thewruck

FreeRADIUS Output

Nov 2nd, 2016
80
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 159.13 KB | None | 0 0
  1. login as: root
  2. Authenticating with public key "FBMI radius Pass Phrase" from agent
  3. Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)
  4.  
  5.  * Documentation:  https://help.ubuntu.com
  6.  * Management:     https://landscape.canonical.com
  7.  * Support:        https://ubuntu.com/advantage
  8.  
  9. Last login: Wed Nov  2 11:25:05 2016 from 10.168.108.41
  10. root@penguin:~# samba -V
  11. Version 4.3.11-Ubuntu
  12. root@penguin:~# radiusd -X
  13. FreeRADIUS Version 3.0.12
  14. Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
  15. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  16. PARTICULAR PURPOSE
  17. You may redistribute copies of FreeRADIUS under the terms of the
  18. GNU General Public License
  19. For more information about these matters, see the file named COPYRIGHT
  20. Starting - reading configuration files ...
  21. including dictionary file /usr/local/share/freeradius/dictionary
  22. including dictionary file /usr/local/share/freeradius/dictionary.dhcp
  23. including dictionary file /usr/local/share/freeradius/dictionary.vqp
  24. including dictionary file /usr/local/etc/raddb/dictionary
  25. including configuration file /usr/local/etc/raddb/radiusd.conf
  26. including configuration file /usr/local/etc/raddb/proxy.conf
  27. including configuration file /usr/local/etc/raddb/clients.conf
  28. including files in directory /usr/local/etc/raddb/mods-enabled/
  29. including configuration file /usr/local/etc/raddb/mods-enabled/digest
  30. including configuration file /usr/local/etc/raddb/mods-enabled/passwd
  31. including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
  32. including configuration file /usr/local/etc/raddb/mods-enabled/echo
  33. including configuration file /usr/local/etc/raddb/mods-enabled/replicate
  34. including configuration file /usr/local/etc/raddb/mods-enabled/soh
  35. including configuration file /usr/local/etc/raddb/mods-enabled/chap
  36. including configuration file /usr/local/etc/raddb/mods-enabled/files
  37. including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
  38. including configuration file /usr/local/etc/raddb/mods-enabled/linelog
  39. including configuration file /usr/local/etc/raddb/mods-enabled/logintime
  40. including configuration file /usr/local/etc/raddb/mods-enabled/exec
  41. including configuration file /usr/local/etc/raddb/mods-enabled/dhcp
  42. including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
  43. including configuration file /usr/local/etc/raddb/mods-enabled/mschap_hbs
  44. including configuration file /usr/local/etc/raddb/mods-enabled/unpack
  45. including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
  46. including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
  47. including configuration file /usr/local/etc/raddb/mods-enabled/eap
  48. including configuration file /usr/local/etc/raddb/mods-enabled/mschap_hac
  49. including configuration file /usr/local/etc/raddb/mods-enabled/ldap
  50. including configuration file /usr/local/etc/raddb/mods-enabled/unix
  51. including configuration file /usr/local/etc/raddb/mods-enabled/mschap_fbc
  52. including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
  53. including configuration file /usr/local/etc/raddb/mods-enabled/expiration
  54. including configuration file /usr/local/etc/raddb/mods-enabled/expr
  55. including configuration file /usr/local/etc/raddb/mods-enabled/realm
  56. including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
  57. including configuration file /usr/local/etc/raddb/mods-enabled/always
  58. including configuration file /usr/local/etc/raddb/mods-enabled/mschap_cbs
  59. including configuration file /usr/local/etc/raddb/mods-enabled/date
  60. including configuration file /usr/local/etc/raddb/mods-enabled/utf8
  61. including configuration file /usr/local/etc/raddb/mods-enabled/pap
  62. including configuration file /usr/local/etc/raddb/mods-enabled/detail
  63. including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
  64. including files in directory /usr/local/etc/raddb/policy.d/
  65. including configuration file /usr/local/etc/raddb/policy.d/debug
  66. including configuration file /usr/local/etc/raddb/policy.d/control
  67. including configuration file /usr/local/etc/raddb/policy.d/filter
  68. including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
  69. including configuration file /usr/local/etc/raddb/policy.d/canonicalization
  70. including configuration file /usr/local/etc/raddb/policy.d/dhcp
  71. including configuration file /usr/local/etc/raddb/policy.d/accounting
  72. including configuration file /usr/local/etc/raddb/policy.d/cui
  73. including configuration file /usr/local/etc/raddb/policy.d/eap
  74. including configuration file /usr/local/etc/raddb/policy.d/operator-name
  75. including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
  76. including files in directory /usr/local/etc/raddb/sites-enabled/
  77. including configuration file /usr/local/etc/raddb/sites-enabled/default
  78. including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  79. main {
  80.  security {
  81.         allow_core_dumps = no
  82.  }
  83.         name = "radiusd"
  84.         prefix = "/usr/local"
  85.         localstatedir = "/usr/local/var"
  86.         logdir = "/usr/local/var/log/radius"
  87.         run_dir = "/usr/local/var/run/radiusd"
  88. }
  89. main {
  90.         name = "radiusd"
  91.         prefix = "/usr/local"
  92.         localstatedir = "/usr/local/var"
  93.         sbindir = "/usr/local/sbin"
  94.         logdir = "/usr/local/var/log/radius"
  95.         run_dir = "/usr/local/var/run/radiusd"
  96.         libdir = "/usr/local/lib"
  97.         radacctdir = "/usr/local/var/log/radius/radacct"
  98.         hostname_lookups = no
  99.         max_request_time = 30
  100.         cleanup_delay = 5
  101.         max_requests = 16384
  102.         pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
  103.         checkrad = "/usr/local/sbin/checkrad"
  104.         debug_level = 0
  105.         proxy_requests = yes
  106.  log {
  107.         stripped_names = no
  108.         auth = no
  109.         auth_badpass = no
  110.         auth_goodpass = no
  111.         colourise = yes
  112.         msg_denied = "You are already logged in - access denied"
  113.  }
  114.  resources {
  115.  }
  116.  security {
  117.         max_attributes = 200
  118.         reject_delay = 1.000000
  119.         status_server = yes
  120.         allow_vulnerable_openssl = "CVE-2016-6304"
  121.  }
  122. }
  123. radiusd: #### Loading Realms and Home Servers ####
  124.  proxy server {
  125.         retry_delay = 5
  126.         retry_count = 3
  127.         default_fallback = no
  128.         dead_time = 120
  129.         wake_all_if_all_dead = no
  130.  }
  131.  home_server localhost {
  132.         ipaddr = 127.0.0.1
  133.         port = 1812
  134.         type = "auth"
  135.         secret = <<< secret >>>
  136.         response_window = 20.000000
  137.         response_timeouts = 1
  138.         max_outstanding = 65536
  139.         zombie_period = 40
  140.         status_check = "status-server"
  141.         ping_interval = 30
  142.         check_interval = 30
  143.         check_timeout = 4
  144.         num_answers_to_alive = 3
  145.         revive_interval = 120
  146.   limit {
  147.         max_connections = 16
  148.         max_requests = 0
  149.         lifetime = 0
  150.         idle_timeout = 0
  151.   }
  152.   coa {
  153.         irt = 2
  154.         mrt = 16
  155.         mrc = 5
  156.         mrd = 30
  157.   }
  158.  }
  159.  home_server_pool my_auth_failover {
  160.         type = fail-over
  161.         home_server = localhost
  162.  }
  163.  realm example.com {
  164.         auth_pool = my_auth_failover
  165.  }
  166.  realm LOCAL {
  167.  }
  168. radiusd: #### Loading Clients ####
  169.  client Aruba {
  170.         ipaddr = 10.168.149.99
  171.         require_message_authenticator = no
  172.         secret = <<< secret >>>
  173.   limit {
  174.         max_connections = 16
  175.         lifetime = 0
  176.         idle_timeout = 30
  177.   }
  178.  }
  179.  client localhost {
  180.         ipaddr = 127.0.0.1
  181.         require_message_authenticator = no
  182.         secret = <<< secret >>>
  183.         nas_type = "other"
  184.         proto = "*"
  185.   limit {
  186.         max_connections = 16
  187.         lifetime = 0
  188.         idle_timeout = 30
  189.   }
  190.  }
  191.  client localhost_ipv6 {
  192.         ipv6addr = ::1
  193.         require_message_authenticator = no
  194.         secret = <<< secret >>>
  195.   limit {
  196.         max_connections = 16
  197.         lifetime = 0
  198.         idle_timeout = 30
  199.   }
  200.  }
  201. Debugger not attached
  202.  # Creating Auth-Type = digest
  203.  # Creating Auth-Type = eap
  204.  # Creating Auth-Type = PAP
  205.  # Creating Auth-Type = CHAP
  206.  # Creating Auth-Type = MS-CHAP
  207.  # Creating Auth-Type = LDAP
  208. radiusd: #### Instantiating modules ####
  209.  modules {
  210.   # Loaded module rlm_digest
  211.   # Loading module "digest" from file /usr/local/etc/raddb/mods-enabled/digest
  212.   # Loaded module rlm_passwd
  213.   # Loading module "etc_passwd" from file /usr/local/etc/raddb/mods-enabled/pass                                                                                                                                                             wd
  214.   passwd etc_passwd {
  215.         filename = "/etc/passwd"
  216.         format = "*User-Name:Crypt-Password:"
  217.         delimiter = ":"
  218.         ignore_nislike = no
  219.         ignore_empty = yes
  220.         allow_multiple_keys = no
  221.         hash_size = 100
  222.   }
  223.   # Loaded module rlm_exec
  224.   # Loading module "ntlm_auth1" from file /usr/local/etc/raddb/mods-enabled/ntlm                                                                                                                                                             _auth
  225.   exec ntlm_auth1 {
  226.         wait = yes
  227.         program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --usern                                                                                                                                                             ame=%{mschap_fbc:User-Name} --password=%{User-Password}"
  228.         shell_escape = yes
  229.   }
  230.   # Loading module "echo" from file /usr/local/etc/raddb/mods-enabled/echo
  231.   exec echo {
  232.         wait = yes
  233.         program = "/bin/echo %{User-Name}"
  234.         input_pairs = "request"
  235.         output_pairs = "reply"
  236.         shell_escape = yes
  237.   }
  238.   # Loaded module rlm_replicate
  239.   # Loading module "replicate" from file /usr/local/etc/raddb/mods-enabled/repli                                                                                                                                                             cate
  240.   # Loaded module rlm_soh
  241.   # Loading module "soh" from file /usr/local/etc/raddb/mods-enabled/soh
  242.   soh {
  243.         dhcp = yes
  244.   }
  245.   # Loaded module rlm_chap
  246.   # Loading module "chap" from file /usr/local/etc/raddb/mods-enabled/chap
  247.   # Loaded module rlm_files
  248.   # Loading module "files" from file /usr/local/etc/raddb/mods-enabled/files
  249.   files {
  250.         filename = "/usr/local/etc/raddb/mods-config/files/authorize"
  251.         acctusersfile = "/usr/local/etc/raddb/mods-config/files/accounting"
  252.         preproxy_usersfile = "/usr/local/etc/raddb/mods-config/files/pre-proxy"
  253.   }
  254.   # Loaded module rlm_detail
  255.   # Loading module "auth_log" from file /usr/local/etc/raddb/mods-enabled/detail                                                                                                                                                             .log
  256.   detail auth_log {
  257.         filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}                                                                                                                                                             :-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  258.         header = "%t"
  259.         permissions = 384
  260.         locking = no
  261.         escape_filenames = no
  262.         log_packet_header = no
  263.   }
  264.   # Loading module "reply_log" from file /usr/local/etc/raddb/mods-enabled/detai                                                                                                                                                             l.log
  265.   detail reply_log {
  266.         filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}                                                                                                                                                             :-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  267.         header = "%t"
  268.         permissions = 384
  269.         locking = no
  270.         escape_filenames = no
  271.         log_packet_header = no
  272.   }
  273.   # Loading module "pre_proxy_log" from file /usr/local/etc/raddb/mods-enabled/d                                                                                                                                                             etail.log
  274.   detail pre_proxy_log {
  275.         filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}                                                                                                                                                             :-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  276.         header = "%t"
  277.         permissions = 384
  278.         locking = no
  279.         escape_filenames = no
  280.         log_packet_header = no
  281.   }
  282.   # Loading module "post_proxy_log" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             detail.log
  283.   detail post_proxy_log {
  284.         filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}                                                                                                                                                             :-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  285.         header = "%t"
  286.         permissions = 384
  287.         locking = no
  288.         escape_filenames = no
  289.         log_packet_header = no
  290.   }
  291.   # Loaded module rlm_linelog
  292.   # Loading module "linelog" from file /usr/local/etc/raddb/mods-enabled/linelog
  293.   linelog {
  294.         filename = "/usr/local/var/log/radius/linelog"
  295.         escape_filenames = no
  296.         syslog_severity = "info"
  297.         permissions = 384
  298.         format = "This is a log message for %{User-Name}"
  299.         reference = "messages.%{%{reply:Packet-Type}:-default}"
  300.   }
  301.   # Loading module "log_accounting" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             linelog
  302.   linelog log_accounting {
  303.         filename = "/usr/local/var/log/radius/linelog-accounting"
  304.         escape_filenames = no
  305.         syslog_severity = "info"
  306.         permissions = 384
  307.         format = ""
  308.         reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  309.   }
  310.   # Loaded module rlm_logintime
  311.   # Loading module "logintime" from file /usr/local/etc/raddb/mods-enabled/login                                                                                                                                                             time
  312.   logintime {
  313.         minimum_timeout = 60
  314.   }
  315.   # Loading module "exec" from file /usr/local/etc/raddb/mods-enabled/exec
  316.   exec {
  317.         wait = no
  318.         input_pairs = "request"
  319.         shell_escape = yes
  320.         timeout = 10
  321.   }
  322.   # Loaded module rlm_dhcp
  323.   # Loading module "dhcp" from file /usr/local/etc/raddb/mods-enabled/dhcp
  324.   # Loaded module rlm_radutmp
  325.   # Loading module "radutmp" from file /usr/local/etc/raddb/mods-enabled/radutmp
  326.   radutmp {
  327.         filename = "/usr/local/var/log/radius/radutmp"
  328.         username = "%{User-Name}"
  329.         case_sensitive = yes
  330.         check_with_nas = yes
  331.         permissions = 384
  332.         caller_id = yes
  333.   }
  334.   # Loaded module rlm_mschap
  335.   # Loading module "mschap_hbs" from file /usr/local/etc/raddb/mods-enabled/msch                                                                                                                                                             ap_hbs
  336.   mschap mschap_hbs {
  337.         use_mppe = yes
  338.         require_encryption = no
  339.         require_strong = no
  340.         with_ntdomain_hack = yes
  341.         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=hbs.fbcexample                                                                                                                                                             .com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{                                                                                                                                                             mschap_hbs:Challenge}:-00} --nt-response=%{%{mschap_hbs:NT-Response}:-00} --requ                                                                                                                                                             ire-membership-of='fbcexample\\LDAP_WiFi'"
  342.    passchange {
  343.    }
  344.         allow_retry = yes
  345.   }
  346.   # Loaded module rlm_unpack
  347.   # Loading module "unpack" from file /usr/local/etc/raddb/mods-enabled/unpack
  348.   # Loaded module rlm_attr_filter
  349.   # Loading module "attr_filter.post-proxy" from file /usr/local/etc/raddb/mods-                                                                                                                                                             enabled/attr_filter
  350.   attr_filter attr_filter.post-proxy {
  351.         filename = "/usr/local/etc/raddb/mods-config/attr_filter/post-proxy"
  352.         key = "%{Realm}"
  353.         relaxed = no
  354.   }
  355.   # Loading module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/mods-e                                                                                                                                                             nabled/attr_filter
  356.   attr_filter attr_filter.pre-proxy {
  357.         filename = "/usr/local/etc/raddb/mods-config/attr_filter/pre-proxy"
  358.         key = "%{Realm}"
  359.         relaxed = no
  360.   }
  361.   # Loading module "attr_filter.access_reject" from file /usr/local/etc/raddb/mo                                                                                                                                                             ds-enabled/attr_filter
  362.   attr_filter attr_filter.access_reject {
  363.         filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_reject"
  364.         key = "%{User-Name}"
  365.         relaxed = no
  366.   }
  367.   # Loading module "attr_filter.access_challenge" from file /usr/local/etc/raddb                                                                                                                                                             /mods-enabled/attr_filter
  368.   attr_filter attr_filter.access_challenge {
  369.         filename = "/usr/local/etc/raddb/mods-config/attr_filter/access_challeng                                                                                                                                                             e"
  370.         key = "%{User-Name}"
  371.         relaxed = no
  372.   }
  373.   # Loading module "attr_filter.accounting_response" from file /usr/local/etc/ra                                                                                                                                                             ddb/mods-enabled/attr_filter
  374.   attr_filter attr_filter.accounting_response {
  375.         filename = "/usr/local/etc/raddb/mods-config/attr_filter/accounting_resp                                                                                                                                                             onse"
  376.         key = "%{User-Name}"
  377.         relaxed = no
  378.   }
  379.   # Loaded module rlm_dynamic_clients
  380.   # Loading module "dynamic_clients" from file /usr/local/etc/raddb/mods-enabled                                                                                                                                                             /dynamic_clients
  381.   # Loaded module rlm_eap
  382.   # Loading module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
  383.   eap {
  384.         default_eap_type = "peap"
  385.         timer_expire = 60
  386.         ignore_unknown_eap_types = no
  387.         cisco_accounting_username_bug = no
  388.         max_sessions = 16384
  389.   }
  390.   # Loading module "mschap_hac" from file /usr/local/etc/raddb/mods-enabled/msch                                                                                                                                                             ap_hac
  391.   mschap mschap_hac {
  392.         use_mppe = yes
  393.         require_encryption = no
  394.         require_strong = no
  395.         with_ntdomain_hack = yes
  396.         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=hac.fbcexample                                                                                                                                                             .com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{                                                                                                                                                             mschap_hac:Challenge}:-00} --nt-response=%{%{mschap_hac:NT-Response}:-00}  --req                                                                                                                                                             uire-membership-of=fbcexample\\LDAP_WiFi"
  397.    passchange {
  398.    }
  399.         allow_retry = yes
  400.   }
  401.   # Loaded module rlm_ldap
  402.   # Loading module "ldap" from file /usr/local/etc/raddb/mods-enabled/ldap
  403.   ldap {
  404.         server = "10.168.109.12"
  405.         identity = "CN=free radius,OU=Service Accounts,DC=fbcexample,DC=com"
  406.         password = <<< secret >>>
  407.    sasl {
  408.    }
  409.    user {
  410.         scope = "sub"
  411.         access_positive = yes
  412.     sasl {
  413.     }
  414.    }
  415.    group {
  416.         filter = "(objectClass=posixGroup)"
  417.         scope = "sub"
  418.         name_attribute = "cn"
  419.         membership_attribute = "memberOf"
  420.         cacheable_name = no
  421.         cacheable_dn = no
  422.    }
  423.    client {
  424.         filter = "(objectClass=radiusClient)"
  425.         scope = "sub"
  426.         base_dn = "DC=fbcexample,DC=com"
  427.    }
  428.    profile {
  429.    }
  430.    options {
  431.         ldap_debug = 40
  432.         chase_referrals = yes
  433.         rebind = yes
  434.         net_timeout = 1
  435.         res_timeout = 10
  436.         srv_timelimit = 3
  437.         idle = 60
  438.         probes = 3
  439.         interval = 3
  440.    }
  441.    tls {
  442.         start_tls = no
  443.    }
  444.   }
  445. Creating attribute LDAP-Group
  446.   # Loaded module rlm_unix
  447.   # Loading module "unix" from file /usr/local/etc/raddb/mods-enabled/unix
  448.   unix {
  449.         radwtmp = "/usr/local/var/log/radius/radwtmp"
  450.   }
  451. Creating attribute Unix-Group
  452.   # Loading module "mschap_fbc" from file /usr/local/etc/raddb/mods-enabled/msch                                                                                                                                                             ap_fbc
  453.   mschap mschap_fbc {
  454.         use_mppe = yes
  455.         require_encryption = no
  456.         require_strong = no
  457.         with_ntdomain_hack = yes
  458.         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --u                                                                                                                                                             sername=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_f                                                                                                                                                             bc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00}  --require-mem                                                                                                                                                             bership-of='fbcexample\\LDAP_WiFi'"
  459.    passchange {
  460.    }
  461.         allow_retry = yes
  462.   }
  463.   # Loaded module rlm_cache
  464.   # Loading module "cache_eap" from file /usr/local/etc/raddb/mods-enabled/cache                                                                                                                                                             _eap
  465.   cache cache_eap {
  466.         driver = "rlm_cache_rbtree"
  467.         key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  468.         ttl = 15
  469.         max_entries = 0
  470.         epoch = 0
  471.         add_stats = no
  472.   }
  473.   # Loaded module rlm_expiration
  474.   # Loading module "expiration" from file /usr/local/etc/raddb/mods-enabled/expi                                                                                                                                                             ration
  475.   # Loaded module rlm_expr
  476.   # Loading module "expr" from file /usr/local/etc/raddb/mods-enabled/expr
  477.   expr {
