Untitled

[root@radius001 vkratsberg]# radiusd -X
Server was built with:
  accounting               : yes
  authentication           : yes
  ascend-binary-attributes : yes
  coa                      : yes
  control-socket           : yes
  detail                   : yes
  dhcp                     : yes
  dynamic-clients          : yes
  osfc2                    : no
  proxy                    : yes
  regex-pcre               : yes
  regex-posix              : no
  regex-posix-extended     : no
  session-management       : yes
  stats                    : yes
  tcp                      : yes
  threads                  : yes
  tls                      : yes
  unlang                   : yes
  vmps                     : yes
  developer                : no
Server core libs:
  freeradius-server        : 3.0.11
  talloc                   : 2.0.*
  ssl                      : 1.0.1e release
  pcre                     : 8.32 2012-11-30
Endianness:
  little
Compilation flags:
  cppflags :
  cflags   : -I/root/rpmbuild/BUILD/freeradius-server-3.0.11 -I/root/rpmbuild/BUILD/freeradius-server-3.0.11/src -include /root/rpmbuild/BUILD/freeradius-server-3.0.11/src/freeradius-devel/autoconf.h -include /root/rpmbuild/BUILD/freeradius-server-3.0.11/src/freeradius-devel/build.h -include /root/rpmbuild/BUILD/freeradius-server-3.0.11/src/freeradius-devel/features.h -include /root/rpmbuild/BUILD/freeradius-server-3.0.11/src/freeradius-devel/radpaths.h -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wall -std=c99 -D_GNU_SOURCE -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -DNDEBUG -DIS_MODULE=1
  ldflags  :  -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
  libs     : -lcrypto -lssl -ltalloc -lpcre -lnsl -lresolv -ldl -lpthread -lreadline

Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/mschap
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/ldap
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/unpack
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/abfab-tr
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/cui
including configuration file /etc/raddb/policy.d/debug
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/operator-name
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
 security {
 	user = "radiusd"
 	group = "radiusd"
 	allow_core_dumps = no
 }
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
}
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 16384
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = no
 	auth_badpass = no
 	auth_goodpass = no
 	colourise = yes
 	msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 home_server localhost {
 	ipaddr = 127.0.0.1
 	port = 1812
 	type = "auth"
 	secret = <<< secret >>>
 	response_window = 20.000000
 	response_timeouts = 1
 	max_outstanding = 65536
 	zombie_period = 40
 	status_check = "status-server"
 	ping_interval = 30
 	check_interval = 30
 	check_timeout = 4
 	num_answers_to_alive = 3
 	revive_interval = 120
  limit {
  	max_connections = 16
  	max_requests = 0
  	lifetime = 0
  	idle_timeout = 0
  }
  coa {
  	irt = 2
  	mrt = 16
  	mrc = 5
  	mrd = 30
  }
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
 	ipv4addr = 127.0.0.1
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	nas_type = "other"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 192.168.10.0/24 {
 	ipv4addr = 192.168.10.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "nyc-mgmt-network"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.120.8.0/24 {
 	ipv4addr = 10.120.8.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "da-oob-internal"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.120.225.0/24 {
 	ipv4addr = 10.120.225.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "da-mgmt-network"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.120.22.0/24 {
 	ipv4addr = 10.120.22.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "da3-int-transit-net"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.100.124.0/22 {
 	ipv4addr = 10.100.124.0/22
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "peer1-mgmt-network"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.8.0.0/24 {
 	ipv4addr = 10.8.0.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "nyc-hq"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.150.0.0/16 {
 	ipv4addr = 10.150.0.0/16
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "dublin-corp"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.126.0.0/16 {
 	ipv4addr = 10.126.0.0/16
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "portland-corp"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.100.0.0/24 {
 	ipv4addr = 10.100.0.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "peer1-loopbacks"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.120.0.0/24 {
 	ipv4addr = 10.120.0.0/24
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "dallas-loopbacks"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 10.100.72.100/32 {
 	ipv4addr = 10.100.72.100
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "peer1-wlc-master"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 192.168.1.68 {
 	ipv4addr = 192.168.1.68
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "admin01"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
 client 192.168.1.8 {
 	ipv4addr = 192.168.1.8
 	require_message_authenticator = no
 	secret = <<< secret >>>
 	shortname = "admin08"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
Debugger not attached
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  logintime {
  	minimum_timeout = 60
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  mschap {
  	use_mppe = yes
  	require_encryption = no
  	require_strong = no
  	with_ntdomain_hack = yes
   passchange {
   }
  	allow_retry = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
  	filename = "/etc/passwd"
  	format = "*User-Name:Crypt-Password:"
  	delimiter = ":"
  	ignore_nislike = no
  	ignore_empty = yes
  	allow_multiple_keys = no
  	hash_size = 100
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
  preprocess {
  	huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
  	hints = "/etc/raddb/mods-config/preprocess/hints"
  	with_ascend_hack = no
  	ascend_channels_per_line = 23
  	with_ntdomain_hack = no
  	with_specialix_jetstream_hack = no
  	with_cisco_vsa_hack = no
  	with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
  radutmp {
  	filename = "/var/log/radius/radutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 384
  	caller_id = yes
  }
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  soh {
  	dhcp = yes
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  unix {
  	radwtmp = "/var/log/radius/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  # Loaded module rlm_ldap
  # Loading module "ldap" from file /etc/raddb/mods-enabled/ldap
  ldap {
  	server = "ldap001.008.jfk.corp.squarespace.net"
  	port = 636
  	identity = "cn=directory manager"
  	password = <<< secret >>>
   sasl {
   }
   user {
   	scope = "sub"
   	access_positive = yes
    sasl {
    }
   }
   group {
   	filter = "(objectClass=GroupOfNames)"
   	scope = "sub"
   	name_attribute = "cn"
   	membership_attribute = "memberOf"
   	membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
   	cacheable_name = no
   	cacheable_dn = no
   }
   client {
   	filter = "(objectClass=frClient)"
   	scope = "sub"
   	base_dn = "dc=sq,dc=net"
   }
   profile {
   }
   options {
   	ldap_debug = 40
   	chase_referrals = yes
   	rebind = yes
   	net_timeout = 1
   	res_timeout = 20
   	srv_timelimit = 20
   	idle = 60
   	probes = 3
   	interval = 3
   }
   tls {
   	start_tls = no
   	require_cert = "allow"
   }
  }
Creating attribute LDAP-Group
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
  	rcode = "reject"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
  	rcode = "fail"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
  	rcode = "ok"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
  	rcode = "invalid"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
  	rcode = "userlock"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
  	rcode = "notfound"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
  	rcode = "noop"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
  	rcode = "updated"
  	simulcount = 0
  	mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  	filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  	filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  	filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  	filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  	filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  cache cache_eap {
  	driver = "rlm_cache_rbtree"
  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  	ttl = 15
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/raddb/mods-enabled/chap
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/raddb/mods-enabled/detail
  detail {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
  detail auth_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  detail reply_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  detail pre_proxy_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  detail post_proxy_log {
  	filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
  	header = "%t"
  	permissions = 384
  	locking = no
  	escape_filenames = no
  	log_packet_header = no
  }
  # Loaded module rlm_dhcp
  # Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  # Loaded module rlm_dynamic_clients
  # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  exec echo {
  	wait = yes
  	program = "/bin/echo %{User-Name}"
  	input_pairs = "request"
  	output_pairs = "reply"
  	shell_escape = yes
  }
  # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/raddb/mods-enabled/files
  files {
  	filename = "/etc/raddb/mods-config/files/authorize"
  	acctusersfile = "/etc/raddb/mods-config/files/accounting"
  	preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  linelog {
  	filename = "/var/log/radius/linelog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = "This is a log message for %{User-Name}"
  	reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  linelog log_accounting {
  	filename = "/var/log/radius/linelog-accounting"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
  	wait = yes
  	program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
  	shell_escape = yes
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  pap {
  	normalise = yes
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
  	format = "prefix"
  	delimiter = "/"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
  	format = "suffix"
  	delimiter = "%"
  	ignore_default = no
  	ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
  	format = "prefix"
  	delimiter = "\\"
  	ignore_default = no
  	ignore_null = no
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
  	filename = "/var/log/radius/sradutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 420
  	caller_id = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  instantiate {
  }
  # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
  # Instantiating module "ldap" from file /etc/raddb/mods-enabled/ldap
rlm_ldap: libldap vendor: OpenLDAP, version: 20440
   accounting {
   	reference = "%{tolower:type.%{Acct-Status-Type}}"
   }
   post-auth {
   	reference = "."
   }
rlm_ldap (ldap): Initialising connection pool
   pool {
   	start = 5
   	min = 4
   	max = 32
   	spare = 3
   	uses = 0
   	lifetime = 0
   	cleanup_interval = 30
   	idle_timeout = 60
   	retry_delay = 1
   	spread = no
   }
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap001.008.jfk.corp.squarespace.net:636
TLS: certificate [CN=sqnet CA,DC=sq,DC=net] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT".
  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
  # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
  # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
  # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_leap
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
   	tls = "tls-common"
   }
   tls-config tls-common {
   	verify_depth = 0
   	ca_path = "/etc/raddb/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/raddb/certs/server.pem"
   	certificate_file = "/etc/raddb/certs/server.pem"
   	ca_file = "/etc/raddb/certs/ca.pem"
   	private_key_password = <<< secret >>>
   	dh_file = "/etc/raddb/certs/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = no
   	check_all_crl = no
   	cipher_list = "DEFAULT"
   	ecdh_curve = "prime256v1"
    cache {
    	enable = yes
    	lifetime = 24
    	name = "EAP module"
    	max_entries = 255
    	persist_dir = "/var/log/radius/tlscache"
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = yes
    	url = "http://127.0.0.1/ocsp/"
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
   	tls = "tls-common"
   	default_eap_type = "md5"
   	copy_request_to_tunnel = no
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
   	tls = "tls-common"
   	default_eap_type = "gtc"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = yes
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = no
   }
  # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/raddb/radiusd.conf
} # server
server default { # from file /etc/raddb/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
  	type = "auth"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipaddr = *
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "acct"
  	ipv6addr = ::
  	port = 0
   limit {
   	max_connections = 16
   	lifetime = 0
   	idle_timeout = 30
   }
}
listen {
  	type = "auth"
  	ipaddr = 127.0.0.1
  	port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 54354
Listening on proxy address :: port 27487
Ready to process requests
(0) Received Access-Request Id 246 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(0)   User-Name = "vkratsberg"
(0)   NAS-Port = 358
(0)   EAP-Message = 0x0200000f01766b7261747362657267
(0)   Message-Authenticator = 0xb89efc2cc1abebf5ffd633797ff669bf
(0)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(0)   NAS-Port-Id = "ge-3/0/6.0"
(0)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(0)   Called-Station-Id = "ec-3e-f7-68-35-00"
(0)   NAS-IP-Address = 10.8.0.111
(0)   NAS-Identifier = "nyc-access-sw011"
(0)   NAS-Port-Type = Ethernet
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 15
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: Initiating new EAP-TLS session
(0) eap_peap: Flushing SSL sessions (of #0)
(0) eap_peap: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xe721f8dae720e117
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 246 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(0)   EAP-Message = 0x010100061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xe721f8dae720e1179a644c3cc02883a2
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 247 from 10.8.0.111:58432 to 10.8.64.155:1812 length 311
(1)   User-Name = "vkratsberg"
(1)   NAS-Port = 358
(1)   State = 0xe721f8dae720e1179a644c3cc02883a2
(1)   EAP-Message = 0x020100831980000000791603010074010000700301574f326b30922faf147cb949ddf0cbc1608f156910c4891daba2da78c0012f2500002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
(1)   Message-Authenticator = 0x92c928be321780c070953f067f2bcc5a
(1)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(1)   NAS-Port-Id = "ge-3/0/6.0"
(1)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(1)   Called-Station-Id = "ec-3e-f7-68-35-00"
(1)   NAS-IP-Address = 10.8.0.111
(1)   NAS-Identifier = "nyc-access-sw011"
(1)   NAS-Port-Type = Ethernet
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 131
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xe721f8dae720e117
(1) eap: Finished EAP session with state 0xe721f8dae720e117
(1) eap: Previous EAP request found for state 0xe721f8dae720e117, released from the list
(1) eap: Peer sent packet with method EAP PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Continuing EAP-TLS
(1) eap_peap: Peer indicated complete TLS record size will be 121 bytes
(1) eap_peap: Got complete TLS record (121 bytes)
(1) eap_peap: [eaptls verify] = length included
(1) eap_peap: (other): before/accept initialization
(1) eap_peap: TLS_accept: before/accept initialization
(1) eap_peap: <<< recv TLS 1.0 Handshake [length 0074], ClientHello
(1) eap_peap: TLS_accept: SSLv3 read client hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(1) eap_peap: TLS_accept: SSLv3 write server hello A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(1) eap_peap: TLS_accept: SSLv3 write certificate A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(1) eap_peap: TLS_accept: SSLv3 write key exchange A
(1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(1) eap_peap: TLS_accept: SSLv3 write server done A
(1) eap_peap: TLS_accept: SSLv3 flush data
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_peap: In SSL Handshake Phase
(1) eap_peap: In SSL Accept mode
(1) eap_peap: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 2 length 1004
(1) eap: EAP session adding &reply:State = 0xe721f8dae623e117
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 247 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(1)   EAP-Message = 0x010203ec19c000000a8f1603010059020000550301574f326b5b8bdfe21962f4b15feab76dfff1608f4550d6c7ec711ba829fa39be2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010216030108d30b0008cf0008cc0003de
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xe721f8dae623e1179a644c3cc02883a2
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 248 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
(2)   User-Name = "vkratsberg"
(2)   NAS-Port = 358
(2)   State = 0xe721f8dae623e1179a644c3cc02883a2
(2)   EAP-Message = 0x020200061900
(2)   Message-Authenticator = 0x0f3eb5380fe7aad1791a9f9f12fe2599
(2)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(2)   NAS-Port-Id = "ge-3/0/6.0"
(2)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(2)   Called-Station-Id = "ec-3e-f7-68-35-00"
(2)   NAS-IP-Address = 10.8.0.111
(2)   NAS-Identifier = "nyc-access-sw011"
(2)   NAS-Port-Type = Ethernet
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xe721f8dae623e117
(2) eap: Finished EAP session with state 0xe721f8dae623e117
(2) eap: Previous EAP request found for state 0xe721f8dae623e117, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer ACKed our handshake fragment
(2) eap_peap: [eaptls verify] = request
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1000
(2) eap: EAP session adding &reply:State = 0xe721f8dae522e117
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 248 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(2)   EAP-Message = 0x010303e8194071b3e01fba836beb308838d89bad205ba49eed992e3a4596342e22389d433838315b3c6acafe13be2310ff184f7b1592c03985a3eca0b8bd82f686b760386efb8c0043dc607c9614ccb808ce132b4a7e847d38c06156a9f284cc6abfafb474747db131a41870fc6e970004e8308204e430
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xe721f8dae522e1179a644c3cc02883a2
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 249 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
(3)   User-Name = "vkratsberg"
(3)   NAS-Port = 358
(3)   State = 0xe721f8dae522e1179a644c3cc02883a2
(3)   EAP-Message = 0x020300061900
(3)   Message-Authenticator = 0x7ccdf906b92ee738420697a4cb608339
(3)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(3)   NAS-Port-Id = "ge-3/0/6.0"
(3)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(3)   Called-Station-Id = "ec-3e-f7-68-35-00"
(3)   NAS-IP-Address = 10.8.0.111
(3)   NAS-Identifier = "nyc-access-sw011"
(3)   NAS-Port-Type = Ethernet
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> TRUE
(3)       if (&User-Name)  {
(3)         if (&User-Name =~ / /) {
(3)         if (&User-Name =~ / /)  -> FALSE
(3)         if (&User-Name =~ /@[^@]*@/ ) {
(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(3)         if (&User-Name =~ /\.\./ ) {
(3)         if (&User-Name =~ /\.\./ )  -> FALSE
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(3)         if (&User-Name =~ /\.$/)  {
(3)         if (&User-Name =~ /\.$/)   -> FALSE
(3)         if (&User-Name =~ /@\./)  {
(3)         if (&User-Name =~ /@\./)   -> FALSE
(3)       } # if (&User-Name)  = notfound
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(3) suffix: No such realm "NULL"
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xe721f8dae522e117
(3) eap: Finished EAP session with state 0xe721f8dae522e117
(3) eap: Previous EAP request found for state 0xe721f8dae522e117, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 721
(3) eap: EAP session adding &reply:State = 0xe721f8dae425e117
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 249 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(3)   EAP-Message = 0x010402d1190020417574686f72697479820900b4af48428be30b7f300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d010105050003820101
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xe721f8dae425e1179a644c3cc02883a2
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 250 from 10.8.0.111:58432 to 10.8.64.155:1812 length 324
(4)   User-Name = "vkratsberg"
(4)   NAS-Port = 358
(4)   State = 0xe721f8dae425e1179a644c3cc02883a2
(4)   EAP-Message = 0x020400901980000000861603010046100000424104c1250c18eaf43a2b61ee83151279192b20c3ea7f39702cca42b5744691486f4ad54b31a264c9da016e4990df45488fc19c15fc1313ff60514e809aecff60012a14030100010116030100305a889b5b623e54e33410b9ab45da9e0e81b1163608e3d8
(4)   Message-Authenticator = 0xaaac0b9d426ac3877cfbb79f8e162b8c
(4)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(4)   NAS-Port-Id = "ge-3/0/6.0"
(4)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(4)   Called-Station-Id = "ec-3e-f7-68-35-00"
(4)   NAS-IP-Address = 10.8.0.111
(4)   NAS-Identifier = "nyc-access-sw011"
(4)   NAS-Port-Type = Ethernet
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> TRUE
(4)       if (&User-Name)  {
(4)         if (&User-Name =~ / /) {
(4)         if (&User-Name =~ / /)  -> FALSE
(4)         if (&User-Name =~ /@[^@]*@/ ) {
(4)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(4)         if (&User-Name =~ /\.\./ ) {
(4)         if (&User-Name =~ /\.\./ )  -> FALSE
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(4)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(4)         if (&User-Name =~ /\.$/)  {
(4)         if (&User-Name =~ /\.$/)   -> FALSE
(4)         if (&User-Name =~ /@\./)  {
(4)         if (&User-Name =~ /@\./)   -> FALSE
(4)       } # if (&User-Name)  = notfound
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(4) suffix: No such realm "NULL"
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 144
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xe721f8dae425e117
(4) eap: Finished EAP session with state 0xe721f8dae425e117
(4) eap: Previous EAP request found for state 0xe721f8dae425e117, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(4) eap_peap: Got complete TLS record (134 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(4) eap_peap: TLS_accept: SSLv3 read client key exchange A
(4) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 read finished A
(4) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(4) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(4) eap_peap: TLS_accept: SSLv3 write finished A
(4) eap_peap: TLS_accept: SSLv3 flush data
(4) eap_peap: Serialising session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a, and storing in cache
(4) eap_peap: WARNING: Wrote session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a to /var/log/radius/tlscache/99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a.asn1 (134 bytes)
(4) eap_peap: (other): SSL negotiation finished successfully
(4) eap_peap: SSL Connection Established
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 65
(4) eap: EAP session adding &reply:State = 0xe721f8dae324e117
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found.  Ignoring.
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 250 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(4)   EAP-Message = 0x0105004119001403010001011603010030ac3cbd3d597b1b6365d686d3d45870db33e14597cb7ea942183039828c7f8483ccf0dd81b9a0d7feb0e9f69ed34af2e9
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xe721f8dae324e1179a644c3cc02883a2
(4) Finished request
Waking up in 4.9 seconds.
(5) Received Access-Request Id 251 from 10.8.0.111:58432 to 10.8.64.155:1812 length 186
(5)   User-Name = "vkratsberg"
(5)   NAS-Port = 358
(5)   State = 0xe721f8dae324e1179a644c3cc02883a2
(5)   EAP-Message = 0x020500061900
(5)   Message-Authenticator = 0x724930df1cf0366b8de3bb2a09e1ff05
(5)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(5)   NAS-Port-Id = "ge-3/0/6.0"
(5)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(5)   Called-Station-Id = "ec-3e-f7-68-35-00"
(5)   NAS-IP-Address = 10.8.0.111
(5)   NAS-Identifier = "nyc-access-sw011"
(5)   NAS-Port-Type = Ethernet
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 6
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xe721f8dae324e117
(5) eap: Finished EAP session with state 0xe721f8dae324e117
(5) eap: Previous EAP request found for state 0xe721f8dae324e117, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer ACKed our handshake fragment.  handshake is finished
(5) eap_peap: [eaptls verify] = success
(5) eap_peap: [eaptls process] = success
(5) eap_peap: Session established.  Decoding tunneled attributes
(5) eap_peap: PEAP state TUNNEL ESTABLISHED
(5) eap: Sending EAP Request (code 1) ID 6 length 43
(5) eap: EAP session adding &reply:State = 0xe721f8dae227e117
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found.  Ignoring.
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 251 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(5)   EAP-Message = 0x0106002b1900170301002056f567a54752822c0a583972ee87155b418f97bd51bb8b130316079b67a58623
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xe721f8dae227e1179a644c3cc02883a2
(5) Finished request
Waking up in 4.9 seconds.
(6) Received Access-Request Id 252 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(6)   User-Name = "vkratsberg"
(6)   NAS-Port = 358
(6)   State = 0xe721f8dae227e1179a644c3cc02883a2
(6)   EAP-Message = 0x0206002b19001703010020ddb9728c27cf976fd0dc12a7fdc6a27b26b30f63ac10466da958a621d447399f
(6)   Message-Authenticator = 0xfe1193072b7a947a71fac2d9c3f2875e
(6)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(6)   NAS-Port-Id = "ge-3/0/6.0"
(6)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(6)   Called-Station-Id = "ec-3e-f7-68-35-00"
(6)   NAS-IP-Address = 10.8.0.111
(6)   NAS-Identifier = "nyc-access-sw011"
(6)   NAS-Port-Type = Ethernet
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> TRUE
(6)       if (&User-Name)  {
(6)         if (&User-Name =~ / /) {
(6)         if (&User-Name =~ / /)  -> FALSE
(6)         if (&User-Name =~ /@[^@]*@/ ) {
(6)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)         if (&User-Name =~ /\.\./ ) {
(6)         if (&User-Name =~ /\.\./ )  -> FALSE
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)         if (&User-Name =~ /\.$/)  {
(6)         if (&User-Name =~ /\.$/)   -> FALSE
(6)         if (&User-Name =~ /@\./)  {
(6)         if (&User-Name =~ /@\./)   -> FALSE
(6)       } # if (&User-Name)  = notfound
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 43
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xe721f8dae227e117
(6) eap: Finished EAP session with state 0xe721f8dae227e117
(6) eap: Previous EAP request found for state 0xe721f8dae227e117, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: [eaptls verify] = ok
(6) eap_peap: Done initial handshake
(6) eap_peap: [eaptls process] = ok
(6) eap_peap: Session established.  Decoding tunneled attributes
(6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(6) eap_peap: Identity - vkratsberg
(6) eap_peap: Got inner identity 'vkratsberg'
(6) eap_peap: Setting default EAP type for tunneled EAP session
(6) eap_peap: Got tunneled request
(6) eap_peap:   EAP-Message = 0x0206000f01766b7261747362657267
(6) eap_peap: Setting User-Name to vkratsberg
(6) eap_peap: Sending tunneled request to inner-tunnel
(6) eap_peap:   EAP-Message = 0x0206000f01766b7261747362657267
(6) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_peap:   User-Name = "vkratsberg"
(6) eap_peap:   NAS-Port = 358
(6) eap_peap:   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(6) eap_peap:   NAS-Port-Id = "ge-3/0/6.0"
(6) eap_peap:   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(6) eap_peap:   Called-Station-Id = "ec-3e-f7-68-35-00"
(6) eap_peap:   NAS-IP-Address = 10.8.0.111
(6) eap_peap:   NAS-Identifier = "nyc-access-sw011"
(6) eap_peap:   NAS-Port-Type = Ethernet
(6) eap_peap:   Event-Timestamp = "Jun  1 2016 19:07:24 GMT"
(6) Virtual server inner-tunnel received request
(6)   EAP-Message = 0x0206000f01766b7261747362657267
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6)   User-Name = "vkratsberg"
(6)   NAS-Port = 358
(6)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(6)   NAS-Port-Id = "ge-3/0/6.0"
(6)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(6)   Called-Station-Id = "ec-3e-f7-68-35-00"
(6)   NAS-IP-Address = 10.8.0.111
(6)   NAS-Identifier = "nyc-access-sw011"
(6)   NAS-Port-Type = Ethernet
(6)   Event-Timestamp = "Jun  1 2016 19:07:24 GMT"
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 15
(6) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)       [eap] = ok
(6)     } # authorize = ok
(6)   Found Auth-Type = eap
(6)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)     authenticate {
(6) eap: Peer sent packet with method EAP Identity (1)
(6) eap: Calling submodule eap_gtc to process data
(6) eap_gtc: EXPAND Password:
(6) eap_gtc:    --> Password:
(6) eap: Sending EAP Request (code 1) ID 7 length 15
(6) eap: EAP session adding &reply:State = 0x87b0b2d287b7b427
(6)       [eap] = handled
(6)     } # authenticate = handled
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   EAP-Message = 0x0107000f0650617373776f72643a20
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0x87b0b2d287b7b4274c2169b0b4f0842a
(6) eap_peap: Got tunneled reply code 11
(6) eap_peap:   EAP-Message = 0x0107000f0650617373776f72643a20
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x87b0b2d287b7b4274c2169b0b4f0842a
(6) eap_peap: Got tunneled reply RADIUS code 11
(6) eap_peap:   EAP-Message = 0x0107000f0650617373776f72643a20
(6) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(6) eap_peap:   State = 0x87b0b2d287b7b4274c2169b0b4f0842a
(6) eap_peap: Got tunneled Access-Challenge
(6) eap: Sending EAP Request (code 1) ID 7 length 43
(6) eap: EAP session adding &reply:State = 0xe721f8dae126e117
(6)     [eap] = handled
(6)   } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found.  Ignoring.
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 252 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(6)   EAP-Message = 0x0107002b19001703010020873bc3876cff111054fe6fe985150bff6183a303583ab84619cf13812cabf36a
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6)   State = 0xe721f8dae126e1179a644c3cc02883a2
(6) Finished request
Waking up in 4.8 seconds.
(7) Received Access-Request Id 253 from 10.8.0.111:58432 to 10.8.64.155:1812 length 239
(7)   User-Name = "vkratsberg"
(7)   NAS-Port = 358
(7)   State = 0xe721f8dae126e1179a644c3cc02883a2
(7)   EAP-Message = 0x0207003b19001703010030fef5c11d287c93e1ce63d1ce6594bed3d1e37618dad69a62914e08b0083a649d96861476e5a8f5c57029fe6ec334866a
(7)   Message-Authenticator = 0x604bda28407c5da700ab0335a6bb9dcd
(7)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(7)   NAS-Port-Id = "ge-3/0/6.0"
(7)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(7)   Called-Station-Id = "ec-3e-f7-68-35-00"
(7)   NAS-IP-Address = 10.8.0.111
(7)   NAS-Identifier = "nyc-access-sw011"
(7)   NAS-Port-Type = Ethernet
(7) session-state: No cached attributes
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 59
(7) eap: Continuing tunnel setup
(7)     [eap] = ok
(7)   } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x87b0b2d287b7b427
(7) eap: Finished EAP session with state 0xe721f8dae126e117
(7) eap: Previous EAP request found for state 0xe721f8dae126e117, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established.  Decoding tunneled attributes
(7) eap_peap: PEAP state phase2
(7) eap_peap: EAP method GTC (6)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x02070010065b566b726174313938335d
(7) eap_peap: Setting User-Name to vkratsberg
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap:   EAP-Message = 0x02070010065b566b726174313938335d
(7) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap:   User-Name = "vkratsberg"
(7) eap_peap:   State = 0x87b0b2d287b7b4274c2169b0b4f0842a
(7) eap_peap:   NAS-Port = 358
(7) eap_peap:   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(7) eap_peap:   NAS-Port-Id = "ge-3/0/6.0"
(7) eap_peap:   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(7) eap_peap:   Called-Station-Id = "ec-3e-f7-68-35-00"
(7) eap_peap:   NAS-IP-Address = 10.8.0.111
(7) eap_peap:   NAS-Identifier = "nyc-access-sw011"
(7) eap_peap:   NAS-Port-Type = Ethernet
(7) eap_peap:   Event-Timestamp = "Jun  1 2016 19:07:24 GMT"
(7) Virtual server inner-tunnel received request
(7)   EAP-Message = 0x02070010065b566b726174313938335d
(7)   FreeRADIUS-Proxied-To = 127.0.0.1
(7)   User-Name = "vkratsberg"
(7)   State = 0x87b0b2d287b7b4274c2169b0b4f0842a
(7)   NAS-Port = 358
(7)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(7)   NAS-Port-Id = "ge-3/0/6.0"
(7)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(7)   Called-Station-Id = "ec-3e-f7-68-35-00"
(7)   NAS-IP-Address = 10.8.0.111
(7)   NAS-Identifier = "nyc-access-sw011"
(7)   NAS-Port-Type = Ethernet
(7)   Event-Timestamp = "Jun  1 2016 19:07:24 GMT"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server inner-tunnel {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authorize {
(7)       policy filter_username {
(7)         if (&User-Name) {
(7)         if (&User-Name)  -> TRUE
(7)         if (&User-Name)  {
(7)           if (&User-Name =~ / /) {
(7)           if (&User-Name =~ / /)  -> FALSE
(7)           if (&User-Name =~ /@[^@]*@/ ) {
(7)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)           if (&User-Name =~ /\.\./ ) {
(7)           if (&User-Name =~ /\.\./ )  -> FALSE
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)           if (&User-Name =~ /\.$/)  {
(7)           if (&User-Name =~ /\.$/)   -> FALSE
(7)           if (&User-Name =~ /@\./)  {
(7)           if (&User-Name =~ /@\./)   -> FALSE
(7)         } # if (&User-Name)  = notfound
(7)       } # policy filter_username = notfound
(7)       [chap] = noop
(7)       [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)       [suffix] = noop
(7)       update control {
(7)         &Proxy-To-Realm := LOCAL
(7)       } # update control = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 16
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7) files: Searching for user in group "juniper-admins"
rlm_ldap (ldap): Reserved connection (0)
(7) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) files:    --> (uid=vkratsberg)
(7) files: Performing search in "dc=sq,dc=net" with filter "(uid=vkratsberg)", scope "sub"
(7) files: Waiting for search result...
(7) files: User object found at DN "uid=vkratsberg,ou=people,dc=sq,dc=net"
(7) files: Checking for user in group objects
(7) files:   EXPAND (&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(7) files:      --> (&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=uid\3dvkratsberg\2cou\3dpeople\2cdc\3dsq\2cdc\3dnet)(memberUid=vkratsberg)))
(7) files:   Performing search in "dc=sq,dc=net" with filter "(&(cn=juniper-admins)(objectClass=GroupOfNames)(|(member=uid\3dvkratsberg\2cou\3dpeople\2cdc\3dsq\2cdc\3dnet)(memberUid=vkratsberg)))", scope "sub"
(7) files:   Waiting for search result...
(7) files: User found in group object "dc=sq,dc=net"
rlm_ldap (ldap): Released connection (0)
(7) files: users: Matched entry DEFAULT at line 98
(7)       [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(7) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(7) ldap:    --> (uid=vkratsberg)
(7) ldap: Performing search in "dc=sq,dc=net" with filter "(uid=vkratsberg)", scope "sub"
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=vkratsberg,ou=people,dc=sq,dc=net"
(7) ldap: Processing user attributes
(7) ldap: control:Password-With-Header += '{SSHA}Qen1MM87QS4nPktGhWkyE3ECTjucBhAp+Ce+Ug=='
rlm_ldap (ldap): Released connection (1)
(7)       [ldap] = updated
(7)       [expiration] = noop
(7)       [logintime] = noop
(7) pap: Converted: Password-With-Header -> SSHA1-Password
(7) pap: Removing &control:Password-With-Header
(7) pap: Normalizing SSHA1-Password from base64 encoding, 40 bytes -> 28 bytes
(7) pap: WARNING: Auth-Type already set.  Not setting to PAP
(7)       [pap] = noop
(7)     } # authorize = updated
(7)   Found Auth-Type = eap
(7)   # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)     authenticate {
(7) eap: Expiring EAP session with state 0x87b0b2d287b7b427
(7) eap: Finished EAP session with state 0x87b0b2d287b7b427
(7) eap: Previous EAP request found for state 0x87b0b2d287b7b427, released from the list
(7) eap: Peer sent packet with method EAP GTC (6)
(7) eap: Calling submodule eap_gtc to process data
(7) eap_gtc: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7) eap_gtc:   Auth-Type PAP {
(7) pap: Login attempt with password
(7) pap: Comparing with "known-good" SSHA-Password
(7) pap: User authenticated successfully
(7)     [pap] = ok
(7)   } # Auth-Type PAP = ok
(7) eap: Sending EAP Success (code 3) ID 7 length 4
(7) eap: Freeing handler
(7)       [eap] = ok
(7)     } # authenticate = ok
(7)   # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(7)     post-auth { ... } # empty sub-section is ignored
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7)   Service-Type = Login-User
(7)   Idle-Timeout = 600
(7)   Juniper-Local-User-Name = "admin"
(7)   Tunnel-Type = VLAN
(7)   Tunnel-Medium-Type = IEEE-802
(7)   Tunnel-Private-Group-Id = "810"
(7)   EAP-Message = 0x03070004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   User-Name = "vkratsberg"
(7) eap_peap: Got tunneled reply code 2
(7) eap_peap:   Service-Type = Login-User
(7) eap_peap:   Idle-Timeout = 600
(7) eap_peap:   Juniper-Local-User-Name = "admin"
(7) eap_peap:   Tunnel-Type = VLAN
(7) eap_peap:   Tunnel-Medium-Type = IEEE-802
(7) eap_peap:   Tunnel-Private-Group-Id = "810"
(7) eap_peap:   EAP-Message = 0x03070004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   User-Name = "vkratsberg"
(7) eap_peap: Got tunneled reply RADIUS code 2
(7) eap_peap:   Service-Type = Login-User
(7) eap_peap:   Idle-Timeout = 600
(7) eap_peap:   Juniper-Local-User-Name = "admin"
(7) eap_peap:   Tunnel-Type = VLAN
(7) eap_peap:   Tunnel-Medium-Type = IEEE-802
(7) eap_peap:   Tunnel-Private-Group-Id = "810"
(7) eap_peap:   EAP-Message = 0x03070004
(7) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_peap:   User-Name = "vkratsberg"
(7) eap_peap: Tunneled authentication was successful
(7) eap_peap: SUCCESS
(7) eap_peap: Saving tunneled attributes for later
(7) eap: Sending EAP Request (code 1) ID 8 length 43
(7) eap: EAP session adding &reply:State = 0xe721f8dae029e117
(7)     [eap] = handled
(7)   } # authenticate = handled
(7) Using Post-Auth-Type Challenge
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7) Sent Access-Challenge Id 253 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(7)   EAP-Message = 0x0108002b19001703010020025fedbb3790032cfa67fe09a2bab06883e023fe82f902bbcfcdefb9212dd17e
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xe721f8dae029e1179a644c3cc02883a2
(7) Finished request
Waking up in 4.8 seconds.
(8) Received Access-Request Id 254 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(8)   User-Name = "vkratsberg"
(8)   NAS-Port = 358
(8)   State = 0xe721f8dae029e1179a644c3cc02883a2
(8)   EAP-Message = 0x0208002b19001703010020c9240fab3671ae74178e617b4f1f6314f87f24f2f60d7ab866c7f10839047e45
(8)   Message-Authenticator = 0x6dfc9fd768d69c5339baff7e6d71b717
(8)   Acct-Session-Id = "8O2.1x81bb0d44000d7362"
(8)   NAS-Port-Id = "ge-3/0/6.0"
(8)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(8)   Called-Station-Id = "ec-3e-f7-68-35-00"
(8)   NAS-IP-Address = 10.8.0.111
(8)   NAS-Identifier = "nyc-access-sw011"
(8)   NAS-Port-Type = Ethernet
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 8 length 43
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0xe721f8dae029e117
(8) eap: Finished EAP session with state 0xe721f8dae029e117
(8) eap: Previous EAP request found for state 0xe721f8dae029e117, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state send tlv success
(8) eap_peap: Received EAP-TLV response
(8) eap_peap: Success
(8) eap_peap: Using saved attributes from the original Access-Accept
(8) eap_peap:   Service-Type = Login-User
(8) eap_peap:   Idle-Timeout = 600
(8) eap_peap:   Juniper-Local-User-Name = "admin"
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "810"
(8) eap_peap:   User-Name = "vkratsberg"
(8) eap_peap:     caching User-Name = "vkratsberg"
(8) eap_peap: Saving session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a in the disk cache
(8) eap: Sending EAP Success (code 3) ID 8 length 4
(8) eap: Freeing handler
(8)     [eap] = ok
(8)   } # authenticate = ok
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(8)   post-auth {
(8)     update {
(8)       No attributes updated
(8)     } # update = noop
(8)     [exec] = noop
(8)     policy remove_reply_message_if_eap {
(8)       if (&reply:EAP-Message && &reply:Reply-Message) {
(8)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)       else {
(8)         [noop] = noop
(8)       } # else = noop
(8)     } # policy remove_reply_message_if_eap = noop
(8)   } # post-auth = noop
(8) Sent Access-Accept Id 254 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(8)   Service-Type = Login-User
(8)   Idle-Timeout = 600
(8)   Juniper-Local-User-Name = "admin"
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "810"
(8)   User-Name = "vkratsberg"
(8)   MS-MPPE-Recv-Key = 0x4407702097430f113d9d0b814d00e2c69bfba71e5f75c136ab61ec3630b50085
(8)   MS-MPPE-Send-Key = 0x32ecd245ae2b1650df5e25493fea60185f21347cde19e913f161548bec10a863
(8)   EAP-Message = 0x03080004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8) Finished request
Waking up in 4.8 seconds.
