_peap: Got complete TLS record (126 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: TLS_accept: SSLv3/TLS write server done
(5) eap_peap: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS read finished
(5) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_peap: TLS_accept: SSLv3/TLS write finished
(5) eap_peap: Serialising session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c, and storing in cache
(5) : eap_peap: Wrote session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c to /var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1 (149 bytes)
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: TLS - Connection Established
(5) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5) eap_peap: TLS-Session-Version = "TLS 1.2"
(5) eap_peap: TLS - got 51 bytes of data
(5) eap_peap: [eaptls process] = handled
(5) fsu-eap: Sending EAP Request (code 1) ID 6 length 57
(5) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbed5e41c
(5)     [fsu-eap] = handled
(5)   } # Auth-Type fsu-eap = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(5)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(5)   TLS-Session-Version = "TLS 1.2"
(5) Sent Access-Challenge Id 68 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(5)   EAP-Message = 0x0106003919001403030001011603030028b7cf4af33aedeba1fff80ce3d934b51a5d1673ffd272096bc1c0e67566bd54c3d9e98aa7892a05ca
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(5) Finished request
(6) Received Access-Request Id 69 from w.x.y.z:54989 to a.b.c.e:1812 length 212
(6)   User-Name = "myUsername"
(6)   NAS-IP-Address = a.b.c.d
(6)   NAS-Port = 0
(6)   NAS-Identifier = "w.x.y.z"
(6)   NAS-Port-Type = Wireless-802.11
(6)   Calling-Station-Id = "Calling-MAC"
(6)   Called-Station-Id = "Called-MAC"
(6)   Service-Type = Framed-User
(6)   Framed-MTU = 1100
(6)   EAP-Message = 0x020600061900
(6)   State = 0xbad3fd1bbed5e41c1c1cd17260df3cc0
(6)   Aruba-Essid-Name = "FSUCoreX"
(6)   Aruba-Location-Id = "303H-mark"
(6)   Aruba-AP-Group = "RAP-VoIP"
(6)   Aruba-Device-Type = "Win 10"
(6)   Message-Authenticator = 0xa13a4c03acd0a8a3de7fd344f477f378
(6) Restoring &session-state
(6)   &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6)   &session-state:TLS-Session-Version = "TLS 1.2"
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6)   authorize {
(6) fsu-bad-passwords: EXPAND %{User-Name}
(6) fsu-bad-passwords:    --> myUsername
(6)     [fsu-bad-passwords] = noop
(6)     if (ok) {
(6)     if (ok)  -> FALSE
(6)     policy rewrite_calling_station_id {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(6)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(6)         update request {
(6)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(6)              --> Calling-MAC
(6)         } # update request = noop
(6)         [updated] = updated
(6)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(6)       ... skipping else: Preceding "if" was taken
(6)     } # policy rewrite_calling_station_id = updated
(6) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(6) fsu-bad-macs:    --> Calling-MAC
(6)     [fsu-bad-macs] = noop
(6)     if (ok) {
(6)     if (ok)  -> FALSE
(6)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(6)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(6)     if (&User-Name =~ /^host\//) {
(6)     if (&User-Name =~ /^host\//)  -> FALSE
(6)     if ( &User-Name =~ /\s/ ) {
(6)     if ( &User-Name =~ /\s/ )  -> FALSE
(6)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(6)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(6)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(6)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(6)     if ( &User-Name =~ /@my\.fsu$/i ) {
(6)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(6) ntdomain: Checking for prefix before "\"
(6) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(6)     [ntdomain] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(6) suffix: Found realm "NULL"
(6) suffix: Adding Stripped-User-Name = "myUsername"
(6) suffix: Adding Realm = "NULL"
(6) suffix: Authentication realm is LOCAL
(6)     [suffix] = ok
(6)     update request {
(6)     } # update request = noop
(6) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(6) fsu-rsa-macs:    --> Calling-MAC
(6)     [fsu-rsa-macs] = noop
(6)     if (ok) {
(6)     if (ok)  -> FALSE
(6)     else {
(6) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(6) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(6)       [fsu-rsa-atwpa-aruba] = noop
(6)       if (ok) {
(6)       if (ok)  -> FALSE
(6)       else {
(6) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(6) fsu-rsa-atwpa-cisco:    -->
(6)         [fsu-rsa-atwpa-cisco] = noop
(6)         if (ok) {
(6)         if (ok)  -> FALSE
(6)       } # else = noop
(6)     } # else = noop
(6)     if (&request:Hint == "RSA") {
(6)     if (&request:Hint == "RSA")  -> FALSE
(6)     else {
(6) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 6
(6) fsu-eap: Continuing tunnel setup
(6)       [fsu-eap] = ok
(6)     } # else = ok
(6)   } # authorize = ok
(6) Found Auth-Type = fsu-eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6)   Auth-Type fsu-eap {
(6) fsu-eap: Expiring EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Finished EAP session with state 0xbad3fd1bbed5e41c
(6) fsu-eap: Previous EAP request found for state 0xbad3fd1bbed5e41c, released from the list
(6) fsu-eap: Peer sent packet with method EAP PEAP (25)
(6) fsu-eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) fsu-eap: Sending EAP Request (code 1) ID 7 length 40
(6) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbfd4e41c
(6)     [fsu-eap] = handled
(6)   } # Auth-Type fsu-eap = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(6)   Challenge { ... } # empty sub-section is ignored
(6) session-state: Saving cached attributes
(6)   TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(6)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(6)   TLS-Session-Version = "TLS 1.2"
(6) Sent Access-Challenge Id 69 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(6)   EAP-Message = 0x010700281900170303001db7cf4af33aedeba2b21f528c211bf694c96d96a9f46043f8a3d4b25e39
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(6) Finished request
(7) Received Access-Request Id 70 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(7)   User-Name = "myUsername"
(7)   NAS-IP-Address = a.b.c.d
(7)   NAS-Port = 0
(7)   NAS-Identifier = "w.x.y.z"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Calling-Station-Id = "Calling-MAC"
(7)   Called-Station-Id = "Called-MAC"
(7)   Service-Type = Framed-User
(7)   Framed-MTU = 1100
(7)   EAP-Message = 0x0207002c190017030300210000000000000001c5ef41f3042d7ba531433825f82a73cb4687ce9eb328fa6a3b
(7)   State = 0xbad3fd1bbfd4e41c1c1cd17260df3cc0
(7)   Aruba-Essid-Name = "FSUCoreX"
(7)   Aruba-Location-Id = "303H-mark"
(7)   Aruba-AP-Group = "RAP-VoIP"
(7)   Aruba-Device-Type = "Win 10"
(7)   Message-Authenticator = 0x007cfcc7b4f70a34ef867accfd218ae4
(7) Restoring &session-state
(7)   &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7)   authorize {
(7) fsu-bad-passwords: EXPAND %{User-Name}
(7) fsu-bad-passwords:    --> myUsername
(7)     [fsu-bad-passwords] = noop
(7)     if (ok) {
(7)     if (ok)  -> FALSE
(7)     policy rewrite_calling_station_id {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(7)         update request {
(7)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7)              --> Calling-MAC
(7)         } # update request = noop
(7)         [updated] = updated
(7)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy rewrite_calling_station_id = updated
(7) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(7) fsu-bad-macs:    --> Calling-MAC
(7)     [fsu-bad-macs] = noop
(7)     if (ok) {
(7)     if (ok)  -> FALSE
(7)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(7)     if (&User-Name =~ /^host\//) {
(7)     if (&User-Name =~ /^host\//)  -> FALSE
(7)     if ( &User-Name =~ /\s/ ) {
(7)     if ( &User-Name =~ /\s/ )  -> FALSE
(7)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(7)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(7)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(7)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(7)     if ( &User-Name =~ /@my\.fsu$/i ) {
(7)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(7) ntdomain: Checking for prefix before "\"
(7) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(7)     [ntdomain] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7)     [suffix] = ok
(7)     update request {
(7)     } # update request = noop
(7) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(7) fsu-rsa-macs:    --> Calling-MAC
(7)     [fsu-rsa-macs] = noop
(7)     if (ok) {
(7)     if (ok)  -> FALSE
(7)     else {
(7) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(7) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(7)       [fsu-rsa-atwpa-aruba] = noop
(7)       if (ok) {
(7)       if (ok)  -> FALSE
(7)       else {
(7) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(7) fsu-rsa-atwpa-cisco:    -->
(7)         [fsu-rsa-atwpa-cisco] = noop
(7)         if (ok) {
(7)         if (ok)  -> FALSE
(7)       } # else = noop
(7)     } # else = noop
(7)     if (&request:Hint == "RSA") {
(7)     if (&request:Hint == "RSA")  -> FALSE
(7)     else {
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 44
(7) fsu-eap: Continuing tunnel setup
(7)       [fsu-eap] = ok
(7)     } # else = ok
(7)   } # authorize = ok
(7) Found Auth-Type = fsu-eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7)   Auth-Type fsu-eap {
(7) fsu-eap: Expiring EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Finished EAP session with state 0xbad3fd1bbfd4e41c
(7) fsu-eap: Previous EAP request found for state 0xbad3fd1bbfd4e41c, released from the list
(7) fsu-eap: Peer sent packet with method EAP PEAP (25)
(7) fsu-eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - myUsername
(7) eap_peap: Got inner identity 'myUsername'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap: Setting User-Name to myUsername
(7) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(7) eap_peap:   EAP-Message = 0x0207000d016d616e74686f6e79
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "myUsername"
(7) Virtual server fsu-peap-inner-tunnel received request
(7)   EAP-Message = 0x0207000d016d616e74686f6e79
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "myUsername"
(7) : Outer and inner identities are the same.  User privacy is compromised.
(7) server fsu-peap-inner-tunnel {
(7)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7)     authorize {
(7)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(7)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(7)       if ( &User-Name =~ /\s/ ) {
(7)       if ( &User-Name =~ /\s/ )  -> FALSE
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(7) suffix: Found realm "NULL"
(7) suffix: Adding Stripped-User-Name = "myUsername"
(7) suffix: Adding Realm = "NULL"
(7) suffix: Authentication realm is LOCAL
(7)       [suffix] = ok
(7)       update {
(7)         EXPAND %{Client-Shortname}
(7)            --> Cam2
(7)       } # update = noop
(7) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 13
(7) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(7)       [fsu-eap] = ok
(7)     } # authorize = ok
(7)   Found Auth-Type = fsu-eap
(7)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(7)     Auth-Type fsu-eap {
(7) fsu-eap: Peer sent packet with method EAP Identity (1)
(7) fsu-eap: Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2: Issuing Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 42
(7) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bdb68b3a
(7)       [fsu-eap] = handled
(7)     } # Auth-Type fsu-eap = handled
(7) } # server fsu-peap-inner-tunnel
(7) Virtual server sending reply
(7)   EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled reply code 11
(7) eap_peap:   EAP-Message = 0x0108002a1a01080025109baa445450222aec1beb19ba94ed03b56673755f6561705f6d73636861707632
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(7) eap_peap: Got tunneled Access-Challenge
(7) fsu-eap: Sending EAP Request (code 1) ID 8 length 73
(7) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbcdbe41c
(7)     [fsu-eap] = handled
(7)   } # Auth-Type fsu-eap = handled
(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(7)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 70 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(7)   EAP-Message = 0x010800491900170303003eb7cf4af33aedeba3cdd5c7ba70a4cc7d7cfd8a0762d9c26bc5ae93b4658121503793b363b4ed6304e0c4123a93536e70452c368f535ba3bad20de5e823a4
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(7) Finished request
(8) Received Access-Request Id 71 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(8)   User-Name = "myUsername"
(8)   NAS-IP-Address = a.b.c.d
(8)   NAS-Port = 0
(8)   NAS-Identifier = "w.x.y.z"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Calling-Station-Id = "Calling-MAC"
(8)   Called-Station-Id = "Called-MAC"
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1100
(8)   EAP-Message = 0x020800621900170303005700000000000000028e27ce3a53464fde6326d09354698180aa53531ef4ca995a0ac159eb57b93070a23c5c40141bb0731e014889a5ff565ce9acc558fac42bd7c6373f1c2e52351836e75fd99d8944e0338b0d9d637118
(8)   State = 0xbad3fd1bbcdbe41c1c1cd17260df3cc0
(8)   Aruba-Essid-Name = "FSUCoreX"
(8)   Aruba-Location-Id = "303H-mark"
(8)   Aruba-AP-Group = "RAP-VoIP"
(8)   Aruba-Device-Type = "Win 10"
(8)   Message-Authenticator = 0xf6ff0643a9eed31b5cecf30091547c5a
(8) Restoring &session-state
(8)   &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8)   &session-state:TLS-Session-Version = "TLS 1.2"
(8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8)   authorize {
(8) fsu-bad-passwords: EXPAND %{User-Name}
(8) fsu-bad-passwords:    --> myUsername
(8)     [fsu-bad-passwords] = noop
(8)     if (ok) {
(8)     if (ok)  -> FALSE
(8)     policy rewrite_calling_station_id {
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(8)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(8)         update request {
(8)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(8)              --> Calling-MAC
(8)         } # update request = noop
(8)         [updated] = updated
(8)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(8)       ... skipping else: Preceding "if" was taken
(8)     } # policy rewrite_calling_station_id = updated
(8) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(8) fsu-bad-macs:    --> Calling-MAC
(8)     [fsu-bad-macs] = noop
(8)     if (ok) {
(8)     if (ok)  -> FALSE
(8)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(8)     if (&User-Name =~ /^host\//) {
(8)     if (&User-Name =~ /^host\//)  -> FALSE
(8)     if ( &User-Name =~ /\s/ ) {
(8)     if ( &User-Name =~ /\s/ )  -> FALSE
(8)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(8)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(8)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(8)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(8)     if ( &User-Name =~ /@my\.fsu$/i ) {
(8)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(8) ntdomain: Checking for prefix before "\"
(8) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(8)     [ntdomain] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8)     [suffix] = ok
(8)     update request {
(8)     } # update request = noop
(8) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(8) fsu-rsa-macs:    --> Calling-MAC
(8)     [fsu-rsa-macs] = noop
(8)     if (ok) {
(8)     if (ok)  -> FALSE
(8)     else {
(8) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(8) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(8)       [fsu-rsa-atwpa-aruba] = noop
(8)       if (ok) {
(8)       if (ok)  -> FALSE
(8)       else {
(8) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(8) fsu-rsa-atwpa-cisco:    -->
(8)         [fsu-rsa-atwpa-cisco] = noop
(8)         if (ok) {
(8)         if (ok)  -> FALSE
(8)       } # else = noop
(8)     } # else = noop
(8)     if (&request:Hint == "RSA") {
(8)     if (&request:Hint == "RSA")  -> FALSE
(8)     else {
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 98
(8) fsu-eap: Continuing tunnel setup
(8)       [fsu-eap] = ok
(8)     } # else = ok
(8)   } # authorize = ok
(8) Found Auth-Type = fsu-eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8)   Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbad3fd1bbcdbe41c
(8) fsu-eap: Previous EAP request found for state 0xbad3fd1bbcdbe41c, released from the list
(8) fsu-eap: Peer sent packet with method EAP PEAP (25)
(8) fsu-eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap: Setting User-Name to myUsername
(8) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(8) eap_peap:   EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "myUsername"
(8) eap_peap:   State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) Virtual server fsu-peap-inner-tunnel received request
(8)   EAP-Message = 0x020800431a0208003e31833b15c9f3ef2852172280a74b6713570000000000000000744a1ec95ae0b4188d19786bca156b494eaeded4cf6c1848006d616e74686f6e79
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "myUsername"
(8)   State = 0xbdbe91b7bdb68b3a7f0fbe650d998692
(8) : Outer and inner identities are the same.  User privacy is compromised.
(8) server fsu-peap-inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8)     authorize {
(8)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(8)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(8)       if ( &User-Name =~ /\s/ ) {
(8)       if ( &User-Name =~ /\s/ )  -> FALSE
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(8) suffix: Found realm "NULL"
(8) suffix: Adding Stripped-User-Name = "myUsername"
(8) suffix: Adding Realm = "NULL"
(8) suffix: Authentication realm is LOCAL
(8)       [suffix] = ok
(8)       update {
(8)         EXPAND %{Client-Shortname}
(8)            --> Cam2
(8)       } # update = noop
(8) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 67
(8) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [fsu-eap] = updated
(8)       if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(8)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  -> FALSE
(8)       if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(8)       if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i)  -> FALSE
(8)       elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(8)       elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/)  -> FALSE
(8)       elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(8)       elsif ( (&request:Realm) && (&request:Realm == "devices") )  -> FALSE
(8)       else {
(8) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(8) fsu-ldap-people:    --> (&(uid=myUsername)(!(uid=lib-guest*)))
(8) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(8) fsu-ldap-people: Waiting for search result...
(8) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(8) fsu-ldap-people: Processing user attributes
(8)         [fsu-ldap-people] = updated
(8)         if (notfound) {
(8)         if (notfound)  -> FALSE
(8)         if ( &reply:My-Local-fsuEduWINStatus ) {
(8)         if ( &reply:My-Local-fsuEduWINStatus )  -> FALSE
(8) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(8) : fsu-pap: Auth-Type already set.  Not setting to PAP
(8)         [fsu-pap] = noop
(8)         update control {
(8)         } # update control = noop
(8)         if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(8)         if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) )  -> FALSE
(8)         if (&reply:My-Local-fsuEduAppRoles) {
(8)         if (&reply:My-Local-fsuEduAppRoles)  -> TRUE
(8)         if (&reply:My-Local-fsuEduAppRoles)  {
(8)           if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(8)           if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/))  -> FALSE
(8)           update {
(8)           } # update = noop
(8)         } # if (&reply:My-Local-fsuEduAppRoles)  = noop
(8)         if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(8)         if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN))  -> FALSE
(8)         elsif (!&reply:My-Local-VLAN) {
(8)         elsif (!&reply:My-Local-VLAN)  -> FALSE
(8) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(8) fsu-cache-ldap-people-inner-tunnel-attributes:    --> myUsername
(8) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(8) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan1'
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(8) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := "vlan1"
(8) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(8)         [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(8)       } # else = updated
(8)     } # authorize = updated
(8)   Found Auth-Type = fsu-eap
(8)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8)     Auth-Type fsu-eap {
(8) fsu-eap: Expiring EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Finished EAP session with state 0xbdbe91b7bdb68b3a
(8) fsu-eap: Previous EAP request found for state 0xbdbe91b7bdb68b3a, released from the list
(8) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) fsu-eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(8) eap_mschapv2:   Auth-Type MS-CHAP {
(8) fsu-mschap-winbind: Found NT-Password
(8) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(8) fsu-mschap-winbind: Client is using MS-CHAPv2
(8) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(8) eap_mschapv2:     [fsu-mschap-winbind] = ok
(8) eap_mschapv2:   } # Auth-Type MS-CHAP = ok
(8) eap_mschapv2: MSCHAP Success
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 51
(8) fsu-eap: EAP session adding &reply:State = 0xbdbe91b7bcb78b3a
(8)       [fsu-eap] = handled
(8)     } # Auth-Type fsu-eap = handled
(8) } # server fsu-peap-inner-tunnel
(8) Virtual server sending reply
(8)   My-Local-employeeStatus = "Active"
(8)   My-Local-VLAN = "vlan1"
(8)   EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled reply code 11
(8) eap_peap:   My-Local-employeeStatus = "Active"
(8) eap_peap:   My-Local-VLAN = "vlan1"
(8) eap_peap:   EAP-Message = 0x010900331a0308002e533d41393935354644354538374432394630414132383239393242333033343041313045414634313145
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(8) eap_peap: Got tunneled Access-Challenge
(8) fsu-eap: Sending EAP Request (code 1) ID 9 length 82
(8) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bbddae41c
(8)     [fsu-eap] = handled
(8)   } # Auth-Type fsu-eap = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(8)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(8)   TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 71 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(8)   EAP-Message = 0x0109005219001703030047b7cf4af33aedeba476f0ca80606e3598427bd6060b0e2f916bcffa2c3fc9c58dd50f86471e0cf17757762211678028238727728422349caf8dfcce26ca5e11e712af3dfe455357
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(8) Finished request
(9) Received Access-Request Id 72 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(9)   User-Name = "myUsername"
(9)   NAS-IP-Address = a.b.c.d
(9)   NAS-Port = 0
(9)   NAS-Identifier = "w.x.y.z"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "Calling-MAC"
(9)   Called-Station-Id = "Called-MAC"
(9)   Service-Type = Framed-User
(9)   Framed-MTU = 1100
(9)   EAP-Message = 0x020900251900170303001a00000000000000030d1699cbaf6586c78b66fceffb50df5f09e8
(9)   State = 0xbad3fd1bbddae41c1c1cd17260df3cc0
(9)   Aruba-Essid-Name = "FSUCoreX"
(9)   Aruba-Location-Id = "303H-mark"
(9)   Aruba-AP-Group = "RAP-VoIP"
(9)   Aruba-Device-Type = "Win 10"
(9)   Message-Authenticator = 0xdf62b863a702c3f6c3695ae393531b03
(9) Restoring &session-state
(9)   &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9)   &session-state:TLS-Session-Version = "TLS 1.2"
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9)   authorize {
(9) fsu-bad-passwords: EXPAND %{User-Name}
(9) fsu-bad-passwords:    --> myUsername
(9)     [fsu-bad-passwords] = noop
(9)     if (ok) {
(9)     if (ok)  -> FALSE
(9)     policy rewrite_calling_station_id {
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(9)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(9)         update request {
(9)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(9)              --> Calling-MAC
(9)         } # update request = noop
(9)         [updated] = updated
(9)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(9)       ... skipping else: Preceding "if" was taken
(9)     } # policy rewrite_calling_station_id = updated
(9) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(9) fsu-bad-macs:    --> Calling-MAC
(9)     [fsu-bad-macs] = noop
(9)     if (ok) {
(9)     if (ok)  -> FALSE
(9)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(9)     if (&User-Name =~ /^host\//) {
(9)     if (&User-Name =~ /^host\//)  -> FALSE
(9)     if ( &User-Name =~ /\s/ ) {
(9)     if ( &User-Name =~ /\s/ )  -> FALSE
(9)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(9)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(9)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(9)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(9)     if ( &User-Name =~ /@my\.fsu$/i ) {
(9)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(9) ntdomain: Checking for prefix before "\"
(9) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(9)     [ntdomain] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9)     [suffix] = ok
(9)     update request {
(9)     } # update request = noop
(9) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(9) fsu-rsa-macs:    --> Calling-MAC
(9)     [fsu-rsa-macs] = noop
(9)     if (ok) {
(9)     if (ok)  -> FALSE
(9)     else {
(9) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(9) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(9)       [fsu-rsa-atwpa-aruba] = noop
(9)       if (ok) {
(9)       if (ok)  -> FALSE
(9)       else {
(9) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(9) fsu-rsa-atwpa-cisco:    -->
(9)         [fsu-rsa-atwpa-cisco] = noop
(9)         if (ok) {
(9)         if (ok)  -> FALSE
(9)       } # else = noop
(9)     } # else = noop
(9)     if (&request:Hint == "RSA") {
(9)     if (&request:Hint == "RSA")  -> FALSE
(9)     else {
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 37
(9) fsu-eap: Continuing tunnel setup
(9)       [fsu-eap] = ok
(9)     } # else = ok
(9)   } # authorize = ok
(9) Found Auth-Type = fsu-eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9)   Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbad3fd1bbddae41c
(9) fsu-eap: Previous EAP request found for state 0xbad3fd1bbddae41c, released from the list
(9) fsu-eap: Peer sent packet with method EAP PEAP (25)
(9) fsu-eap: Calling submodule eap_peap to process data
(9) eap_peap: Continuing EAP-TLS
(9) eap_peap: [eaptls verify] = ok
(9) eap_peap: Done initial handshake
(9) eap_peap: [eaptls process] = ok
(9) eap_peap: Session established.  Decoding tunneled attributes
(9) eap_peap: PEAP state phase2
(9) eap_peap: EAP method MSCHAPv2 (26)
(9) eap_peap: Got tunneled request
(9) eap_peap:   EAP-Message = 0x020900061a03
(9) eap_peap: Setting User-Name to myUsername
(9) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(9) eap_peap:   EAP-Message = 0x020900061a03
(9) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(9) eap_peap:   User-Name = "myUsername"
(9) eap_peap:   State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) Virtual server fsu-peap-inner-tunnel received request
(9)   EAP-Message = 0x020900061a03
(9)   FreeRADIUS-Proxied-To = 127.0.0.1
(9)   User-Name = "myUsername"
(9)   State = 0xbdbe91b7bcb78b3a7f0fbe650d998692
(9) : Outer and inner identities are the same.  User privacy is compromised.
(9) server fsu-peap-inner-tunnel {
(9)   session-state: No cached attributes
(9)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9)     authorize {
(9)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(9)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(9)       if ( &User-Name =~ /\s/ ) {
(9)       if ( &User-Name =~ /\s/ )  -> FALSE
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(9) suffix: Found realm "NULL"
(9) suffix: Adding Stripped-User-Name = "myUsername"
(9) suffix: Adding Realm = "NULL"
(9) suffix: Authentication realm is LOCAL
(9)       [suffix] = ok
(9)       update {
(9)         EXPAND %{Client-Shortname}
(9)            --> Cam2
(9)       } # update = noop
(9) fsu-eap: Peer sent EAP Response (code 2) ID 9 length 6
(9) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [fsu-eap] = updated
(9)       if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(9)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  -> TRUE
(9)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  {
(9)         policy fsu-peap-cache-policy {
(9)           if ( &User-Name =~ /@devices/ ){
(9)           if ( &User-Name =~ /@devices/ ) -> FALSE
(9)           else {
(9) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(9) fsu-cache-ldap-people-inner-tunnel-attributes:    --> myUsername
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(9) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(9) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := "vlan1"
(9)             [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(9)             if (updated) {
(9)             if (updated)  -> FALSE
(9)             elsif (noop) {
(9)             elsif (noop)  -> FALSE
(9)             elsif (ok) {
(9)             elsif (ok)  -> TRUE
(9)             elsif (ok)  {
(9)               update control {
(9)               } # update control = noop
(9)             } # elsif (ok)  = noop
(9)             ... skipping else: Preceding "if" was taken
(9)           } # else = ok
(9)         } # policy fsu-peap-cache-policy = ok
(9)         return
(9)       } # if ( &EAP-Message =~ /^0x02..00061a..$/ )  = ok
(9)     } # authorize = updated
(9)   Found Auth-Type = fsu-eap
(9)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9)     Auth-Type fsu-eap {
(9) fsu-eap: Expiring EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Finished EAP session with state 0xbdbe91b7bcb78b3a
(9) fsu-eap: Previous EAP request found for state 0xbdbe91b7bcb78b3a, released from the list
(9) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) fsu-eap: Calling submodule eap_mschapv2 to process data
(9) fsu-eap: Sending EAP Success (code 3) ID 9 length 4
(9) fsu-eap: Freeing handler
(9)       [fsu-eap] = ok
(9)     } # Auth-Type fsu-eap = ok
(9)   # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(9)     post-auth {
(9)       update reply {
(9)       } # update reply = noop
(9)       update outer.session-state {
(9)       } # update outer.session-state = noop
(9)     } # post-auth = noop
(9)   EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(9)      -->     vlan1
(9) } # server fsu-peap-inner-tunnel
(9) Virtual server sending reply
(9)   My-Local-VLAN = "vlan1"
(9) eap_peap: Got tunneled reply code 2
(9) eap_peap:   My-Local-VLAN = "vlan1"
(9) eap_peap: Tunneled authentication was successful
(9) eap_peap: SUCCESS
(9) eap_peap: Saving tunneled attributes for later
(9) fsu-eap: Sending EAP Request (code 1) ID 10 length 46
(9) fsu-eap: EAP session adding &reply:State = 0xbad3fd1bb2d9e41c
(9)     [fsu-eap] = handled
(9)   } # Auth-Type fsu-eap = handled
(9) Using Post-Auth-Type Challenge
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(9)   Challenge { ... } # empty sub-section is ignored
(9) session-state: Saving cached attributes
(9)   TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(9)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(9)   TLS-Session-Version = "TLS 1.2"
(9)   My-Local-VLAN := "vlan1"
(9) Sent Access-Challenge Id 72 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(9)   EAP-Message = 0x010a002e19001703030023b7cf4af33aedeba505c51c2e3171961fb71fe7fbd0c5c4e9758095d7bc824aa3c086c1
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(9) Finished request
(10) Received Access-Request Id 73 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(10)   User-Name = "myUsername"
(10)   NAS-IP-Address = a.b.c.d
(10)   NAS-Port = 0
(10)   NAS-Identifier = "w.x.y.z"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Calling-Station-Id = "Calling-MAC"
(10)   Called-Station-Id = "Called-MAC"
(10)   Service-Type = Framed-User
(10)   Framed-MTU = 1100
(10)   EAP-Message = 0x020a002e190017030300230000000000000004de7c7a2af3bccdc1ab6fbe745bd674fade6975f3841b77dd0bc828
(10)   State = 0xbad3fd1bb2d9e41c1c1cd17260df3cc0
(10)   Aruba-Essid-Name = "FSUCoreX"
(10)   Aruba-Location-Id = "303H-mark"
(10)   Aruba-AP-Group = "RAP-VoIP"
(10)   Aruba-Device-Type = "Win 10"
(10)   Message-Authenticator = 0x5e7f2636fe8c9843ebeac76225d66d1b
(10) Restoring &session-state
(10)   &session-state:TLS-Cache-Filename = "/var/log/radius/tlscache/422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c.asn1"
(10)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(10)   &session-state:TLS-Session-Version = "TLS 1.2"
(10)   &session-state:My-Local-VLAN := "vlan1"
(10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10)   authorize {
(10) fsu-bad-passwords: EXPAND %{User-Name}
(10) fsu-bad-passwords:    --> myUsername
(10)     [fsu-bad-passwords] = noop
(10)     if (ok) {
(10)     if (ok)  -> FALSE
(10)     policy rewrite_calling_station_id {
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(10)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(10)         update request {
(10)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(10)              --> Calling-MAC
(10)         } # update request = noop
(10)         [updated] = updated
(10)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(10)       ... skipping else: Preceding "if" was taken
(10)     } # policy rewrite_calling_station_id = updated
(10) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(10) fsu-bad-macs:    --> Calling-MAC
(10)     [fsu-bad-macs] = noop
(10)     if (ok) {
(10)     if (ok)  -> FALSE
(10)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(10)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(10)     if (&User-Name =~ /^host\//) {
(10)     if (&User-Name =~ /^host\//)  -> FALSE
(10)     if ( &User-Name =~ /\s/ ) {
(10)     if ( &User-Name =~ /\s/ )  -> FALSE
(10)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(10)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(10)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(10)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(10)     if ( &User-Name =~ /@my\.fsu$/i ) {
(10)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(10) ntdomain: Checking for prefix before "\"
(10) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(10)     [ntdomain] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(10) suffix: Found realm "NULL"
(10) suffix: Adding Stripped-User-Name = "myUsername"
(10) suffix: Adding Realm = "NULL"
(10) suffix: Authentication realm is LOCAL
(10)     [suffix] = ok
(10)     update request {
(10)     } # update request = noop
(10) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(10) fsu-rsa-macs:    --> Calling-MAC
(10)     [fsu-rsa-macs] = noop
(10)     if (ok) {
(10)     if (ok)  -> FALSE
(10)     else {
(10) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(10) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(10)       [fsu-rsa-atwpa-aruba] = noop
(10)       if (ok) {
(10)       if (ok)  -> FALSE
(10)       else {
(10) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(10) fsu-rsa-atwpa-cisco:    -->
(10)         [fsu-rsa-atwpa-cisco] = noop
(10)         if (ok) {
(10)         if (ok)  -> FALSE
(10)       } # else = noop
(10)     } # else = noop
(10)     if (&request:Hint == "RSA") {
(10)     if (&request:Hint == "RSA")  -> FALSE
(10)     else {
(10) fsu-eap: Peer sent EAP Response (code 2) ID 10 length 46
(10) fsu-eap: Continuing tunnel setup
(10)       [fsu-eap] = ok
(10)     } # else = ok
(10)   } # authorize = ok
(10) Found Auth-Type = fsu-eap
(10) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10)   Auth-Type fsu-eap {
(10) fsu-eap: Expiring EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Finished EAP session with state 0xbad3fd1bb2d9e41c
(10) fsu-eap: Previous EAP request found for state 0xbad3fd1bb2d9e41c, released from the list
(10) fsu-eap: Peer sent packet with method EAP PEAP (25)
(10) fsu-eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: [eaptls verify] = ok
(10) eap_peap: Done initial handshake
(10) eap_peap: [eaptls process] = ok
(10) eap_peap: Session established.  Decoding tunneled attributes
(10) eap_peap: PEAP state send tlv success
(10) eap_peap: Received EAP-TLV response
(10) eap_peap: Success
(10) eap_peap: Using saved attributes from the original Access-Accept
(10) eap_peap:   My-Local-VLAN = "vlan1"
(10) eap_peap:     caching Stripped-User-Name = "myUsername"
(10) eap_peap:     caching My-Local-VLAN = "vlan1"
(10) eap_peap: Saving session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c in the disk cache
(10) fsu-eap: Sending EAP Success (code 3) ID 10 length 4
(10) fsu-eap: Freeing handler
(10)     [fsu-eap] = ok
(10)   } # Auth-Type fsu-eap = ok
(10) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(10)   post-auth {
(10)     update reply {
(10)     } # update reply = noop
(10)     if ( &reply:My-Local-VLAN == "student" ) {
(10)     if ( &reply:My-Local-VLAN == "student" )  -> FALSE
(10)     policy fsu-SSID-and-VLAN-policy {
(10)       update {
(10)       } # update = noop
(10)       if ( &Aruba-Essid-Name ) {
(10)       if ( &Aruba-Essid-Name )  -> TRUE
(10)       if ( &Aruba-Essid-Name )  {
(10)         update {
(10)         } # update = noop
(10)         if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(10)         if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i )  -> FALSE
(10)         if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(10)         if ( &My-Local-Group =~ /^(.+) (.+$)/ )  -> FALSE
(10)       } # if ( &Aruba-Essid-Name )  = noop
(10)       ... skipping elsif: Preceding "if" was taken
(10)       ... skipping elsif: Preceding "if" was taken
(10)       ... skipping else: Preceding "if" was taken
(10)       if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(10)       if (( !&My-Local-Device ) || ( &My-Local-Device == '' ))  -> FALSE
(10)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(10)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  -> TRUE
(10)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  {
(10)         update {
(10)           EXPAND %{1}_%{2}
(10)              --> Win_10
(10)         } # update = noop
(10)       } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  = noop
(10)     } # policy fsu-SSID-and-VLAN-policy = noop
(10)   } # post-auth = noop
(10) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(10)    --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan1
(10) Sent Access-Accept Id 73 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(10)   MS-MPPE-Recv-Key = 0x76c1709fb1a884db3c1dae08502e387b4ee3509699ba64fb2ac819dcd7cb9cf2
(10)   MS-MPPE-Send-Key = 0x69113d50de374c367959ece9c252df752318770766c2fcd944e19608a88cd587
(10)   EAP-Message = 0x030a0004
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   User-Name = "myUsername"
(10)   Aruba-User-Vlan := vlan1
(10) Finished request
(1) Cleaning up request packet ID 64 with timestamp +100
(2) Cleaning up request packet ID 65 with timestamp +100
(3) Cleaning up request packet ID 66 with timestamp +100
(4) Cleaning up request packet ID 67 with timestamp +100
(5) Cleaning up request packet ID 68 with timestamp +100
(6) Cleaning up request packet ID 69 with timestamp +100
(7) Cleaning up request packet ID 70 with timestamp +100
(8) Cleaning up request packet ID 71 with timestamp +101
(9) Cleaning up request packet ID 72 with timestamp +101
(10) Cleaning up request packet ID 73 with timestamp +101
(12) Received Access-Request Id 75 from w.x.y.z:54989 to a.b.c.e:1812 length 201
(12)   User-Name = "myUsername"
(12)   NAS-IP-Address = a.b.c.d
(12)   NAS-Port = 0
(12)   NAS-Identifier = "w.x.y.z"
(12)   NAS-Port-Type = Wireless-802.11
(12)   Calling-Station-Id = "Calling-MAC"
(12)   Called-Station-Id = "Called-MAC"
(12)   Service-Type = Framed-User
(12)   Framed-MTU = 1100
(12)   EAP-Message = 0x0201000d016d616e74686f6e79
(12)   Aruba-Essid-Name = "FSUCoreX"
(12)   Aruba-Location-Id = "303H-mark"
(12)   Aruba-AP-Group = "RAP-VoIP"
(12)   Aruba-Device-Type = "Win 10"
(12)   Message-Authenticator = 0xfba1cd2bb95371c14c3b6dec0b816152
(12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12)   authorize {
(12) fsu-bad-passwords: EXPAND %{User-Name}
(12) fsu-bad-passwords:    --> myUsername
(12)     [fsu-bad-passwords] = noop
(12)     if (ok) {
(12)     if (ok)  -> FALSE
(12)     policy rewrite_calling_station_id {
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(12)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(12)         update request {
(12)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(12)              --> Calling-MAC
(12)         } # update request = noop
(12)         [updated] = updated
(12)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(12)       ... skipping else: Preceding "if" was taken
(12)     } # policy rewrite_calling_station_id = updated
(12) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(12) fsu-bad-macs:    --> Calling-MAC
(12)     [fsu-bad-macs] = noop
(12)     if (ok) {
(12)     if (ok)  -> FALSE
(12)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(12)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(12)     if (&User-Name =~ /^host\//) {
(12)     if (&User-Name =~ /^host\//)  -> FALSE
(12)     if ( &User-Name =~ /\s/ ) {
(12)     if ( &User-Name =~ /\s/ )  -> FALSE
(12)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(12)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(12)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(12)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(12)     if ( &User-Name =~ /@my\.fsu$/i ) {
(12)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(12) ntdomain: Checking for prefix before "\"
(12) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(12)     [ntdomain] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(12) suffix: Found realm "NULL"
(12) suffix: Adding Stripped-User-Name = "myUsername"
(12) suffix: Adding Realm = "NULL"
(12) suffix: Authentication realm is LOCAL
(12)     [suffix] = ok
(12)     update request {
(12)     } # update request = noop
(12) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(12) fsu-rsa-macs:    --> Calling-MAC
(12)     [fsu-rsa-macs] = noop
(12)     if (ok) {
(12)     if (ok)  -> FALSE
(12)     else {
(12) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(12) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(12)       [fsu-rsa-atwpa-aruba] = noop
(12)       if (ok) {
(12)       if (ok)  -> FALSE
(12)       else {
(12) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(12) fsu-rsa-atwpa-cisco:    -->
(12)         [fsu-rsa-atwpa-cisco] = noop
(12)         if (ok) {
(12)         if (ok)  -> FALSE
(12)       } # else = noop
(12)     } # else = noop
(12)     if (&request:Hint == "RSA") {
(12)     if (&request:Hint == "RSA")  -> FALSE
(12)     else {
(12) fsu-eap: Peer sent EAP Response (code 2) ID 1 length 13
(12) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(12)       [fsu-eap] = ok
(12)     } # else = ok
(12)   } # authorize = ok
(12) Found Auth-Type = fsu-eap
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12)   Auth-Type fsu-eap {
(12) fsu-eap: Peer sent packet with method EAP Identity (1)
(12) fsu-eap: Calling submodule eap_peap to process data
(12) eap_peap: Initiating new TLS session
(12) eap_peap: [eaptls start] = request
(12) fsu-eap: Sending EAP Request (code 1) ID 2 length 6
(12) fsu-eap: EAP session adding &reply:State = 0xed876281ed857bf6
(12)     [fsu-eap] = handled
(12)   } # Auth-Type fsu-eap = handled
(12) Using Post-Auth-Type Challenge
(12) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(12)   Challenge { ... } # empty sub-section is ignored
(12) Sent Access-Challenge Id 75 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(12)   EAP-Message = 0x010200061920
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   State = 0xed876281ed857bf64bfe7e94b8bee491
(12) Finished request
(13) Received Access-Request Id 76 from w.x.y.z:54989 to a.b.c.e:1812 length 410
(13)   User-Name = "myUsername"
(13)   NAS-IP-Address = a.b.c.d
(13)   NAS-Port = 0
(13)   NAS-Identifier = "w.x.y.z"
(13)   NAS-Port-Type = Wireless-802.11
(13)   Calling-Station-Id = "Calling-MAC"
(13)   Called-Station-Id = "Called-MAC"
(13)   Service-Type = Framed-User
(13)   Framed-MTU = 1100
(13)   EAP-Message = 0x020200cc1980000000c216030300bd010000b90303602ed14ac1f2d653bd77e58e5213aeb2b1761c505dae0f91b5abafddc637c96f20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(13)   State = 0xed876281ed857bf64bfe7e94b8bee491
(13)   Aruba-Essid-Name = "FSUCoreX"
(13)   Aruba-Location-Id = "303H-mark"
(13)   Aruba-AP-Group = "RAP-VoIP"
(13)   Aruba-Device-Type = "Win 10"
(13)   Message-Authenticator = 0x535aa1354009ea5836ccfd33734fcc8c
(13) session-state: No cached attributes
(13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13)   authorize {
(13) fsu-bad-passwords: EXPAND %{User-Name}
(13) fsu-bad-passwords:    --> myUsername
(13)     [fsu-bad-passwords] = noop
(13)     if (ok) {
(13)     if (ok)  -> FALSE
(13)     policy rewrite_calling_station_id {
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(13)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(13)         update request {
(13)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(13)              --> Calling-MAC
(13)         } # update request = noop
(13)         [updated] = updated
(13)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(13)       ... skipping else: Preceding "if" was taken
(13)     } # policy rewrite_calling_station_id = updated
(13) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(13) fsu-bad-macs:    --> Calling-MAC
(13)     [fsu-bad-macs] = noop
(13)     if (ok) {
(13)     if (ok)  -> FALSE
(13)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(13)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(13)     if (&User-Name =~ /^host\//) {
(13)     if (&User-Name =~ /^host\//)  -> FALSE
(13)     if ( &User-Name =~ /\s/ ) {
(13)     if ( &User-Name =~ /\s/ )  -> FALSE
(13)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(13)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(13)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(13)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(13)     if ( &User-Name =~ /@my\.fsu$/i ) {
(13)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(13) ntdomain: Checking for prefix before "\"
(13) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(13)     [ntdomain] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(13) suffix: Found realm "NULL"
(13) suffix: Adding Stripped-User-Name = "myUsername"
(13) suffix: Adding Realm = "NULL"
(13) suffix: Authentication realm is LOCAL
(13)     [suffix] = ok
(13)     update request {
(13)     } # update request = noop
(13) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(13) fsu-rsa-macs:    --> Calling-MAC
(13)     [fsu-rsa-macs] = noop
(13)     if (ok) {
(13)     if (ok)  -> FALSE
(13)     else {
(13) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(13) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(13)       [fsu-rsa-atwpa-aruba] = noop
(13)       if (ok) {
(13)       if (ok)  -> FALSE
(13)       else {
(13) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(13) fsu-rsa-atwpa-cisco:    -->
(13)         [fsu-rsa-atwpa-cisco] = noop
(13)         if (ok) {
(13)         if (ok)  -> FALSE
(13)       } # else = noop
(13)     } # else = noop
(13)     if (&request:Hint == "RSA") {
(13)     if (&request:Hint == "RSA")  -> FALSE
(13)     else {
(13) fsu-eap: Peer sent EAP Response (code 2) ID 2 length 204
(13) fsu-eap: Continuing tunnel setup
(13)       [fsu-eap] = ok
(13)     } # else = ok
(13)   } # authorize = ok
(13) Found Auth-Type = fsu-eap
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13)   Auth-Type fsu-eap {
(13) fsu-eap: Expiring EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Finished EAP session with state 0xed876281ed857bf6
(13) fsu-eap: Previous EAP request found for state 0xed876281ed857bf6, released from the list
(13) fsu-eap: Peer sent packet with method EAP PEAP (25)
(13) fsu-eap: Calling submodule eap_peap to process data
(13) eap_peap: Continuing EAP-TLS
(13) eap_peap: Peer indicated complete TLS record size will be 194 bytes
(13) eap_peap: Got complete TLS record (194 bytes)
(13) eap_peap: [eaptls verify] = length included
(13) eap_peap: (other): before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: TLS_accept: before SSL initialization
(13) eap_peap: Peer requested cached session: 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap: Successfully restored session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(13) eap_peap:   reply:Stripped-User-Name = "myUsername"
(13) eap_peap:   reply:My-Local-VLAN = "vlan1"
(13) eap_peap: TLS_accept: SSLv3/TLS read client hello
(13) eap_peap: TLS_accept: SSLv3/TLS write server hello
(13) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec
(13) eap_peap: TLS_accept: SSLv3/TLS write finished
(13) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write finished
(13) eap_peap: TLS - In Handshake Phase
(13) eap_peap: TLS - got 141 bytes of data
(13) eap_peap: [eaptls process] = handled
(13) fsu-eap: Sending EAP Request (code 1) ID 3 length 147
(13) fsu-eap: EAP session adding &reply:State = 0xed876281ec847bf6
(13)     [fsu-eap] = handled
(13)   } # Auth-Type fsu-eap = handled
(13) Using Post-Auth-Type Challenge
(13) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(13)   Challenge { ... } # empty sub-section is ignored
(13) Sent Access-Challenge Id 76 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(13)   EAP-Message = 0x0103009319001603030055020000510303535c075d9ba79179c49631cfbe31ff45262678a833b2ae1c34e0949ff5ee853a20422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5cc02b000009ff0100010000170000140303000101160303002889c27588c852f56c61f9f2cf794234739860a9e037ffa2c8089ad130dbba4b5d4877e410b28dcf32
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xed876281ec847bf64bfe7e94b8bee491
(13) Finished request
(14) Received Access-Request Id 77 from w.x.y.z:54989 to a.b.c.e:1812 length 267
(14)   User-Name = "myUsername"
(14)   NAS-IP-Address = a.b.c.d
(14)   NAS-Port = 0
(14)   NAS-Identifier = "w.x.y.z"
(14)   NAS-Port-Type = Wireless-802.11
(14)   Calling-Station-Id = "Calling-MAC"
(14)   Called-Station-Id = "Called-MAC"
(14)   Service-Type = Framed-User
(14)   Framed-MTU = 1100
(14)   EAP-Message = 0x0203003d198000000033140303000101160303002800000000000000008e96422f1c79714e1d0364108107f26591d1473152a392a5e62afcf078383caf
(14)   State = 0xed876281ec847bf64bfe7e94b8bee491
(14)   Aruba-Essid-Name = "FSUCoreX"
(14)   Aruba-Location-Id = "303H-mark"
(14)   Aruba-AP-Group = "RAP-VoIP"
(14)   Aruba-Device-Type = "Win 10"
(14)   Message-Authenticator = 0x8ecf71006fe00b92f9384c908fb856aa
(14) session-state: No cached attributes
(14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14)   authorize {
(14) fsu-bad-passwords: EXPAND %{User-Name}
(14) fsu-bad-passwords:    --> myUsername
(14)     [fsu-bad-passwords] = noop
(14)     if (ok) {
(14)     if (ok)  -> FALSE
(14)     policy rewrite_calling_station_id {
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(14)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(14)         update request {
(14)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(14)              --> Calling-MAC
(14)         } # update request = noop
(14)         [updated] = updated
(14)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(14)       ... skipping else: Preceding "if" was taken
(14)     } # policy rewrite_calling_station_id = updated
(14) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(14) fsu-bad-macs:    --> Calling-MAC
(14)     [fsu-bad-macs] = noop
(14)     if (ok) {
(14)     if (ok)  -> FALSE
(14)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(14)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(14)     if (&User-Name =~ /^host\//) {
(14)     if (&User-Name =~ /^host\//)  -> FALSE
(14)     if ( &User-Name =~ /\s/ ) {
(14)     if ( &User-Name =~ /\s/ )  -> FALSE
(14)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(14)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(14)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(14)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(14)     if ( &User-Name =~ /@my\.fsu$/i ) {
(14)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(14) ntdomain: Checking for prefix before "\"
(14) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(14)     [ntdomain] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(14) suffix: Found realm "NULL"
(14) suffix: Adding Stripped-User-Name = "myUsername"
(14) suffix: Adding Realm = "NULL"
(14) suffix: Authentication realm is LOCAL
(14)     [suffix] = ok
(14)     update request {
(14)     } # update request = noop
(14) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(14) fsu-rsa-macs:    --> Calling-MAC
(14)     [fsu-rsa-macs] = noop
(14)     if (ok) {
(14)     if (ok)  -> FALSE
(14)     else {
(14) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(14) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(14)       [fsu-rsa-atwpa-aruba] = noop
(14)       if (ok) {
(14)       if (ok)  -> FALSE
(14)       else {
(14) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(14) fsu-rsa-atwpa-cisco:    -->
(14)         [fsu-rsa-atwpa-cisco] = noop
(14)         if (ok) {
(14)         if (ok)  -> FALSE
(14)       } # else = noop
(14)     } # else = noop
(14)     if (&request:Hint == "RSA") {
(14)     if (&request:Hint == "RSA")  -> FALSE
(14)     else {
(14) fsu-eap: Peer sent EAP Response (code 2) ID 3 length 61
(14) fsu-eap: Continuing tunnel setup
(14)       [fsu-eap] = ok
(14)     } # else = ok
(14)   } # authorize = ok
(14) Found Auth-Type = fsu-eap
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14)   Auth-Type fsu-eap {
(14) fsu-eap: Expiring EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Finished EAP session with state 0xed876281ec847bf6
(14) fsu-eap: Previous EAP request found for state 0xed876281ec847bf6, released from the list
(14) fsu-eap: Peer sent packet with method EAP PEAP (25)
(14) fsu-eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 51 bytes
(14) eap_peap: Got complete TLS record (51 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: TLS_accept: SSLv3/TLS write finished
(14) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec
(14) eap_peap: TLS_accept: SSLv3/TLS read finished
(14) eap_peap: (other): SSL negotiation finished successfully
(14) eap_peap: TLS - Connection Established
(14) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14) eap_peap: TLS-Session-Version = "TLS 1.2"
(14) eap_peap: TLS - Application data.
(14) eap_peap: Adding cached attributes from session 422008cb2218eec0c9b9213653c1024e54e214c181dd0ef4731faa91f9095c5c
(14) eap_peap:   &reply:Stripped-User-Name = "myUsername"
(14) eap_peap:   &session-state:My-Local-VLAN = "vlan1"
(14) eap_peap: [eaptls process] = success
(14) eap_peap: Session established.  Decoding tunneled attributes
(14) eap_peap: PEAP state TUNNEL ESTABLISHED
(14) eap_peap: Skipping Phase2 because of session resumption
(14) eap_peap: SUCCESS
(14) fsu-eap: Sending EAP Request (code 1) ID 4 length 46
(14) fsu-eap: EAP session adding &reply:State = 0xed876281ef837bf6
(14)     [fsu-eap] = handled
(14)   } # Auth-Type fsu-eap = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(14)   Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(14)   TLS-Session-Version = "TLS 1.2"
(14)   My-Local-VLAN = "vlan1"
(14) Sent Access-Challenge Id 77 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(14)   EAP-Message = 0x0104002e1900170303002389c27588c852f56d03998abf7aa436f822de6761ff8fa87d41936d48062a9435b3d6b6
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0xed876281ef837bf64bfe7e94b8bee491
(14) Finished request
(15) Received Access-Request Id 78 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(15)   User-Name = "myUsername"
(15)   NAS-IP-Address = a.b.c.d
(15)   NAS-Port = 0
(15)   NAS-Identifier = "w.x.y.z"
(15)   NAS-Port-Type = Wireless-802.11
(15)   Calling-Station-Id = "Calling-MAC"
(15)   Called-Station-Id = "Called-MAC"
(15)   Service-Type = Framed-User
(15)   Framed-MTU = 1100
(15)   EAP-Message = 0x0204002e190017030300230000000000000001df1ace71998c697ac31fb2855c4002515ba65690aab44afcc4278e
(15)   State = 0xed876281ef837bf64bfe7e94b8bee491
(15)   Aruba-Essid-Name = "FSUCoreX"
(15)   Aruba-Location-Id = "303H-mark"
(15)   Aruba-AP-Group = "RAP-VoIP"
(15)   Aruba-Device-Type = "Win 10"
(15)   Message-Authenticator = 0x8f6ecf737fe491dfb9ce940b13a95d3d
(15) Restoring &session-state
(15)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15)   &session-state:TLS-Session-Version = "TLS 1.2"
(15)   &session-state:My-Local-VLAN = "vlan1"
(15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15)   authorize {
(15) fsu-bad-passwords: EXPAND %{User-Name}
(15) fsu-bad-passwords:    --> myUsername
(15)     [fsu-bad-passwords] = noop
(15)     if (ok) {
(15)     if (ok)  -> FALSE
(15)     policy rewrite_calling_station_id {
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(15)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(15)         update request {
(15)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(15)              --> Calling-MAC
(15)         } # update request = noop
(15)         [updated] = updated
(15)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(15)       ... skipping else: Preceding "if" was taken
(15)     } # policy rewrite_calling_station_id = updated
(15) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(15) fsu-bad-macs:    --> Calling-MAC
(15)     [fsu-bad-macs] = noop
(15)     if (ok) {
(15)     if (ok)  -> FALSE
(15)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(15)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(15)     if (&User-Name =~ /^host\//) {
(15)     if (&User-Name =~ /^host\//)  -> FALSE
(15)     if ( &User-Name =~ /\s/ ) {
(15)     if ( &User-Name =~ /\s/ )  -> FALSE
(15)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(15)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(15)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(15)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(15)     if ( &User-Name =~ /@my\.fsu$/i ) {
(15)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(15) ntdomain: Checking for prefix before "\"
(15) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(15)     [ntdomain] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(15) suffix: Found realm "NULL"
(15) suffix: Adding Stripped-User-Name = "myUsername"
(15) suffix: Adding Realm = "NULL"
(15) suffix: Authentication realm is LOCAL
(15)     [suffix] = ok
(15)     update request {
(15)     } # update request = noop
(15) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(15) fsu-rsa-macs:    --> Calling-MAC
(15)     [fsu-rsa-macs] = noop
(15)     if (ok) {
(15)     if (ok)  -> FALSE
(15)     else {
(15) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(15) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(15)       [fsu-rsa-atwpa-aruba] = noop
(15)       if (ok) {
(15)       if (ok)  -> FALSE
(15)       else {
(15) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(15) fsu-rsa-atwpa-cisco:    -->
(15)         [fsu-rsa-atwpa-cisco] = noop
(15)         if (ok) {
(15)         if (ok)  -> FALSE
(15)       } # else = noop
(15)     } # else = noop
(15)     if (&request:Hint == "RSA") {
(15)     if (&request:Hint == "RSA")  -> FALSE
(15)     else {
(15) fsu-eap: Peer sent EAP Response (code 2) ID 4 length 46
(15) fsu-eap: Continuing tunnel setup
(15)       [fsu-eap] = ok
(15)     } # else = ok
(15)   } # authorize = ok
(15) Found Auth-Type = fsu-eap
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15)   Auth-Type fsu-eap {
(15) fsu-eap: Expiring EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Finished EAP session with state 0xed876281ef837bf6
(15) fsu-eap: Previous EAP request found for state 0xed876281ef837bf6, released from the list
(15) fsu-eap: Peer sent packet with method EAP PEAP (25)
(15) fsu-eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: [eaptls verify] = ok
(15) eap_peap: Done initial handshake
(15) eap_peap: [eaptls process] = ok
(15) eap_peap: Session established.  Decoding tunneled attributes
(15) eap_peap: PEAP state send tlv success
(15) eap_peap: Received EAP-TLV response
(15) eap_peap: Client rejected our response.  The password is probably incorrect
(15) eap_peap: Client rejected session resumption.  Re-starting full authentication
(15) fsu-eap: Sending EAP Request (code 1) ID 5 length 40
(15) fsu-eap: EAP session adding &reply:State = 0xed876281ee827bf6
(15)     [fsu-eap] = handled
(15)   } # Auth-Type fsu-eap = handled
(15) Using Post-Auth-Type Challenge
(15) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(15)   Challenge { ... } # empty sub-section is ignored
(15) session-state: Saving cached attributes
(15)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(15)   TLS-Session-Version = "TLS 1.2"
(15)   My-Local-VLAN = "vlan1"
(15) Sent Access-Challenge Id 78 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(15)   EAP-Message = 0x010500281900170303001d89c27588c852f56eae73f7eeb5abced29ab24cd1c66e6aee6ff95dde12
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0xed876281ee827bf64bfe7e94b8bee491
(15) Finished request
(16) Received Access-Request Id 79 from w.x.y.z:54989 to a.b.c.e:1812 length 250
(16)   User-Name = "myUsername"
(16)   NAS-IP-Address = a.b.c.d
(16)   NAS-Port = 0
(16)   NAS-Identifier = "w.x.y.z"
(16)   NAS-Port-Type = Wireless-802.11
(16)   Calling-Station-Id = "Calling-MAC"
(16)   Called-Station-Id = "Called-MAC"
(16)   Service-Type = Framed-User
(16)   Framed-MTU = 1100
(16)   EAP-Message = 0x0205002c19001703030021000000000000000282558f8dd6938dc7f2fc9e87fe2dbd243191b612d5c9595c1d
(16)   State = 0xed876281ee827bf64bfe7e94b8bee491
(16)   Aruba-Essid-Name = "FSUCoreX"
(16)   Aruba-Location-Id = "303H-mark"
(16)   Aruba-AP-Group = "RAP-VoIP"
(16)   Aruba-Device-Type = "Win 10"
(16)   Message-Authenticator = 0x0323fd4fec32900b263af0272dba6948
(16) Restoring &session-state
(16)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16)   &session-state:TLS-Session-Version = "TLS 1.2"
(16)   &session-state:My-Local-VLAN = "vlan1"
(16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16)   authorize {
(16) fsu-bad-passwords: EXPAND %{User-Name}
(16) fsu-bad-passwords:    --> myUsername
(16)     [fsu-bad-passwords] = noop
(16)     if (ok) {
(16)     if (ok)  -> FALSE
(16)     policy rewrite_calling_station_id {
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(16)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(16)         update request {
(16)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(16)              --> Calling-MAC
(16)         } # update request = noop
(16)         [updated] = updated
(16)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(16)       ... skipping else: Preceding "if" was taken
(16)     } # policy rewrite_calling_station_id = updated
(16) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(16) fsu-bad-macs:    --> Calling-MAC
(16)     [fsu-bad-macs] = noop
(16)     if (ok) {
(16)     if (ok)  -> FALSE
(16)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(16)     if (&User-Name =~ /^host\//) {
(16)     if (&User-Name =~ /^host\//)  -> FALSE
(16)     if ( &User-Name =~ /\s/ ) {
(16)     if ( &User-Name =~ /\s/ )  -> FALSE
(16)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(16)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(16)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(16)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(16)     if ( &User-Name =~ /@my\.fsu$/i ) {
(16)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(16) ntdomain: Checking for prefix before "\"
(16) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(16)     [ntdomain] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16)     [suffix] = ok
(16)     update request {
(16)     } # update request = noop
(16) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(16) fsu-rsa-macs:    --> Calling-MAC
(16)     [fsu-rsa-macs] = noop
(16)     if (ok) {
(16)     if (ok)  -> FALSE
(16)     else {
(16) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(16) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(16)       [fsu-rsa-atwpa-aruba] = noop
(16)       if (ok) {
(16)       if (ok)  -> FALSE
(16)       else {
(16) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(16) fsu-rsa-atwpa-cisco:    -->
(16)         [fsu-rsa-atwpa-cisco] = noop
(16)         if (ok) {
(16)         if (ok)  -> FALSE
(16)       } # else = noop
(16)     } # else = noop
(16)     if (&request:Hint == "RSA") {
(16)     if (&request:Hint == "RSA")  -> FALSE
(16)     else {
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 44
(16) fsu-eap: Continuing tunnel setup
(16)       [fsu-eap] = ok
(16)     } # else = ok
(16)   } # authorize = ok
(16) Found Auth-Type = fsu-eap
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16)   Auth-Type fsu-eap {
(16) fsu-eap: Expiring EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Finished EAP session with state 0xed876281ee827bf6
(16) fsu-eap: Previous EAP request found for state 0xed876281ee827bf6, released from the list
(16) fsu-eap: Peer sent packet with method EAP PEAP (25)
(16) fsu-eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established.  Decoding tunneled attributes
(16) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(16) eap_peap: Identity - myUsername
(16) eap_peap: Got inner identity 'myUsername'
(16) eap_peap: Setting default EAP type for tunneled EAP session
(16) eap_peap: Got tunneled request
(16) eap_peap:   EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap: Setting User-Name to myUsername
(16) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(16) eap_peap:   EAP-Message = 0x0205000d016d616e74686f6e79
(16) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(16) eap_peap:   User-Name = "myUsername"
(16) Virtual server fsu-peap-inner-tunnel received request
(16)   EAP-Message = 0x0205000d016d616e74686f6e79
(16)   FreeRADIUS-Proxied-To = 127.0.0.1
(16)   User-Name = "myUsername"
(16) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(16) server fsu-peap-inner-tunnel {
(16)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16)     authorize {
(16)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(16)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(16)       if ( &User-Name =~ /\s/ ) {
(16)       if ( &User-Name =~ /\s/ )  -> FALSE
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(16) suffix: Found realm "NULL"
(16) suffix: Adding Stripped-User-Name = "myUsername"
(16) suffix: Adding Realm = "NULL"
(16) suffix: Authentication realm is LOCAL
(16)       [suffix] = ok
(16)       update {
(16)         EXPAND %{Client-Shortname}
(16)            --> Cam2
(16)       } # update = noop
(16) fsu-eap: Peer sent EAP Response (code 2) ID 5 length 13
(16) fsu-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(16)       [fsu-eap] = ok
(16)     } # authorize = ok
(16)   Found Auth-Type = fsu-eap
(16)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(16)     Auth-Type fsu-eap {
(16) fsu-eap: Peer sent packet with method EAP Identity (1)
(16) fsu-eap: Calling submodule eap_mschapv2 to process data
(16) eap_mschapv2: Issuing Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 42
(16) fsu-eap: EAP session adding &reply:State = 0x6295751762936f56
(16)       [fsu-eap] = handled
(16)     } # Auth-Type fsu-eap = handled
(16) } # server fsu-peap-inner-tunnel
(16) Virtual server sending reply
(16)   EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled reply code 11
(16) eap_peap:   EAP-Message = 0x0106002a1a01060025109f50784156a46729b0cf55b725fe519e6673755f6561705f6d73636861707632
(16) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(16) eap_peap:   State = 0x6295751762936f5699fbad14c2f8e6da
(16) eap_peap: Got tunneled Access-Challenge
(16) fsu-eap: Sending EAP Request (code 1) ID 6 length 73
(16) fsu-eap: EAP session adding &reply:State = 0xed876281e9817bf6
(16)     [fsu-eap] = handled
(16)   } # Auth-Type fsu-eap = handled
(16) Using Post-Auth-Type Challenge
(16) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(16)   Challenge { ... } # empty sub-section is ignored
(16) session-state: Saving cached attributes
(16)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(16)   TLS-Session-Version = "TLS 1.2"
(16)   My-Local-VLAN = "vlan1"
(16) Sent Access-Challenge Id 79 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(16)   EAP-Message = 0x010600491900170303003e89c27588c852f56f98c1d1a9fa6d0cc0a1e10e32209323a00f2555899d0c5b91cfa2736c4e76b4e6395920f98ab9de29bc0d8add2be3043afcff649388d1
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   State = 0xed876281e9817bf64bfe7e94b8bee491
(16) Finished request
(17) Received Access-Request Id 80 from w.x.y.z:54989 to a.b.c.e:1812 length 304
(17)   User-Name = "myUsername"
(17)   NAS-IP-Address = a.b.c.d
(17)   NAS-Port = 0
(17)   NAS-Identifier = "w.x.y.z"
(17)   NAS-Port-Type = Wireless-802.11
(17)   Calling-Station-Id = "Calling-MAC"
(17)   Called-Station-Id = "Called-MAC"
(17)   Service-Type = Framed-User
(17)   Framed-MTU = 1100
(17)   EAP-Message = 0x02060062190017030300570000000000000003b9e70fd69206a3d7a95ab9ac375fe2dc092d419ab0150d028624f3aef3776408b084186a1725af7691dfa0111e22d0016deef88177d33c53ade442ae16ea9b365f036d82f0a5b06eae811cc7eee242
(17)   State = 0xed876281e9817bf64bfe7e94b8bee491
(17)   Aruba-Essid-Name = "FSUCoreX"
(17)   Aruba-Location-Id = "303H-mark"
(17)   Aruba-AP-Group = "RAP-VoIP"
(17)   Aruba-Device-Type = "Win 10"
(17)   Message-Authenticator = 0xd65c14c6e79e81442cb62c7af5845f07
(17) Restoring &session-state
(17)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17)   &session-state:TLS-Session-Version = "TLS 1.2"
(17)   &session-state:My-Local-VLAN = "vlan1"
(17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17)   authorize {
(17) fsu-bad-passwords: EXPAND %{User-Name}
(17) fsu-bad-passwords:    --> myUsername
(17)     [fsu-bad-passwords] = noop
(17)     if (ok) {
(17)     if (ok)  -> FALSE
(17)     policy rewrite_calling_station_id {
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(17)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(17)         update request {
(17)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(17)              --> Calling-MAC
(17)         } # update request = noop
(17)         [updated] = updated
(17)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(17)       ... skipping else: Preceding "if" was taken
(17)     } # policy rewrite_calling_station_id = updated
(17) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(17) fsu-bad-macs:    --> Calling-MAC
(17)     [fsu-bad-macs] = noop
(17)     if (ok) {
(17)     if (ok)  -> FALSE
(17)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(17)     if (&User-Name =~ /^host\//) {
(17)     if (&User-Name =~ /^host\//)  -> FALSE
(17)     if ( &User-Name =~ /\s/ ) {
(17)     if ( &User-Name =~ /\s/ )  -> FALSE
(17)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(17)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(17)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(17)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(17)     if ( &User-Name =~ /@my\.fsu$/i ) {
(17)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(17) ntdomain: Checking for prefix before "\"
(17) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(17)     [ntdomain] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17)     [suffix] = ok
(17)     update request {
(17)     } # update request = noop
(17) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(17) fsu-rsa-macs:    --> Calling-MAC
(17)     [fsu-rsa-macs] = noop
(17)     if (ok) {
(17)     if (ok)  -> FALSE
(17)     else {
(17) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(17) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(17)       [fsu-rsa-atwpa-aruba] = noop
(17)       if (ok) {
(17)       if (ok)  -> FALSE
(17)       else {
(17) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(17) fsu-rsa-atwpa-cisco:    -->
(17)         [fsu-rsa-atwpa-cisco] = noop
(17)         if (ok) {
(17)         if (ok)  -> FALSE
(17)       } # else = noop
(17)     } # else = noop
(17)     if (&request:Hint == "RSA") {
(17)     if (&request:Hint == "RSA")  -> FALSE
(17)     else {
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 98
(17) fsu-eap: Continuing tunnel setup
(17)       [fsu-eap] = ok
(17)     } # else = ok
(17)   } # authorize = ok
(17) Found Auth-Type = fsu-eap
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17)   Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0xed876281e9817bf6
(17) fsu-eap: Previous EAP request found for state 0xed876281e9817bf6, released from the list
(17) fsu-eap: Peer sent packet with method EAP PEAP (25)
(17) fsu-eap: Calling submodule eap_peap to process data
(17) eap_peap: Continuing EAP-TLS
(17) eap_peap: [eaptls verify] = ok
(17) eap_peap: Done initial handshake
(17) eap_peap: [eaptls process] = ok
(17) eap_peap: Session established.  Decoding tunneled attributes
(17) eap_peap: PEAP state phase2
(17) eap_peap: EAP method MSCHAPv2 (26)
(17) eap_peap: Got tunneled request
(17) eap_peap:   EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap: Setting User-Name to myUsername
(17) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(17) eap_peap:   EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(17) eap_peap:   User-Name = "myUsername"
(17) eap_peap:   State = 0x6295751762936f5699fbad14c2f8e6da
(17) Virtual server fsu-peap-inner-tunnel received request
(17)   EAP-Message = 0x020600431a0206003e315f7e3ca3f8250759d5875f3b03820d250000000000000000bd11aaca3c823d8c2cd3779eb03a248abe0580965b154b9d006d616e74686f6e79
(17)   FreeRADIUS-Proxied-To = 127.0.0.1
(17)   User-Name = "myUsername"
(17)   State = 0x6295751762936f5699fbad14c2f8e6da
(17)G: Outer and inner identities are the same.  User privacy is compromised.
(17) server fsu-peap-inner-tunnel {
(17)   session-state: No cached attributes
(17)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17)     authorize {
(17)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(17)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(17)       if ( &User-Name =~ /\s/ ) {
(17)       if ( &User-Name =~ /\s/ )  -> FALSE
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(17) suffix: Found realm "NULL"
(17) suffix: Adding Stripped-User-Name = "myUsername"
(17) suffix: Adding Realm = "NULL"
(17) suffix: Authentication realm is LOCAL
(17)       [suffix] = ok
(17)       update {
(17)         EXPAND %{Client-Shortname}
(17)            --> Cam2
(17)       } # update = noop
(17) fsu-eap: Peer sent EAP Response (code 2) ID 6 length 67
(17) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(17)       [fsu-eap] = updated
(17)       if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(17)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  -> FALSE
(17)       if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i) {
(17)       if ( &User-Name =~ /^host\/(COB-RBA[A-Za-z0-9-]+)(\.fsu\.edu)*$/i)  -> FALSE
(17)       elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/) {
(17)       elsif (&User-Name =~ /^host\/([A-Z]{2,5}-A-[0-9A-Z]{6,7})(\.fsu\.edu)*$/)  -> FALSE
(17)       elsif ( (&request:Realm) && (&request:Realm == "devices") ) {
(17)       elsif ( (&request:Realm) && (&request:Realm == "devices") )  -> FALSE
(17)       else {
(17) fsu-ldap-people: EXPAND (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(uid=lib-guest*)))
(17) fsu-ldap-people:    --> (&(uid=myUsername)(!(uid=lib-guest*)))
(17) fsu-ldap-people: Performing search in "ou=people,dc=fsu,dc=edu" with filter "(&(uid=myUsername)(!(uid=lib-guest*)))", scope "sub"
(17) fsu-ldap-people: Waiting for search result...
(17) fsu-ldap-people: User object found at DN "uid=myUsername,ou=People,dc=fsu,dc=edu"
(17) fsu-ldap-people: Processing user attributes
(17)         [fsu-ldap-people] = updated
(17)         if (notfound) {
(17)         if (notfound)  -> FALSE
(17)         if ( &reply:My-Local-fsuEduWINStatus ) {
(17)         if ( &reply:My-Local-fsuEduWINStatus )  -> FALSE
(17) fsu-pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(17)G: fsu-pap: Auth-Type already set.  Not setting to PAP
(17)         [fsu-pap] = noop
(17)         update control {
(17)         } # update control = noop
(17)         if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) ) {
(17)         if ( (&reply:My-Local-VLAN) && (!&reply:My-Local-employeeStatus) )  -> FALSE
(17)         if (&reply:My-Local-fsuEduAppRoles) {
(17)         if (&reply:My-Local-fsuEduAppRoles)  -> TRUE
(17)         if (&reply:My-Local-fsuEduAppRoles)  {
(17)           if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/)) {
(17)           if ((!&reply:My-Local-VLAN) && (&Client-Shortname !~ /^P/))  -> FALSE
(17)           update {
(17)           } # update = noop
(17)         } # if (&reply:My-Local-fsuEduAppRoles)  = noop
(17)         if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN)) {
(17)         if ((!&reply:My-Local-employeeStatus) && (!&reply:My-Local-VLAN))  -> FALSE
(17)         elsif (!&reply:My-Local-VLAN) {
(17)         elsif (!&reply:My-Local-VLAN)  -> FALSE
(17) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(17) fsu-cache-ldap-people-inner-tunnel-attributes:    --> myUsername
(17) fsu-cache-ldap-people-inner-tunnel-attributes: No cache entry found for "myUsername"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Creating new cache entry
(17) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := &reply:My-Local-VLAN -> 'vlan2'
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(17) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := "vlan2"
(17) fsu-cache-ldap-people-inner-tunnel-attributes: Committed entry, TTL 10 seconds
(17)         [fsu-cache-ldap-people-inner-tunnel-attributes] = updated
(17)       } # else = updated
(17)     } # authorize = updated
(17)   Found Auth-Type = fsu-eap
(17)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17)     Auth-Type fsu-eap {
(17) fsu-eap: Expiring EAP session with state 0x6295751762936f56
(17) fsu-eap: Finished EAP session with state 0x6295751762936f56
(17) fsu-eap: Previous EAP request found for state 0x6295751762936f56, released from the list
(17) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(17) fsu-eap: Calling submodule eap_mschapv2 to process data
(17) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(17) eap_mschapv2:   Auth-Type MS-CHAP {
(17) fsu-mschap-winbind: Found NT-Password
(17) fsu-mschap-winbind: Creating challenge hash with username: myUsername
(17) fsu-mschap-winbind: Client is using MS-CHAPv2
(17) fsu-mschap-winbind: Adding MS-CHAPv2 MPPE keys
(17) eap_mschapv2:     [fsu-mschap-winbind] = ok
(17) eap_mschapv2:   } # Auth-Type MS-CHAP = ok
(17) eap_mschapv2: MSCHAP Success
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 51
(17) fsu-eap: EAP session adding &reply:State = 0x6295751763926f56
(17)       [fsu-eap] = handled
(17)     } # Auth-Type fsu-eap = handled
(17) } # server fsu-peap-inner-tunnel
(17) Virtual server sending reply
(17)   My-Local-employeeStatus = "Active"
(17)   My-Local-VLAN = "vlan2"
(17)   EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled reply code 11
(17) eap_peap:   My-Local-employeeStatus = "Active"
(17) eap_peap:   My-Local-VLAN = "vlan2"
(17) eap_peap:   EAP-Message = 0x010700331a0306002e533d30453232363542464230323643314536413241423936443939354644443543343538423931444235
(17) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(17) eap_peap:   State = 0x6295751763926f5699fbad14c2f8e6da
(17) eap_peap: Got tunneled Access-Challenge
(17) fsu-eap: Sending EAP Request (code 1) ID 7 length 82
(17) fsu-eap: EAP session adding &reply:State = 0xed876281e8807bf6
(17)     [fsu-eap] = handled
(17)   } # Auth-Type fsu-eap = handled
(17) Using Post-Auth-Type Challenge
(17) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(17)   Challenge { ... } # empty sub-section is ignored
(17) session-state: Saving cached attributes
(17)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(17)   TLS-Session-Version = "TLS 1.2"
(17)   My-Local-VLAN = "vlan1"
(17) Sent Access-Challenge Id 80 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(17)   EAP-Message = 0x010700521900170303004789c27588c852f57045aba025448705421526a0428cd53ca921a53102d6ba99fb07e81bab3ab01057cf487def2a59e6022f25e43177c85bed11c9d233cd9d04307552cca530e3f2
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0xed876281e8807bf64bfe7e94b8bee491
(17) Finished request
(18) Received Access-Request Id 81 from w.x.y.z:54989 to a.b.c.e:1812 length 243
(18)   User-Name = "myUsername"
(18)   NAS-IP-Address = a.b.c.d
(18)   NAS-Port = 0
(18)   NAS-Identifier = "w.x.y.z"
(18)   NAS-Port-Type = Wireless-802.11
(18)   Calling-Station-Id = "Calling-MAC"
(18)   Called-Station-Id = "Called-MAC"
(18)   Service-Type = Framed-User
(18)   Framed-MTU = 1100
(18)   EAP-Message = 0x020700251900170303001a00000000000000048d403c8866333c3a2458917f40809eb5d560
(18)   State = 0xed876281e8807bf64bfe7e94b8bee491
(18)   Aruba-Essid-Name = "FSUCoreX"
(18)   Aruba-Location-Id = "303H-mark"
(18)   Aruba-AP-Group = "RAP-VoIP"
(18)   Aruba-Device-Type = "Win 10"
(18)   Message-Authenticator = 0x652291c2e70a5b6b3eaeccfb35ec9c3e
(18) Restoring &session-state
(18)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18)   &session-state:TLS-Session-Version = "TLS 1.2"
(18)   &session-state:My-Local-VLAN = "vlan1"
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18)   authorize {
(18) fsu-bad-passwords: EXPAND %{User-Name}
(18) fsu-bad-passwords:    --> myUsername
(18)     [fsu-bad-passwords] = noop
(18)     if (ok) {
(18)     if (ok)  -> FALSE
(18)     policy rewrite_calling_station_id {
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(18)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(18)         update request {
(18)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(18)              --> Calling-MAC
(18)         } # update request = noop
(18)         [updated] = updated
(18)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(18)       ... skipping else: Preceding "if" was taken
(18)     } # policy rewrite_calling_station_id = updated
(18) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(18) fsu-bad-macs:    --> Calling-MAC
(18)     [fsu-bad-macs] = noop
(18)     if (ok) {
(18)     if (ok)  -> FALSE
(18)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(18)     if (&User-Name =~ /^host\//) {
(18)     if (&User-Name =~ /^host\//)  -> FALSE
(18)     if ( &User-Name =~ /\s/ ) {
(18)     if ( &User-Name =~ /\s/ )  -> FALSE
(18)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(18)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(18)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(18)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(18)     if ( &User-Name =~ /@my\.fsu$/i ) {
(18)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(18) ntdomain: Checking for prefix before "\"
(18) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(18)     [ntdomain] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18)     [suffix] = ok
(18)     update request {
(18)     } # update request = noop
(18) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(18) fsu-rsa-macs:    --> Calling-MAC
(18)     [fsu-rsa-macs] = noop
(18)     if (ok) {
(18)     if (ok)  -> FALSE
(18)     else {
(18) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(18) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(18)       [fsu-rsa-atwpa-aruba] = noop
(18)       if (ok) {
(18)       if (ok)  -> FALSE
(18)       else {
(18) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(18) fsu-rsa-atwpa-cisco:    -->
(18)         [fsu-rsa-atwpa-cisco] = noop
(18)         if (ok) {
(18)         if (ok)  -> FALSE
(18)       } # else = noop
(18)     } # else = noop
(18)     if (&request:Hint == "RSA") {
(18)     if (&request:Hint == "RSA")  -> FALSE
(18)     else {
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 37
(18) fsu-eap: Continuing tunnel setup
(18)       [fsu-eap] = ok
(18)     } # else = ok
(18)   } # authorize = ok
(18) Found Auth-Type = fsu-eap
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18)   Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0xed876281e8807bf6
(18) fsu-eap: Previous EAP request found for state 0xed876281e8807bf6, released from the list
(18) fsu-eap: Peer sent packet with method EAP PEAP (25)
(18) fsu-eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: [eaptls verify] = ok
(18) eap_peap: Done initial handshake
(18) eap_peap: [eaptls process] = ok
(18) eap_peap: Session established.  Decoding tunneled attributes
(18) eap_peap: PEAP state phase2
(18) eap_peap: EAP method MSCHAPv2 (26)
(18) eap_peap: Got tunneled request
(18) eap_peap:   EAP-Message = 0x020700061a03
(18) eap_peap: Setting User-Name to myUsername
(18) eap_peap: Sending tunneled request to fsu-peap-inner-tunnel
(18) eap_peap:   EAP-Message = 0x020700061a03
(18) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap:   User-Name = "myUsername"
(18) eap_peap:   State = 0x6295751763926f5699fbad14c2f8e6da
(18) Virtual server fsu-peap-inner-tunnel received request
(18)   EAP-Message = 0x020700061a03
(18)   FreeRADIUS-Proxied-To = 127.0.0.1
(18)   User-Name = "myUsername"
(18)   State = 0x6295751763926f5699fbad14c2f8e6da
(18)G: Outer and inner identities are the same.  User privacy is compromised.
(18) server fsu-peap-inner-tunnel {
(18)   session-state: No cached attributes
(18)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18)     authorize {
(18)       if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(18)       if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(18)       if ( &User-Name =~ /\s/ ) {
(18)       if ( &User-Name =~ /\s/ )  -> FALSE
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(18) suffix: Found realm "NULL"
(18) suffix: Adding Stripped-User-Name = "myUsername"
(18) suffix: Adding Realm = "NULL"
(18) suffix: Authentication realm is LOCAL
(18)       [suffix] = ok
(18)       update {
(18)         EXPAND %{Client-Shortname}
(18)            --> Cam2
(18)       } # update = noop
(18) fsu-eap: Peer sent EAP Response (code 2) ID 7 length 6
(18) fsu-eap: No EAP Start, assuming it's an on-going EAP conversation
(18)       [fsu-eap] = updated
(18)       if ( &EAP-Message =~ /^0x02..00061a..$/ ) {
(18)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  -> TRUE
(18)       if ( &EAP-Message =~ /^0x02..00061a..$/ )  {
(18)         policy fsu-peap-cache-policy {
(18)           if ( &User-Name =~ /@devices/ ){
(18)           if ( &User-Name =~ /@devices/ ) -> FALSE
(18)           else {
(18) fsu-cache-ldap-people-inner-tunnel-attributes: EXPAND %{User-Name}
(18) fsu-cache-ldap-people-inner-tunnel-attributes:    --> myUsername
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Found entry for "myUsername"
(18) fsu-cache-ldap-people-inner-tunnel-attributes: Merging cache entry into request
(18) fsu-cache-ldap-people-inner-tunnel-attributes:   &reply:My-Local-VLAN := "vlan2"
(18)             [fsu-cache-ldap-people-inner-tunnel-attributes] = ok
(18)             if (updated) {
(18)             if (updated)  -> FALSE
(18)             elsif (noop) {
(18)             elsif (noop)  -> FALSE
(18)             elsif (ok) {
(18)             elsif (ok)  -> TRUE
(18)             elsif (ok)  {
(18)               update control {
(18)               } # update control = noop
(18)             } # elsif (ok)  = noop
(18)             ... skipping else: Preceding "if" was taken
(18)           } # else = ok
(18)         } # policy fsu-peap-cache-policy = ok
(18)         return
(18)       } # if ( &EAP-Message =~ /^0x02..00061a..$/ )  = ok
(18)     } # authorize = updated
(18)   Found Auth-Type = fsu-eap
(18)   # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18)     Auth-Type fsu-eap {
(18) fsu-eap: Expiring EAP session with state 0x6295751763926f56
(18) fsu-eap: Finished EAP session with state 0x6295751763926f56
(18) fsu-eap: Previous EAP request found for state 0x6295751763926f56, released from the list
(18) fsu-eap: Peer sent packet with method EAP MSCHAPv2 (26)
(18) fsu-eap: Calling submodule eap_mschapv2 to process data
(18) fsu-eap: Sending EAP Success (code 3) ID 7 length 4
(18) fsu-eap: Freeing handler
(18)       [fsu-eap] = ok
(18)     } # Auth-Type fsu-eap = ok
(18)   # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-inner-tunnel
(18)     post-auth {
(18)       update reply {
(18)       } # update reply = noop
(18)       update outer.session-state {
(18)       } # update outer.session-state = noop
(18)     } # post-auth = noop
(18)   EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(18)      -->     vlan2
(18) } # server fsu-peap-inner-tunnel
(18) Virtual server sending reply
(18)   My-Local-VLAN = "vlan2"
(18) eap_peap: Got tunneled reply code 2
(18) eap_peap:   My-Local-VLAN = "vlan2"
(18) eap_peap: Tunneled authentication was successful
(18) eap_peap: SUCCESS
(18) eap_peap: Saving tunneled attributes for later
(18) fsu-eap: Sending EAP Request (code 1) ID 8 length 46
(18) fsu-eap: EAP session adding &reply:State = 0xed876281eb8f7bf6
(18)     [fsu-eap] = handled
(18)   } # Auth-Type fsu-eap = handled
(18) Using Post-Auth-Type Challenge
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(18)   Challenge { ... } # empty sub-section is ignored
(18) session-state: Saving cached attributes
(18)   TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(18)   TLS-Session-Version = "TLS 1.2"
(18)   My-Local-VLAN := "vlan2"
(18) Sent Access-Challenge Id 81 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(18)   EAP-Message = 0x0108002e1900170303002389c27588c852f5715e6c41502105700e5214de10b96118258b9bc05e08f83024124f92
(18)   Message-Authenticator = 0x00000000000000000000000000000000
(18)   State = 0xed876281eb8f7bf64bfe7e94b8bee491
(18) Finished request
(19) Received Access-Request Id 82 from w.x.y.z:54989 to a.b.c.e:1812 length 252
(19)   User-Name = "myUsername"
(19)   NAS-IP-Address = a.b.c.d
(19)   NAS-Port = 0
(19)   NAS-Identifier = "w.x.y.z"
(19)   NAS-Port-Type = Wireless-802.11
(19)   Calling-Station-Id = "Calling-MAC"
(19)   Called-Station-Id = "Called-MAC"
(19)   Service-Type = Framed-User
(19)   Framed-MTU = 1100
(19)   EAP-Message = 0x0208002e190017030300230000000000000005b340395d206b4b01c23ec16546b856e439347ccfb389a5358bf72a
(19)   State = 0xed876281eb8f7bf64bfe7e94b8bee491
(19)   Aruba-Essid-Name = "FSUCoreX"
(19)   Aruba-Location-Id = "303H-mark"
(19)   Aruba-AP-Group = "RAP-VoIP"
(19)   Aruba-Device-Type = "Win 10"
(19)   Message-Authenticator = 0x627c9e1982dd68cca2ae68b38deb7992
(19) Restoring &session-state
(19)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-ECDSA-AES128-GCM-SHA256"
(19)   &session-state:TLS-Session-Version = "TLS 1.2"
(19)   &session-state:My-Local-VLAN := "vlan2"
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19)   authorize {
(19) fsu-bad-passwords: EXPAND %{User-Name}
(19) fsu-bad-passwords:    --> myUsername
(19)     [fsu-bad-passwords] = noop
(19)     if (ok) {
(19)     if (ok)  -> FALSE
(19)     policy rewrite_calling_station_id {
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(19)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(19)         update request {
(19)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(19)              --> Calling-MAC
(19)         } # update request = noop
(19)         [updated] = updated
(19)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(19)       ... skipping else: Preceding "if" was taken
(19)     } # policy rewrite_calling_station_id = updated
(19) fsu-bad-macs: EXPAND %{Calling-Station-ID}
(19) fsu-bad-macs:    --> Calling-MAC
(19)     [fsu-bad-macs] = noop
(19)     if (ok) {
(19)     if (ok)  -> FALSE
(19)     if ( ( ! &User-Name ) || ( &User-Name == "" ) ) {
(19)     if ( ( ! &User-Name ) || ( &User-Name == "" ) )  -> FALSE
(19)     if (&User-Name =~ /^host\//) {
(19)     if (&User-Name =~ /^host\//)  -> FALSE
(19)     if ( &User-Name =~ /\s/ ) {
(19)     if ( &User-Name =~ /\s/ )  -> FALSE
(19)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i )) {
(19)     if (( &User-Name =~ /^.*\\/ ) && ( &User-Name !~ /^med\\/i ))  -> FALSE
(19)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i)) {
(19)     if ((&User-Name =~ /@med.fsu.edu/i)  || (&User-Name =~ /@wlan\.[[:alnum:]]+\.[[:alnum:]]+\.3gppnetwork\.org$/i))  -> FALSE
(19)     if ( &User-Name =~ /@my\.fsu$/i ) {
(19)     if ( &User-Name =~ /@my\.fsu$/i )  -> FALSE
(19) ntdomain: Checking for prefix before "\"
(19) ntdomain: No '\' in User-Name = "myUsername", skipping NULL due to config.
(19)     [ntdomain] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "myUsername", looking up realm NULL
(19) suffix: Found realm "NULL"
(19) suffix: Adding Stripped-User-Name = "myUsername"
(19) suffix: Adding Realm = "NULL"
(19) suffix: Authentication realm is LOCAL
(19)     [suffix] = ok
(19)     update request {
(19)     } # update request = noop
(19) fsu-rsa-macs: EXPAND %{Calling-Station-ID}
(19) fsu-rsa-macs:    --> Calling-MAC
(19)     [fsu-rsa-macs] = noop
(19)     if (ok) {
(19)     if (ok)  -> FALSE
(19)     else {
(19) fsu-rsa-atwpa-aruba: EXPAND %{Aruba-Essid-Name}
(19) fsu-rsa-atwpa-aruba:    --> FSUCoreX
(19)       [fsu-rsa-atwpa-aruba] = noop
(19)       if (ok) {
(19)       if (ok)  -> FALSE
(19)       else {
(19) fsu-rsa-atwpa-cisco: EXPAND %{Airespace-Wlan-Id}
(19) fsu-rsa-atwpa-cisco:    -->
(19)         [fsu-rsa-atwpa-cisco] = noop
(19)         if (ok) {
(19)         if (ok)  -> FALSE
(19)       } # else = noop
(19)     } # else = noop
(19)     if (&request:Hint == "RSA") {
(19)     if (&request:Hint == "RSA")  -> FALSE
(19)     else {
(19) fsu-eap: Peer sent EAP Response (code 2) ID 8 length 46
(19) fsu-eap: Continuing tunnel setup
(19)       [fsu-eap] = ok
(19)     } # else = ok
(19)   } # authorize = ok
(19) Found Auth-Type = fsu-eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19)   Auth-Type fsu-eap {
(19) fsu-eap: Expiring EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Finished EAP session with state 0xed876281eb8f7bf6
(19) fsu-eap: Previous EAP request found for state 0xed876281eb8f7bf6, released from the list
(19) fsu-eap: Peer sent packet with method EAP PEAP (25)
(19) fsu-eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established.  Decoding tunneled attributes
(19) eap_peap: PEAP state send tlv success
(19) eap_peap: Received EAP-TLV response
(19) eap_peap: Success
(19) eap_peap: Using saved attributes from the original Access-Accept
(19) eap_peap:   My-Local-VLAN = "vlan2"
(19) eap_peap:   &request:EAP-Session-Resumed := 1
(19) fsu-eap: Sending EAP Success (code 3) ID 8 length 4
(19) fsu-eap: Freeing handler
(19)     [fsu-eap] = ok
(19)   } # Auth-Type fsu-eap = ok
(19) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/fsu-peap-1812
(19)   post-auth {
(19)     update reply {
(19)     } # update reply = noop
(19)     if ( &reply:My-Local-VLAN == "student" ) {
(19)     if ( &reply:My-Local-VLAN == "student" )  -> FALSE
(19)     policy fsu-SSID-and-VLAN-policy {
(19)       update {
(19)       } # update = noop
(19)       if ( &Aruba-Essid-Name ) {
(19)       if ( &Aruba-Essid-Name )  -> TRUE
(19)       if ( &Aruba-Essid-Name )  {
(19)         update {
(19)         } # update = noop
(19)         if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i ) {
(19)         if ( &My-Local-AP =~ /^(.*?)(\.wireless)?(\.fsu\.edu)$/i )  -> FALSE
(19)         if ( &My-Local-Group =~ /^(.+) (.+$)/ ) {
(19)         if ( &My-Local-Group =~ /^(.+) (.+$)/ )  -> FALSE
(19)       } # if ( &Aruba-Essid-Name )  = noop
(19)       ... skipping elsif: Preceding "if" was taken
(19)       ... skipping elsif: Preceding "if" was taken
(19)       ... skipping else: Preceding "if" was taken
(19)       if (( !&My-Local-Device ) || ( &My-Local-Device == '' )) {
(19)       if (( !&My-Local-Device ) || ( &My-Local-Device == '' ))  -> FALSE
(19)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ ) {
(19)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  -> TRUE
(19)       elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  {
(19)         update {
(19)           EXPAND %{1}_%{2}
(19)              --> Win_10
(19)         } # update = noop
(19)       } # elsif ( &My-Local-Device =~ /^(.+) (.+$)/ )  = noop
(19)     } # policy fsu-SSID-and-VLAN-policy = noop
(19)   } # post-auth = noop
(19) EXPAND %{My-Local-SSID} %{My-Local-AP} %{My-Local-Group} %{My-Local-Device} %{reply:My-Local-VLAN}
(19)    --> FSUCoreX 303H-mark RAP-VoIP Win_10 vlan2
(19) Sent Access-Accept Id 82 from a.b.c.e:1812 to w.x.y.z:54989 length 0
(19)   MS-MPPE-Recv-Key = 0xfc57aa43d0064c088b6c4375f15801b657c140dce3bbf3f12d588b495c095e46
(19)   MS-MPPE-Send-Key = 0x27eb19dc16c19e8d22e9feb7c2b80cc7bc2840f2569955a368777696ef4d8bb6
(19)   EAP-Message = 0x03080004
(19)   Message-Authenticator = 0x00000000000000000000000000000000
(19)   User-Name = "myUsername"
(19)   Aruba-User-Vlan := vlan2
(19) Finished request
(12) Cleaning up request packet ID 75 with timestamp +136
(13) Cleaning up request packet ID 76 with timestamp +136
(14) Cleaning up request packet ID 77 with timestamp +137
(15) Cleaning up request packet ID 78 with timestamp +137
(16) Cleaning up request packet ID 79 with timestamp +137
(17) Cleaning up request packet ID 80 with timestamp +137
(18) Cleaning up request packet ID 81 with timestamp +137
(19) Cleaning up request packet ID 82 with timestamp +137


Re: Anamoly in TLS Session Resumption

Alan DeKok-2
On Feb 19, 2021, at 1:42 PM, Doug Wussler via Freeradius-Users <[hidden email]> wrote:
> I have an anomaly in TLS Session Resumption using a Windows 10 laptop.  I have not been able to reproduce this using other clients.  While this appears to be bad behavior by Windows, I'm also asking if this unexpected supplicant behavior might reveal some undesirable behavior on the part of freeradius.

  Maybe, maybe not.  If it's an issue in Windows, I was just talking today with the team in charge of the Microsoft supplicant, so this is timely.

> I deleted all TLS session cache records and restarted the server.  In packet (2) you see the supplicant request a cached session, which is not found, so a full authentication takes place in packets (1) through (10).

  OK.

> I then "forget" the network on the client, which I would expect would also delete any record of a previous TLS session,

  Maybe.  That all depends on how the internals work.  The TLS cache *may* depend on the network configuration, or it may be independent.

> and then I reauthenticate to the network, which requires entering a username/password (but, sadly, does not require me to trust the server's certificate).

  I suspect that means that the TLS system is caching the certificate & session, even if the network configuration has changed.

> At this point I would expect to see a full re-auth but in packet (13) you see the supplicant request a cached session, which is found and restored.  In packet (14) the server declares a successful session resumption on its end and sends an Access-Challenge.  But in packet (15) we then see:
>
> eap_peap: Client rejected our response.  The password is probably incorrect
> eap_peap: Client rejected session resumption.  Re-starting full authentication

  Yeah, it's not clear why that happens.  You can get logs out of Windows, but they're not always as clear as the FreeRADIUS ones!

> We then proceed through the inner-tunnel and do the full re-auth but we are still using the resumed session ID along with the attributes cached from that session. In the final packet (19), we see "&request:EAP-Session-Resumed := 1"  

  Hmm... that seems like an issue on the FreeRADIUS side.  It should definitely *not* set the session to be resumed, and it should likely delete the old cached session.

> This all came to my attention because I was originally using Cached-Session-Policy with the += operator.  I ended up with duplicate session-state entries for Cached-Session-Policy, and, when that policy happened to change between authentications, one of those Cached-Session-Policy values was wrong.

  I'm not clear how it gets *two* Cached-Session-Policy attributes.  The debug output doesn't show that it caches that attribute.

> We can't do anything about the bad Windows behavior, but do you consider it appropriate for freeradius to handle a rejected session resumption this way?

  Nope.

  I've pushed changes which should help, I think.  The PEAP module will now go "this session isn't resumed", and the main TLS cache code will treat the session as starting from scratch.

  Alan DeKok.
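
The condition discussed in this thread can be checked for in debug output. The following is an added example, not part of the original posts and not FreeRADIUS project code: it links requests into EAP conversations by the outer State attribute and flags any conversation whose Access-Accept carries "EAP-Session-Resumed := 1" although the client rejected resumption or a full inner MSCHAPv2 exchange ran. The function names and the sample log are constructed for illustration; only the three log messages it searches for are taken from the thread.

```python
import re

# Constructed, abbreviated sample in the shape of `radiusd -X` output.
# Addresses are omitted and all State values are made up.
SAMPLE_LOG = """\
(1) Received Access-Request Id 70
(1)   User-Name = "alice"
(1) Sent Access-Challenge Id 70
(1)   State = 0xa1
(2) Received Access-Request Id 71
(2)   User-Name = "bob"
(2) Sent Access-Challenge Id 71
(2)   State = 0xb1
(3) Received Access-Request Id 72
(3)   User-Name = "alice"
(3)   State = 0xa1
(3) eap_peap: Client rejected session resumption.  Re-starting full authentication
(3) Sent Access-Challenge Id 72
(3)   State = 0xa2
(4) Received Access-Request Id 73
(4)   State = 0xa2
(4) Virtual server inner-tunnel received request
(4)   State = 0x1111
(4) eap_mschapv2: MSCHAP Success
(4) Sent Access-Challenge Id 73
(4)   State = 0xa3
(5) Received Access-Request Id 74
(5)   State = 0xb1
(5) eap_peap:   &request:EAP-Session-Resumed := 1
(5) Sent Access-Accept Id 74
(6) Received Access-Request Id 75
(6)   State = 0xa3
(6) eap_peap:   &request:EAP-Session-Resumed := 1
(6) Sent Access-Accept Id 75
(7) Received Access-Request Id 76
(7)   User-Name = "carol"
(7) Sent Access-Challenge Id 76
(7)   State = 0xc1
(8) Received Access-Request Id 77
(8)   State = 0xc1
(8) eap_mschapv2: MSCHAP Success
(8) Sent Access-Accept Id 77
"""

REQ = re.compile(r"^\((\d+)\)(.*)$")                  # "(N)" request prefix
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) :?= (.*)$")  # bare "  Name = value" line


def parse_requests(log_text):
    """Collect per-request facts. Only attributes listed directly under
    'Received Access-Request' or 'Sent Access-*' count as outer attributes;
    inner-tunnel State values are ignored."""
    requests, mode = {}, None
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            mode = None
            continue
        num, rest = int(m.group(1)), m.group(2)
        text = rest.strip()
        if text.startswith("Received Access-Request"):
            requests[num] = {"num": num, "user": None, "rx_state": None,
                             "tx_state": None, "reply": None,
                             "rejected": False, "inner_auth": False,
                             "resumed": False}
            mode = "rx"
            continue
        req = requests.get(num)
        if req is None:               # e.g. a "Cleaning up request" line
            mode = None
            continue
        attr = ATTR.match(rest) if mode else None
        if text.startswith("Sent Access-"):
            req["reply"], mode = text.split()[1], "tx"
        elif attr:
            name, value = attr.groups()
            if name == "State":
                req[mode + "_state"] = value
            elif name == "User-Name" and mode == "rx":
                req["user"] = value.strip('"')
        else:
            mode = None
            req["rejected"] |= "Client rejected session resumption" in text
            req["inner_auth"] |= text.endswith("MSCHAP Success")
            req["resumed"] |= "EAP-Session-Resumed := 1" in text
    return requests


def group_conversations(requests):
    """Chain requests: the State sent in one reply is echoed in the next request."""
    open_by_state, conversations = {}, []
    for req in requests.values():
        conv = open_by_state.pop(req["rx_state"], None)
        if conv is None:
            conv = []
            conversations.append(conv)
        conv.append(req)
        if req["tx_state"]:
            open_by_state[req["tx_state"]] = conv
    return conversations


def find_false_resumptions(log_text):
    """Return conversations accepted as 'resumed' that were not real resumptions."""
    findings = []
    for conv in group_conversations(parse_requests(log_text)):
        last = conv[-1]
        if last["reply"] != "Access-Accept" or not last["resumed"]:
            continue
        reasons = []
        if any(r["rejected"] for r in conv):
            reasons.append("client rejected resumption")
        if any(r["inner_auth"] for r in conv):
            reasons.append("full inner MSCHAPv2 ran")
        if reasons:
            findings.append({"user": conv[0]["user"],
                             "requests": [r["num"] for r in conv],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_false_resumptions(SAMPLE_LOG):
        print(finding)
```

A retransmitted Access-Request repeats a State that has already been consumed, so it will show up as a separate one-request conversation rather than being merged.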