  478.         safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ                                                                                                                                                             0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  479.   }
  480.   # Loaded module rlm_realm
  481.   # Loading module "IPASS" from file /usr/local/etc/raddb/mods-enabled/realm
  482.   realm IPASS {
  483.         format = "prefix"
  484.         delimiter = "/"
  485.         ignore_default = no
  486.         ignore_null = no
  487.   }
  488.   # Loading module "suffix" from file /usr/local/etc/raddb/mods-enabled/realm
  489.   realm suffix {
  490.         format = "suffix"
  491.         delimiter = "@"
  492.         ignore_default = no
  493.         ignore_null = no
  494.   }
  495.   # Loading module "realmpercent" from file /usr/local/etc/raddb/mods-enabled/re                                                                                                                                                             alm
  496.   realm realmpercent {
  497.         format = "suffix"
  498.         delimiter = "%"
  499.         ignore_default = no
  500.         ignore_null = no
  501.   }
  502.   # Loading module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/realm
  503.   realm ntdomain {
  504.         format = "prefix"
  505.         delimiter = "\\"
  506.        ignore_default = no
  507.        ignore_null = no
  508.  }
  509.  # Loaded module rlm_preprocess
  510.  # Loading module "preprocess" from file /usr/local/etc/raddb/mods-enabled/prep                                                                                                                                                             rocess
  511.  preprocess {
  512.        huntgroups = "/usr/local/etc/raddb/mods-config/preprocess/huntgroups"
  513.        hints = "/usr/local/etc/raddb/mods-config/preprocess/hints"
  514.        with_ascend_hack = no
  515.        ascend_channels_per_line = 23
  516.        with_ntdomain_hack = no
  517.        with_specialix_jetstream_hack = no
  518.        with_cisco_vsa_hack = no
  519.        with_alvarion_vsa_hack = no
  520.  }
  521.  # Loaded module rlm_always
  522.  # Loading module "reject" from file /usr/local/etc/raddb/mods-enabled/always
  523.  always reject {
  524.        rcode = "reject"
  525.        simulcount = 0
  526.        mpp = no
  527.  }
  528.  # Loading module "fail" from file /usr/local/etc/raddb/mods-enabled/always
  529.  always fail {
  530.        rcode = "fail"
  531.        simulcount = 0
  532.        mpp = no
  533.  }
  534.  # Loading module "ok" from file /usr/local/etc/raddb/mods-enabled/always
  535.  always ok {
  536.        rcode = "ok"
  537.        simulcount = 0
  538.        mpp = no
  539.  }
  540.  # Loading module "handled" from file /usr/local/etc/raddb/mods-enabled/always
  541.  always handled {
  542.        rcode = "handled"
  543.        simulcount = 0
  544.        mpp = no
  545.  }
  546.  # Loading module "invalid" from file /usr/local/etc/raddb/mods-enabled/always
  547.  always invalid {
  548.        rcode = "invalid"
  549.        simulcount = 0
  550.        mpp = no
  551.  }
  552.  # Loading module "userlock" from file /usr/local/etc/raddb/mods-enabled/always
  553.  always userlock {
  554.        rcode = "userlock"
  555.        simulcount = 0
  556.        mpp = no
  557.  }
  558.  # Loading module "notfound" from file /usr/local/etc/raddb/mods-enabled/always
  559.  always notfound {
  560.        rcode = "notfound"
  561.        simulcount = 0
  562.        mpp = no
  563.  }
  564.  # Loading module "noop" from file /usr/local/etc/raddb/mods-enabled/always
  565.  always noop {
  566.        rcode = "noop"
  567.        simulcount = 0
  568.        mpp = no
  569.  }
  570.  # Loading module "updated" from file /usr/local/etc/raddb/mods-enabled/always
  571.  always updated {
  572.        rcode = "updated"
  573.        simulcount = 0
  574.        mpp = no
  575.  }
  576.  # Loading module "mschap_cbs" from file /usr/local/etc/raddb/mods-enabled/msch                                                                                                                                                             ap_cbs
  577.  mschap mschap_cbs {
  578.        use_mppe = yes
  579.        require_encryption = no
  580.        require_strong = no
  581.        with_ntdomain_hack = yes
  582.        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=cbs.fbcexample                                                                                                                                                             .com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{                                                                                                                                                             mschap_cbs:Challenge}:-00} --nt-response=%{%{mschap_cbs:NT-Response}:-00} --requ                                                                                                                                                             ire-membership-of='fbcexample\\LDAP_WiFi'"
  583.   passchange {
  584.   }
  585.        allow_retry = yes
  586.  }
  587.  # Loaded module rlm_date
  588.  # Loading module "date" from file /usr/local/etc/raddb/mods-enabled/date
  589.  date {
  590.        format = "%b %e %Y %H:%M:%S %Z"
  591.  }
  592.  # Loaded module rlm_utf8
  593.  # Loading module "utf8" from file /usr/local/etc/raddb/mods-enabled/utf8
  594.  # Loaded module rlm_pap
  595.  # Loading module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
  596.  pap {
  597.        normalise = yes
  598.  }
  599.  # Loading module "detail" from file /usr/local/etc/raddb/mods-enabled/detail
  600.  detail {
  601.        filename = "/usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}                                                                                                                                                             :-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  602.        header = "%t"
  603.        permissions = 384
  604.        locking = no
  605.        escape_filenames = no
  606.        log_packet_header = no
  607.  }
  608.  # Loading module "sradutmp" from file /usr/local/etc/raddb/mods-enabled/sradut                                                                                                                                                             mp
  609.  radutmp sradutmp {
  610.        filename = "/usr/local/var/log/radius/sradutmp"
  611.        username = "%{User-Name}"
  612.        case_sensitive = yes
  613.        check_with_nas = yes
  614.        permissions = 420
  615.        caller_id = no
  616.  }
  617.  instantiate {
  618.  }
  619.  # Instantiating module "etc_passwd" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/passwd
  620. rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  621.  # Instantiating module "files" from file /usr/local/etc/raddb/mods-enabled/fil                                                                                                                                                             es
  622. reading pairlist file /usr/local/etc/raddb/mods-config/files/authorize
  623. reading pairlist file /usr/local/etc/raddb/mods-config/files/accounting
  624. reading pairlist file /usr/local/etc/raddb/mods-config/files/pre-proxy
  625.  # Instantiating module "auth_log" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             detail.log
  626. rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail out                                                                                                                                                             put
  627.  # Instantiating module "reply_log" from file /usr/local/etc/raddb/mods-enabled                                                                                                                                                             /detail.log
  628.  # Instantiating module "pre_proxy_log" from file /usr/local/etc/raddb/mods-ena                                                                                                                                                             bled/detail.log
  629.  # Instantiating module "post_proxy_log" from file /usr/local/etc/raddb/mods-en                                                                                                                                                             abled/detail.log
  630.  # Instantiating module "linelog" from file /usr/local/etc/raddb/mods-enabled/l                                                                                                                                                             inelog
  631.  # Instantiating module "log_accounting" from file /usr/local/etc/raddb/mods-en                                                                                                                                                             abled/linelog
  632.  # Instantiating module "logintime" from file /usr/local/etc/raddb/mods-enabled                                                                                                                                                             /logintime
  633.  # Instantiating module "mschap_hbs" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/mschap_hbs
  634. rlm_mschap (mschap_hbs): authenticating by calling 'ntlm_auth'
  635.  # Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb                                                                                                                                                             /mods-enabled/attr_filter
  636. reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/post-proxy
  637.  # Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/                                                                                                                                                             mods-enabled/attr_filter
  638. reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/pre-proxy
  639.  # Instantiating module "attr_filter.access_reject" from file /usr/local/etc/ra                                                                                                                                                             ddb/mods-enabled/attr_filter
  640. reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_reject
  641. [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "Free                                                                                                                                                             RADIUS-Response-Delay"  found in filter list for realm "DEFAULT".
  642. [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "Free                                                                                                                                                             RADIUS-Response-Delay-USec"     found in filter list for realm "DEFAULT".
  643.  # Instantiating module "attr_filter.access_challenge" from file /usr/local/etc                                                                                                                                                             /raddb/mods-enabled/attr_filter
  644. reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/access_challe                                                                                                                                                             nge
  645.  # Instantiating module "attr_filter.accounting_response" from file /usr/local/                                                                                                                                                             etc/raddb/mods-enabled/attr_filter
  646. reading pairlist file /usr/local/etc/raddb/mods-config/attr_filter/accounting_re                                                                                                                                                             sponse
  647.  # Instantiating module "eap" from file /usr/local/etc/raddb/mods-enabled/eap
  648.   # Linked to sub-module rlm_eap_md5
  649.   # Linked to sub-module rlm_eap_leap
  650.   # Linked to sub-module rlm_eap_gtc
  651.   gtc {
  652.        challenge = "Password: "
  653.        auth_type = "PAP"
  654.   }
  655.   # Linked to sub-module rlm_eap_tls
  656.   tls {
  657.        tls = "tls-common"
  658.   }
  659.   tls-config tls-common {
  660.        verify_depth = 0
  661.        ca_path = "/usr/local/etc/raddb/certs"
  662.        pem_file_type = yes
  663.        private_key_file = "/usr/local/etc/raddb/certs/server.pem"
  664.        certificate_file = "/usr/local/etc/raddb/certs/server.pem"
  665.        ca_file = "/usr/local/etc/raddb/certs/ca.pem"
  666.        private_key_password = <<< secret >>>
  667.        dh_file = "/usr/local/etc/raddb/certs/dh"
  668.        random_file = "/dev/urandom"
  669.        fragment_size = 1024
  670.        include_length = yes
  671.        auto_chain = yes
  672.        check_crl = no
  673.        check_all_crl = no
  674.        cipher_list = "DEFAULT"
  675.        ecdh_curve = "prime256v1"
  676.    cache {
  677.        enable = yes
  678.        lifetime = 24
  679.        max_entries = 255
  680.    }
  681.    verify {
  682.        skip_if_ocsp_ok = no
  683.    }
  684.    ocsp {
  685.        enable = no
  686.        override_cert_url = yes
  687.        url = "http://127.0.0.1/ocsp/"
  688.        use_nonce = yes
  689.        timeout = 0
  690.        softfail = no
  691.    }
  692.   }
  693.   # Linked to sub-module rlm_eap_ttls
  694.   ttls {
  695.        tls = "tls-common"
  696.        default_eap_type = "md5"
  697.        copy_request_to_tunnel = no
  698.        use_tunneled_reply = no
  699.        virtual_server = "inner-tunnel"
  700.        include_length = yes
  701.        require_client_cert = no
  702.   }
  703. tls: Using cached TLS configuration from previous invocation
  704.   # Linked to sub-module rlm_eap_peap
  705.   peap {
  706.        tls = "tls-common"
  707.        default_eap_type = "mschapv2"
  708.        copy_request_to_tunnel = no
  709.        use_tunneled_reply = no
  710.        proxy_tunneled_request_as_eap = yes
  711.        virtual_server = "inner-tunnel"
  712.        soh = no
  713.        require_client_cert = no
  714.   }
  715. tls: Using cached TLS configuration from previous invocation
  716.   # Linked to sub-module rlm_eap_mschapv2
  717.   mschapv2 {
  718.        with_ntdomain_hack = no
  719.        send_error = no
  720.   }
  721.  # Instantiating module "mschap_hac" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/mschap_hac
  722. rlm_mschap (mschap_hac): authenticating by calling 'ntlm_auth'
  723.  # Instantiating module "ldap" from file /usr/local/etc/raddb/mods-enabled/ldap
  724. rlm_ldap: libldap vendor: OpenLDAP, version: 20442
  725.   accounting {
  726.        reference = "%{tolower:type.%{Acct-Status-Type}}"
  727.   }
  728.   post-auth {
  729.        reference = "."
  730.   }
  731. rlm_ldap (ldap): Initialising connection pool
  732.   pool {
  733.        start = 5
  734.        min = 3
  735.        max = 32
  736.        spare = 10
  737.        uses = 0
  738.        lifetime = 0
  739.        cleanup_interval = 30
  740.        idle_timeout = 60
  741.        retry_delay = 30
  742.        spread = no
  743.   }
  744. rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
  745. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  746. rlm_ldap (ldap): Waiting for bind result...
  747. rlm_ldap (ldap): Bind successful
  748. rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
  749. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  750. rlm_ldap (ldap): Waiting for bind result...
  751. rlm_ldap (ldap): Bind successful
  752. rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
  753. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  754. rlm_ldap (ldap): Waiting for bind result...
  755. rlm_ldap (ldap): Bind successful
  756. rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
  757. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  758. rlm_ldap (ldap): Waiting for bind result...
  759. rlm_ldap (ldap): Bind successful
  760. rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
  761. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  762. rlm_ldap (ldap): Waiting for bind result...
  763. rlm_ldap (ldap): Bind successful
  764.  # Instantiating module "mschap_fbc" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/mschap_fbc
  765. rlm_mschap (mschap_fbc): authenticating by calling 'ntlm_auth'
  766.  # Instantiating module "cache_eap" from file /usr/local/etc/raddb/mods-enabled                                                                                                                                                             /cache_eap
  767. rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded                                                                                                                                                              and linked
  768.  # Instantiating module "expiration" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/expiration
  769.  # Instantiating module "IPASS" from file /usr/local/etc/raddb/mods-enabled/rea                                                                                                                                                             lm
  770.  # Instantiating module "suffix" from file /usr/local/etc/raddb/mods-enabled/re                                                                                                                                                             alm
  771.  # Instantiating module "realmpercent" from file /usr/local/etc/raddb/mods-enab                                                                                                                                                             led/realm
  772.  # Instantiating module "ntdomain" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             realm
  773.  # Instantiating module "preprocess" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/preprocess
  774. reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/huntgroups
  775. reading pairlist file /usr/local/etc/raddb/mods-config/preprocess/hints
  776.  # Instantiating module "reject" from file /usr/local/etc/raddb/mods-enabled/al                                                                                                                                                             ways
  777.  # Instantiating module "fail" from file /usr/local/etc/raddb/mods-enabled/alwa                                                                                                                                                             ys
  778.  # Instantiating module "ok" from file /usr/local/etc/raddb/mods-enabled/always
  779.  # Instantiating module "handled" from file /usr/local/etc/raddb/mods-enabled/a                                                                                                                                                             lways
  780.  # Instantiating module "invalid" from file /usr/local/etc/raddb/mods-enabled/a                                                                                                                                                             lways
  781.  # Instantiating module "userlock" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             always
  782.  # Instantiating module "notfound" from file /usr/local/etc/raddb/mods-enabled/                                                                                                                                                             always
  783.  # Instantiating module "noop" from file /usr/local/etc/raddb/mods-enabled/alwa                                                                                                                                                             ys
  784.  # Instantiating module "updated" from file /usr/local/etc/raddb/mods-enabled/a                                                                                                                                                             lways
  785.  # Instantiating module "mschap_cbs" from file /usr/local/etc/raddb/mods-enable                                                                                                                                                             d/mschap_cbs
  786. rlm_mschap (mschap_cbs): authenticating by calling 'ntlm_auth'
  787.  # Instantiating module "pap" from file /usr/local/etc/raddb/mods-enabled/pap
  788.  # Instantiating module "detail" from file /usr/local/etc/raddb/mods-enabled/de                                                                                                                                                             tail
  789. } # modules
  790. radiusd: #### Loading Virtual Servers ####
  791. server { # from file /usr/local/etc/raddb/radiusd.conf
  792. } # server
  793. server default { # from file /usr/local/etc/raddb/sites-enabled/default
  794. # Loading authenticate {...}
  795. # Loading authorize {...}
  796. Ignoring "sql" (see raddb/mods-available/README.rst)
  797. # Loading preacct {...}
  798. # Loading accounting {...}
  799. # Loading post-proxy {...}
  800. # Loading post-auth {...}
  801. } # server default
  802. server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunne                                                                                                                                                             l
  803. # Loading authenticate {...}
  804. # Loading authorize {...}
  805. # Loading session {...}
  806. # Loading post-proxy {...}
  807. # Loading post-auth {...}
  808. } # server inner-tunnel
  809. radiusd: #### Opening IP addresses and Ports ####
  810. listen {
  811.        type = "auth"
  812.        ipaddr = *
  813.        port = 0
  814.   limit {
  815.        max_connections = 16
  816.        lifetime = 0
  817.        idle_timeout = 30
  818.   }
  819. }
  820. listen {
  821.        type = "acct"
  822.        ipaddr = *
  823.        port = 0
  824.   limit {
  825.        max_connections = 16
  826.        lifetime = 0
  827.        idle_timeout = 30
  828.   }
  829. }
  830. listen {
  831.        type = "auth"
  832.        ipv6addr = ::
  833.        port = 0
  834.   limit {
  835.        max_connections = 16
  836.        lifetime = 0
  837.        idle_timeout = 30
  838.   }
  839. }
  840. listen {
  841.        type = "acct"
  842.        ipv6addr = ::
  843.        port = 0
  844.   limit {
  845.        max_connections = 16
  846.        lifetime = 0
  847.        idle_timeout = 30
  848.   }
  849. }
  850. listen {
  851.        type = "auth"
  852.        ipaddr = 127.0.0.1
  853.        port = 18120
  854. }
  855. Listening on auth address * port 1812 bound to server default
  856. Listening on acct address * port 1813 bound to server default
  857. Listening on auth address :: port 1812 bound to server default
  858. Listening on acct address :: port 1813 bound to server default
  859. Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
  860. Listening on proxy address * port 51077
  861. Listening on proxy address :: port 38969
  862. Ready to process requests
  863.  
  864.  
  865.  
  866.  
  867.  
  868.  
  869.  
  870.  
  871. DONE LOADING
  872.  
  873.  
  874.  
  875.  
  876.  
  877.  
  878.  
  879.  
  880.  
  881. (0) Received Access-Request Id 111 from 10.168.149.99:33240 to 10.168.109.39:1812 length 218
  882. (0)   User-Name = "host/FBC-2007.fbcexample.com"
  883. (0)   NAS-IP-Address = 10.168.149.99
  884. (0)   NAS-Port = 0
  885. (0)   NAS-Identifier = "10.168.149.99"
  886. (0)   NAS-Port-Type = Wireless-802.11
  887. (0)   Calling-Station-Id = "C0335E160E17"
  888. (0)   Called-Station-Id = "000B866DC9CC"
  889. (0)   Service-Type = Login-User
  890. (0)   Framed-MTU = 1100
  891. (0)   EAP-Message = 0x0201002101686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  892. (0)   Aruba-Essid-Name = "Testnet"
  893. (0)   Aruba-Location-Id = "FBC-2103"
  894. (0)   Aruba-AP-Group = "FBC"
  895. (0)   Message-Authenticator = 0xe8156c70f328ebe0d03721fa4d256f73
  896. (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  897. (0)   authorize {
  898. (0)     policy filter_username {
  899. (0)       if (&User-Name) {
  900. (0)       if (&User-Name)  -> TRUE
  901. (0)       if (&User-Name)  {
  902. (0)         if (&User-Name =~ / /) {
  903. (0)         if (&User-Name =~ / /)  -> FALSE
  904. (0)         if (&User-Name =~ /@[^@]*@/ ) {
  905. (0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  906. (0)         if (&User-Name =~ /\.\./ ) {
  907. (0)         if (&User-Name =~ /\.\./ )  -> FALSE
  908. (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  909. (0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  910. (0)         if (&User-Name =~ /\.$/)  {
  911. (0)         if (&User-Name =~ /\.$/)   -> FALSE
  912. (0)         if (&User-Name =~ /@\./)  {
  913. (0)         if (&User-Name =~ /@\./)   -> FALSE
  914. (0)       } # if (&User-Name)  = notfound
  915. (0)     } # policy filter_username = notfound
  916. (0)     [preprocess] = ok
  917. (0)     [chap] = noop
  918. (0)     [mschap_fbc] = noop
  919. (0)     [mschap_hac] = noop
  920. (0)     [mschap_hbs] = noop
  921. (0)     [mschap_cbs] = noop
  922. (0)     [digest] = noop
  923. (0) suffix: Checking for suffix after "@"
  924. (0) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  925. (0) suffix: No such realm "NULL"
  926. (0)     [suffix] = noop
  927. (0) eap: Peer sent EAP Response (code 2) ID 1 length 33
  928. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  929. (0)     [eap] = ok
  930. (0)   } # authorize = ok
  931. (0) Found Auth-Type = eap
  932. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  933. (0)   authenticate {
  934. (0) eap: Peer sent packet with method EAP Identity (1)
  935. (0) eap: Calling submodule eap_peap to process data
  936. (0) eap_peap: Initiating new EAP-TLS session
  937. (0) eap_peap: Flushing SSL sessions (of #0)
  938. (0) eap_peap: [eaptls start] = request
  939. (0) eap: Sending EAP Request (code 1) ID 2 length 6
  940. (0) eap: EAP session adding &reply:State = 0x9c1879469c1a60a4
  941. (0)     [eap] = handled
  942. (0)   } # authenticate = handled
  943. (0) Using Post-Auth-Type Challenge
  944. (0) Post-Auth-Type sub-section not found.  Ignoring.
