success

a guest
May 20th, 2016
589
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 49.21 KB | None | 0 0
  1.  
  2. (461) Received Access-Request Id 230 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
  3. (461) User-Name = "vkratsberg"
  4. (461) NAS-Port = 358
  5. (461) EAP-Message = 0x0200000f01766b7261747362657267
  6. (461) Message-Authenticator = 0x7ab870de8cac56743e39682d189e8467
  7. (461) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  8. (461) NAS-Port-Id = "ge-3/0/6.0"
  9. (461) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  10. (461) Called-Station-Id = "ec-3e-f7-68-35-00"
  11. (461) NAS-IP-Address = 10.8.0.111
  12. (461) NAS-Identifier = "nyc-access-sw011"
  13. (461) NAS-Port-Type = Ethernet
  14. (461) # Executing section authorize from file /etc/raddb/sites-enabled/default
  15. (461) authorize {
  16. (461) policy filter_username {
  17. (461) if (&User-Name) {
  18. (461) if (&User-Name) -> TRUE
  19. (461) if (&User-Name) {
  20. (461) if (&User-Name =~ / /) {
  21. (461) if (&User-Name =~ / /) -> FALSE
  22. (461) if (&User-Name =~ /@[^@]*@/ ) {
  23. (461) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  24. (461) if (&User-Name =~ /\.\./ ) {
  25. (461) if (&User-Name =~ /\.\./ ) -> FALSE
  26. (461) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  27. (461) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  28. (461) if (&User-Name =~ /\.$/) {
  29. (461) if (&User-Name =~ /\.$/) -> FALSE
  30. (461) if (&User-Name =~ /@\./) {
  31. (461) if (&User-Name =~ /@\./) -> FALSE
  32. (461) } # if (&User-Name) = notfound
  33. (461) } # policy filter_username = notfound
  34. (461) [preprocess] = ok
  35. (461) [chap] = noop
  36. (461) [mschap] = noop
  37. (461) [digest] = noop
  38. (461) suffix: Checking for suffix after "@"
  39. (461) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  40. (461) suffix: No such realm "NULL"
  41. (461) [suffix] = noop
  42. (461) eap: Peer sent EAP Response (code 2) ID 0 length 15
  43. (461) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  44. (461) [eap] = ok
  45. (461) } # authorize = ok
  46. (461) Found Auth-Type = eap
  47. (461) # Executing group from file /etc/raddb/sites-enabled/default
  48. (461) authenticate {
  49. (461) eap: Peer sent packet with method EAP Identity (1)
  50. (461) eap: Calling submodule eap_peap to process data
  51. (461) eap_peap: Initiating new EAP-TLS session
  52. (461) eap_peap: [eaptls start] = request
  53. (461) eap: Sending EAP Request (code 1) ID 1 length 6
  54. (461) eap: EAP session adding &reply:State = 0xfece9bc1fecf8204
  55. (461) [eap] = handled
  56. (461) } # authenticate = handled
  57. (461) Using Post-Auth-Type Challenge
  58. (461) Post-Auth-Type sub-section not found. Ignoring.
  59. (461) # Executing group from file /etc/raddb/sites-enabled/default
  60. (461) Sent Access-Challenge Id 230 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  61. (461) EAP-Message = 0x010100061920
  62. (461) Message-Authenticator = 0x00000000000000000000000000000000
  63. (461) State = 0xfece9bc1fecf8204e5f72135a1474252
  64. (461) Finished request
  65. Waking up in 4.9 seconds.
  66. (462) Received Access-Request Id 231 from 10.8.0.111:58432 to 10.8.64.155:1812 length 195
  67. (462) User-Name = "vkratsberg"
  68. (462) NAS-Port = 358
  69. (462) State = 0xfece9bc1fecf8204e5f72135a1474252
  70. (462) EAP-Message = 0x0202000f01766b7261747362657267
  71. (462) Message-Authenticator = 0x987d24687229e5a0df4d03a347269eab
  72. (462) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  73. (462) NAS-Port-Id = "ge-3/0/6.0"
  74. (462) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  75. (462) Called-Station-Id = "ec-3e-f7-68-35-00"
  76. (462) NAS-IP-Address = 10.8.0.111
  77. (462) NAS-Identifier = "nyc-access-sw011"
  78. (462) NAS-Port-Type = Ethernet
  79. (462) session-state: No cached attributes
  80. (462) # Executing section authorize from file /etc/raddb/sites-enabled/default
  81. (462) authorize {
  82. (462) policy filter_username {
  83. (462) if (&User-Name) {
  84. (462) if (&User-Name) -> TRUE
  85. (462) if (&User-Name) {
  86. (462) if (&User-Name =~ / /) {
  87. (462) if (&User-Name =~ / /) -> FALSE
  88. (462) if (&User-Name =~ /@[^@]*@/ ) {
  89. (462) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  90. (462) if (&User-Name =~ /\.\./ ) {
  91. (462) if (&User-Name =~ /\.\./ ) -> FALSE
  92. (462) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  93. (462) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  94. (462) if (&User-Name =~ /\.$/) {
  95. (462) if (&User-Name =~ /\.$/) -> FALSE
  96. (462) if (&User-Name =~ /@\./) {
  97. (462) if (&User-Name =~ /@\./) -> FALSE
  98. (462) } # if (&User-Name) = notfound
  99. (462) } # policy filter_username = notfound
  100. (462) [preprocess] = ok
  101. (462) [chap] = noop
  102. (462) [mschap] = noop
  103. (462) [digest] = noop
  104. (462) suffix: Checking for suffix after "@"
  105. (462) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  106. (462) suffix: No such realm "NULL"
  107. (462) [suffix] = noop
  108. (462) eap: Peer sent EAP Response (code 2) ID 2 length 15
  109. (462) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  110. (462) [eap] = ok
  111. (462) } # authorize = ok
  112. (462) Found Auth-Type = eap
  113. (462) # Executing group from file /etc/raddb/sites-enabled/default
  114. (462) authenticate {
  115. (462) eap: Peer sent packet with method EAP Identity (1)
  116. (462) eap: Calling submodule eap_peap to process data
  117. (462) eap_peap: Initiating new EAP-TLS session
  118. (462) eap_peap: [eaptls start] = request
  119. (462) eap: Sending EAP Request (code 1) ID 3 length 6
  120. (462) eap: EAP session adding &reply:State = 0x4e4e9ffd4e4d8685
  121. (462) [eap] = handled
  122. (462) } # authenticate = handled
  123. (462) Using Post-Auth-Type Challenge
  124. (462) Post-Auth-Type sub-section not found. Ignoring.
