tlscache

Munroe Sollog
I'm trying to enable tls caching on my radius server.  The radius -X output
is included below.  I'm also including some additional information for
reference.  Looking at the debug output I see where the cache config is
loaded and it looks right to me.  I don't see any errors around it.

I'm expecting to see a file in the tlscache folder after a successful auth,
however the folder remains empty.

# freeradius -v

radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
Apr 22 2019 at 21:23:36

FreeRADIUS Version 3.0.17


# ls -al /var/lib/radiusd

total 12

drwxr-xr-x  3 freerad freerad 4096 Aug 29 12:27 .

drwxr-xr-x 29 root    root    4096 Aug 29 12:26 ..

drwxr-xr-x  2 freerad freerad 4096 Aug 29 12:27 tlscache

=============radius -X output=============

Ready to process requests

(0) Received Access-Request Id 0 from 128.180.10.10:37390 to
128.180.1.12:1812 length 126

(0)   User-Name = "x19a19"

(0)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(0)   Framed-MTU = 1400

(0)   NAS-Port-Type = Wireless-802.11

(0)   Service-Type = Framed-User

(0)   Connect-Info = "CONNECT 11Mbps 802.11b"

(0)   NAS-IP-Address = 128.180.10.10

(0)   EAP-Message = 0x0257000b01783139613139

(0)   Message-Authenticator = 0x3a48dc0be2decd0e236d376f69ffe48a

(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [mschap] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(0) suffix: No such realm "NULL"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 87 length 11

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_peap to process data

(0) eap_peap: Initiating new EAP-TLS session

(0) eap_peap: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 88 length 6

(0) eap: EAP session adding &reply:State = 0xd5cab529d592ace4

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) Sent Access-Challenge Id 0 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(0)   EAP-Message = 0x015800061920

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0xd5cab529d592ace4f6d40de07aff4d01

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 1 from 128.180.10.10:37390 to
128.180.1.12:1812 length 333

(1)   User-Name = "x19a19"

(1)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(1)   Framed-MTU = 1400

(1)   NAS-Port-Type = Wireless-802.11

(1)   Service-Type = Framed-User

(1)   Connect-Info = "CONNECT 11Mbps 802.11b"

(1)   NAS-IP-Address = 128.180.10.10

(1)   EAP-Message =
0x025800c81980000000be16030100b9010000b50303132d25755eaabb15aee43b60d657ccc2cc1fd1edb3aae7d48eaabd8658411197000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b00

(1)   State = 0xd5cab529d592ace4f6d40de07aff4d01

(1)   Message-Authenticator = 0xbd4519f715be469fa75c83986884eab7

(1) session-state: No cached attributes

(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [mschap] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(1) suffix: No such realm "NULL"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 88 length 200

(1) eap: Continuing tunnel setup

(1)     [eap] = ok

(1)   } # authorize = ok

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0xd5cab529d592ace4

(1) eap: Finished EAP session with state 0xd5cab529d592ace4

(1) eap: Previous EAP request found for state 0xd5cab529d592ace4, released
from the list

(1) eap: Peer sent packet with method EAP PEAP (25)

(1) eap: Calling submodule eap_peap to process data

(1) eap_peap: Continuing EAP-TLS

(1) eap_peap: Peer indicated complete TLS record size will be 190 bytes

(1) eap_peap: Got complete TLS record (190 bytes)

(1) eap_peap: [eaptls verify] = length included

(1) eap_peap: (other): before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: TLS_accept: before SSL initialization

(1) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 00b9]

(1) eap_peap: TLS_accept: SSLv3/TLS read client hello

(1) eap_peap: >>> send TLS 1.2  [length 003d]

(1) eap_peap: TLS_accept: SSLv3/TLS write server hello

(1) eap_peap: >>> send TLS 1.2  [length 02ff]

(1) eap_peap: TLS_accept: SSLv3/TLS write certificate

(1) eap_peap: >>> send TLS 1.2  [length 014d]

(1) eap_peap: TLS_accept: SSLv3/TLS write key exchange

(1) eap_peap: >>> send TLS 1.2  [length 0004]

(1) eap_peap: TLS_accept: SSLv3/TLS write server done

(1) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server
done

(1) eap_peap: In SSL Handshake Phase

(1) eap_peap: In SSL Accept mode

(1) eap_peap: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 89 length 1004

(1) eap: EAP session adding &reply:State = 0xd5cab529d493ace4

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) Sent Access-Challenge Id 1 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(1)   EAP-Message =
0x015903ec19c0000004a1160303003d020000390303dd83be8c2d3373ce58eee72115d28fd891a538ba5fcf3717444f574e4752440100c030000011ff01000100000b0004030001020017000016030302ff0b0002fb0002f80002f5308202f1308201d9a00302010202146434b6d539827cbeb8e5394cc7

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0xd5cab529d493ace4f6d40de07aff4d01

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 2 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139

(2)   User-Name = "x19a19"

(2)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(2)   Framed-MTU = 1400

(2)   NAS-Port-Type = Wireless-802.11

(2)   Service-Type = Framed-User

(2)   Connect-Info = "CONNECT 11Mbps 802.11b"

(2)   NAS-IP-Address = 128.180.10.10

(2)   EAP-Message = 0x025900061900

(2)   State = 0xd5cab529d493ace4f6d40de07aff4d01

(2)   Message-Authenticator = 0x7b647a04b11930721a7fe202c4e2db1d

(2) session-state: No cached attributes

(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [mschap] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(2) suffix: No such realm "NULL"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 89 length 6

(2) eap: Continuing tunnel setup

(2)     [eap] = ok

(2)   } # authorize = ok

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0xd5cab529d493ace4

(2) eap: Finished EAP session with state 0xd5cab529d493ace4

(2) eap: Previous EAP request found for state 0xd5cab529d493ace4, released
from the list

(2) eap: Peer sent packet with method EAP PEAP (25)

(2) eap: Calling submodule eap_peap to process data

(2) eap_peap: Continuing EAP-TLS

(2) eap_peap: Peer ACKed our handshake fragment

(2) eap_peap: [eaptls verify] = request

(2) eap_peap: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 90 length 197

(2) eap: EAP session adding &reply:State = 0xd5cab529d790ace4

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 2 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(2)   EAP-Message =
0x015a00c519009514387a2a99cbc5bc7bf00cd5a29c255b83772ba796b69dae86ff9b01f62cd587cd98518e7b3476015a262ecd457d3d4907b7ea5078d7f296d2f954319aa2bff38c213fd16268b2602ae9b69d9e89420a7a7232915386dac92e9f835425586551deb8019cfb47aca33d279ff611294f8b

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0xd5cab529d790ace4f6d40de07aff4d01

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 3 from 128.180.10.10:37390 to
128.180.1.12:1812 length 269

(3)   User-Name = "x19a19"

(3)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(3)   Framed-MTU = 1400

(3)   NAS-Port-Type = Wireless-802.11

(3)   Service-Type = Framed-User

(3)   Connect-Info = "CONNECT 11Mbps 802.11b"

(3)   NAS-IP-Address = 128.180.10.10

(3)   EAP-Message =
0x025a008819800000007e1603030046100000424104fc5bb0a7a1c6d364acac1b9577d6da13d37ae7f5be2269a13a2dd8ff073c07355810fe52fe84b6478bf08c55e531ced723650d13c9c3eb6b6ccd8b9a303640be140303000101160303002850823d0b0711a0e3ca25a3d3c0b0608532302156d36f93

(3)   State = 0xd5cab529d790ace4f6d40de07aff4d01

(3)   Message-Authenticator = 0xb228fa99ab9bc2c005e4a529b3e61308

(3) session-state: No cached attributes

(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [mschap] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(3) suffix: No such realm "NULL"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 90 length 136

(3) eap: Continuing tunnel setup

(3)     [eap] = ok

(3)   } # authorize = ok

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0xd5cab529d790ace4

(3) eap: Finished EAP session with state 0xd5cab529d790ace4

(3) eap: Previous EAP request found for state 0xd5cab529d790ace4, released
from the list

(3) eap: Peer sent packet with method EAP PEAP (25)

(3) eap: Calling submodule eap_peap to process data

(3) eap_peap: Continuing EAP-TLS

(3) eap_peap: Peer indicated complete TLS record size will be 126 bytes

(3) eap_peap: Got complete TLS record (126 bytes)

(3) eap_peap: [eaptls verify] = length included

(3) eap_peap: TLS_accept: SSLv3/TLS write server done

(3) eap_peap: <<< recv TLS 1.2  [length 0046]

(3) eap_peap: TLS_accept: SSLv3/TLS read client key exchange

(3) eap_peap: TLS_accept: SSLv3/TLS read change cipher spec

(3) eap_peap: <<< recv TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS read finished

(3) eap_peap: >>> send TLS 1.2  [length 0001]

(3) eap_peap: TLS_accept: SSLv3/TLS write change cipher spec

(3) eap_peap: >>> send TLS 1.2  [length 0010]

(3) eap_peap: TLS_accept: SSLv3/TLS write finished

(3) eap_peap: (other): SSL negotiation finished successfully

(3) eap_peap: SSL Connection Established

(3) eap_peap: [eaptls process] = handled

(3) eap: Sending EAP Request (code 1) ID 91 length 57

(3) eap: EAP session adding &reply:State = 0xd5cab529d691ace4

(3)     [eap] = handled

(3)   } # authenticate = handled

(3) Using Post-Auth-Type Challenge

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Challenge { ... } # empty sub-section is ignored

(3) Sent Access-Challenge Id 3 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(3)   EAP-Message =
0x015b0039190014030300010116030300284d99b5c3c5193bcc51b4aa1ed19ca2be71cfdb79c560a09d671240792b6456674737f95c176ab1d7

(3)   Message-Authenticator = 0x00000000000000000000000000000000

(3)   State = 0xd5cab529d691ace4f6d40de07aff4d01

(3) Finished request

Waking up in 4.9 seconds.

(4) Received Access-Request Id 4 from 128.180.10.10:37390 to
128.180.1.12:1812 length 139

(4)   User-Name = "x19a19"

(4)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(4)   Framed-MTU = 1400

(4)   NAS-Port-Type = Wireless-802.11

(4)   Service-Type = Framed-User

(4)   Connect-Info = "CONNECT 11Mbps 802.11b"

(4)   NAS-IP-Address = 128.180.10.10

(4)   EAP-Message = 0x025b00061900

(4)   State = 0xd5cab529d691ace4f6d40de07aff4d01

(4)   Message-Authenticator = 0xf00cd599fd7c7eb90b7e5382f9f10bde

(4) session-state: No cached attributes

(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(4)   authorize {

(4)     policy filter_username {

(4)       if (&User-Name) {

(4)       if (&User-Name)  -> TRUE

(4)       if (&User-Name)  {

(4)         if (&User-Name =~ / /) {

(4)         if (&User-Name =~ / /)  -> FALSE

(4)         if (&User-Name =~ /@[^@]*@/ ) {

(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(4)         if (&User-Name =~ /\.\./ ) {

(4)         if (&User-Name =~ /\.\./ )  -> FALSE

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(4)         if (&User-Name =~ /\.$/)  {

(4)         if (&User-Name =~ /\.$/)   -> FALSE

(4)         if (&User-Name =~ /@\./)  {

(4)         if (&User-Name =~ /@\./)   -> FALSE

(4)       } # if (&User-Name)  = notfound

(4)     } # policy filter_username = notfound

(4)     [preprocess] = ok

(4)     [mschap] = noop

(4) suffix: Checking for suffix after "@"

(4) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(4) suffix: No such realm "NULL"

(4)     [suffix] = noop

(4) eap: Peer sent EAP Response (code 2) ID 91 length 6

(4) eap: Continuing tunnel setup

(4)     [eap] = ok

(4)   } # authorize = ok

(4) Found Auth-Type = eap

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   authenticate {

(4) eap: Expiring EAP session with state 0xd5cab529d691ace4

(4) eap: Finished EAP session with state 0xd5cab529d691ace4

(4) eap: Previous EAP request found for state 0xd5cab529d691ace4, released
from the list

(4) eap: Peer sent packet with method EAP PEAP (25)

(4) eap: Calling submodule eap_peap to process data

(4) eap_peap: Continuing EAP-TLS

(4) eap_peap: Peer ACKed our handshake fragment.  handshake is finished

(4) eap_peap: [eaptls verify] = success

(4) eap_peap: [eaptls process] = success

(4) eap_peap: Session established.  Decoding tunneled attributes

(4) eap_peap: PEAP state TUNNEL ESTABLISHED

(4) eap: Sending EAP Request (code 1) ID 92 length 40

(4) eap: EAP session adding &reply:State = 0xd5cab529d196ace4

(4)     [eap] = handled

(4)   } # authenticate = handled

(4) Using Post-Auth-Type Challenge

(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(4)   Challenge { ... } # empty sub-section is ignored

(4) Sent Access-Challenge Id 4 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(4)   EAP-Message =
0x015c00281900170303001d4d99b5c3c5193bcd9137302e88e4ffe708354e681dbf61a648e63395ac

(4)   Message-Authenticator = 0x00000000000000000000000000000000

(4)   State = 0xd5cab529d196ace4f6d40de07aff4d01

(4) Finished request

Waking up in 4.9 seconds.

(5) Received Access-Request Id 5 from 128.180.10.10:37390 to
128.180.1.12:1812 length 175

(5)   User-Name = "x19a19"

(5)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(5)   Framed-MTU = 1400

(5)   NAS-Port-Type = Wireless-802.11

(5)   Service-Type = Framed-User

(5)   Connect-Info = "CONNECT 11Mbps 802.11b"

(5)   NAS-IP-Address = 128.180.10.10

(5)   EAP-Message =
0x025c002a1900170303001f50823d0b0711a0e49fe1c10b3d17b529a59955d132202ac16d913e01a58e73

(5)   State = 0xd5cab529d196ace4f6d40de07aff4d01

(5)   Message-Authenticator = 0x3f6f9dcc52fc81ba4a45772b1c6ffc6b

(5) session-state: No cached attributes

(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(5)   authorize {

(5)     policy filter_username {

(5)       if (&User-Name) {

(5)       if (&User-Name)  -> TRUE

(5)       if (&User-Name)  {

(5)         if (&User-Name =~ / /) {

(5)         if (&User-Name =~ / /)  -> FALSE

(5)         if (&User-Name =~ /@[^@]*@/ ) {

(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)         if (&User-Name =~ /\.\./ ) {

(5)         if (&User-Name =~ /\.\./ )  -> FALSE

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(5)         if (&User-Name =~ /\.$/)  {

(5)         if (&User-Name =~ /\.$/)   -> FALSE

(5)         if (&User-Name =~ /@\./)  {

(5)         if (&User-Name =~ /@\./)   -> FALSE

(5)       } # if (&User-Name)  = notfound

(5)     } # policy filter_username = notfound

(5)     [preprocess] = ok

(5)     [mschap] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)     [suffix] = noop

(5) eap: Peer sent EAP Response (code 2) ID 92 length 42

(5) eap: Continuing tunnel setup

(5)     [eap] = ok

(5)   } # authorize = ok

(5) Found Auth-Type = eap

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   authenticate {

(5) eap: Expiring EAP session with state 0xd5cab529d196ace4

(5) eap: Finished EAP session with state 0xd5cab529d196ace4

(5) eap: Previous EAP request found for state 0xd5cab529d196ace4, released
from the list

(5) eap: Peer sent packet with method EAP PEAP (25)

(5) eap: Calling submodule eap_peap to process data

(5) eap_peap: Continuing EAP-TLS

(5) eap_peap: [eaptls verify] = ok

(5) eap_peap: Done initial handshake

(5) eap_peap: [eaptls process] = ok

(5) eap_peap: Session established.  Decoding tunneled attributes

(5) eap_peap: PEAP state WAITING FOR INNER IDENTITY

(5) eap_peap: Identity - x19a19

(5) eap_peap: Got inner identity 'x19a19'

(5) eap_peap: Setting default EAP type for tunneled EAP session

(5) eap_peap: Got tunneled request

(5) eap_peap:   EAP-Message = 0x025c000b01783139613139

(5) eap_peap: Setting User-Name to x19a19

(5) eap_peap: Sending tunneled request to inner-tunnel

(5) eap_peap:   EAP-Message = 0x025c000b01783139613139

(5) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(5) eap_peap:   User-Name = "x19a19"

(5) Virtual server inner-tunnel received request

(5)   EAP-Message = 0x025c000b01783139613139

(5)   FreeRADIUS-Proxied-To = 127.0.0.1

(5)   User-Name = "x19a19"

(5) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(5) server inner-tunnel {

(5)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authorize {

(5)       policy filter_username {

(5)         if (&User-Name) {

(5)         if (&User-Name)  -> TRUE

(5)         if (&User-Name)  {

(5)           if (&User-Name =~ / /) {

(5)           if (&User-Name =~ / /)  -> FALSE

(5)           if (&User-Name =~ /@[^@]*@/ ) {

(5)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(5)           if (&User-Name =~ /\.\./ ) {

(5)           if (&User-Name =~ /\.\./ )  -> FALSE

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(5)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(5)           if (&User-Name =~ /\.$/)  {

(5)           if (&User-Name =~ /\.$/)   -> FALSE

(5)           if (&User-Name =~ /@\./)  {

(5)           if (&User-Name =~ /@\./)   -> FALSE

(5)         } # if (&User-Name)  = notfound

(5)       } # policy filter_username = notfound

(5)       [chap] = noop

(5)       [mschap] = noop

(5) suffix: Checking for suffix after "@"

(5) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(5) suffix: No such realm "NULL"

(5)       [suffix] = noop

(5)       update control {

(5)         &Proxy-To-Realm := LOCAL

(5)       } # update control = noop

(5) eap: Peer sent EAP Response (code 2) ID 92 length 11

(5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(5)       [eap] = ok

(5)     } # authorize = ok

(5)   Found Auth-Type = eap

(5)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(5)     authenticate {

(5) eap: Peer sent packet with method EAP Identity (1)

(5) eap: Calling submodule eap_mschapv2 to process data

(5) eap_mschapv2: Issuing Challenge

(5) eap: Sending EAP Request (code 1) ID 93 length 43

(5) eap: EAP session adding &reply:State = 0x97ebaf3b97b6b5d2

(5)       [eap] = handled

(5)     } # authenticate = handled

(5) } # server inner-tunnel

(5) Virtual server sending reply

(5)   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled reply code 11

(5) eap_peap:   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled reply RADIUS code 11

(5) eap_peap:   EAP-Message =
0x015d002b1a015d0026107c13a4105e1039e486e7f86a4e2d4b9c667265657261646975732d332e302e3137

(5) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(5) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(5) eap_peap: Got tunneled Access-Challenge

(5) eap: Sending EAP Request (code 1) ID 93 length 74

(5) eap: EAP session adding &reply:State = 0xd5cab529d097ace4

(5)     [eap] = handled

(5)   } # authenticate = handled

(5) Using Post-Auth-Type Challenge

(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(5)   Challenge { ... } # empty sub-section is ignored

(5) Sent Access-Challenge Id 5 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(5)   EAP-Message =
0x015d004a1900170303003f4d99b5c3c5193bced34dea26eb084492b33e0c0a8590d44411cccab329b81d25a3bb5c6eb0b98906ef940b0afff59de07f275f1743963056a5e713fdb5f1ae

(5)   Message-Authenticator = 0x00000000000000000000000000000000

(5)   State = 0xd5cab529d097ace4f6d40de07aff4d01

(5) Finished request

Waking up in 4.9 seconds.

(6) Received Access-Request Id 6 from 128.180.10.10:37390 to
128.180.1.12:1812 length 229

(6)   User-Name = "x19a19"

(6)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(6)   Framed-MTU = 1400

(6)   NAS-Port-Type = Wireless-802.11

(6)   Service-Type = Framed-User

(6)   Connect-Info = "CONNECT 11Mbps 802.11b"

(6)   NAS-IP-Address = 128.180.10.10

(6)   EAP-Message =
0x025d00601900170303005550823d0b0711a0e5c1ab4673218f7703e98d7ae9be258bb253344c2b53be68a837fd1f45e10d7a14397b7f051e20d1c55158b3638b42b8acfb55492ce8a90ba4f38da594d8dd9148ed0e509eee492ac6e9ab270a94

(6)   State = 0xd5cab529d097ace4f6d40de07aff4d01

(6)   Message-Authenticator = 0xcd8033c23d61a2240a845706bbc692e2

(6) session-state: No cached attributes

(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(6)   authorize {

(6)     policy filter_username {

(6)       if (&User-Name) {

(6)       if (&User-Name)  -> TRUE

(6)       if (&User-Name)  {

(6)         if (&User-Name =~ / /) {

(6)         if (&User-Name =~ / /)  -> FALSE

(6)         if (&User-Name =~ /@[^@]*@/ ) {

(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)         if (&User-Name =~ /\.\./ ) {

(6)         if (&User-Name =~ /\.\./ )  -> FALSE

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(6)         if (&User-Name =~ /\.$/)  {

(6)         if (&User-Name =~ /\.$/)   -> FALSE

(6)         if (&User-Name =~ /@\./)  {

(6)         if (&User-Name =~ /@\./)   -> FALSE

(6)       } # if (&User-Name)  = notfound

(6)     } # policy filter_username = notfound

(6)     [preprocess] = ok

(6)     [mschap] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)     [suffix] = noop

(6) eap: Peer sent EAP Response (code 2) ID 93 length 96

(6) eap: Continuing tunnel setup

(6)     [eap] = ok

(6)   } # authorize = ok

(6) Found Auth-Type = eap

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   authenticate {

(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Finished EAP session with state 0xd5cab529d097ace4

(6) eap: Previous EAP request found for state 0xd5cab529d097ace4, released
from the list

(6) eap: Peer sent packet with method EAP PEAP (25)

(6) eap: Calling submodule eap_peap to process data

(6) eap_peap: Continuing EAP-TLS

(6) eap_peap: [eaptls verify] = ok

(6) eap_peap: Done initial handshake

(6) eap_peap: [eaptls process] = ok

(6) eap_peap: Session established.  Decoding tunneled attributes

(6) eap_peap: PEAP state phase2

(6) eap_peap: EAP method MSCHAPv2 (26)

(6) eap_peap: Got tunneled request

(6) eap_peap:   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6) eap_peap: Setting User-Name to x19a19

(6) eap_peap: Sending tunneled request to inner-tunnel

(6) eap_peap:   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(6) eap_peap:   User-Name = "x19a19"

(6) eap_peap:   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(6) Virtual server inner-tunnel received request

(6)   EAP-Message =
0x025d00411a025d003c31e0ecf5de1b0eaa47a2fae06c0ea80a06000000000000000061407f8eb8e26fb9e634cbed4006b3f6280b910bfaaf75c600783139613139

(6)   FreeRADIUS-Proxied-To = 127.0.0.1

(6)   User-Name = "x19a19"

(6)   State = 0x97ebaf3b97b6b5d21f4ac90eaae0ae9c

(6) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(6) server inner-tunnel {

(6)   session-state: No cached attributes

(6)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authorize {

(6)       policy filter_username {

(6)         if (&User-Name) {

(6)         if (&User-Name)  -> TRUE

(6)         if (&User-Name)  {

(6)           if (&User-Name =~ / /) {

(6)           if (&User-Name =~ / /)  -> FALSE

(6)           if (&User-Name =~ /@[^@]*@/ ) {

(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(6)           if (&User-Name =~ /\.\./ ) {

(6)           if (&User-Name =~ /\.\./ )  -> FALSE

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(6)           if (&User-Name =~ /\.$/)  {

(6)           if (&User-Name =~ /\.$/)   -> FALSE

(6)           if (&User-Name =~ /@\./)  {

(6)           if (&User-Name =~ /@\./)   -> FALSE

(6)         } # if (&User-Name)  = notfound

(6)       } # policy filter_username = notfound

(6)       [chap] = noop

(6)       [mschap] = noop

(6) suffix: Checking for suffix after "@"

(6) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(6) suffix: No such realm "NULL"

(6)       [suffix] = noop

(6)       update control {

(6)         &Proxy-To-Realm := LOCAL

(6)       } # update control = noop

(6) eap: Peer sent EAP Response (code 2) ID 93 length 65

(6) eap: No EAP Start, assuming it's an on-going EAP conversation

(6)       [eap] = updated

(6)       [files] = noop

(6)       [expiration] = noop

(6)       [logintime] = noop

(6)       [pap] = noop

(6)     } # authorize = updated

(6)   Found Auth-Type = eap

(6)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6)     authenticate {

(6) eap: Expiring EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Finished EAP session with state 0x97ebaf3b97b6b5d2

(6) eap: Previous EAP request found for state 0x97ebaf3b97b6b5d2, released
from the list

(6) eap: Peer sent packet with method EAP MSCHAPv2 (26)

(6) eap: Calling submodule eap_mschapv2 to process data

(6) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(6) eap_mschapv2:   authenticate {

(6) mschap: Creating challenge hash with username: x19a19

(6) mschap: Client is using MS-CHAPv2

(6) mschap: EXPAND %{mschap:User-Name}

(6) mschap:    --> x19a19

rlm_mschap (mschap): Reserved connection (0)

(6) mschap: sending authentication request user='x19a19' domain='AD'

rlm_mschap (mschap): Released connection (0)

Need 5 more connections to reach 10 spares

rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending
slots used

(6) mschap: Authenticated successfully

(6) mschap: Adding MS-CHAPv2 MPPE keys

(6)     [mschap] = ok

(6)   } # authenticate = ok

(6) MSCHAP Success

(6) eap: Sending EAP Request (code 1) ID 94 length 51

(6) eap: EAP session adding &reply:State = 0x97ebaf3b96b5b5d2

(6)       [eap] = handled

(6)     } # authenticate = handled

(6) } # server inner-tunnel

(6) Virtual server sending reply

(6)   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled reply code 11

(6) eap_peap:   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled reply RADIUS code 11

(6) eap_peap:   EAP-Message =
0x015e00331a035d002e533d32364236443532434631443937453031424333314332343541464438364431304133363037454234

(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(6) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(6) eap_peap: Got tunneled Access-Challenge

(6) eap: Sending EAP Request (code 1) ID 94 length 82

(6) eap: EAP session adding &reply:State = 0xd5cab529d394ace4

(6)     [eap] = handled

(6)   } # authenticate = handled

(6) Using Post-Auth-Type Challenge

(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(6)   Challenge { ... } # empty sub-section is ignored

(6) Sent Access-Challenge Id 6 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(6)   EAP-Message =
0x015e0052190017030300474d99b5c3c5193bcfed6bc205bbb3e97baa83ae82f585e2f28775992d1da91a9e8cba0c1a820eee27064fc71137c771a15c648a1dc5e69d794a37d671a294003a83ce621e4c9ca8

(6)   Message-Authenticator = 0x00000000000000000000000000000000

(6)   State = 0xd5cab529d394ace4f6d40de07aff4d01

(6) Finished request

Waking up in 4.9 seconds.

(7) Received Access-Request Id 7 from 128.180.10.10:37390 to
128.180.1.12:1812 length 170

(7)   User-Name = "x19a19"

(7)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(7)   Framed-MTU = 1400

(7)   NAS-Port-Type = Wireless-802.11

(7)   Service-Type = Framed-User

(7)   Connect-Info = "CONNECT 11Mbps 802.11b"

(7)   NAS-IP-Address = 128.180.10.10

(7)   EAP-Message =
0x025e00251900170303001a50823d0b0711a0e6d862f400ba40e4e3346eb03ba1666f089bdb

(7)   State = 0xd5cab529d394ace4f6d40de07aff4d01

(7)   Message-Authenticator = 0x2187a05fc656d964f49bac68b0d01e1f

(7) session-state: No cached attributes

(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(7)   authorize {

(7)     policy filter_username {

(7)       if (&User-Name) {

(7)       if (&User-Name)  -> TRUE

(7)       if (&User-Name)  {

(7)         if (&User-Name =~ / /) {

(7)         if (&User-Name =~ / /)  -> FALSE

(7)         if (&User-Name =~ /@[^@]*@/ ) {

(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)         if (&User-Name =~ /\.\./ ) {

(7)         if (&User-Name =~ /\.\./ )  -> FALSE

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(7)         if (&User-Name =~ /\.$/)  {

(7)         if (&User-Name =~ /\.$/)   -> FALSE

(7)         if (&User-Name =~ /@\./)  {

(7)         if (&User-Name =~ /@\./)   -> FALSE

(7)       } # if (&User-Name)  = notfound

(7)     } # policy filter_username = notfound

(7)     [preprocess] = ok

(7)     [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)     [suffix] = noop

(7) eap: Peer sent EAP Response (code 2) ID 94 length 37

(7) eap: Continuing tunnel setup

(7)     [eap] = ok

(7)   } # authorize = ok

(7) Found Auth-Type = eap

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   authenticate {

(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Finished EAP session with state 0xd5cab529d394ace4

(7) eap: Previous EAP request found for state 0xd5cab529d394ace4, released
from the list

(7) eap: Peer sent packet with method EAP PEAP (25)

(7) eap: Calling submodule eap_peap to process data

(7) eap_peap: Continuing EAP-TLS

(7) eap_peap: [eaptls verify] = ok

(7) eap_peap: Done initial handshake

(7) eap_peap: [eaptls process] = ok

(7) eap_peap: Session established.  Decoding tunneled attributes

(7) eap_peap: PEAP state phase2

(7) eap_peap: EAP method MSCHAPv2 (26)

(7) eap_peap: Got tunneled request

(7) eap_peap:   EAP-Message = 0x025e00061a03

(7) eap_peap: Setting User-Name to x19a19

(7) eap_peap: Sending tunneled request to inner-tunnel

(7) eap_peap:   EAP-Message = 0x025e00061a03

(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap:   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(7) Virtual server inner-tunnel received request

(7)   EAP-Message = 0x025e00061a03

(7)   FreeRADIUS-Proxied-To = 127.0.0.1

(7)   User-Name = "x19a19"

(7)   State = 0x97ebaf3b96b5b5d21f4ac90eaae0ae9c

(7) WARNING: Outer and inner identities are the same.  User privacy is
compromised.

(7) server inner-tunnel {

(7)   session-state: No cached attributes

(7)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authorize {

(7)       policy filter_username {

(7)         if (&User-Name) {

(7)         if (&User-Name)  -> TRUE

(7)         if (&User-Name)  {

(7)           if (&User-Name =~ / /) {

(7)           if (&User-Name =~ / /)  -> FALSE

(7)           if (&User-Name =~ /@[^@]*@/ ) {

(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(7)           if (&User-Name =~ /\.\./ ) {

(7)           if (&User-Name =~ /\.\./ )  -> FALSE

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE

(7)           if (&User-Name =~ /\.$/)  {

(7)           if (&User-Name =~ /\.$/)   -> FALSE

(7)           if (&User-Name =~ /@\./)  {

(7)           if (&User-Name =~ /@\./)   -> FALSE

(7)         } # if (&User-Name)  = notfound

(7)       } # policy filter_username = notfound

(7)       [chap] = noop

(7)       [mschap] = noop

(7) suffix: Checking for suffix after "@"

(7) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(7) suffix: No such realm "NULL"

(7)       [suffix] = noop

(7)       update control {

(7)         &Proxy-To-Realm := LOCAL

(7)       } # update control = noop

(7) eap: Peer sent EAP Response (code 2) ID 94 length 6

(7) eap: No EAP Start, assuming it's an on-going EAP conversation

(7)       [eap] = updated

(7)       [files] = noop

(7)       [expiration] = noop

(7)       [logintime] = noop

(7)       [pap] = noop

(7)     } # authorize = updated

(7)   Found Auth-Type = eap

(7)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     authenticate {

(7) eap: Expiring EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Finished EAP session with state 0x97ebaf3b96b5b5d2

(7) eap: Previous EAP request found for state 0x97ebaf3b96b5b5d2, released
from the list

(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)

(7) eap: Calling submodule eap_mschapv2 to process data

(7) eap: Sending EAP Success (code 3) ID 94 length 4

(7) eap: Freeing handler

(7)       [eap] = ok

(7)     } # authenticate = ok

(7)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel

(7)     post-auth {

(7)       if (0) {

(7)       if (0)  -> FALSE

(7)     } # post-auth = noop

(7)   Login OK: [x19a19] (from client newguy port 0 via TLS tunnel)

(7) } # server inner-tunnel

(7) Virtual server sending reply

(7)   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7)   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7)   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7)   EAP-Message = 0x035e0004

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   User-Name = "x19a19"

(7) eap_peap: Got tunneled reply code 2

(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7) eap_peap:   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7) eap_peap:   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7) eap_peap:   EAP-Message = 0x035e0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap: Got tunneled reply RADIUS code 2

(7) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed

(7) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed

(7) eap_peap:   MS-MPPE-Send-Key = 0x3dbd0e514b1011ad90ebe00e330e8c11

(7) eap_peap:   MS-MPPE-Recv-Key = 0xd49ea8ea1406bcc4b9177cfd006a0a4d

(7) eap_peap:   EAP-Message = 0x035e0004

(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000

(7) eap_peap:   User-Name = "x19a19"

(7) eap_peap: Tunneled authentication was successful

(7) eap_peap: SUCCESS

(7) eap_peap: Saving tunneled attributes for later

(7) eap: Sending EAP Request (code 1) ID 95 length 46

(7) eap: EAP session adding &reply:State = 0xd5cab529d295ace4

(7)     [eap] = handled

(7)   } # authenticate = handled

(7) Using Post-Auth-Type Challenge

(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(7)   Challenge { ... } # empty sub-section is ignored

(7) Sent Access-Challenge Id 7 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(7)   EAP-Message =
0x015f002e190017030300234d99b5c3c5193bd0e3e0b11c153c0a53c5faf2042fe8196c9af5cb39839e67021928c9

(7)   Message-Authenticator = 0x00000000000000000000000000000000

(7)   State = 0xd5cab529d295ace4f6d40de07aff4d01

(7) Finished request

Waking up in 4.9 seconds.

(8) Received Access-Request Id 8 from 128.180.10.10:37390 to
128.180.1.12:1812 length 179

(8)   User-Name = "x19a19"

(8)   Calling-Station-Id = "00-0A-CD-31-6C-B4"

(8)   Framed-MTU = 1400

(8)   NAS-Port-Type = Wireless-802.11

(8)   Service-Type = Framed-User

(8)   Connect-Info = "CONNECT 11Mbps 802.11b"

(8)   NAS-IP-Address = 128.180.10.10

(8)   EAP-Message =
0x025f002e1900170303002350823d0b0711a0e7d347b3a8a91250f7493bf70002a55422ab652f6755c4548e415fe6

(8)   State = 0xd5cab529d295ace4f6d40de07aff4d01

(8)   Message-Authenticator = 0x1a6e7c8c91c24cf2f319ba78834bf0a3

(8) session-state: No cached attributes

(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default

(8)   authorize {

(8)     policy filter_username {

(8)       if (&User-Name) {

(8)       if (&User-Name)  -> TRUE

(8)       if (&User-Name)  {

(8)         if (&User-Name =~ / /) {

(8)         if (&User-Name =~ / /)  -> FALSE

(8)         if (&User-Name =~ /@[^@]*@/ ) {

(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(8)         if (&User-Name =~ /\.\./ ) {

(8)         if (&User-Name =~ /\.\./ )  -> FALSE

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(8)         if (&User-Name =~ /\.$/)  {

(8)         if (&User-Name =~ /\.$/)   -> FALSE

(8)         if (&User-Name =~ /@\./)  {

(8)         if (&User-Name =~ /@\./)   -> FALSE

(8)       } # if (&User-Name)  = notfound

(8)     } # policy filter_username = notfound

(8)     [preprocess] = ok

(8)     [mschap] = noop

(8) suffix: Checking for suffix after "@"

(8) suffix: No '@' in User-Name = "x19a19", looking up realm NULL

(8) suffix: No such realm "NULL"

(8)     [suffix] = noop

(8) eap: Peer sent EAP Response (code 2) ID 95 length 46

(8) eap: Continuing tunnel setup

(8)     [eap] = ok

(8)   } # authorize = ok

(8) Found Auth-Type = eap

(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(8)   authenticate {

(8) eap: Expiring EAP session with state 0xd5cab529d295ace4

(8) eap: Finished EAP session with state 0xd5cab529d295ace4

(8) eap: Previous EAP request found for state 0xd5cab529d295ace4, released
from the list

(8) eap: Peer sent packet with method EAP PEAP (25)

(8) eap: Calling submodule eap_peap to process data

(8) eap_peap: Continuing EAP-TLS

(8) eap_peap: [eaptls verify] = ok

(8) eap_peap: Done initial handshake

(8) eap_peap: [eaptls process] = ok

(8) eap_peap: Session established.  Decoding tunneled attributes

(8) eap_peap: PEAP state send tlv success

(8) eap_peap: Received EAP-TLV response

(8) eap_peap: Success

(8) eap_peap: Using saved attributes from the original Access-Accept

(8) eap_peap:   User-Name = "x19a19"

(8) eap: Sending EAP Success (code 3) ID 95 length 4

(8) eap: Freeing handler

(8)     [eap] = ok

(8)   } # authenticate = ok

(8) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default

(8)   post-auth {

(8)     update {

(8)       No attributes updated

(8)     } # update = noop

(8)     [exec] = noop

(8)     policy remove_reply_message_if_eap {

(8)       if (&reply:EAP-Message && &reply:Reply-Message) {

(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(8)       else {

(8)         [noop] = noop

(8)       } # else = noop

(8)     } # policy remove_reply_message_if_eap = noop

(8)   } # post-auth = noop

(8) Login OK: [x19a19] (from client newguy port 0 cli 00-0A-CD-31-6C-B4)

(8) Sent Access-Accept Id 8 from 128.180.1.12:1812 to 128.180.10.10:37390
length 0

(8)   User-Name = "x19a19"

(8)   MS-MPPE-Recv-Key =
0xed9fcdc627d86a2652543851d8f6e2cc7aca7e941eaaac46904ea2d5cae72824

(8)   MS-MPPE-Send-Key =
0x8d5faa43ee07dc194f806593f94351a2c29933f4944df7044a49b984e13e65a3

(8)   EAP-Message = 0x035f0004

(8)   Message-Authenticator = 0x00000000000000000000000000000000

(8) Finished request

Waking up in 4.9 seconds.

(0) Cleaning up request packet ID 0 with timestamp +3

(1) Cleaning up request packet ID 1 with timestamp +3

(2) Cleaning up request packet ID 2 with timestamp +3

(3) Cleaning up request packet ID 3 with timestamp +3

(4) Cleaning up request packet ID 4 with timestamp +3

(5) Cleaning up request packet ID 5 with timestamp +3

(6) Cleaning up request packet ID 6 with timestamp +3

(7) Cleaning up request packet ID 7 with timestamp +3

(8) Cleaning up request packet ID 8 with timestamp +3

Ready to process requests


--
Munroe Sollog
Senior Network Engineer
[hidden email]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
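
The debug output above is what a defender reads to confirm what a PEAP conversation actually did, and one line in it deserves more attention than the cache question: at request (7) the server logs "WARNING: Outer and inner identities are the same.  User privacy is compromised.", meaning the supplicant sends its real username in the clear outer EAP identity rather than an anonymous one. The script below is an added example (not part of the thread, and not FreeRADIUS code) that groups `radiusd -X` lines by request number and records, per request, the user, the NAS, the EAP methods seen, the final packet type sent and any WARNING lines, so that a privacy warning is surfaced instead of buried in a few thousand lines of debug. Its sample input is constructed in the shape of the posted log (lines that the list archive wrapped are joined back together); the function and variable names are this example's own.

```python
"""Per-request triage of FreeRADIUS ``radiusd -X`` debug output.

Added example, not code from the thread or from FreeRADIUS. The sample log
below is constructed in the shape of the posted output (lines that the list
archive wrapped are joined back together).
"""
import re
import sys
from collections import OrderedDict

# Constructed sample: request (7) carries the privacy warning and ends in a
# challenge, request (8) completes the PEAP conversation and is accepted.
SAMPLE_LOG = """\
(7) Received Access-Request Id 7 from 128.180.10.10:37390 to 128.180.1.12:1812 length 170
(7)   User-Name = "x19a19"
(7)   Calling-Station-Id = "00-0A-CD-31-6C-B4"
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(7) Sent Access-Challenge Id 7 from 128.180.1.12:1812 to 128.180.10.10:37390 length 0
Waking up in 4.9 seconds.
(8) Received Access-Request Id 8 from 128.180.10.10:37390 to 128.180.1.12:1812 length 179
(8)   User-Name = "x19a19"
(8)   Calling-Station-Id = "00-0A-CD-31-6C-B4"
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) Login OK: [x19a19] (from client newguy port 0 cli 00-0A-CD-31-6C-B4)
(8) Sent Access-Accept Id 8 from 128.180.1.12:1812 to 128.180.10.10:37390 length 0
"""

LINE_RE = re.compile(r"^\((\d+)\)\s*(.*)$")            # "(7) ..." request-numbered lines
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")       # "User-Name = "x19a19""
METHOD_RE = re.compile(r"Peer sent packet with method EAP (\S+) \((\d+)\)")
RECV_RE = re.compile(r"^Received Access-Request Id \d+ from (\S+) to (\S+)")
SENT_RE = re.compile(r"^Sent (Access-\w+) Id \d+ from (\S+) to (\S+)")


def summarise(log_text):
    """Return {request_number: summary dict}, in order of first appearance."""
    requests = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "Waking up in ..." and other lines without a request number
        num, body = int(m.group(1)), m.group(2)
        req = requests.setdefault(num, {
            "user": None, "calling_station": None, "nas": None,
            "methods": [], "warnings": [], "result": None, "login_ok": False,
        })
        a = ATTR_RE.match(body)
        if a:
            name, value = a.groups()
            if name == "User-Name" and req["user"] is None:
                req["user"] = value.strip('"')        # first (outer) identity seen
            elif name == "Calling-Station-Id" and req["calling_station"] is None:
                req["calling_station"] = value.strip('"')
            continue
        r = RECV_RE.match(body)
        if r:
            req["nas"] = r.group(1)
            continue
        mm = METHOD_RE.search(body)
        if mm:
            method = f"{mm.group(1)} ({mm.group(2)})"
            if method not in req["methods"]:
                req["methods"].append(method)
            continue
        if body.startswith("WARNING:"):
            req["warnings"].append(body[len("WARNING:"):].strip())
            continue
        if body.startswith("Login OK:"):
            req["login_ok"] = True
            continue
        s = SENT_RE.match(body)
        if s:
            req["result"] = s.group(1)               # Access-Challenge / Access-Accept / ...
    return requests


def privacy_findings(requests):
    """Request numbers whose outer EAP identity equals the tunneled inner one."""
    return [n for n, r in requests.items()
            if any("Outer and inner identities" in w for w in r["warnings"])]


if __name__ == "__main__":
    # Usage: python3 triage.py [radiusd-debug.log]; without an argument the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    summary = summarise(text)
    for n, r in summary.items():
        print(f"({n}) user={r['user']} nas={r['nas']} methods={r['methods']} "
              f"result={r['result']} login_ok={r['login_ok']} warnings={r['warnings']}")
    print("privacy warning in requests:", privacy_findings(summary))
```

Run it against a saved `radiusd -X` capture and look at the last line: a non-empty list means clients on that SSID are revealing their real identity in the unencrypted outer EAP exchange, which is a supplicant-side configuration issue (anonymous outer identity) rather than a server bug.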

Re: tlscache

Alan DeKok-2
On Aug 29, 2019, at 1:01 PM, Munroe Sollog <[hidden email]> wrote:

>
> I'm trying to enable tls caching on my radius server.  the radius -X output
> is included below.  I'm also including some additional information for
> reference.  Looking at the debug output I see where the cache config is
> loaded and it looks right to me.  I don't see any errors around it.
>
> I'm expecting to see a file in the tlscache folder after a successful auth,
> however the folder remains empty.
>
> # freeradius -v
>
> radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
> Apr 22 2019 at 21:23:36
>
> FreeRADIUS Version 3.0.17

  My $0.02 is to grab the v3.0.x branch from GitHub:

https://github.com/FreeRADIUS/freeradius-server/

  I know that the TLS cache worked at one point.  But when I tried using it recently, I found issues.  After some poking, the easiest thing to do was to update the code, docs, and examples.

  See the "cache" section of mods-available/eap in the file that's in GitHub

  Alan DeKok.



Re: tlscache

Sven Hartge-5
In reply to this post by Munroe Sollog
On 29.08.19 19:01, Munroe Sollog wrote:

> # freeradius -v
>
> radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built on
> Apr 22 2019 at 21:23:36
>
> FreeRADIUS Version 3.0.17
>

Is this a packaged version from Debian or Ubuntu or a self-compiled one?

If the first, then the tlscache code has been completely disabled at the
source level and will not work at all.

The latest 3.0.19 in Debian Unstable resolves this problem.

Regards,
Sven.



Re: tlscache

Munroe Sollog
Ah, looking ~150 lines down in the changelog.Debian.gz I see a note about
it being disabled in 3.0.12.  Maybe the patch Debian added could have also
added some diagnostic output when someone tries to enable it, perhaps
preventing a few days of wasted time.

On Fri, Aug 30, 2019 at 12:14 PM Sven Hartge <[hidden email]> wrote:

> On 29.08.19 19:01, Munroe Sollog wrote:
>
> > # freeradius -v
> >
> > radiusd: FreeRADIUS Version 3.0.17, for host x86_64-pc-linux-gnu, built
> on
> > Apr 22 2019 at 21:23:36
> >
> > FreeRADIUS Version 3.0.17
> >
>
> Is this a packaged version from Debian or Ubuntu or a self-compiled one?
>
> If the first, then the tlscache code has been completely disabled at the
> source level and will not work at all.
>
> The latest 3.0.19 in Debian Unstable resolves this problem.
>
> Regards,
> Sven.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



--
Munroe Sollog
Senior Network Engineer
[hidden email]

Re: tlscache

Martin Pauly
On 30.08.19 at 19:02, Munroe Sollog wrote:
> Ah, looking ~150 lines down in the changelog.Debian.gz I see a note about
> it being disabled in 3.0.12.  Maybe the patch Debian added could have also
> added some diagnostic output when someone tries to enable it, perhaps
> preventing a few days of wasted time.

That was the Debian way to deal with the auth bypass issue that had popped up
with tls_cache in 3.0.14 (AFAIR): They try to backport delta patches to
_whatever_ version Debian stable is shipping at the time (here: 3.0.12).
AFAIK, Ubuntu in turn draws on the Debian packages, but tries to provide
newer versions, i.e. 3.0.17 here. Looks newer, but seemingly has inherited
Debian's "fix". So you end up with a pseudo-3.0.17 that has tls_cache
disabled the hard way while upstream things had been fixed very quickly in
FR 3.0.15.

One could get the impression that certain FR developers don't like this too much, cf.
a similar discussion about openssl issues:
http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088774.html
http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088784.html

Watching this pseudo-3.0.17 thing really makes me think Alan&Alan are plain right.
While using Debian/Ubuntu as a base might save you some hassles, there are
serious limits to their approach. To run a productive FR server, either compile
yourself or get .debs from https://networkradius.com/freeradius-packages/

Cheers, Martin

--
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: [hidden email]
   D-35032 Marburg



Re: tlscache

Alan DeKok-2
On Sep 3, 2019, at 4:23 AM, Martin Pauly <[hidden email]> wrote:
> That was the Debian way to deal with the auth bypass issue that had popped up
> with tls_cache in 3.0.14 (AFAIR): They try to backport delta patches to
> _whatever_ version Debian stable is shipping at the time (here: 3.0.12).

  i.e. backport patches which they think are important.

  We patch those, plus things *we* think are important.  Like bug fixes.  Which is why we release new versions.

> AFAIK, Ubuntu in turn draws on the Debian packages, but tries to provide
> newer versions, i.e. 3.0.17 here. Looks newer, but seemingly has inherited
> Debian's "fix". So you end up with a pseudo-3.0.17 that has tls_cache
> disabled the hard way while upstream things had been fixed very quickly in
> FR 3.0.15.

  If only these people could use "email" to ask us for help.  Typically they don't.

> One could get the impression that certain FR developers don't like this too much cf.
> a similar discussion about openssl issues:
> http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088774.html
> http://lists.freeradius.org/pipermail/freeradius-users/2017-September/088784.html

  I understand that OS distributions hate upgrading.  But the result is a hatred for their end users.  They ship packages which are years out of date, and expect *us* to support them.

  My favourite is the RedHat customers who complain about bugs in 5 year-old versions of the server.  When they're told to use the Network RADIUS packages, they say "Oh we can't upgrade, we're buying support from RedHat!"

  Well, then either tell RedHat to stop being idiots and *support* you by fixing the bugs, OR stop paying RedHat for services which they're not providing.

  Those choices confuse people.

> Watching this pseudo-3.0.17 thing really makes me think Alan&Alan are plain right.

  That makes me happy.  :)

> While using Debian/Ubuntu as a base might save you some hassles, there are
> serious limits to their approach. To run a productive FR server, either compile
> yourself or get .debs from https://networkradius.com/freeradius-packages/

  That's why we provide the packages.  We want to have people use the latest releases, so those packages are available for free.  And unlike RedHat, we don't charge you money for providing 5 year-old software.

  Alan DeKok.



RE: tlscache

Users mailing list
Hi,

> > While using Debian/Ubuntu as a base might save you some
> hassles, there are
> > serious limits to their approach. To run a productive FR
> server, either compile
> > yourself or get .debs from
> https://networkradius.com/freeradius-packages/
>
>   That's why we provide the packages.  We want to have people
> use the latest releases, so those packages are available for
> free.  And unlike RedHat, we don't charge you money for
> providing 5 year-old software.
>
>   Alan DeKok.
>

Now I can only speak for Debian.
From the above link, there are no sources available; I would like to have a look at the Debian source of that.
I might learn something from it; any reason for not sharing the sources?

Also, as of about now, we also have: http://fasttrack.debian.net/
A new repo for fast-moving packages.


Greetz,

Louis





Re: tlscache

Alan DeKok-2
On Sep 3, 2019, at 8:33 AM, L.P.H. van Belle via Freeradius-Users <[hidden email]> wrote:

> Now I can only speak for Debian.
> From the above link, there are no sources available; I would like to have a look at the Debian source of that.

  See the "debian" directory of the server distribution.

> I might learn something from it; any reason for not sharing the sources?

  Everything is shared and is publicly available.  The corporate packages are built using docker images, using the docker scripts in "scripts/docker".

  We don't distribute *source* packages simply because we haven't bothered.  If someone submits patches to create debian "src" packages, then those can go into the main server distribution.

> Also, as of about now, we also have: http://fasttrack.debian.net/
> A new repo for fast-moving packages.

  That's good.

  Alan DeKok.



RE: tlscache

Users mailing list
Hi,

> -----Original message-----
> From: Alan DeKok [mailto:[hidden email]]
> Sent: Tuesday, 3 September 2019 14:40
> To: FreeRadius users mailing list
> CC: L.P.H. van Belle
> Subject: Re: tlscache
>
> On Sep 3, 2019, at 8:33 AM, L.P.H. van Belle via
> Freeradius-Users <[hidden email]> wrote:
>
> > Now I can only speak for Debian.
> > From the above link, there are no sources available; I would
> like to have a look at the Debian source of that.
>
>   See the "debian" directory of the server distribution.

Since I'm also packaging Samba, I do know this, yes.

>
> > I might learn something from it, any reason for not sharing
> the sources?
>
>   Everything is shared and is publicly available.  The
> corporate packages are built using docker images, using the
> docker scripts in "scripts/docker".
>
>   We don't distribute *source* packages simply because we
> haven't bothered.  If someone submits patches to create
> debian "src" packages, then those can go into the main server
> distribution.

OK, I did some extra research and noticed in the Debian changelogs the line:
freeradius (3.0.19+dfsg-1) unstable; urgency=medium

 Removed:
     - disable-session-cache-CVE-2017-9148.patch

I already tested a rebuild from testing to buster; that works fine, and is an easy rebuild.

Thanks again for the info.


Greetz,

Louis
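
Sven's and Louis's replies point to the Debian changelog as the place where the disabled TLS session cache shows up: the packaging carried disable-session-cache-CVE-2017-9148.patch until the 3.0.19+dfsg-1 entry lists it under "Removed:". The script below is an added example (not part of the thread, of FreeRADIUS or of the Debian packaging) that walks the package changelog newest entry first and reports whether that patch is currently applied or has been removed, which is the check a defender wants before spending days on an empty tlscache directory. Only the 3.0.19+dfsg-1 "Removed:" lines are quoted from the thread; the other entries in the embedded sample, the "+dfsg-5" revision and the maintainer line are constructed, the default path /usr/share/doc/freeradius/changelog.Debian.gz assumes the package is named freeradius, and treating any mention of the patch outside a "Removed:" block as "applied" is a heuristic this example assumes.

```python
"""Report whether a Debian/Ubuntu FreeRADIUS package still carries the patch
that disables the TLS session cache.

Added example, not code from the thread, from FreeRADIUS or from the Debian
packaging. Walks the package changelog newest entry first; the first entry
that names the patch decides its state. Treating any mention outside a
"Removed:" block as "applied" is a heuristic this example assumes.
"""
import gzip
import re
import sys

# Patch name exactly as quoted in the thread's changelog excerpt.
PATCH = "disable-session-cache-CVE-2017-9148.patch"
# Usual Debian location of the package changelog (assumes the package is named "freeradius").
DEFAULT_CHANGELOG = "/usr/share/doc/freeradius/changelog.Debian.gz"

ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+);")       # "pkg (version) dist; urgency=..."
SECTION_RE = re.compile(r"^\s*\*?\s*(Removed|Added):\s*$")   # "Removed:" / "* Added:" headings

# Constructed sample changelog. Only the 3.0.19+dfsg-1 "Removed:" lines are
# quoted from the thread; the other entries, the "+dfsg-5" revision and the
# maintainer line are made up for this example.
SAMPLE_CHANGELOG = """\
freeradius (3.0.19+dfsg-1) unstable; urgency=medium

  * New upstream release.
  Removed:
     - disable-session-cache-CVE-2017-9148.patch

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jul 2019 12:00:00 +0000

freeradius (3.0.17+dfsg-1) unstable; urgency=medium

  * New upstream release (constructed entry).

 -- Example Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2018 12:00:00 +0000

freeradius (3.0.12+dfsg-5) unstable; urgency=high

  * Added:
     - disable-session-cache-CVE-2017-9148.patch (constructed entry)

 -- Example Maintainer <maintainer@example.invalid>  Thu, 01 Jun 2017 12:00:00 +0000
"""


def parse_entries(text):
    """Split a Debian changelog into (version, body_lines) tuples, newest first."""
    entries, version, body = [], None, []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            if version is not None:
                entries.append((version, body))
            version, body = m.group(2), []
        elif version is not None:
            body.append(line)
    if version is not None:
        entries.append((version, body))
    return entries


def session_cache_patch_state(text, patch=PATCH):
    """Return (state, version): state is 'removed', 'applied' or 'unknown'."""
    for version, body in parse_entries(text):
        section = None
        for line in body:
            m = SECTION_RE.match(line)
            if m:
                section = m.group(1)
                continue
            if line.strip() == "":
                section = None          # a blank line ends a Removed:/Added: block
                continue
            if patch in line:
                # Newest mention wins: listed under "Removed:" means the cache is usable again.
                return ("removed" if section == "Removed" else "applied"), version
    return "unknown", None


def load_changelog(path):
    """Read a plain or gzip-compressed changelog file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python3 cachepatch.py [/usr/share/doc/freeradius/changelog.Debian.gz]
    # Without an argument the embedded sample is used, so the script runs offline.
    text = load_changelog(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHANGELOG
    state, version = session_cache_patch_state(text)
    print(f"{PATCH}: {state}" + (f" (since package version {version})" if version else ""))
```

On a host where the result is "applied", no amount of cache configuration in mods-available/eap will populate the tlscache directory; the fix is the newer package (3.0.19+dfsg-1 or later in Debian, per Sven and Louis above), a self-compiled server, or the Network RADIUS packages Martin mentions.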