  945. (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  946. (0) Sent Access-Challenge Id 111 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  947. (0)   EAP-Message = 0x010200061920
  948. (0)   Message-Authenticator = 0x00000000000000000000000000000000
  949. (0)   State = 0x9c1879469c1a60a4861a78f51320a634
  950. (0) Finished request
  951. Waking up in 4.9 seconds.
  952. (1) Received Access-Request Id 112 from 10.168.149.99:33240 to 10.168.109.39:1812 length 385
  953. (1)   User-Name = "host/FBC-2007.fbcexample.com"
  954. (1)   NAS-IP-Address = 10.168.149.99
  955. (1)   NAS-Port = 0
  956. (1)   NAS-Identifier = "10.168.149.99"
  957. (1)   NAS-Port-Type = Wireless-802.11
  958. (1)   Calling-Station-Id = "C0335E160E17"
  959. (1)   Called-Station-Id = "000B866DC9CC"
  960. (1)   Service-Type = Login-User
  961. (1)   Framed-MTU = 1100
  962. (1)   EAP-Message = 0x020200b61980000000ac16030300a7010000a30303581a16368f6d2594d5faaee3731b97add7cce5976fd8c992a5699065bc384e7500003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a004000380032001300050004010000
  963. (1)   State = 0x9c1879469c1a60a4861a78f51320a634
  964. (1)   Aruba-Essid-Name = "Testnet"
  965. (1)   Aruba-Location-Id = "FBC-2103"
  966. (1)   Aruba-AP-Group = "FBC"
  967. (1)   Message-Authenticator = 0x87a1aa971c96a09b6b6f939431ecea10
  968. (1) session-state: No cached attributes
  969. (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  970. (1)   authorize {
  971. (1)     policy filter_username {
  972. (1)       if (&User-Name) {
  973. (1)       if (&User-Name)  -> TRUE
  974. (1)       if (&User-Name)  {
  975. (1)         if (&User-Name =~ / /) {
  976. (1)         if (&User-Name =~ / /)  -> FALSE
  977. (1)         if (&User-Name =~ /@[^@]*@/ ) {
  978. (1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  979. (1)         if (&User-Name =~ /\.\./ ) {
  980. (1)         if (&User-Name =~ /\.\./ )  -> FALSE
  981. (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  982. (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  983. (1)         if (&User-Name =~ /\.$/)  {
  984. (1)         if (&User-Name =~ /\.$/)   -> FALSE
  985. (1)         if (&User-Name =~ /@\./)  {
  986. (1)         if (&User-Name =~ /@\./)   -> FALSE
  987. (1)       } # if (&User-Name)  = notfound
  988. (1)     } # policy filter_username = notfound
  989. (1)     [preprocess] = ok
  990. (1)     [chap] = noop
  991. (1)     [mschap_fbc] = noop
  992. (1)     [mschap_hac] = noop
  993. (1)     [mschap_hbs] = noop
  994. (1)     [mschap_cbs] = noop
  995. (1)     [digest] = noop
  996. (1) suffix: Checking for suffix after "@"
  997. (1) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  998. (1) suffix: No such realm "NULL"
  999. (1)     [suffix] = noop
  1000. (1) eap: Peer sent EAP Response (code 2) ID 2 length 182
  1001. (1) eap: Continuing tunnel setup
  1002. (1)     [eap] = ok
  1003. (1)   } # authorize = ok
  1004. (1) Found Auth-Type = eap
  1005. (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1006. (1)   authenticate {
  1007. (1) eap: Expiring EAP session with state 0x9c1879469c1a60a4
  1008. (1) eap: Finished EAP session with state 0x9c1879469c1a60a4
  1009. (1) eap: Previous EAP request found for state 0x9c1879469c1a60a4, released from the list
  1010. (1) eap: Peer sent packet with method EAP PEAP (25)
  1011. (1) eap: Calling submodule eap_peap to process data
  1012. (1) eap_peap: Continuing EAP-TLS
  1013. (1) eap_peap: Peer indicated complete TLS record size will be 172 bytes
  1014. (1) eap_peap: Got complete TLS record (172 bytes)
  1015. (1) eap_peap: [eaptls verify] = length included
  1016. (1) eap_peap: (other): before/accept initialization
  1017. (1) eap_peap: TLS_accept: before/accept initialization
  1018. (1) eap_peap: <<< recv TLS 1.2  [length 00a7]
  1019. (1) eap_peap: TLS_accept: unknown state
  1020. (1) eap_peap: >>> send TLS 1.2  [length 0059]
  1021. (1) eap_peap: TLS_accept: unknown state
  1022. (1) eap_peap: >>> send TLS 1.2  [length 08be]
  1023. (1) eap_peap: TLS_accept: unknown state
  1024. (1) eap_peap: >>> send TLS 1.2  [length 014d]
  1025. (1) eap_peap: TLS_accept: unknown state
  1026. (1) eap_peap: >>> send TLS 1.2  [length 0004]
  1027. (1) eap_peap: TLS_accept: unknown state
  1028. (1) eap_peap: TLS_accept: unknown state
  1029. (1) eap_peap: TLS_accept: unknown state
  1030. (1) eap_peap: TLS_accept: Need to read more data: unknown state
  1031. (1) eap_peap: TLS_accept: Need to read more data: unknown state
  1032. (1) eap_peap: In SSL Handshake Phase
  1033. (1) eap_peap: In SSL Accept mode
  1034. (1) eap_peap: [eaptls process] = handled
  1035. (1) eap: Sending EAP Request (code 1) ID 3 length 1004
  1036. (1) eap: EAP session adding &reply:State = 0x9c1879469d1b60a4
  1037. (1)     [eap] = handled
  1038. (1)   } # authenticate = handled
  1039. (1) Using Post-Auth-Type Challenge
  1040. (1) Post-Auth-Type sub-section not found.  Ignoring.
  1041. (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1042. (1) Sent Access-Challenge Id 112 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1043. (1)   EAP-Message = 0x010303ec19c000000a7c160303005902000055030316b58a86014a574803a5917a7619b9bed60f79713e4d92eb933bea51fbc14b0820942ba95fc4f50210ffaff7f1db6e4988de62b9cd67d1e582bfdfbb347c280cc7c03000000dff01000100000b00040300010216030308be0b0008ba0008b70003db
  1044. (1)   Message-Authenticator = 0x00000000000000000000000000000000
  1045. (1)   State = 0x9c1879469d1b60a4861a78f51320a634
  1046. (1) Finished request
  1047. Waking up in 4.9 seconds.
  1048. (2) Received Access-Request Id 113 from 10.168.149.99:33240 to 10.168.109.39:1812 length 209
  1049. (2)   User-Name = "host/FBC-2007.fbcexample.com"
  1050. (2)   NAS-IP-Address = 10.168.149.99
  1051. (2)   NAS-Port = 0
  1052. (2)   NAS-Identifier = "10.168.149.99"
  1053. (2)   NAS-Port-Type = Wireless-802.11
  1054. (2)   Calling-Station-Id = "C0335E160E17"
  1055. (2)   Called-Station-Id = "000B866DC9CC"
  1056. (2)   Service-Type = Login-User
  1057. (2)   Framed-MTU = 1100
  1058. (2)   EAP-Message = 0x020300061900
  1059. (2)   State = 0x9c1879469d1b60a4861a78f51320a634
  1060. (2)   Aruba-Essid-Name = "Testnet"
  1061. (2)   Aruba-Location-Id = "FBC-2103"
  1062. (2)   Aruba-AP-Group = "FBC"
  1063. (2)   Message-Authenticator = 0xab6c2d611d5e6db595d5d50478d88fdc
  1064. (2) session-state: No cached attributes
  1065. (2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1066. (2)   authorize {
  1067. (2)     policy filter_username {
  1068. (2)       if (&User-Name) {
  1069. (2)       if (&User-Name)  -> TRUE
  1070. (2)       if (&User-Name)  {
  1071. (2)         if (&User-Name =~ / /) {
  1072. (2)         if (&User-Name =~ / /)  -> FALSE
  1073. (2)         if (&User-Name =~ /@[^@]*@/ ) {
  1074. (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1075. (2)         if (&User-Name =~ /\.\./ ) {
  1076. (2)         if (&User-Name =~ /\.\./ )  -> FALSE
  1077. (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1078. (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1079. (2)         if (&User-Name =~ /\.$/)  {
  1080. (2)         if (&User-Name =~ /\.$/)   -> FALSE
  1081. (2)         if (&User-Name =~ /@\./)  {
  1082. (2)         if (&User-Name =~ /@\./)   -> FALSE
  1083. (2)       } # if (&User-Name)  = notfound
  1084. (2)     } # policy filter_username = notfound
  1085. (2)     [preprocess] = ok
  1086. (2)     [chap] = noop
  1087. (2)     [mschap_fbc] = noop
  1088. (2)     [mschap_hac] = noop
  1089. (2)     [mschap_hbs] = noop
  1090. (2)     [mschap_cbs] = noop
  1091. (2)     [digest] = noop
  1092. (2) suffix: Checking for suffix after "@"
  1093. (2) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1094. (2) suffix: No such realm "NULL"
  1095. (2)     [suffix] = noop
  1096. (2) eap: Peer sent EAP Response (code 2) ID 3 length 6
  1097. (2) eap: Continuing tunnel setup
  1098. (2)     [eap] = ok
  1099. (2)   } # authorize = ok
  1100. (2) Found Auth-Type = eap
  1101. (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1102. (2)   authenticate {
  1103. (2) eap: Expiring EAP session with state 0x9c1879469d1b60a4
  1104. (2) eap: Finished EAP session with state 0x9c1879469d1b60a4
  1105. (2) eap: Previous EAP request found for state 0x9c1879469d1b60a4, released from the list
  1106. (2) eap: Peer sent packet with method EAP PEAP (25)
  1107. (2) eap: Calling submodule eap_peap to process data
  1108. (2) eap_peap: Continuing EAP-TLS
  1109. (2) eap_peap: Peer ACKed our handshake fragment
  1110. (2) eap_peap: [eaptls verify] = request
  1111. (2) eap_peap: [eaptls process] = handled
  1112. (2) eap: Sending EAP Request (code 1) ID 4 length 1000
  1113. (2) eap: EAP session adding &reply:State = 0x9c1879469e1c60a4
  1114. (2)     [eap] = handled
  1115. (2)   } # authenticate = handled
  1116. (2) Using Post-Auth-Type Challenge
  1117. (2) Post-Auth-Type sub-section not found.  Ignoring.
  1118. (2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1119. (2) Sent Access-Challenge Id 113 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1120. (2)   EAP-Message = 0x010403e8194011a8e7c1e27393a346149fb1639e1304ff78a88f8fa230137fd87b47f8bc022ab208d74616992c217d84c16e609fc97c061b00a95d113885a5560268e2d5dae8e0b34facb1d8d3df51af1969d21ad174554bf3cf49642df9ebc917d33bae29018bf8778c4b3f0004d6308204d2308203ba
  1121. (2)   Message-Authenticator = 0x00000000000000000000000000000000
  1122. (2)   State = 0x9c1879469e1c60a4861a78f51320a634
  1123. (2) Finished request
  1124. Waking up in 4.9 seconds.
  1125. (3) Received Access-Request Id 114 from 10.168.149.99:33240 to 10.168.109.39:1812 length 209
  1126. (3)   User-Name = "host/FBC-2007.fbcexample.com"
  1127. (3)   NAS-IP-Address = 10.168.149.99
  1128. (3)   NAS-Port = 0
  1129. (3)   NAS-Identifier = "10.168.149.99"
  1130. (3)   NAS-Port-Type = Wireless-802.11
  1131. (3)   Calling-Station-Id = "C0335E160E17"
  1132. (3)   Called-Station-Id = "000B866DC9CC"
  1133. (3)   Service-Type = Login-User
  1134. (3)   Framed-MTU = 1100
  1135. (3)   EAP-Message = 0x020400061900
  1136. (3)   State = 0x9c1879469e1c60a4861a78f51320a634
  1137. (3)   Aruba-Essid-Name = "Testnet"
  1138. (3)   Aruba-Location-Id = "FBC-2103"
  1139. (3)   Aruba-AP-Group = "FBC"
  1140. (3)   Message-Authenticator = 0x713439b95aea0acde30416f3ee81ba37
  1141. (3) session-state: No cached attributes
  1142. (3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1143. (3)   authorize {
  1144. (3)     policy filter_username {
  1145. (3)       if (&User-Name) {
  1146. (3)       if (&User-Name)  -> TRUE
  1147. (3)       if (&User-Name)  {
  1148. (3)         if (&User-Name =~ / /) {
  1149. (3)         if (&User-Name =~ / /)  -> FALSE
  1150. (3)         if (&User-Name =~ /@[^@]*@/ ) {
  1151. (3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1152. (3)         if (&User-Name =~ /\.\./ ) {
  1153. (3)         if (&User-Name =~ /\.\./ )  -> FALSE
  1154. (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1155. (3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1156. (3)         if (&User-Name =~ /\.$/)  {
  1157. (3)         if (&User-Name =~ /\.$/)   -> FALSE
  1158. (3)         if (&User-Name =~ /@\./)  {
  1159. (3)         if (&User-Name =~ /@\./)   -> FALSE
  1160. (3)       } # if (&User-Name)  = notfound
  1161. (3)     } # policy filter_username = notfound
  1162. (3)     [preprocess] = ok
  1163. (3)     [chap] = noop
  1164. (3)     [mschap_fbc] = noop
  1165. (3)     [mschap_hac] = noop
  1166. (3)     [mschap_hbs] = noop
  1167. (3)     [mschap_cbs] = noop
  1168. (3)     [digest] = noop
  1169. (3) suffix: Checking for suffix after "@"
  1170. (3) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1171. (3) suffix: No such realm "NULL"
  1172. (3)     [suffix] = noop
  1173. (3) eap: Peer sent EAP Response (code 2) ID 4 length 6
  1174. (3) eap: Continuing tunnel setup
  1175. (3)     [eap] = ok
  1176. (3)   } # authorize = ok
  1177. (3) Found Auth-Type = eap
  1178. (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1179. (3)   authenticate {
  1180. (3) eap: Expiring EAP session with state 0x9c1879469e1c60a4
  1181. (3) eap: Finished EAP session with state 0x9c1879469e1c60a4
  1182. (3) eap: Previous EAP request found for state 0x9c1879469e1c60a4, released from the list
  1183. (3) eap: Peer sent packet with method EAP PEAP (25)
  1184. (3) eap: Calling submodule eap_peap to process data
  1185. (3) eap_peap: Continuing EAP-TLS
  1186. (3) eap_peap: Peer ACKed our handshake fragment
  1187. (3) eap_peap: [eaptls verify] = request
  1188. (3) eap_peap: [eaptls process] = handled
  1189. (3) eap: Sending EAP Request (code 1) ID 5 length 702
  1190. (3) eap: EAP session adding &reply:State = 0x9c1879469f1d60a4
  1191. (3)     [eap] = handled
  1192. (3)   } # authenticate = handled
  1193. (3) Using Post-Auth-Type Challenge
  1194. (3) Post-Auth-Type sub-section not found.  Ignoring.
  1195. (3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1196. (3) Sent Access-Challenge Id 114 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1197. (3)   EAP-Message = 0x010502be1900300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100706bdef08ab24a28fb45ef114b73dc360c440688
  1198. (3)   Message-Authenticator = 0x00000000000000000000000000000000
  1199. (3)   State = 0x9c1879469f1d60a4861a78f51320a634
  1200. (3) Finished request
  1201. Waking up in 4.9 seconds.
  1202. (4) Received Access-Request Id 115 from 10.168.149.99:33240 to 10.168.109.39:1812 length 339
  1203. (4)   User-Name = "host/FBC-2007.fbcexample.com"
  1204. (4)   NAS-IP-Address = 10.168.149.99
  1205. (4)   NAS-Port = 0
  1206. (4)   NAS-Identifier = "10.168.149.99"
  1207. (4)   NAS-Port-Type = Wireless-802.11
  1208. (4)   Calling-Station-Id = "C0335E160E17"
  1209. (4)   Called-Station-Id = "000B866DC9CC"
  1210. (4)   Service-Type = Login-User
  1211. (4)   Framed-MTU = 1100
  1212. (4)   EAP-Message = 0x0205008819800000007e1603030046100000424104ddc79e4af94da68fd8d0140f1bb076c99f95dda18b2d7ee91ee0c898ce7c88cdf6e60352beb4d030b8cef10b8e6feef92da6415eac1ce7545361c88b3d88213a140303000101160303002800000000000000007bb7865eddd8d6d6c2dd7b87d2747d
  1213. (4)   State = 0x9c1879469f1d60a4861a78f51320a634
  1214. (4)   Aruba-Essid-Name = "Testnet"
  1215. (4)   Aruba-Location-Id = "FBC-2103"
  1216. (4)   Aruba-AP-Group = "FBC"
  1217. (4)   Message-Authenticator = 0xca28c7ab123166b734f0ec922fbcfbee
  1218. (4) session-state: No cached attributes
  1219. (4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1220. (4)   authorize {
  1221. (4)     policy filter_username {
  1222. (4)       if (&User-Name) {
  1223. (4)       if (&User-Name)  -> TRUE
  1224. (4)       if (&User-Name)  {
  1225. (4)         if (&User-Name =~ / /) {
  1226. (4)         if (&User-Name =~ / /)  -> FALSE
  1227. (4)         if (&User-Name =~ /@[^@]*@/ ) {
  1228. (4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1229. (4)         if (&User-Name =~ /\.\./ ) {
  1230. (4)         if (&User-Name =~ /\.\./ )  -> FALSE
  1231. (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1232. (4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1233. (4)         if (&User-Name =~ /\.$/)  {
  1234. (4)         if (&User-Name =~ /\.$/)   -> FALSE
  1235. (4)         if (&User-Name =~ /@\./)  {
  1236. (4)         if (&User-Name =~ /@\./)   -> FALSE
  1237. (4)       } # if (&User-Name)  = notfound
  1238. (4)     } # policy filter_username = notfound
  1239. (4)     [preprocess] = ok
  1240. (4)     [chap] = noop
  1241. (4)     [mschap_fbc] = noop
  1242. (4)     [mschap_hac] = noop
  1243. (4)     [mschap_hbs] = noop
  1244. (4)     [mschap_cbs] = noop
  1245. (4)     [digest] = noop
  1246. (4) suffix: Checking for suffix after "@"
  1247. (4) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1248. (4) suffix: No such realm "NULL"
  1249. (4)     [suffix] = noop
  1250. (4) eap: Peer sent EAP Response (code 2) ID 5 length 136
  1251. (4) eap: Continuing tunnel setup
  1252. (4)     [eap] = ok
  1253. (4)   } # authorize = ok
  1254. (4) Found Auth-Type = eap
  1255. (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1256. (4)   authenticate {
  1257. (4) eap: Expiring EAP session with state 0x9c1879469f1d60a4
  1258. (4) eap: Finished EAP session with state 0x9c1879469f1d60a4
  1259. (4) eap: Previous EAP request found for state 0x9c1879469f1d60a4, released from the list
  1260. (4) eap: Peer sent packet with method EAP PEAP (25)
  1261. (4) eap: Calling submodule eap_peap to process data
  1262. (4) eap_peap: Continuing EAP-TLS
  1263. (4) eap_peap: Peer indicated complete TLS record size will be 126 bytes
  1264. (4) eap_peap: Got complete TLS record (126 bytes)
  1265. (4) eap_peap: [eaptls verify] = length included
  1266. (4) eap_peap: <<< recv TLS 1.2  [length 0046]
  1267. (4) eap_peap: TLS_accept: unknown state
  1268. (4) eap_peap: TLS_accept: unknown state
  1269. (4) eap_peap: <<< recv TLS 1.2  [length 0001]
  1270. (4) eap_peap: <<< recv TLS 1.2  [length 0010]
  1271. (4) eap_peap: TLS_accept: unknown state
  1272. (4) eap_peap: >>> send TLS 1.2  [length 0001]
  1273. (4) eap_peap: TLS_accept: unknown state
  1274. (4) eap_peap: >>> send TLS 1.2  [length 0010]
  1275. (4) eap_peap: TLS_accept: unknown state
  1276. (4) eap_peap: TLS_accept: unknown state
  1277. (4) eap_peap: (other): SSL negotiation finished successfully
  1278. (4) eap_peap: SSL Connection Established
  1279. (4) eap_peap: [eaptls process] = handled
  1280. (4) eap: Sending EAP Request (code 1) ID 6 length 57
  1281. (4) eap: EAP session adding &reply:State = 0x9c187946981e60a4
  1282. (4)     [eap] = handled
  1283. (4)   } # authenticate = handled
  1284. (4) Using Post-Auth-Type Challenge
  1285. (4) Post-Auth-Type sub-section not found.  Ignoring.
  1286. (4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1287. (4) Sent Access-Challenge Id 115 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1288. (4)   EAP-Message = 0x0106003919001403030001011603030028570a86b772a74a60ce455cdf8e16bdb26598e515dddc9c0631b365981f906a8a1e10692dfee48e6f
  1289. (4)   Message-Authenticator = 0x00000000000000000000000000000000
  1290. (4)   State = 0x9c187946981e60a4861a78f51320a634
  1291. (4) Finished request
  1292. Waking up in 4.9 seconds.
  1293. (5) Received Access-Request Id 116 from 10.168.149.99:33240 to 10.168.109.39:1812 length 209
  1294. (5)   User-Name = "host/FBC-2007.fbcexample.com"
  1295. (5)   NAS-IP-Address = 10.168.149.99
  1296. (5)   NAS-Port = 0
  1297. (5)   NAS-Identifier = "10.168.149.99"
  1298. (5)   NAS-Port-Type = Wireless-802.11
  1299. (5)   Calling-Station-Id = "C0335E160E17"
  1300. (5)   Called-Station-Id = "000B866DC9CC"
  1301. (5)   Service-Type = Login-User
  1302. (5)   Framed-MTU = 1100
  1303. (5)   EAP-Message = 0x020600061900
  1304. (5)   State = 0x9c187946981e60a4861a78f51320a634
  1305. (5)   Aruba-Essid-Name = "Testnet"
  1306. (5)   Aruba-Location-Id = "FBC-2103"
  1307. (5)   Aruba-AP-Group = "FBC"
  1308. (5)   Message-Authenticator = 0x7aab59fe48d064233cd413c2e97ce0ec
  1309. (5) session-state: No cached attributes
  1310. (5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1311. (5)   authorize {
  1312. (5)     policy filter_username {
  1313. (5)       if (&User-Name) {
  1314. (5)       if (&User-Name)  -> TRUE
  1315. (5)       if (&User-Name)  {
  1316. (5)         if (&User-Name =~ / /) {
  1317. (5)         if (&User-Name =~ / /)  -> FALSE
  1318. (5)         if (&User-Name =~ /@[^@]*@/ ) {
  1319. (5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1320. (5)         if (&User-Name =~ /\.\./ ) {
  1321. (5)         if (&User-Name =~ /\.\./ )  -> FALSE
  1322. (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1323. (5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1324. (5)         if (&User-Name =~ /\.$/)  {
  1325. (5)         if (&User-Name =~ /\.$/)   -> FALSE
  1326. (5)         if (&User-Name =~ /@\./)  {
  1327. (5)         if (&User-Name =~ /@\./)   -> FALSE
  1328. (5)       } # if (&User-Name)  = notfound
  1329. (5)     } # policy filter_username = notfound
  1330. (5)     [preprocess] = ok
  1331. (5)     [chap] = noop
  1332. (5)     [mschap_fbc] = noop
  1333. (5)     [mschap_hac] = noop
  1334. (5)     [mschap_hbs] = noop
  1335. (5)     [mschap_cbs] = noop
  1336. (5)     [digest] = noop
  1337. (5) suffix: Checking for suffix after "@"
  1338. (5) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1339. (5) suffix: No such realm "NULL"
  1340. (5)     [suffix] = noop
  1341. (5) eap: Peer sent EAP Response (code 2) ID 6 length 6
  1342. (5) eap: Continuing tunnel setup
  1343. (5)     [eap] = ok
  1344. (5)   } # authorize = ok
  1345. (5) Found Auth-Type = eap
  1346. (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1347. (5)   authenticate {
  1348. (5) eap: Expiring EAP session with state 0x9c187946981e60a4
  1349. (5) eap: Finished EAP session with state 0x9c187946981e60a4
  1350. (5) eap: Previous EAP request found for state 0x9c187946981e60a4, released from the list
  1351. (5) eap: Peer sent packet with method EAP PEAP (25)
  1352. (5) eap: Calling submodule eap_peap to process data
  1353. (5) eap_peap: Continuing EAP-TLS
  1354. (5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
  1355. (5) eap_peap: [eaptls verify] = success
  1356. (5) eap_peap: [eaptls process] = success
  1357. (5) eap_peap: Session established.  Decoding tunneled attributes
  1358. (5) eap_peap: PEAP state TUNNEL ESTABLISHED
  1359. (5) eap: Sending EAP Request (code 1) ID 7 length 40
  1360. (5) eap: EAP session adding &reply:State = 0x9c187946991f60a4
  1361. (5)     [eap] = handled
  1362. (5)   } # authenticate = handled
  1363. (5) Using Post-Auth-Type Challenge
  1364. (5) Post-Auth-Type sub-section not found.  Ignoring.