  125. (462) # Executing group from file /etc/raddb/sites-enabled/default
  126. (462) Sent Access-Challenge Id 231 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  127. (462) EAP-Message = 0x010300061920
  128. (462) Message-Authenticator = 0x00000000000000000000000000000000
  129. (462) State = 0x4e4e9ffd4e4d8685e2c45c149088adba
  130. (462) Finished request
  131. (463) Received Access-Request Id 232 from 10.8.0.111:58432 to 10.8.64.155:1812 length 311
  132. (463) User-Name = "vkratsberg"
  133. (463) NAS-Port = 358
  134. (463) State = 0x4e4e9ffd4e4d8685e2c45c149088adba
  135. (463) EAP-Message = 0x020300831980000000791603010074010000700301573f5133bbe7a9e4c0a3c440db4c397bb6e9d332e8b94372feb435853f07af0700002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
  136. (463) Message-Authenticator = 0x00f4f2d31a4f7d21e85ee6d3b425d869
  137. (463) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  138. (463) NAS-Port-Id = "ge-3/0/6.0"
  139. (463) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  140. (463) Called-Station-Id = "ec-3e-f7-68-35-00"
  141. (463) NAS-IP-Address = 10.8.0.111
  142. (463) NAS-Identifier = "nyc-access-sw011"
  143. (463) NAS-Port-Type = Ethernet
  144. (463) session-state: No cached attributes
  145. (463) # Executing section authorize from file /etc/raddb/sites-enabled/default
  146. (463) authorize {
  147. (463) policy filter_username {
  148. (463) if (&User-Name) {
  149. (463) if (&User-Name) -> TRUE
  150. (463) if (&User-Name) {
  151. (463) if (&User-Name =~ / /) {
  152. (463) if (&User-Name =~ / /) -> FALSE
  153. (463) if (&User-Name =~ /@[^@]*@/ ) {
  154. (463) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  155. (463) if (&User-Name =~ /\.\./ ) {
  156. (463) if (&User-Name =~ /\.\./ ) -> FALSE
  157. (463) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  158. (463) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  159. (463) if (&User-Name =~ /\.$/) {
  160. (463) if (&User-Name =~ /\.$/) -> FALSE
  161. (463) if (&User-Name =~ /@\./) {
  162. (463) if (&User-Name =~ /@\./) -> FALSE
  163. (463) } # if (&User-Name) = notfound
  164. (463) } # policy filter_username = notfound
  165. (463) [preprocess] = ok
  166. (463) [chap] = noop
  167. (463) [mschap] = noop
  168. (463) [digest] = noop
  169. (463) suffix: Checking for suffix after "@"
  170. (463) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  171. (463) suffix: No such realm "NULL"
  172. (463) [suffix] = noop
  173. (463) eap: Peer sent EAP Response (code 2) ID 3 length 131
  174. (463) eap: Continuing tunnel setup
  175. (463) [eap] = ok
  176. (463) } # authorize = ok
  177. (463) Found Auth-Type = eap
  178. (463) # Executing group from file /etc/raddb/sites-enabled/default
  179. (463) authenticate {
  180. (463) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  181. (463) eap: Finished EAP session with state 0x4e4e9ffd4e4d8685
  182. (463) eap: Previous EAP request found for state 0x4e4e9ffd4e4d8685, released from the list
  183. (463) eap: Peer sent packet with method EAP PEAP (25)
  184. (463) eap: Calling submodule eap_peap to process data
  185. (463) eap_peap: Continuing EAP-TLS
  186. (463) eap_peap: Peer indicated complete TLS record size will be 121 bytes
  187. (463) eap_peap: Got complete TLS record (121 bytes)
  188. (463) eap_peap: [eaptls verify] = length included
  189. (463) eap_peap: (other): before/accept initialization
  190. (463) eap_peap: TLS_accept: before/accept initialization
  191. (463) eap_peap: <<< recv TLS 1.0 Handshake [length 0074], ClientHello
  192. (463) eap_peap: TLS_accept: SSLv3 read client hello A
  193. (463) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
  194. (463) eap_peap: TLS_accept: SSLv3 write server hello A
  195. (463) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
  196. (463) eap_peap: TLS_accept: SSLv3 write certificate A
  197. (463) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
  198. (463) eap_peap: TLS_accept: SSLv3 write key exchange A
  199. (463) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
  200. (463) eap_peap: TLS_accept: SSLv3 write server done A
  201. (463) eap_peap: TLS_accept: SSLv3 flush data
  202. (463) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  203. (463) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  204. (463) eap_peap: In SSL Handshake Phase
  205. (463) eap_peap: In SSL Accept mode
  206. (463) eap_peap: [eaptls process] = handled
  207. (463) eap: Sending EAP Request (code 1) ID 4 length 1004
  208. (463) eap: EAP session adding &reply:State = 0x4e4e9ffd4f4a8685
  209. (463) [eap] = handled
  210. (463) } # authenticate = handled
  211. (463) Using Post-Auth-Type Challenge
  212. (463) Post-Auth-Type sub-section not found. Ignoring.
  213. (463) # Executing group from file /etc/raddb/sites-enabled/default
  214. (463) Sent Access-Challenge Id 232 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  215. (463) EAP-Message = 0x010403ec19c000000a8f1603010059020000550301573f51336c2421755e0079c2580b2f3bc2b3e8abfc6bc4d8bd9db4800411891d20db7e18d3097fb50d6e524ed64ab6b79186bcde72dc80088c7a5200b90b528660c01400000dff01000100000b00040300010216030108d30b0008cf0008cc0003de
  216. (463) Message-Authenticator = 0x00000000000000000000000000000000
  217. (463) State = 0x4e4e9ffd4f4a8685e2c45c149088adba
  218. (463) Finished request
  219. (464) Received Access-Request Id 233 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
  220. (464) User-Name = "vkratsberg"
  221. (464) NAS-Port = 358
  222. (464) State = 0x4e4e9ffd4f4a8685e2c45c149088adba
  223. (464) EAP-Message = 0x020400061900
  224. (464) Message-Authenticator = 0xa09e3e5a65cd793a2338fa9599cd8cf9
  225. (464) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  226. (464) NAS-Port-Id = "ge-3/0/6.0"
  227. (464) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  228. (464) Called-Station-Id = "ec-3e-f7-68-35-00"
  229. (464) NAS-IP-Address = 10.8.0.111
  230. (464) NAS-Identifier = "nyc-access-sw011"
  231. (464) NAS-Port-Type = Ethernet
  232. (464) session-state: No cached attributes
  233. (464) # Executing section authorize from file /etc/raddb/sites-enabled/default
  234. (464) authorize {
  235. (464) policy filter_username {
  236. (464) if (&User-Name) {
  237. (464) if (&User-Name) -> TRUE
  238. (464) if (&User-Name) {
  239. (464) if (&User-Name =~ / /) {
  240. (464) if (&User-Name =~ / /) -> FALSE
  241. (464) if (&User-Name =~ /@[^@]*@/ ) {
  242. (464) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  243. (464) if (&User-Name =~ /\.\./ ) {
  244. (464) if (&User-Name =~ /\.\./ ) -> FALSE
  245. (464) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  246. (464) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  247. (464) if (&User-Name =~ /\.$/) {
  248. (464) if (&User-Name =~ /\.$/) -> FALSE
  249. (464) if (&User-Name =~ /@\./) {
  250. (464) if (&User-Name =~ /@\./) -> FALSE
  251. (464) } # if (&User-Name) = notfound
  252. (464) } # policy filter_username = notfound
  253. (464) [preprocess] = ok
  254. (464) [chap] = noop
  255. (464) [mschap] = noop
  256. (464) [digest] = noop
  257. (464) suffix: Checking for suffix after "@"
  258. (464) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  259. (464) suffix: No such realm "NULL"
  260. (464) [suffix] = noop
  261. (464) eap: Peer sent EAP Response (code 2) ID 4 length 6
  262. (464) eap: Continuing tunnel setup
  263. (464) [eap] = ok
  264. (464) } # authorize = ok
  265. (464) Found Auth-Type = eap
  266. (464) # Executing group from file /etc/raddb/sites-enabled/default
  267. (464) authenticate {
  268. (464) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  269. (464) eap: Finished EAP session with state 0x4e4e9ffd4f4a8685
  270. (464) eap: Previous EAP request found for state 0x4e4e9ffd4f4a8685, released from the list
  271. (464) eap: Peer sent packet with method EAP PEAP (25)
  272. (464) eap: Calling submodule eap_peap to process data
  273. (464) eap_peap: Continuing EAP-TLS
  274. (464) eap_peap: Peer ACKed our handshake fragment
  275. (464) eap_peap: [eaptls verify] = request
  276. (464) eap_peap: [eaptls process] = handled
  277. (464) eap: Sending EAP Request (code 1) ID 5 length 1000
  278. (464) eap: EAP session adding &reply:State = 0x4e4e9ffd4c4b8685
  279. (464) [eap] = handled
  280. (464) } # authenticate = handled
  281. (464) Using Post-Auth-Type Challenge
  282. (464) Post-Auth-Type sub-section not found. Ignoring.