(9) Received Access-Request Id 255 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(9)   User-Name = "vkratsberg"
(9)   NAS-Port = 358
(9)   EAP-Message = 0x0209000f01766b7261747362657267
(9)   Message-Authenticator = 0xd831bac52483090c0d25ae02fa0763f6
(9)   Acct-Session-Id = "8O2.1x81bb0d450002d013"
(9)   NAS-Port-Id = "ge-3/0/6.0"
(9)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(9)   Called-Station-Id = "ec-3e-f7-68-35-00"
(9)   NAS-IP-Address = 10.8.0.111
(9)   NAS-Identifier = "nyc-access-sw011"
(9)   NAS-Port-Type = Ethernet
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)     policy filter_username {
(9)       if (&User-Name) {
(9)       if (&User-Name)  -> TRUE
(9)       if (&User-Name)  {
(9)         if (&User-Name =~ / /) {
(9)         if (&User-Name =~ / /)  -> FALSE
(9)         if (&User-Name =~ /@[^@]*@/ ) {
(9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(9)         if (&User-Name =~ /\.\./ ) {
(9)         if (&User-Name =~ /\.\./ )  -> FALSE
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(9)         if (&User-Name =~ /\.$/)  {
(9)         if (&User-Name =~ /\.$/)   -> FALSE
(9)         if (&User-Name =~ /@\./)  {
(9)         if (&User-Name =~ /@\./)   -> FALSE
(9)       } # if (&User-Name)  = notfound
(9)     } # policy filter_username = notfound
(9)     [preprocess] = ok
(9)     [chap] = noop
(9)     [mschap] = noop
(9)     [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(9) suffix: No such realm "NULL"
(9)     [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 9 length 15
(9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(9)     [eap] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Peer sent packet with method EAP Identity (1)
(9) eap: Calling submodule eap_peap to process data
(9) eap_peap: Initiating new EAP-TLS session
(9) eap_peap: [eaptls start] = request
(9) eap: Sending EAP Request (code 1) ID 10 length 6
(9) eap: EAP session adding &reply:State = 0xa33a74bda3306da1
(9)     [eap] = handled
(9)   } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found.  Ignoring.
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9) Sent Access-Challenge Id 255 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(9)   EAP-Message = 0x010a00061920
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0xa33a74bda3306da1dff5d7e4439606fe
(9) Finished request
Waking up in 4.7 seconds.
(10) Received Access-Request Id 1 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(10)   User-Name = "vkratsberg"
(10)   NAS-Port = 358
(10)   State = 0xa33a74bda3306da1dff5d7e4439606fe
(10)   EAP-Message = 0x020a00a31980000000991603010094010000900301574f326c30365abeacad84468c67339e70e8f66e471287389dbdfc6e474c68f12099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(10)   Message-Authenticator = 0xb0ad288b154b2794a4eef7c2e43b6ece
(10)   Acct-Session-Id = "8O2.1x81bb0d450002d013"
(10)   NAS-Port-Id = "ge-3/0/6.0"
(10)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(10)   Called-Station-Id = "ec-3e-f7-68-35-00"
(10)   NAS-IP-Address = 10.8.0.111
(10)   NAS-Identifier = "nyc-access-sw011"
(10)   NAS-Port-Type = Ethernet
(10) session-state: No cached attributes
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10)   authorize {
(10)     policy filter_username {
(10)       if (&User-Name) {
(10)       if (&User-Name)  -> TRUE
(10)       if (&User-Name)  {
(10)         if (&User-Name =~ / /) {
(10)         if (&User-Name =~ / /)  -> FALSE
(10)         if (&User-Name =~ /@[^@]*@/ ) {
(10)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(10)         if (&User-Name =~ /\.\./ ) {
(10)         if (&User-Name =~ /\.\./ )  -> FALSE
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(10)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(10)         if (&User-Name =~ /\.$/)  {
(10)         if (&User-Name =~ /\.$/)   -> FALSE
(10)         if (&User-Name =~ /@\./)  {
(10)         if (&User-Name =~ /@\./)   -> FALSE
(10)       } # if (&User-Name)  = notfound
(10)     } # policy filter_username = notfound
(10)     [preprocess] = ok
(10)     [chap] = noop
(10)     [mschap] = noop
(10)     [digest] = noop
(10) suffix: Checking for suffix after "@"
(10) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(10) suffix: No such realm "NULL"
(10)     [suffix] = noop
(10) eap: Peer sent EAP Response (code 2) ID 10 length 163
(10) eap: Continuing tunnel setup
(10)     [eap] = ok
(10)   } # authorize = ok
(10) Found Auth-Type = eap
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10) eap: Expiring EAP session with state 0xa33a74bda3306da1
(10) eap: Finished EAP session with state 0xa33a74bda3306da1
(10) eap: Previous EAP request found for state 0xa33a74bda3306da1, released from the list
(10) eap: Peer sent packet with method EAP PEAP (25)
(10) eap: Calling submodule eap_peap to process data
(10) eap_peap: Continuing EAP-TLS
(10) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(10) eap_peap: Got complete TLS record (153 bytes)
(10) eap_peap: [eaptls verify] = length included
(10) eap_peap: (other): before/accept initialization
(10) eap_peap: TLS_accept: before/accept initialization
(10) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(10) eap_peap: TLS_accept: SSLv3 read client hello A
(10) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(10) eap_peap: TLS_accept: SSLv3 write server hello A
(10) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(10) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(10) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(10) eap_peap: TLS_accept: SSLv3 write finished A
(10) eap_peap: TLS_accept: SSLv3 flush data
(10) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(10) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(10) eap_peap: In SSL Handshake Phase
(10) eap_peap: In SSL Accept mode
(10) eap_peap: [eaptls process] = handled
(10) eap: Sending EAP Request (code 1) ID 11 length 159
(10) eap: EAP session adding &reply:State = 0xa33a74bda2316da1
(10)     [eap] = handled
(10)   } # authenticate = handled
(10) Using Post-Auth-Type Challenge
(10) Post-Auth-Type sub-section not found.  Ignoring.
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10) Sent Access-Challenge Id 1 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(10)   EAP-Message = 0x010b009f19001603010059020000550301574f326ce812a7f012816d171f700cd8264471d9e844cb6c33652b96f96ecb8c2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030d370054b05724f00
(10)   Message-Authenticator = 0x00000000000000000000000000000000
(10)   State = 0xa33a74bda2316da1dff5d7e4439606fe
(10) Finished request
Waking up in 4.7 seconds.
(11) Received Access-Request Id 2 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(11)   User-Name = "vkratsberg"
(11)   NAS-Port = 358
(11)   State = 0xa33a74bda2316da1dff5d7e4439606fe
(11)   EAP-Message = 0x020b004519800000003b1403010001011603010030b20992043586ac11f69f14f058e2d316081fa71b44d992be784e5e1c6c073ab9211f62fc05375eccf5ff45f7c51d8652
(11)   Message-Authenticator = 0x55422bb82a8a476c47e35cea3023a169
(11)   Acct-Session-Id = "8O2.1x81bb0d450002d013"
(11)   NAS-Port-Id = "ge-3/0/6.0"
(11)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(11)   Called-Station-Id = "ec-3e-f7-68-35-00"
(11)   NAS-IP-Address = 10.8.0.111
(11)   NAS-Identifier = "nyc-access-sw011"
(11)   NAS-Port-Type = Ethernet
(11) session-state: No cached attributes
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11)   authorize {
(11)     policy filter_username {
(11)       if (&User-Name) {
(11)       if (&User-Name)  -> TRUE
(11)       if (&User-Name)  {
(11)         if (&User-Name =~ / /) {
(11)         if (&User-Name =~ / /)  -> FALSE
(11)         if (&User-Name =~ /@[^@]*@/ ) {
(11)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(11)         if (&User-Name =~ /\.\./ ) {
(11)         if (&User-Name =~ /\.\./ )  -> FALSE
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(11)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(11)         if (&User-Name =~ /\.$/)  {
(11)         if (&User-Name =~ /\.$/)   -> FALSE
(11)         if (&User-Name =~ /@\./)  {
(11)         if (&User-Name =~ /@\./)   -> FALSE
(11)       } # if (&User-Name)  = notfound
(11)     } # policy filter_username = notfound
(11)     [preprocess] = ok
(11)     [chap] = noop
(11)     [mschap] = noop
(11)     [digest] = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(11) suffix: No such realm "NULL"
(11)     [suffix] = noop
(11) eap: Peer sent EAP Response (code 2) ID 11 length 69
(11) eap: Continuing tunnel setup
(11)     [eap] = ok
(11)   } # authorize = ok
(11) Found Auth-Type = eap
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)   authenticate {
(11) eap: Expiring EAP session with state 0xa33a74bda2316da1
(11) eap: Finished EAP session with state 0xa33a74bda2316da1
(11) eap: Previous EAP request found for state 0xa33a74bda2316da1, released from the list
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(11) eap_peap: Got complete TLS record (59 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(11) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(11) eap_peap: TLS_accept: SSLv3 read finished A
(11) eap_peap: (other): SSL negotiation finished successfully
(11) eap_peap: SSL Connection Established
(11) eap_peap: SSL Application Data
(11) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(11) eap_peap:   reply:User-Name = "vkratsberg"
(11) eap_peap: [eaptls process] = success
(11) eap_peap: Session established.  Decoding tunneled attributes
(11) eap_peap: PEAP state TUNNEL ESTABLISHED
(11) eap_peap: Skipping Phase2 because of session resumption
(11) eap_peap: SUCCESS
(11) eap: Sending EAP Request (code 1) ID 12 length 43
(11) eap: EAP session adding &reply:State = 0xa33a74bda1366da1
(11)     [eap] = handled
(11)   } # authenticate = handled
(11) Using Post-Auth-Type Challenge
(11) Post-Auth-Type sub-section not found.  Ignoring.
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Sent Access-Challenge Id 2 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(11)   User-Name = "vkratsberg"
(11)   EAP-Message = 0x010c002b190017030100205c2915677db37e408f1414e59450886dd5bb6ed134179f311a340e3f190388c9
(11)   Message-Authenticator = 0x00000000000000000000000000000000
(11)   State = 0xa33a74bda1366da1dff5d7e4439606fe
(11) Finished request
Waking up in 4.6 seconds.
(12) Received Access-Request Id 3 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(12)   User-Name = "vkratsberg"
(12)   NAS-Port = 358
(12)   State = 0xa33a74bda1366da1dff5d7e4439606fe
(12)   EAP-Message = 0x020c002b190017030100209151e868e023925c541607eab1e820cfcb6d5bd11b0f57df3b15129577d73262
(12)   Message-Authenticator = 0x77865c625fc4d52bb16a8b8fe154e2dc
(12)   Acct-Session-Id = "8O2.1x81bb0d450002d013"
(12)   NAS-Port-Id = "ge-3/0/6.0"
(12)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(12)   Called-Station-Id = "ec-3e-f7-68-35-00"
(12)   NAS-IP-Address = 10.8.0.111
(12)   NAS-Identifier = "nyc-access-sw011"
(12)   NAS-Port-Type = Ethernet
(12) session-state: No cached attributes
(12) # Executing section authorize from file /etc/raddb/sites-enabled/default
(12)   authorize {
(12)     policy filter_username {
(12)       if (&User-Name) {
(12)       if (&User-Name)  -> TRUE
(12)       if (&User-Name)  {
(12)         if (&User-Name =~ / /) {
(12)         if (&User-Name =~ / /)  -> FALSE
(12)         if (&User-Name =~ /@[^@]*@/ ) {
(12)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(12)         if (&User-Name =~ /\.\./ ) {
(12)         if (&User-Name =~ /\.\./ )  -> FALSE
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(12)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(12)         if (&User-Name =~ /\.$/)  {
(12)         if (&User-Name =~ /\.$/)   -> FALSE
(12)         if (&User-Name =~ /@\./)  {
(12)         if (&User-Name =~ /@\./)   -> FALSE
(12)       } # if (&User-Name)  = notfound
(12)     } # policy filter_username = notfound
(12)     [preprocess] = ok
(12)     [chap] = noop
(12)     [mschap] = noop
(12)     [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(12) suffix: No such realm "NULL"
(12)     [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 12 length 43
(12) eap: Continuing tunnel setup
(12)     [eap] = ok
(12)   } # authorize = ok
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/raddb/sites-enabled/default
(12)   authenticate {
(12) eap: Expiring EAP session with state 0xa33a74bda1366da1
(12) eap: Finished EAP session with state 0xa33a74bda1366da1
(12) eap: Previous EAP request found for state 0xa33a74bda1366da1, released from the list
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap: Calling submodule eap_peap to process data
(12) eap_peap: Continuing EAP-TLS
(12) eap_peap: [eaptls verify] = ok
(12) eap_peap: Done initial handshake
(12) eap_peap: [eaptls process] = ok
(12) eap_peap: Session established.  Decoding tunneled attributes
(12) eap_peap: PEAP state send tlv success
(12) eap_peap: Received EAP-TLV response
(12) eap_peap: Success
(12) eap_peap: No saved attributes in the original Access-Accept
(12) eap: Sending EAP Success (code 3) ID 12 length 4
(12) eap: Freeing handler
(12)     [eap] = ok
(12)   } # authenticate = ok
(12) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(12)   post-auth {
(12)     update {
(12)       No attributes updated
(12)     } # update = noop
(12)     [exec] = noop
(12)     policy remove_reply_message_if_eap {
(12)       if (&reply:EAP-Message && &reply:Reply-Message) {
(12)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(12)       else {
(12)         [noop] = noop
(12)       } # else = noop
(12)     } # policy remove_reply_message_if_eap = noop
(12)   } # post-auth = noop
(12) Sent Access-Accept Id 3 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(12)   MS-MPPE-Recv-Key = 0x70f1123cf3f625c98595aa20ca09cbc5ddb148866cbbe05d7dda9cfb9d9d1067
(12)   MS-MPPE-Send-Key = 0x77ad48361f34a5f080d16af5ed8ba6faa06fd96eaefd262e86ecc8caebe2609e
(12)   EAP-Message = 0x030c0004
(12)   Message-Authenticator = 0x00000000000000000000000000000000
(12)   User-Name = "vkratsberg"
(12) Finished request
Waking up in 4.6 seconds.
(13) Received Access-Request Id 4 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(13)   User-Name = "vkratsberg"
(13)   NAS-Port = 358
(13)   EAP-Message = 0x020d000f01766b7261747362657267
(13)   Message-Authenticator = 0x1922ee11ae9c1eaca6e26a21872dd08f
(13)   Acct-Session-Id = "8O2.1x81bb0d460004464c"
(13)   NAS-Port-Id = "ge-3/0/6.0"
(13)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(13)   Called-Station-Id = "ec-3e-f7-68-35-00"
(13)   NAS-IP-Address = 10.8.0.111
(13)   NAS-Identifier = "nyc-access-sw011"
(13)   NAS-Port-Type = Ethernet
(13) # Executing section authorize from file /etc/raddb/sites-enabled/default
(13)   authorize {
(13)     policy filter_username {
(13)       if (&User-Name) {
(13)       if (&User-Name)  -> TRUE
(13)       if (&User-Name)  {
(13)         if (&User-Name =~ / /) {
(13)         if (&User-Name =~ / /)  -> FALSE
(13)         if (&User-Name =~ /@[^@]*@/ ) {
(13)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(13)         if (&User-Name =~ /\.\./ ) {
(13)         if (&User-Name =~ /\.\./ )  -> FALSE
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(13)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(13)         if (&User-Name =~ /\.$/)  {
(13)         if (&User-Name =~ /\.$/)   -> FALSE
(13)         if (&User-Name =~ /@\./)  {
(13)         if (&User-Name =~ /@\./)   -> FALSE
(13)       } # if (&User-Name)  = notfound
(13)     } # policy filter_username = notfound
(13)     [preprocess] = ok
(13)     [chap] = noop
(13)     [mschap] = noop
(13)     [digest] = noop
(13) suffix: Checking for suffix after "@"
(13) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(13) suffix: No such realm "NULL"
(13)     [suffix] = noop
(13) eap: Peer sent EAP Response (code 2) ID 13 length 15
(13) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(13)     [eap] = ok
(13)   } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13)   authenticate {
(13) eap: Peer sent packet with method EAP Identity (1)
(13) eap: Calling submodule eap_peap to process data
(13) eap_peap: Initiating new EAP-TLS session
(13) eap_peap: [eaptls start] = request
(13) eap: Sending EAP Request (code 1) ID 14 length 6
(13) eap: EAP session adding &reply:State = 0xfde6745dfde86d7e
(13)     [eap] = handled
(13)   } # authenticate = handled
(13) Using Post-Auth-Type Challenge
(13) Post-Auth-Type sub-section not found.  Ignoring.
(13) # Executing group from file /etc/raddb/sites-enabled/default
(13) Sent Access-Challenge Id 4 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(13)   EAP-Message = 0x010e00061920
(13)   Message-Authenticator = 0x00000000000000000000000000000000
(13)   State = 0xfde6745dfde86d7e6e19918736dd611b
(13) Finished request
Waking up in 4.6 seconds.
(14) Received Access-Request Id 5 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(14)   User-Name = "vkratsberg"
(14)   NAS-Port = 358
(14)   State = 0xfde6745dfde86d7e6e19918736dd611b
(14)   EAP-Message = 0x020e00a31980000000991603010094010000900301574f326c1df9e7c48acf9cf81f51f727ddbdc82b5f8f4f4b15d51969cb14be5d2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(14)   Message-Authenticator = 0xac463993e42ea895ec771cd32be8f5fa
(14)   Acct-Session-Id = "8O2.1x81bb0d460004464c"
(14)   NAS-Port-Id = "ge-3/0/6.0"
(14)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(14)   Called-Station-Id = "ec-3e-f7-68-35-00"
(14)   NAS-IP-Address = 10.8.0.111
(14)   NAS-Identifier = "nyc-access-sw011"
(14)   NAS-Port-Type = Ethernet
(14) session-state: No cached attributes
(14) # Executing section authorize from file /etc/raddb/sites-enabled/default
(14)   authorize {
(14)     policy filter_username {
(14)       if (&User-Name) {
(14)       if (&User-Name)  -> TRUE
(14)       if (&User-Name)  {
(14)         if (&User-Name =~ / /) {
(14)         if (&User-Name =~ / /)  -> FALSE
(14)         if (&User-Name =~ /@[^@]*@/ ) {
(14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)         if (&User-Name =~ /\.\./ ) {
(14)         if (&User-Name =~ /\.\./ )  -> FALSE
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(14)         if (&User-Name =~ /\.$/)  {
(14)         if (&User-Name =~ /\.$/)   -> FALSE
(14)         if (&User-Name =~ /@\./)  {
(14)         if (&User-Name =~ /@\./)   -> FALSE
(14)       } # if (&User-Name)  = notfound
(14)     } # policy filter_username = notfound
(14)     [preprocess] = ok
(14)     [chap] = noop
(14)     [mschap] = noop
(14)     [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(14) suffix: No such realm "NULL"
(14)     [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 14 length 163
(14) eap: Continuing tunnel setup
(14)     [eap] = ok
(14)   } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14)   authenticate {
(14) eap: Expiring EAP session with state 0xfde6745dfde86d7e
(14) eap: Finished EAP session with state 0xfde6745dfde86d7e
(14) eap: Previous EAP request found for state 0xfde6745dfde86d7e, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: Continuing EAP-TLS
(14) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(14) eap_peap: Got complete TLS record (153 bytes)
(14) eap_peap: [eaptls verify] = length included
(14) eap_peap: (other): before/accept initialization
(14) eap_peap: TLS_accept: before/accept initialization
(14) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(14) eap_peap: TLS_accept: SSLv3 read client hello A
(14) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(14) eap_peap: TLS_accept: SSLv3 write server hello A
(14) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(14) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(14) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(14) eap_peap: TLS_accept: SSLv3 write finished A
(14) eap_peap: TLS_accept: SSLv3 flush data
(14) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(14) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(14) eap_peap: In SSL Handshake Phase
(14) eap_peap: In SSL Accept mode
(14) eap_peap: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 15 length 159
(14) eap: EAP session adding &reply:State = 0xfde6745dfce96d7e
(14)     [eap] = handled
(14)   } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found.  Ignoring.
(14) # Executing group from file /etc/raddb/sites-enabled/default
(14) Sent Access-Challenge Id 5 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(14)   EAP-Message = 0x010f009f19001603010059020000550301574f326c3ff4b4cb4053c9a605c10918af76bb2db0706077fe5de5a58cd4961e2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030659008e3341f0746
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0xfde6745dfce96d7e6e19918736dd611b
(14) Finished request
Waking up in 4.6 seconds.
(15) Received Access-Request Id 6 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(15)   User-Name = "vkratsberg"
(15)   NAS-Port = 358
(15)   State = 0xfde6745dfce96d7e6e19918736dd611b
(15)   EAP-Message = 0x020f004519800000003b1403010001011603010030dd7eae50c3b92d1a76a3901251bfcfdf8aef65b964497971ff1b06884ed396cad68432b1a7e1900185216fff671936da
(15)   Message-Authenticator = 0x9ac2ae88a6d2c721f8b27abc1349a9bb
(15)   Acct-Session-Id = "8O2.1x81bb0d460004464c"
(15)   NAS-Port-Id = "ge-3/0/6.0"
(15)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(15)   Called-Station-Id = "ec-3e-f7-68-35-00"
(15)   NAS-IP-Address = 10.8.0.111
(15)   NAS-Identifier = "nyc-access-sw011"
(15)   NAS-Port-Type = Ethernet
(15) session-state: No cached attributes
(15) # Executing section authorize from file /etc/raddb/sites-enabled/default
(15)   authorize {
(15)     policy filter_username {
(15)       if (&User-Name) {
(15)       if (&User-Name)  -> TRUE
(15)       if (&User-Name)  {
(15)         if (&User-Name =~ / /) {
(15)         if (&User-Name =~ / /)  -> FALSE
(15)         if (&User-Name =~ /@[^@]*@/ ) {
(15)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(15)         if (&User-Name =~ /\.\./ ) {
(15)         if (&User-Name =~ /\.\./ )  -> FALSE
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(15)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(15)         if (&User-Name =~ /\.$/)  {
(15)         if (&User-Name =~ /\.$/)   -> FALSE
(15)         if (&User-Name =~ /@\./)  {
(15)         if (&User-Name =~ /@\./)   -> FALSE
(15)       } # if (&User-Name)  = notfound
(15)     } # policy filter_username = notfound
(15)     [preprocess] = ok
(15)     [chap] = noop
(15)     [mschap] = noop
(15)     [digest] = noop
(15) suffix: Checking for suffix after "@"
(15) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(15) suffix: No such realm "NULL"
(15)     [suffix] = noop
(15) eap: Peer sent EAP Response (code 2) ID 15 length 69
(15) eap: Continuing tunnel setup
(15)     [eap] = ok
(15)   } # authorize = ok
(15) Found Auth-Type = eap
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15)   authenticate {
(15) eap: Expiring EAP session with state 0xfde6745dfce96d7e
(15) eap: Finished EAP session with state 0xfde6745dfce96d7e
(15) eap: Previous EAP request found for state 0xfde6745dfce96d7e, released from the list
(15) eap: Peer sent packet with method EAP PEAP (25)
(15) eap: Calling submodule eap_peap to process data
(15) eap_peap: Continuing EAP-TLS
(15) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(15) eap_peap: Got complete TLS record (59 bytes)
(15) eap_peap: [eaptls verify] = length included
(15) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(15) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(15) eap_peap: TLS_accept: SSLv3 read finished A
(15) eap_peap: (other): SSL negotiation finished successfully
(15) eap_peap: SSL Connection Established
(15) eap_peap: SSL Application Data
(15) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(15) eap_peap:   reply:User-Name = "vkratsberg"
(15) eap_peap: [eaptls process] = success
(15) eap_peap: Session established.  Decoding tunneled attributes
(15) eap_peap: PEAP state TUNNEL ESTABLISHED
(15) eap_peap: Skipping Phase2 because of session resumption
(15) eap_peap: SUCCESS
(15) eap: Sending EAP Request (code 1) ID 16 length 43
(15) eap: EAP session adding &reply:State = 0xfde6745dfff66d7e
(15)     [eap] = handled
(15)   } # authenticate = handled
(15) Using Post-Auth-Type Challenge
(15) Post-Auth-Type sub-section not found.  Ignoring.
(15) # Executing group from file /etc/raddb/sites-enabled/default
(15) Sent Access-Challenge Id 6 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(15)   User-Name = "vkratsberg"
(15)   EAP-Message = 0x0110002b1900170301002050059b69f8578c9e321fea9fe7e47a2abc4d9c013b60af85a03c295994952060
(15)   Message-Authenticator = 0x00000000000000000000000000000000
(15)   State = 0xfde6745dfff66d7e6e19918736dd611b
(15) Finished request
Waking up in 4.6 seconds.
(16) Received Access-Request Id 7 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(16)   User-Name = "vkratsberg"
(16)   NAS-Port = 358
(16)   State = 0xfde6745dfff66d7e6e19918736dd611b
(16)   EAP-Message = 0x0210002b190017030100207c5bb7a16a448b263de5c14d22c3c52c5f98e7af7a3fab60fbc8768ee307741e
(16)   Message-Authenticator = 0x0a2fdfd514eb5d9f7bbb7ad80f28ba16
(16)   Acct-Session-Id = "8O2.1x81bb0d460004464c"
(16)   NAS-Port-Id = "ge-3/0/6.0"
(16)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(16)   Called-Station-Id = "ec-3e-f7-68-35-00"
(16)   NAS-IP-Address = 10.8.0.111
(16)   NAS-Identifier = "nyc-access-sw011"
(16)   NAS-Port-Type = Ethernet
(16) session-state: No cached attributes
(16) # Executing section authorize from file /etc/raddb/sites-enabled/default
(16)   authorize {
(16)     policy filter_username {
(16)       if (&User-Name) {
(16)       if (&User-Name)  -> TRUE
(16)       if (&User-Name)  {
(16)         if (&User-Name =~ / /) {
(16)         if (&User-Name =~ / /)  -> FALSE
(16)         if (&User-Name =~ /@[^@]*@/ ) {
(16)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(16)         if (&User-Name =~ /\.\./ ) {
(16)         if (&User-Name =~ /\.\./ )  -> FALSE
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(16)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(16)         if (&User-Name =~ /\.$/)  {
(16)         if (&User-Name =~ /\.$/)   -> FALSE
(16)         if (&User-Name =~ /@\./)  {
(16)         if (&User-Name =~ /@\./)   -> FALSE
(16)       } # if (&User-Name)  = notfound
(16)     } # policy filter_username = notfound
(16)     [preprocess] = ok
(16)     [chap] = noop
(16)     [mschap] = noop
(16)     [digest] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(16) suffix: No such realm "NULL"
(16)     [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 16 length 43
(16) eap: Continuing tunnel setup
(16)     [eap] = ok
(16)   } # authorize = ok
(16) Found Auth-Type = eap
(16) # Executing group from file /etc/raddb/sites-enabled/default
(16)   authenticate {
(16) eap: Expiring EAP session with state 0xfde6745dfff66d7e
(16) eap: Finished EAP session with state 0xfde6745dfff66d7e
(16) eap: Previous EAP request found for state 0xfde6745dfff66d7e, released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: [eaptls process] = ok
(16) eap_peap: Session established.  Decoding tunneled attributes
(16) eap_peap: PEAP state send tlv success
(16) eap_peap: Received EAP-TLV response
(16) eap_peap: Success
(16) eap_peap: No saved attributes in the original Access-Accept
(16) eap: Sending EAP Success (code 3) ID 16 length 4
(16) eap: Freeing handler
(16)     [eap] = ok
(16)   } # authenticate = ok
(16) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(16)   post-auth {
(16)     update {
(16)       No attributes updated
(16)     } # update = noop
(16)     [exec] = noop
(16)     policy remove_reply_message_if_eap {
(16)       if (&reply:EAP-Message && &reply:Reply-Message) {
(16)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(16)       else {
(16)         [noop] = noop
(16)       } # else = noop
(16)     } # policy remove_reply_message_if_eap = noop
(16)   } # post-auth = noop
(16) Sent Access-Accept Id 7 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(16)   MS-MPPE-Recv-Key = 0xcd696be2e952af6bf5a7969e26ab5138e1b741ec2abeb7e6c9b21bc4ce1f9a83
(16)   MS-MPPE-Send-Key = 0x0bef77c93be1a066cfe13b3a2dbf247e35622734ff8ba74a6519a94a7163ce5a
(16)   EAP-Message = 0x03100004
(16)   Message-Authenticator = 0x00000000000000000000000000000000
(16)   User-Name = "vkratsberg"
(16) Finished request
Waking up in 4.6 seconds.
(17) Received Access-Request Id 8 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(17)   User-Name = "vkratsberg"
(17)   NAS-Port = 358
(17)   EAP-Message = 0x0211000f01766b7261747362657267
(17)   Message-Authenticator = 0x7ba9afce80fa83f49b043a0883817791
(17)   Acct-Session-Id = "8O2.1x81bb0d470005f5b4"
(17)   NAS-Port-Id = "ge-3/0/6.0"
(17)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(17)   Called-Station-Id = "ec-3e-f7-68-35-00"
(17)   NAS-IP-Address = 10.8.0.111
(17)   NAS-Identifier = "nyc-access-sw011"
(17)   NAS-Port-Type = Ethernet
(17) # Executing section authorize from file /etc/raddb/sites-enabled/default
(17)   authorize {
(17)     policy filter_username {
(17)       if (&User-Name) {
(17)       if (&User-Name)  -> TRUE
(17)       if (&User-Name)  {
(17)         if (&User-Name =~ / /) {
(17)         if (&User-Name =~ / /)  -> FALSE
(17)         if (&User-Name =~ /@[^@]*@/ ) {
(17)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(17)         if (&User-Name =~ /\.\./ ) {
(17)         if (&User-Name =~ /\.\./ )  -> FALSE
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(17)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(17)         if (&User-Name =~ /\.$/)  {
(17)         if (&User-Name =~ /\.$/)   -> FALSE
(17)         if (&User-Name =~ /@\./)  {
(17)         if (&User-Name =~ /@\./)   -> FALSE
(17)       } # if (&User-Name)  = notfound
(17)     } # policy filter_username = notfound
(17)     [preprocess] = ok
(17)     [chap] = noop
(17)     [mschap] = noop
(17)     [digest] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(17) suffix: No such realm "NULL"
(17)     [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 17 length 15
(17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(17)     [eap] = ok
(17)   } # authorize = ok
(17) Found Auth-Type = eap
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17)   authenticate {
(17) eap: Peer sent packet with method EAP Identity (1)
(17) eap: Calling submodule eap_peap to process data
(17) eap_peap: Initiating new EAP-TLS session
(17) eap_peap: [eaptls start] = request
(17) eap: Sending EAP Request (code 1) ID 18 length 6
(17) eap: EAP session adding &reply:State = 0x44ca6f3a44d876e4
(17)     [eap] = handled
(17)   } # authenticate = handled
(17) Using Post-Auth-Type Challenge
(17) Post-Auth-Type sub-section not found.  Ignoring.
(17) # Executing group from file /etc/raddb/sites-enabled/default
(17) Sent Access-Challenge Id 8 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(17)   EAP-Message = 0x011200061920
(17)   Message-Authenticator = 0x00000000000000000000000000000000
(17)   State = 0x44ca6f3a44d876e4ff37eb6528393cac
(17) Finished request
Waking up in 4.5 seconds.
(18) Received Access-Request Id 9 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(18)   User-Name = "vkratsberg"
(18)   NAS-Port = 358
(18)   State = 0x44ca6f3a44d876e4ff37eb6528393cac
(18)   EAP-Message = 0x021200a31980000000991603010094010000900301574f326c3a0fc57a882c0d766ce7b473324e057718e062d031b42d918067ecab2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(18)   Message-Authenticator = 0xf2d4c75a217e7f1bf48b52b46eb03ddd
(18)   Acct-Session-Id = "8O2.1x81bb0d470005f5b4"
(18)   NAS-Port-Id = "ge-3/0/6.0"
(18)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(18)   Called-Station-Id = "ec-3e-f7-68-35-00"
(18)   NAS-IP-Address = 10.8.0.111
(18)   NAS-Identifier = "nyc-access-sw011"
(18)   NAS-Port-Type = Ethernet
(18) session-state: No cached attributes
(18) # Executing section authorize from file /etc/raddb/sites-enabled/default
(18)   authorize {
(18)     policy filter_username {
(18)       if (&User-Name) {
(18)       if (&User-Name)  -> TRUE
(18)       if (&User-Name)  {
(18)         if (&User-Name =~ / /) {
(18)         if (&User-Name =~ / /)  -> FALSE
(18)         if (&User-Name =~ /@[^@]*@/ ) {
(18)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(18)         if (&User-Name =~ /\.\./ ) {
(18)         if (&User-Name =~ /\.\./ )  -> FALSE
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(18)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(18)         if (&User-Name =~ /\.$/)  {
(18)         if (&User-Name =~ /\.$/)   -> FALSE
(18)         if (&User-Name =~ /@\./)  {
(18)         if (&User-Name =~ /@\./)   -> FALSE
(18)       } # if (&User-Name)  = notfound
(18)     } # policy filter_username = notfound
(18)     [preprocess] = ok
(18)     [chap] = noop
(18)     [mschap] = noop
(18)     [digest] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(18) suffix: No such realm "NULL"
(18)     [suffix] = noop
(18) eap: Peer sent EAP Response (code 2) ID 18 length 163
(18) eap: Continuing tunnel setup
(18)     [eap] = ok
(18)   } # authorize = ok
(18) Found Auth-Type = eap
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18)   authenticate {
(18) eap: Expiring EAP session with state 0x44ca6f3a44d876e4
(18) eap: Finished EAP session with state 0x44ca6f3a44d876e4
(18) eap: Previous EAP request found for state 0x44ca6f3a44d876e4, released from the list
(18) eap: Peer sent packet with method EAP PEAP (25)
(18) eap: Calling submodule eap_peap to process data
(18) eap_peap: Continuing EAP-TLS
(18) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(18) eap_peap: Got complete TLS record (153 bytes)
(18) eap_peap: [eaptls verify] = length included
(18) eap_peap: (other): before/accept initialization
(18) eap_peap: TLS_accept: before/accept initialization
(18) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(18) eap_peap: TLS_accept: SSLv3 read client hello A
(18) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(18) eap_peap: TLS_accept: SSLv3 write server hello A
(18) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(18) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(18) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(18) eap_peap: TLS_accept: SSLv3 write finished A
(18) eap_peap: TLS_accept: SSLv3 flush data
(18) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(18) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(18) eap_peap: In SSL Handshake Phase
(18) eap_peap: In SSL Accept mode
(18) eap_peap: [eaptls process] = handled
(18) eap: Sending EAP Request (code 1) ID 19 length 159
(18) eap: EAP session adding &reply:State = 0x44ca6f3a45d976e4
(18)     [eap] = handled
(18)   } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found.  Ignoring.
(18) # Executing group from file /etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 9 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(18)   EAP-Message = 0x0113009f19001603010059020000550301574f326ce091ddb07d9de9af704b68253bee4fd1fda1fffa2d1d267cd5cac8502099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030a2f7eff79d463f93
(18)   Message-Authenticator = 0x00000000000000000000000000000000
(18)   State = 0x44ca6f3a45d976e4ff37eb6528393cac
(18) Finished request
Waking up in 4.5 seconds.