  1365. (5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1366. (5) Sent Access-Challenge Id 116 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1367. (5)   EAP-Message = 0x010700281900170303001d570a86b772a74a610dd9c3e15861539e046f6c6f9c522a9a5e670e377e
  1368. (5)   Message-Authenticator = 0x00000000000000000000000000000000
  1369. (5)   State = 0x9c187946991f60a4861a78f51320a634
  1370. (5) Finished request
  1371. Waking up in 3.5 seconds.
  1372. (6) Received Access-Request Id 117 from 10.168.149.99:33240 to 10.168.109.39:1812 length 267
  1373. (6)   User-Name = "host/FBC-2007.fbcexample.com"
  1374. (6)   NAS-IP-Address = 10.168.149.99
  1375. (6)   NAS-Port = 0
  1376. (6)   NAS-Identifier = "10.168.149.99"
  1377. (6)   NAS-Port-Type = Wireless-802.11
  1378. (6)   Calling-Station-Id = "C0335E160E17"
  1379. (6)   Called-Station-Id = "000B866DC9CC"
  1380. (6)   Service-Type = Login-User
  1381. (6)   Framed-MTU = 1100
  1382. (6)   EAP-Message = 0x02070040190017030300350000000000000001fb3132605d0afa6a49f41513db416674a4f6393cfd525d464423f35b16d3532725f52255969761c6860ee998ae
  1383. (6)   State = 0x9c187946991f60a4861a78f51320a634
  1384. (6)   Aruba-Essid-Name = "Testnet"
  1385. (6)   Aruba-Location-Id = "FBC-2103"
  1386. (6)   Aruba-AP-Group = "FBC"
  1387. (6)   Message-Authenticator = 0x42080da9c0b0a931c5e749a68fccdf2d
  1388. (6) session-state: No cached attributes
  1389. (6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1390. (6)   authorize {
  1391. (6)     policy filter_username {
  1392. (6)       if (&User-Name) {
  1393. (6)       if (&User-Name)  -> TRUE
  1394. (6)       if (&User-Name)  {
  1395. (6)         if (&User-Name =~ / /) {
  1396. (6)         if (&User-Name =~ / /)  -> FALSE
  1397. (6)         if (&User-Name =~ /@[^@]*@/ ) {
  1398. (6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1399. (6)         if (&User-Name =~ /\.\./ ) {
  1400. (6)         if (&User-Name =~ /\.\./ )  -> FALSE
  1401. (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1402. (6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1403. (6)         if (&User-Name =~ /\.$/)  {
  1404. (6)         if (&User-Name =~ /\.$/)   -> FALSE
  1405. (6)         if (&User-Name =~ /@\./)  {
  1406. (6)         if (&User-Name =~ /@\./)   -> FALSE
  1407. (6)       } # if (&User-Name)  = notfound
  1408. (6)     } # policy filter_username = notfound
  1409. (6)     [preprocess] = ok
  1410. (6)     [chap] = noop
  1411. (6)     [mschap_fbc] = noop
  1412. (6)     [mschap_hac] = noop
  1413. (6)     [mschap_hbs] = noop
  1414. (6)     [mschap_cbs] = noop
  1415. (6)     [digest] = noop
  1416. (6) suffix: Checking for suffix after "@"
  1417. (6) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1418. (6) suffix: No such realm "NULL"
  1419. (6)     [suffix] = noop
  1420. (6) eap: Peer sent EAP Response (code 2) ID 7 length 64
  1421. (6) eap: Continuing tunnel setup
  1422. (6)     [eap] = ok
  1423. (6)   } # authorize = ok
  1424. (6) Found Auth-Type = eap
  1425. (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1426. (6)   authenticate {
  1427. (6) eap: Expiring EAP session with state 0x9c187946991f60a4
  1428. (6) eap: Finished EAP session with state 0x9c187946991f60a4
  1429. (6) eap: Previous EAP request found for state 0x9c187946991f60a4, released from the list
  1430. (6) eap: Peer sent packet with method EAP PEAP (25)
  1431. (6) eap: Calling submodule eap_peap to process data
  1432. (6) eap_peap: Continuing EAP-TLS
  1433. (6) eap_peap: [eaptls verify] = ok
  1434. (6) eap_peap: Done initial handshake
  1435. (6) eap_peap: [eaptls process] = ok
  1436. (6) eap_peap: Session established.  Decoding tunneled attributes
  1437. (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  1438. (6) eap_peap: Identity - host/FBC-2007.fbcexample.com
  1439. (6) eap_peap: Got inner identity 'host/FBC-2007.fbcexample.com'
  1440. (6) eap_peap: Setting default EAP type for tunneled EAP session
  1441. (6) eap_peap: Got tunneled request
  1442. (6) eap_peap:   EAP-Message = 0x0207002101686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1443. (6) eap_peap: Setting User-Name to host/FBC-2007.fbcexample.com
  1444. (6) eap_peap: Sending tunneled request to inner-tunnel
  1445. (6) eap_peap:   EAP-Message = 0x0207002101686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1446. (6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
  1447. (6) eap_peap:   User-Name = "host/FBC-2007.fbcexample.com"
  1448. (6) Virtual server inner-tunnel received request
  1449. (6)   EAP-Message = 0x0207002101686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1450. (6)   FreeRADIUS-Proxied-To = 127.0.0.1
  1451. (6)   User-Name = "host/FBC-2007.fbcexample.com"
  1452. (6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
  1453. (6) server inner-tunnel {
  1454. (6)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1455. (6)     authorize {
  1456. (6)       policy filter_username {
  1457. (6)         if (&User-Name) {
  1458. (6)         if (&User-Name)  -> TRUE
  1459. (6)         if (&User-Name)  {
  1460. (6)           if (&User-Name =~ / /) {
  1461. (6)           if (&User-Name =~ / /)  -> FALSE
  1462. (6)           if (&User-Name =~ /@[^@]*@/ ) {
  1463. (6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1464. (6)           if (&User-Name =~ /\.\./ ) {
  1465. (6)           if (&User-Name =~ /\.\./ )  -> FALSE
  1466. (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1467. (6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1468. (6)           if (&User-Name =~ /\.$/)  {
  1469. (6)           if (&User-Name =~ /\.$/)   -> FALSE
  1470. (6)           if (&User-Name =~ /@\./)  {
  1471. (6)           if (&User-Name =~ /@\./)   -> FALSE
  1472. (6)         } # if (&User-Name)  = notfound
  1473. (6)       } # policy filter_username = notfound
  1474. (6)       [chap] = noop
  1475. (6)       [mschap_fbc] = noop
  1476. (6)       [mschap_hac] = noop
  1477. (6)       [mschap_hbs] = noop
  1478. (6)       [mschap_cbs] = noop
  1479. (6) suffix: Checking for suffix after "@"
  1480. (6) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1481. (6) suffix: No such realm "NULL"
  1482. (6)       [suffix] = noop
  1483. (6)       update control {
  1484. (6)         &Proxy-To-Realm := LOCAL
  1485. (6)       } # update control = noop
  1486. (6) eap: Peer sent EAP Response (code 2) ID 7 length 33
  1487. (6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1488. (6)       [eap] = ok
  1489. (6)     } # authorize = ok
  1490. (6)   Found Auth-Type = eap
  1491. (6)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1492. (6)     authenticate {
  1493. (6) eap: Peer sent packet with method EAP Identity (1)
  1494. (6) eap: Calling submodule eap_mschapv2 to process data
  1495. (6) eap_mschapv2: Issuing Challenge
  1496. (6) eap: Sending EAP Request (code 1) ID 8 length 43
  1497. (6) eap: EAP session adding &reply:State = 0xd0e0a42fd0e8be1d
  1498. (6)       [eap] = handled
  1499. (6)     } # authenticate = handled
  1500. (6) } # server inner-tunnel
  1501. (6) Virtual server sending reply
  1502. (6)   EAP-Message = 0x0108002b1a0108002610feae9608bb379f29c05355f3125612bc667265657261646975732d332e302e3132
  1503. (6)   Message-Authenticator = 0x00000000000000000000000000000000
  1504. (6)   State = 0xd0e0a42fd0e8be1d6bcf733b96e786eb
  1505. (6) eap_peap: Got tunneled reply code 11
  1506. (6) eap_peap:   EAP-Message = 0x0108002b1a0108002610feae9608bb379f29c05355f3125612bc667265657261646975732d332e302e3132
  1507. (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  1508. (6) eap_peap:   State = 0xd0e0a42fd0e8be1d6bcf733b96e786eb
  1509. (6) eap_peap: Got tunneled reply RADIUS code 11
  1510. (6) eap_peap:   EAP-Message = 0x0108002b1a0108002610feae9608bb379f29c05355f3125612bc667265657261646975732d332e302e3132
  1511. (6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  1512. (6) eap_peap:   State = 0xd0e0a42fd0e8be1d6bcf733b96e786eb
  1513. (6) eap_peap: Got tunneled Access-Challenge
  1514. (6) eap: Sending EAP Request (code 1) ID 8 length 74
  1515. (6) eap: EAP session adding &reply:State = 0x9c1879469a1060a4
  1516. (6)     [eap] = handled
  1517. (6)   } # authenticate = handled
  1518. (6) Using Post-Auth-Type Challenge
  1519. (6) Post-Auth-Type sub-section not found.  Ignoring.
  1520. (6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1521. (6) Sent Access-Challenge Id 117 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1522. (6)   EAP-Message = 0x0108004a1900170303003f570a86b772a74a625e875c6347c75e83c2bfe4a1adc9a6597df1c3441898e6c373c522d3ac24583365399eb0bd567523dad600b3723489d853b4a12723a018
  1523. (6)   Message-Authenticator = 0x00000000000000000000000000000000
  1524. (6)   State = 0x9c1879469a1060a4861a78f51320a634
  1525. (6) Finished request
  1526. Waking up in 3.5 seconds.
  1527. (7) Received Access-Request Id 118 from 10.168.149.99:33240 to 10.168.109.39:1812 length 321
  1528. (7)   User-Name = "host/FBC-2007.fbcexample.com"
  1529. (7)   NAS-IP-Address = 10.168.149.99
  1530. (7)   NAS-Port = 0
  1531. (7)   NAS-Identifier = "10.168.149.99"
  1532. (7)   NAS-Port-Type = Wireless-802.11
  1533. (7)   Calling-Station-Id = "C0335E160E17"
  1534. (7)   Called-Station-Id = "000B866DC9CC"
  1535. (7)   Service-Type = Login-User
  1536. (7)   Framed-MTU = 1100
  1537. (7)   EAP-Message = 0x020800761900170303006b0000000000000002a2cf27a1c9ead490ed4b2c96513e6ea968b34819356566077930fdfdea9c50360476e85459e894c6f66f4fda45c36d3911b93bab1196f8ec3ac8310ca77ff4b54ec81ad06ca52ffde8a3daf0bf2fbe4d8d1f6bfa91339d6e5f816415c7b386153bccaf
  1538. (7)   State = 0x9c1879469a1060a4861a78f51320a634
  1539. (7)   Aruba-Essid-Name = "Testnet"
  1540. (7)   Aruba-Location-Id = "FBC-2103"
  1541. (7)   Aruba-AP-Group = "FBC"
  1542. (7)   Message-Authenticator = 0x4cad1ffac9781c9f8baf0a3748dd5288
  1543. (7) session-state: No cached attributes
  1544. (7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1545. (7)   authorize {
  1546. (7)     policy filter_username {
  1547. (7)       if (&User-Name) {
  1548. (7)       if (&User-Name)  -> TRUE
  1549. (7)       if (&User-Name)  {
  1550. (7)         if (&User-Name =~ / /) {
  1551. (7)         if (&User-Name =~ / /)  -> FALSE
  1552. (7)         if (&User-Name =~ /@[^@]*@/ ) {
  1553. (7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1554. (7)         if (&User-Name =~ /\.\./ ) {
  1555. (7)         if (&User-Name =~ /\.\./ )  -> FALSE
  1556. (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1557. (7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1558. (7)         if (&User-Name =~ /\.$/)  {
  1559. (7)         if (&User-Name =~ /\.$/)   -> FALSE
  1560. (7)         if (&User-Name =~ /@\./)  {
  1561. (7)         if (&User-Name =~ /@\./)   -> FALSE
  1562. (7)       } # if (&User-Name)  = notfound
  1563. (7)     } # policy filter_username = notfound
  1564. (7)     [preprocess] = ok
  1565. (7)     [chap] = noop
  1566. (7)     [mschap_fbc] = noop
  1567. (7)     [mschap_hac] = noop
  1568. (7)     [mschap_hbs] = noop
  1569. (7)     [mschap_cbs] = noop
  1570. (7)     [digest] = noop
  1571. (7) suffix: Checking for suffix after "@"
  1572. (7) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1573. (7) suffix: No such realm "NULL"
  1574. (7)     [suffix] = noop
  1575. (7) eap: Peer sent EAP Response (code 2) ID 8 length 118
  1576. (7) eap: Continuing tunnel setup
  1577. (7)     [eap] = ok
  1578. (7)   } # authorize = ok
  1579. (7) Found Auth-Type = eap
  1580. (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1581. (7)   authenticate {
  1582. (7) eap: Expiring EAP session with state 0xd0e0a42fd0e8be1d
  1583. (7) eap: Finished EAP session with state 0x9c1879469a1060a4
  1584. (7) eap: Previous EAP request found for state 0x9c1879469a1060a4, released from the list
  1585. (7) eap: Peer sent packet with method EAP PEAP (25)
  1586. (7) eap: Calling submodule eap_peap to process data
  1587. (7) eap_peap: Continuing EAP-TLS
  1588. (7) eap_peap: [eaptls verify] = ok
  1589. (7) eap_peap: Done initial handshake
  1590. (7) eap_peap: [eaptls process] = ok
  1591. (7) eap_peap: Session established.  Decoding tunneled attributes
  1592. (7) eap_peap: PEAP state phase2
  1593. (7) eap_peap: EAP method MSCHAPv2 (26)
  1594. (7) eap_peap: Got tunneled request
  1595. (7) eap_peap:   EAP-Message = 0x020800571a0208005231ae84e182b00e66c868e19492ba489a5f0000000000000000890af10856073a5636482d4644932eaf632c1bf2e74aee6700686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1596. (7) eap_peap: Setting User-Name to host/FBC-2007.fbcexample.com
  1597. (7) eap_peap: Sending tunneled request to inner-tunnel
  1598. (7) eap_peap:   EAP-Message = 0x020800571a0208005231ae84e182b00e66c868e19492ba489a5f0000000000000000890af10856073a5636482d4644932eaf632c1bf2e74aee6700686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1599. (7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
  1600. (7) eap_peap:   User-Name = "host/FBC-2007.fbcexample.com"
  1601. (7) eap_peap:   State = 0xd0e0a42fd0e8be1d6bcf733b96e786eb
  1602. (7) Virtual server inner-tunnel received request
  1603. (7)   EAP-Message = 0x020800571a0208005231ae84e182b00e66c868e19492ba489a5f0000000000000000890af10856073a5636482d4644932eaf632c1bf2e74aee6700686f73742f4642432d323030372e66626368616d6d6f6e642e636f6d
  1604. (7)   FreeRADIUS-Proxied-To = 127.0.0.1
  1605. (7)   User-Name = "host/FBC-2007.fbcexample.com"
  1606. (7)   State = 0xd0e0a42fd0e8be1d6bcf733b96e786eb
  1607. (7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
  1608. (7) server inner-tunnel {
  1609. (7)   session-state: No cached attributes
  1610. (7)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1611. (7)     authorize {
  1612. (7)       policy filter_username {
  1613. (7)         if (&User-Name) {
  1614. (7)         if (&User-Name)  -> TRUE
  1615. (7)         if (&User-Name)  {
  1616. (7)           if (&User-Name =~ / /) {
  1617. (7)           if (&User-Name =~ / /)  -> FALSE
  1618. (7)           if (&User-Name =~ /@[^@]*@/ ) {
  1619. (7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1620. (7)           if (&User-Name =~ /\.\./ ) {
  1621. (7)           if (&User-Name =~ /\.\./ )  -> FALSE
  1622. (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1623. (7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1624. (7)           if (&User-Name =~ /\.$/)  {
  1625. (7)           if (&User-Name =~ /\.$/)   -> FALSE
  1626. (7)           if (&User-Name =~ /@\./)  {
  1627. (7)           if (&User-Name =~ /@\./)   -> FALSE
  1628. (7)         } # if (&User-Name)  = notfound
  1629. (7)       } # policy filter_username = notfound
  1630. (7)       [chap] = noop
  1631. (7)       [mschap_fbc] = noop
  1632. (7)       [mschap_hac] = noop
  1633. (7)       [mschap_hbs] = noop
  1634. (7)       [mschap_cbs] = noop
  1635. (7) suffix: Checking for suffix after "@"
  1636. (7) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1637. (7) suffix: No such realm "NULL"
  1638. (7)       [suffix] = noop
  1639. (7)       update control {
  1640. (7)         &Proxy-To-Realm := LOCAL
  1641. (7)       } # update control = noop
  1642. (7) eap: Peer sent EAP Response (code 2) ID 8 length 87
  1643. (7) eap: No EAP Start, assuming it's an on-going EAP conversation
  1644. (7)       [eap] = updated
  1645. (7)       [files] = noop
  1646. rlm_ldap (ldap): Reserved connection (0)
  1647. (7) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
  1648. (7) ldap:    --> (sAMAccountName=host/FBC-2007.fbcexample.com)
  1649. (7) ldap: Performing search in "DC=fbcexample,DC=com" with filter "(sAMAccountName=host/FBC-2007.fbcexample.com)", scope "sub"
  1650. (7) ldap: Waiting for search result...
  1651. rlm_ldap (ldap): Rebinding to URL ldap://hbs.fbcexample.com/DC=hbs,DC=fbcexample,DC=com
  1652. rlm_ldap (ldap): Waiting for bind result...
  1653. rlm_ldap (ldap): Rebinding to URL ldap://hac.fbcexample.com/DC=hac,DC=fbcexample,DC=com
  1654. rlm_ldap (ldap): Waiting for bind result...
  1655. rlm_ldap (ldap): Rebinding to URL ldap://cbs.fbcexample.com/DC=cbs,DC=fbcexample,DC=com
  1656. rlm_ldap (ldap): Waiting for bind result...
  1657. rlm_ldap (ldap): Rebinding to URL ldap://fbcexample.com/CN=Configuration,DC=fbcexample,DC=com
  1658. rlm_ldap (ldap): Waiting for bind result...
  1659. Unable to chase referral "ldap://LimitLogin.fbcexample.com/DC=LimitLogin,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  1660. rlm_ldap (ldap): Bind successful
  1661. Unable to chase referral "ldap://ForestDnsZones.fbcexample.com/DC=ForestDnsZones,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  1662. rlm_ldap (ldap): Bind successful
  1663. rlm_ldap (ldap): Bind successful
  1664. rlm_ldap (ldap): Bind successful
  1665. more than 5 referral hops (dropping)
  1666. Unable to chase referral "ldap://DomainDnsZones.cbs.fbcexample.com/DC=DomainDnsZones,DC=cbs,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  1667. rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.hac.fbcexample.com/DC=DomainDnsZones,DC=hac,DC=fbcexample,DC=com
  1668. rlm_ldap (ldap): Waiting for bind result...
  1669. more than 5 referral hops (dropping)
  1670. rlm_ldap (ldap): Bind successful
  1671. (7) ldap: Search returned no results
  1672. rlm_ldap (ldap): Deleting connection (0)
  1673. rlm_ldap (ldap): Need 6 more connections to reach 10 spares
  1674. rlm_ldap (ldap): Opening additional connection (5), 1 of 28 pending slots used
  1675. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  1676. rlm_ldap (ldap): Waiting for bind result...