  283. (464) # Executing group from file /etc/raddb/sites-enabled/default
  284. (464) Sent Access-Challenge Id 233 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  285. (464) EAP-Message = 0x010503e81940a985a92e8776b026aa0ca6454d39c8092f1777cb7717bafde9e0586c2db6953cbc1d0dc6dc89a54698f1474daa14ed35c2d76278209bed31b5b6f844db7500fb233337267f13341548de9a5a3219a57eaa7be8fbdc5048ac8060c257cf4e7bb8b599e15e02700609010004e8308204e430
  286. (464) Message-Authenticator = 0x00000000000000000000000000000000
  287. (464) State = 0x4e4e9ffd4c4b8685e2c45c149088adba
  288. (464) Finished request
  289. (465) Received Access-Request Id 234 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
  290. (465) User-Name = "vkratsberg"
  291. (465) NAS-Port = 358
  292. (465) State = 0x4e4e9ffd4c4b8685e2c45c149088adba
  293. (465) EAP-Message = 0x020500061900
  294. (465) Message-Authenticator = 0xdc458eeffc7a8ddec5a8557fd82287df
  295. (465) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  296. (465) NAS-Port-Id = "ge-3/0/6.0"
  297. (465) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  298. (465) Called-Station-Id = "ec-3e-f7-68-35-00"
  299. (465) NAS-IP-Address = 10.8.0.111
  300. (465) NAS-Identifier = "nyc-access-sw011"
  301. (465) NAS-Port-Type = Ethernet
  302. (465) session-state: No cached attributes
  303. (465) # Executing section authorize from file /etc/raddb/sites-enabled/default
  304. (465) authorize {
  305. (465) policy filter_username {
  306. (465) if (&User-Name) {
  307. (465) if (&User-Name) -> TRUE
  308. (465) if (&User-Name) {
  309. (465) if (&User-Name =~ / /) {
  310. (465) if (&User-Name =~ / /) -> FALSE
  311. (465) if (&User-Name =~ /@[^@]*@/ ) {
  312. (465) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  313. (465) if (&User-Name =~ /\.\./ ) {
  314. (465) if (&User-Name =~ /\.\./ ) -> FALSE
  315. (465) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  316. (465) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  317. (465) if (&User-Name =~ /\.$/) {
  318. (465) if (&User-Name =~ /\.$/) -> FALSE
  319. (465) if (&User-Name =~ /@\./) {
  320. (465) if (&User-Name =~ /@\./) -> FALSE
  321. (465) } # if (&User-Name) = notfound
  322. (465) } # policy filter_username = notfound
  323. (465) [preprocess] = ok
  324. (465) [chap] = noop
  325. (465) [mschap] = noop
  326. (465) [digest] = noop
  327. (465) suffix: Checking for suffix after "@"
  328. (465) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  329. (465) suffix: No such realm "NULL"
  330. (465) [suffix] = noop
  331. (465) eap: Peer sent EAP Response (code 2) ID 5 length 6
  332. (465) eap: Continuing tunnel setup
  333. (465) [eap] = ok
  334. (465) } # authorize = ok
  335. (465) Found Auth-Type = eap
  336. (465) # Executing group from file /etc/raddb/sites-enabled/default
  337. (465) authenticate {
  338. (465) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  339. (465) eap: Finished EAP session with state 0x4e4e9ffd4c4b8685
  340. (465) eap: Previous EAP request found for state 0x4e4e9ffd4c4b8685, released from the list
  341. (465) eap: Peer sent packet with method EAP PEAP (25)
  342. (465) eap: Calling submodule eap_peap to process data
  343. (465) eap_peap: Continuing EAP-TLS
  344. (465) eap_peap: Peer ACKed our handshake fragment
  345. (465) eap_peap: [eaptls verify] = request
  346. (465) eap_peap: [eaptls process] = handled
  347. (465) eap: Sending EAP Request (code 1) ID 6 length 721
  348. (465) eap: EAP session adding &reply:State = 0x4e4e9ffd4d488685
  349. (465) [eap] = handled
  350. (465) } # authenticate = handled
  351. (465) Using Post-Auth-Type Challenge
  352. (465) Post-Auth-Type sub-section not found. Ignoring.
  353. (465) # Executing group from file /etc/raddb/sites-enabled/default
  354. (465) Sent Access-Challenge Id 234 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  355. (465) EAP-Message = 0x010602d1190020417574686f72697479820900cd92931e3c4b4509300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101