(19) Received Access-Request Id 10 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(19)   User-Name = "vkratsberg"
(19)   NAS-Port = 358
(19)   State = 0x44ca6f3a45d976e4ff37eb6528393cac
(19)   EAP-Message = 0x0213004519800000003b1403010001011603010030184f7b64d1c63e0eb50e3b20beb53201044718c24bf0cb689a1758d489b51d537332b5cc068858e3c36b2c6b127c9505
(19)   Message-Authenticator = 0x315f22fad7d7912a429d6ce8419c2746
(19)   Acct-Session-Id = "8O2.1x81bb0d470005f5b4"
(19)   NAS-Port-Id = "ge-3/0/6.0"
(19)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(19)   Called-Station-Id = "ec-3e-f7-68-35-00"
(19)   NAS-IP-Address = 10.8.0.111
(19)   NAS-Identifier = "nyc-access-sw011"
(19)   NAS-Port-Type = Ethernet
(19) session-state: No cached attributes
(19) # Executing section authorize from file /etc/raddb/sites-enabled/default
(19)   authorize {
(19)     policy filter_username {
(19)       if (&User-Name) {
(19)       if (&User-Name)  -> TRUE
(19)       if (&User-Name)  {
(19)         if (&User-Name =~ / /) {
(19)         if (&User-Name =~ / /)  -> FALSE
(19)         if (&User-Name =~ /@[^@]*@/ ) {
(19)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(19)         if (&User-Name =~ /\.\./ ) {
(19)         if (&User-Name =~ /\.\./ )  -> FALSE
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(19)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(19)         if (&User-Name =~ /\.$/)  {
(19)         if (&User-Name =~ /\.$/)   -> FALSE
(19)         if (&User-Name =~ /@\./)  {
(19)         if (&User-Name =~ /@\./)   -> FALSE
(19)       } # if (&User-Name)  = notfound
(19)     } # policy filter_username = notfound
(19)     [preprocess] = ok
(19)     [chap] = noop
(19)     [mschap] = noop
(19)     [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(19) suffix: No such realm "NULL"
(19)     [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 19 length 69
(19) eap: Continuing tunnel setup
(19)     [eap] = ok
(19)   } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19)   authenticate {
(19) eap: Expiring EAP session with state 0x44ca6f3a45d976e4
(19) eap: Finished EAP session with state 0x44ca6f3a45d976e4
(19) eap: Previous EAP request found for state 0x44ca6f3a45d976e4, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(19) eap_peap: Got complete TLS record (59 bytes)
(19) eap_peap: [eaptls verify] = length included
(19) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(19) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(19) eap_peap: TLS_accept: SSLv3 read finished A
(19) eap_peap: (other): SSL negotiation finished successfully
(19) eap_peap: SSL Connection Established
(19) eap_peap: SSL Application Data
(19) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(19) eap_peap:   reply:User-Name = "vkratsberg"
(19) eap_peap: [eaptls process] = success
(19) eap_peap: Session established.  Decoding tunneled attributes
(19) eap_peap: PEAP state TUNNEL ESTABLISHED
(19) eap_peap: Skipping Phase2 because of session resumption
(19) eap_peap: SUCCESS
(19) eap: Sending EAP Request (code 1) ID 20 length 43
(19) eap: EAP session adding &reply:State = 0x44ca6f3a46de76e4
(19)     [eap] = handled
(19)   } # authenticate = handled
(19) Using Post-Auth-Type Challenge
(19) Post-Auth-Type sub-section not found.  Ignoring.
(19) # Executing group from file /etc/raddb/sites-enabled/default
(19) Sent Access-Challenge Id 10 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(19)   User-Name = "vkratsberg"
(19)   EAP-Message = 0x0114002b190017030100201bca8add14ecbe8ed176b28cc0b8e9f4c6e413fd85df1d1737dea39fc8d0a093
(19)   Message-Authenticator = 0x00000000000000000000000000000000
(19)   State = 0x44ca6f3a46de76e4ff37eb6528393cac
(19) Finished request
Waking up in 4.5 seconds.
(20) Received Access-Request Id 11 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(20)   User-Name = "vkratsberg"
(20)   NAS-Port = 358
(20)   State = 0x44ca6f3a46de76e4ff37eb6528393cac
(20)   EAP-Message = 0x0214002b19001703010020e214918046e10d5671bb71256abb3fbaee6760fbf6d866c08d16422a2bb1e01e
(20)   Message-Authenticator = 0xeced8bdf37099cec4a7cd8aa86a9e45b
(20)   Acct-Session-Id = "8O2.1x81bb0d470005f5b4"
(20)   NAS-Port-Id = "ge-3/0/6.0"
(20)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(20)   Called-Station-Id = "ec-3e-f7-68-35-00"
(20)   NAS-IP-Address = 10.8.0.111
(20)   NAS-Identifier = "nyc-access-sw011"
(20)   NAS-Port-Type = Ethernet
(20) session-state: No cached attributes
(20) # Executing section authorize from file /etc/raddb/sites-enabled/default
(20)   authorize {
(20)     policy filter_username {
(20)       if (&User-Name) {
(20)       if (&User-Name)  -> TRUE
(20)       if (&User-Name)  {
(20)         if (&User-Name =~ / /) {
(20)         if (&User-Name =~ / /)  -> FALSE
(20)         if (&User-Name =~ /@[^@]*@/ ) {
(20)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(20)         if (&User-Name =~ /\.\./ ) {
(20)         if (&User-Name =~ /\.\./ )  -> FALSE
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(20)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(20)         if (&User-Name =~ /\.$/)  {
(20)         if (&User-Name =~ /\.$/)   -> FALSE
(20)         if (&User-Name =~ /@\./)  {
(20)         if (&User-Name =~ /@\./)   -> FALSE
(20)       } # if (&User-Name)  = notfound
(20)     } # policy filter_username = notfound
(20)     [preprocess] = ok
(20)     [chap] = noop
(20)     [mschap] = noop
(20)     [digest] = noop
(20) suffix: Checking for suffix after "@"
(20) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(20) suffix: No such realm "NULL"
(20)     [suffix] = noop
(20) eap: Peer sent EAP Response (code 2) ID 20 length 43
(20) eap: Continuing tunnel setup
(20)     [eap] = ok
(20)   } # authorize = ok
(20) Found Auth-Type = eap
(20) # Executing group from file /etc/raddb/sites-enabled/default
(20)   authenticate {
(20) eap: Expiring EAP session with state 0x44ca6f3a46de76e4
(20) eap: Finished EAP session with state 0x44ca6f3a46de76e4
(20) eap: Previous EAP request found for state 0x44ca6f3a46de76e4, released from the list
(20) eap: Peer sent packet with method EAP PEAP (25)
(20) eap: Calling submodule eap_peap to process data
(20) eap_peap: Continuing EAP-TLS
(20) eap_peap: [eaptls verify] = ok
(20) eap_peap: Done initial handshake
(20) eap_peap: [eaptls process] = ok
(20) eap_peap: Session established.  Decoding tunneled attributes
(20) eap_peap: PEAP state send tlv success
(20) eap_peap: Received EAP-TLV response
(20) eap_peap: Success
(20) eap_peap: No saved attributes in the original Access-Accept
(20) eap: Sending EAP Success (code 3) ID 20 length 4
(20) eap: Freeing handler
(20)     [eap] = ok
(20)   } # authenticate = ok
(20) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(20)   post-auth {
(20)     update {
(20)       No attributes updated
(20)     } # update = noop
(20)     [exec] = noop
(20)     policy remove_reply_message_if_eap {
(20)       if (&reply:EAP-Message && &reply:Reply-Message) {
(20)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(20)       else {
(20)         [noop] = noop
(20)       } # else = noop
(20)     } # policy remove_reply_message_if_eap = noop
(20)   } # post-auth = noop
(20) Sent Access-Accept Id 11 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(20)   MS-MPPE-Recv-Key = 0x0fef644301abcfd1f5d25e302ba472c53538853ed6d23bc8ae73ff5f348abcf0
(20)   MS-MPPE-Send-Key = 0xa1e7ea71dda36df797dfb804fb3636d248b09bf2c8b77bfbc9498c2b69997ffd
(20)   EAP-Message = 0x03140004
(20)   Message-Authenticator = 0x00000000000000000000000000000000
(20)   User-Name = "vkratsberg"
(20) Finished request
Waking up in 4.5 seconds.
(21) Received Access-Request Id 12 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(21)   User-Name = "vkratsberg"
(21)   NAS-Port = 358
(21)   EAP-Message = 0x0215000f01766b7261747362657267
(21)   Message-Authenticator = 0x0e186cd18887d3cdccba628ba59377ba
(21)   Acct-Session-Id = "8O2.1x81bb0d4800078a7b"
(21)   NAS-Port-Id = "ge-3/0/6.0"
(21)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(21)   Called-Station-Id = "ec-3e-f7-68-35-00"
(21)   NAS-IP-Address = 10.8.0.111
(21)   NAS-Identifier = "nyc-access-sw011"
(21)   NAS-Port-Type = Ethernet
(21) # Executing section authorize from file /etc/raddb/sites-enabled/default
(21)   authorize {
(21)     policy filter_username {
(21)       if (&User-Name) {
(21)       if (&User-Name)  -> TRUE
(21)       if (&User-Name)  {
(21)         if (&User-Name =~ / /) {
(21)         if (&User-Name =~ / /)  -> FALSE
(21)         if (&User-Name =~ /@[^@]*@/ ) {
(21)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(21)         if (&User-Name =~ /\.\./ ) {
(21)         if (&User-Name =~ /\.\./ )  -> FALSE
(21)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(21)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(21)         if (&User-Name =~ /\.$/)  {
(21)         if (&User-Name =~ /\.$/)   -> FALSE
(21)         if (&User-Name =~ /@\./)  {
(21)         if (&User-Name =~ /@\./)   -> FALSE
(21)       } # if (&User-Name)  = notfound
(21)     } # policy filter_username = notfound
(21)     [preprocess] = ok
(21)     [chap] = noop
(21)     [mschap] = noop
(21)     [digest] = noop
(21) suffix: Checking for suffix after "@"
(21) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(21) suffix: No such realm "NULL"
(21)     [suffix] = noop
(21) eap: Peer sent EAP Response (code 2) ID 21 length 15
(21) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(21)     [eap] = ok
(21)   } # authorize = ok
(21) Found Auth-Type = eap
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21)   authenticate {
(21) eap: Peer sent packet with method EAP Identity (1)
(21) eap: Calling submodule eap_peap to process data
(21) eap_peap: Initiating new EAP-TLS session
(21) eap_peap: [eaptls start] = request
(21) eap: Sending EAP Request (code 1) ID 22 length 6
(21) eap: EAP session adding &reply:State = 0xf0e6d560f0f0cc2a
(21)     [eap] = handled
(21)   } # authenticate = handled
(21) Using Post-Auth-Type Challenge
(21) Post-Auth-Type sub-section not found.  Ignoring.
(21) # Executing group from file /etc/raddb/sites-enabled/default
(21) Sent Access-Challenge Id 12 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(21)   EAP-Message = 0x011600061920
(21)   Message-Authenticator = 0x00000000000000000000000000000000
(21)   State = 0xf0e6d560f0f0cc2aab89e5d26fcde553
(21) Finished request
Waking up in 4.4 seconds.
(22) Received Access-Request Id 13 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(22)   User-Name = "vkratsberg"
(22)   NAS-Port = 358
(22)   State = 0xf0e6d560f0f0cc2aab89e5d26fcde553
(22)   EAP-Message = 0x021600a31980000000991603010094010000900301574f326c23a31c7fa0c3b8889c71fc0d559408959ad0c953ae51e33cc81fcc472099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(22)   Message-Authenticator = 0x96f0865eda84745bf69712f26e0972bb
(22)   Acct-Session-Id = "8O2.1x81bb0d4800078a7b"
(22)   NAS-Port-Id = "ge-3/0/6.0"
(22)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(22)   Called-Station-Id = "ec-3e-f7-68-35-00"
(22)   NAS-IP-Address = 10.8.0.111
(22)   NAS-Identifier = "nyc-access-sw011"
(22)   NAS-Port-Type = Ethernet
(22) session-state: No cached attributes
(22) # Executing section authorize from file /etc/raddb/sites-enabled/default
(22)   authorize {
(22)     policy filter_username {
(22)       if (&User-Name) {
(22)       if (&User-Name)  -> TRUE
(22)       if (&User-Name)  {
(22)         if (&User-Name =~ / /) {
(22)         if (&User-Name =~ / /)  -> FALSE
(22)         if (&User-Name =~ /@[^@]*@/ ) {
(22)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(22)         if (&User-Name =~ /\.\./ ) {
(22)         if (&User-Name =~ /\.\./ )  -> FALSE
(22)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(22)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(22)         if (&User-Name =~ /\.$/)  {
(22)         if (&User-Name =~ /\.$/)   -> FALSE
(22)         if (&User-Name =~ /@\./)  {
(22)         if (&User-Name =~ /@\./)   -> FALSE
(22)       } # if (&User-Name)  = notfound
(22)     } # policy filter_username = notfound
(22)     [preprocess] = ok
(22)     [chap] = noop
(22)     [mschap] = noop
(22)     [digest] = noop
(22) suffix: Checking for suffix after "@"
(22) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(22) suffix: No such realm "NULL"
(22)     [suffix] = noop
(22) eap: Peer sent EAP Response (code 2) ID 22 length 163
(22) eap: Continuing tunnel setup
(22)     [eap] = ok
(22)   } # authorize = ok
(22) Found Auth-Type = eap
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22)   authenticate {
(22) eap: Expiring EAP session with state 0xf0e6d560f0f0cc2a
(22) eap: Finished EAP session with state 0xf0e6d560f0f0cc2a
(22) eap: Previous EAP request found for state 0xf0e6d560f0f0cc2a, released from the list
(22) eap: Peer sent packet with method EAP PEAP (25)
(22) eap: Calling submodule eap_peap to process data
(22) eap_peap: Continuing EAP-TLS
(22) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(22) eap_peap: Got complete TLS record (153 bytes)
(22) eap_peap: [eaptls verify] = length included
(22) eap_peap: (other): before/accept initialization
(22) eap_peap: TLS_accept: before/accept initialization
(22) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(22) eap_peap: TLS_accept: SSLv3 read client hello A
(22) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(22) eap_peap: TLS_accept: SSLv3 write server hello A
(22) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(22) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(22) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(22) eap_peap: TLS_accept: SSLv3 write finished A
(22) eap_peap: TLS_accept: SSLv3 flush data
(22) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(22) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(22) eap_peap: In SSL Handshake Phase
(22) eap_peap: In SSL Accept mode
(22) eap_peap: [eaptls process] = handled
(22) eap: Sending EAP Request (code 1) ID 23 length 159
(22) eap: EAP session adding &reply:State = 0xf0e6d560f1f1cc2a
(22)     [eap] = handled
(22)   } # authenticate = handled
(22) Using Post-Auth-Type Challenge
(22) Post-Auth-Type sub-section not found.  Ignoring.
(22) # Executing group from file /etc/raddb/sites-enabled/default
(22) Sent Access-Challenge Id 13 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(22)   EAP-Message = 0x0117009f19001603010059020000550301574f326cd8a52106c33e43945915f8827e666f09f099dfa2edec34269ddac0a32099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003003d8cb3570f0d397
(22)   Message-Authenticator = 0x00000000000000000000000000000000
(22)   State = 0xf0e6d560f1f1cc2aab89e5d26fcde553
(22) Finished request
Waking up in 4.4 seconds.
(23) Received Access-Request Id 14 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(23)   User-Name = "vkratsberg"
(23)   NAS-Port = 358
(23)   State = 0xf0e6d560f1f1cc2aab89e5d26fcde553
(23)   EAP-Message = 0x0217004519800000003b1403010001011603010030243211fe368d140c419f1c4247297510b1fa01f51522dfdf7071758ae998ea4d53a2c3eaa9978cb4083186280f4ac13e
(23)   Message-Authenticator = 0xc1a55ed96d331ff9472851af6e96e2ca
(23)   Acct-Session-Id = "8O2.1x81bb0d4800078a7b"
(23)   NAS-Port-Id = "ge-3/0/6.0"
(23)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(23)   Called-Station-Id = "ec-3e-f7-68-35-00"
(23)   NAS-IP-Address = 10.8.0.111
(23)   NAS-Identifier = "nyc-access-sw011"
(23)   NAS-Port-Type = Ethernet
(23) session-state: No cached attributes
(23) # Executing section authorize from file /etc/raddb/sites-enabled/default
(23)   authorize {
(23)     policy filter_username {
(23)       if (&User-Name) {
(23)       if (&User-Name)  -> TRUE
(23)       if (&User-Name)  {
(23)         if (&User-Name =~ / /) {
(23)         if (&User-Name =~ / /)  -> FALSE
(23)         if (&User-Name =~ /@[^@]*@/ ) {
(23)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(23)         if (&User-Name =~ /\.\./ ) {
(23)         if (&User-Name =~ /\.\./ )  -> FALSE
(23)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(23)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(23)         if (&User-Name =~ /\.$/)  {
(23)         if (&User-Name =~ /\.$/)   -> FALSE
(23)         if (&User-Name =~ /@\./)  {
(23)         if (&User-Name =~ /@\./)   -> FALSE
(23)       } # if (&User-Name)  = notfound
(23)     } # policy filter_username = notfound
(23)     [preprocess] = ok
(23)     [chap] = noop
(23)     [mschap] = noop
(23)     [digest] = noop
(23) suffix: Checking for suffix after "@"
(23) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(23) suffix: No such realm "NULL"
(23)     [suffix] = noop
(23) eap: Peer sent EAP Response (code 2) ID 23 length 69
(23) eap: Continuing tunnel setup
(23)     [eap] = ok
(23)   } # authorize = ok
(23) Found Auth-Type = eap
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23)   authenticate {
(23) eap: Expiring EAP session with state 0xf0e6d560f1f1cc2a
(23) eap: Finished EAP session with state 0xf0e6d560f1f1cc2a
(23) eap: Previous EAP request found for state 0xf0e6d560f1f1cc2a, released from the list
(23) eap: Peer sent packet with method EAP PEAP (25)
(23) eap: Calling submodule eap_peap to process data
(23) eap_peap: Continuing EAP-TLS
(23) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(23) eap_peap: Got complete TLS record (59 bytes)
(23) eap_peap: [eaptls verify] = length included
(23) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(23) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(23) eap_peap: TLS_accept: SSLv3 read finished A
(23) eap_peap: (other): SSL negotiation finished successfully
(23) eap_peap: SSL Connection Established
(23) eap_peap: SSL Application Data
(23) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(23) eap_peap:   reply:User-Name = "vkratsberg"
(23) eap_peap: [eaptls process] = success
(23) eap_peap: Session established.  Decoding tunneled attributes
(23) eap_peap: PEAP state TUNNEL ESTABLISHED
(23) eap_peap: Skipping Phase2 because of session resumption
(23) eap_peap: SUCCESS
(23) eap: Sending EAP Request (code 1) ID 24 length 43
(23) eap: EAP session adding &reply:State = 0xf0e6d560f2fecc2a
(23)     [eap] = handled
(23)   } # authenticate = handled
(23) Using Post-Auth-Type Challenge
(23) Post-Auth-Type sub-section not found.  Ignoring.
(23) # Executing group from file /etc/raddb/sites-enabled/default
(23) Sent Access-Challenge Id 14 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(23)   User-Name = "vkratsberg"
(23)   EAP-Message = 0x0118002b19001703010020837c09c73efe941cd36e97c0a8a8e8ca8a56fe274a4397030b70ceab33622718
(23)   Message-Authenticator = 0x00000000000000000000000000000000
(23)   State = 0xf0e6d560f2fecc2aab89e5d26fcde553
(23) Finished request
Waking up in 4.4 seconds.
(24) Received Access-Request Id 15 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(24)   User-Name = "vkratsberg"
(24)   NAS-Port = 358
(24)   State = 0xf0e6d560f2fecc2aab89e5d26fcde553
(24)   EAP-Message = 0x0218002b190017030100200c38a3612331e3250a2f86958b80162d4344ef2a5e53501dc1eecae5c4c865f9
(24)   Message-Authenticator = 0x57c231efe11834bf4264622dfa814040
(24)   Acct-Session-Id = "8O2.1x81bb0d4800078a7b"
(24)   NAS-Port-Id = "ge-3/0/6.0"
(24)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(24)   Called-Station-Id = "ec-3e-f7-68-35-00"
(24)   NAS-IP-Address = 10.8.0.111
(24)   NAS-Identifier = "nyc-access-sw011"
(24)   NAS-Port-Type = Ethernet
(24) session-state: No cached attributes
(24) # Executing section authorize from file /etc/raddb/sites-enabled/default
(24)   authorize {
(24)     policy filter_username {
(24)       if (&User-Name) {
(24)       if (&User-Name)  -> TRUE
(24)       if (&User-Name)  {
(24)         if (&User-Name =~ / /) {
(24)         if (&User-Name =~ / /)  -> FALSE
(24)         if (&User-Name =~ /@[^@]*@/ ) {
(24)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(24)         if (&User-Name =~ /\.\./ ) {
(24)         if (&User-Name =~ /\.\./ )  -> FALSE
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(24)         if (&User-Name =~ /\.$/)  {
(24)         if (&User-Name =~ /\.$/)   -> FALSE
(24)         if (&User-Name =~ /@\./)  {
(24)         if (&User-Name =~ /@\./)   -> FALSE
(24)       } # if (&User-Name)  = notfound
(24)     } # policy filter_username = notfound
(24)     [preprocess] = ok
(24)     [chap] = noop
(24)     [mschap] = noop
(24)     [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(24) suffix: No such realm "NULL"
(24)     [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 24 length 43
(24) eap: Continuing tunnel setup
(24)     [eap] = ok
(24)   } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24)   authenticate {
(24) eap: Expiring EAP session with state 0xf0e6d560f2fecc2a
(24) eap: Finished EAP session with state 0xf0e6d560f2fecc2a
(24) eap: Previous EAP request found for state 0xf0e6d560f2fecc2a, released from the list
(24) eap: Peer sent packet with method EAP PEAP (25)
(24) eap: Calling submodule eap_peap to process data
(24) eap_peap: Continuing EAP-TLS
(24) eap_peap: [eaptls verify] = ok
(24) eap_peap: Done initial handshake
(24) eap_peap: [eaptls process] = ok
(24) eap_peap: Session established.  Decoding tunneled attributes
(24) eap_peap: PEAP state send tlv success
(24) eap_peap: Received EAP-TLV response
(24) eap_peap: Success
(24) eap_peap: No saved attributes in the original Access-Accept
(24) eap: Sending EAP Success (code 3) ID 24 length 4
(24) eap: Freeing handler
(24)     [eap] = ok
(24)   } # authenticate = ok
(24) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(24)   post-auth {
(24)     update {
(24)       No attributes updated
(24)     } # update = noop
(24)     [exec] = noop
(24)     policy remove_reply_message_if_eap {
(24)       if (&reply:EAP-Message && &reply:Reply-Message) {
(24)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(24)       else {
(24)         [noop] = noop
(24)       } # else = noop
(24)     } # policy remove_reply_message_if_eap = noop
(24)   } # post-auth = noop
(24) Sent Access-Accept Id 15 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(24)   MS-MPPE-Recv-Key = 0xb524f3a5887dfd9882390fd9d17a26b3975a335e86451a5f3318598be804b97a
(24)   MS-MPPE-Send-Key = 0x2b49f04d9622ae5c8985f6aee66e497d276d90b52119c52f7c426b87cad5e8cf
(24)   EAP-Message = 0x03180004
(24)   Message-Authenticator = 0x00000000000000000000000000000000
(24)   User-Name = "vkratsberg"
(24) Finished request
Waking up in 4.4 seconds.
(25) Received Access-Request Id 16 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(25)   User-Name = "vkratsberg"
(25)   NAS-Port = 358
(25)   EAP-Message = 0x0219000f01766b7261747362657267
(25)   Message-Authenticator = 0x9a5b4d6a48d4aa930319d5250983ba50
(25)   Acct-Session-Id = "8O2.1x81bb0d49000928ce"
(25)   NAS-Port-Id = "ge-3/0/6.0"
(25)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(25)   Called-Station-Id = "ec-3e-f7-68-35-00"
(25)   NAS-IP-Address = 10.8.0.111
(25)   NAS-Identifier = "nyc-access-sw011"
(25)   NAS-Port-Type = Ethernet
(25) # Executing section authorize from file /etc/raddb/sites-enabled/default
(25)   authorize {
(25)     policy filter_username {
(25)       if (&User-Name) {
(25)       if (&User-Name)  -> TRUE
(25)       if (&User-Name)  {
(25)         if (&User-Name =~ / /) {
(25)         if (&User-Name =~ / /)  -> FALSE
(25)         if (&User-Name =~ /@[^@]*@/ ) {
(25)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(25)         if (&User-Name =~ /\.\./ ) {
(25)         if (&User-Name =~ /\.\./ )  -> FALSE
(25)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(25)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(25)         if (&User-Name =~ /\.$/)  {
(25)         if (&User-Name =~ /\.$/)   -> FALSE
(25)         if (&User-Name =~ /@\./)  {
(25)         if (&User-Name =~ /@\./)   -> FALSE
(25)       } # if (&User-Name)  = notfound
(25)     } # policy filter_username = notfound
(25)     [preprocess] = ok
(25)     [chap] = noop
(25)     [mschap] = noop
(25)     [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(25) suffix: No such realm "NULL"
(25)     [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 25 length 15
(25) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(25)     [eap] = ok
(25)   } # authorize = ok
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25)   authenticate {
(25) eap: Peer sent packet with method EAP Identity (1)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Initiating new EAP-TLS session
(25) eap_peap: [eaptls start] = request
(25) eap: Sending EAP Request (code 1) ID 26 length 6
(25) eap: EAP session adding &reply:State = 0x110c79271116602f
(25)     [eap] = handled
(25)   } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) Post-Auth-Type sub-section not found.  Ignoring.
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25) Sent Access-Challenge Id 16 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(25)   EAP-Message = 0x011a00061920
(25)   Message-Authenticator = 0x00000000000000000000000000000000
(25)   State = 0x110c79271116602ff7adbfea110bff9a
(25) Finished request
Waking up in 4.3 seconds.
(26) Received Access-Request Id 17 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(26)   User-Name = "vkratsberg"
(26)   NAS-Port = 358
(26)   State = 0x110c79271116602ff7adbfea110bff9a
(26)   EAP-Message = 0x021a00a31980000000991603010094010000900301574f326ca714e609b45a642cdda0285df1e458b2b1304a195d83c13b6a0b4ec82099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(26)   Message-Authenticator = 0xc0f45e01a6b25657839320191922ce9c
(26)   Acct-Session-Id = "8O2.1x81bb0d49000928ce"
(26)   NAS-Port-Id = "ge-3/0/6.0"
(26)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(26)   Called-Station-Id = "ec-3e-f7-68-35-00"
(26)   NAS-IP-Address = 10.8.0.111
(26)   NAS-Identifier = "nyc-access-sw011"
(26)   NAS-Port-Type = Ethernet
(26) session-state: No cached attributes
(26) # Executing section authorize from file /etc/raddb/sites-enabled/default
(26)   authorize {
(26)     policy filter_username {
(26)       if (&User-Name) {
(26)       if (&User-Name)  -> TRUE
(26)       if (&User-Name)  {
(26)         if (&User-Name =~ / /) {
(26)         if (&User-Name =~ / /)  -> FALSE
(26)         if (&User-Name =~ /@[^@]*@/ ) {
(26)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(26)         if (&User-Name =~ /\.\./ ) {
(26)         if (&User-Name =~ /\.\./ )  -> FALSE
(26)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(26)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(26)         if (&User-Name =~ /\.$/)  {
(26)         if (&User-Name =~ /\.$/)   -> FALSE
(26)         if (&User-Name =~ /@\./)  {
(26)         if (&User-Name =~ /@\./)   -> FALSE
(26)       } # if (&User-Name)  = notfound
(26)     } # policy filter_username = notfound
(26)     [preprocess] = ok
(26)     [chap] = noop
(26)     [mschap] = noop
(26)     [digest] = noop
(26) suffix: Checking for suffix after "@"
(26) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(26) suffix: No such realm "NULL"
(26)     [suffix] = noop
(26) eap: Peer sent EAP Response (code 2) ID 26 length 163
(26) eap: Continuing tunnel setup
(26)     [eap] = ok
(26)   } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26)   authenticate {
(26) eap: Expiring EAP session with state 0x110c79271116602f
(26) eap: Finished EAP session with state 0x110c79271116602f
(26) eap: Previous EAP request found for state 0x110c79271116602f, released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(26) eap_peap: Got complete TLS record (153 bytes)
(26) eap_peap: [eaptls verify] = length included
(26) eap_peap: (other): before/accept initialization
(26) eap_peap: TLS_accept: before/accept initialization
(26) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(26) eap_peap: TLS_accept: SSLv3 read client hello A
(26) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(26) eap_peap: TLS_accept: SSLv3 write server hello A
(26) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(26) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(26) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(26) eap_peap: TLS_accept: SSLv3 write finished A
(26) eap_peap: TLS_accept: SSLv3 flush data
(26) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(26) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(26) eap_peap: In SSL Handshake Phase
(26) eap_peap: In SSL Accept mode
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 27 length 159
(26) eap: EAP session adding &reply:State = 0x110c79271017602f
(26)     [eap] = handled
(26)   } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) Post-Auth-Type sub-section not found.  Ignoring.
(26) # Executing group from file /etc/raddb/sites-enabled/default
(26) Sent Access-Challenge Id 17 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(26)   EAP-Message = 0x011b009f19001603010059020000550301574f326c8e75f12e505168fb938361d9141c3fd76c763496dec34ec3d9ca8fc22099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030f597c73cc4c1d6ff
(26)   Message-Authenticator = 0x00000000000000000000000000000000
(26)   State = 0x110c79271017602ff7adbfea110bff9a
(26) Finished request
Waking up in 4.3 seconds.
(27) Received Access-Request Id 18 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(27)   User-Name = "vkratsberg"
(27)   NAS-Port = 358
(27)   State = 0x110c79271017602ff7adbfea110bff9a
(27)   EAP-Message = 0x021b004519800000003b1403010001011603010030618446dc99b641aa96929373b2fa66a2658c660ebc7a336a4e4581cf7c3037b4a9d98bdf7cf1daab3767556d771c7758
(27)   Message-Authenticator = 0xa8e2f9026cd9ee34312224279ccc6689
(27)   Acct-Session-Id = "8O2.1x81bb0d49000928ce"
(27)   NAS-Port-Id = "ge-3/0/6.0"
(27)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(27)   Called-Station-Id = "ec-3e-f7-68-35-00"
(27)   NAS-IP-Address = 10.8.0.111
(27)   NAS-Identifier = "nyc-access-sw011"
(27)   NAS-Port-Type = Ethernet
(27) session-state: No cached attributes
(27) # Executing section authorize from file /etc/raddb/sites-enabled/default
(27)   authorize {
(27)     policy filter_username {
(27)       if (&User-Name) {
(27)       if (&User-Name)  -> TRUE
(27)       if (&User-Name)  {
(27)         if (&User-Name =~ / /) {
(27)         if (&User-Name =~ / /)  -> FALSE
(27)         if (&User-Name =~ /@[^@]*@/ ) {
(27)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(27)         if (&User-Name =~ /\.\./ ) {
(27)         if (&User-Name =~ /\.\./ )  -> FALSE
(27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(27)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(27)         if (&User-Name =~ /\.$/)  {
(27)         if (&User-Name =~ /\.$/)   -> FALSE
(27)         if (&User-Name =~ /@\./)  {
(27)         if (&User-Name =~ /@\./)   -> FALSE
(27)       } # if (&User-Name)  = notfound
(27)     } # policy filter_username = notfound
(27)     [preprocess] = ok
(27)     [chap] = noop
(27)     [mschap] = noop
(27)     [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(27) suffix: No such realm "NULL"
(27)     [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 27 length 69
(27) eap: Continuing tunnel setup
(27)     [eap] = ok
(27)   } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27)   authenticate {
(27) eap: Expiring EAP session with state 0x110c79271017602f
(27) eap: Finished EAP session with state 0x110c79271017602f
(27) eap: Previous EAP request found for state 0x110c79271017602f, released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(27) eap_peap: Got complete TLS record (59 bytes)
(27) eap_peap: [eaptls verify] = length included
(27) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(27) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(27) eap_peap: TLS_accept: SSLv3 read finished A
(27) eap_peap: (other): SSL negotiation finished successfully
(27) eap_peap: SSL Connection Established
(27) eap_peap: SSL Application Data
(27) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(27) eap_peap:   reply:User-Name = "vkratsberg"
(27) eap_peap: [eaptls process] = success
(27) eap_peap: Session established.  Decoding tunneled attributes
(27) eap_peap: PEAP state TUNNEL ESTABLISHED
(27) eap_peap: Skipping Phase2 because of session resumption
(27) eap_peap: SUCCESS
(27) eap: Sending EAP Request (code 1) ID 28 length 43
(27) eap: EAP session adding &reply:State = 0x110c79271310602f
(27)     [eap] = handled
(27)   } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) Post-Auth-Type sub-section not found.  Ignoring.
(27) # Executing group from file /etc/raddb/sites-enabled/default
(27) Sent Access-Challenge Id 18 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(27)   User-Name = "vkratsberg"
(27)   EAP-Message = 0x011c002b1900170301002058e79b37eedb1665968e76e967e0f13315c6e1a420f0a2aeabf9ec7e19c57ad9
(27)   Message-Authenticator = 0x00000000000000000000000000000000
(27)   State = 0x110c79271310602ff7adbfea110bff9a
(27) Finished request
Waking up in 4.3 seconds.
(28) Received Access-Request Id 19 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(28)   User-Name = "vkratsberg"
(28)   NAS-Port = 358
(28)   State = 0x110c79271310602ff7adbfea110bff9a
(28)   EAP-Message = 0x021c002b19001703010020bb379d67f269c5cc50afd816b36604d9322c41e706fd2d6b47766946042e9a11
(28)   Message-Authenticator = 0x9f32e1d54db007cdee32171678d08e1e
(28)   Acct-Session-Id = "8O2.1x81bb0d49000928ce"
(28)   NAS-Port-Id = "ge-3/0/6.0"
(28)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(28)   Called-Station-Id = "ec-3e-f7-68-35-00"
(28)   NAS-IP-Address = 10.8.0.111
(28)   NAS-Identifier = "nyc-access-sw011"
(28)   NAS-Port-Type = Ethernet
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/raddb/sites-enabled/default
(28)   authorize {
(28)     policy filter_username {
(28)       if (&User-Name) {
(28)       if (&User-Name)  -> TRUE
(28)       if (&User-Name)  {
(28)         if (&User-Name =~ / /) {
(28)         if (&User-Name =~ / /)  -> FALSE
(28)         if (&User-Name =~ /@[^@]*@/ ) {
(28)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(28)         if (&User-Name =~ /\.\./ ) {
(28)         if (&User-Name =~ /\.\./ )  -> FALSE
(28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(28)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(28)         if (&User-Name =~ /\.$/)  {
(28)         if (&User-Name =~ /\.$/)   -> FALSE
(28)         if (&User-Name =~ /@\./)  {
(28)         if (&User-Name =~ /@\./)   -> FALSE
(28)       } # if (&User-Name)  = notfound
(28)     } # policy filter_username = notfound
(28)     [preprocess] = ok
(28)     [chap] = noop
(28)     [mschap] = noop
(28)     [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(28) suffix: No such realm "NULL"
(28)     [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 28 length 43
(28) eap: Continuing tunnel setup
(28)     [eap] = ok
(28)   } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/raddb/sites-enabled/default
(28)   authenticate {
(28) eap: Expiring EAP session with state 0x110c79271310602f
(28) eap: Finished EAP session with state 0x110c79271310602f
(28) eap: Previous EAP request found for state 0x110c79271310602f, released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: [eaptls verify] = ok
(28) eap_peap: Done initial handshake
(28) eap_peap: [eaptls process] = ok
(28) eap_peap: Session established.  Decoding tunneled attributes
(28) eap_peap: PEAP state send tlv success
(28) eap_peap: Received EAP-TLV response
(28) eap_peap: Success
(28) eap_peap: No saved attributes in the original Access-Accept
(28) eap: Sending EAP Success (code 3) ID 28 length 4
(28) eap: Freeing handler
(28)     [eap] = ok
(28)   } # authenticate = ok
(28) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(28)   post-auth {
(28)     update {
(28)       No attributes updated
(28)     } # update = noop
(28)     [exec] = noop
(28)     policy remove_reply_message_if_eap {
(28)       if (&reply:EAP-Message && &reply:Reply-Message) {
(28)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(28)       else {
(28)         [noop] = noop
(28)       } # else = noop
(28)     } # policy remove_reply_message_if_eap = noop
(28)   } # post-auth = noop
(28) Sent Access-Accept Id 19 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(28)   MS-MPPE-Recv-Key = 0x3621273efbdd3aed9912b0bc07adfca7c5fd80c0ee515e2c9f6852f05084c4b4
(28)   MS-MPPE-Send-Key = 0x44d681bc2ee43475fc8b476541c24187c617074acadf12f1b58fb19f4630b68f
(28)   EAP-Message = 0x031c0004
(28)   Message-Authenticator = 0x00000000000000000000000000000000
(28)   User-Name = "vkratsberg"
(28) Finished request
Waking up in 4.3 seconds.
(29) Received Access-Request Id 20 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(29)   User-Name = "vkratsberg"
(29)   NAS-Port = 358
(29)   EAP-Message = 0x021d000f01766b7261747362657267
(29)   Message-Authenticator = 0x0bf718a22310a58701b6d72a0765de3a
(29)   Acct-Session-Id = "8O2.1x81bb0d4a000ac6a9"
(29)   NAS-Port-Id = "ge-3/0/6.0"
(29)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(29)   Called-Station-Id = "ec-3e-f7-68-35-00"
(29)   NAS-IP-Address = 10.8.0.111
(29)   NAS-Identifier = "nyc-access-sw011"
(29)   NAS-Port-Type = Ethernet
(29) # Executing section authorize from file /etc/raddb/sites-enabled/default
(29)   authorize {
(29)     policy filter_username {
(29)       if (&User-Name) {
(29)       if (&User-Name)  -> TRUE
(29)       if (&User-Name)  {
(29)         if (&User-Name =~ / /) {
(29)         if (&User-Name =~ / /)  -> FALSE
(29)         if (&User-Name =~ /@[^@]*@/ ) {
(29)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(29)         if (&User-Name =~ /\.\./ ) {
(29)         if (&User-Name =~ /\.\./ )  -> FALSE
(29)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(29)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(29)         if (&User-Name =~ /\.$/)  {
(29)         if (&User-Name =~ /\.$/)   -> FALSE
(29)         if (&User-Name =~ /@\./)  {
(29)         if (&User-Name =~ /@\./)   -> FALSE
(29)       } # if (&User-Name)  = notfound
(29)     } # policy filter_username = notfound
(29)     [preprocess] = ok
(29)     [chap] = noop
(29)     [mschap] = noop
(29)     [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(29) suffix: No such realm "NULL"
(29)     [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 29 length 15
(29) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(29)     [eap] = ok
(29)   } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29)   authenticate {
(29) eap: Peer sent packet with method EAP Identity (1)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Initiating new EAP-TLS session
(29) eap_peap: [eaptls start] = request
(29) eap: Sending EAP Request (code 1) ID 30 length 6
(29) eap: EAP session adding &reply:State = 0xd2885a52d2964376
(29)     [eap] = handled
(29)   } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) Post-Auth-Type sub-section not found.  Ignoring.