  1677. rlm_ldap (ldap): Bind successful
  1678. (7)       [ldap] = notfound
  1679. (7)       [expiration] = noop
  1680. (7)       [logintime] = noop
  1681. (7)       [pap] = noop
  1682. (7)     } # authorize = updated
  1683. (7)   Found Auth-Type = eap
  1684. (7)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1685. (7)     authenticate {
  1686. (7) eap: Expiring EAP session with state 0xd0e0a42fd0e8be1d
  1687. (7) eap: Finished EAP session with state 0xd0e0a42fd0e8be1d
  1688. (7) eap: Previous EAP request found for state 0xd0e0a42fd0e8be1d, released from the list
  1689. (7) eap: Peer sent packet with method EAP MSCHAPv2 (26)
  1690. (7) eap: Calling submodule eap_mschapv2 to process data
  1691. (7) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1692. (7) eap_mschapv2:   Auth-Type MS-CHAP {
  1693. (7) mschap_fbc: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1694. (7) mschap_fbc: Client is using MS-CHAPv2
  1695. (7) mschap_fbc: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00}  --require-membership-of='fbcexample\\LDAP_WiFi':
  1696. (7) mschap_fbc: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  1697. (7) mschap_fbc:    --> --username=host/FBC-2007.fbcexample.com
  1698. (7) mschap_fbc: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1699. (7) mschap_fbc: EXPAND --challenge=%{%{mschap_fbc:Challenge}:-00}
  1700. (7) mschap_fbc:    --> --challenge=dc3f35abd8ca2037
  1701. (7) mschap_fbc: EXPAND --nt-response=%{%{mschap_fbc:NT-Response}:-00}
  1702. (7) mschap_fbc:    --> --nt-response=890af10856073a5636482d4644932eaf632c1bf2e74aee67
  1703. (7) mschap_fbc: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
  1704. (7) mschap_fbc: External script failed
  1705. (7) mschap_fbc: ERROR: External script says: Logon failure (0xc000006d)
  1706. (7) mschap_fbc: ERROR: MS-CHAP2-Response is incorrect
  1707. (7)     [mschap_fbc] = reject
  1708. (7)     if (reject){
  1709. (7)     if (reject) -> TRUE
  1710. (7)     if (reject) {
  1711. (7) mschap_hac: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1712. (7) mschap_hac: Client is using MS-CHAPv2
  1713. (7) mschap_hac: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=hac.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_hac:Challenge}:-00} --nt-response=%{%{mschap_hac:NT-Response}:-00}  --require-membership-of=fbcexample\\LDAP_WiFi:
  1714. (7) mschap_hac: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  1715. (7) mschap_hac:    --> --username=host/FBC-2007.fbcexample.com
  1716. (7) mschap_hac: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1717. (7) mschap_hac: EXPAND --challenge=%{%{mschap_hac:Challenge}:-00}
  1718. (7) mschap_hac:    --> --challenge=dc3f35abd8ca2037
  1719. (7) mschap_hac: EXPAND --nt-response=%{%{mschap_hac:NT-Response}:-00}
  1720. (7) mschap_hac:    --> --nt-response=890af10856073a5636482d4644932eaf632c1bf2e74aee67
  1721. (7) mschap_hac: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
  1722. (7) mschap_hac: External script failed
  1723. (7) mschap_hac: ERROR: External script says: Logon failure (0xc000006d)
  1724. (7) mschap_hac: ERROR: MS-CHAP2-Response is incorrect
  1725. (7)       [mschap_hac] = reject
  1726. (7)     } # if (reject) = reject
  1727. (7)     if (reject){
  1728. (7)     if (reject) -> TRUE
  1729. (7)     if (reject) {
  1730. (7) mschap_hbs: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1731. (7) mschap_hbs: Client is using MS-CHAPv2
  1732. (7) mschap_hbs: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=hbs.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_hbs:Challenge}:-00} --nt-response=%{%{mschap_hbs:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi':
  1733. (7) mschap_hbs: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  1734. (7) mschap_hbs:    --> --username=host/FBC-2007.fbcexample.com
  1735. (7) mschap_hbs: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1736. (7) mschap_hbs: EXPAND --challenge=%{%{mschap_hbs:Challenge}:-00}
  1737. (7) mschap_hbs:    --> --challenge=dc3f35abd8ca2037
  1738. (7) mschap_hbs: EXPAND --nt-response=%{%{mschap_hbs:NT-Response}:-00}
  1739. (7) mschap_hbs:    --> --nt-response=890af10856073a5636482d4644932eaf632c1bf2e74aee67
  1740. (7) mschap_hbs: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
  1741. (7) mschap_hbs: External script failed
  1742. (7) mschap_hbs: ERROR: External script says: Logon failure (0xc000006d)
  1743. (7) mschap_hbs: ERROR: MS-CHAP2-Response is incorrect
  1744. (7)       [mschap_hbs] = reject
  1745. (7)     } # if (reject) = reject
  1746. (7)     if (reject){
  1747. (7)     if (reject) -> TRUE
  1748. (7)     if (reject) {
  1749. (7) mschap_cbs: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1750. (7) mschap_cbs: Client is using MS-CHAPv2
  1751. (7) mschap_cbs: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=cbs.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_cbs:Challenge}:-00} --nt-response=%{%{mschap_cbs:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi':
  1752. (7) mschap_cbs: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  1753. (7) mschap_cbs:    --> --username=host/FBC-2007.fbcexample.com
  1754. (7) mschap_cbs: Creating challenge hash with username: host/FBC-2007.fbcexample.com
  1755. (7) mschap_cbs: EXPAND --challenge=%{%{mschap_cbs:Challenge}:-00}
  1756. (7) mschap_cbs:    --> --challenge=dc3f35abd8ca2037
  1757. (7) mschap_cbs: EXPAND --nt-response=%{%{mschap_cbs:NT-Response}:-00}
  1758. (7) mschap_cbs:    --> --nt-response=890af10856073a5636482d4644932eaf632c1bf2e74aee67
  1759. (7) mschap_cbs: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
  1760. (7) mschap_cbs: External script failed
  1761. (7) mschap_cbs: ERROR: External script says: Logon failure (0xc000006d)
  1762. (7) mschap_cbs: ERROR: MS-CHAP2-Response is incorrect
  1763. (7)       [mschap_cbs] = reject
  1764. (7)     } # if (reject) = reject
  1765. (7)   } # Auth-Type MS-CHAP = reject
  1766. (7) eap: Sending EAP Failure (code 4) ID 8 length 4
  1767. (7) eap: Freeing handler
  1768. (7)       [eap] = reject
  1769. (7)     } # authenticate = reject
  1770. (7)   Failed to authenticate the user
  1771. (7)   Using Post-Auth-Type Reject
  1772. (7)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1773. (7)     Post-Auth-Type REJECT {
  1774. (7) attr_filter.access_reject: EXPAND %{User-Name}
  1775. (7) attr_filter.access_reject:    --> host/FBC-2007.fbcexample.com
  1776. (7) attr_filter.access_reject: Matched entry DEFAULT at line 11
  1777. (7)       [attr_filter.access_reject] = updated
  1778. (7)       update outer.session-state {
  1779. (7)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap_fbc: Program returned code (1) and output \'Logon failure (0xc000006d)\''
  1780. (7)       } # update outer.session-state = noop
  1781. (7)     } # Post-Auth-Type REJECT = updated
  1782. (7) } # server inner-tunnel
  1783. (7) Virtual server sending reply
  1784. (7)   MS-CHAP-Error = "\010E=691 R=1 C=c1831391dfbef9d40ef1ec69601601d2 V=3 M=Authentication failed"
  1785. (7)   MS-CHAP-Error = "\010E=691 R=1 C=1e29c3f691a9b3cecf42f848b88183d5 V=3 M=Authentication failed"
  1786. (7)   MS-CHAP-Error = "\010E=691 R=1 C=35a55fc249ce19fa9fa51b0e5fcbc3a2 V=3 M=Authentication failed"
  1787. (7)   MS-CHAP-Error = "\010E=691 R=1 C=93f08729da2382ec7c638f308ad85718 V=3 M=Authentication failed"
  1788. (7)   EAP-Message = 0x04080004
  1789. (7)   Message-Authenticator = 0x00000000000000000000000000000000
  1790. (7) eap_peap: Got tunneled reply code 3
  1791. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=c1831391dfbef9d40ef1ec69601601d2 V=3 M=Authentication failed"
  1792. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=1e29c3f691a9b3cecf42f848b88183d5 V=3 M=Authentication failed"
  1793. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=35a55fc249ce19fa9fa51b0e5fcbc3a2 V=3 M=Authentication failed"
  1794. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=93f08729da2382ec7c638f308ad85718 V=3 M=Authentication failed"
  1795. (7) eap_peap:   EAP-Message = 0x04080004
  1796. (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  1797. (7) eap_peap: Got tunneled reply RADIUS code 3
  1798. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=c1831391dfbef9d40ef1ec69601601d2 V=3 M=Authentication failed"
  1799. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=1e29c3f691a9b3cecf42f848b88183d5 V=3 M=Authentication failed"
  1800. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=35a55fc249ce19fa9fa51b0e5fcbc3a2 V=3 M=Authentication failed"
  1801. (7) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=93f08729da2382ec7c638f308ad85718 V=3 M=Authentication failed"
  1802. (7) eap_peap:   EAP-Message = 0x04080004
  1803. (7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  1804. (7) eap_peap: Tunneled authentication was rejected
  1805. (7) eap_peap: FAILURE
  1806. (7) eap: Sending EAP Request (code 1) ID 9 length 46
  1807. (7) eap: EAP session adding &reply:State = 0x9c1879469b1160a4
  1808. (7)     [eap] = handled
  1809. (7)   } # authenticate = handled
  1810. (7) Using Post-Auth-Type Challenge
  1811. (7) Post-Auth-Type sub-section not found.  Ignoring.
  1812. (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1813. (7) session-state: Saving cached attributes
  1814. (7)   Module-Failure-Message := "mschap_fbc: Program returned code (1) and output 'Logon failure (0xc000006d)'"
  1815. (7) Sent Access-Challenge Id 118 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1816. (7)   EAP-Message = 0x0109002e19001703030023570a86b772a74a63bb878f77a33b64c3a7ee7f3ae76e306ed2de839b34b99964119227
  1817. (7)   Message-Authenticator = 0x00000000000000000000000000000000
  1818. (7)   State = 0x9c1879469b1160a4861a78f51320a634
  1819. (7) Finished request
  1820. Waking up in 0.2 seconds.
  1821. (8) Received Access-Request Id 119 from 10.168.149.99:33240 to 10.168.109.39:1812 length 249
  1822. (8)   User-Name = "host/FBC-2007.fbcexample.com"
  1823. (8)   NAS-IP-Address = 10.168.149.99
  1824. (8)   NAS-Port = 0
  1825. (8)   NAS-Identifier = "10.168.149.99"
  1826. (8)   NAS-Port-Type = Wireless-802.11
  1827. (8)   Calling-Station-Id = "C0335E160E17"
  1828. (8)   Called-Station-Id = "000B866DC9CC"
  1829. (8)   Service-Type = Login-User
  1830. (8)   Framed-MTU = 1100
  1831. (8)   EAP-Message = 0x0209002e190017030300230000000000000003681e53e8ba57bc68a2e500cc24a0d3cadfe1a840827112d6c119c8
  1832. (8)   State = 0x9c1879469b1160a4861a78f51320a634
  1833. (8)   Aruba-Essid-Name = "Testnet"
  1834. (8)   Aruba-Location-Id = "FBC-2103"
  1835. (8)   Aruba-AP-Group = "FBC"
  1836. (8)   Message-Authenticator = 0xb19542437a2258435a249ea19aa4bfc6
  1837. (8) Restoring &session-state
  1838. (8)   &session-state:Module-Failure-Message := "mschap_fbc: Program returned code (1) and output 'Logon failure (0xc000006d)'"
  1839. (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1840. (8)   authorize {
  1841. (8)     policy filter_username {
  1842. (8)       if (&User-Name) {
  1843. (8)       if (&User-Name)  -> TRUE
  1844. (8)       if (&User-Name)  {
  1845. (8)         if (&User-Name =~ / /) {
  1846. (8)         if (&User-Name =~ / /)  -> FALSE
  1847. (8)         if (&User-Name =~ /@[^@]*@/ ) {
  1848. (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1849. (8)         if (&User-Name =~ /\.\./ ) {
  1850. (8)         if (&User-Name =~ /\.\./ )  -> FALSE
  1851. (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1852. (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1853. (8)         if (&User-Name =~ /\.$/)  {
  1854. (8)         if (&User-Name =~ /\.$/)   -> FALSE
  1855. (8)         if (&User-Name =~ /@\./)  {
  1856. (8)         if (&User-Name =~ /@\./)   -> FALSE
  1857. (8)       } # if (&User-Name)  = notfound
  1858. (8)     } # policy filter_username = notfound
  1859. (8)     [preprocess] = ok
  1860. (8)     [chap] = noop
  1861. (8)     [mschap_fbc] = noop
  1862. (8)     [mschap_hac] = noop
  1863. (8)     [mschap_hbs] = noop
  1864. (8)     [mschap_cbs] = noop
  1865. (8)     [digest] = noop
  1866. (8) suffix: Checking for suffix after "@"
  1867. (8) suffix: No '@' in User-Name = "host/FBC-2007.fbcexample.com", looking up realm NULL
  1868. (8) suffix: No such realm "NULL"
  1869. (8)     [suffix] = noop
  1870. (8) eap: Peer sent EAP Response (code 2) ID 9 length 46
  1871. (8) eap: Continuing tunnel setup
  1872. (8)     [eap] = ok
  1873. (8)   } # authorize = ok
  1874. (8) Found Auth-Type = eap
  1875. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1876. (8)   authenticate {
  1877. (8) eap: Expiring EAP session with state 0x9c1879469b1160a4
  1878. (8) eap: Finished EAP session with state 0x9c1879469b1160a4
  1879. (8) eap: Previous EAP request found for state 0x9c1879469b1160a4, released from the list
  1880. (8) eap: Peer sent packet with method EAP PEAP (25)
  1881. (8) eap: Calling submodule eap_peap to process data
  1882. (8) eap_peap: Continuing EAP-TLS
  1883. (8) eap_peap: [eaptls verify] = ok
  1884. (8) eap_peap: Done initial handshake
  1885. (8) eap_peap: [eaptls process] = ok
  1886. (8) eap_peap: Session established.  Decoding tunneled attributes
  1887. (8) eap_peap: PEAP state send tlv failure
  1888. (8) eap_peap: Received EAP-TLV response
  1889. (8) eap_peap:   The users session was previously rejected: returning reject (again.)
  1890. (8) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
  1891. (8) eap_peap:   to find out the reason why the user was rejected
  1892. (8) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
  1893. (8) eap_peap:   what went wrong, and how to fix the problem
  1894. (8) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
  1895. (8) eap: Sending EAP Failure (code 4) ID 9 length 4
  1896. (8) eap: Failed in EAP select
  1897. (8)     [eap] = invalid
  1898. (8)   } # authenticate = invalid
  1899. (8) Failed to authenticate the user
  1900. (8) Using Post-Auth-Type Reject
  1901. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1902. (8)   Post-Auth-Type REJECT {
  1903. (8) attr_filter.access_reject: EXPAND %{User-Name}
  1904. (8) attr_filter.access_reject:    --> host/FBC-2007.fbcexample.com
  1905. (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
  1906. (8)     [attr_filter.access_reject] = updated
  1907. (8)     [eap] = noop
  1908. (8)     policy remove_reply_message_if_eap {
  1909. (8)       if (&reply:EAP-Message && &reply:Reply-Message) {
  1910. (8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
  1911. (8)       else {
  1912. (8)         [noop] = noop
  1913. (8)       } # else = noop
  1914. (8)     } # policy remove_reply_message_if_eap = noop
  1915. (8)   } # Post-Auth-Type REJECT = updated
  1916. (8) Delaying response for 1.000000 seconds
  1917. Waking up in 0.1 seconds.
  1918. (0) Cleaning up request packet ID 111 with timestamp +16
  1919. (1) Cleaning up request packet ID 112 with timestamp +16
  1920. (2) Cleaning up request packet ID 113 with timestamp +16
  1921. (3) Cleaning up request packet ID 114 with timestamp +16
  1922. (4) Cleaning up request packet ID 115 with timestamp +16
  1923. Waking up in 0.6 seconds.
  1924. (8) Sending delayed response
  1925. (8) Sent Access-Reject Id 119 from 10.168.109.39:1812 to 10.168.149.99:33240 length 44
  1926. (8)   EAP-Message = 0x04090004
  1927. (8)   Message-Authenticator = 0x00000000000000000000000000000000
  1928. Waking up in 0.6 seconds.
  1929. (5) Cleaning up request packet ID 116 with timestamp +18
  1930. (6) Cleaning up request packet ID 117 with timestamp +18
  1931. Waking up in 3.2 seconds.
  1932. (9) Received Access-Request Id 120 from 10.168.149.99:33240 to 10.168.109.39:1812 length 208
  1933. (9)   User-Name = "FBCEXAMPLE\\daniel.radius"
  1934. (9)   NAS-IP-Address = 10.168.149.99
  1935. (9)   NAS-Port = 0
  1936. (9)   NAS-Identifier = "10.168.149.99"
  1937. (9)   NAS-Port-Type = Wireless-802.11
  1938. (9)   Calling-Station-Id = "C0335E160E17"
  1939. (9)   Called-Station-Id = "000B866DC9CC"
  1940. (9)   Service-Type = Login-User
  1941. (9)   Framed-MTU = 1100
  1942. (9)   EAP-Message = 0x0201001c0146424348414d4d4f4e445c64616e69656c2e777275636b
  1943. (9)   Aruba-Essid-Name = "Testnet"
  1944. (9)   Aruba-Location-Id = "FBC-2103"
  1945. (9)   Aruba-AP-Group = "FBC"
  1946. (9)   Message-Authenticator = 0x48660cf5e0ae605076c24f0cb4703293
  1947. (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1948. (9)   authorize {
  1949. (9)     policy filter_username {
  1950. (9)       if (&User-Name) {
  1951. (9)       if (&User-Name)  -> TRUE
  1952. (9)       if (&User-Name)  {
  1953. (9)         if (&User-Name =~ / /) {
  1954. (9)         if (&User-Name =~ / /)  -> FALSE
  1955. (9)         if (&User-Name =~ /@[^@]*@/ ) {
  1956. (9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  1957. (9)         if (&User-Name =~ /\.\./ ) {
  1958. (9)         if (&User-Name =~ /\.\./ )  -> FALSE
  1959. (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  1960. (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  1961. (9)         if (&User-Name =~ /\.$/)  {
  1962. (9)         if (&User-Name =~ /\.$/)   -> FALSE
  1963. (9)         if (&User-Name =~ /@\./)  {
  1964. (9)         if (&User-Name =~ /@\./)   -> FALSE
  1965. (9)       } # if (&User-Name)  = notfound
  1966. (9)     } # policy filter_username = notfound
  1967. (9)     [preprocess] = ok
  1968. (9)     [chap] = noop
  1969. (9)     [mschap_fbc] = noop
  1970. (9)     [mschap_hac] = noop
  1971. (9)     [mschap_hbs] = noop
  1972. (9)     [mschap_cbs] = noop
  1973. (9)     [digest] = noop
  1974. (9) suffix: Checking for suffix after "@"
  1975. (9) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  1976. (9) suffix: No such realm "NULL"
  1977. (9)     [suffix] = noop
  1978. (9) eap: Peer sent EAP Response (code 2) ID 1 length 28
  1979. (9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1980. (9)     [eap] = ok
  1981. (9)   } # authorize = ok
  1982. (9) Found Auth-Type = eap
  1983. (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1984. (9)   authenticate {
  1985. (9) eap: Peer sent packet with method EAP Identity (1)
  1986. (9) eap: Calling submodule eap_peap to process data
  1987. (9) eap_peap: Initiating new EAP-TLS session
  1988. (9) eap_peap: [eaptls start] = request
  1989. (9) eap: Sending EAP Request (code 1) ID 2 length 6
  1990. (9) eap: EAP session adding &reply:State = 0x47e4fe3d47e6e7f3
  1991. (9)     [eap] = handled
  1992. (9)   } # authenticate = handled
  1993. (9) Using Post-Auth-Type Challenge
  1994. (9) Post-Auth-Type sub-section not found.  Ignoring.