  356. (465) Message-Authenticator = 0x00000000000000000000000000000000
  357. (465) State = 0x4e4e9ffd4d488685e2c45c149088adba
  358. (465) Finished request
  359. (461) Cleaning up request packet ID 230 with timestamp +249
  360. Waking up in 4.9 seconds.
  361. (466) Received Access-Request Id 235 from 10.8.0.111:58432 to 10.8.64.155:1812 length 324
  362. (466) User-Name = "vkratsberg"
  363. (466) NAS-Port = 358
  364. (466) State = 0x4e4e9ffd4d488685e2c45c149088adba
  365. (466) EAP-Message = 0x020600901980000000861603010046100000424104d782c2b1129e78bc5acfff77fb8a9629b40a690211cee44753cba7e714a1bc189b7505b870b22b007adff2914302d80e6b26e99199389883b085449dd343d6c51403010001011603010030876f6d4aa698bff9d98de1d5edda415c462a0e95b2984a
  366. (466) Message-Authenticator = 0xbd60eb5c3b154c485b8d2bb5845e10cf
  367. (466) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  368. (466) NAS-Port-Id = "ge-3/0/6.0"
  369. (466) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  370. (466) Called-Station-Id = "ec-3e-f7-68-35-00"
  371. (466) NAS-IP-Address = 10.8.0.111
  372. (466) NAS-Identifier = "nyc-access-sw011"
  373. (466) NAS-Port-Type = Ethernet
  374. (466) session-state: No cached attributes
  375. (466) # Executing section authorize from file /etc/raddb/sites-enabled/default
  376. (466) authorize {
  377. (466) policy filter_username {
  378. (466) if (&User-Name) {
  379. (466) if (&User-Name) -> TRUE
  380. (466) if (&User-Name) {
  381. (466) if (&User-Name =~ / /) {
  382. (466) if (&User-Name =~ / /) -> FALSE
  383. (466) if (&User-Name =~ /@[^@]*@/ ) {
  384. (466) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  385. (466) if (&User-Name =~ /\.\./ ) {
  386. (466) if (&User-Name =~ /\.\./ ) -> FALSE
  387. (466) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  388. (466) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  389. (466) if (&User-Name =~ /\.$/) {
  390. (466) if (&User-Name =~ /\.$/) -> FALSE
  391. (466) if (&User-Name =~ /@\./) {
  392. (466) if (&User-Name =~ /@\./) -> FALSE
  393. (466) } # if (&User-Name) = notfound
  394. (466) } # policy filter_username = notfound
  395. (466) [preprocess] = ok
  396. (466) [chap] = noop
  397. (466) [mschap] = noop
  398. (466) [digest] = noop
  399. (466) suffix: Checking for suffix after "@"
  400. (466) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  401. (466) suffix: No such realm "NULL"
  402. (466) [suffix] = noop
  403. (466) eap: Peer sent EAP Response (code 2) ID 6 length 144
  404. (466) eap: Continuing tunnel setup
  405. (466) [eap] = ok
  406. (466) } # authorize = ok
  407. (466) Found Auth-Type = eap
  408. (466) # Executing group from file /etc/raddb/sites-enabled/default
  409. (466) authenticate {
  410. (466) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  411. (466) eap: Finished EAP session with state 0x4e4e9ffd4d488685
  412. (466) eap: Previous EAP request found for state 0x4e4e9ffd4d488685, released from the list
  413. (466) eap: Peer sent packet with method EAP PEAP (25)
  414. (466) eap: Calling submodule eap_peap to process data
  415. (466) eap_peap: Continuing EAP-TLS
  416. (466) eap_peap: Peer indicated complete TLS record size will be 134 bytes
  417. (466) eap_peap: Got complete TLS record (134 bytes)
  418. (466) eap_peap: [eaptls verify] = length included
  419. (466) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
  420. (466) eap_peap: TLS_accept: SSLv3 read client key exchange A
  421. (466) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
  422. (466) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
  423. (466) eap_peap: TLS_accept: SSLv3 read finished A
  424. (466) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
  425. (466) eap_peap: TLS_accept: SSLv3 write change cipher spec A
  426. (466) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
  427. (466) eap_peap: TLS_accept: SSLv3 write finished A
  428. (466) eap_peap: TLS_accept: SSLv3 flush data
  429. (466) eap_peap: (other): SSL negotiation finished successfully
  430. (466) eap_peap: SSL Connection Established
  431. (466) eap_peap: [eaptls process] = handled
  432. (466) eap: Sending EAP Request (code 1) ID 7 length 65
  433. (466) eap: EAP session adding &reply:State = 0x4e4e9ffd4a498685
  434. (466) [eap] = handled
  435. (466) } # authenticate = handled
  436. (466) Using Post-Auth-Type Challenge
  437. (466) Post-Auth-Type sub-section not found. Ignoring.
  438. (466) # Executing group from file /etc/raddb/sites-enabled/default
  439. (466) Sent Access-Challenge Id 235 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  440. (466) EAP-Message = 0x0107004119001403010001011603010030736ace44ff96b30e7bcba8f48ddf50af12928a3f7a27e8a1908a31060fe79c4fb46deab2aa818c7a1ddb8fde7834627d
  441. (466) Message-Authenticator = 0x00000000000000000000000000000000
  442. (466) State = 0x4e4e9ffd4a498685e2c45c149088adba
  443. (466) Finished request
  444. Waking up in 4.9 seconds.
  445. (467) Received Access-Request Id 236 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
  446. (467) User-Name = "vkratsberg"
  447. (467) NAS-Port = 358
  448. (467) State = 0x4e4e9ffd4a498685e2c45c149088adba
  449. (467) EAP-Message = 0x020700061900
  450. (467) Message-Authenticator = 0x24531edb1114905b1c75d629e483a189
  451. (467) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  452. (467) NAS-Port-Id = "ge-3/0/6.0"
  453. (467) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  454. (467) Called-Station-Id = "ec-3e-f7-68-35-00"
  455. (467) NAS-IP-Address = 10.8.0.111
  456. (467) NAS-Identifier = "nyc-access-sw011"
  457. (467) NAS-Port-Type = Ethernet
  458. (467) session-state: No cached attributes
  459. (467) # Executing section authorize from file /etc/raddb/sites-enabled/default
  460. (467) authorize {
  461. (467) policy filter_username {
  462. (467) if (&User-Name) {
  463. (467) if (&User-Name) -> TRUE
  464. (467) if (&User-Name) {
  465. (467) if (&User-Name =~ / /) {
  466. (467) if (&User-Name =~ / /) -> FALSE
  467. (467) if (&User-Name =~ /@[^@]*@/ ) {
  468. (467) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  469. (467) if (&User-Name =~ /\.\./ ) {
  470. (467) if (&User-Name =~ /\.\./ ) -> FALSE
  471. (467) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  472. (467) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  473. (467) if (&User-Name =~ /\.$/) {
  474. (467) if (&User-Name =~ /\.$/) -> FALSE
  475. (467) if (&User-Name =~ /@\./) {
  476. (467) if (&User-Name =~ /@\./) -> FALSE
  477. (467) } # if (&User-Name) = notfound
  478. (467) } # policy filter_username = notfound
  479. (467) [preprocess] = ok
  480. (467) [chap] = noop
  481. (467) [mschap] = noop
  482. (467) [digest] = noop
  483. (467) suffix: Checking for suffix after "@"
  484. (467) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  485. (467) suffix: No such realm "NULL"
  486. (467) [suffix] = noop
  487. (467) eap: Peer sent EAP Response (code 2) ID 7 length 6
  488. (467) eap: Continuing tunnel setup
  489. (467) [eap] = ok
  490. (467) } # authorize = ok
  491. (467) Found Auth-Type = eap
  492. (467) # Executing group from file /etc/raddb/sites-enabled/default
  493. (467) authenticate {
  494. (467) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  495. (467) eap: Finished EAP session with state 0x4e4e9ffd4a498685
  496. (467) eap: Previous EAP request found for state 0x4e4e9ffd4a498685, released from the list
  497. (467) eap: Peer sent packet with method EAP PEAP (25)
  498. (467) eap: Calling submodule eap_peap to process data
  499. (467) eap_peap: Continuing EAP-TLS
  500. (467) eap_peap: Peer ACKed our handshake fragment. handshake is finished
  501. (467) eap_peap: [eaptls verify] = success
  502. (467) eap_peap: [eaptls process] = success
  503. (467) eap_peap: Session established. Decoding tunneled attributes
  504. (467) eap_peap: PEAP state TUNNEL ESTABLISHED
  505. (467) eap: Sending EAP Request (code 1) ID 8 length 43
  506. (467) eap: EAP session adding &reply:State = 0x4e4e9ffd4b468685
  507. (467) [eap] = handled
  508. (467) } # authenticate = handled
  509. (467) Using Post-Auth-Type Challenge
  510. (467) Post-Auth-Type sub-section not found. Ignoring.