(29) # Executing group from file /etc/raddb/sites-enabled/default
(29) Sent Access-Challenge Id 20 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(29)   EAP-Message = 0x011e00061920
(29)   Message-Authenticator = 0x00000000000000000000000000000000
(29)   State = 0xd2885a52d2964376545752d93dc397a8
(29) Finished request
Waking up in 4.2 seconds.
(30) Received Access-Request Id 21 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(30)   User-Name = "vkratsberg"
(30)   NAS-Port = 358
(30)   State = 0xd2885a52d2964376545752d93dc397a8
(30)   EAP-Message = 0x021e00a31980000000991603010094010000900301574f326cd4ca59c5429f1dc1c5de1bd7e1d9c368d9b887b5e2290513111db3a12099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(30)   Message-Authenticator = 0xf3ed116a7066a8395bc9e2d2cc7507bd
(30)   Acct-Session-Id = "8O2.1x81bb0d4a000ac6a9"
(30)   NAS-Port-Id = "ge-3/0/6.0"
(30)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(30)   Called-Station-Id = "ec-3e-f7-68-35-00"
(30)   NAS-IP-Address = 10.8.0.111
(30)   NAS-Identifier = "nyc-access-sw011"
(30)   NAS-Port-Type = Ethernet
(30) session-state: No cached attributes
(30) # Executing section authorize from file /etc/raddb/sites-enabled/default
(30)   authorize {
(30)     policy filter_username {
(30)       if (&User-Name) {
(30)       if (&User-Name)  -> TRUE
(30)       if (&User-Name)  {
(30)         if (&User-Name =~ / /) {
(30)         if (&User-Name =~ / /)  -> FALSE
(30)         if (&User-Name =~ /@[^@]*@/ ) {
(30)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(30)         if (&User-Name =~ /\.\./ ) {
(30)         if (&User-Name =~ /\.\./ )  -> FALSE
(30)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(30)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(30)         if (&User-Name =~ /\.$/)  {
(30)         if (&User-Name =~ /\.$/)   -> FALSE
(30)         if (&User-Name =~ /@\./)  {
(30)         if (&User-Name =~ /@\./)   -> FALSE
(30)       } # if (&User-Name)  = notfound
(30)     } # policy filter_username = notfound
(30)     [preprocess] = ok
(30)     [chap] = noop
(30)     [mschap] = noop
(30)     [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(30) suffix: No such realm "NULL"
(30)     [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 30 length 163
(30) eap: Continuing tunnel setup
(30)     [eap] = ok
(30)   } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/raddb/sites-enabled/default
(30)   authenticate {
(30) eap: Expiring EAP session with state 0xd2885a52d2964376
(30) eap: Finished EAP session with state 0xd2885a52d2964376
(30) eap: Previous EAP request found for state 0xd2885a52d2964376, released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(30) eap_peap: Got complete TLS record (153 bytes)
(30) eap_peap: [eaptls verify] = length included
(30) eap_peap: (other): before/accept initialization
(30) eap_peap: TLS_accept: before/accept initialization
(30) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(30) eap_peap: TLS_accept: SSLv3 read client hello A
(30) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(30) eap_peap: TLS_accept: SSLv3 write server hello A
(30) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(30) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(30) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(30) eap_peap: TLS_accept: SSLv3 write finished A
(30) eap_peap: TLS_accept: SSLv3 flush data
(30) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(30) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(30) eap_peap: In SSL Handshake Phase
(30) eap_peap: In SSL Accept mode
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 31 length 159
(30) eap: EAP session adding &reply:State = 0xd2885a52d3974376
(30)     [eap] = handled
(30)   } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) Post-Auth-Type sub-section not found.  Ignoring.
(30) # Executing group from file /etc/raddb/sites-enabled/default
(30) Sent Access-Challenge Id 21 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(30)   EAP-Message = 0x011f009f19001603010059020000550301574f326cda3867bcd795f50a86b04be846291829096d281f5f2ef4b709ce5f7d2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030dfd361cbc37a1f90
(30)   Message-Authenticator = 0x00000000000000000000000000000000
(30)   State = 0xd2885a52d3974376545752d93dc397a8
(30) Finished request
Waking up in 4.2 seconds.
(31) Received Access-Request Id 22 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(31)   User-Name = "vkratsberg"
(31)   NAS-Port = 358
(31)   State = 0xd2885a52d3974376545752d93dc397a8
(31)   EAP-Message = 0x021f004519800000003b1403010001011603010030b972837fc92c5754aa92d4f9c3a9d183fe149e704182dd6d574d222dc752b3bc94e9e66b28be9fc3e4bc1e1dacd7f266
(31)   Message-Authenticator = 0x3b07473a2361b0abe0a91d2016b0c6eb
(31)   Acct-Session-Id = "8O2.1x81bb0d4a000ac6a9"
(31)   NAS-Port-Id = "ge-3/0/6.0"
(31)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(31)   Called-Station-Id = "ec-3e-f7-68-35-00"
(31)   NAS-IP-Address = 10.8.0.111
(31)   NAS-Identifier = "nyc-access-sw011"
(31)   NAS-Port-Type = Ethernet
(31) session-state: No cached attributes
(31) # Executing section authorize from file /etc/raddb/sites-enabled/default
(31)   authorize {
(31)     policy filter_username {
(31)       if (&User-Name) {
(31)       if (&User-Name)  -> TRUE
(31)       if (&User-Name)  {
(31)         if (&User-Name =~ / /) {
(31)         if (&User-Name =~ / /)  -> FALSE
(31)         if (&User-Name =~ /@[^@]*@/ ) {
(31)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(31)         if (&User-Name =~ /\.\./ ) {
(31)         if (&User-Name =~ /\.\./ )  -> FALSE
(31)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(31)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(31)         if (&User-Name =~ /\.$/)  {
(31)         if (&User-Name =~ /\.$/)   -> FALSE
(31)         if (&User-Name =~ /@\./)  {
(31)         if (&User-Name =~ /@\./)   -> FALSE
(31)       } # if (&User-Name)  = notfound
(31)     } # policy filter_username = notfound
(31)     [preprocess] = ok
(31)     [chap] = noop
(31)     [mschap] = noop
(31)     [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(31) suffix: No such realm "NULL"
(31)     [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 31 length 69
(31) eap: Continuing tunnel setup
(31)     [eap] = ok
(31)   } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/raddb/sites-enabled/default
(31)   authenticate {
(31) eap: Expiring EAP session with state 0xd2885a52d3974376
(31) eap: Finished EAP session with state 0xd2885a52d3974376
(31) eap: Previous EAP request found for state 0xd2885a52d3974376, released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(31) eap_peap: Got complete TLS record (59 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(31) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(31) eap_peap: TLS_accept: SSLv3 read finished A
(31) eap_peap: (other): SSL negotiation finished successfully
(31) eap_peap: SSL Connection Established
(31) eap_peap: SSL Application Data
(31) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(31) eap_peap:   reply:User-Name = "vkratsberg"
(31) eap_peap: [eaptls process] = success
(31) eap_peap: Session established.  Decoding tunneled attributes
(31) eap_peap: PEAP state TUNNEL ESTABLISHED
(31) eap_peap: Skipping Phase2 because of session resumption
(31) eap_peap: SUCCESS
(31) eap: Sending EAP Request (code 1) ID 32 length 43
(31) eap: EAP session adding &reply:State = 0xd2885a52d0a84376
(31)     [eap] = handled
(31)   } # authenticate = handled
(31) Using Post-Auth-Type Challenge
(31) Post-Auth-Type sub-section not found.  Ignoring.
(31) # Executing group from file /etc/raddb/sites-enabled/default
(31) Sent Access-Challenge Id 22 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(31)   User-Name = "vkratsberg"
(31)   EAP-Message = 0x0120002b19001703010020dd5e6e61ca4379e57614c0501f9f596212e31b3a860e1ef395b3ea474f2d2b67
(31)   Message-Authenticator = 0x00000000000000000000000000000000
(31)   State = 0xd2885a52d0a84376545752d93dc397a8
(31) Finished request
Waking up in 4.1 seconds.
(32) Received Access-Request Id 23 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(32)   User-Name = "vkratsberg"
(32)   NAS-Port = 358
(32)   State = 0xd2885a52d0a84376545752d93dc397a8
(32)   EAP-Message = 0x0220002b19001703010020fb4681f677a704daf9123b7e062c4b772bf97872b00c3531b327df02e8b5f9fa
(32)   Message-Authenticator = 0xa57af92b0dd0ab1122ffce6df8d4e166
(32)   Acct-Session-Id = "8O2.1x81bb0d4a000ac6a9"
(32)   NAS-Port-Id = "ge-3/0/6.0"
(32)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(32)   Called-Station-Id = "ec-3e-f7-68-35-00"
(32)   NAS-IP-Address = 10.8.0.111
(32)   NAS-Identifier = "nyc-access-sw011"
(32)   NAS-Port-Type = Ethernet
(32) session-state: No cached attributes
(32) # Executing section authorize from file /etc/raddb/sites-enabled/default
(32)   authorize {
(32)     policy filter_username {
(32)       if (&User-Name) {
(32)       if (&User-Name)  -> TRUE
(32)       if (&User-Name)  {
(32)         if (&User-Name =~ / /) {
(32)         if (&User-Name =~ / /)  -> FALSE
(32)         if (&User-Name =~ /@[^@]*@/ ) {
(32)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(32)         if (&User-Name =~ /\.\./ ) {
(32)         if (&User-Name =~ /\.\./ )  -> FALSE
(32)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(32)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(32)         if (&User-Name =~ /\.$/)  {
(32)         if (&User-Name =~ /\.$/)   -> FALSE
(32)         if (&User-Name =~ /@\./)  {
(32)         if (&User-Name =~ /@\./)   -> FALSE
(32)       } # if (&User-Name)  = notfound
(32)     } # policy filter_username = notfound
(32)     [preprocess] = ok
(32)     [chap] = noop
(32)     [mschap] = noop
(32)     [digest] = noop
(32) suffix: Checking for suffix after "@"
(32) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(32) suffix: No such realm "NULL"
(32)     [suffix] = noop
(32) eap: Peer sent EAP Response (code 2) ID 32 length 43
(32) eap: Continuing tunnel setup
(32)     [eap] = ok
(32)   } # authorize = ok
(32) Found Auth-Type = eap
(32) # Executing group from file /etc/raddb/sites-enabled/default
(32)   authenticate {
(32) eap: Expiring EAP session with state 0xd2885a52d0a84376
(32) eap: Finished EAP session with state 0xd2885a52d0a84376
(32) eap: Previous EAP request found for state 0xd2885a52d0a84376, released from the list
(32) eap: Peer sent packet with method EAP PEAP (25)
(32) eap: Calling submodule eap_peap to process data
(32) eap_peap: Continuing EAP-TLS
(32) eap_peap: [eaptls verify] = ok
(32) eap_peap: Done initial handshake
(32) eap_peap: [eaptls process] = ok
(32) eap_peap: Session established.  Decoding tunneled attributes
(32) eap_peap: PEAP state send tlv success
(32) eap_peap: Received EAP-TLV response
(32) eap_peap: Success
(32) eap_peap: No saved attributes in the original Access-Accept
(32) eap: Sending EAP Success (code 3) ID 32 length 4
(32) eap: Freeing handler
(32)     [eap] = ok
(32)   } # authenticate = ok
(32) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(32)   post-auth {
(32)     update {
(32)       No attributes updated
(32)     } # update = noop
(32)     [exec] = noop
(32)     policy remove_reply_message_if_eap {
(32)       if (&reply:EAP-Message && &reply:Reply-Message) {
(32)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(32)       else {
(32)         [noop] = noop
(32)       } # else = noop
(32)     } # policy remove_reply_message_if_eap = noop
(32)   } # post-auth = noop
(32) Sent Access-Accept Id 23 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(32)   MS-MPPE-Recv-Key = 0xb2ed765cf6de9d9b34f2feb2399638c5b75e43cb2a2581e37f5ccd53e14d5a98
(32)   MS-MPPE-Send-Key = 0xf534950e5ea84cfb54047852d28dca3a52b19019096ab82ea346c87b06a8d391
(32)   EAP-Message = 0x03200004
(32)   Message-Authenticator = 0x00000000000000000000000000000000
(32)   User-Name = "vkratsberg"
(32) Finished request
Waking up in 4.1 seconds.
(33) Received Access-Request Id 24 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(33)   User-Name = "vkratsberg"
(33)   NAS-Port = 358
(33)   EAP-Message = 0x0221000f01766b7261747362657267
(33)   Message-Authenticator = 0xb4931dcf6df7b5d16dd721eeea119428
(33)   Acct-Session-Id = "8O2.1x81bb0d4b000c65b7"
(33)   NAS-Port-Id = "ge-3/0/6.0"
(33)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(33)   Called-Station-Id = "ec-3e-f7-68-35-00"
(33)   NAS-IP-Address = 10.8.0.111
(33)   NAS-Identifier = "nyc-access-sw011"
(33)   NAS-Port-Type = Ethernet
(33) # Executing section authorize from file /etc/raddb/sites-enabled/default
(33)   authorize {
(33)     policy filter_username {
(33)       if (&User-Name) {
(33)       if (&User-Name)  -> TRUE
(33)       if (&User-Name)  {
(33)         if (&User-Name =~ / /) {
(33)         if (&User-Name =~ / /)  -> FALSE
(33)         if (&User-Name =~ /@[^@]*@/ ) {
(33)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(33)         if (&User-Name =~ /\.\./ ) {
(33)         if (&User-Name =~ /\.\./ )  -> FALSE
(33)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(33)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(33)         if (&User-Name =~ /\.$/)  {
(33)         if (&User-Name =~ /\.$/)   -> FALSE
(33)         if (&User-Name =~ /@\./)  {
(33)         if (&User-Name =~ /@\./)   -> FALSE
(33)       } # if (&User-Name)  = notfound
(33)     } # policy filter_username = notfound
(33)     [preprocess] = ok
(33)     [chap] = noop
(33)     [mschap] = noop
(33)     [digest] = noop
(33) suffix: Checking for suffix after "@"
(33) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(33) suffix: No such realm "NULL"
(33)     [suffix] = noop
(33) eap: Peer sent EAP Response (code 2) ID 33 length 15
(33) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(33)     [eap] = ok
(33)   } # authorize = ok
(33) Found Auth-Type = eap
(33) # Executing group from file /etc/raddb/sites-enabled/default
(33)   authenticate {
(33) eap: Peer sent packet with method EAP Identity (1)
(33) eap: Calling submodule eap_peap to process data
(33) eap_peap: Initiating new EAP-TLS session
(33) eap_peap: [eaptls start] = request
(33) eap: Sending EAP Request (code 1) ID 34 length 6
(33) eap: EAP session adding &reply:State = 0x095ceadf097ef362
(33)     [eap] = handled
(33)   } # authenticate = handled
(33) Using Post-Auth-Type Challenge
(33) Post-Auth-Type sub-section not found.  Ignoring.
(33) # Executing group from file /etc/raddb/sites-enabled/default
(33) Sent Access-Challenge Id 24 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(33)   EAP-Message = 0x012200061920
(33)   Message-Authenticator = 0x00000000000000000000000000000000
(33)   State = 0x095ceadf097ef362810f8898caf11f54
(33) Finished request
Waking up in 4.1 seconds.
(34) Received Access-Request Id 25 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(34)   User-Name = "vkratsberg"
(34)   NAS-Port = 358
(34)   State = 0x095ceadf097ef362810f8898caf11f54
(34)   EAP-Message = 0x022200a31980000000991603010094010000900301574f326cf0f20df0830ea738d811eb9fa16e4c902846ac23fa80d0fdb639e3812099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(34)   Message-Authenticator = 0xc863fd55fdb0704a51aa92fc7d5effff
(34)   Acct-Session-Id = "8O2.1x81bb0d4b000c65b7"
(34)   NAS-Port-Id = "ge-3/0/6.0"
(34)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(34)   Called-Station-Id = "ec-3e-f7-68-35-00"
(34)   NAS-IP-Address = 10.8.0.111
(34)   NAS-Identifier = "nyc-access-sw011"
(34)   NAS-Port-Type = Ethernet
(34) session-state: No cached attributes
(34) # Executing section authorize from file /etc/raddb/sites-enabled/default
(34)   authorize {
(34)     policy filter_username {
(34)       if (&User-Name) {
(34)       if (&User-Name)  -> TRUE
(34)       if (&User-Name)  {
(34)         if (&User-Name =~ / /) {
(34)         if (&User-Name =~ / /)  -> FALSE
(34)         if (&User-Name =~ /@[^@]*@/ ) {
(34)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(34)         if (&User-Name =~ /\.\./ ) {
(34)         if (&User-Name =~ /\.\./ )  -> FALSE
(34)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(34)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(34)         if (&User-Name =~ /\.$/)  {
(34)         if (&User-Name =~ /\.$/)   -> FALSE
(34)         if (&User-Name =~ /@\./)  {
(34)         if (&User-Name =~ /@\./)   -> FALSE
(34)       } # if (&User-Name)  = notfound
(34)     } # policy filter_username = notfound
(34)     [preprocess] = ok
(34)     [chap] = noop
(34)     [mschap] = noop
(34)     [digest] = noop
(34) suffix: Checking for suffix after "@"
(34) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(34) suffix: No such realm "NULL"
(34)     [suffix] = noop
(34) eap: Peer sent EAP Response (code 2) ID 34 length 163
(34) eap: Continuing tunnel setup
(34)     [eap] = ok
(34)   } # authorize = ok
(34) Found Auth-Type = eap
(34) # Executing group from file /etc/raddb/sites-enabled/default
(34)   authenticate {
(34) eap: Expiring EAP session with state 0x095ceadf097ef362
(34) eap: Finished EAP session with state 0x095ceadf097ef362
(34) eap: Previous EAP request found for state 0x095ceadf097ef362, released from the list
(34) eap: Peer sent packet with method EAP PEAP (25)
(34) eap: Calling submodule eap_peap to process data
(34) eap_peap: Continuing EAP-TLS
(34) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(34) eap_peap: Got complete TLS record (153 bytes)
(34) eap_peap: [eaptls verify] = length included
(34) eap_peap: (other): before/accept initialization
(34) eap_peap: TLS_accept: before/accept initialization
(34) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(34) eap_peap: TLS_accept: SSLv3 read client hello A
(34) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(34) eap_peap: TLS_accept: SSLv3 write server hello A
(34) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(34) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(34) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(34) eap_peap: TLS_accept: SSLv3 write finished A
(34) eap_peap: TLS_accept: SSLv3 flush data
(34) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(34) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(34) eap_peap: In SSL Handshake Phase
(34) eap_peap: In SSL Accept mode
(34) eap_peap: [eaptls process] = handled
(34) eap: Sending EAP Request (code 1) ID 35 length 159
(34) eap: EAP session adding &reply:State = 0x095ceadf087ff362
(34)     [eap] = handled
(34)   } # authenticate = handled
(34) Using Post-Auth-Type Challenge
(34) Post-Auth-Type sub-section not found.  Ignoring.
(34) # Executing group from file /etc/raddb/sites-enabled/default
(34) Sent Access-Challenge Id 25 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(34)   EAP-Message = 0x0123009f19001603010059020000550301574f326c82eec841c6007702ae4fb34bc0f5260c4f8f4d5a02a081ac8deb1ecc2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100307d983a49ea00147a
(34)   Message-Authenticator = 0x00000000000000000000000000000000
(34)   State = 0x095ceadf087ff362810f8898caf11f54
(34) Finished request
Waking up in 4.1 seconds.
(35) Received Access-Request Id 26 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(35)   User-Name = "vkratsberg"
(35)   NAS-Port = 358
(35)   State = 0x095ceadf087ff362810f8898caf11f54
(35)   EAP-Message = 0x0223004519800000003b1403010001011603010030e3d84e94cae7801ff16d738e05b6beb397e59280577b80ad6ceb6b074f9dc2271fd5b3b8da5905d225e100742e732158
(35)   Message-Authenticator = 0x1fdd52c7103a1da71df74d8577e48ba8
(35)   Acct-Session-Id = "8O2.1x81bb0d4b000c65b7"
(35)   NAS-Port-Id = "ge-3/0/6.0"
(35)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(35)   Called-Station-Id = "ec-3e-f7-68-35-00"
(35)   NAS-IP-Address = 10.8.0.111
(35)   NAS-Identifier = "nyc-access-sw011"
(35)   NAS-Port-Type = Ethernet
(35) session-state: No cached attributes
(35) # Executing section authorize from file /etc/raddb/sites-enabled/default
(35)   authorize {
(35)     policy filter_username {
(35)       if (&User-Name) {
(35)       if (&User-Name)  -> TRUE
(35)       if (&User-Name)  {
(35)         if (&User-Name =~ / /) {
(35)         if (&User-Name =~ / /)  -> FALSE
(35)         if (&User-Name =~ /@[^@]*@/ ) {
(35)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(35)         if (&User-Name =~ /\.\./ ) {
(35)         if (&User-Name =~ /\.\./ )  -> FALSE
(35)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(35)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(35)         if (&User-Name =~ /\.$/)  {
(35)         if (&User-Name =~ /\.$/)   -> FALSE
(35)         if (&User-Name =~ /@\./)  {
(35)         if (&User-Name =~ /@\./)   -> FALSE
(35)       } # if (&User-Name)  = notfound
(35)     } # policy filter_username = notfound
(35)     [preprocess] = ok
(35)     [chap] = noop
(35)     [mschap] = noop
(35)     [digest] = noop
(35) suffix: Checking for suffix after "@"
(35) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(35) suffix: No such realm "NULL"
(35)     [suffix] = noop
(35) eap: Peer sent EAP Response (code 2) ID 35 length 69
(35) eap: Continuing tunnel setup
(35)     [eap] = ok
(35)   } # authorize = ok
(35) Found Auth-Type = eap
(35) # Executing group from file /etc/raddb/sites-enabled/default
(35)   authenticate {
(35) eap: Expiring EAP session with state 0x095ceadf087ff362
(35) eap: Finished EAP session with state 0x095ceadf087ff362
(35) eap: Previous EAP request found for state 0x095ceadf087ff362, released from the list
(35) eap: Peer sent packet with method EAP PEAP (25)
(35) eap: Calling submodule eap_peap to process data
(35) eap_peap: Continuing EAP-TLS
(35) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(35) eap_peap: Got complete TLS record (59 bytes)
(35) eap_peap: [eaptls verify] = length included
(35) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(35) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(35) eap_peap: TLS_accept: SSLv3 read finished A
(35) eap_peap: (other): SSL negotiation finished successfully
(35) eap_peap: SSL Connection Established
(35) eap_peap: SSL Application Data
(35) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(35) eap_peap:   reply:User-Name = "vkratsberg"
(35) eap_peap: [eaptls process] = success
(35) eap_peap: Session established.  Decoding tunneled attributes
(35) eap_peap: PEAP state TUNNEL ESTABLISHED
(35) eap_peap: Skipping Phase2 because of session resumption
(35) eap_peap: SUCCESS
(35) eap: Sending EAP Request (code 1) ID 36 length 43
(35) eap: EAP session adding &reply:State = 0x095ceadf0b78f362
(35)     [eap] = handled
(35)   } # authenticate = handled
(35) Using Post-Auth-Type Challenge
(35) Post-Auth-Type sub-section not found.  Ignoring.
(35) # Executing group from file /etc/raddb/sites-enabled/default
(35) Sent Access-Challenge Id 26 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(35)   User-Name = "vkratsberg"
(35)   EAP-Message = 0x0124002b1900170301002093edbfae278625a51c3774e1e2c271033a3f8258c9e6767cab4461b187faacfd
(35)   Message-Authenticator = 0x00000000000000000000000000000000
(35)   State = 0x095ceadf0b78f362810f8898caf11f54
(35) Finished request
Waking up in 4.0 seconds.
(36) Received Access-Request Id 27 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(36)   User-Name = "vkratsberg"
(36)   NAS-Port = 358
(36)   State = 0x095ceadf0b78f362810f8898caf11f54
(36)   EAP-Message = 0x0224002b1900170301002099f69b23615978362a67fb47eb1a0b0e3d8d4c1fde05b6d5dcc71c2866354fe7
(36)   Message-Authenticator = 0xed2e5494b58c5e3105a9cf322d667380
(36)   Acct-Session-Id = "8O2.1x81bb0d4b000c65b7"
(36)   NAS-Port-Id = "ge-3/0/6.0"
(36)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(36)   Called-Station-Id = "ec-3e-f7-68-35-00"
(36)   NAS-IP-Address = 10.8.0.111
(36)   NAS-Identifier = "nyc-access-sw011"
(36)   NAS-Port-Type = Ethernet
(36) session-state: No cached attributes
(36) # Executing section authorize from file /etc/raddb/sites-enabled/default
(36)   authorize {
(36)     policy filter_username {
(36)       if (&User-Name) {
(36)       if (&User-Name)  -> TRUE
(36)       if (&User-Name)  {
(36)         if (&User-Name =~ / /) {
(36)         if (&User-Name =~ / /)  -> FALSE
(36)         if (&User-Name =~ /@[^@]*@/ ) {
(36)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)         if (&User-Name =~ /\.\./ ) {
(36)         if (&User-Name =~ /\.\./ )  -> FALSE
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(36)         if (&User-Name =~ /\.$/)  {
(36)         if (&User-Name =~ /\.$/)   -> FALSE
(36)         if (&User-Name =~ /@\./)  {
(36)         if (&User-Name =~ /@\./)   -> FALSE
(36)       } # if (&User-Name)  = notfound
(36)     } # policy filter_username = notfound
(36)     [preprocess] = ok
(36)     [chap] = noop
(36)     [mschap] = noop
(36)     [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)     [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 36 length 43
(36) eap: Continuing tunnel setup
(36)     [eap] = ok
(36)   } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/raddb/sites-enabled/default
(36)   authenticate {
(36) eap: Expiring EAP session with state 0x095ceadf0b78f362
(36) eap: Finished EAP session with state 0x095ceadf0b78f362
(36) eap: Previous EAP request found for state 0x095ceadf0b78f362, released from the list
(36) eap: Peer sent packet with method EAP PEAP (25)
(36) eap: Calling submodule eap_peap to process data
(36) eap_peap: Continuing EAP-TLS
(36) eap_peap: [eaptls verify] = ok
(36) eap_peap: Done initial handshake
(36) eap_peap: [eaptls process] = ok
(36) eap_peap: Session established.  Decoding tunneled attributes
(36) eap_peap: PEAP state send tlv success
(36) eap_peap: Received EAP-TLV response
(36) eap_peap: Success
(36) eap_peap: No saved attributes in the original Access-Accept
(36) eap: Sending EAP Success (code 3) ID 36 length 4
(36) eap: Freeing handler
(36)     [eap] = ok
(36)   } # authenticate = ok
(36) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(36)   post-auth {
(36)     update {
(36)       No attributes updated
(36)     } # update = noop
(36)     [exec] = noop
(36)     policy remove_reply_message_if_eap {
(36)       if (&reply:EAP-Message && &reply:Reply-Message) {
(36)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(36)       else {
(36)         [noop] = noop
(36)       } # else = noop
(36)     } # policy remove_reply_message_if_eap = noop
(36)   } # post-auth = noop
(36) Sent Access-Accept Id 27 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(36)   MS-MPPE-Recv-Key = 0xf60289063c10983063604ae7fa7376db61446b5c5cc785f0c5b665a3170969ed
(36)   MS-MPPE-Send-Key = 0xbb14a8f4d446cd2601f080dbc2ba08e6c36ca4aa1380b44af13465bad4ff26f2
(36)   EAP-Message = 0x03240004
(36)   Message-Authenticator = 0x00000000000000000000000000000000
(36)   User-Name = "vkratsberg"
(36) Finished request
Waking up in 4.0 seconds.
(37) Received Access-Request Id 28 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(37)   User-Name = "vkratsberg"
(37)   NAS-Port = 358
(37)   EAP-Message = 0x0225000f01766b7261747362657267
(37)   Message-Authenticator = 0x136217906f8656aab1ef54ce63813e54
(37)   Acct-Session-Id = "8O2.1x81bb0d4c000e01e3"
(37)   NAS-Port-Id = "ge-3/0/6.0"
(37)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(37)   Called-Station-Id = "ec-3e-f7-68-35-00"
(37)   NAS-IP-Address = 10.8.0.111
(37)   NAS-Identifier = "nyc-access-sw011"
(37)   NAS-Port-Type = Ethernet
(37) # Executing section authorize from file /etc/raddb/sites-enabled/default
(37)   authorize {
(37)     policy filter_username {
(37)       if (&User-Name) {
(37)       if (&User-Name)  -> TRUE
(37)       if (&User-Name)  {
(37)         if (&User-Name =~ / /) {
(37)         if (&User-Name =~ / /)  -> FALSE
(37)         if (&User-Name =~ /@[^@]*@/ ) {
(37)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(37)         if (&User-Name =~ /\.\./ ) {
(37)         if (&User-Name =~ /\.\./ )  -> FALSE
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(37)         if (&User-Name =~ /\.$/)  {
(37)         if (&User-Name =~ /\.$/)   -> FALSE
(37)         if (&User-Name =~ /@\./)  {
(37)         if (&User-Name =~ /@\./)   -> FALSE
(37)       } # if (&User-Name)  = notfound
(37)     } # policy filter_username = notfound
(37)     [preprocess] = ok
(37)     [chap] = noop
(37)     [mschap] = noop
(37)     [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(37) suffix: No such realm "NULL"
(37)     [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 37 length 15
(37) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(37)     [eap] = ok
(37)   } # authorize = ok
(37) Found Auth-Type = eap
(37) # Executing group from file /etc/raddb/sites-enabled/default
(37)   authenticate {
(37) eap: Peer sent packet with method EAP Identity (1)
(37) eap: Calling submodule eap_peap to process data
(37) eap_peap: Initiating new EAP-TLS session
(37) eap_peap: [eaptls start] = request
(37) eap: Sending EAP Request (code 1) ID 38 length 6
(37) eap: EAP session adding &reply:State = 0x79d0a5d979f6bcc3
(37)     [eap] = handled
(37)   } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) Post-Auth-Type sub-section not found.  Ignoring.
(37) # Executing group from file /etc/raddb/sites-enabled/default
(37) Sent Access-Challenge Id 28 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(37)   EAP-Message = 0x012600061920
(37)   Message-Authenticator = 0x00000000000000000000000000000000
(37)   State = 0x79d0a5d979f6bcc3769e604cf21419ad
(37) Finished request
Waking up in 4.0 seconds.
(38) Received Access-Request Id 29 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(38)   User-Name = "vkratsberg"
(38)   NAS-Port = 358
(38)   State = 0x79d0a5d979f6bcc3769e604cf21419ad
(38)   EAP-Message = 0x022600a31980000000991603010094010000900301574f326c6c0f1a682cc822a8003c8c74ad90247feacedf4a61d479953ea526062099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(38)   Message-Authenticator = 0x357680eede82660d722334287064b813
(38)   Acct-Session-Id = "8O2.1x81bb0d4c000e01e3"
(38)   NAS-Port-Id = "ge-3/0/6.0"
(38)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(38)   Called-Station-Id = "ec-3e-f7-68-35-00"
(38)   NAS-IP-Address = 10.8.0.111
(38)   NAS-Identifier = "nyc-access-sw011"
(38)   NAS-Port-Type = Ethernet
(38) session-state: No cached attributes
(38) # Executing section authorize from file /etc/raddb/sites-enabled/default
(38)   authorize {
(38)     policy filter_username {
(38)       if (&User-Name) {
(38)       if (&User-Name)  -> TRUE
(38)       if (&User-Name)  {
(38)         if (&User-Name =~ / /) {
(38)         if (&User-Name =~ / /)  -> FALSE
(38)         if (&User-Name =~ /@[^@]*@/ ) {
(38)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(38)         if (&User-Name =~ /\.\./ ) {
(38)         if (&User-Name =~ /\.\./ )  -> FALSE
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(38)         if (&User-Name =~ /\.$/)  {
(38)         if (&User-Name =~ /\.$/)   -> FALSE
(38)         if (&User-Name =~ /@\./)  {
(38)         if (&User-Name =~ /@\./)   -> FALSE
(38)       } # if (&User-Name)  = notfound
(38)     } # policy filter_username = notfound
(38)     [preprocess] = ok
(38)     [chap] = noop
(38)     [mschap] = noop
(38)     [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(38) suffix: No such realm "NULL"
(38)     [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 38 length 163
(38) eap: Continuing tunnel setup
(38)     [eap] = ok
(38)   } # authorize = ok
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38)   authenticate {
(38) eap: Expiring EAP session with state 0x79d0a5d979f6bcc3
(38) eap: Finished EAP session with state 0x79d0a5d979f6bcc3
(38) eap: Previous EAP request found for state 0x79d0a5d979f6bcc3, released from the list
(38) eap: Peer sent packet with method EAP PEAP (25)
(38) eap: Calling submodule eap_peap to process data
(38) eap_peap: Continuing EAP-TLS
(38) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(38) eap_peap: Got complete TLS record (153 bytes)
(38) eap_peap: [eaptls verify] = length included
(38) eap_peap: (other): before/accept initialization
(38) eap_peap: TLS_accept: before/accept initialization
(38) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(38) eap_peap: TLS_accept: SSLv3 read client hello A
(38) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(38) eap_peap: TLS_accept: SSLv3 write server hello A
(38) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(38) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(38) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(38) eap_peap: TLS_accept: SSLv3 write finished A
(38) eap_peap: TLS_accept: SSLv3 flush data
(38) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(38) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(38) eap_peap: In SSL Handshake Phase
(38) eap_peap: In SSL Accept mode
(38) eap_peap: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 39 length 159
(38) eap: EAP session adding &reply:State = 0x79d0a5d978f7bcc3
(38)     [eap] = handled
(38)   } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) Post-Auth-Type sub-section not found.  Ignoring.
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38) Sent Access-Challenge Id 29 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(38)   EAP-Message = 0x0127009f19001603010059020000550301574f326c61949196d1437eca9556a53a1b649fd474f80d70f1edab64d73688202099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100308b35fdb75d53bfc5
(38)   Message-Authenticator = 0x00000000000000000000000000000000
(38)   State = 0x79d0a5d978f7bcc3769e604cf21419ad
(38) Finished request
Waking up in 4.0 seconds.
(39) Received Access-Request Id 30 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(39)   User-Name = "vkratsberg"
(39)   NAS-Port = 358
(39)   State = 0x79d0a5d978f7bcc3769e604cf21419ad
(39)   EAP-Message = 0x0227004519800000003b14030100010116030100302875202cb964174f39321d936418fdf06e537693a67d65b08115b5b97eb9d8831547e36cd0321a4a24c9d2703a9dcca5
(39)   Message-Authenticator = 0x791a6e4fa3b5040cff6cbb2d5190d4a3
(39)   Acct-Session-Id = "8O2.1x81bb0d4c000e01e3"
(39)   NAS-Port-Id = "ge-3/0/6.0"
(39)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(39)   Called-Station-Id = "ec-3e-f7-68-35-00"
(39)   NAS-IP-Address = 10.8.0.111
(39)   NAS-Identifier = "nyc-access-sw011"
(39)   NAS-Port-Type = Ethernet
(39) session-state: No cached attributes
(39) # Executing section authorize from file /etc/raddb/sites-enabled/default
(39)   authorize {
(39)     policy filter_username {
(39)       if (&User-Name) {
(39)       if (&User-Name)  -> TRUE
(39)       if (&User-Name)  {
(39)         if (&User-Name =~ / /) {
(39)         if (&User-Name =~ / /)  -> FALSE
(39)         if (&User-Name =~ /@[^@]*@/ ) {
(39)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(39)         if (&User-Name =~ /\.\./ ) {
(39)         if (&User-Name =~ /\.\./ )  -> FALSE
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(39)         if (&User-Name =~ /\.$/)  {
(39)         if (&User-Name =~ /\.$/)   -> FALSE
(39)         if (&User-Name =~ /@\./)  {
(39)         if (&User-Name =~ /@\./)   -> FALSE
(39)       } # if (&User-Name)  = notfound
(39)     } # policy filter_username = notfound
(39)     [preprocess] = ok
(39)     [chap] = noop
(39)     [mschap] = noop
(39)     [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(39) suffix: No such realm "NULL"
(39)     [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 39 length 69
(39) eap: Continuing tunnel setup
(39)     [eap] = ok
(39)   } # authorize = ok
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/raddb/sites-enabled/default
(39)   authenticate {
(39) eap: Expiring EAP session with state 0x79d0a5d978f7bcc3
(39) eap: Finished EAP session with state 0x79d0a5d978f7bcc3
(39) eap: Previous EAP request found for state 0x79d0a5d978f7bcc3, released from the list
(39) eap: Peer sent packet with method EAP PEAP (25)
(39) eap: Calling submodule eap_peap to process data
(39) eap_peap: Continuing EAP-TLS
(39) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(39) eap_peap: Got complete TLS record (59 bytes)
(39) eap_peap: [eaptls verify] = length included
(39) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(39) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(39) eap_peap: TLS_accept: SSLv3 read finished A
(39) eap_peap: (other): SSL negotiation finished successfully
(39) eap_peap: SSL Connection Established
(39) eap_peap: SSL Application Data
(39) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(39) eap_peap:   reply:User-Name = "vkratsberg"
(39) eap_peap: [eaptls process] = success
(39) eap_peap: Session established.  Decoding tunneled attributes
(39) eap_peap: PEAP state TUNNEL ESTABLISHED
(39) eap_peap: Skipping Phase2 because of session resumption
(39) eap_peap: SUCCESS
(39) eap: Sending EAP Request (code 1) ID 40 length 43
(39) eap: EAP session adding &reply:State = 0x79d0a5d97bf8bcc3
(39)     [eap] = handled
(39)   } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) Post-Auth-Type sub-section not found.  Ignoring.