  1995. (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1996. (9) Sent Access-Challenge Id 120 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  1997. (9)   EAP-Message = 0x010200061920
  1998. (9)   Message-Authenticator = 0x00000000000000000000000000000000
  1999. (9)   State = 0x47e4fe3d47e6e7f39737dc8eeb024c67
  2000. (9) Finished request
  2001. Waking up in 0.2 seconds.
  2002. (10) Received Access-Request Id 121 from 10.168.149.99:33240 to 10.168.109.39:1812 length 380
  2003. (10)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2004. (10)   NAS-IP-Address = 10.168.149.99
  2005. (10)   NAS-Port = 0
  2006. (10)   NAS-Identifier = "10.168.149.99"
  2007. (10)   NAS-Port-Type = Wireless-802.11
  2008. (10)   Calling-Station-Id = "C0335E160E17"
  2009. (10)   Called-Station-Id = "000B866DC9CC"
  2010. (10)   Service-Type = Login-User
  2011. (10)   Framed-MTU = 1100
  2012. (10)   EAP-Message = 0x020200b61980000000ac16030300a7010000a30303581a16408b2e56f10901eb7c0b9b45b1e335750ff20b815d84bcfc0f7f32a8d900003cc02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c01300390033009d009c003d003c0035002f000a006a004000380032001300050004010000
  2013. (10)   State = 0x47e4fe3d47e6e7f39737dc8eeb024c67
  2014. (10)   Aruba-Essid-Name = "Testnet"
  2015. (10)   Aruba-Location-Id = "FBC-2103"
  2016. (10)   Aruba-AP-Group = "FBC"
  2017. (10)   Message-Authenticator = 0xa68f1dfaf700d635d39c377ee0ae99c8
  2018. (10) session-state: No cached attributes
  2019. (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2020. (10)   authorize {
  2021. (10)     policy filter_username {
  2022. (10)       if (&User-Name) {
  2023. (10)       if (&User-Name)  -> TRUE
  2024. (10)       if (&User-Name)  {
  2025. (10)         if (&User-Name =~ / /) {
  2026. (10)         if (&User-Name =~ / /)  -> FALSE
  2027. (10)         if (&User-Name =~ /@[^@]*@/ ) {
  2028. (10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2029. (10)         if (&User-Name =~ /\.\./ ) {
  2030. (10)         if (&User-Name =~ /\.\./ )  -> FALSE
  2031. (10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2032. (10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2033. (10)         if (&User-Name =~ /\.$/)  {
  2034. (10)         if (&User-Name =~ /\.$/)   -> FALSE
  2035. (10)         if (&User-Name =~ /@\./)  {
  2036. (10)         if (&User-Name =~ /@\./)   -> FALSE
  2037. (10)       } # if (&User-Name)  = notfound
  2038. (10)     } # policy filter_username = notfound
  2039. (10)     [preprocess] = ok
  2040. (10)     [chap] = noop
  2041. (10)     [mschap_fbc] = noop
  2042. (10)     [mschap_hac] = noop
  2043. (10)     [mschap_hbs] = noop
  2044. (10)     [mschap_cbs] = noop
  2045. (10)     [digest] = noop
  2046. (10) suffix: Checking for suffix after "@"
  2047. (10) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2048. (10) suffix: No such realm "NULL"
  2049. (10)     [suffix] = noop
  2050. (10) eap: Peer sent EAP Response (code 2) ID 2 length 182
  2051. (10) eap: Continuing tunnel setup
  2052. (10)     [eap] = ok
  2053. (10)   } # authorize = ok
  2054. (10) Found Auth-Type = eap
  2055. (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2056. (10)   authenticate {
  2057. (10) eap: Expiring EAP session with state 0x47e4fe3d47e6e7f3
  2058. (10) eap: Finished EAP session with state 0x47e4fe3d47e6e7f3
  2059. (10) eap: Previous EAP request found for state 0x47e4fe3d47e6e7f3, released from the list
  2060. (10) eap: Peer sent packet with method EAP PEAP (25)
  2061. (10) eap: Calling submodule eap_peap to process data
  2062. (10) eap_peap: Continuing EAP-TLS
  2063. (10) eap_peap: Peer indicated complete TLS record size will be 172 bytes
  2064. (10) eap_peap: Got complete TLS record (172 bytes)
  2065. (10) eap_peap: [eaptls verify] = length included
  2066. (10) eap_peap: (other): before/accept initialization
  2067. (10) eap_peap: TLS_accept: before/accept initialization
  2068. (10) eap_peap: <<< recv TLS 1.2  [length 00a7]
  2069. (10) eap_peap: TLS_accept: unknown state
  2070. (10) eap_peap: >>> send TLS 1.2  [length 0059]
  2071. (10) eap_peap: TLS_accept: unknown state
  2072. (10) eap_peap: >>> send TLS 1.2  [length 08be]
  2073. (10) eap_peap: TLS_accept: unknown state
  2074. (10) eap_peap: >>> send TLS 1.2  [length 014d]
  2075. (10) eap_peap: TLS_accept: unknown state
  2076. (10) eap_peap: >>> send TLS 1.2  [length 0004]
  2077. (10) eap_peap: TLS_accept: unknown state
  2078. (10) eap_peap: TLS_accept: unknown state
  2079. (10) eap_peap: TLS_accept: unknown state
  2080. (10) eap_peap: TLS_accept: Need to read more data: unknown state
  2081. (10) eap_peap: TLS_accept: Need to read more data: unknown state
  2082. (10) eap_peap: In SSL Handshake Phase
  2083. (10) eap_peap: In SSL Accept mode
  2084. (10) eap_peap: [eaptls process] = handled
  2085. (10) eap: Sending EAP Request (code 1) ID 3 length 1004
  2086. (10) eap: EAP session adding &reply:State = 0x47e4fe3d46e7e7f3
  2087. (10)     [eap] = handled
  2088. (10)   } # authenticate = handled
  2089. (10) Using Post-Auth-Type Challenge
  2090. (10) Post-Auth-Type sub-section not found.  Ignoring.
  2091. (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2092. (10) Sent Access-Challenge Id 121 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2093. (10)   EAP-Message = 0x010303ec19c000000a7c1603030059020000550303c217ea996f916752244dcdaf1bf0fd866f2954fc095a4ff06a89190393f79f0e20365df402a8bad811f34877ce186b5ded20adbfe8adb795394dba15d0607bd6a5c03000000dff01000100000b00040300010216030308be0b0008ba0008b70003db
  2094. (10)   Message-Authenticator = 0x00000000000000000000000000000000
  2095. (10)   State = 0x47e4fe3d46e7e7f39737dc8eeb024c67
  2096. (10) Finished request
  2097. Waking up in 0.2 seconds.
  2098. (11) Received Access-Request Id 122 from 10.168.149.99:33240 to 10.168.109.39:1812 length 204
  2099. (11)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2100. (11)   NAS-IP-Address = 10.168.149.99
  2101. (11)   NAS-Port = 0
  2102. (11)   NAS-Identifier = "10.168.149.99"
  2103. (11)   NAS-Port-Type = Wireless-802.11
  2104. (11)   Calling-Station-Id = "C0335E160E17"
  2105. (11)   Called-Station-Id = "000B866DC9CC"
  2106. (11)   Service-Type = Login-User
  2107. (11)   Framed-MTU = 1100
  2108. (11)   EAP-Message = 0x020300061900
  2109. (11)   State = 0x47e4fe3d46e7e7f39737dc8eeb024c67
  2110. (11)   Aruba-Essid-Name = "Testnet"
  2111. (11)   Aruba-Location-Id = "FBC-2103"
  2112. (11)   Aruba-AP-Group = "FBC"
  2113. (11)   Message-Authenticator = 0xc08a7ab0dcf2f0e5664b98b868c01ec7
  2114. (11) session-state: No cached attributes
  2115. (11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2116. (11)   authorize {
  2117. (11)     policy filter_username {
  2118. (11)       if (&User-Name) {
  2119. (11)       if (&User-Name)  -> TRUE
  2120. (11)       if (&User-Name)  {
  2121. (11)         if (&User-Name =~ / /) {
  2122. (11)         if (&User-Name =~ / /)  -> FALSE
  2123. (11)         if (&User-Name =~ /@[^@]*@/ ) {
  2124. (11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2125. (11)         if (&User-Name =~ /\.\./ ) {
  2126. (11)         if (&User-Name =~ /\.\./ )  -> FALSE
  2127. (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2128. (11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2129. (11)         if (&User-Name =~ /\.$/)  {
  2130. (11)         if (&User-Name =~ /\.$/)   -> FALSE
  2131. (11)         if (&User-Name =~ /@\./)  {
  2132. (11)         if (&User-Name =~ /@\./)   -> FALSE
  2133. (11)       } # if (&User-Name)  = notfound
  2134. (11)     } # policy filter_username = notfound
  2135. (11)     [preprocess] = ok
  2136. (11)     [chap] = noop
  2137. (11)     [mschap_fbc] = noop
  2138. (11)     [mschap_hac] = noop
  2139. (11)     [mschap_hbs] = noop
  2140. (11)     [mschap_cbs] = noop
  2141. (11)     [digest] = noop
  2142. (11) suffix: Checking for suffix after "@"
  2143. (11) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2144. (11) suffix: No such realm "NULL"
  2145. (11)     [suffix] = noop
  2146. (11) eap: Peer sent EAP Response (code 2) ID 3 length 6
  2147. (11) eap: Continuing tunnel setup
  2148. (11)     [eap] = ok
  2149. (11)   } # authorize = ok
  2150. (11) Found Auth-Type = eap
  2151. (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2152. (11)   authenticate {
  2153. (11) eap: Expiring EAP session with state 0x47e4fe3d46e7e7f3
  2154. (11) eap: Finished EAP session with state 0x47e4fe3d46e7e7f3
  2155. (11) eap: Previous EAP request found for state 0x47e4fe3d46e7e7f3, released from the list
  2156. (11) eap: Peer sent packet with method EAP PEAP (25)
  2157. (11) eap: Calling submodule eap_peap to process data
  2158. (11) eap_peap: Continuing EAP-TLS
  2159. (11) eap_peap: Peer ACKed our handshake fragment
  2160. (11) eap_peap: [eaptls verify] = request
  2161. (11) eap_peap: [eaptls process] = handled
  2162. (11) eap: Sending EAP Request (code 1) ID 4 length 1000
  2163. (11) eap: EAP session adding &reply:State = 0x47e4fe3d45e0e7f3
  2164. (11)     [eap] = handled
  2165. (11)   } # authenticate = handled
  2166. (11) Using Post-Auth-Type Challenge
  2167. (11) Post-Auth-Type sub-section not found.  Ignoring.
  2168. (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2169. (11) Sent Access-Challenge Id 122 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2170. (11)   EAP-Message = 0x010403e8194011a8e7c1e27393a346149fb1639e1304ff78a88f8fa230137fd87b47f8bc022ab208d74616992c217d84c16e609fc97c061b00a95d113885a5560268e2d5dae8e0b34facb1d8d3df51af1969d21ad174554bf3cf49642df9ebc917d33bae29018bf8778c4b3f0004d6308204d2308203ba
  2171. (11)   Message-Authenticator = 0x00000000000000000000000000000000
  2172. (11)   State = 0x47e4fe3d45e0e7f39737dc8eeb024c67
  2173. (11) Finished request
  2174. Waking up in 0.2 seconds.
  2175. (12) Received Access-Request Id 123 from 10.168.149.99:33240 to 10.168.109.39:1812 length 204
  2176. (12)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2177. (12)   NAS-IP-Address = 10.168.149.99
  2178. (12)   NAS-Port = 0
  2179. (12)   NAS-Identifier = "10.168.149.99"
  2180. (12)   NAS-Port-Type = Wireless-802.11
  2181. (12)   Calling-Station-Id = "C0335E160E17"
  2182. (12)   Called-Station-Id = "000B866DC9CC"
  2183. (12)   Service-Type = Login-User
  2184. (12)   Framed-MTU = 1100
  2185. (12)   EAP-Message = 0x020400061900
  2186. (12)   State = 0x47e4fe3d45e0e7f39737dc8eeb024c67
  2187. (12)   Aruba-Essid-Name = "Testnet"
  2188. (12)   Aruba-Location-Id = "FBC-2103"
  2189. (12)   Aruba-AP-Group = "FBC"
  2190. (12)   Message-Authenticator = 0x4a3434989816923881c5ad0ac52801c0
  2191. (12) session-state: No cached attributes
  2192. (12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2193. (12)   authorize {
  2194. (12)     policy filter_username {
  2195. (12)       if (&User-Name) {
  2196. (12)       if (&User-Name)  -> TRUE
  2197. (12)       if (&User-Name)  {
  2198. (12)         if (&User-Name =~ / /) {
  2199. (12)         if (&User-Name =~ / /)  -> FALSE
  2200. (12)         if (&User-Name =~ /@[^@]*@/ ) {
  2201. (12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2202. (12)         if (&User-Name =~ /\.\./ ) {
  2203. (12)         if (&User-Name =~ /\.\./ )  -> FALSE
  2204. (12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2205. (12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2206. (12)         if (&User-Name =~ /\.$/)  {
  2207. (12)         if (&User-Name =~ /\.$/)   -> FALSE
  2208. (12)         if (&User-Name =~ /@\./)  {
  2209. (12)         if (&User-Name =~ /@\./)   -> FALSE
  2210. (12)       } # if (&User-Name)  = notfound
  2211. (12)     } # policy filter_username = notfound
  2212. (12)     [preprocess] = ok
  2213. (12)     [chap] = noop
  2214. (12)     [mschap_fbc] = noop
  2215. (12)     [mschap_hac] = noop
  2216. (12)     [mschap_hbs] = noop
  2217. (12)     [mschap_cbs] = noop
  2218. (12)     [digest] = noop
  2219. (12) suffix: Checking for suffix after "@"
  2220. (12) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2221. (12) suffix: No such realm "NULL"
  2222. (12)     [suffix] = noop
  2223. (12) eap: Peer sent EAP Response (code 2) ID 4 length 6
  2224. (12) eap: Continuing tunnel setup
  2225. (12)     [eap] = ok
  2226. (12)   } # authorize = ok
  2227. (12) Found Auth-Type = eap
  2228. (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2229. (12)   authenticate {
  2230. (12) eap: Expiring EAP session with state 0x47e4fe3d45e0e7f3
  2231. (12) eap: Finished EAP session with state 0x47e4fe3d45e0e7f3
  2232. (12) eap: Previous EAP request found for state 0x47e4fe3d45e0e7f3, released from the list
  2233. (12) eap: Peer sent packet with method EAP PEAP (25)
  2234. (12) eap: Calling submodule eap_peap to process data
  2235. (12) eap_peap: Continuing EAP-TLS
  2236. (12) eap_peap: Peer ACKed our handshake fragment
  2237. (12) eap_peap: [eaptls verify] = request
  2238. (12) eap_peap: [eaptls process] = handled
  2239. (12) eap: Sending EAP Request (code 1) ID 5 length 702
  2240. (12) eap: EAP session adding &reply:State = 0x47e4fe3d44e1e7f3
  2241. (12)     [eap] = handled
  2242. (12)   } # authenticate = handled
  2243. (12) Using Post-Auth-Type Challenge
  2244. (12) Post-Auth-Type sub-section not found.  Ignoring.
  2245. (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2246. (12) Sent Access-Challenge Id 123 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2247. (12)   EAP-Message = 0x010502be1900300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100706bdef08ab24a28fb45ef114b73dc360c440688
  2248. (12)   Message-Authenticator = 0x00000000000000000000000000000000
  2249. (12)   State = 0x47e4fe3d44e1e7f39737dc8eeb024c67
  2250. (12) Finished request
  2251. Waking up in 0.2 seconds.
  2252. (13) Received Access-Request Id 124 from 10.168.149.99:33240 to 10.168.109.39:1812 length 334
  2253. (13)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2254. (13)   NAS-IP-Address = 10.168.149.99
  2255. (13)   NAS-Port = 0
  2256. (13)   NAS-Identifier = "10.168.149.99"
  2257. (13)   NAS-Port-Type = Wireless-802.11
  2258. (13)   Calling-Station-Id = "C0335E160E17"
  2259. (13)   Called-Station-Id = "000B866DC9CC"
  2260. (13)   Service-Type = Login-User
  2261. (13)   Framed-MTU = 1100
  2262. (13)   EAP-Message = 0x0205008819800000007e160303004610000042410469d02066dc1d395a83336d860bbb19c3e49d5c0486a755f05f7168b20905dc0808756bdfd2083fed58c055ae8cfc3f3b2425b6893d70ce9e82ced8a77410ec231403030001011603030028000000000000000090b38152f982b43da51e485ff31e93
  2263. (13)   State = 0x47e4fe3d44e1e7f39737dc8eeb024c67
  2264. (13)   Aruba-Essid-Name = "Testnet"
  2265. (13)   Aruba-Location-Id = "FBC-2103"
  2266. (13)   Aruba-AP-Group = "FBC"
  2267. (13)   Message-Authenticator = 0xc29b5630e38e4b1be55176ac3a9d137f
  2268. (13) session-state: No cached attributes
  2269. (13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2270. (13)   authorize {
  2271. (13)     policy filter_username {
  2272. (13)       if (&User-Name) {
  2273. (13)       if (&User-Name)  -> TRUE
  2274. (13)       if (&User-Name)  {
  2275. (13)         if (&User-Name =~ / /) {
  2276. (13)         if (&User-Name =~ / /)  -> FALSE
  2277. (13)         if (&User-Name =~ /@[^@]*@/ ) {
  2278. (13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2279. (13)         if (&User-Name =~ /\.\./ ) {
  2280. (13)         if (&User-Name =~ /\.\./ )  -> FALSE
  2281. (13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2282. (13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2283. (13)         if (&User-Name =~ /\.$/)  {
  2284. (13)         if (&User-Name =~ /\.$/)   -> FALSE
  2285. (13)         if (&User-Name =~ /@\./)  {
  2286. (13)         if (&User-Name =~ /@\./)   -> FALSE
  2287. (13)       } # if (&User-Name)  = notfound
  2288. (13)     } # policy filter_username = notfound
  2289. (13)     [preprocess] = ok
  2290. (13)     [chap] = noop
  2291. (13)     [mschap_fbc] = noop
  2292. (13)     [mschap_hac] = noop
  2293. (13)     [mschap_hbs] = noop
  2294. (13)     [mschap_cbs] = noop
  2295. (13)     [digest] = noop
  2296. (13) suffix: Checking for suffix after "@"
  2297. (13) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2298. (13) suffix: No such realm "NULL"
  2299. (13)     [suffix] = noop
  2300. (13) eap: Peer sent EAP Response (code 2) ID 5 length 136
  2301. (13) eap: Continuing tunnel setup
  2302. (13)     [eap] = ok
  2303. (13)   } # authorize = ok
  2304. (13) Found Auth-Type = eap
  2305. (13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2306. (13)   authenticate {
  2307. (13) eap: Expiring EAP session with state 0x47e4fe3d44e1e7f3
  2308. (13) eap: Finished EAP session with state 0x47e4fe3d44e1e7f3
  2309. (13) eap: Previous EAP request found for state 0x47e4fe3d44e1e7f3, released from the list
  2310. (13) eap: Peer sent packet with method EAP PEAP (25)
  2311. (13) eap: Calling submodule eap_peap to process data
  2312. (13) eap_peap: Continuing EAP-TLS
  2313. (13) eap_peap: Peer indicated complete TLS record size will be 126 bytes
  2314. (13) eap_peap: Got complete TLS record (126 bytes)
  2315. (13) eap_peap: [eaptls verify] = length included
  2316. (13) eap_peap: <<< recv TLS 1.2  [length 0046]
  2317. (13) eap_peap: TLS_accept: unknown state
  2318. (13) eap_peap: TLS_accept: unknown state
  2319. (13) eap_peap: <<< recv TLS 1.2  [length 0001]
  2320. (13) eap_peap: <<< recv TLS 1.2  [length 0010]
  2321. (13) eap_peap: TLS_accept: unknown state
  2322. (13) eap_peap: >>> send TLS 1.2  [length 0001]
  2323. (13) eap_peap: TLS_accept: unknown state
  2324. (13) eap_peap: >>> send TLS 1.2  [length 0010]
  2325. (13) eap_peap: TLS_accept: unknown state
  2326. (13) eap_peap: TLS_accept: unknown state
  2327. (13) eap_peap: (other): SSL negotiation finished successfully
  2328. (13) eap_peap: SSL Connection Established
  2329. (13) eap_peap: [eaptls process] = handled
  2330. (13) eap: Sending EAP Request (code 1) ID 6 length 57
  2331. (13) eap: EAP session adding &reply:State = 0x47e4fe3d43e2e7f3
  2332. (13)     [eap] = handled
  2333. (13)   } # authenticate = handled
  2334. (13) Using Post-Auth-Type Challenge
  2335. (13) Post-Auth-Type sub-section not found.  Ignoring.
  2336. (13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2337. (13) Sent Access-Challenge Id 124 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2338. (13)   EAP-Message = 0x01060039190014030300010116030300281ed9e340415001df71ba910873f0749f4a688b33d3ec3078be77f13907c7a33bbaca40862e64e026
  2339. (13)   Message-Authenticator = 0x00000000000000000000000000000000
  2340. (13)   State = 0x47e4fe3d43e2e7f39737dc8eeb024c67
  2341. (13) Finished request
  2342. Waking up in 0.2 seconds.
  2343. (7) Cleaning up request packet ID 118 with timestamp +18
  2344. (8) Cleaning up request packet ID 119 with timestamp +21
  2345. Waking up in 4.6 seconds.
  2346. (9) Cleaning up request packet ID 120 with timestamp +26
  2347. (10) Cleaning up request packet ID 121 with timestamp +26
  2348. (11) Cleaning up request packet ID 122 with timestamp +26
  2349. (12) Cleaning up request packet ID 123 with timestamp +26
  2350. (13) Cleaning up request packet ID 124 with timestamp +26
  2351. Ready to process requests
  2352. (14) Received Access-Request Id 125 from 10.168.149.99:33240 to 10.168.109.39:1812 length 204
  2353. (14)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2354. (14)   NAS-IP-Address = 10.168.149.99
  2355. (14)   NAS-Port = 0
  2356. (14)   NAS-Identifier = "10.168.149.99"
  2357. (14)   NAS-Port-Type = Wireless-802.11
  2358. (14)   Calling-Station-Id = "C0335E160E17"
  2359. (14)   Called-Station-Id = "000B866DC9CC"
  2360. (14)   Service-Type = Login-User
  2361. (14)   Framed-MTU = 1100
  2362. (14)   EAP-Message = 0x020600061900
  2363. (14)   State = 0x47e4fe3d43e2e7f39737dc8eeb024c67
  2364. (14)   Aruba-Essid-Name = "Testnet"
  2365. (14)   Aruba-Location-Id = "FBC-2103"
  2366. (14)   Aruba-AP-Group = "FBC"
  2367. (14)   Message-Authenticator = 0x6621ff3b6e70bd2f7126c78498e10c67
  2368. (14) session-state: No cached attributes
  2369. (14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2370. (14)   authorize {
  2371. (14)     policy filter_username {
  2372. (14)       if (&User-Name) {
  2373. (14)       if (&User-Name)  -> TRUE
  2374. (14)       if (&User-Name)  {
  2375. (14)         if (&User-Name =~ / /) {
  2376. (14)         if (&User-Name =~ / /)  -> FALSE
  2377. (14)         if (&User-Name =~ /@[^@]*@/ ) {
  2378. (14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2379. (14)         if (&User-Name =~ /\.\./ ) {
  2380. (14)         if (&User-Name =~ /\.\./ )  -> FALSE
  2381. (14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2382. (14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2383. (14)         if (&User-Name =~ /\.$/)  {
  2384. (14)         if (&User-Name =~ /\.$/)   -> FALSE
  2385. (14)         if (&User-Name =~ /@\./)  {
  2386. (14)         if (&User-Name =~ /@\./)   -> FALSE
  2387. (14)       } # if (&User-Name)  = notfound
  2388. (14)     } # policy filter_username = notfound
  2389. (14)     [preprocess] = ok
  2390. (14)     [chap] = noop
  2391. (14)     [mschap_fbc] = noop
  2392. (14)     [mschap_hac] = noop
  2393. (14)     [mschap_hbs] = noop
  2394. (14)     [mschap_cbs] = noop
  2395. (14)     [digest] = noop
  2396. (14) suffix: Checking for suffix after "@"
  2397. (14) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2398. (14) suffix: No such realm "NULL"
  2399. (14)     [suffix] = noop
  2400. (14) eap: Peer sent EAP Response (code 2) ID 6 length 6
  2401. (14) eap: Continuing tunnel setup
  2402. (14)     [eap] = ok
  2403. (14)   } # authorize = ok
  2404. (14) Found Auth-Type = eap
  2405. (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2406. (14)   authenticate {
  2407. (14) eap: Expiring EAP session with state 0x47e4fe3d43e2e7f3
  2408. (14) eap: Finished EAP session with state 0x47e4fe3d43e2e7f3
  2409. (14) eap: Previous EAP request found for state 0x47e4fe3d43e2e7f3, released from the list
  2410. (14) eap: Peer sent packet with method EAP PEAP (25)
  2411. (14) eap: Calling submodule eap_peap to process data
  2412. (14) eap_peap: Continuing EAP-TLS
  2413. (14) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
  2414. (14) eap_peap: [eaptls verify] = success
  2415. (14) eap_peap: [eaptls process] = success
  2416. (14) eap_peap: Session established.  Decoding tunneled attributes
  2417. (14) eap_peap: PEAP state TUNNEL ESTABLISHED
  2418. (14) eap: Sending EAP Request (code 1) ID 7 length 40
  2419. (14) eap: EAP session adding &reply:State = 0x47e4fe3d42e3e7f3
  2420. (14)     [eap] = handled
  2421. (14)   } # authenticate = handled
  2422. (14) Using Post-Auth-Type Challenge
  2423. (14) Post-Auth-Type sub-section not found.  Ignoring.