  511. (467) # Executing group from file /etc/raddb/sites-enabled/default
  512. (467) Sent Access-Challenge Id 236 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  513. (467) EAP-Message = 0x0108002b19001703010020a18d7dfd32101e93d301d56908b1359cc7991b779e990d7aa2e9c1bba66d2d86
  514. (467) Message-Authenticator = 0x00000000000000000000000000000000
  515. (467) State = 0x4e4e9ffd4b468685e2c45c149088adba
  516. (467) Finished request
  517. Waking up in 4.9 seconds.
  518. (468) Received Access-Request Id 237 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
  519. (468) User-Name = "vkratsberg"
  520. (468) NAS-Port = 358
  521. (468) State = 0x4e4e9ffd4b468685e2c45c149088adba
  522. (468) EAP-Message = 0x0208002b190017030100205f5f0b95bf01bd889b459f3b760eda6f70d2577871cb4b04e7a029b1a20d1c3c
  523. (468) Message-Authenticator = 0x3f60c5a3560a0098d9bb4bb6022f9fa7
  524. (468) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  525. (468) NAS-Port-Id = "ge-3/0/6.0"
  526. (468) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  527. (468) Called-Station-Id = "ec-3e-f7-68-35-00"
  528. (468) NAS-IP-Address = 10.8.0.111
  529. (468) NAS-Identifier = "nyc-access-sw011"
  530. (468) NAS-Port-Type = Ethernet
  531. (468) session-state: No cached attributes
  532. (468) # Executing section authorize from file /etc/raddb/sites-enabled/default
  533. (468) authorize {
  534. (468) policy filter_username {
  535. (468) if (&User-Name) {
  536. (468) if (&User-Name) -> TRUE
  537. (468) if (&User-Name) {
  538. (468) if (&User-Name =~ / /) {
  539. (468) if (&User-Name =~ / /) -> FALSE
  540. (468) if (&User-Name =~ /@[^@]*@/ ) {
  541. (468) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  542. (468) if (&User-Name =~ /\.\./ ) {
  543. (468) if (&User-Name =~ /\.\./ ) -> FALSE
  544. (468) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  545. (468) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  546. (468) if (&User-Name =~ /\.$/) {
  547. (468) if (&User-Name =~ /\.$/) -> FALSE
  548. (468) if (&User-Name =~ /@\./) {
  549. (468) if (&User-Name =~ /@\./) -> FALSE
  550. (468) } # if (&User-Name) = notfound
  551. (468) } # policy filter_username = notfound
  552. (468) [preprocess] = ok
  553. (468) [chap] = noop
  554. (468) [mschap] = noop
  555. (468) [digest] = noop
  556. (468) suffix: Checking for suffix after "@"
  557. (468) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  558. (468) suffix: No such realm "NULL"
  559. (468) [suffix] = noop
  560. (468) eap: Peer sent EAP Response (code 2) ID 8 length 43
  561. (468) eap: Continuing tunnel setup
  562. (468) [eap] = ok
  563. (468) } # authorize = ok
  564. (468) Found Auth-Type = eap
  565. (468) # Executing group from file /etc/raddb/sites-enabled/default
  566. (468) authenticate {
  567. (468) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  568. (468) eap: Finished EAP session with state 0x4e4e9ffd4b468685
  569. (468) eap: Previous EAP request found for state 0x4e4e9ffd4b468685, released from the list
  570. (468) eap: Peer sent packet with method EAP PEAP (25)
  571. (468) eap: Calling submodule eap_peap to process data
  572. (468) eap_peap: Continuing EAP-TLS
  573. (468) eap_peap: [eaptls verify] = ok
  574. (468) eap_peap: Done initial handshake
  575. (468) eap_peap: [eaptls process] = ok
  576. (468) eap_peap: Session established. Decoding tunneled attributes
  577. (468) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  578. (468) eap_peap: Identity - vkratsberg
  579. (468) eap_peap: Got inner identity 'vkratsberg'
  580. (468) eap_peap: Setting default EAP type for tunneled EAP session
  581. (468) eap_peap: Got tunneled request
  582. (468) eap_peap: EAP-Message = 0x0208000f01766b7261747362657267
  583. (468) eap_peap: Setting User-Name to vkratsberg
  584. (468) eap_peap: Sending tunneled request to inner-tunnel
  585. (468) eap_peap: EAP-Message = 0x0208000f01766b7261747362657267
  586. (468) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  587. (468) eap_peap: User-Name = "vkratsberg"
  588. (468) Virtual server inner-tunnel received request
  589. (468) EAP-Message = 0x0208000f01766b7261747362657267
  590. (468) FreeRADIUS-Proxied-To = 127.0.0.1
  591. (468) User-Name = "vkratsberg"
  592. (468) WARNING: Outer and inner identities are the same. User privacy is compromised.
  593. (468) server inner-tunnel {
  594. (468) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
  595. (468) authorize {
  596. (468) policy filter_username {
  597. (468) if (&User-Name) {
  598. (468) if (&User-Name) -> TRUE
  599. (468) if (&User-Name) {
  600. (468) if (&User-Name =~ / /) {
  601. (468) if (&User-Name =~ / /) -> FALSE
  602. (468) if (&User-Name =~ /@[^@]*@/ ) {
  603. (468) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  604. (468) if (&User-Name =~ /\.\./ ) {
  605. (468) if (&User-Name =~ /\.\./ ) -> FALSE
  606. (468) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  607. (468) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  608. (468) if (&User-Name =~ /\.$/) {
  609. (468) if (&User-Name =~ /\.$/) -> FALSE
  610. (468) if (&User-Name =~ /@\./) {
  611. (468) if (&User-Name =~ /@\./) -> FALSE
  612. (468) } # if (&User-Name) = notfound
  613. (468) } # policy filter_username = notfound
  614. (468) [chap] = noop
  615. (468) [mschap] = noop
  616. (468) suffix: Checking for suffix after "@"
  617. (468) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  618. (468) suffix: No such realm "NULL"
  619. (468) [suffix] = noop
  620. (468) update control {
  621. (468) &Proxy-To-Realm := LOCAL
  622. (468) } # update control = noop
  623. (468) eap: Peer sent EAP Response (code 2) ID 8 length 15
  624. (468) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  625. (468) [eap] = ok
  626. (468) } # authorize = ok
  627. (468) Found Auth-Type = eap
  628. (468) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  629. (468) authenticate {
  630. (468) eap: Peer sent packet with method EAP Identity (1)
  631. (468) eap: Calling submodule eap_gtc to process data
  632. (468) eap_gtc: EXPAND Password:
  633. (468) eap_gtc: --> Password:
  634. (468) eap: Sending EAP Request (code 1) ID 9 length 15
  635. (468) eap: EAP session adding &reply:State = 0xf0df1f11f0d6199d
  636. (468) [eap] = handled
  637. (468) } # authenticate = handled
  638. (468) } # server inner-tunnel
  639. (468) Virtual server sending reply
  640. (468) EAP-Message = 0x0109000f0650617373776f72643a20
  641. (468) Message-Authenticator = 0x00000000000000000000000000000000
  642. (468) State = 0xf0df1f11f0d6199d13916c06ec84bce5
  643. (468) eap_peap: Got tunneled reply code 11
  644. (468) eap_peap: EAP-Message = 0x0109000f0650617373776f72643a20
  645. (468) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  646. (468) eap_peap: State = 0xf0df1f11f0d6199d13916c06ec84bce5
  647. (468) eap_peap: Got tunneled reply RADIUS code 11
  648. (468) eap_peap: EAP-Message = 0x0109000f0650617373776f72643a20
  649. (468) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  650. (468) eap_peap: State = 0xf0df1f11f0d6199d13916c06ec84bce5
  651. (468) eap_peap: Got tunneled Access-Challenge
  652. (468) eap: Sending EAP Request (code 1) ID 9 length 43
  653. (468) eap: EAP session adding &reply:State = 0x4e4e9ffd48478685
  654. (468) [eap] = handled
  655. (468) } # authenticate = handled
  656. (468) Using Post-Auth-Type Challenge
  657. (468) Post-Auth-Type sub-section not found. Ignoring.