(39) # Executing group from file /etc/raddb/sites-enabled/default
(39) Sent Access-Challenge Id 30 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(39)   User-Name = "vkratsberg"
(39)   EAP-Message = 0x0128002b1900170301002097569bbd462b03cfcbc792fe81b6149dddc67571fe5018d7463652cf0b51f885
(39)   Message-Authenticator = 0x00000000000000000000000000000000
(39)   State = 0x79d0a5d97bf8bcc3769e604cf21419ad
(39) Finished request
Waking up in 3.9 seconds.
(40) Received Access-Request Id 31 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(40)   User-Name = "vkratsberg"
(40)   NAS-Port = 358
(40)   State = 0x79d0a5d97bf8bcc3769e604cf21419ad
(40)   EAP-Message = 0x0228002b19001703010020a0733e6098d3f481b13c5bb7b8472c123dc0d777d071a2bf46662fc6d2819317
(40)   Message-Authenticator = 0x174f98792551e5c2e015a1f31cb82d68
(40)   Acct-Session-Id = "8O2.1x81bb0d4c000e01e3"
(40)   NAS-Port-Id = "ge-3/0/6.0"
(40)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(40)   Called-Station-Id = "ec-3e-f7-68-35-00"
(40)   NAS-IP-Address = 10.8.0.111
(40)   NAS-Identifier = "nyc-access-sw011"
(40)   NAS-Port-Type = Ethernet
(40) session-state: No cached attributes
(40) # Executing section authorize from file /etc/raddb/sites-enabled/default
(40)   authorize {
(40)     policy filter_username {
(40)       if (&User-Name) {
(40)       if (&User-Name)  -> TRUE
(40)       if (&User-Name)  {
(40)         if (&User-Name =~ / /) {
(40)         if (&User-Name =~ / /)  -> FALSE
(40)         if (&User-Name =~ /@[^@]*@/ ) {
(40)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(40)         if (&User-Name =~ /\.\./ ) {
(40)         if (&User-Name =~ /\.\./ )  -> FALSE
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(40)         if (&User-Name =~ /\.$/)  {
(40)         if (&User-Name =~ /\.$/)   -> FALSE
(40)         if (&User-Name =~ /@\./)  {
(40)         if (&User-Name =~ /@\./)   -> FALSE
(40)       } # if (&User-Name)  = notfound
(40)     } # policy filter_username = notfound
(40)     [preprocess] = ok
(40)     [chap] = noop
(40)     [mschap] = noop
(40)     [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(40) suffix: No such realm "NULL"
(40)     [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 40 length 43
(40) eap: Continuing tunnel setup
(40)     [eap] = ok
(40)   } # authorize = ok
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/raddb/sites-enabled/default
(40)   authenticate {
(40) eap: Expiring EAP session with state 0x79d0a5d97bf8bcc3
(40) eap: Finished EAP session with state 0x79d0a5d97bf8bcc3
(40) eap: Previous EAP request found for state 0x79d0a5d97bf8bcc3, released from the list
(40) eap: Peer sent packet with method EAP PEAP (25)
(40) eap: Calling submodule eap_peap to process data
(40) eap_peap: Continuing EAP-TLS
(40) eap_peap: [eaptls verify] = ok
(40) eap_peap: Done initial handshake
(40) eap_peap: [eaptls process] = ok
(40) eap_peap: Session established.  Decoding tunneled attributes
(40) eap_peap: PEAP state send tlv success
(40) eap_peap: Received EAP-TLV response
(40) eap_peap: Success
(40) eap_peap: No saved attributes in the original Access-Accept
(40) eap: Sending EAP Success (code 3) ID 40 length 4
(40) eap: Freeing handler
(40)     [eap] = ok
(40)   } # authenticate = ok
(40) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(40)   post-auth {
(40)     update {
(40)       No attributes updated
(40)     } # update = noop
(40)     [exec] = noop
(40)     policy remove_reply_message_if_eap {
(40)       if (&reply:EAP-Message && &reply:Reply-Message) {
(40)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(40)       else {
(40)         [noop] = noop
(40)       } # else = noop
(40)     } # policy remove_reply_message_if_eap = noop
(40)   } # post-auth = noop
(40) Sent Access-Accept Id 31 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(40)   MS-MPPE-Recv-Key = 0x6c0f5d00cda3bf5ea32042cc0932f2d486d3b357caf747a3be7bd1a13071d568
(40)   MS-MPPE-Send-Key = 0x1f4b7cd5e090534cc7461ef79d4420bbb1f4debd11f77b95720e978cdf4a533c
(40)   EAP-Message = 0x03280004
(40)   Message-Authenticator = 0x00000000000000000000000000000000
(40)   User-Name = "vkratsberg"
(40) Finished request
Waking up in 3.9 seconds.
(41) Received Access-Request Id 32 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(41)   User-Name = "vkratsberg"
(41)   NAS-Port = 358
(41)   EAP-Message = 0x0229000f01766b7261747362657267
(41)   Message-Authenticator = 0x8d40fa57f6a725fa0cb4f95e274b930e
(41)   Acct-Session-Id = "8O2.1x81bb0d4d000057d6"
(41)   NAS-Port-Id = "ge-3/0/6.0"
(41)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(41)   Called-Station-Id = "ec-3e-f7-68-35-00"
(41)   NAS-IP-Address = 10.8.0.111
(41)   NAS-Identifier = "nyc-access-sw011"
(41)   NAS-Port-Type = Ethernet
(41) # Executing section authorize from file /etc/raddb/sites-enabled/default
(41)   authorize {
(41)     policy filter_username {
(41)       if (&User-Name) {
(41)       if (&User-Name)  -> TRUE
(41)       if (&User-Name)  {
(41)         if (&User-Name =~ / /) {
(41)         if (&User-Name =~ / /)  -> FALSE
(41)         if (&User-Name =~ /@[^@]*@/ ) {
(41)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(41)         if (&User-Name =~ /\.\./ ) {
(41)         if (&User-Name =~ /\.\./ )  -> FALSE
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(41)         if (&User-Name =~ /\.$/)  {
(41)         if (&User-Name =~ /\.$/)   -> FALSE
(41)         if (&User-Name =~ /@\./)  {
(41)         if (&User-Name =~ /@\./)   -> FALSE
(41)       } # if (&User-Name)  = notfound
(41)     } # policy filter_username = notfound
(41)     [preprocess] = ok
(41)     [chap] = noop
(41)     [mschap] = noop
(41)     [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(41) suffix: No such realm "NULL"
(41)     [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 41 length 15
(41) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(41)     [eap] = ok
(41)   } # authorize = ok
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/raddb/sites-enabled/default
(41)   authenticate {
(41) eap: Peer sent packet with method EAP Identity (1)
(41) eap: Calling submodule eap_peap to process data
(41) eap_peap: Initiating new EAP-TLS session
(41) eap_peap: [eaptls start] = request
(41) eap: Sending EAP Request (code 1) ID 42 length 6
(41) eap: EAP session adding &reply:State = 0xe096d129e0bcc8ee
(41)     [eap] = handled
(41)   } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) Post-Auth-Type sub-section not found.  Ignoring.
(41) # Executing group from file /etc/raddb/sites-enabled/default
(41) Sent Access-Challenge Id 32 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(41)   EAP-Message = 0x012a00061920
(41)   Message-Authenticator = 0x00000000000000000000000000000000
(41)   State = 0xe096d129e0bcc8eef5c532e15d409219
(41) Finished request
Waking up in 3.9 seconds.
(42) Received Access-Request Id 33 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(42)   User-Name = "vkratsberg"
(42)   NAS-Port = 358
(42)   State = 0xe096d129e0bcc8eef5c532e15d409219
(42)   EAP-Message = 0x022a00a31980000000991603010094010000900301574f326d4fb9106762b446d26f045f81d7fc7b8b1724111a6c4044b3bc59a7ef2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(42)   Message-Authenticator = 0x9c35dd441c6de34809a84d97c5bb5f13
(42)   Acct-Session-Id = "8O2.1x81bb0d4d000057d6"
(42)   NAS-Port-Id = "ge-3/0/6.0"
(42)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(42)   Called-Station-Id = "ec-3e-f7-68-35-00"
(42)   NAS-IP-Address = 10.8.0.111
(42)   NAS-Identifier = "nyc-access-sw011"
(42)   NAS-Port-Type = Ethernet
(42) session-state: No cached attributes
(42) # Executing section authorize from file /etc/raddb/sites-enabled/default
(42)   authorize {
(42)     policy filter_username {
(42)       if (&User-Name) {
(42)       if (&User-Name)  -> TRUE
(42)       if (&User-Name)  {
(42)         if (&User-Name =~ / /) {
(42)         if (&User-Name =~ / /)  -> FALSE
(42)         if (&User-Name =~ /@[^@]*@/ ) {
(42)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(42)         if (&User-Name =~ /\.\./ ) {
(42)         if (&User-Name =~ /\.\./ )  -> FALSE
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(42)         if (&User-Name =~ /\.$/)  {
(42)         if (&User-Name =~ /\.$/)   -> FALSE
(42)         if (&User-Name =~ /@\./)  {
(42)         if (&User-Name =~ /@\./)   -> FALSE
(42)       } # if (&User-Name)  = notfound
(42)     } # policy filter_username = notfound
(42)     [preprocess] = ok
(42)     [chap] = noop
(42)     [mschap] = noop
(42)     [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(42) suffix: No such realm "NULL"
(42)     [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 42 length 163
(42) eap: Continuing tunnel setup
(42)     [eap] = ok
(42)   } # authorize = ok
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/raddb/sites-enabled/default
(42)   authenticate {
(42) eap: Expiring EAP session with state 0xe096d129e0bcc8ee
(42) eap: Finished EAP session with state 0xe096d129e0bcc8ee
(42) eap: Previous EAP request found for state 0xe096d129e0bcc8ee, released from the list
(42) eap: Peer sent packet with method EAP PEAP (25)
(42) eap: Calling submodule eap_peap to process data
(42) eap_peap: Continuing EAP-TLS
(42) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(42) eap_peap: Got complete TLS record (153 bytes)
(42) eap_peap: [eaptls verify] = length included
(42) eap_peap: (other): before/accept initialization
(42) eap_peap: TLS_accept: before/accept initialization
(42) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(42) eap_peap: TLS_accept: SSLv3 read client hello A
(42) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(42) eap_peap: TLS_accept: SSLv3 write server hello A
(42) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(42) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(42) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(42) eap_peap: TLS_accept: SSLv3 write finished A
(42) eap_peap: TLS_accept: SSLv3 flush data
(42) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(42) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(42) eap_peap: In SSL Handshake Phase
(42) eap_peap: In SSL Accept mode
(42) eap_peap: [eaptls process] = handled
(42) eap: Sending EAP Request (code 1) ID 43 length 159
(42) eap: EAP session adding &reply:State = 0xe096d129e1bdc8ee
(42)     [eap] = handled
(42)   } # authenticate = handled
(42) Using Post-Auth-Type Challenge
(42) Post-Auth-Type sub-section not found.  Ignoring.
(42) # Executing group from file /etc/raddb/sites-enabled/default
(42) Sent Access-Challenge Id 33 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(42)   EAP-Message = 0x012b009f19001603010059020000550301574f326dddd5ee40085648581169894c7de8a8de09b0322c842ed4773f318b9f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030c94edb4dbf1baf6b
(42)   Message-Authenticator = 0x00000000000000000000000000000000
(42)   State = 0xe096d129e1bdc8eef5c532e15d409219
(42) Finished request
Waking up in 3.9 seconds.
(43) Received Access-Request Id 34 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(43)   User-Name = "vkratsberg"
(43)   NAS-Port = 358
(43)   State = 0xe096d129e1bdc8eef5c532e15d409219
(43)   EAP-Message = 0x022b004519800000003b1403010001011603010030802813146e895f712cc357be5a4a44bc5038e7999468c3b9739bbf630ac95b568e51c58864e8ef1e6b837c917e0ae134
(43)   Message-Authenticator = 0xb9c7827980640823db4a91855bde8e71
(43)   Acct-Session-Id = "8O2.1x81bb0d4d000057d6"
(43)   NAS-Port-Id = "ge-3/0/6.0"
(43)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(43)   Called-Station-Id = "ec-3e-f7-68-35-00"
(43)   NAS-IP-Address = 10.8.0.111
(43)   NAS-Identifier = "nyc-access-sw011"
(43)   NAS-Port-Type = Ethernet
(43) session-state: No cached attributes
(43) # Executing section authorize from file /etc/raddb/sites-enabled/default
(43)   authorize {
(43)     policy filter_username {
(43)       if (&User-Name) {
(43)       if (&User-Name)  -> TRUE
(43)       if (&User-Name)  {
(43)         if (&User-Name =~ / /) {
(43)         if (&User-Name =~ / /)  -> FALSE
(43)         if (&User-Name =~ /@[^@]*@/ ) {
(43)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(43)         if (&User-Name =~ /\.\./ ) {
(43)         if (&User-Name =~ /\.\./ )  -> FALSE
(43)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(43)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(43)         if (&User-Name =~ /\.$/)  {
(43)         if (&User-Name =~ /\.$/)   -> FALSE
(43)         if (&User-Name =~ /@\./)  {
(43)         if (&User-Name =~ /@\./)   -> FALSE
(43)       } # if (&User-Name)  = notfound
(43)     } # policy filter_username = notfound
(43)     [preprocess] = ok
(43)     [chap] = noop
(43)     [mschap] = noop
(43)     [digest] = noop
(43) suffix: Checking for suffix after "@"
(43) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(43) suffix: No such realm "NULL"
(43)     [suffix] = noop
(43) eap: Peer sent EAP Response (code 2) ID 43 length 69
(43) eap: Continuing tunnel setup
(43)     [eap] = ok
(43)   } # authorize = ok
(43) Found Auth-Type = eap
(43) # Executing group from file /etc/raddb/sites-enabled/default
(43)   authenticate {
(43) eap: Expiring EAP session with state 0xe096d129e1bdc8ee
(43) eap: Finished EAP session with state 0xe096d129e1bdc8ee
(43) eap: Previous EAP request found for state 0xe096d129e1bdc8ee, released from the list
(43) eap: Peer sent packet with method EAP PEAP (25)
(43) eap: Calling submodule eap_peap to process data
(43) eap_peap: Continuing EAP-TLS
(43) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(43) eap_peap: Got complete TLS record (59 bytes)
(43) eap_peap: [eaptls verify] = length included
(43) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(43) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(43) eap_peap: TLS_accept: SSLv3 read finished A
(43) eap_peap: (other): SSL negotiation finished successfully
(43) eap_peap: SSL Connection Established
(43) eap_peap: SSL Application Data
(43) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(43) eap_peap:   reply:User-Name = "vkratsberg"
(43) eap_peap: [eaptls process] = success
(43) eap_peap: Session established.  Decoding tunneled attributes
(43) eap_peap: PEAP state TUNNEL ESTABLISHED
(43) eap_peap: Skipping Phase2 because of session resumption
(43) eap_peap: SUCCESS
(43) eap: Sending EAP Request (code 1) ID 44 length 43
(43) eap: EAP session adding &reply:State = 0xe096d129e2bac8ee
(43)     [eap] = handled
(43)   } # authenticate = handled
(43) Using Post-Auth-Type Challenge
(43) Post-Auth-Type sub-section not found.  Ignoring.
(43) # Executing group from file /etc/raddb/sites-enabled/default
(43) Sent Access-Challenge Id 34 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(43)   User-Name = "vkratsberg"
(43)   EAP-Message = 0x012c002b190017030100202d3175bd6f30bf51474b134c95a19b3a431b238d739dbf0da70f09fd1b88a41e
(43)   Message-Authenticator = 0x00000000000000000000000000000000
(43)   State = 0xe096d129e2bac8eef5c532e15d409219
(43) Finished request
Waking up in 3.8 seconds.
(44) Received Access-Request Id 35 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(44)   User-Name = "vkratsberg"
(44)   NAS-Port = 358
(44)   State = 0xe096d129e2bac8eef5c532e15d409219
(44)   EAP-Message = 0x022c002b19001703010020741228bcbf7c38839f7d0a6af041af1c7eb525cc4c3e77013ad6c2907ec9f2ee
(44)   Message-Authenticator = 0x9753f3c218dd66347017ae0ded257afc
(44)   Acct-Session-Id = "8O2.1x81bb0d4d000057d6"
(44)   NAS-Port-Id = "ge-3/0/6.0"
(44)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(44)   Called-Station-Id = "ec-3e-f7-68-35-00"
(44)   NAS-IP-Address = 10.8.0.111
(44)   NAS-Identifier = "nyc-access-sw011"
(44)   NAS-Port-Type = Ethernet
(44) session-state: No cached attributes
(44) # Executing section authorize from file /etc/raddb/sites-enabled/default
(44)   authorize {
(44)     policy filter_username {
(44)       if (&User-Name) {
(44)       if (&User-Name)  -> TRUE
(44)       if (&User-Name)  {
(44)         if (&User-Name =~ / /) {
(44)         if (&User-Name =~ / /)  -> FALSE
(44)         if (&User-Name =~ /@[^@]*@/ ) {
(44)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(44)         if (&User-Name =~ /\.\./ ) {
(44)         if (&User-Name =~ /\.\./ )  -> FALSE
(44)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(44)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(44)         if (&User-Name =~ /\.$/)  {
(44)         if (&User-Name =~ /\.$/)   -> FALSE
(44)         if (&User-Name =~ /@\./)  {
(44)         if (&User-Name =~ /@\./)   -> FALSE
(44)       } # if (&User-Name)  = notfound
(44)     } # policy filter_username = notfound
(44)     [preprocess] = ok
(44)     [chap] = noop
(44)     [mschap] = noop
(44)     [digest] = noop
(44) suffix: Checking for suffix after "@"
(44) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(44) suffix: No such realm "NULL"
(44)     [suffix] = noop
(44) eap: Peer sent EAP Response (code 2) ID 44 length 43
(44) eap: Continuing tunnel setup
(44)     [eap] = ok
(44)   } # authorize = ok
(44) Found Auth-Type = eap
(44) # Executing group from file /etc/raddb/sites-enabled/default
(44)   authenticate {
(44) eap: Expiring EAP session with state 0xe096d129e2bac8ee
(44) eap: Finished EAP session with state 0xe096d129e2bac8ee
(44) eap: Previous EAP request found for state 0xe096d129e2bac8ee, released from the list
(44) eap: Peer sent packet with method EAP PEAP (25)
(44) eap: Calling submodule eap_peap to process data
(44) eap_peap: Continuing EAP-TLS
(44) eap_peap: [eaptls verify] = ok
(44) eap_peap: Done initial handshake
(44) eap_peap: [eaptls process] = ok
(44) eap_peap: Session established.  Decoding tunneled attributes
(44) eap_peap: PEAP state send tlv success
(44) eap_peap: Received EAP-TLV response
(44) eap_peap: Success
(44) eap_peap: No saved attributes in the original Access-Accept
(44) eap: Sending EAP Success (code 3) ID 44 length 4
(44) eap: Freeing handler
(44)     [eap] = ok
(44)   } # authenticate = ok
(44) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(44)   post-auth {
(44)     update {
(44)       No attributes updated
(44)     } # update = noop
(44)     [exec] = noop
(44)     policy remove_reply_message_if_eap {
(44)       if (&reply:EAP-Message && &reply:Reply-Message) {
(44)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(44)       else {
(44)         [noop] = noop
(44)       } # else = noop
(44)     } # policy remove_reply_message_if_eap = noop
(44)   } # post-auth = noop
(44) Sent Access-Accept Id 35 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(44)   MS-MPPE-Recv-Key = 0x86af294eff1feb0b17d14bdf679a1854d36cb36dc18ff961842dd3bd7df8b2b7
(44)   MS-MPPE-Send-Key = 0xc781165b35f9d842f89d9370c25ab5d1fe73552f835dc0894faa311f54345669
(44)   EAP-Message = 0x032c0004
(44)   Message-Authenticator = 0x00000000000000000000000000000000
(44)   User-Name = "vkratsberg"
(44) Finished request
Waking up in 3.8 seconds.
(45) Received Access-Request Id 36 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(45)   User-Name = "vkratsberg"
(45)   NAS-Port = 358
(45)   EAP-Message = 0x022d000f01766b7261747362657267
(45)   Message-Authenticator = 0x133aa25966b0bea5a9b01b952927d700
(45)   Acct-Session-Id = "8O2.1x81bb0d4e0001f90b"
(45)   NAS-Port-Id = "ge-3/0/6.0"
(45)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(45)   Called-Station-Id = "ec-3e-f7-68-35-00"
(45)   NAS-IP-Address = 10.8.0.111
(45)   NAS-Identifier = "nyc-access-sw011"
(45)   NAS-Port-Type = Ethernet
(45) # Executing section authorize from file /etc/raddb/sites-enabled/default
(45)   authorize {
(45)     policy filter_username {
(45)       if (&User-Name) {
(45)       if (&User-Name)  -> TRUE
(45)       if (&User-Name)  {
(45)         if (&User-Name =~ / /) {
(45)         if (&User-Name =~ / /)  -> FALSE
(45)         if (&User-Name =~ /@[^@]*@/ ) {
(45)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(45)         if (&User-Name =~ /\.\./ ) {
(45)         if (&User-Name =~ /\.\./ )  -> FALSE
(45)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(45)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(45)         if (&User-Name =~ /\.$/)  {
(45)         if (&User-Name =~ /\.$/)   -> FALSE
(45)         if (&User-Name =~ /@\./)  {
(45)         if (&User-Name =~ /@\./)   -> FALSE
(45)       } # if (&User-Name)  = notfound
(45)     } # policy filter_username = notfound
(45)     [preprocess] = ok
(45)     [chap] = noop
(45)     [mschap] = noop
(45)     [digest] = noop
(45) suffix: Checking for suffix after "@"
(45) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(45) suffix: No such realm "NULL"
(45)     [suffix] = noop
(45) eap: Peer sent EAP Response (code 2) ID 45 length 15
(45) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(45)     [eap] = ok
(45)   } # authorize = ok
(45) Found Auth-Type = eap
(45) # Executing group from file /etc/raddb/sites-enabled/default
(45)   authenticate {
(45) eap: Peer sent packet with method EAP Identity (1)
(45) eap: Calling submodule eap_peap to process data
(45) eap_peap: Initiating new EAP-TLS session
(45) eap_peap: [eaptls start] = request
(45) eap: Sending EAP Request (code 1) ID 46 length 6
(45) eap: EAP session adding &reply:State = 0xbb22d88bbb0cc1ec
(45)     [eap] = handled
(45)   } # authenticate = handled
(45) Using Post-Auth-Type Challenge
(45) Post-Auth-Type sub-section not found.  Ignoring.
(45) # Executing group from file /etc/raddb/sites-enabled/default
(45) Sent Access-Challenge Id 36 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(45)   EAP-Message = 0x012e00061920
(45)   Message-Authenticator = 0x00000000000000000000000000000000
(45)   State = 0xbb22d88bbb0cc1ec0daea853d9277695
(45) Finished request
Waking up in 3.8 seconds.
(46) Received Access-Request Id 37 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(46)   User-Name = "vkratsberg"
(46)   NAS-Port = 358
(46)   State = 0xbb22d88bbb0cc1ec0daea853d9277695
(46)   EAP-Message = 0x022e00a31980000000991603010094010000900301574f326d833216bed987cc0d9db82d841b27f02780c0aa8272402bc9fdc5fef52099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(46)   Message-Authenticator = 0xe0315dac47990763d3dfa9a956edab6f
(46)   Acct-Session-Id = "8O2.1x81bb0d4e0001f90b"
(46)   NAS-Port-Id = "ge-3/0/6.0"
(46)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(46)   Called-Station-Id = "ec-3e-f7-68-35-00"
(46)   NAS-IP-Address = 10.8.0.111
(46)   NAS-Identifier = "nyc-access-sw011"
(46)   NAS-Port-Type = Ethernet
(46) session-state: No cached attributes
(46) # Executing section authorize from file /etc/raddb/sites-enabled/default
(46)   authorize {
(46)     policy filter_username {
(46)       if (&User-Name) {
(46)       if (&User-Name)  -> TRUE
(46)       if (&User-Name)  {
(46)         if (&User-Name =~ / /) {
(46)         if (&User-Name =~ / /)  -> FALSE
(46)         if (&User-Name =~ /@[^@]*@/ ) {
(46)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(46)         if (&User-Name =~ /\.\./ ) {
(46)         if (&User-Name =~ /\.\./ )  -> FALSE
(46)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(46)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(46)         if (&User-Name =~ /\.$/)  {
(46)         if (&User-Name =~ /\.$/)   -> FALSE
(46)         if (&User-Name =~ /@\./)  {
(46)         if (&User-Name =~ /@\./)   -> FALSE
(46)       } # if (&User-Name)  = notfound
(46)     } # policy filter_username = notfound
(46)     [preprocess] = ok
(46)     [chap] = noop
(46)     [mschap] = noop
(46)     [digest] = noop
(46) suffix: Checking for suffix after "@"
(46) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(46) suffix: No such realm "NULL"
(46)     [suffix] = noop
(46) eap: Peer sent EAP Response (code 2) ID 46 length 163
(46) eap: Continuing tunnel setup
(46)     [eap] = ok
(46)   } # authorize = ok
(46) Found Auth-Type = eap
(46) # Executing group from file /etc/raddb/sites-enabled/default
(46)   authenticate {
(46) eap: Expiring EAP session with state 0xbb22d88bbb0cc1ec
(46) eap: Finished EAP session with state 0xbb22d88bbb0cc1ec
(46) eap: Previous EAP request found for state 0xbb22d88bbb0cc1ec, released from the list
(46) eap: Peer sent packet with method EAP PEAP (25)
(46) eap: Calling submodule eap_peap to process data
(46) eap_peap: Continuing EAP-TLS
(46) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(46) eap_peap: Got complete TLS record (153 bytes)
(46) eap_peap: [eaptls verify] = length included
(46) eap_peap: (other): before/accept initialization
(46) eap_peap: TLS_accept: before/accept initialization
(46) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(46) eap_peap: TLS_accept: SSLv3 read client hello A
(46) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(46) eap_peap: TLS_accept: SSLv3 write server hello A
(46) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(46) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(46) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(46) eap_peap: TLS_accept: SSLv3 write finished A
(46) eap_peap: TLS_accept: SSLv3 flush data
(46) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(46) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(46) eap_peap: In SSL Handshake Phase
(46) eap_peap: In SSL Accept mode
(46) eap_peap: [eaptls process] = handled
(46) eap: Sending EAP Request (code 1) ID 47 length 159
(46) eap: EAP session adding &reply:State = 0xbb22d88bba0dc1ec
(46)     [eap] = handled
(46)   } # authenticate = handled
(46) Using Post-Auth-Type Challenge
(46) Post-Auth-Type sub-section not found.  Ignoring.
(46) # Executing group from file /etc/raddb/sites-enabled/default
(46) Sent Access-Challenge Id 37 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(46)   EAP-Message = 0x012f009f19001603010059020000550301574f326d4c2e696a34f8fe4cf21f937d89bf70b900f714d1cdf8960972dc98702099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030a57d903b53eca507
(46)   Message-Authenticator = 0x00000000000000000000000000000000
(46)   State = 0xbb22d88bba0dc1ec0daea853d9277695
(46) Finished request
Waking up in 3.8 seconds.
(47) Received Access-Request Id 38 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(47)   User-Name = "vkratsberg"
(47)   NAS-Port = 358
(47)   State = 0xbb22d88bba0dc1ec0daea853d9277695
(47)   EAP-Message = 0x022f004519800000003b140301000101160301003031098749c2e4ab9c453ad07d77c36b1065c82ba467b5fba5987e6afc47d049640829519003e35b03218af72e0f61bd08
(47)   Message-Authenticator = 0x62810a312b2d68e2889e2e19998fccab
(47)   Acct-Session-Id = "8O2.1x81bb0d4e0001f90b"
(47)   NAS-Port-Id = "ge-3/0/6.0"
(47)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(47)   Called-Station-Id = "ec-3e-f7-68-35-00"
(47)   NAS-IP-Address = 10.8.0.111
(47)   NAS-Identifier = "nyc-access-sw011"
(47)   NAS-Port-Type = Ethernet
(47) session-state: No cached attributes
(47) # Executing section authorize from file /etc/raddb/sites-enabled/default
(47)   authorize {
(47)     policy filter_username {
(47)       if (&User-Name) {
(47)       if (&User-Name)  -> TRUE
(47)       if (&User-Name)  {
(47)         if (&User-Name =~ / /) {
(47)         if (&User-Name =~ / /)  -> FALSE
(47)         if (&User-Name =~ /@[^@]*@/ ) {
(47)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(47)         if (&User-Name =~ /\.\./ ) {
(47)         if (&User-Name =~ /\.\./ )  -> FALSE
(47)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(47)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(47)         if (&User-Name =~ /\.$/)  {
(47)         if (&User-Name =~ /\.$/)   -> FALSE
(47)         if (&User-Name =~ /@\./)  {
(47)         if (&User-Name =~ /@\./)   -> FALSE
(47)       } # if (&User-Name)  = notfound
(47)     } # policy filter_username = notfound
(47)     [preprocess] = ok
(47)     [chap] = noop
(47)     [mschap] = noop
(47)     [digest] = noop
(47) suffix: Checking for suffix after "@"
(47) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(47) suffix: No such realm "NULL"
(47)     [suffix] = noop
(47) eap: Peer sent EAP Response (code 2) ID 47 length 69
(47) eap: Continuing tunnel setup
(47)     [eap] = ok
(47)   } # authorize = ok
(47) Found Auth-Type = eap
(47) # Executing group from file /etc/raddb/sites-enabled/default
(47)   authenticate {
(47) eap: Expiring EAP session with state 0xbb22d88bba0dc1ec
(47) eap: Finished EAP session with state 0xbb22d88bba0dc1ec
(47) eap: Previous EAP request found for state 0xbb22d88bba0dc1ec, released from the list
(47) eap: Peer sent packet with method EAP PEAP (25)
(47) eap: Calling submodule eap_peap to process data
(47) eap_peap: Continuing EAP-TLS
(47) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(47) eap_peap: Got complete TLS record (59 bytes)
(47) eap_peap: [eaptls verify] = length included
(47) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(47) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(47) eap_peap: TLS_accept: SSLv3 read finished A
(47) eap_peap: (other): SSL negotiation finished successfully
(47) eap_peap: SSL Connection Established
(47) eap_peap: SSL Application Data
(47) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(47) eap_peap:   reply:User-Name = "vkratsberg"
(47) eap_peap: [eaptls process] = success
(47) eap_peap: Session established.  Decoding tunneled attributes
(47) eap_peap: PEAP state TUNNEL ESTABLISHED
(47) eap_peap: Skipping Phase2 because of session resumption
(47) eap_peap: SUCCESS
(47) eap: Sending EAP Request (code 1) ID 48 length 43
(47) eap: EAP session adding &reply:State = 0xbb22d88bb912c1ec
(47)     [eap] = handled
(47)   } # authenticate = handled
(47) Using Post-Auth-Type Challenge
(47) Post-Auth-Type sub-section not found.  Ignoring.
(47) # Executing group from file /etc/raddb/sites-enabled/default
(47) Sent Access-Challenge Id 38 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(47)   User-Name = "vkratsberg"
(47)   EAP-Message = 0x0130002b19001703010020c589507085af18d8812e7fed915a49787ca00f77f9ef1048e730b86aacb0944c
(47)   Message-Authenticator = 0x00000000000000000000000000000000
(47)   State = 0xbb22d88bb912c1ec0daea853d9277695
(47) Finished request
Waking up in 3.7 seconds.
(48) Received Access-Request Id 39 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(48)   User-Name = "vkratsberg"
(48)   NAS-Port = 358
(48)   State = 0xbb22d88bb912c1ec0daea853d9277695
(48)   EAP-Message = 0x0230002b19001703010020680d9bf581ea552b159f38479c6836999194cbc71d1e44dfa395748209fbf94f
(48)   Message-Authenticator = 0x53013f799e0f827a5b33eb185c284019
(48)   Acct-Session-Id = "8O2.1x81bb0d4e0001f90b"
(48)   NAS-Port-Id = "ge-3/0/6.0"
(48)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(48)   Called-Station-Id = "ec-3e-f7-68-35-00"
(48)   NAS-IP-Address = 10.8.0.111
(48)   NAS-Identifier = "nyc-access-sw011"
(48)   NAS-Port-Type = Ethernet
(48) session-state: No cached attributes
(48) # Executing section authorize from file /etc/raddb/sites-enabled/default
(48)   authorize {
(48)     policy filter_username {
(48)       if (&User-Name) {
(48)       if (&User-Name)  -> TRUE
(48)       if (&User-Name)  {
(48)         if (&User-Name =~ / /) {
(48)         if (&User-Name =~ / /)  -> FALSE
(48)         if (&User-Name =~ /@[^@]*@/ ) {
(48)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(48)         if (&User-Name =~ /\.\./ ) {
(48)         if (&User-Name =~ /\.\./ )  -> FALSE
(48)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(48)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(48)         if (&User-Name =~ /\.$/)  {
(48)         if (&User-Name =~ /\.$/)   -> FALSE
(48)         if (&User-Name =~ /@\./)  {
(48)         if (&User-Name =~ /@\./)   -> FALSE
(48)       } # if (&User-Name)  = notfound
(48)     } # policy filter_username = notfound
(48)     [preprocess] = ok
(48)     [chap] = noop
(48)     [mschap] = noop
(48)     [digest] = noop
(48) suffix: Checking for suffix after "@"
(48) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(48) suffix: No such realm "NULL"
(48)     [suffix] = noop
(48) eap: Peer sent EAP Response (code 2) ID 48 length 43
(48) eap: Continuing tunnel setup
(48)     [eap] = ok
(48)   } # authorize = ok
(48) Found Auth-Type = eap
(48) # Executing group from file /etc/raddb/sites-enabled/default
(48)   authenticate {
(48) eap: Expiring EAP session with state 0xbb22d88bb912c1ec
(48) eap: Finished EAP session with state 0xbb22d88bb912c1ec
(48) eap: Previous EAP request found for state 0xbb22d88bb912c1ec, released from the list
(48) eap: Peer sent packet with method EAP PEAP (25)
(48) eap: Calling submodule eap_peap to process data
(48) eap_peap: Continuing EAP-TLS
(48) eap_peap: [eaptls verify] = ok
(48) eap_peap: Done initial handshake
(48) eap_peap: [eaptls process] = ok
(48) eap_peap: Session established.  Decoding tunneled attributes
(48) eap_peap: PEAP state send tlv success
(48) eap_peap: Received EAP-TLV response
(48) eap_peap: Success
(48) eap_peap: No saved attributes in the original Access-Accept
(48) eap: Sending EAP Success (code 3) ID 48 length 4
(48) eap: Freeing handler
(48)     [eap] = ok
(48)   } # authenticate = ok
(48) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(48)   post-auth {
(48)     update {
(48)       No attributes updated
(48)     } # update = noop
(48)     [exec] = noop
(48)     policy remove_reply_message_if_eap {
(48)       if (&reply:EAP-Message && &reply:Reply-Message) {
(48)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(48)       else {
(48)         [noop] = noop
(48)       } # else = noop
(48)     } # policy remove_reply_message_if_eap = noop
(48)   } # post-auth = noop
(48) Sent Access-Accept Id 39 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(48)   MS-MPPE-Recv-Key = 0xa3b469b6dec5ad90e9201fa1de5f62ce9f993145af5d4df2507ea35b3c125ede
(48)   MS-MPPE-Send-Key = 0xad5999c5609a511f84da92420a4648e6c34b61a7ff2fc0158134a1cbd8c09272
(48)   EAP-Message = 0x03300004
(48)   Message-Authenticator = 0x00000000000000000000000000000000
(48)   User-Name = "vkratsberg"
(48) Finished request
Waking up in 3.7 seconds.