  2424. (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2425. (14) Sent Access-Challenge Id 125 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2426. (14)   EAP-Message = 0x010700281900170303001d1ed9e340415001e0e242a9354b723f3fac7f668b1cb76c3792b39659a8
  2427. (14)   Message-Authenticator = 0x00000000000000000000000000000000
  2428. (14)   State = 0x47e4fe3d42e3e7f39737dc8eeb024c67
  2429. (14) Finished request
  2430. Waking up in 4.9 seconds.
  2431. (15) Received Access-Request Id 126 from 10.168.149.99:33240 to 10.168.109.39:1812 length 257
  2432. (15)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2433. (15)   NAS-IP-Address = 10.168.149.99
  2434. (15)   NAS-Port = 0
  2435. (15)   NAS-Identifier = "10.168.149.99"
  2436. (15)   NAS-Port-Type = Wireless-802.11
  2437. (15)   Calling-Station-Id = "C0335E160E17"
  2438. (15)   Called-Station-Id = "000B866DC9CC"
  2439. (15)   Service-Type = Login-User
  2440. (15)   Framed-MTU = 1100
  2441. (15)   EAP-Message = 0x0207003b190017030300300000000000000001f1b223d4118db7a82d0b2b85211815ab38efb4d4aa244610d175fd411c38424dc952702c78b4f31a
  2442. (15)   State = 0x47e4fe3d42e3e7f39737dc8eeb024c67
  2443. (15)   Aruba-Essid-Name = "Testnet"
  2444. (15)   Aruba-Location-Id = "FBC-2103"
  2445. (15)   Aruba-AP-Group = "FBC"
  2446. (15)   Message-Authenticator = 0x1c66aa55f176f57b6334e12595141220
  2447. (15) session-state: No cached attributes
  2448. (15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2449. (15)   authorize {
  2450. (15)     policy filter_username {
  2451. (15)       if (&User-Name) {
  2452. (15)       if (&User-Name)  -> TRUE
  2453. (15)       if (&User-Name)  {
  2454. (15)         if (&User-Name =~ / /) {
  2455. (15)         if (&User-Name =~ / /)  -> FALSE
  2456. (15)         if (&User-Name =~ /@[^@]*@/ ) {
  2457. (15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2458. (15)         if (&User-Name =~ /\.\./ ) {
  2459. (15)         if (&User-Name =~ /\.\./ )  -> FALSE
  2460. (15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2461. (15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2462. (15)         if (&User-Name =~ /\.$/)  {
  2463. (15)         if (&User-Name =~ /\.$/)   -> FALSE
  2464. (15)         if (&User-Name =~ /@\./)  {
  2465. (15)         if (&User-Name =~ /@\./)   -> FALSE
  2466. (15)       } # if (&User-Name)  = notfound
  2467. (15)     } # policy filter_username = notfound
  2468. (15)     [preprocess] = ok
  2469. (15)     [chap] = noop
  2470. (15)     [mschap_fbc] = noop
  2471. (15)     [mschap_hac] = noop
  2472. (15)     [mschap_hbs] = noop
  2473. (15)     [mschap_cbs] = noop
  2474. (15)     [digest] = noop
  2475. (15) suffix: Checking for suffix after "@"
  2476. (15) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2477. (15) suffix: No such realm "NULL"
  2478. (15)     [suffix] = noop
  2479. (15) eap: Peer sent EAP Response (code 2) ID 7 length 59
  2480. (15) eap: Continuing tunnel setup
  2481. (15)     [eap] = ok
  2482. (15)   } # authorize = ok
  2483. (15) Found Auth-Type = eap
  2484. (15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2485. (15)   authenticate {
  2486. (15) eap: Expiring EAP session with state 0x47e4fe3d42e3e7f3
  2487. (15) eap: Finished EAP session with state 0x47e4fe3d42e3e7f3
  2488. (15) eap: Previous EAP request found for state 0x47e4fe3d42e3e7f3, released from the list
  2489. (15) eap: Peer sent packet with method EAP PEAP (25)
  2490. (15) eap: Calling submodule eap_peap to process data
  2491. (15) eap_peap: Continuing EAP-TLS
  2492. (15) eap_peap: [eaptls verify] = ok
  2493. (15) eap_peap: Done initial handshake
  2494. (15) eap_peap: [eaptls process] = ok
  2495. (15) eap_peap: Session established.  Decoding tunneled attributes
  2496. (15) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  2497. (15) eap_peap: Identity - FBCEXAMPLE\daniel.radius
  2498. (15) eap_peap: Got inner identity 'FBCEXAMPLE\daniel.radius'
  2499. (15) eap_peap: Setting default EAP type for tunneled EAP session
  2500. (15) eap_peap: Got tunneled request
  2501. (15) eap_peap:   EAP-Message = 0x0207001c0146424348414d4d4f4e445c64616e69656c2e777275636b
  2502. (15) eap_peap: Setting User-Name to FBCEXAMPLE\daniel.radius
  2503. (15) eap_peap: Sending tunneled request to inner-tunnel
  2504. (15) eap_peap:   EAP-Message = 0x0207001c0146424348414d4d4f4e445c64616e69656c2e777275636b
  2505. (15) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
  2506. (15) eap_peap:   User-Name = "FBCEXAMPLE\\daniel.radius"
  2507. (15) Virtual server inner-tunnel received request
  2508. (15)   EAP-Message = 0x0207001c0146424348414d4d4f4e445c64616e69656c2e777275636b
  2509. (15)   FreeRADIUS-Proxied-To = 127.0.0.1
  2510. (15)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2511. (15) WARNING: Outer and inner identities are the same.  User privacy is compromised.
  2512. (15) server inner-tunnel {
  2513. (15)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2514. (15)     authorize {
  2515. (15)       policy filter_username {
  2516. (15)         if (&User-Name) {
  2517. (15)         if (&User-Name)  -> TRUE
  2518. (15)         if (&User-Name)  {
  2519. (15)           if (&User-Name =~ / /) {
  2520. (15)           if (&User-Name =~ / /)  -> FALSE
  2521. (15)           if (&User-Name =~ /@[^@]*@/ ) {
  2522. (15)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2523. (15)           if (&User-Name =~ /\.\./ ) {
  2524. (15)           if (&User-Name =~ /\.\./ )  -> FALSE
  2525. (15)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2526. (15)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2527. (15)           if (&User-Name =~ /\.$/)  {
  2528. (15)           if (&User-Name =~ /\.$/)   -> FALSE
  2529. (15)           if (&User-Name =~ /@\./)  {
  2530. (15)           if (&User-Name =~ /@\./)   -> FALSE
  2531. (15)         } # if (&User-Name)  = notfound
  2532. (15)       } # policy filter_username = notfound
  2533. (15)       [chap] = noop
  2534. (15)       [mschap_fbc] = noop
  2535. (15)       [mschap_hac] = noop
  2536. (15)       [mschap_hbs] = noop
  2537. (15)       [mschap_cbs] = noop
  2538. (15) suffix: Checking for suffix after "@"
  2539. (15) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2540. (15) suffix: No such realm "NULL"
  2541. (15)       [suffix] = noop
  2542. (15)       update control {
  2543. (15)         &Proxy-To-Realm := LOCAL
  2544. (15)       } # update control = noop
  2545. (15) eap: Peer sent EAP Response (code 2) ID 7 length 28
  2546. (15) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  2547. (15)       [eap] = ok
  2548. (15)     } # authorize = ok
  2549. (15)   Found Auth-Type = eap
  2550. (15)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2551. (15)     authenticate {
  2552. (15) eap: Peer sent packet with method EAP Identity (1)
  2553. (15) eap: Calling submodule eap_mschapv2 to process data
  2554. (15) eap_mschapv2: Issuing Challenge
  2555. (15) eap: Sending EAP Request (code 1) ID 8 length 43
  2556. (15) eap: EAP session adding &reply:State = 0x2dd385462ddb9fc9
  2557. (15)       [eap] = handled
  2558. (15)     } # authenticate = handled
  2559. (15) } # server inner-tunnel
  2560. (15) Virtual server sending reply
  2561. (15)   EAP-Message = 0x0108002b1a0108002610a8752c82adb718e1c1baab940a11bc66667265657261646975732d332e302e3132
  2562. (15)   Message-Authenticator = 0x00000000000000000000000000000000
  2563. (15)   State = 0x2dd385462ddb9fc952bb1d757e6ccda3
  2564. (15) eap_peap: Got tunneled reply code 11
  2565. (15) eap_peap:   EAP-Message = 0x0108002b1a0108002610a8752c82adb718e1c1baab940a11bc66667265657261646975732d332e302e3132
  2566. (15) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  2567. (15) eap_peap:   State = 0x2dd385462ddb9fc952bb1d757e6ccda3
  2568. (15) eap_peap: Got tunneled reply RADIUS code 11
  2569. (15) eap_peap:   EAP-Message = 0x0108002b1a0108002610a8752c82adb718e1c1baab940a11bc66667265657261646975732d332e302e3132
  2570. (15) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  2571. (15) eap_peap:   State = 0x2dd385462ddb9fc952bb1d757e6ccda3
  2572. (15) eap_peap: Got tunneled Access-Challenge
  2573. (15) eap: Sending EAP Request (code 1) ID 8 length 74
  2574. (15) eap: EAP session adding &reply:State = 0x47e4fe3d41ece7f3
  2575. (15)     [eap] = handled
  2576. (15)   } # authenticate = handled
  2577. (15) Using Post-Auth-Type Challenge
  2578. (15) Post-Auth-Type sub-section not found.  Ignoring.
  2579. (15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2580. (15) Sent Access-Challenge Id 126 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2581. (15)   EAP-Message = 0x0108004a1900170303003f1ed9e340415001e13e4d4223e2f6bc92de29c995c61bd9c942fb93b08a1f0b75ec5dad30c081942ce8a1fe59919bdcd259379cf0fde53eaa1046826a06f4a0
  2582. (15)   Message-Authenticator = 0x00000000000000000000000000000000
  2583. (15)   State = 0x47e4fe3d41ece7f39737dc8eeb024c67
  2584. (15) Finished request
  2585. Waking up in 4.9 seconds.
  2586. (16) Received Access-Request Id 127 from 10.168.149.99:33240 to 10.168.109.39:1812 length 311
  2587. (16)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2588. (16)   NAS-IP-Address = 10.168.149.99
  2589. (16)   NAS-Port = 0
  2590. (16)   NAS-Identifier = "10.168.149.99"
  2591. (16)   NAS-Port-Type = Wireless-802.11
  2592. (16)   Calling-Station-Id = "C0335E160E17"
  2593. (16)   Called-Station-Id = "000B866DC9CC"
  2594. (16)   Service-Type = Login-User
  2595. (16)   Framed-MTU = 1100
  2596. (16)   EAP-Message = 0x0208007119001703030066000000000000000253d5b1023faf0e738da4bc6dfdd1c2b1201423532101a7db35f64a5556d05c8d471e2559deebe7a0b94c8ef4373d3cf57048f449f9fedb47ae802a9590ac1625b2dff0718c31b11bf50f44baab297a5ae6de97dbc2cdf8fff01c9f8dc80a
  2597. (16)   State = 0x47e4fe3d41ece7f39737dc8eeb024c67
  2598. (16)   Aruba-Essid-Name = "Testnet"
  2599. (16)   Aruba-Location-Id = "FBC-2103"
  2600. (16)   Aruba-AP-Group = "FBC"
  2601. (16)   Message-Authenticator = 0x6e1fc246c0e114f2889cb3cabd518eef
  2602. (16) session-state: No cached attributes
  2603. (16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2604. (16)   authorize {
  2605. (16)     policy filter_username {
  2606. (16)       if (&User-Name) {
  2607. (16)       if (&User-Name)  -> TRUE
  2608. (16)       if (&User-Name)  {
  2609. (16)         if (&User-Name =~ / /) {
  2610. (16)         if (&User-Name =~ / /)  -> FALSE
  2611. (16)         if (&User-Name =~ /@[^@]*@/ ) {
  2612. (16)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2613. (16)         if (&User-Name =~ /\.\./ ) {
  2614. (16)         if (&User-Name =~ /\.\./ )  -> FALSE
  2615. (16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2616. (16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2617. (16)         if (&User-Name =~ /\.$/)  {
  2618. (16)         if (&User-Name =~ /\.$/)   -> FALSE
  2619. (16)         if (&User-Name =~ /@\./)  {
  2620. (16)         if (&User-Name =~ /@\./)   -> FALSE
  2621. (16)       } # if (&User-Name)  = notfound
  2622. (16)     } # policy filter_username = notfound
  2623. (16)     [preprocess] = ok
  2624. (16)     [chap] = noop
  2625. (16)     [mschap_fbc] = noop
  2626. (16)     [mschap_hac] = noop
  2627. (16)     [mschap_hbs] = noop
  2628. (16)     [mschap_cbs] = noop
  2629. (16)     [digest] = noop
  2630. (16) suffix: Checking for suffix after "@"
  2631. (16) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2632. (16) suffix: No such realm "NULL"
  2633. (16)     [suffix] = noop
  2634. (16) eap: Peer sent EAP Response (code 2) ID 8 length 113
  2635. (16) eap: Continuing tunnel setup
  2636. (16)     [eap] = ok
  2637. (16)   } # authorize = ok
  2638. (16) Found Auth-Type = eap
  2639. (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2640. (16)   authenticate {
  2641. (16) eap: Expiring EAP session with state 0x2dd385462ddb9fc9
  2642. (16) eap: Finished EAP session with state 0x47e4fe3d41ece7f3
  2643. (16) eap: Previous EAP request found for state 0x47e4fe3d41ece7f3, released from the list
  2644. (16) eap: Peer sent packet with method EAP PEAP (25)
  2645. (16) eap: Calling submodule eap_peap to process data
  2646. (16) eap_peap: Continuing EAP-TLS
  2647. (16) eap_peap: [eaptls verify] = ok
  2648. (16) eap_peap: Done initial handshake
  2649. (16) eap_peap: [eaptls process] = ok
  2650. (16) eap_peap: Session established.  Decoding tunneled attributes
  2651. (16) eap_peap: PEAP state phase2
  2652. (16) eap_peap: EAP method MSCHAPv2 (26)
  2653. (16) eap_peap: Got tunneled request
  2654. (16) eap_peap:   EAP-Message = 0x020800521a0208004d3161b47129046a3204efc7e0e3ee0af94a00000000000000006bdebf5ac39680b7070c457fefacbdc1596103429c14eb640046424348414d4d4f4e445c64616e69656c2e777275636b
  2655. (16) eap_peap: Setting User-Name to FBCEXAMPLE\daniel.radius
  2656. (16) eap_peap: Sending tunneled request to inner-tunnel
  2657. (16) eap_peap:   EAP-Message = 0x020800521a0208004d3161b47129046a3204efc7e0e3ee0af94a00000000000000006bdebf5ac39680b7070c457fefacbdc1596103429c14eb640046424348414d4d4f4e445c64616e69656c2e777275636b
  2658. (16) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
  2659. (16) eap_peap:   User-Name = "FBCEXAMPLE\\daniel.radius"
  2660. (16) eap_peap:   State = 0x2dd385462ddb9fc952bb1d757e6ccda3
  2661. (16) Virtual server inner-tunnel received request
  2662. (16)   EAP-Message = 0x020800521a0208004d3161b47129046a3204efc7e0e3ee0af94a00000000000000006bdebf5ac39680b7070c457fefacbdc1596103429c14eb640046424348414d4d4f4e445c64616e69656c2e777275636b
  2663. (16)   FreeRADIUS-Proxied-To = 127.0.0.1
  2664. (16)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2665. (16)   State = 0x2dd385462ddb9fc952bb1d757e6ccda3
  2666. (16) WARNING: Outer and inner identities are the same.  User privacy is compromised.
  2667. (16) server inner-tunnel {
  2668. (16)   session-state: No cached attributes
  2669. (16)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2670. (16)     authorize {
  2671. (16)       policy filter_username {
  2672. (16)         if (&User-Name) {
  2673. (16)         if (&User-Name)  -> TRUE
  2674. (16)         if (&User-Name)  {
  2675. (16)           if (&User-Name =~ / /) {
  2676. (16)           if (&User-Name =~ / /)  -> FALSE
  2677. (16)           if (&User-Name =~ /@[^@]*@/ ) {
  2678. (16)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  2679. (16)           if (&User-Name =~ /\.\./ ) {
  2680. (16)           if (&User-Name =~ /\.\./ )  -> FALSE
  2681. (16)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  2682. (16)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  2683. (16)           if (&User-Name =~ /\.$/)  {
  2684. (16)           if (&User-Name =~ /\.$/)   -> FALSE
  2685. (16)           if (&User-Name =~ /@\./)  {
  2686. (16)           if (&User-Name =~ /@\./)   -> FALSE
  2687. (16)         } # if (&User-Name)  = notfound
  2688. (16)       } # policy filter_username = notfound
  2689. (16)       [chap] = noop
  2690. (16)       [mschap_fbc] = noop
  2691. (16)       [mschap_hac] = noop
  2692. (16)       [mschap_hbs] = noop
  2693. (16)       [mschap_cbs] = noop
  2694. (16) suffix: Checking for suffix after "@"
  2695. (16) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  2696. (16) suffix: No such realm "NULL"
  2697. (16)       [suffix] = noop
  2698. (16)       update control {
  2699. (16)         &Proxy-To-Realm := LOCAL
  2700. (16)       } # update control = noop
  2701. (16) eap: Peer sent EAP Response (code 2) ID 8 length 82
  2702. (16) eap: No EAP Start, assuming it's an on-going EAP conversation
  2703. (16)       [eap] = updated
  2704. (16)       [files] = noop
  2705. rlm_ldap (ldap): Reserved connection (1)
  2706. (16) ldap: EXPAND (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
  2707. (16) ldap:    --> (sAMAccountName=FBCEXAMPLE\5c5cdaniel.radius)
  2708. (16) ldap: Performing search in "DC=fbcexample,DC=com" with filter "(sAMAccountName=FBCEXAMPLE\5c5cdaniel.radius)", scope "sub"
  2709. (16) ldap: Waiting for search result...
  2710. rlm_ldap (ldap): Rebinding to URL ldap://hbs.fbcexample.com/DC=hbs,DC=fbcexample,DC=com
  2711. rlm_ldap (ldap): Waiting for bind result...
  2712. rlm_ldap (ldap): Rebinding to URL ldap://hac.fbcexample.com/DC=hac,DC=fbcexample,DC=com
  2713. rlm_ldap (ldap): Waiting for bind result...
  2714. rlm_ldap (ldap): Rebinding to URL ldap://cbs.fbcexample.com/DC=cbs,DC=fbcexample,DC=com
  2715. rlm_ldap (ldap): Waiting for bind result...
  2716. rlm_ldap (ldap): Rebinding to URL ldap://fbcexample.com/CN=Configuration,DC=fbcexample,DC=com
  2717. rlm_ldap (ldap): Waiting for bind result...
  2718. Unable to chase referral "ldap://LimitLogin.fbcexample.com/DC=LimitLogin,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  2719. rlm_ldap (ldap): Bind successful
  2720. rlm_ldap (ldap): Bind successful
  2721. rlm_ldap (ldap): Bind successful
  2722. rlm_ldap (ldap): Bind successful
  2723. Unable to chase referral "ldap://ForestDnsZones.fbcexample.com/DC=ForestDnsZones,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  2724. Unable to chase referral "ldap://DomainDnsZones.cbs.fbcexample.com/DC=DomainDnsZones,DC=cbs,DC=fbcexample,DC=com" (-1: Can't contact LDAP server)
  2725. rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.hac.fbcexample.com/DC=DomainDnsZones,DC=hac,DC=fbcexample,DC=com
  2726. rlm_ldap (ldap): Waiting for bind result...
  2727. rlm_ldap (ldap): Rebinding to URL ldap://DomainDnsZones.hbs.fbcexample.com/DC=DomainDnsZones,DC=hbs,DC=fbcexample,DC=com
  2728. rlm_ldap (ldap): Waiting for bind result...
  2729. more than 5 referral hops (dropping)
  2730. rlm_ldap (ldap): Bind successful
  2731. rlm_ldap (ldap): Bind successful
  2732. (16) ldap: Search returned no results
  2733. rlm_ldap (ldap): Deleting connection (1)
  2734. rlm_ldap (ldap): Need 6 more connections to reach 10 spares
  2735. rlm_ldap (ldap): Opening additional connection (6), 1 of 28 pending slots used
  2736. rlm_ldap (ldap): Connecting to ldap://10.168.109.12:389
  2737. rlm_ldap (ldap): Waiting for bind result...