  658. (468) # Executing group from file /etc/raddb/sites-enabled/default
  659. (468) Sent Access-Challenge Id 237 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  660. (468) EAP-Message = 0x0109002b1900170301002026f5417ad3bffd840c78367ae06d2ed416e72d7b24d8acacd7dbc257cd631de5
  661. (468) Message-Authenticator = 0x00000000000000000000000000000000
  662. (468) State = 0x4e4e9ffd48478685e2c45c149088adba
  663. (468) Finished request
  664. Waking up in 4.9 seconds.
  665. (469) Received Access-Request Id 238 from 10.8.0.111:58432 to 10.8.64.155:1812 length 239
  666. (469) User-Name = "vkratsberg"
  667. (469) NAS-Port = 358
  668. (469) State = 0x4e4e9ffd48478685e2c45c149088adba
  669. (469) EAP-Message = 0x0209003b190017030100308a00021a3a6ecf1043e62fd0f64588d10ca3e48730dc81be4a1e5359fdbf6526d302768d3a9030ea6867182c0d93c043
  670. (469) Message-Authenticator = 0xfc4826ee27ce3626ca5c971e2f8b0a1c
  671. (469) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  672. (469) NAS-Port-Id = "ge-3/0/6.0"
  673. (469) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  674. (469) Called-Station-Id = "ec-3e-f7-68-35-00"
  675. (469) NAS-IP-Address = 10.8.0.111
  676. (469) NAS-Identifier = "nyc-access-sw011"
  677. (469) NAS-Port-Type = Ethernet
  678. (469) session-state: No cached attributes
  679. (469) # Executing section authorize from file /etc/raddb/sites-enabled/default
  680. (469) authorize {
  681. (469) policy filter_username {
  682. (469) if (&User-Name) {
  683. (469) if (&User-Name) -> TRUE
  684. (469) if (&User-Name) {
  685. (469) if (&User-Name =~ / /) {
  686. (469) if (&User-Name =~ / /) -> FALSE
  687. (469) if (&User-Name =~ /@[^@]*@/ ) {
  688. (469) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  689. (469) if (&User-Name =~ /\.\./ ) {
  690. (469) if (&User-Name =~ /\.\./ ) -> FALSE
  691. (469) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  692. (469) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  693. (469) if (&User-Name =~ /\.$/) {
  694. (469) if (&User-Name =~ /\.$/) -> FALSE
  695. (469) if (&User-Name =~ /@\./) {
  696. (469) if (&User-Name =~ /@\./) -> FALSE
  697. (469) } # if (&User-Name) = notfound
  698. (469) } # policy filter_username = notfound
  699. (469) [preprocess] = ok
  700. (469) [chap] = noop
  701. (469) [mschap] = noop
  702. (469) [digest] = noop
  703. (469) suffix: Checking for suffix after "@"
  704. (469) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  705. (469) suffix: No such realm "NULL"
  706. (469) [suffix] = noop
  707. (469) eap: Peer sent EAP Response (code 2) ID 9 length 59
  708. (469) eap: Continuing tunnel setup
  709. (469) [eap] = ok
  710. (469) } # authorize = ok
  711. (469) Found Auth-Type = eap
  712. (469) # Executing group from file /etc/raddb/sites-enabled/default
  713. (469) authenticate {
  714. (469) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  715. (469) eap: Finished EAP session with state 0x4e4e9ffd48478685
  716. (469) eap: Previous EAP request found for state 0x4e4e9ffd48478685, released from the list
  717. (469) eap: Peer sent packet with method EAP PEAP (25)
  718. (469) eap: Calling submodule eap_peap to process data
  719. (469) eap_peap: Continuing EAP-TLS
  720. (469) eap_peap: [eaptls verify] = ok
  721. (469) eap_peap: Done initial handshake
  722. (469) eap_peap: [eaptls process] = ok
  723. (469) eap_peap: Session established. Decoding tunneled attributes
  724. (469) eap_peap: PEAP state phase2
  725. (469) eap_peap: EAP method GTC (6)
  726. (469) eap_peap: Got tunneled request
  727. (469) eap_peap: EAP-Message = 0x02090010065b566b726174313938335d
  728. (469) eap_peap: Setting User-Name to vkratsberg
  729. (469) eap_peap: Sending tunneled request to inner-tunnel
  730. (469) eap_peap: EAP-Message = 0x02090010065b566b726174313938335d
  731. (469) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  732. (469) eap_peap: User-Name = "vkratsberg"
  733. (469) eap_peap: State = 0xf0df1f11f0d6199d13916c06ec84bce5
  734. (469) Virtual server inner-tunnel received request
  735. (469) EAP-Message = 0x02090010065b566b726174313938335d
  736. (469) FreeRADIUS-Proxied-To = 127.0.0.1
  737. (469) User-Name = "vkratsberg"
  738. (469) State = 0xf0df1f11f0d6199d13916c06ec84bce5
  739. (469) WARNING: Outer and inner identities are the same. User privacy is compromised.