(49) Received Access-Request Id 40 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(49)   User-Name = "vkratsberg"
(49)   NAS-Port = 358
(49)   EAP-Message = 0x0231000f01766b7261747362657267
(49)   Message-Authenticator = 0x0ea42681b52823ee1548d995b2b5edfe
(49)   Acct-Session-Id = "8O2.1x81bb0d4f0003957f"
(49)   NAS-Port-Id = "ge-3/0/6.0"
(49)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(49)   Called-Station-Id = "ec-3e-f7-68-35-00"
(49)   NAS-IP-Address = 10.8.0.111
(49)   NAS-Identifier = "nyc-access-sw011"
(49)   NAS-Port-Type = Ethernet
(49) # Executing section authorize from file /etc/raddb/sites-enabled/default
(49)   authorize {
(49)     policy filter_username {
(49)       if (&User-Name) {
(49)       if (&User-Name)  -> TRUE
(49)       if (&User-Name)  {
(49)         if (&User-Name =~ / /) {
(49)         if (&User-Name =~ / /)  -> FALSE
(49)         if (&User-Name =~ /@[^@]*@/ ) {
(49)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(49)         if (&User-Name =~ /\.\./ ) {
(49)         if (&User-Name =~ /\.\./ )  -> FALSE
(49)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(49)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(49)         if (&User-Name =~ /\.$/)  {
(49)         if (&User-Name =~ /\.$/)   -> FALSE
(49)         if (&User-Name =~ /@\./)  {
(49)         if (&User-Name =~ /@\./)   -> FALSE
(49)       } # if (&User-Name)  = notfound
(49)     } # policy filter_username = notfound
(49)     [preprocess] = ok
(49)     [chap] = noop
(49)     [mschap] = noop
(49)     [digest] = noop
(49) suffix: Checking for suffix after "@"
(49) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(49) suffix: No such realm "NULL"
(49)     [suffix] = noop
(49) eap: Peer sent EAP Response (code 2) ID 49 length 15
(49) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(49)     [eap] = ok
(49)   } # authorize = ok
(49) Found Auth-Type = eap
(49) # Executing group from file /etc/raddb/sites-enabled/default
(49)   authenticate {
(49) eap: Peer sent packet with method EAP Identity (1)
(49) eap: Calling submodule eap_peap to process data
(49) eap_peap: Initiating new EAP-TLS session
(49) eap_peap: [eaptls start] = request
(49) eap: Sending EAP Request (code 1) ID 50 length 6
(49) eap: EAP session adding &reply:State = 0x76c5d8c076f7c13b
(49)     [eap] = handled
(49)   } # authenticate = handled
(49) Using Post-Auth-Type Challenge
(49) Post-Auth-Type sub-section not found.  Ignoring.
(49) # Executing group from file /etc/raddb/sites-enabled/default
(49) Sent Access-Challenge Id 40 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(49)   EAP-Message = 0x013200061920
(49)   Message-Authenticator = 0x00000000000000000000000000000000
(49)   State = 0x76c5d8c076f7c13ba0c7a7eb35cfa4bf
(49) Finished request
Waking up in 3.7 seconds.
(50) Received Access-Request Id 41 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(50)   User-Name = "vkratsberg"
(50)   NAS-Port = 358
(50)   State = 0x76c5d8c076f7c13ba0c7a7eb35cfa4bf
(50)   EAP-Message = 0x023200a31980000000991603010094010000900301574f326d85a91e2953e271f7e069fe6193c4d2324f32b57fbaeaaeb56c1bd6a32099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(50)   Message-Authenticator = 0xa95681efa726c6d19795f757a9c989d1
(50)   Acct-Session-Id = "8O2.1x81bb0d4f0003957f"
(50)   NAS-Port-Id = "ge-3/0/6.0"
(50)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(50)   Called-Station-Id = "ec-3e-f7-68-35-00"
(50)   NAS-IP-Address = 10.8.0.111
(50)   NAS-Identifier = "nyc-access-sw011"
(50)   NAS-Port-Type = Ethernet
(50) session-state: No cached attributes
(50) # Executing section authorize from file /etc/raddb/sites-enabled/default
(50)   authorize {
(50)     policy filter_username {
(50)       if (&User-Name) {
(50)       if (&User-Name)  -> TRUE
(50)       if (&User-Name)  {
(50)         if (&User-Name =~ / /) {
(50)         if (&User-Name =~ / /)  -> FALSE
(50)         if (&User-Name =~ /@[^@]*@/ ) {
(50)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(50)         if (&User-Name =~ /\.\./ ) {
(50)         if (&User-Name =~ /\.\./ )  -> FALSE
(50)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(50)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(50)         if (&User-Name =~ /\.$/)  {
(50)         if (&User-Name =~ /\.$/)   -> FALSE
(50)         if (&User-Name =~ /@\./)  {
(50)         if (&User-Name =~ /@\./)   -> FALSE
(50)       } # if (&User-Name)  = notfound
(50)     } # policy filter_username = notfound
(50)     [preprocess] = ok
(50)     [chap] = noop
(50)     [mschap] = noop
(50)     [digest] = noop
(50) suffix: Checking for suffix after "@"
(50) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(50) suffix: No such realm "NULL"
(50)     [suffix] = noop
(50) eap: Peer sent EAP Response (code 2) ID 50 length 163
(50) eap: Continuing tunnel setup
(50)     [eap] = ok
(50)   } # authorize = ok
(50) Found Auth-Type = eap
(50) # Executing group from file /etc/raddb/sites-enabled/default
(50)   authenticate {
(50) eap: Expiring EAP session with state 0x76c5d8c076f7c13b
(50) eap: Finished EAP session with state 0x76c5d8c076f7c13b
(50) eap: Previous EAP request found for state 0x76c5d8c076f7c13b, released from the list
(50) eap: Peer sent packet with method EAP PEAP (25)
(50) eap: Calling submodule eap_peap to process data
(50) eap_peap: Continuing EAP-TLS
(50) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(50) eap_peap: Got complete TLS record (153 bytes)
(50) eap_peap: [eaptls verify] = length included
(50) eap_peap: (other): before/accept initialization
(50) eap_peap: TLS_accept: before/accept initialization
(50) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(50) eap_peap: TLS_accept: SSLv3 read client hello A
(50) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(50) eap_peap: TLS_accept: SSLv3 write server hello A
(50) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(50) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(50) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(50) eap_peap: TLS_accept: SSLv3 write finished A
(50) eap_peap: TLS_accept: SSLv3 flush data
(50) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(50) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(50) eap_peap: In SSL Handshake Phase
(50) eap_peap: In SSL Accept mode
(50) eap_peap: [eaptls process] = handled
(50) eap: Sending EAP Request (code 1) ID 51 length 159
(50) eap: EAP session adding &reply:State = 0x76c5d8c077f6c13b
(50)     [eap] = handled
(50)   } # authenticate = handled
(50) Using Post-Auth-Type Challenge
(50) Post-Auth-Type sub-section not found.  Ignoring.
(50) # Executing group from file /etc/raddb/sites-enabled/default
(50) Sent Access-Challenge Id 41 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(50)   EAP-Message = 0x0133009f19001603010059020000550301574f326ddd003b1a03ccc09b83d371749b21d4a1d3be09cef6363de198ad97622099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030c36917198e7b2557
(50)   Message-Authenticator = 0x00000000000000000000000000000000
(50)   State = 0x76c5d8c077f6c13ba0c7a7eb35cfa4bf
(50) Finished request
Waking up in 3.6 seconds.
(51) Received Access-Request Id 42 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(51)   User-Name = "vkratsberg"
(51)   NAS-Port = 358
(51)   State = 0x76c5d8c077f6c13ba0c7a7eb35cfa4bf
(51)   EAP-Message = 0x0233004519800000003b14030100010116030100302e82b56b9a9508d0ce7073a7a04e19bf66a1f2821da3854488d0da09d8c8ed830ebce48cdbfb1cb621f3dd0f1218c6e5
(51)   Message-Authenticator = 0x81914a4e69201577bbd491cb4512b6df
(51)   Acct-Session-Id = "8O2.1x81bb0d4f0003957f"
(51)   NAS-Port-Id = "ge-3/0/6.0"
(51)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(51)   Called-Station-Id = "ec-3e-f7-68-35-00"
(51)   NAS-IP-Address = 10.8.0.111
(51)   NAS-Identifier = "nyc-access-sw011"
(51)   NAS-Port-Type = Ethernet
(51) session-state: No cached attributes
(51) # Executing section authorize from file /etc/raddb/sites-enabled/default
(51)   authorize {
(51)     policy filter_username {
(51)       if (&User-Name) {
(51)       if (&User-Name)  -> TRUE
(51)       if (&User-Name)  {
(51)         if (&User-Name =~ / /) {
(51)         if (&User-Name =~ / /)  -> FALSE
(51)         if (&User-Name =~ /@[^@]*@/ ) {
(51)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(51)         if (&User-Name =~ /\.\./ ) {
(51)         if (&User-Name =~ /\.\./ )  -> FALSE
(51)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(51)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(51)         if (&User-Name =~ /\.$/)  {
(51)         if (&User-Name =~ /\.$/)   -> FALSE
(51)         if (&User-Name =~ /@\./)  {
(51)         if (&User-Name =~ /@\./)   -> FALSE
(51)       } # if (&User-Name)  = notfound
(51)     } # policy filter_username = notfound
(51)     [preprocess] = ok
(51)     [chap] = noop
(51)     [mschap] = noop
(51)     [digest] = noop
(51) suffix: Checking for suffix after "@"
(51) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(51) suffix: No such realm "NULL"
(51)     [suffix] = noop
(51) eap: Peer sent EAP Response (code 2) ID 51 length 69
(51) eap: Continuing tunnel setup
(51)     [eap] = ok
(51)   } # authorize = ok
(51) Found Auth-Type = eap
(51) # Executing group from file /etc/raddb/sites-enabled/default
(51)   authenticate {
(51) eap: Expiring EAP session with state 0x76c5d8c077f6c13b
(51) eap: Finished EAP session with state 0x76c5d8c077f6c13b
(51) eap: Previous EAP request found for state 0x76c5d8c077f6c13b, released from the list
(51) eap: Peer sent packet with method EAP PEAP (25)
(51) eap: Calling submodule eap_peap to process data
(51) eap_peap: Continuing EAP-TLS
(51) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(51) eap_peap: Got complete TLS record (59 bytes)
(51) eap_peap: [eaptls verify] = length included
(51) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(51) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(51) eap_peap: TLS_accept: SSLv3 read finished A
(51) eap_peap: (other): SSL negotiation finished successfully
(51) eap_peap: SSL Connection Established
(51) eap_peap: SSL Application Data
(51) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(51) eap_peap:   reply:User-Name = "vkratsberg"
(51) eap_peap: [eaptls process] = success
(51) eap_peap: Session established.  Decoding tunneled attributes
(51) eap_peap: PEAP state TUNNEL ESTABLISHED
(51) eap_peap: Skipping Phase2 because of session resumption
(51) eap_peap: SUCCESS
(51) eap: Sending EAP Request (code 1) ID 52 length 43
(51) eap: EAP session adding &reply:State = 0x76c5d8c074f1c13b
(51)     [eap] = handled
(51)   } # authenticate = handled
(51) Using Post-Auth-Type Challenge
(51) Post-Auth-Type sub-section not found.  Ignoring.
(51) # Executing group from file /etc/raddb/sites-enabled/default
(51) Sent Access-Challenge Id 42 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(51)   User-Name = "vkratsberg"
(51)   EAP-Message = 0x0134002b19001703010020623b84f659bea3f26d1d1a8ce08d484249a4474dc4fe2e0cd9215793c3a339b0
(51)   Message-Authenticator = 0x00000000000000000000000000000000
(51)   State = 0x76c5d8c074f1c13ba0c7a7eb35cfa4bf
(51) Finished request
Waking up in 3.6 seconds.
(52) Received Access-Request Id 43 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(52)   User-Name = "vkratsberg"
(52)   NAS-Port = 358
(52)   State = 0x76c5d8c074f1c13ba0c7a7eb35cfa4bf
(52)   EAP-Message = 0x0234002b19001703010020db4c97cff98404dd6e175fae3b3eccc694c1695d4ea44ae9b22527f64072c57b
(52)   Message-Authenticator = 0x55b4345e947d1ef8ae6a18cc63504c5b
(52)   Acct-Session-Id = "8O2.1x81bb0d4f0003957f"
(52)   NAS-Port-Id = "ge-3/0/6.0"
(52)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(52)   Called-Station-Id = "ec-3e-f7-68-35-00"
(52)   NAS-IP-Address = 10.8.0.111
(52)   NAS-Identifier = "nyc-access-sw011"
(52)   NAS-Port-Type = Ethernet
(52) session-state: No cached attributes
(52) # Executing section authorize from file /etc/raddb/sites-enabled/default
(52)   authorize {
(52)     policy filter_username {
(52)       if (&User-Name) {
(52)       if (&User-Name)  -> TRUE
(52)       if (&User-Name)  {
(52)         if (&User-Name =~ / /) {
(52)         if (&User-Name =~ / /)  -> FALSE
(52)         if (&User-Name =~ /@[^@]*@/ ) {
(52)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(52)         if (&User-Name =~ /\.\./ ) {
(52)         if (&User-Name =~ /\.\./ )  -> FALSE
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(52)         if (&User-Name =~ /\.$/)  {
(52)         if (&User-Name =~ /\.$/)   -> FALSE
(52)         if (&User-Name =~ /@\./)  {
(52)         if (&User-Name =~ /@\./)   -> FALSE
(52)       } # if (&User-Name)  = notfound
(52)     } # policy filter_username = notfound
(52)     [preprocess] = ok
(52)     [chap] = noop
(52)     [mschap] = noop
(52)     [digest] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(52) suffix: No such realm "NULL"
(52)     [suffix] = noop
(52) eap: Peer sent EAP Response (code 2) ID 52 length 43
(52) eap: Continuing tunnel setup
(52)     [eap] = ok
(52)   } # authorize = ok
(52) Found Auth-Type = eap
(52) # Executing group from file /etc/raddb/sites-enabled/default
(52)   authenticate {
(52) eap: Expiring EAP session with state 0x76c5d8c074f1c13b
(52) eap: Finished EAP session with state 0x76c5d8c074f1c13b
(52) eap: Previous EAP request found for state 0x76c5d8c074f1c13b, released from the list
(52) eap: Peer sent packet with method EAP PEAP (25)
(52) eap: Calling submodule eap_peap to process data
(52) eap_peap: Continuing EAP-TLS
(52) eap_peap: [eaptls verify] = ok
(52) eap_peap: Done initial handshake
(52) eap_peap: [eaptls process] = ok
(52) eap_peap: Session established.  Decoding tunneled attributes
(52) eap_peap: PEAP state send tlv success
(52) eap_peap: Received EAP-TLV response
(52) eap_peap: Success
(52) eap_peap: No saved attributes in the original Access-Accept
(52) eap: Sending EAP Success (code 3) ID 52 length 4
(52) eap: Freeing handler
(52)     [eap] = ok
(52)   } # authenticate = ok
(52) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(52)   post-auth {
(52)     update {
(52)       No attributes updated
(52)     } # update = noop
(52)     [exec] = noop
(52)     policy remove_reply_message_if_eap {
(52)       if (&reply:EAP-Message && &reply:Reply-Message) {
(52)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(52)       else {
(52)         [noop] = noop
(52)       } # else = noop
(52)     } # policy remove_reply_message_if_eap = noop
(52)   } # post-auth = noop
(52) Sent Access-Accept Id 43 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(52)   MS-MPPE-Recv-Key = 0x932285bcd7c58c20db855c39b4c0f277fbe43462a9452f42fa040dc75ed84ef7
(52)   MS-MPPE-Send-Key = 0x55416a6fea0c16d7a423b7705fa000617569c20f80efeb51b0b89fbf454cfda7
(52)   EAP-Message = 0x03340004
(52)   Message-Authenticator = 0x00000000000000000000000000000000
(52)   User-Name = "vkratsberg"
(52) Finished request
Waking up in 3.6 seconds.
(53) Received Access-Request Id 44 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(53)   User-Name = "vkratsberg"
(53)   NAS-Port = 358
(53)   EAP-Message = 0x0235000f01766b7261747362657267
(53)   Message-Authenticator = 0x82736aa78dc0a8fad373a25c355d9d44
(53)   Acct-Session-Id = "8O2.1x81bb0d5000053f2e"
(53)   NAS-Port-Id = "ge-3/0/6.0"
(53)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(53)   Called-Station-Id = "ec-3e-f7-68-35-00"
(53)   NAS-IP-Address = 10.8.0.111
(53)   NAS-Identifier = "nyc-access-sw011"
(53)   NAS-Port-Type = Ethernet
(53) # Executing section authorize from file /etc/raddb/sites-enabled/default
(53)   authorize {
(53)     policy filter_username {
(53)       if (&User-Name) {
(53)       if (&User-Name)  -> TRUE
(53)       if (&User-Name)  {
(53)         if (&User-Name =~ / /) {
(53)         if (&User-Name =~ / /)  -> FALSE
(53)         if (&User-Name =~ /@[^@]*@/ ) {
(53)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(53)         if (&User-Name =~ /\.\./ ) {
(53)         if (&User-Name =~ /\.\./ )  -> FALSE
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(53)         if (&User-Name =~ /\.$/)  {
(53)         if (&User-Name =~ /\.$/)   -> FALSE
(53)         if (&User-Name =~ /@\./)  {
(53)         if (&User-Name =~ /@\./)   -> FALSE
(53)       } # if (&User-Name)  = notfound
(53)     } # policy filter_username = notfound
(53)     [preprocess] = ok
(53)     [chap] = noop
(53)     [mschap] = noop
(53)     [digest] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(53) suffix: No such realm "NULL"
(53)     [suffix] = noop
(53) eap: Peer sent EAP Response (code 2) ID 53 length 15
(53) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(53)     [eap] = ok
(53)   } # authorize = ok
(53) Found Auth-Type = eap
(53) # Executing group from file /etc/raddb/sites-enabled/default
(53)   authenticate {
(53) eap: Peer sent packet with method EAP Identity (1)
(53) eap: Calling submodule eap_peap to process data
(53) eap_peap: Initiating new EAP-TLS session
(53) eap_peap: [eaptls start] = request
(53) eap: Sending EAP Request (code 1) ID 54 length 6
(53) eap: EAP session adding &reply:State = 0xe38f814ee3b99824
(53)     [eap] = handled
(53)   } # authenticate = handled
(53) Using Post-Auth-Type Challenge
(53) Post-Auth-Type sub-section not found.  Ignoring.
(53) # Executing group from file /etc/raddb/sites-enabled/default
(53) Sent Access-Challenge Id 44 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(53)   EAP-Message = 0x013600061920
(53)   Message-Authenticator = 0x00000000000000000000000000000000
(53)   State = 0xe38f814ee3b99824453889093340d24c
(53) Finished request
Waking up in 3.5 seconds.
(54) Received Access-Request Id 45 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(54)   User-Name = "vkratsberg"
(54)   NAS-Port = 358
(54)   State = 0xe38f814ee3b99824453889093340d24c
(54)   EAP-Message = 0x023600a31980000000991603010094010000900301574f326de9676a029041169797ecebbd3d23c4a6c1d0c26db0c3e4b685ddf5682099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(54)   Message-Authenticator = 0xb8a75001f187872f2db8fd1581d32f8a
(54)   Acct-Session-Id = "8O2.1x81bb0d5000053f2e"
(54)   NAS-Port-Id = "ge-3/0/6.0"
(54)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(54)   Called-Station-Id = "ec-3e-f7-68-35-00"
(54)   NAS-IP-Address = 10.8.0.111
(54)   NAS-Identifier = "nyc-access-sw011"
(54)   NAS-Port-Type = Ethernet
(54) session-state: No cached attributes
(54) # Executing section authorize from file /etc/raddb/sites-enabled/default
(54)   authorize {
(54)     policy filter_username {
(54)       if (&User-Name) {
(54)       if (&User-Name)  -> TRUE
(54)       if (&User-Name)  {
(54)         if (&User-Name =~ / /) {
(54)         if (&User-Name =~ / /)  -> FALSE
(54)         if (&User-Name =~ /@[^@]*@/ ) {
(54)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(54)         if (&User-Name =~ /\.\./ ) {
(54)         if (&User-Name =~ /\.\./ )  -> FALSE
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(54)         if (&User-Name =~ /\.$/)  {
(54)         if (&User-Name =~ /\.$/)   -> FALSE
(54)         if (&User-Name =~ /@\./)  {
(54)         if (&User-Name =~ /@\./)   -> FALSE
(54)       } # if (&User-Name)  = notfound
(54)     } # policy filter_username = notfound
(54)     [preprocess] = ok
(54)     [chap] = noop
(54)     [mschap] = noop
(54)     [digest] = noop
(54) suffix: Checking for suffix after "@"
(54) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(54) suffix: No such realm "NULL"
(54)     [suffix] = noop
(54) eap: Peer sent EAP Response (code 2) ID 54 length 163
(54) eap: Continuing tunnel setup
(54)     [eap] = ok
(54)   } # authorize = ok
(54) Found Auth-Type = eap
(54) # Executing group from file /etc/raddb/sites-enabled/default
(54)   authenticate {
(54) eap: Expiring EAP session with state 0xe38f814ee3b99824
(54) eap: Finished EAP session with state 0xe38f814ee3b99824
(54) eap: Previous EAP request found for state 0xe38f814ee3b99824, released from the list
(54) eap: Peer sent packet with method EAP PEAP (25)
(54) eap: Calling submodule eap_peap to process data
(54) eap_peap: Continuing EAP-TLS
(54) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(54) eap_peap: Got complete TLS record (153 bytes)
(54) eap_peap: [eaptls verify] = length included
(54) eap_peap: (other): before/accept initialization
(54) eap_peap: TLS_accept: before/accept initialization
(54) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(54) eap_peap: TLS_accept: SSLv3 read client hello A
(54) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(54) eap_peap: TLS_accept: SSLv3 write server hello A
(54) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(54) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(54) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(54) eap_peap: TLS_accept: SSLv3 write finished A
(54) eap_peap: TLS_accept: SSLv3 flush data
(54) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(54) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(54) eap_peap: In SSL Handshake Phase
(54) eap_peap: In SSL Accept mode
(54) eap_peap: [eaptls process] = handled
(54) eap: Sending EAP Request (code 1) ID 55 length 159
(54) eap: EAP session adding &reply:State = 0xe38f814ee2b89824
(54)     [eap] = handled
(54)   } # authenticate = handled
(54) Using Post-Auth-Type Challenge
(54) Post-Auth-Type sub-section not found.  Ignoring.
(54) # Executing group from file /etc/raddb/sites-enabled/default
(54) Sent Access-Challenge Id 45 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(54)   EAP-Message = 0x0137009f19001603010059020000550301574f326d77af95cae2cfe695f7a1dec76af5b0ba0e92b87621bb4c38c349e5982099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003063b007accca03a6f
(54)   Message-Authenticator = 0x00000000000000000000000000000000
(54)   State = 0xe38f814ee2b89824453889093340d24c
(54) Finished request
Waking up in 3.5 seconds.
(55) Received Access-Request Id 46 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(55)   User-Name = "vkratsberg"
(55)   NAS-Port = 358
(55)   State = 0xe38f814ee2b89824453889093340d24c
(55)   EAP-Message = 0x0237004519800000003b140301000101160301003077eff6e5a57f4e7c60aa6c5b4d7d0e9ff792a6803875e3c4232f03107292f5338d1d062a8453936e03de39a951a29898
(55)   Message-Authenticator = 0x4a5a00fbab06cdf41a2655b297a12782
(55)   Acct-Session-Id = "8O2.1x81bb0d5000053f2e"
(55)   NAS-Port-Id = "ge-3/0/6.0"
(55)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(55)   Called-Station-Id = "ec-3e-f7-68-35-00"
(55)   NAS-IP-Address = 10.8.0.111
(55)   NAS-Identifier = "nyc-access-sw011"
(55)   NAS-Port-Type = Ethernet
(55) session-state: No cached attributes
(55) # Executing section authorize from file /etc/raddb/sites-enabled/default
(55)   authorize {
(55)     policy filter_username {
(55)       if (&User-Name) {
(55)       if (&User-Name)  -> TRUE
(55)       if (&User-Name)  {
(55)         if (&User-Name =~ / /) {
(55)         if (&User-Name =~ / /)  -> FALSE
(55)         if (&User-Name =~ /@[^@]*@/ ) {
(55)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(55)         if (&User-Name =~ /\.\./ ) {
(55)         if (&User-Name =~ /\.\./ )  -> FALSE
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(55)         if (&User-Name =~ /\.$/)  {
(55)         if (&User-Name =~ /\.$/)   -> FALSE
(55)         if (&User-Name =~ /@\./)  {
(55)         if (&User-Name =~ /@\./)   -> FALSE
(55)       } # if (&User-Name)  = notfound
(55)     } # policy filter_username = notfound
(55)     [preprocess] = ok
(55)     [chap] = noop
(55)     [mschap] = noop
(55)     [digest] = noop
(55) suffix: Checking for suffix after "@"
(55) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(55) suffix: No such realm "NULL"
(55)     [suffix] = noop
(55) eap: Peer sent EAP Response (code 2) ID 55 length 69
(55) eap: Continuing tunnel setup
(55)     [eap] = ok
(55)   } # authorize = ok
(55) Found Auth-Type = eap
(55) # Executing group from file /etc/raddb/sites-enabled/default
(55)   authenticate {
(55) eap: Expiring EAP session with state 0xe38f814ee2b89824
(55) eap: Finished EAP session with state 0xe38f814ee2b89824
(55) eap: Previous EAP request found for state 0xe38f814ee2b89824, released from the list
(55) eap: Peer sent packet with method EAP PEAP (25)
(55) eap: Calling submodule eap_peap to process data
(55) eap_peap: Continuing EAP-TLS
(55) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(55) eap_peap: Got complete TLS record (59 bytes)
(55) eap_peap: [eaptls verify] = length included
(55) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(55) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(55) eap_peap: TLS_accept: SSLv3 read finished A
(55) eap_peap: (other): SSL negotiation finished successfully
(55) eap_peap: SSL Connection Established
(55) eap_peap: SSL Application Data
(55) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(55) eap_peap:   reply:User-Name = "vkratsberg"
(55) eap_peap: [eaptls process] = success
(55) eap_peap: Session established.  Decoding tunneled attributes
(55) eap_peap: PEAP state TUNNEL ESTABLISHED
(55) eap_peap: Skipping Phase2 because of session resumption
(55) eap_peap: SUCCESS
(55) eap: Sending EAP Request (code 1) ID 56 length 43
(55) eap: EAP session adding &reply:State = 0xe38f814ee1b79824
(55)     [eap] = handled
(55)   } # authenticate = handled
(55) Using Post-Auth-Type Challenge
(55) Post-Auth-Type sub-section not found.  Ignoring.
(55) # Executing group from file /etc/raddb/sites-enabled/default
(55) Sent Access-Challenge Id 46 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(55)   User-Name = "vkratsberg"
(55)   EAP-Message = 0x0138002b19001703010020c5f054c28065478d68f06579a936e1b0221804d798db8dc9fabead925b5eda82
(55)   Message-Authenticator = 0x00000000000000000000000000000000
(55)   State = 0xe38f814ee1b79824453889093340d24c
(55) Finished request
Waking up in 3.5 seconds.
(56) Received Access-Request Id 47 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(56)   User-Name = "vkratsberg"
(56)   NAS-Port = 358
(56)   State = 0xe38f814ee1b79824453889093340d24c
(56)   EAP-Message = 0x0238002b190017030100207fdc47e69c28e6238989f44a055e1ff09833558f1814aa4cdd7fef3db9635cf4
(56)   Message-Authenticator = 0x6b48a41014b7acbe96038ad4cda36478
(56)   Acct-Session-Id = "8O2.1x81bb0d5000053f2e"
(56)   NAS-Port-Id = "ge-3/0/6.0"
(56)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(56)   Called-Station-Id = "ec-3e-f7-68-35-00"
(56)   NAS-IP-Address = 10.8.0.111
(56)   NAS-Identifier = "nyc-access-sw011"
(56)   NAS-Port-Type = Ethernet
(56) session-state: No cached attributes
(56) # Executing section authorize from file /etc/raddb/sites-enabled/default
(56)   authorize {
(56)     policy filter_username {
(56)       if (&User-Name) {
(56)       if (&User-Name)  -> TRUE
(56)       if (&User-Name)  {
(56)         if (&User-Name =~ / /) {
(56)         if (&User-Name =~ / /)  -> FALSE
(56)         if (&User-Name =~ /@[^@]*@/ ) {
(56)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(56)         if (&User-Name =~ /\.\./ ) {
(56)         if (&User-Name =~ /\.\./ )  -> FALSE
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(56)         if (&User-Name =~ /\.$/)  {
(56)         if (&User-Name =~ /\.$/)   -> FALSE
(56)         if (&User-Name =~ /@\./)  {
(56)         if (&User-Name =~ /@\./)   -> FALSE
(56)       } # if (&User-Name)  = notfound
(56)     } # policy filter_username = notfound
(56)     [preprocess] = ok
(56)     [chap] = noop
(56)     [mschap] = noop
(56)     [digest] = noop
(56) suffix: Checking for suffix after "@"
(56) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(56) suffix: No such realm "NULL"
(56)     [suffix] = noop
(56) eap: Peer sent EAP Response (code 2) ID 56 length 43
(56) eap: Continuing tunnel setup
(56)     [eap] = ok
(56)   } # authorize = ok
(56) Found Auth-Type = eap
(56) # Executing group from file /etc/raddb/sites-enabled/default
(56)   authenticate {
(56) eap: Expiring EAP session with state 0xe38f814ee1b79824
(56) eap: Finished EAP session with state 0xe38f814ee1b79824
(56) eap: Previous EAP request found for state 0xe38f814ee1b79824, released from the list
(56) eap: Peer sent packet with method EAP PEAP (25)
(56) eap: Calling submodule eap_peap to process data
(56) eap_peap: Continuing EAP-TLS
(56) eap_peap: [eaptls verify] = ok
(56) eap_peap: Done initial handshake
(56) eap_peap: [eaptls process] = ok
(56) eap_peap: Session established.  Decoding tunneled attributes
(56) eap_peap: PEAP state send tlv success
(56) eap_peap: Received EAP-TLV response
(56) eap_peap: Success
(56) eap_peap: No saved attributes in the original Access-Accept
(56) eap: Sending EAP Success (code 3) ID 56 length 4
(56) eap: Freeing handler
(56)     [eap] = ok
(56)   } # authenticate = ok
(56) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(56)   post-auth {
(56)     update {
(56)       No attributes updated
(56)     } # update = noop
(56)     [exec] = noop
(56)     policy remove_reply_message_if_eap {
(56)       if (&reply:EAP-Message && &reply:Reply-Message) {
(56)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(56)       else {
(56)         [noop] = noop
(56)       } # else = noop
(56)     } # policy remove_reply_message_if_eap = noop
(56)   } # post-auth = noop
(56) Sent Access-Accept Id 47 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(56)   MS-MPPE-Recv-Key = 0x18c5f71f2fd4c934d01d6ee707ac7168290e85f5092e420111e4c5db8f83bbc3
(56)   MS-MPPE-Send-Key = 0x6eea8aa3442f6533ee471373c90f5c198a3a7879b45eb8315ceb2058d6e04b56
(56)   EAP-Message = 0x03380004
(56)   Message-Authenticator = 0x00000000000000000000000000000000
(56)   User-Name = "vkratsberg"
(56) Finished request
Waking up in 3.5 seconds.
(57) Received Access-Request Id 48 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(57)   User-Name = "vkratsberg"
(57)   NAS-Port = 358
(57)   EAP-Message = 0x0239000f01766b7261747362657267
(57)   Message-Authenticator = 0x793172938258d0381ef68f45181fadb9
(57)   Acct-Session-Id = "8O2.1x81bb0d510006dc2d"
(57)   NAS-Port-Id = "ge-3/0/6.0"
(57)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(57)   Called-Station-Id = "ec-3e-f7-68-35-00"
(57)   NAS-IP-Address = 10.8.0.111
(57)   NAS-Identifier = "nyc-access-sw011"
(57)   NAS-Port-Type = Ethernet
(57) # Executing section authorize from file /etc/raddb/sites-enabled/default
(57)   authorize {
(57)     policy filter_username {
(57)       if (&User-Name) {
(57)       if (&User-Name)  -> TRUE
(57)       if (&User-Name)  {
(57)         if (&User-Name =~ / /) {
(57)         if (&User-Name =~ / /)  -> FALSE
(57)         if (&User-Name =~ /@[^@]*@/ ) {
(57)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(57)         if (&User-Name =~ /\.\./ ) {
(57)         if (&User-Name =~ /\.\./ )  -> FALSE
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(57)         if (&User-Name =~ /\.$/)  {
(57)         if (&User-Name =~ /\.$/)   -> FALSE
(57)         if (&User-Name =~ /@\./)  {
(57)         if (&User-Name =~ /@\./)   -> FALSE
(57)       } # if (&User-Name)  = notfound
(57)     } # policy filter_username = notfound
(57)     [preprocess] = ok
(57)     [chap] = noop
(57)     [mschap] = noop
(57)     [digest] = noop
(57) suffix: Checking for suffix after "@"
(57) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(57) suffix: No such realm "NULL"
(57)     [suffix] = noop
(57) eap: Peer sent EAP Response (code 2) ID 57 length 15
(57) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(57)     [eap] = ok
(57)   } # authorize = ok
(57) Found Auth-Type = eap
(57) # Executing group from file /etc/raddb/sites-enabled/default
(57)   authenticate {
(57) eap: Peer sent packet with method EAP Identity (1)
(57) eap: Calling submodule eap_peap to process data
(57) eap_peap: Initiating new EAP-TLS session
(57) eap_peap: [eaptls start] = request
(57) eap: Sending EAP Request (code 1) ID 58 length 6
(57) eap: EAP session adding &reply:State = 0x6f6bbe6e6f51a7e1
(57)     [eap] = handled
(57)   } # authenticate = handled
(57) Using Post-Auth-Type Challenge
(57) Post-Auth-Type sub-section not found.  Ignoring.
(57) # Executing group from file /etc/raddb/sites-enabled/default
(57) Sent Access-Challenge Id 48 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(57)   EAP-Message = 0x013a00061920
(57)   Message-Authenticator = 0x00000000000000000000000000000000
(57)   State = 0x6f6bbe6e6f51a7e11f767033cd338cbf
(57) Finished request
Waking up in 3.4 seconds.
(58) Received Access-Request Id 49 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(58)   User-Name = "vkratsberg"
(58)   NAS-Port = 358
(58)   State = 0x6f6bbe6e6f51a7e11f767033cd338cbf
(58)   EAP-Message = 0x023a00a31980000000991603010094010000900301574f326d93e95ede32a12eb54bd97ef966ff8fe469eee5ed2934ca2bd308a84f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(58)   Message-Authenticator = 0x07089c7bfbd0f172ed729f93bf03e0dc
(58)   Acct-Session-Id = "8O2.1x81bb0d510006dc2d"
(58)   NAS-Port-Id = "ge-3/0/6.0"
(58)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(58)   Called-Station-Id = "ec-3e-f7-68-35-00"
(58)   NAS-IP-Address = 10.8.0.111
(58)   NAS-Identifier = "nyc-access-sw011"
(58)   NAS-Port-Type = Ethernet
(58) session-state: No cached attributes
(58) # Executing section authorize from file /etc/raddb/sites-enabled/default
(58)   authorize {
(58)     policy filter_username {
(58)       if (&User-Name) {
(58)       if (&User-Name)  -> TRUE
(58)       if (&User-Name)  {
(58)         if (&User-Name =~ / /) {
(58)         if (&User-Name =~ / /)  -> FALSE
(58)         if (&User-Name =~ /@[^@]*@/ ) {
(58)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(58)         if (&User-Name =~ /\.\./ ) {
(58)         if (&User-Name =~ /\.\./ )  -> FALSE
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(58)         if (&User-Name =~ /\.$/)  {
(58)         if (&User-Name =~ /\.$/)   -> FALSE
(58)         if (&User-Name =~ /@\./)  {
(58)         if (&User-Name =~ /@\./)   -> FALSE
(58)       } # if (&User-Name)  = notfound
(58)     } # policy filter_username = notfound
(58)     [preprocess] = ok
(58)     [chap] = noop
(58)     [mschap] = noop
(58)     [digest] = noop
(58) suffix: Checking for suffix after "@"
(58) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(58) suffix: No such realm "NULL"
(58)     [suffix] = noop
(58) eap: Peer sent EAP Response (code 2) ID 58 length 163
(58) eap: Continuing tunnel setup
(58)     [eap] = ok
(58)   } # authorize = ok
(58) Found Auth-Type = eap
(58) # Executing group from file /etc/raddb/sites-enabled/default
(58)   authenticate {
(58) eap: Expiring EAP session with state 0x6f6bbe6e6f51a7e1
(58) eap: Finished EAP session with state 0x6f6bbe6e6f51a7e1
(58) eap: Previous EAP request found for state 0x6f6bbe6e6f51a7e1, released from the list
(58) eap: Peer sent packet with method EAP PEAP (25)
(58) eap: Calling submodule eap_peap to process data
(58) eap_peap: Continuing EAP-TLS
(58) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(58) eap_peap: Got complete TLS record (153 bytes)
(58) eap_peap: [eaptls verify] = length included
(58) eap_peap: (other): before/accept initialization
(58) eap_peap: TLS_accept: before/accept initialization
(58) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(58) eap_peap: TLS_accept: SSLv3 read client hello A
(58) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(58) eap_peap: TLS_accept: SSLv3 write server hello A
(58) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(58) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(58) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(58) eap_peap: TLS_accept: SSLv3 write finished A
(58) eap_peap: TLS_accept: SSLv3 flush data
(58) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(58) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(58) eap_peap: In SSL Handshake Phase
(58) eap_peap: In SSL Accept mode
(58) eap_peap: [eaptls process] = handled
(58) eap: Sending EAP Request (code 1) ID 59 length 159
(58) eap: EAP session adding &reply:State = 0x6f6bbe6e6e50a7e1
(58)     [eap] = handled
(58)   } # authenticate = handled
(58) Using Post-Auth-Type Challenge
(58) Post-Auth-Type sub-section not found.  Ignoring.
(58) # Executing group from file /etc/raddb/sites-enabled/default
(58) Sent Access-Challenge Id 49 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(58)   EAP-Message = 0x013b009f19001603010059020000550301574f326da57bbe3214cf519003758eb78380553275bb42de20da982fef55e0662099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030a9d478404417e277
(58)   Message-Authenticator = 0x00000000000000000000000000000000
(58)   State = 0x6f6bbe6e6e50a7e11f767033cd338cbf
(58) Finished request
Waking up in 3.4 seconds.