  2738. rlm_ldap (ldap): Bind successful
  2739. (16)       [ldap] = notfound
  2740. (16)       [expiration] = noop
  2741. (16)       [logintime] = noop
  2742. (16)       [pap] = noop
  2743. (16)     } # authorize = updated
  2744. (16)   Found Auth-Type = eap
  2745. (16)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2746. (16)     authenticate {
  2747. (16) eap: Expiring EAP session with state 0x2dd385462ddb9fc9
  2748. (16) eap: Finished EAP session with state 0x2dd385462ddb9fc9
  2749. (16) eap: Previous EAP request found for state 0x2dd385462ddb9fc9, released from the list
  2750. (16) eap: Peer sent packet with method EAP MSCHAPv2 (26)
  2751. (16) eap: Calling submodule eap_mschapv2 to process data
  2752. (16) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2753. (16) eap_mschapv2:   Auth-Type MS-CHAP {
  2754. (16) mschap_fbc: Creating challenge hash with username: daniel.radius
  2755. (16) mschap_fbc: Client is using MS-CHAPv2
  2756. (16) mschap_fbc: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=fbcexample --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_fbc:Challenge}:-00} --nt-response=%{%{mschap_fbc:NT-Response}:-00}  --require-membership-of='fbcexample\\LDAP_WiFi':
  2757. (16) mschap_fbc: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  2758. (16) mschap_fbc:    --> --username=FBCEXAMPLE\\daniel.radius
  2759. (16) mschap_fbc: Creating challenge hash with username: daniel.radius
  2760. (16) mschap_fbc: EXPAND --challenge=%{%{mschap_fbc:Challenge}:-00}
  2761. (16) mschap_fbc:    --> --challenge=63abafd041820bf2
  2762. (16) mschap_fbc: EXPAND --nt-response=%{%{mschap_fbc:NT-Response}:-00}
  2763. (16) mschap_fbc:    --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64
  2764. (16) mschap_fbc: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
  2765. (16) mschap_fbc: External script failed
  2766. (16) mschap_fbc: ERROR: External script says: Logon failure (0xc000006d)
  2767. (16) mschap_fbc: ERROR: MS-CHAP2-Response is incorrect
  2768. (16)     [mschap_fbc] = reject
  2769. (16)     if (reject){
  2770. (16)     if (reject) -> TRUE
  2771. (16)     if (reject) {
  2772. (16) mschap_hac: Creating challenge hash with username: daniel.radius
  2773. (16) mschap_hac: Client is using MS-CHAPv2
  2774. (16) mschap_hac: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=hac.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_hac:Challenge}:-00} --nt-response=%{%{mschap_hac:NT-Response}:-00}  --require-membership-of=fbcexample\\LDAP_WiFi:
  2775. (16) mschap_hac: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  2776. (16) mschap_hac:    --> --username=FBCEXAMPLE\\daniel.radius
  2777. (16) mschap_hac: Creating challenge hash with username: daniel.radius
  2778. (16) mschap_hac: EXPAND --challenge=%{%{mschap_hac:Challenge}:-00}
  2779. (16) mschap_hac:    --> --challenge=63abafd041820bf2
  2780. (16) mschap_hac: EXPAND --nt-response=%{%{mschap_hac:NT-Response}:-00}
  2781. (16) mschap_hac:    --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64
  2782. Domain specified in username (FBCEXAMPLE) doesn't match specified domain (hac.fbcexample.com)!
  2783.  
  2784. Usage: [OPTION...]
  2785.      --helper-protocol=helper protocol to use     operate as a stdio-based helper
  2786.      --username=STRING                            username
  2787.      --domain=STRING                              domain name
  2788.      --workstation=STRING                         workstation
  2789.      --challenge=STRING                           challenge (HEX encoded)
  2790.      --lm-response=STRING                         LM Response to the challenge (HEX encoded)
  2791.      --nt-response=STRING                         NT or NTLMv2 Response to the challenge (HEX encoded)
  2792.      --password=STRING                            User's plaintext password
  2793.      --request-lm-key                             Retrieve LM session key
  2794.      --request-nt-key                             Retrieve User (NT) session key
  2795.      --use-cached-creds                           Use cached credentials if no password is given
  2796.      --diagnostics                                Perform diagnostics on the authentication chain
  2797.      --require-membership-of=STRING               Require that a user be a member of this group (either name or SID) for authentication to succeed
  2798.      --pam-winbind-conf=STRING                    Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required
  2799.      --target-service=STRING                      Target service (eg http)
  2800.      --target-hostname=STRING                     Target hostname
  2801.  
  2802. Help options:
  2803.  -?, --help                                       Show this help message
  2804.      --usage                                      Display brief usage message
  2805.  
  2806. Common samba config:
  2807.      --configfile=CONFIGFILE                      Use alternate configuration file
  2808.  
  2809. Common samba options:
  2810.  -V, --version                                    Print version
  2811.  
  2812. Common samba commandline config:
  2813.      --option=name=value                          Set smb.conf option from command line
  2814. (16) mschap_hac: ERROR: Program returned code (1) and output ''
  2815. (16) mschap_hac: External script failed
  2816. (16) mschap_hac: ERROR: External script says:
  2817. (16) mschap_hac: ERROR: MS-CHAP2-Response is incorrect
  2818. (16)       [mschap_hac] = reject
  2819. (16)     } # if (reject) = reject
  2820. (16)     if (reject){
  2821. (16)     if (reject) -> TRUE
  2822. (16)     if (reject) {
  2823. (16) mschap_hbs: Creating challenge hash with username: daniel.radius
  2824. (16) mschap_hbs: Client is using MS-CHAPv2
  2825. (16) mschap_hbs: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=hbs.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_hbs:Challenge}:-00} --nt-response=%{%{mschap_hbs:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi':
  2826. (16) mschap_hbs: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  2827. (16) mschap_hbs:    --> --username=FBCEXAMPLE\\daniel.radius
  2828. (16) mschap_hbs: Creating challenge hash with username: daniel.radius
  2829. (16) mschap_hbs: EXPAND --challenge=%{%{mschap_hbs:Challenge}:-00}
  2830. (16) mschap_hbs:    --> --challenge=63abafd041820bf2
  2831. (16) mschap_hbs: EXPAND --nt-response=%{%{mschap_hbs:NT-Response}:-00}
  2832. (16) mschap_hbs:    --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64
  2833. Domain specified in username (FBCEXAMPLE) doesn't match specified domain (hbs.fbcexample.com)!
  2834.  
  2835. Usage: [OPTION...]
  2836.      --helper-protocol=helper protocol to use     operate as a stdio-based helper
  2837.      --username=STRING                            username
  2838.      --domain=STRING                              domain name
  2839.      --workstation=STRING                         workstation
  2840.      --challenge=STRING                           challenge (HEX encoded)
  2841.      --lm-response=STRING                         LM Response to the challenge (HEX encoded)
  2842.      --nt-response=STRING                         NT or NTLMv2 Response to the challenge (HEX encoded)
  2843.      --password=STRING                            User's plaintext password
  2844.      --request-lm-key                             Retrieve LM session key
  2845.      --request-nt-key                             Retrieve User (NT) session key
  2846.      --use-cached-creds                           Use cached credentials if no password is given
  2847.      --diagnostics                                Perform diagnostics on the authentication chain
  2848.      --require-membership-of=STRING               Require that a user be a member of this group (either name or SID) for authentication to succeed
  2849.      --pam-winbind-conf=STRING                    Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required
  2850.      --target-service=STRING                      Target service (eg http)
  2851.      --target-hostname=STRING                     Target hostname
  2852.  
  2853. Help options:
  2854.  -?, --help                                       Show this help message
  2855.      --usage                                      Display brief usage message
  2856.  
  2857. Common samba config:
  2858.      --configfile=CONFIGFILE                      Use alternate configuration file
  2859.  
  2860. Common samba options:
  2861.  -V, --version                                    Print version
  2862.  
  2863. Common samba commandline config:
  2864.      --option=name=value                          Set smb.conf option from command line
  2865. (16) mschap_hbs: ERROR: Program returned code (1) and output ''
  2866. (16) mschap_hbs: External script failed
  2867. (16) mschap_hbs: ERROR: External script says:
  2868. (16) mschap_hbs: ERROR: MS-CHAP2-Response is incorrect
  2869. (16)       [mschap_hbs] = reject
  2870. (16)     } # if (reject) = reject
  2871. (16)     if (reject){
  2872. (16)     if (reject) -> TRUE
  2873. (16)     if (reject) {
  2874. (16) mschap_cbs: Creating challenge hash with username: daniel.radius
  2875. (16) mschap_cbs: Client is using MS-CHAPv2
  2876. (16) mschap_cbs: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=cbs.fbcexample.com --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap_cbs:Challenge}:-00} --nt-response=%{%{mschap_cbs:NT-Response}:-00} --require-membership-of='fbcexample\\LDAP_WiFi':
  2877. (16) mschap_cbs: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
  2878. (16) mschap_cbs:    --> --username=FBCEXAMPLE\\daniel.radius
  2879. (16) mschap_cbs: Creating challenge hash with username: daniel.radius
  2880. (16) mschap_cbs: EXPAND --challenge=%{%{mschap_cbs:Challenge}:-00}
  2881. (16) mschap_cbs:    --> --challenge=63abafd041820bf2
  2882. (16) mschap_cbs: EXPAND --nt-response=%{%{mschap_cbs:NT-Response}:-00}
  2883. (16) mschap_cbs:    --> --nt-response=6bdebf5ac39680b7070c457fefacbdc1596103429c14eb64
  2884. Domain specified in username (FBCEXAMPLE) doesn't match specified domain (cbs.fbcexample.com)!
  2885.  
  2886. Usage: [OPTION...]
  2887.      --helper-protocol=helper protocol to use     operate as a stdio-based helper
  2888.      --username=STRING                            username
  2889.      --domain=STRING                              domain name
  2890.      --workstation=STRING                         workstation
  2891.      --challenge=STRING                           challenge (HEX encoded)
  2892.      --lm-response=STRING                         LM Response to the challenge (HEX encoded)
  2893.      --nt-response=STRING                         NT or NTLMv2 Response to the challenge (HEX encoded)
  2894.      --password=STRING                            User's plaintext password
  2895.      --request-lm-key                             Retrieve LM session key
  2896.      --request-nt-key                             Retrieve User (NT) session key
  2897.      --use-cached-creds                           Use cached credentials if no password is given
  2898.      --diagnostics                                Perform diagnostics on the authentication chain
  2899.      --require-membership-of=STRING               Require that a user be a member of this group (either name or SID) for authentication to succeed
  2900.      --pam-winbind-conf=STRING                    Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required
  2901.      --target-service=STRING                      Target service (eg http)
  2902.      --target-hostname=STRING                     Target hostname
  2903.  
  2904. Help options:
  2905.  -?, --help                                       Show this help message
  2906.      --usage                                      Display brief usage message
  2907.  
  2908. Common samba config:
  2909.      --configfile=CONFIGFILE                      Use alternate configuration file
  2910.  
  2911. Common samba options:
  2912.  -V, --version                                    Print version
  2913.  
  2914. Common samba commandline config:
  2915.      --option=name=value                          Set smb.conf option from command line
  2916. (16) mschap_cbs: ERROR: Program returned code (1) and output ''
  2917. (16) mschap_cbs: External script failed
  2918. (16) mschap_cbs: ERROR: External script says:
  2919. (16) mschap_cbs: ERROR: MS-CHAP2-Response is incorrect
  2920. (16)       [mschap_cbs] = reject
  2921. (16)     } # if (reject) = reject
  2922. (16)   } # Auth-Type MS-CHAP = reject
  2923. (16) eap: Sending EAP Failure (code 4) ID 8 length 4
  2924. (16) eap: Freeing handler
  2925. (16)       [eap] = reject
  2926. (16)     } # authenticate = reject
  2927. (16)   Failed to authenticate the user
  2928. (16)   Using Post-Auth-Type Reject
  2929. (16)   # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  2930. (16)     Post-Auth-Type REJECT {
  2931. (16) attr_filter.access_reject: EXPAND %{User-Name}
  2932. (16) attr_filter.access_reject:    --> FBCEXAMPLE\\daniel.radius
  2933. (16) attr_filter.access_reject: Matched entry DEFAULT at line 11
  2934. (16)       [attr_filter.access_reject] = updated
  2935. (16)       update outer.session-state {
  2936. (16)         &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap_fbc: Program returned code (1) and output \'Logon failure (0xc000006d)\''
  2937. (16)       } # update outer.session-state = noop
  2938. (16)     } # Post-Auth-Type REJECT = updated
  2939. (16) } # server inner-tunnel
  2940. (16) Virtual server sending reply
  2941. (16)   MS-CHAP-Error = "\010E=691 R=1 C=01df8d0d2186902ea16efe3b7ad97da4 V=3 M=Authentication failed"
  2942. (16)   MS-CHAP-Error = "\010E=691 R=1 C=a777d759e6e4a6a4d677a7d1d52a9c53 V=3 M=Authentication failed"
  2943. (16)   MS-CHAP-Error = "\010E=691 R=1 C=f86d0501557bbf2f50af2b3315ed1eb5 V=3 M=Authentication failed"
  2944. (16)   MS-CHAP-Error = "\010E=691 R=1 C=e8a9e81ed118c94ca3b2aad65b830b90 V=3 M=Authentication failed"
  2945. (16)   EAP-Message = 0x04080004
  2946. (16)   Message-Authenticator = 0x00000000000000000000000000000000
  2947. (16) eap_peap: Got tunneled reply code 3
  2948. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=01df8d0d2186902ea16efe3b7ad97da4 V=3 M=Authentication failed"
  2949. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=a777d759e6e4a6a4d677a7d1d52a9c53 V=3 M=Authentication failed"
  2950. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=f86d0501557bbf2f50af2b3315ed1eb5 V=3 M=Authentication failed"
  2951. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=e8a9e81ed118c94ca3b2aad65b830b90 V=3 M=Authentication failed"
  2952. (16) eap_peap:   EAP-Message = 0x04080004
  2953. (16) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  2954. (16) eap_peap: Got tunneled reply RADIUS code 3
  2955. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=01df8d0d2186902ea16efe3b7ad97da4 V=3 M=Authentication failed"
  2956. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=a777d759e6e4a6a4d677a7d1d52a9c53 V=3 M=Authentication failed"
  2957. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=f86d0501557bbf2f50af2b3315ed1eb5 V=3 M=Authentication failed"
  2958. (16) eap_peap:   MS-CHAP-Error = "\010E=691 R=1 C=e8a9e81ed118c94ca3b2aad65b830b90 V=3 M=Authentication failed"
  2959. (16) eap_peap:   EAP-Message = 0x04080004
  2960. (16) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
  2961. (16) eap_peap: Tunneled authentication was rejected
  2962. (16) eap_peap: FAILURE
  2963. (16) eap: Sending EAP Request (code 1) ID 9 length 46
  2964. (16) eap: EAP session adding &reply:State = 0x47e4fe3d40ede7f3
  2965. (16)     [eap] = handled
  2966. (16)   } # authenticate = handled
  2967. (16) Using Post-Auth-Type Challenge
  2968. (16) Post-Auth-Type sub-section not found.  Ignoring.
  2969. (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  2970. (16) session-state: Saving cached attributes
  2971. (16)   Module-Failure-Message := "mschap_fbc: Program returned code (1) and output 'Logon failure (0xc000006d)'"
  2972. (16) Sent Access-Challenge Id 127 from 10.168.109.39:1812 to 10.168.149.99:33240 length 0
  2973. (16)   EAP-Message = 0x0109002e190017030300231ed9e340415001e2293bf44f910658e92eb682a427872079e54166d9aa423879ea8ed7
  2974. (16)   Message-Authenticator = 0x00000000000000000000000000000000
  2975. (16)   State = 0x47e4fe3d40ede7f39737dc8eeb024c67
  2976. (16) Finished request
  2977. Waking up in 2.8 seconds.
  2978. (17) Received Access-Request Id 128 from 10.168.149.99:33240 to 10.168.109.39:1812 length 244
  2979. (17)   User-Name = "FBCEXAMPLE\\daniel.radius"
  2980. (17)   NAS-IP-Address = 10.168.149.99
  2981. (17)   NAS-Port = 0
  2982. (17)   NAS-Identifier = "10.168.149.99"
  2983. (17)   NAS-Port-Type = Wireless-802.11
  2984. (17)   Calling-Station-Id = "C0335E160E17"
  2985. (17)   Called-Station-Id = "000B866DC9CC"
  2986. (17)   Service-Type = Login-User
  2987. (17)   Framed-MTU = 1100
  2988. (17)   EAP-Message = 0x0209002e19001703030023000000000000000318a2dcc6a1e26705c9ee920bbf852e4e3ac9b354085bc170a9bffc
  2989. (17)   State = 0x47e4fe3d40ede7f39737dc8eeb024c67
  2990. (17)   Aruba-Essid-Name = "Testnet"
  2991. (17)   Aruba-Location-Id = "FBC-2103"
  2992. (17)   Aruba-AP-Group = "FBC"
  2993. (17)   Message-Authenticator = 0x92fda2a50dfe5d0a59fc16d1717b035e
  2994. (17) Restoring &session-state
  2995. (17)   &session-state:Module-Failure-Message := "mschap_fbc: Program returned code (1) and output 'Logon failure (0xc000006d)'"
  2996. (17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  2997. (17)   authorize {
  2998. (17)     policy filter_username {
  2999. (17)       if (&User-Name) {
  3000. (17)       if (&User-Name)  -> TRUE
  3001. (17)       if (&User-Name)  {
  3002. (17)         if (&User-Name =~ / /) {
  3003. (17)         if (&User-Name =~ / /)  -> FALSE
  3004. (17)         if (&User-Name =~ /@[^@]*@/ ) {
  3005. (17)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
  3006. (17)         if (&User-Name =~ /\.\./ ) {
  3007. (17)         if (&User-Name =~ /\.\./ )  -> FALSE
  3008. (17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
  3009. (17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
  3010. (17)         if (&User-Name =~ /\.$/)  {
  3011. (17)         if (&User-Name =~ /\.$/)   -> FALSE
  3012. (17)         if (&User-Name =~ /@\./)  {
  3013. (17)         if (&User-Name =~ /@\./)   -> FALSE
  3014. (17)       } # if (&User-Name)  = notfound
  3015. (17)     } # policy filter_username = notfound
  3016. (17)     [preprocess] = ok
  3017. (17)     [chap] = noop
  3018. (17)     [mschap_fbc] = noop
  3019. (17)     [mschap_hac] = noop
  3020. (17)     [mschap_hbs] = noop
  3021. (17)     [mschap_cbs] = noop
  3022. (17)     [digest] = noop
  3023. (17) suffix: Checking for suffix after "@"
  3024. (17) suffix: No '@' in User-Name = "FBCEXAMPLE\daniel.radius", looking up realm NULL
  3025. (17) suffix: No such realm "NULL"
  3026. (17)     [suffix] = noop
  3027. (17) eap: Peer sent EAP Response (code 2) ID 9 length 46
  3028. (17) eap: Continuing tunnel setup
  3029. (17)     [eap] = ok
  3030. (17)   } # authorize = ok
  3031. (17) Found Auth-Type = eap
  3032. (17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  3033. (17)   authenticate {
  3034. (17) eap: Expiring EAP session with state 0x47e4fe3d40ede7f3
  3035. (17) eap: Finished EAP session with state 0x47e4fe3d40ede7f3
  3036. (17) eap: Previous EAP request found for state 0x47e4fe3d40ede7f3, released from the list
  3037. (17) eap: Peer sent packet with method EAP PEAP (25)
  3038. (17) eap: Calling submodule eap_peap to process data
  3039. (17) eap_peap: Continuing EAP-TLS
  3040. (17) eap_peap: [eaptls verify] = ok
  3041. (17) eap_peap: Done initial handshake
  3042. (17) eap_peap: [eaptls process] = ok
  3043. (17) eap_peap: Session established.  Decoding tunneled attributes
  3044. (17) eap_peap: PEAP state send tlv failure
  3045. (17) eap_peap: Received EAP-TLV response
  3046. (17) eap_peap:   The users session was previously rejected: returning reject (again.)
  3047. (17) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
  3048. (17) eap_peap:   to find out the reason why the user was rejected
  3049. (17) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
  3050. (17) eap_peap:   what went wrong, and how to fix the problem
  3051. (17) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
  3052. (17) eap: Sending EAP Failure (code 4) ID 9 length 4
  3053. (17) eap: Failed in EAP select
  3054. (17)     [eap] = invalid
  3055. (17)   } # authenticate = invalid
  3056. (17) Failed to authenticate the user
  3057. (17) Using Post-Auth-Type Reject
  3058. (17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  3059. (17)   Post-Auth-Type REJECT {
  3060. (17) attr_filter.access_reject: EXPAND %{User-Name}
  3061. (17) attr_filter.access_reject:    --> FBCEXAMPLE\\daniel.radius
  3062. (17) attr_filter.access_reject: Matched entry DEFAULT at line 11
  3063. (17)     [attr_filter.access_reject] = updated
  3064. (17)     [eap] = noop
  3065. (17)     policy remove_reply_message_if_eap {
  3066. (17)       if (&reply:EAP-Message && &reply:Reply-Message) {
  3067. (17)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
  3068. (17)       else {
  3069. (17)         [noop] = noop
  3070. (17)       } # else = noop
  3071. (17)     } # policy remove_reply_message_if_eap = noop
  3072. (17)   } # Post-Auth-Type REJECT = updated
  3073. (17) Delaying response for 1.000000 seconds
  3074. Waking up in 0.3 seconds.
  3075. Waking up in 0.6 seconds.
  3076. (17) Sending delayed response
  3077. (17) Sent Access-Reject Id 128 from 10.168.109.39:1812 to 10.168.149.99:33240 length 44
  3078. (17)   EAP-Message = 0x04090004
  3079. (17)   Message-Authenticator = 0x00000000000000000000000000000000
  3080. Waking up in 1.7 seconds.
  3081. (14) Cleaning up request packet ID 125 with timestamp +32
  3082. (15) Cleaning up request packet ID 126 with timestamp +32
  3083. Waking up in 2.1 seconds.
  3084. (16) Cleaning up request packet ID 127 with timestamp +32
  3085. (17) Cleaning up request packet ID 128 with timestamp +35
  3086. Ready to process requests
Add Comment
Please, Sign In to add comment