  740. (469) server inner-tunnel {
  741. (469) session-state: No cached attributes
  742. (469) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
  743. (469) authorize {
  744. (469) policy filter_username {
  745. (469) if (&User-Name) {
  746. (469) if (&User-Name) -> TRUE
  747. (469) if (&User-Name) {
  748. (469) if (&User-Name =~ / /) {
  749. (469) if (&User-Name =~ / /) -> FALSE
  750. (469) if (&User-Name =~ /@[^@]*@/ ) {
  751. (469) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  752. (469) if (&User-Name =~ /\.\./ ) {
  753. (469) if (&User-Name =~ /\.\./ ) -> FALSE
  754. (469) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  755. (469) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  756. (469) if (&User-Name =~ /\.$/) {
  757. (469) if (&User-Name =~ /\.$/) -> FALSE
  758. (469) if (&User-Name =~ /@\./) {
  759. (469) if (&User-Name =~ /@\./) -> FALSE
  760. (469) } # if (&User-Name) = notfound
  761. (469) } # policy filter_username = notfound
  762. (469) [chap] = noop
  763. (469) [mschap] = noop
  764. (469) suffix: Checking for suffix after "@"
  765. (469) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  766. (469) suffix: No such realm "NULL"
  767. (469) [suffix] = noop
  768. (469) update control {
  769. (469) &Proxy-To-Realm := LOCAL
  770. (469) } # update control = noop
  771. (469) eap: Peer sent EAP Response (code 2) ID 9 length 16
  772. (469) eap: No EAP Start, assuming it's an on-going EAP conversation
  773. (469) [eap] = updated
  774. (469) files: Searching for user in group "juniper-admins"
  775. rlm_ldap (ldap): Reserved connection (13)
  776. (469) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  777. (469) files: --> (uid=vkratsberg)
  778. (469) files: Performing search in "dc=sq,dc=net" with filter "(uid=vkratsberg)", scope "sub"
  779. (469) files: Waiting for search result...
  780. (469) files: User object found at DN "uid=vkratsberg,ou=people,dc=sq,dc=net"
  781. (469) files: Checking for user in group objects
  782. (469) files: EXPAND (&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
  783. (469) files: --> (&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=uid\3dvkratsberg\2cou\3dpeople\2cdc\3dsq\2cdc\3dnet)(memberUid=vkratsberg)))
  784. (469) files: Performing search in "dc=sq,dc=net" with filter "(&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=uid\3dvkratsberg\2cou\3dpeople\2cdc\3dsq\2cdc\3dnet)(memberUid=vkratsberg)))", scope "sub"
  785. (469) files: Waiting for search result...
  786. (469) files: User found in group object "dc=sq,dc=net"
  787. rlm_ldap (ldap): Released connection (13)
  788. rlm_ldap (ldap): Need 2 more connections to reach 3 spares
  789. rlm_ldap (ldap): Opening additional connection (14), 1 of 30 pending slots used
  790. rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
  791. TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
  792. rlm_ldap (ldap): Waiting for bind result...
  793. rlm_ldap (ldap): Bind successful
  794. (469) files: users: Matched entry DEFAULT at line 98
  795. (469) [files] = ok
  796. rlm_ldap (ldap): Reserved connection (12)
  797. (469) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  798. (469) ldap: --> (uid=vkratsberg)
  799. (469) ldap: Performing search in "dc=sq,dc=net" with filter "(uid=vkratsberg)", scope "sub"
  800. (469) ldap: Waiting for search result...
  801. (469) ldap: User object found at DN "uid=vkratsberg,ou=people,dc=sq,dc=net"
  802. (469) ldap: Processing user attributes
  803. (469) ldap: control:Password-With-Header += '{SSHA}Qen1MM87QS4nPktGhWkyE3ECTjucBhAp+Ce+Ug=='
  804. rlm_ldap (ldap): Released connection (12)
  805. rlm_ldap (ldap): Need 1 more connections to reach 3 spares
  806. rlm_ldap (ldap): Opening additional connection (15), 1 of 29 pending slots used
  807. rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
  808. TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
  809. rlm_ldap (ldap): Waiting for bind result...
  810. rlm_ldap (ldap): Bind successful
  811. (469) [ldap] = updated
  812. (469) [expiration] = noop
  813. (469) [logintime] = noop
  814. (469) pap: Converted: Password-With-Header -> SSHA1-Password
  815. (469) pap: Removing &control:Password-With-Header
  816. (469) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes
  817. (469) pap: WARNING: Auth-Type already set. Not setting to PAP
  818. (469) [pap] = noop
  819. (469) } # authorize = updated
  820. (469) Found Auth-Type = eap
  821. (469) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  822. (469) authenticate {
  823. (469) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  824. (469) eap: Finished EAP session with state 0xf0df1f11f0d6199d
  825. (469) eap: Previous EAP request found for state 0xf0df1f11f0d6199d, released from the list
  826. (469) eap: Peer sent packet with method EAP GTC (6)
  827. (469) eap: Calling submodule eap_gtc to process data
  828. (469) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
  829. (469) eap_gtc: Auth-Type PAP {
  830. (469) pap: Login attempt with password
  831. (469) pap: Comparing with "known-good" SSHA-Password
  832. (469) pap: User authenticated successfully
  833. (469) [pap] = ok
  834. (469) } # Auth-Type PAP = ok
  835. (469) eap: Sending EAP Success (code 3) ID 9 length 4
  836. (469) eap: Freeing handler
  837. (469) [eap] = ok
  838. (469) } # authenticate = ok
  839. (469) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
  840. (469) post-auth { ... } # empty sub-section is ignored
  841. (469) } # server inner-tunnel
  842. (469) Virtual server sending reply
  843. (469) Service-Type = Login-User
  844. (469) Idle-Timeout = 600
  845. (469) Juniper-Local-User-Name = "admin"
  846. (469) Tunnel-Type = VLAN
  847. (469) Tunnel-Medium-Type = IEEE-802
  848. (469) Tunnel-Private-Group-Id = "810"
  849. (469) EAP-Message = 0x03090004
  850. (469) Message-Authenticator = 0x00000000000000000000000000000000
  851. (469) User-Name = "vkratsberg"
  852. (469) eap_peap: Got tunneled reply code 2
  853. (469) eap_peap: Service-Type = Login-User
  854. (469) eap_peap: Idle-Timeout = 600
  855. (469) eap_peap: Juniper-Local-User-Name = "admin"
  856. (469) eap_peap: Tunnel-Type = VLAN
  857. (469) eap_peap: Tunnel-Medium-Type = IEEE-802
  858. (469) eap_peap: Tunnel-Private-Group-Id = "810"
  859. (469) eap_peap: EAP-Message = 0x03090004
  860. (469) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  861. (469) eap_peap: User-Name = "vkratsberg"
  862. (469) eap_peap: Got tunneled reply RADIUS code 2
  863. (469) eap_peap: Service-Type = Login-User
  864. (469) eap_peap: Idle-Timeout = 600
  865. (469) eap_peap: Juniper-Local-User-Name = "admin"
  866. (469) eap_peap: Tunnel-Type = VLAN
  867. (469) eap_peap: Tunnel-Medium-Type = IEEE-802
  868. (469) eap_peap: Tunnel-Private-Group-Id = "810"
  869. (469) eap_peap: EAP-Message = 0x03090004
  870. (469) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  871. (469) eap_peap: User-Name = "vkratsberg"
  872. (469) eap_peap: Tunneled authentication was successful
  873. (469) eap_peap: SUCCESS
  874. (469) eap_peap: Saving tunneled attributes for later
  875. (469) eap: Sending EAP Request (code 1) ID 10 length 43
  876. (469) eap: EAP session adding &reply:State = 0x4e4e9ffd49448685
  877. (469) [eap] = handled
  878. (469) } # authenticate = handled
  879. (469) Using Post-Auth-Type Challenge
  880. (469) Post-Auth-Type sub-section not found. Ignoring.