(59) Received Access-Request Id 50 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(59)   User-Name = "vkratsberg"
(59)   NAS-Port = 358
(59)   State = 0x6f6bbe6e6e50a7e11f767033cd338cbf
(59)   EAP-Message = 0x023b004519800000003b1403010001011603010030e5f46bae78ccde594c32ac2ff16a47a1524cd99f86fbb62713a68b30175969303923fe46becc9ffb439d325a502c1f19
(59)   Message-Authenticator = 0x7bde304a0da52068173eeed1f40be504
(59)   Acct-Session-Id = "8O2.1x81bb0d510006dc2d"
(59)   NAS-Port-Id = "ge-3/0/6.0"
(59)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(59)   Called-Station-Id = "ec-3e-f7-68-35-00"
(59)   NAS-IP-Address = 10.8.0.111
(59)   NAS-Identifier = "nyc-access-sw011"
(59)   NAS-Port-Type = Ethernet
(59) session-state: No cached attributes
(59) # Executing section authorize from file /etc/raddb/sites-enabled/default
(59)   authorize {
(59)     policy filter_username {
(59)       if (&User-Name) {
(59)       if (&User-Name)  -> TRUE
(59)       if (&User-Name)  {
(59)         if (&User-Name =~ / /) {
(59)         if (&User-Name =~ / /)  -> FALSE
(59)         if (&User-Name =~ /@[^@]*@/ ) {
(59)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(59)         if (&User-Name =~ /\.\./ ) {
(59)         if (&User-Name =~ /\.\./ )  -> FALSE
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(59)         if (&User-Name =~ /\.$/)  {
(59)         if (&User-Name =~ /\.$/)   -> FALSE
(59)         if (&User-Name =~ /@\./)  {
(59)         if (&User-Name =~ /@\./)   -> FALSE
(59)       } # if (&User-Name)  = notfound
(59)     } # policy filter_username = notfound
(59)     [preprocess] = ok
(59)     [chap] = noop
(59)     [mschap] = noop
(59)     [digest] = noop
(59) suffix: Checking for suffix after "@"
(59) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(59) suffix: No such realm "NULL"
(59)     [suffix] = noop
(59) eap: Peer sent EAP Response (code 2) ID 59 length 69
(59) eap: Continuing tunnel setup
(59)     [eap] = ok
(59)   } # authorize = ok
(59) Found Auth-Type = eap
(59) # Executing group from file /etc/raddb/sites-enabled/default
(59)   authenticate {
(59) eap: Expiring EAP session with state 0x6f6bbe6e6e50a7e1
(59) eap: Finished EAP session with state 0x6f6bbe6e6e50a7e1
(59) eap: Previous EAP request found for state 0x6f6bbe6e6e50a7e1, released from the list
(59) eap: Peer sent packet with method EAP PEAP (25)
(59) eap: Calling submodule eap_peap to process data
(59) eap_peap: Continuing EAP-TLS
(59) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(59) eap_peap: Got complete TLS record (59 bytes)
(59) eap_peap: [eaptls verify] = length included
(59) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(59) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(59) eap_peap: TLS_accept: SSLv3 read finished A
(59) eap_peap: (other): SSL negotiation finished successfully
(59) eap_peap: SSL Connection Established
(59) eap_peap: SSL Application Data
(59) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(59) eap_peap:   reply:User-Name = "vkratsberg"
(59) eap_peap: [eaptls process] = success
(59) eap_peap: Session established.  Decoding tunneled attributes
(59) eap_peap: PEAP state TUNNEL ESTABLISHED
(59) eap_peap: Skipping Phase2 because of session resumption
(59) eap_peap: SUCCESS
(59) eap: Sending EAP Request (code 1) ID 60 length 43
(59) eap: EAP session adding &reply:State = 0x6f6bbe6e6d57a7e1
(59)     [eap] = handled
(59)   } # authenticate = handled
(59) Using Post-Auth-Type Challenge
(59) Post-Auth-Type sub-section not found.  Ignoring.
(59) # Executing group from file /etc/raddb/sites-enabled/default
(59) Sent Access-Challenge Id 50 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(59)   User-Name = "vkratsberg"
(59)   EAP-Message = 0x013c002b19001703010020b9d85a2549efc11658af8aae756154dc444a1e69d1660fe1eb3e50804b780bb3
(59)   Message-Authenticator = 0x00000000000000000000000000000000
(59)   State = 0x6f6bbe6e6d57a7e11f767033cd338cbf
(59) Finished request
Waking up in 3.4 seconds.
(60) Received Access-Request Id 51 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(60)   User-Name = "vkratsberg"
(60)   NAS-Port = 358
(60)   State = 0x6f6bbe6e6d57a7e11f767033cd338cbf
(60)   EAP-Message = 0x023c002b1900170301002049ea7fd7e0621d700842b08289b3dfa95607b9e48bbb5765fd262dbe7d5bb8b1
(60)   Message-Authenticator = 0x2a9795feeffcca20844d49ee52fc66ba
(60)   Acct-Session-Id = "8O2.1x81bb0d510006dc2d"
(60)   NAS-Port-Id = "ge-3/0/6.0"
(60)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(60)   Called-Station-Id = "ec-3e-f7-68-35-00"
(60)   NAS-IP-Address = 10.8.0.111
(60)   NAS-Identifier = "nyc-access-sw011"
(60)   NAS-Port-Type = Ethernet
(60) session-state: No cached attributes
(60) # Executing section authorize from file /etc/raddb/sites-enabled/default
(60)   authorize {
(60)     policy filter_username {
(60)       if (&User-Name) {
(60)       if (&User-Name)  -> TRUE
(60)       if (&User-Name)  {
(60)         if (&User-Name =~ / /) {
(60)         if (&User-Name =~ / /)  -> FALSE
(60)         if (&User-Name =~ /@[^@]*@/ ) {
(60)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(60)         if (&User-Name =~ /\.\./ ) {
(60)         if (&User-Name =~ /\.\./ )  -> FALSE
(60)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(60)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(60)         if (&User-Name =~ /\.$/)  {
(60)         if (&User-Name =~ /\.$/)   -> FALSE
(60)         if (&User-Name =~ /@\./)  {
(60)         if (&User-Name =~ /@\./)   -> FALSE
(60)       } # if (&User-Name)  = notfound
(60)     } # policy filter_username = notfound
(60)     [preprocess] = ok
(60)     [chap] = noop
(60)     [mschap] = noop
(60)     [digest] = noop
(60) suffix: Checking for suffix after "@"
(60) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(60) suffix: No such realm "NULL"
(60)     [suffix] = noop
(60) eap: Peer sent EAP Response (code 2) ID 60 length 43
(60) eap: Continuing tunnel setup
(60)     [eap] = ok
(60)   } # authorize = ok
(60) Found Auth-Type = eap
(60) # Executing group from file /etc/raddb/sites-enabled/default
(60)   authenticate {
(60) eap: Expiring EAP session with state 0x6f6bbe6e6d57a7e1
(60) eap: Finished EAP session with state 0x6f6bbe6e6d57a7e1
(60) eap: Previous EAP request found for state 0x6f6bbe6e6d57a7e1, released from the list
(60) eap: Peer sent packet with method EAP PEAP (25)
(60) eap: Calling submodule eap_peap to process data
(60) eap_peap: Continuing EAP-TLS
(60) eap_peap: [eaptls verify] = ok
(60) eap_peap: Done initial handshake
(60) eap_peap: [eaptls process] = ok
(60) eap_peap: Session established.  Decoding tunneled attributes
(60) eap_peap: PEAP state send tlv success
(60) eap_peap: Received EAP-TLV response
(60) eap_peap: Success
(60) eap_peap: No saved attributes in the original Access-Accept
(60) eap: Sending EAP Success (code 3) ID 60 length 4
(60) eap: Freeing handler
(60)     [eap] = ok
(60)   } # authenticate = ok
(60) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(60)   post-auth {
(60)     update {
(60)       No attributes updated
(60)     } # update = noop
(60)     [exec] = noop
(60)     policy remove_reply_message_if_eap {
(60)       if (&reply:EAP-Message && &reply:Reply-Message) {
(60)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(60)       else {
(60)         [noop] = noop
(60)       } # else = noop
(60)     } # policy remove_reply_message_if_eap = noop
(60)   } # post-auth = noop
(60) Sent Access-Accept Id 51 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(60)   MS-MPPE-Recv-Key = 0x8aa7347baf67f97f0da852d10fa36092f272af0bac8a6ac712bb3904d5d7dced
(60)   MS-MPPE-Send-Key = 0x5262aac3db1264ff69063b091a171ae42b433480dff128b2bb93673caa860566
(60)   EAP-Message = 0x033c0004
(60)   Message-Authenticator = 0x00000000000000000000000000000000
(60)   User-Name = "vkratsberg"
(60) Finished request
Waking up in 3.4 seconds.
(61) Received Access-Request Id 52 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(61)   User-Name = "vkratsberg"
(61)   NAS-Port = 358
(61)   EAP-Message = 0x023d000f01766b7261747362657267
(61)   Message-Authenticator = 0x34be0adc2459cb807c96c2a7eb6a2ab5
(61)   Acct-Session-Id = "8O2.1x81bb0d5200087afa"
(61)   NAS-Port-Id = "ge-3/0/6.0"
(61)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(61)   Called-Station-Id = "ec-3e-f7-68-35-00"
(61)   NAS-IP-Address = 10.8.0.111
(61)   NAS-Identifier = "nyc-access-sw011"
(61)   NAS-Port-Type = Ethernet
(61) # Executing section authorize from file /etc/raddb/sites-enabled/default
(61)   authorize {
(61)     policy filter_username {
(61)       if (&User-Name) {
(61)       if (&User-Name)  -> TRUE
(61)       if (&User-Name)  {
(61)         if (&User-Name =~ / /) {
(61)         if (&User-Name =~ / /)  -> FALSE
(61)         if (&User-Name =~ /@[^@]*@/ ) {
(61)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(61)         if (&User-Name =~ /\.\./ ) {
(61)         if (&User-Name =~ /\.\./ )  -> FALSE
(61)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(61)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(61)         if (&User-Name =~ /\.$/)  {
(61)         if (&User-Name =~ /\.$/)   -> FALSE
(61)         if (&User-Name =~ /@\./)  {
(61)         if (&User-Name =~ /@\./)   -> FALSE
(61)       } # if (&User-Name)  = notfound
(61)     } # policy filter_username = notfound
(61)     [preprocess] = ok
(61)     [chap] = noop
(61)     [mschap] = noop
(61)     [digest] = noop
(61) suffix: Checking for suffix after "@"
(61) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(61) suffix: No such realm "NULL"
(61)     [suffix] = noop
(61) eap: Peer sent EAP Response (code 2) ID 61 length 15
(61) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(61)     [eap] = ok
(61)   } # authorize = ok
(61) Found Auth-Type = eap
(61) # Executing group from file /etc/raddb/sites-enabled/default
(61)   authenticate {
(61) eap: Peer sent packet with method EAP Identity (1)
(61) eap: Calling submodule eap_peap to process data
(61) eap_peap: Initiating new EAP-TLS session
(61) eap_peap: [eaptls start] = request
(61) eap: Sending EAP Request (code 1) ID 62 length 6
(61) eap: EAP session adding &reply:State = 0x57aceeaa5792f7b7
(61)     [eap] = handled
(61)   } # authenticate = handled
(61) Using Post-Auth-Type Challenge
(61) Post-Auth-Type sub-section not found.  Ignoring.
(61) # Executing group from file /etc/raddb/sites-enabled/default
(61) Sent Access-Challenge Id 52 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(61)   EAP-Message = 0x013e00061920
(61)   Message-Authenticator = 0x00000000000000000000000000000000
(61)   State = 0x57aceeaa5792f7b7b72270d892469f43
(61) Finished request
Waking up in 3.3 seconds.
(62) Received Access-Request Id 53 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(62)   User-Name = "vkratsberg"
(62)   NAS-Port = 358
(62)   State = 0x57aceeaa5792f7b7b72270d892469f43
(62)   EAP-Message = 0x023e00a31980000000991603010094010000900301574f326dcd167c61aa83ad91d3a8839285b93e02ca8ae70e21739124f0c18ec32099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(62)   Message-Authenticator = 0x0c3b16905d46c6376a737398808d1087
(62)   Acct-Session-Id = "8O2.1x81bb0d5200087afa"
(62)   NAS-Port-Id = "ge-3/0/6.0"
(62)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(62)   Called-Station-Id = "ec-3e-f7-68-35-00"
(62)   NAS-IP-Address = 10.8.0.111
(62)   NAS-Identifier = "nyc-access-sw011"
(62)   NAS-Port-Type = Ethernet
(62) session-state: No cached attributes
(62) # Executing section authorize from file /etc/raddb/sites-enabled/default
(62)   authorize {
(62)     policy filter_username {
(62)       if (&User-Name) {
(62)       if (&User-Name)  -> TRUE
(62)       if (&User-Name)  {
(62)         if (&User-Name =~ / /) {
(62)         if (&User-Name =~ / /)  -> FALSE
(62)         if (&User-Name =~ /@[^@]*@/ ) {
(62)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(62)         if (&User-Name =~ /\.\./ ) {
(62)         if (&User-Name =~ /\.\./ )  -> FALSE
(62)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(62)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(62)         if (&User-Name =~ /\.$/)  {
(62)         if (&User-Name =~ /\.$/)   -> FALSE
(62)         if (&User-Name =~ /@\./)  {
(62)         if (&User-Name =~ /@\./)   -> FALSE
(62)       } # if (&User-Name)  = notfound
(62)     } # policy filter_username = notfound
(62)     [preprocess] = ok
(62)     [chap] = noop
(62)     [mschap] = noop
(62)     [digest] = noop
(62) suffix: Checking for suffix after "@"
(62) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(62) suffix: No such realm "NULL"
(62)     [suffix] = noop
(62) eap: Peer sent EAP Response (code 2) ID 62 length 163
(62) eap: Continuing tunnel setup
(62)     [eap] = ok
(62)   } # authorize = ok
(62) Found Auth-Type = eap
(62) # Executing group from file /etc/raddb/sites-enabled/default
(62)   authenticate {
(62) eap: Expiring EAP session with state 0x57aceeaa5792f7b7
(62) eap: Finished EAP session with state 0x57aceeaa5792f7b7
(62) eap: Previous EAP request found for state 0x57aceeaa5792f7b7, released from the list
(62) eap: Peer sent packet with method EAP PEAP (25)
(62) eap: Calling submodule eap_peap to process data
(62) eap_peap: Continuing EAP-TLS
(62) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(62) eap_peap: Got complete TLS record (153 bytes)
(62) eap_peap: [eaptls verify] = length included
(62) eap_peap: (other): before/accept initialization
(62) eap_peap: TLS_accept: before/accept initialization
(62) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(62) eap_peap: TLS_accept: SSLv3 read client hello A
(62) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(62) eap_peap: TLS_accept: SSLv3 write server hello A
(62) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(62) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(62) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(62) eap_peap: TLS_accept: SSLv3 write finished A
(62) eap_peap: TLS_accept: SSLv3 flush data
(62) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(62) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(62) eap_peap: In SSL Handshake Phase
(62) eap_peap: In SSL Accept mode
(62) eap_peap: [eaptls process] = handled
(62) eap: Sending EAP Request (code 1) ID 63 length 159
(62) eap: EAP session adding &reply:State = 0x57aceeaa5693f7b7
(62)     [eap] = handled
(62)   } # authenticate = handled
(62) Using Post-Auth-Type Challenge
(62) Post-Auth-Type sub-section not found.  Ignoring.
(62) # Executing group from file /etc/raddb/sites-enabled/default
(62) Sent Access-Challenge Id 53 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(62)   EAP-Message = 0x013f009f19001603010059020000550301574f326dec67cc224630c134aa89a546995cde634350f15b16df70948e2cf8102099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030d0609dd353ade661
(62)   Message-Authenticator = 0x00000000000000000000000000000000
(62)   State = 0x57aceeaa5693f7b7b72270d892469f43
(62) Finished request
Waking up in 3.3 seconds.
(63) Received Access-Request Id 54 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(63)   User-Name = "vkratsberg"
(63)   NAS-Port = 358
(63)   State = 0x57aceeaa5693f7b7b72270d892469f43
(63)   EAP-Message = 0x023f004519800000003b1403010001011603010030ce0a73a05747bd9d2a1ea739d9c1834f305452f97ca0f478d2c43f9f776e4e29ac52af77d4b75f45c3459a55117c0374
(63)   Message-Authenticator = 0xdd3c67f031b12608ebb19009d1a6b099
(63)   Acct-Session-Id = "8O2.1x81bb0d5200087afa"
(63)   NAS-Port-Id = "ge-3/0/6.0"
(63)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(63)   Called-Station-Id = "ec-3e-f7-68-35-00"
(63)   NAS-IP-Address = 10.8.0.111
(63)   NAS-Identifier = "nyc-access-sw011"
(63)   NAS-Port-Type = Ethernet
(63) session-state: No cached attributes
(63) # Executing section authorize from file /etc/raddb/sites-enabled/default
(63)   authorize {
(63)     policy filter_username {
(63)       if (&User-Name) {
(63)       if (&User-Name)  -> TRUE
(63)       if (&User-Name)  {
(63)         if (&User-Name =~ / /) {
(63)         if (&User-Name =~ / /)  -> FALSE
(63)         if (&User-Name =~ /@[^@]*@/ ) {
(63)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(63)         if (&User-Name =~ /\.\./ ) {
(63)         if (&User-Name =~ /\.\./ )  -> FALSE
(63)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(63)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(63)         if (&User-Name =~ /\.$/)  {
(63)         if (&User-Name =~ /\.$/)   -> FALSE
(63)         if (&User-Name =~ /@\./)  {
(63)         if (&User-Name =~ /@\./)   -> FALSE
(63)       } # if (&User-Name)  = notfound
(63)     } # policy filter_username = notfound
(63)     [preprocess] = ok
(63)     [chap] = noop
(63)     [mschap] = noop
(63)     [digest] = noop
(63) suffix: Checking for suffix after "@"
(63) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(63) suffix: No such realm "NULL"
(63)     [suffix] = noop
(63) eap: Peer sent EAP Response (code 2) ID 63 length 69
(63) eap: Continuing tunnel setup
(63)     [eap] = ok
(63)   } # authorize = ok
(63) Found Auth-Type = eap
(63) # Executing group from file /etc/raddb/sites-enabled/default
(63)   authenticate {
(63) eap: Expiring EAP session with state 0x57aceeaa5693f7b7
(63) eap: Finished EAP session with state 0x57aceeaa5693f7b7
(63) eap: Previous EAP request found for state 0x57aceeaa5693f7b7, released from the list
(63) eap: Peer sent packet with method EAP PEAP (25)
(63) eap: Calling submodule eap_peap to process data
(63) eap_peap: Continuing EAP-TLS
(63) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(63) eap_peap: Got complete TLS record (59 bytes)
(63) eap_peap: [eaptls verify] = length included
(63) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(63) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(63) eap_peap: TLS_accept: SSLv3 read finished A
(63) eap_peap: (other): SSL negotiation finished successfully
(63) eap_peap: SSL Connection Established
(63) eap_peap: SSL Application Data
(63) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(63) eap_peap:   reply:User-Name = "vkratsberg"
(63) eap_peap: [eaptls process] = success
(63) eap_peap: Session established.  Decoding tunneled attributes
(63) eap_peap: PEAP state TUNNEL ESTABLISHED
(63) eap_peap: Skipping Phase2 because of session resumption
(63) eap_peap: SUCCESS
(63) eap: Sending EAP Request (code 1) ID 64 length 43
(63) eap: EAP session adding &reply:State = 0x57aceeaa55ecf7b7
(63)     [eap] = handled
(63)   } # authenticate = handled
(63) Using Post-Auth-Type Challenge
(63) Post-Auth-Type sub-section not found.  Ignoring.
(63) # Executing group from file /etc/raddb/sites-enabled/default
(63) Sent Access-Challenge Id 54 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(63)   User-Name = "vkratsberg"
(63)   EAP-Message = 0x0140002b190017030100205e5e2a713a1f39ebfda45b0f0addd50a0e23be968a2afe5b4a5670812df60658
(63)   Message-Authenticator = 0x00000000000000000000000000000000
(63)   State = 0x57aceeaa55ecf7b7b72270d892469f43
(63) Finished request
Waking up in 3.3 seconds.
(64) Received Access-Request Id 55 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(64)   User-Name = "vkratsberg"
(64)   NAS-Port = 358
(64)   State = 0x57aceeaa55ecf7b7b72270d892469f43
(64)   EAP-Message = 0x0240002b19001703010020cb3a13240986fb1b832afd3ff8ebbc219ee1c59b9f7972026d432f530c946aa4
(64)   Message-Authenticator = 0xc1e23fb71c890025575bbe8902722cd8
(64)   Acct-Session-Id = "8O2.1x81bb0d5200087afa"
(64)   NAS-Port-Id = "ge-3/0/6.0"
(64)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(64)   Called-Station-Id = "ec-3e-f7-68-35-00"
(64)   NAS-IP-Address = 10.8.0.111
(64)   NAS-Identifier = "nyc-access-sw011"
(64)   NAS-Port-Type = Ethernet
(64) session-state: No cached attributes
(64) # Executing section authorize from file /etc/raddb/sites-enabled/default
(64)   authorize {
(64)     policy filter_username {
(64)       if (&User-Name) {
(64)       if (&User-Name)  -> TRUE
(64)       if (&User-Name)  {
(64)         if (&User-Name =~ / /) {
(64)         if (&User-Name =~ / /)  -> FALSE
(64)         if (&User-Name =~ /@[^@]*@/ ) {
(64)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(64)         if (&User-Name =~ /\.\./ ) {
(64)         if (&User-Name =~ /\.\./ )  -> FALSE
(64)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(64)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(64)         if (&User-Name =~ /\.$/)  {
(64)         if (&User-Name =~ /\.$/)   -> FALSE
(64)         if (&User-Name =~ /@\./)  {
(64)         if (&User-Name =~ /@\./)   -> FALSE
(64)       } # if (&User-Name)  = notfound
(64)     } # policy filter_username = notfound
(64)     [preprocess] = ok
(64)     [chap] = noop
(64)     [mschap] = noop
(64)     [digest] = noop
(64) suffix: Checking for suffix after "@"
(64) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(64) suffix: No such realm "NULL"
(64)     [suffix] = noop
(64) eap: Peer sent EAP Response (code 2) ID 64 length 43
(64) eap: Continuing tunnel setup
(64)     [eap] = ok
(64)   } # authorize = ok
(64) Found Auth-Type = eap
(64) # Executing group from file /etc/raddb/sites-enabled/default
(64)   authenticate {
(64) eap: Expiring EAP session with state 0x57aceeaa55ecf7b7
(64) eap: Finished EAP session with state 0x57aceeaa55ecf7b7
(64) eap: Previous EAP request found for state 0x57aceeaa55ecf7b7, released from the list
(64) eap: Peer sent packet with method EAP PEAP (25)
(64) eap: Calling submodule eap_peap to process data
(64) eap_peap: Continuing EAP-TLS
(64) eap_peap: [eaptls verify] = ok
(64) eap_peap: Done initial handshake
(64) eap_peap: [eaptls process] = ok
(64) eap_peap: Session established.  Decoding tunneled attributes
(64) eap_peap: PEAP state send tlv success
(64) eap_peap: Received EAP-TLV response
(64) eap_peap: Success
(64) eap_peap: No saved attributes in the original Access-Accept
(64) eap: Sending EAP Success (code 3) ID 64 length 4
(64) eap: Freeing handler
(64)     [eap] = ok
(64)   } # authenticate = ok
(64) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(64)   post-auth {
(64)     update {
(64)       No attributes updated
(64)     } # update = noop
(64)     [exec] = noop
(64)     policy remove_reply_message_if_eap {
(64)       if (&reply:EAP-Message && &reply:Reply-Message) {
(64)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(64)       else {
(64)         [noop] = noop
(64)       } # else = noop
(64)     } # policy remove_reply_message_if_eap = noop
(64)   } # post-auth = noop
(64) Sent Access-Accept Id 55 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(64)   MS-MPPE-Recv-Key = 0x6fa79b0136c08897beb9fe648b56ebc65929548529cc1b983cc5cb6b03326799
(64)   MS-MPPE-Send-Key = 0x1c896d04e161423acb8144331b442c8630f0ea25f1322295f06c1cef699762f2
(64)   EAP-Message = 0x03400004
(64)   Message-Authenticator = 0x00000000000000000000000000000000
(64)   User-Name = "vkratsberg"
(64) Finished request
Waking up in 3.3 seconds.
(65) Received Access-Request Id 56 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(65)   User-Name = "vkratsberg"
(65)   NAS-Port = 358
(65)   EAP-Message = 0x0241000f01766b7261747362657267
(65)   Message-Authenticator = 0x3cc29f14a29b137bfb8cfaf58d4c4653
(65)   Acct-Session-Id = "8O2.1x81bb0d53000a1377"
(65)   NAS-Port-Id = "ge-3/0/6.0"
(65)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(65)   Called-Station-Id = "ec-3e-f7-68-35-00"
(65)   NAS-IP-Address = 10.8.0.111
(65)   NAS-Identifier = "nyc-access-sw011"
(65)   NAS-Port-Type = Ethernet
(65) # Executing section authorize from file /etc/raddb/sites-enabled/default
(65)   authorize {
(65)     policy filter_username {
(65)       if (&User-Name) {
(65)       if (&User-Name)  -> TRUE
(65)       if (&User-Name)  {
(65)         if (&User-Name =~ / /) {
(65)         if (&User-Name =~ / /)  -> FALSE
(65)         if (&User-Name =~ /@[^@]*@/ ) {
(65)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(65)         if (&User-Name =~ /\.\./ ) {
(65)         if (&User-Name =~ /\.\./ )  -> FALSE
(65)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(65)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(65)         if (&User-Name =~ /\.$/)  {
(65)         if (&User-Name =~ /\.$/)   -> FALSE
(65)         if (&User-Name =~ /@\./)  {
(65)         if (&User-Name =~ /@\./)   -> FALSE
(65)       } # if (&User-Name)  = notfound
(65)     } # policy filter_username = notfound
(65)     [preprocess] = ok
(65)     [chap] = noop
(65)     [mschap] = noop
(65)     [digest] = noop
(65) suffix: Checking for suffix after "@"
(65) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(65) suffix: No such realm "NULL"
(65)     [suffix] = noop
(65) eap: Peer sent EAP Response (code 2) ID 65 length 15
(65) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(65)     [eap] = ok
(65)   } # authorize = ok
(65) Found Auth-Type = eap
(65) # Executing group from file /etc/raddb/sites-enabled/default
(65)   authenticate {
(65) eap: Peer sent packet with method EAP Identity (1)
(65) eap: Calling submodule eap_peap to process data
(65) eap_peap: Initiating new EAP-TLS session
(65) eap_peap: [eaptls start] = request
(65) eap: Sending EAP Request (code 1) ID 66 length 6
(65) eap: EAP session adding &reply:State = 0xfe8dafbafecfb65a
(65)     [eap] = handled
(65)   } # authenticate = handled
(65) Using Post-Auth-Type Challenge
(65) Post-Auth-Type sub-section not found.  Ignoring.
(65) # Executing group from file /etc/raddb/sites-enabled/default
(65) Sent Access-Challenge Id 56 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(65)   EAP-Message = 0x014200061920
(65)   Message-Authenticator = 0x00000000000000000000000000000000
(65)   State = 0xfe8dafbafecfb65ac77a79af0b8d9b3d
(65) Finished request
Waking up in 3.2 seconds.
(66) Received Access-Request Id 57 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(66)   User-Name = "vkratsberg"
(66)   NAS-Port = 358
(66)   State = 0xfe8dafbafecfb65ac77a79af0b8d9b3d
(66)   EAP-Message = 0x024200a31980000000991603010094010000900301574f326d5e00408d94a19321b8db9b8d3a28abc60b818d6e534139293e63b74f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(66)   Message-Authenticator = 0x9ff8671234776fde53c90fa64a9de80b
(66)   Acct-Session-Id = "8O2.1x81bb0d53000a1377"
(66)   NAS-Port-Id = "ge-3/0/6.0"
(66)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(66)   Called-Station-Id = "ec-3e-f7-68-35-00"
(66)   NAS-IP-Address = 10.8.0.111
(66)   NAS-Identifier = "nyc-access-sw011"
(66)   NAS-Port-Type = Ethernet
(66) session-state: No cached attributes
(66) # Executing section authorize from file /etc/raddb/sites-enabled/default
(66)   authorize {
(66)     policy filter_username {
(66)       if (&User-Name) {
(66)       if (&User-Name)  -> TRUE
(66)       if (&User-Name)  {
(66)         if (&User-Name =~ / /) {
(66)         if (&User-Name =~ / /)  -> FALSE
(66)         if (&User-Name =~ /@[^@]*@/ ) {
(66)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(66)         if (&User-Name =~ /\.\./ ) {
(66)         if (&User-Name =~ /\.\./ )  -> FALSE
(66)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(66)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(66)         if (&User-Name =~ /\.$/)  {
(66)         if (&User-Name =~ /\.$/)   -> FALSE
(66)         if (&User-Name =~ /@\./)  {
(66)         if (&User-Name =~ /@\./)   -> FALSE
(66)       } # if (&User-Name)  = notfound
(66)     } # policy filter_username = notfound
(66)     [preprocess] = ok
(66)     [chap] = noop
(66)     [mschap] = noop
(66)     [digest] = noop
(66) suffix: Checking for suffix after "@"
(66) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(66) suffix: No such realm "NULL"
(66)     [suffix] = noop
(66) eap: Peer sent EAP Response (code 2) ID 66 length 163
(66) eap: Continuing tunnel setup
(66)     [eap] = ok
(66)   } # authorize = ok
(66) Found Auth-Type = eap
(66) # Executing group from file /etc/raddb/sites-enabled/default
(66)   authenticate {
(66) eap: Expiring EAP session with state 0xfe8dafbafecfb65a
(66) eap: Finished EAP session with state 0xfe8dafbafecfb65a
(66) eap: Previous EAP request found for state 0xfe8dafbafecfb65a, released from the list
(66) eap: Peer sent packet with method EAP PEAP (25)
(66) eap: Calling submodule eap_peap to process data
(66) eap_peap: Continuing EAP-TLS
(66) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(66) eap_peap: Got complete TLS record (153 bytes)
(66) eap_peap: [eaptls verify] = length included
(66) eap_peap: (other): before/accept initialization
(66) eap_peap: TLS_accept: before/accept initialization
(66) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(66) eap_peap: TLS_accept: SSLv3 read client hello A
(66) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(66) eap_peap: TLS_accept: SSLv3 write server hello A
(66) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(66) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(66) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(66) eap_peap: TLS_accept: SSLv3 write finished A
(66) eap_peap: TLS_accept: SSLv3 flush data
(66) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(66) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(66) eap_peap: In SSL Handshake Phase
(66) eap_peap: In SSL Accept mode
(66) eap_peap: [eaptls process] = handled
(66) eap: Sending EAP Request (code 1) ID 67 length 159
(66) eap: EAP session adding &reply:State = 0xfe8dafbaffceb65a
(66)     [eap] = handled
(66)   } # authenticate = handled
(66) Using Post-Auth-Type Challenge
(66) Post-Auth-Type sub-section not found.  Ignoring.
(66) # Executing group from file /etc/raddb/sites-enabled/default
(66) Sent Access-Challenge Id 57 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(66)   EAP-Message = 0x0143009f19001603010059020000550301574f326d464750283d9b4e99580965692c2bd1a3e47ce939f76472189e9543b82099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100300c0c255b678a7037
(66)   Message-Authenticator = 0x00000000000000000000000000000000
(66)   State = 0xfe8dafbaffceb65ac77a79af0b8d9b3d
(66) Finished request
Waking up in 3.2 seconds.
(67) Received Access-Request Id 58 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(67)   User-Name = "vkratsberg"
(67)   NAS-Port = 358
(67)   State = 0xfe8dafbaffceb65ac77a79af0b8d9b3d
(67)   EAP-Message = 0x0243004519800000003b14030100010116030100304bfcf850b7e4a93fc76b318dd6aa0d4a45a99a3dbac0313f103447c231c60834a1ad97c5ae7dd91bdb0ce1ee73b00443
(67)   Message-Authenticator = 0x6e4e81982e17d9ea70a348f77b8e34f8
(67)   Acct-Session-Id = "8O2.1x81bb0d53000a1377"
(67)   NAS-Port-Id = "ge-3/0/6.0"
(67)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(67)   Called-Station-Id = "ec-3e-f7-68-35-00"
(67)   NAS-IP-Address = 10.8.0.111
(67)   NAS-Identifier = "nyc-access-sw011"
(67)   NAS-Port-Type = Ethernet
(67) session-state: No cached attributes
(67) # Executing section authorize from file /etc/raddb/sites-enabled/default
(67)   authorize {
(67)     policy filter_username {
(67)       if (&User-Name) {
(67)       if (&User-Name)  -> TRUE
(67)       if (&User-Name)  {
(67)         if (&User-Name =~ / /) {
(67)         if (&User-Name =~ / /)  -> FALSE
(67)         if (&User-Name =~ /@[^@]*@/ ) {
(67)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(67)         if (&User-Name =~ /\.\./ ) {
(67)         if (&User-Name =~ /\.\./ )  -> FALSE
(67)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(67)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(67)         if (&User-Name =~ /\.$/)  {
(67)         if (&User-Name =~ /\.$/)   -> FALSE
(67)         if (&User-Name =~ /@\./)  {
(67)         if (&User-Name =~ /@\./)   -> FALSE
(67)       } # if (&User-Name)  = notfound
(67)     } # policy filter_username = notfound
(67)     [preprocess] = ok
(67)     [chap] = noop
(67)     [mschap] = noop
(67)     [digest] = noop
(67) suffix: Checking for suffix after "@"
(67) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(67) suffix: No such realm "NULL"
(67)     [suffix] = noop
(67) eap: Peer sent EAP Response (code 2) ID 67 length 69
(67) eap: Continuing tunnel setup
(67)     [eap] = ok
(67)   } # authorize = ok
(67) Found Auth-Type = eap
(67) # Executing group from file /etc/raddb/sites-enabled/default
(67)   authenticate {
(67) eap: Expiring EAP session with state 0xfe8dafbaffceb65a
(67) eap: Finished EAP session with state 0xfe8dafbaffceb65a
(67) eap: Previous EAP request found for state 0xfe8dafbaffceb65a, released from the list
(67) eap: Peer sent packet with method EAP PEAP (25)
(67) eap: Calling submodule eap_peap to process data
(67) eap_peap: Continuing EAP-TLS
(67) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(67) eap_peap: Got complete TLS record (59 bytes)
(67) eap_peap: [eaptls verify] = length included
(67) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(67) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(67) eap_peap: TLS_accept: SSLv3 read finished A
(67) eap_peap: (other): SSL negotiation finished successfully
(67) eap_peap: SSL Connection Established
(67) eap_peap: SSL Application Data
(67) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(67) eap_peap:   reply:User-Name = "vkratsberg"
(67) eap_peap: [eaptls process] = success
(67) eap_peap: Session established.  Decoding tunneled attributes
(67) eap_peap: PEAP state TUNNEL ESTABLISHED
(67) eap_peap: Skipping Phase2 because of session resumption
(67) eap_peap: SUCCESS
(67) eap: Sending EAP Request (code 1) ID 68 length 43
(67) eap: EAP session adding &reply:State = 0xfe8dafbafcc9b65a
(67)     [eap] = handled
(67)   } # authenticate = handled
(67) Using Post-Auth-Type Challenge
(67) Post-Auth-Type sub-section not found.  Ignoring.
(67) # Executing group from file /etc/raddb/sites-enabled/default
(67) Sent Access-Challenge Id 58 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(67)   User-Name = "vkratsberg"
(67)   EAP-Message = 0x0144002b1900170301002032d12755e2a63e11975f128c4bdd15d6e6382290c9110d8ed89f08de949a6ab5
(67)   Message-Authenticator = 0x00000000000000000000000000000000
(67)   State = 0xfe8dafbafcc9b65ac77a79af0b8d9b3d
(67) Finished request
Waking up in 3.2 seconds.