  881. (469) # Executing group from file /etc/raddb/sites-enabled/default
  882. (469) Sent Access-Challenge Id 238 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  883. (469) EAP-Message = 0x010a002b1900170301002052841017c0fb9a037645f9700f6561dd0b59a6156d963ded9973bdfa581e03d5
  884. (469) Message-Authenticator = 0x00000000000000000000000000000000
  885. (469) State = 0x4e4e9ffd49448685e2c45c149088adba
  886. (469) Finished request
  887. Waking up in 2.8 seconds.
  888. (470) Received Access-Request Id 239 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
  889. (470) User-Name = "vkratsberg"
  890. (470) NAS-Port = 358
  891. (470) State = 0x4e4e9ffd49448685e2c45c149088adba
  892. (470) EAP-Message = 0x020a002b1900170301002032bb95765a4a991bf842da499825ee17be132e0f2c2133a8ec348c6f9598ddc0
  893. (470) Message-Authenticator = 0xd38ca916b5ce9adf61930c120dde81e0
  894. (470) Acct-Session-Id = "8O2.1x81bb08a50008e754"
  895. (470) NAS-Port-Id = "ge-3/0/6.0"
  896. (470) Calling-Station-Id = "00-e0-4c-b8-16-4d"
  897. (470) Called-Station-Id = "ec-3e-f7-68-35-00"
  898. (470) NAS-IP-Address = 10.8.0.111
  899. (470) NAS-Identifier = "nyc-access-sw011"
  900. (470) NAS-Port-Type = Ethernet
  901. (470) session-state: No cached attributes
  902. (470) # Executing section authorize from file /etc/raddb/sites-enabled/default
  903. (470) authorize {
  904. (470) policy filter_username {
  905. (470) if (&User-Name) {
  906. (470) if (&User-Name) -> TRUE
  907. (470) if (&User-Name) {
  908. (470) if (&User-Name =~ / /) {
  909. (470) if (&User-Name =~ / /) -> FALSE
  910. (470) if (&User-Name =~ /@[^@]*@/ ) {
  911. (470) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  912. (470) if (&User-Name =~ /\.\./ ) {
  913. (470) if (&User-Name =~ /\.\./ ) -> FALSE
  914. (470) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  915. (470) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  916. (470) if (&User-Name =~ /\.$/) {
  917. (470) if (&User-Name =~ /\.$/) -> FALSE
  918. (470) if (&User-Name =~ /@\./) {
  919. (470) if (&User-Name =~ /@\./) -> FALSE
  920. (470) } # if (&User-Name) = notfound
  921. (470) } # policy filter_username = notfound
  922. (470) [preprocess] = ok
  923. (470) [chap] = noop
  924. (470) [mschap] = noop
  925. (470) [digest] = noop
  926. (470) suffix: Checking for suffix after "@"
  927. (470) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
  928. (470) suffix: No such realm "NULL"
  929. (470) [suffix] = noop
  930. (470) eap: Peer sent EAP Response (code 2) ID 10 length 43
  931. (470) eap: Continuing tunnel setup
  932. (470) [eap] = ok
  933. (470) } # authorize = ok
  934. (470) Found Auth-Type = eap
  935. (470) # Executing group from file /etc/raddb/sites-enabled/default
  936. (470) authenticate {
  937. (470) eap: Expiring EAP session with state 0xfece9bc1fecf8204
  938. (470) eap: Finished EAP session with state 0x4e4e9ffd49448685
  939. (470) eap: Previous EAP request found for state 0x4e4e9ffd49448685, released from the list
  940. (470) eap: Peer sent packet with method EAP PEAP (25)
  941. (470) eap: Calling submodule eap_peap to process data
  942. (470) eap_peap: Continuing EAP-TLS
  943. (470) eap_peap: [eaptls verify] = ok
  944. (470) eap_peap: Done initial handshake
  945. (470) eap_peap: [eaptls process] = ok
  946. (470) eap_peap: Session established. Decoding tunneled attributes
  947. (470) eap_peap: PEAP state send tlv success
  948. (470) eap_peap: Received EAP-TLV response
  949. (470) eap_peap: Success
  950. (470) eap_peap: Using saved attributes from the original Access-Accept
  951. (470) eap_peap: Service-Type = Login-User
  952. (470) eap_peap: Idle-Timeout = 600
  953. (470) eap_peap: Juniper-Local-User-Name = "admin"
  954. (470) eap_peap: Tunnel-Type = VLAN
  955. (470) eap_peap: Tunnel-Medium-Type = IEEE-802
  956. (470) eap_peap: Tunnel-Private-Group-Id = "810"
  957. (470) eap_peap: User-Name = "vkratsberg"
  958. (470) eap_peap: caching User-Name = "vkratsberg"
  959. (470) eap_peap: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk.
  960. (470) eap: Sending EAP Success (code 3) ID 10 length 4
  961. (470) eap: Freeing handler
  962. (470) [eap] = ok
  963. (470) } # authenticate = ok
  964. (470) # Executing section post-auth from file /etc/raddb/sites-enabled/default
  965. (470) post-auth {
  966. (470) update {
  967. (470) No attributes updated
  968. (470) } # update = noop
  969. (470) [exec] = noop
  970. (470) policy remove_reply_message_if_eap {
  971. (470) if (&reply:EAP-Message && &reply:Reply-Message) {
  972. (470) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  973. (470) else {
  974. (470) [noop] = noop
  975. (470) } # else = noop
  976. (470) } # policy remove_reply_message_if_eap = noop
  977. (470) } # post-auth = noop
  978. (470) Sent Access-Accept Id 239 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
  979. (470) Service-Type = Login-User
  980. (470) Idle-Timeout = 600
  981. (470) Juniper-Local-User-Name = "admin"
  982. (470) Tunnel-Type = VLAN
  983. (470) Tunnel-Medium-Type = IEEE-802
  984. (470) Tunnel-Private-Group-Id = "810"
  985. (470) User-Name = "vkratsberg"
  986. (470) MS-MPPE-Recv-Key = 0x2c95cb81f5a82111803f40f7ed33e3c1f81a3ea922e2ba460972da52ba4ae71b
  987. (470) MS-MPPE-Send-Key = 0xdc512fa7dda8277dada82e409d0082705ff3d4ba52db225b7c335c46bf0a0371
  988. (470) EAP-Message = 0x030a0004
  989. (470) Message-Authenticator = 0x00000000000000000000000000000000
  990. (470) Finished request
  991. Waking up in 2.8 seconds.
  992. (462) Cleaning up request packet ID 231 with timestamp +254
  993. (463) Cleaning up request packet ID 232 with timestamp +254
  994. (464) Cleaning up request packet ID 233 with timestamp +254
  995. (465) Cleaning up request packet ID 234 with timestamp +254
  996. (466) Cleaning up request packet ID 235 with timestamp +254
  997. (467) Cleaning up request packet ID 236 with timestamp +254
  998. (468) Cleaning up request packet ID 237 with timestamp +254
  999. Waking up in 2.0 seconds.
  1000. (469) Cleaning up request packet ID 238 with timestamp +254
  1001. (470) Cleaning up request packet ID 239 with timestamp +256
  1002. Ready to process requests