(68) Received Access-Request Id 59 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(68)   User-Name = "vkratsberg"
(68)   NAS-Port = 358
(68)   State = 0xfe8dafbafcc9b65ac77a79af0b8d9b3d
(68)   EAP-Message = 0x0244002b1900170301002049db1e969d180f72c9c064c59ac9dfbdaec30eb93fd6ae4e12d26c477fe5c77c
(68)   Message-Authenticator = 0x40a728bea5f40a11c540c21b72f2382b
(68)   Acct-Session-Id = "8O2.1x81bb0d53000a1377"
(68)   NAS-Port-Id = "ge-3/0/6.0"
(68)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(68)   Called-Station-Id = "ec-3e-f7-68-35-00"
(68)   NAS-IP-Address = 10.8.0.111
(68)   NAS-Identifier = "nyc-access-sw011"
(68)   NAS-Port-Type = Ethernet
(68) session-state: No cached attributes
(68) # Executing section authorize from file /etc/raddb/sites-enabled/default
(68)   authorize {
(68)     policy filter_username {
(68)       if (&User-Name) {
(68)       if (&User-Name)  -> TRUE
(68)       if (&User-Name)  {
(68)         if (&User-Name =~ / /) {
(68)         if (&User-Name =~ / /)  -> FALSE
(68)         if (&User-Name =~ /@[^@]*@/ ) {
(68)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(68)         if (&User-Name =~ /\.\./ ) {
(68)         if (&User-Name =~ /\.\./ )  -> FALSE
(68)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(68)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(68)         if (&User-Name =~ /\.$/)  {
(68)         if (&User-Name =~ /\.$/)   -> FALSE
(68)         if (&User-Name =~ /@\./)  {
(68)         if (&User-Name =~ /@\./)   -> FALSE
(68)       } # if (&User-Name)  = notfound
(68)     } # policy filter_username = notfound
(68)     [preprocess] = ok
(68)     [chap] = noop
(68)     [mschap] = noop
(68)     [digest] = noop
(68) suffix: Checking for suffix after "@"
(68) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(68) suffix: No such realm "NULL"
(68)     [suffix] = noop
(68) eap: Peer sent EAP Response (code 2) ID 68 length 43
(68) eap: Continuing tunnel setup
(68)     [eap] = ok
(68)   } # authorize = ok
(68) Found Auth-Type = eap
(68) # Executing group from file /etc/raddb/sites-enabled/default
(68)   authenticate {
(68) eap: Expiring EAP session with state 0xfe8dafbafcc9b65a
(68) eap: Finished EAP session with state 0xfe8dafbafcc9b65a
(68) eap: Previous EAP request found for state 0xfe8dafbafcc9b65a, released from the list
(68) eap: Peer sent packet with method EAP PEAP (25)
(68) eap: Calling submodule eap_peap to process data
(68) eap_peap: Continuing EAP-TLS
(68) eap_peap: [eaptls verify] = ok
(68) eap_peap: Done initial handshake
(68) eap_peap: [eaptls process] = ok
(68) eap_peap: Session established.  Decoding tunneled attributes
(68) eap_peap: PEAP state send tlv success
(68) eap_peap: Received EAP-TLV response
(68) eap_peap: Success
(68) eap_peap: No saved attributes in the original Access-Accept
(68) eap: Sending EAP Success (code 3) ID 68 length 4
(68) eap: Freeing handler
(68)     [eap] = ok
(68)   } # authenticate = ok
(68) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(68)   post-auth {
(68)     update {
(68)       No attributes updated
(68)     } # update = noop
(68)     [exec] = noop
(68)     policy remove_reply_message_if_eap {
(68)       if (&reply:EAP-Message && &reply:Reply-Message) {
(68)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(68)       else {
(68)         [noop] = noop
(68)       } # else = noop
(68)     } # policy remove_reply_message_if_eap = noop
(68)   } # post-auth = noop
(68) Sent Access-Accept Id 59 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(68)   MS-MPPE-Recv-Key = 0xa1eee8bd2421fb9ea02e144b267609db07f970bdf59e415bf150d7a2c4252de0
(68)   MS-MPPE-Send-Key = 0x15200fbbbee699b046cea7ce7f1727453e7f5755ffb6d0c6a25d003058ce9e37
(68)   EAP-Message = 0x03440004
(68)   Message-Authenticator = 0x00000000000000000000000000000000
(68)   User-Name = "vkratsberg"
(68) Finished request
Waking up in 3.2 seconds.
(69) Received Access-Request Id 60 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(69)   User-Name = "vkratsberg"
(69)   NAS-Port = 358
(69)   EAP-Message = 0x0245000f01766b7261747362657267
(69)   Message-Authenticator = 0xc5c45fb74c6fdb77b6fea0c5b8baf3a4
(69)   Acct-Session-Id = "8O2.1x81bb0d54000bb4f9"
(69)   NAS-Port-Id = "ge-3/0/6.0"
(69)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(69)   Called-Station-Id = "ec-3e-f7-68-35-00"
(69)   NAS-IP-Address = 10.8.0.111
(69)   NAS-Identifier = "nyc-access-sw011"
(69)   NAS-Port-Type = Ethernet
(69) # Executing section authorize from file /etc/raddb/sites-enabled/default
(69)   authorize {
(69)     policy filter_username {
(69)       if (&User-Name) {
(69)       if (&User-Name)  -> TRUE
(69)       if (&User-Name)  {
(69)         if (&User-Name =~ / /) {
(69)         if (&User-Name =~ / /)  -> FALSE
(69)         if (&User-Name =~ /@[^@]*@/ ) {
(69)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(69)         if (&User-Name =~ /\.\./ ) {
(69)         if (&User-Name =~ /\.\./ )  -> FALSE
(69)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(69)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(69)         if (&User-Name =~ /\.$/)  {
(69)         if (&User-Name =~ /\.$/)   -> FALSE
(69)         if (&User-Name =~ /@\./)  {
(69)         if (&User-Name =~ /@\./)   -> FALSE
(69)       } # if (&User-Name)  = notfound
(69)     } # policy filter_username = notfound
(69)     [preprocess] = ok
(69)     [chap] = noop
(69)     [mschap] = noop
(69)     [digest] = noop
(69) suffix: Checking for suffix after "@"
(69) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(69) suffix: No such realm "NULL"
(69)     [suffix] = noop
(69) eap: Peer sent EAP Response (code 2) ID 69 length 15
(69) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(69)     [eap] = ok
(69)   } # authorize = ok
(69) Found Auth-Type = eap
(69) # Executing group from file /etc/raddb/sites-enabled/default
(69)   authenticate {
(69) eap: Peer sent packet with method EAP Identity (1)
(69) eap: Calling submodule eap_peap to process data
(69) eap_peap: Initiating new EAP-TLS session
(69) eap_peap: [eaptls start] = request
(69) eap: Sending EAP Request (code 1) ID 70 length 6
(69) eap: EAP session adding &reply:State = 0x16405a97160643cb
(69)     [eap] = handled
(69)   } # authenticate = handled
(69) Using Post-Auth-Type Challenge
(69) Post-Auth-Type sub-section not found.  Ignoring.
(69) # Executing group from file /etc/raddb/sites-enabled/default
(69) Sent Access-Challenge Id 60 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(69)   EAP-Message = 0x014600061920
(69)   Message-Authenticator = 0x00000000000000000000000000000000
(69)   State = 0x16405a97160643cbdc52d8e6ea59e6f3
(69) Finished request
Waking up in 3.1 seconds.
(70) Received Access-Request Id 61 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(70)   User-Name = "vkratsberg"
(70)   NAS-Port = 358
(70)   State = 0x16405a97160643cbdc52d8e6ea59e6f3
(70)   EAP-Message = 0x024600a31980000000991603010094010000900301574f326ded0373c50f31519b62b833dc782497e6e335239bce48a0b9610b934f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(70)   Message-Authenticator = 0xedcc55e235d015f4d3329e99ad60a8cf
(70)   Acct-Session-Id = "8O2.1x81bb0d54000bb4f9"
(70)   NAS-Port-Id = "ge-3/0/6.0"
(70)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(70)   Called-Station-Id = "ec-3e-f7-68-35-00"
(70)   NAS-IP-Address = 10.8.0.111
(70)   NAS-Identifier = "nyc-access-sw011"
(70)   NAS-Port-Type = Ethernet
(70) session-state: No cached attributes
(70) # Executing section authorize from file /etc/raddb/sites-enabled/default
(70)   authorize {
(70)     policy filter_username {
(70)       if (&User-Name) {
(70)       if (&User-Name)  -> TRUE
(70)       if (&User-Name)  {
(70)         if (&User-Name =~ / /) {
(70)         if (&User-Name =~ / /)  -> FALSE
(70)         if (&User-Name =~ /@[^@]*@/ ) {
(70)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(70)         if (&User-Name =~ /\.\./ ) {
(70)         if (&User-Name =~ /\.\./ )  -> FALSE
(70)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(70)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(70)         if (&User-Name =~ /\.$/)  {
(70)         if (&User-Name =~ /\.$/)   -> FALSE
(70)         if (&User-Name =~ /@\./)  {
(70)         if (&User-Name =~ /@\./)   -> FALSE
(70)       } # if (&User-Name)  = notfound
(70)     } # policy filter_username = notfound
(70)     [preprocess] = ok
(70)     [chap] = noop
(70)     [mschap] = noop
(70)     [digest] = noop
(70) suffix: Checking for suffix after "@"
(70) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(70) suffix: No such realm "NULL"
(70)     [suffix] = noop
(70) eap: Peer sent EAP Response (code 2) ID 70 length 163
(70) eap: Continuing tunnel setup
(70)     [eap] = ok
(70)   } # authorize = ok
(70) Found Auth-Type = eap
(70) # Executing group from file /etc/raddb/sites-enabled/default
(70)   authenticate {
(70) eap: Expiring EAP session with state 0x16405a97160643cb
(70) eap: Finished EAP session with state 0x16405a97160643cb
(70) eap: Previous EAP request found for state 0x16405a97160643cb, released from the list
(70) eap: Peer sent packet with method EAP PEAP (25)
(70) eap: Calling submodule eap_peap to process data
(70) eap_peap: Continuing EAP-TLS
(70) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(70) eap_peap: Got complete TLS record (153 bytes)
(70) eap_peap: [eaptls verify] = length included
(70) eap_peap: (other): before/accept initialization
(70) eap_peap: TLS_accept: before/accept initialization
(70) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(70) eap_peap: TLS_accept: SSLv3 read client hello A
(70) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(70) eap_peap: TLS_accept: SSLv3 write server hello A
(70) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(70) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(70) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(70) eap_peap: TLS_accept: SSLv3 write finished A
(70) eap_peap: TLS_accept: SSLv3 flush data
(70) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(70) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(70) eap_peap: In SSL Handshake Phase
(70) eap_peap: In SSL Accept mode
(70) eap_peap: [eaptls process] = handled
(70) eap: Sending EAP Request (code 1) ID 71 length 159
(70) eap: EAP session adding &reply:State = 0x16405a97170743cb
(70)     [eap] = handled
(70)   } # authenticate = handled
(70) Using Post-Auth-Type Challenge
(70) Post-Auth-Type sub-section not found.  Ignoring.
(70) # Executing group from file /etc/raddb/sites-enabled/default
(70) Sent Access-Challenge Id 61 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(70)   EAP-Message = 0x0147009f19001603010059020000550301574f326dde250a6c3dadd39b4c4b8405c3d40823a7eff19e6ed78200488e1b342099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100302599c3d9fb0c60e4
(70)   Message-Authenticator = 0x00000000000000000000000000000000
(70)   State = 0x16405a97170743cbdc52d8e6ea59e6f3
(70) Finished request
Waking up in 3.1 seconds.
(71) Received Access-Request Id 62 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(71)   User-Name = "vkratsberg"
(71)   NAS-Port = 358
(71)   State = 0x16405a97170743cbdc52d8e6ea59e6f3
(71)   EAP-Message = 0x0247004519800000003b140301000101160301003053ce23d79329179a745e5a5f89e3cdb0d4fc6a5a70ac7f0465419c5b17a153e295b98f0628c3ec1458fdd8f66f228244
(71)   Message-Authenticator = 0x197686627b0b75c27d3aa7e19a66a401
(71)   Acct-Session-Id = "8O2.1x81bb0d54000bb4f9"
(71)   NAS-Port-Id = "ge-3/0/6.0"
(71)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(71)   Called-Station-Id = "ec-3e-f7-68-35-00"
(71)   NAS-IP-Address = 10.8.0.111
(71)   NAS-Identifier = "nyc-access-sw011"
(71)   NAS-Port-Type = Ethernet
(71) session-state: No cached attributes
(71) # Executing section authorize from file /etc/raddb/sites-enabled/default
(71)   authorize {
(71)     policy filter_username {
(71)       if (&User-Name) {
(71)       if (&User-Name)  -> TRUE
(71)       if (&User-Name)  {
(71)         if (&User-Name =~ / /) {
(71)         if (&User-Name =~ / /)  -> FALSE
(71)         if (&User-Name =~ /@[^@]*@/ ) {
(71)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(71)         if (&User-Name =~ /\.\./ ) {
(71)         if (&User-Name =~ /\.\./ )  -> FALSE
(71)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(71)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(71)         if (&User-Name =~ /\.$/)  {
(71)         if (&User-Name =~ /\.$/)   -> FALSE
(71)         if (&User-Name =~ /@\./)  {
(71)         if (&User-Name =~ /@\./)   -> FALSE
(71)       } # if (&User-Name)  = notfound
(71)     } # policy filter_username = notfound
(71)     [preprocess] = ok
(71)     [chap] = noop
(71)     [mschap] = noop
(71)     [digest] = noop
(71) suffix: Checking for suffix after "@"
(71) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(71) suffix: No such realm "NULL"
(71)     [suffix] = noop
(71) eap: Peer sent EAP Response (code 2) ID 71 length 69
(71) eap: Continuing tunnel setup
(71)     [eap] = ok
(71)   } # authorize = ok
(71) Found Auth-Type = eap
(71) # Executing group from file /etc/raddb/sites-enabled/default
(71)   authenticate {
(71) eap: Expiring EAP session with state 0x16405a97170743cb
(71) eap: Finished EAP session with state 0x16405a97170743cb
(71) eap: Previous EAP request found for state 0x16405a97170743cb, released from the list
(71) eap: Peer sent packet with method EAP PEAP (25)
(71) eap: Calling submodule eap_peap to process data
(71) eap_peap: Continuing EAP-TLS
(71) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(71) eap_peap: Got complete TLS record (59 bytes)
(71) eap_peap: [eaptls verify] = length included
(71) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(71) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(71) eap_peap: TLS_accept: SSLv3 read finished A
(71) eap_peap: (other): SSL negotiation finished successfully
(71) eap_peap: SSL Connection Established
(71) eap_peap: SSL Application Data
(71) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(71) eap_peap:   reply:User-Name = "vkratsberg"
(71) eap_peap: [eaptls process] = success
(71) eap_peap: Session established.  Decoding tunneled attributes
(71) eap_peap: PEAP state TUNNEL ESTABLISHED
(71) eap_peap: Skipping Phase2 because of session resumption
(71) eap_peap: SUCCESS
(71) eap: Sending EAP Request (code 1) ID 72 length 43
(71) eap: EAP session adding &reply:State = 0x16405a97140843cb
(71)     [eap] = handled
(71)   } # authenticate = handled
(71) Using Post-Auth-Type Challenge
(71) Post-Auth-Type sub-section not found.  Ignoring.
(71) # Executing group from file /etc/raddb/sites-enabled/default
(71) Sent Access-Challenge Id 62 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(71)   User-Name = "vkratsberg"
(71)   EAP-Message = 0x0148002b19001703010020f949f9f785dea51bc4bfee9778ecc01d478805fc4bdd5d7e6374d138ad033042
(71)   Message-Authenticator = 0x00000000000000000000000000000000
(71)   State = 0x16405a97140843cbdc52d8e6ea59e6f3
(71) Finished request
Waking up in 3.1 seconds.
(72) Received Access-Request Id 63 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(72)   User-Name = "vkratsberg"
(72)   NAS-Port = 358
(72)   State = 0x16405a97140843cbdc52d8e6ea59e6f3
(72)   EAP-Message = 0x0248002b1900170301002045c27b88880839b5902f8f416d9118e9a3076d2947582bce0413783daf673c5d
(72)   Message-Authenticator = 0x44038631d8ffb2f32211ac82d5a7acfe
(72)   Acct-Session-Id = "8O2.1x81bb0d54000bb4f9"
(72)   NAS-Port-Id = "ge-3/0/6.0"
(72)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(72)   Called-Station-Id = "ec-3e-f7-68-35-00"
(72)   NAS-IP-Address = 10.8.0.111
(72)   NAS-Identifier = "nyc-access-sw011"
(72)   NAS-Port-Type = Ethernet
(72) session-state: No cached attributes
(72) # Executing section authorize from file /etc/raddb/sites-enabled/default
(72)   authorize {
(72)     policy filter_username {
(72)       if (&User-Name) {
(72)       if (&User-Name)  -> TRUE
(72)       if (&User-Name)  {
(72)         if (&User-Name =~ / /) {
(72)         if (&User-Name =~ / /)  -> FALSE
(72)         if (&User-Name =~ /@[^@]*@/ ) {
(72)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(72)         if (&User-Name =~ /\.\./ ) {
(72)         if (&User-Name =~ /\.\./ )  -> FALSE
(72)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(72)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(72)         if (&User-Name =~ /\.$/)  {
(72)         if (&User-Name =~ /\.$/)   -> FALSE
(72)         if (&User-Name =~ /@\./)  {
(72)         if (&User-Name =~ /@\./)   -> FALSE
(72)       } # if (&User-Name)  = notfound
(72)     } # policy filter_username = notfound
(72)     [preprocess] = ok
(72)     [chap] = noop
(72)     [mschap] = noop
(72)     [digest] = noop
(72) suffix: Checking for suffix after "@"
(72) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(72) suffix: No such realm "NULL"
(72)     [suffix] = noop
(72) eap: Peer sent EAP Response (code 2) ID 72 length 43
(72) eap: Continuing tunnel setup
(72)     [eap] = ok
(72)   } # authorize = ok
(72) Found Auth-Type = eap
(72) # Executing group from file /etc/raddb/sites-enabled/default
(72)   authenticate {
(72) eap: Expiring EAP session with state 0x16405a97140843cb
(72) eap: Finished EAP session with state 0x16405a97140843cb
(72) eap: Previous EAP request found for state 0x16405a97140843cb, released from the list
(72) eap: Peer sent packet with method EAP PEAP (25)
(72) eap: Calling submodule eap_peap to process data
(72) eap_peap: Continuing EAP-TLS
(72) eap_peap: [eaptls verify] = ok
(72) eap_peap: Done initial handshake
(72) eap_peap: [eaptls process] = ok
(72) eap_peap: Session established.  Decoding tunneled attributes
(72) eap_peap: PEAP state send tlv success
(72) eap_peap: Received EAP-TLV response
(72) eap_peap: Success
(72) eap_peap: No saved attributes in the original Access-Accept
(72) eap: Sending EAP Success (code 3) ID 72 length 4
(72) eap: Freeing handler
(72)     [eap] = ok
(72)   } # authenticate = ok
(72) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(72)   post-auth {
(72)     update {
(72)       No attributes updated
(72)     } # update = noop
(72)     [exec] = noop
(72)     policy remove_reply_message_if_eap {
(72)       if (&reply:EAP-Message && &reply:Reply-Message) {
(72)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(72)       else {
(72)         [noop] = noop
(72)       } # else = noop
(72)     } # policy remove_reply_message_if_eap = noop
(72)   } # post-auth = noop
(72) Sent Access-Accept Id 63 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(72)   MS-MPPE-Recv-Key = 0xfc87a9e6fce856350ec4eff5d60c88fc2e2daa0cea16b4d7036b426eb843c1e4
(72)   MS-MPPE-Send-Key = 0x335471765b3e8f65d2ab2e29c0c3700a80bdc86a2885cfb541e213b1cdee169b
(72)   EAP-Message = 0x03480004
(72)   Message-Authenticator = 0x00000000000000000000000000000000
(72)   User-Name = "vkratsberg"
(72) Finished request
Waking up in 3.1 seconds.
(73) Received Access-Request Id 64 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(73)   User-Name = "vkratsberg"
(73)   NAS-Port = 358
(73)   EAP-Message = 0x0249000f01766b7261747362657267
(73)   Message-Authenticator = 0xf769434e3b5dfaf788271676346ce18c
(73)   Acct-Session-Id = "8O2.1x81bb0d55000d4fce"
(73)   NAS-Port-Id = "ge-3/0/6.0"
(73)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(73)   Called-Station-Id = "ec-3e-f7-68-35-00"
(73)   NAS-IP-Address = 10.8.0.111
(73)   NAS-Identifier = "nyc-access-sw011"
(73)   NAS-Port-Type = Ethernet
(73) # Executing section authorize from file /etc/raddb/sites-enabled/default
(73)   authorize {
(73)     policy filter_username {
(73)       if (&User-Name) {
(73)       if (&User-Name)  -> TRUE
(73)       if (&User-Name)  {
(73)         if (&User-Name =~ / /) {
(73)         if (&User-Name =~ / /)  -> FALSE
(73)         if (&User-Name =~ /@[^@]*@/ ) {
(73)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(73)         if (&User-Name =~ /\.\./ ) {
(73)         if (&User-Name =~ /\.\./ )  -> FALSE
(73)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(73)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(73)         if (&User-Name =~ /\.$/)  {
(73)         if (&User-Name =~ /\.$/)   -> FALSE
(73)         if (&User-Name =~ /@\./)  {
(73)         if (&User-Name =~ /@\./)   -> FALSE
(73)       } # if (&User-Name)  = notfound
(73)     } # policy filter_username = notfound
(73)     [preprocess] = ok
(73)     [chap] = noop
(73)     [mschap] = noop
(73)     [digest] = noop
(73) suffix: Checking for suffix after "@"
(73) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(73) suffix: No such realm "NULL"
(73)     [suffix] = noop
(73) eap: Peer sent EAP Response (code 2) ID 73 length 15
(73) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(73)     [eap] = ok
(73)   } # authorize = ok
(73) Found Auth-Type = eap
(73) # Executing group from file /etc/raddb/sites-enabled/default
(73)   authenticate {
(73) eap: Peer sent packet with method EAP Identity (1)
(73) eap: Calling submodule eap_peap to process data
(73) eap_peap: Initiating new EAP-TLS session
(73) eap_peap: [eaptls start] = request
(73) eap: Sending EAP Request (code 1) ID 74 length 6
(73) eap: EAP session adding &reply:State = 0xd167dc94d12dc57b
(73)     [eap] = handled
(73)   } # authenticate = handled
(73) Using Post-Auth-Type Challenge
(73) Post-Auth-Type sub-section not found.  Ignoring.
(73) # Executing group from file /etc/raddb/sites-enabled/default
(73) Sent Access-Challenge Id 64 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(73)   EAP-Message = 0x014a00061920
(73)   Message-Authenticator = 0x00000000000000000000000000000000
(73)   State = 0xd167dc94d12dc57b201aa40f01521d06
(73) Finished request
Waking up in 3.0 seconds.
(74) Received Access-Request Id 65 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(74)   User-Name = "vkratsberg"
(74)   NAS-Port = 358
(74)   State = 0xd167dc94d12dc57b201aa40f01521d06
(74)   EAP-Message = 0x024a00a31980000000991603010094010000900301574f326dc129da943ec5a688b13705238bd023f1802d55948634bf2e369421c22099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(74)   Message-Authenticator = 0x03a182b876853449e208a64aa8b7971a
(74)   Acct-Session-Id = "8O2.1x81bb0d55000d4fce"
(74)   NAS-Port-Id = "ge-3/0/6.0"
(74)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(74)   Called-Station-Id = "ec-3e-f7-68-35-00"
(74)   NAS-IP-Address = 10.8.0.111
(74)   NAS-Identifier = "nyc-access-sw011"
(74)   NAS-Port-Type = Ethernet
(74) session-state: No cached attributes
(74) # Executing section authorize from file /etc/raddb/sites-enabled/default
(74)   authorize {
(74)     policy filter_username {
(74)       if (&User-Name) {
(74)       if (&User-Name)  -> TRUE
(74)       if (&User-Name)  {
(74)         if (&User-Name =~ / /) {
(74)         if (&User-Name =~ / /)  -> FALSE
(74)         if (&User-Name =~ /@[^@]*@/ ) {
(74)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(74)         if (&User-Name =~ /\.\./ ) {
(74)         if (&User-Name =~ /\.\./ )  -> FALSE
(74)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(74)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(74)         if (&User-Name =~ /\.$/)  {
(74)         if (&User-Name =~ /\.$/)   -> FALSE
(74)         if (&User-Name =~ /@\./)  {
(74)         if (&User-Name =~ /@\./)   -> FALSE
(74)       } # if (&User-Name)  = notfound
(74)     } # policy filter_username = notfound
(74)     [preprocess] = ok
(74)     [chap] = noop
(74)     [mschap] = noop
(74)     [digest] = noop
(74) suffix: Checking for suffix after "@"
(74) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(74) suffix: No such realm "NULL"
(74)     [suffix] = noop
(74) eap: Peer sent EAP Response (code 2) ID 74 length 163
(74) eap: Continuing tunnel setup
(74)     [eap] = ok
(74)   } # authorize = ok
(74) Found Auth-Type = eap
(74) # Executing group from file /etc/raddb/sites-enabled/default
(74)   authenticate {
(74) eap: Expiring EAP session with state 0xd167dc94d12dc57b
(74) eap: Finished EAP session with state 0xd167dc94d12dc57b
(74) eap: Previous EAP request found for state 0xd167dc94d12dc57b, released from the list
(74) eap: Peer sent packet with method EAP PEAP (25)
(74) eap: Calling submodule eap_peap to process data
(74) eap_peap: Continuing EAP-TLS
(74) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(74) eap_peap: Got complete TLS record (153 bytes)
(74) eap_peap: [eaptls verify] = length included
(74) eap_peap: (other): before/accept initialization
(74) eap_peap: TLS_accept: before/accept initialization
(74) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(74) eap_peap: TLS_accept: SSLv3 read client hello A
(74) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(74) eap_peap: TLS_accept: SSLv3 write server hello A
(74) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(74) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(74) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(74) eap_peap: TLS_accept: SSLv3 write finished A
(74) eap_peap: TLS_accept: SSLv3 flush data
(74) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(74) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(74) eap_peap: In SSL Handshake Phase
(74) eap_peap: In SSL Accept mode
(74) eap_peap: [eaptls process] = handled
(74) eap: Sending EAP Request (code 1) ID 75 length 159
(74) eap: EAP session adding &reply:State = 0xd167dc94d02cc57b
(74)     [eap] = handled
(74)   } # authenticate = handled
(74) Using Post-Auth-Type Challenge
(74) Post-Auth-Type sub-section not found.  Ignoring.
(74) # Executing group from file /etc/raddb/sites-enabled/default
(74) Sent Access-Challenge Id 65 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(74)   EAP-Message = 0x014b009f19001603010059020000550301574f326d73cd9c4714d41794459ee50564792d13f9e9b0bb06bc40a015f99a102099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003002c08e0d285ecd7c
(74)   Message-Authenticator = 0x00000000000000000000000000000000
(74)   State = 0xd167dc94d02cc57b201aa40f01521d06
(74) Finished request
Waking up in 3.0 seconds.
(75) Received Access-Request Id 66 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(75)   User-Name = "vkratsberg"
(75)   NAS-Port = 358
(75)   State = 0xd167dc94d02cc57b201aa40f01521d06
(75)   EAP-Message = 0x024b004519800000003b14030100010116030100303f65d3f5297ea7929718915349d699b59fd357133e945969553b61042cfaa01eee3726ddb21c92f6fd735c7c2554d770
(75)   Message-Authenticator = 0x4e887e4c5b841e92ffab2aebc717f30f
(75)   Acct-Session-Id = "8O2.1x81bb0d55000d4fce"
(75)   NAS-Port-Id = "ge-3/0/6.0"
(75)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(75)   Called-Station-Id = "ec-3e-f7-68-35-00"
(75)   NAS-IP-Address = 10.8.0.111
(75)   NAS-Identifier = "nyc-access-sw011"
(75)   NAS-Port-Type = Ethernet
(75) session-state: No cached attributes
(75) # Executing section authorize from file /etc/raddb/sites-enabled/default
(75)   authorize {
(75)     policy filter_username {
(75)       if (&User-Name) {
(75)       if (&User-Name)  -> TRUE
(75)       if (&User-Name)  {
(75)         if (&User-Name =~ / /) {
(75)         if (&User-Name =~ / /)  -> FALSE
(75)         if (&User-Name =~ /@[^@]*@/ ) {
(75)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(75)         if (&User-Name =~ /\.\./ ) {
(75)         if (&User-Name =~ /\.\./ )  -> FALSE
(75)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(75)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(75)         if (&User-Name =~ /\.$/)  {
(75)         if (&User-Name =~ /\.$/)   -> FALSE
(75)         if (&User-Name =~ /@\./)  {
(75)         if (&User-Name =~ /@\./)   -> FALSE
(75)       } # if (&User-Name)  = notfound
(75)     } # policy filter_username = notfound
(75)     [preprocess] = ok
(75)     [chap] = noop
(75)     [mschap] = noop
(75)     [digest] = noop
(75) suffix: Checking for suffix after "@"
(75) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(75) suffix: No such realm "NULL"
(75)     [suffix] = noop
(75) eap: Peer sent EAP Response (code 2) ID 75 length 69
(75) eap: Continuing tunnel setup
(75)     [eap] = ok
(75)   } # authorize = ok
(75) Found Auth-Type = eap
(75) # Executing group from file /etc/raddb/sites-enabled/default
(75)   authenticate {
(75) eap: Expiring EAP session with state 0xd167dc94d02cc57b
(75) eap: Finished EAP session with state 0xd167dc94d02cc57b
(75) eap: Previous EAP request found for state 0xd167dc94d02cc57b, released from the list
(75) eap: Peer sent packet with method EAP PEAP (25)
(75) eap: Calling submodule eap_peap to process data
(75) eap_peap: Continuing EAP-TLS
(75) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(75) eap_peap: Got complete TLS record (59 bytes)
(75) eap_peap: [eaptls verify] = length included
(75) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(75) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(75) eap_peap: TLS_accept: SSLv3 read finished A
(75) eap_peap: (other): SSL negotiation finished successfully
(75) eap_peap: SSL Connection Established
(75) eap_peap: SSL Application Data
(75) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(75) eap_peap:   reply:User-Name = "vkratsberg"
(75) eap_peap: [eaptls process] = success
(75) eap_peap: Session established.  Decoding tunneled attributes
(75) eap_peap: PEAP state TUNNEL ESTABLISHED
(75) eap_peap: Skipping Phase2 because of session resumption
(75) eap_peap: SUCCESS
(75) eap: Sending EAP Request (code 1) ID 76 length 43
(75) eap: EAP session adding &reply:State = 0xd167dc94d32bc57b
(75)     [eap] = handled
(75)   } # authenticate = handled
(75) Using Post-Auth-Type Challenge
(75) Post-Auth-Type sub-section not found.  Ignoring.
(75) # Executing group from file /etc/raddb/sites-enabled/default
(75) Sent Access-Challenge Id 66 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(75)   User-Name = "vkratsberg"
(75)   EAP-Message = 0x014c002b19001703010020d7c984c0b472031cd46b6c01ad780ece118abf5c8ca60e1be938e2f956cf4339
(75)   Message-Authenticator = 0x00000000000000000000000000000000
(75)   State = 0xd167dc94d32bc57b201aa40f01521d06
(75) Finished request
Waking up in 3.0 seconds.
(76) Received Access-Request Id 67 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(76)   User-Name = "vkratsberg"
(76)   NAS-Port = 358
(76)   State = 0xd167dc94d32bc57b201aa40f01521d06
(76)   EAP-Message = 0x024c002b1900170301002007a475d010c4a839a6eb20c348e707d50fb68fed47e7eaa94cda48929b3331cd
(76)   Message-Authenticator = 0xd1280f1f0114e3d0bf8510113f0f183a
(76)   Acct-Session-Id = "8O2.1x81bb0d55000d4fce"
(76)   NAS-Port-Id = "ge-3/0/6.0"
(76)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(76)   Called-Station-Id = "ec-3e-f7-68-35-00"
(76)   NAS-IP-Address = 10.8.0.111
(76)   NAS-Identifier = "nyc-access-sw011"
(76)   NAS-Port-Type = Ethernet
(76) session-state: No cached attributes
(76) # Executing section authorize from file /etc/raddb/sites-enabled/default
(76)   authorize {
(76)     policy filter_username {
(76)       if (&User-Name) {
(76)       if (&User-Name)  -> TRUE
(76)       if (&User-Name)  {
(76)         if (&User-Name =~ / /) {
(76)         if (&User-Name =~ / /)  -> FALSE
(76)         if (&User-Name =~ /@[^@]*@/ ) {
(76)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(76)         if (&User-Name =~ /\.\./ ) {
(76)         if (&User-Name =~ /\.\./ )  -> FALSE
(76)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(76)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(76)         if (&User-Name =~ /\.$/)  {
(76)         if (&User-Name =~ /\.$/)   -> FALSE
(76)         if (&User-Name =~ /@\./)  {
(76)         if (&User-Name =~ /@\./)   -> FALSE
(76)       } # if (&User-Name)  = notfound
(76)     } # policy filter_username = notfound
(76)     [preprocess] = ok
(76)     [chap] = noop
(76)     [mschap] = noop
(76)     [digest] = noop
(76) suffix: Checking for suffix after "@"
(76) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(76) suffix: No such realm "NULL"
(76)     [suffix] = noop
(76) eap: Peer sent EAP Response (code 2) ID 76 length 43
(76) eap: Continuing tunnel setup
(76)     [eap] = ok
(76)   } # authorize = ok
(76) Found Auth-Type = eap
(76) # Executing group from file /etc/raddb/sites-enabled/default
(76)   authenticate {
(76) eap: Expiring EAP session with state 0xd167dc94d32bc57b
(76) eap: Finished EAP session with state 0xd167dc94d32bc57b
(76) eap: Previous EAP request found for state 0xd167dc94d32bc57b, released from the list
(76) eap: Peer sent packet with method EAP PEAP (25)
(76) eap: Calling submodule eap_peap to process data
(76) eap_peap: Continuing EAP-TLS
(76) eap_peap: [eaptls verify] = ok
(76) eap_peap: Done initial handshake
(76) eap_peap: [eaptls process] = ok
(76) eap_peap: Session established.  Decoding tunneled attributes
(76) eap_peap: PEAP state send tlv success
(76) eap_peap: Received EAP-TLV response
(76) eap_peap: Success
(76) eap_peap: No saved attributes in the original Access-Accept
(76) eap: Sending EAP Success (code 3) ID 76 length 4
(76) eap: Freeing handler
(76)     [eap] = ok
(76)   } # authenticate = ok
(76) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(76)   post-auth {
(76)     update {
(76)       No attributes updated
(76)     } # update = noop
(76)     [exec] = noop
(76)     policy remove_reply_message_if_eap {
(76)       if (&reply:EAP-Message && &reply:Reply-Message) {
(76)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(76)       else {
(76)         [noop] = noop
(76)       } # else = noop
(76)     } # policy remove_reply_message_if_eap = noop
(76)   } # post-auth = noop
(76) Sent Access-Accept Id 67 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(76)   MS-MPPE-Recv-Key = 0xdfe1a99c21727d8927ff9e0291b520c9f78344a806594516afc42989765e0b04
(76)   MS-MPPE-Send-Key = 0xc352ab3a6c3d054e841afd3fa09e45e1f78d7ac84fad183bfb87681f6e6a68e0
(76)   EAP-Message = 0x034c0004
(76)   Message-Authenticator = 0x00000000000000000000000000000000
(76)   User-Name = "vkratsberg"
(76) Finished request
Waking up in 3.0 seconds.
(77) Received Access-Request Id 68 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(77)   User-Name = "vkratsberg"
(77)   NAS-Port = 358
(77)   EAP-Message = 0x024d000f01766b7261747362657267
(77)   Message-Authenticator = 0x8c1650ca7e5cead1046b69bdb31df31f
(77)   Acct-Session-Id = "8O2.1x81bb0d56000eecd3"
(77)   NAS-Port-Id = "ge-3/0/6.0"
(77)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(77)   Called-Station-Id = "ec-3e-f7-68-35-00"
(77)   NAS-IP-Address = 10.8.0.111
(77)   NAS-Identifier = "nyc-access-sw011"
(77)   NAS-Port-Type = Ethernet
(77) # Executing section authorize from file /etc/raddb/sites-enabled/default
(77)   authorize {
(77)     policy filter_username {
(77)       if (&User-Name) {
(77)       if (&User-Name)  -> TRUE
(77)       if (&User-Name)  {
(77)         if (&User-Name =~ / /) {
(77)         if (&User-Name =~ / /)  -> FALSE
(77)         if (&User-Name =~ /@[^@]*@/ ) {
(77)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(77)         if (&User-Name =~ /\.\./ ) {
(77)         if (&User-Name =~ /\.\./ )  -> FALSE
(77)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(77)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(77)         if (&User-Name =~ /\.$/)  {
(77)         if (&User-Name =~ /\.$/)   -> FALSE
(77)         if (&User-Name =~ /@\./)  {
(77)         if (&User-Name =~ /@\./)   -> FALSE
(77)       } # if (&User-Name)  = notfound
(77)     } # policy filter_username = notfound
(77)     [preprocess] = ok
(77)     [chap] = noop
(77)     [mschap] = noop
(77)     [digest] = noop
(77) suffix: Checking for suffix after "@"
(77) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(77) suffix: No such realm "NULL"
(77)     [suffix] = noop
(77) eap: Peer sent EAP Response (code 2) ID 77 length 15
(77) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(77)     [eap] = ok
(77)   } # authorize = ok
(77) Found Auth-Type = eap
(77) # Executing group from file /etc/raddb/sites-enabled/default
(77)   authenticate {
(77) eap: Peer sent packet with method EAP Identity (1)
(77) eap: Calling submodule eap_peap to process data
(77) eap_peap: Initiating new EAP-TLS session
(77) eap_peap: [eaptls start] = request
(77) eap: Sending EAP Request (code 1) ID 78 length 6
(77) eap: EAP session adding &reply:State = 0xaebd2e8daef33777
(77)     [eap] = handled
(77)   } # authenticate = handled
(77) Using Post-Auth-Type Challenge
(77) Post-Auth-Type sub-section not found.  Ignoring.
(77) # Executing group from file /etc/raddb/sites-enabled/default
(77) Sent Access-Challenge Id 68 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(77)   EAP-Message = 0x014e00061920
(77)   Message-Authenticator = 0x00000000000000000000000000000000
(77)   State = 0xaebd2e8daef33777c82fafda3078c602
(77) Finished request
Waking up in 2.9 seconds.
(78) Received Access-Request Id 69 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(78)   User-Name = "vkratsberg"
(78)   NAS-Port = 358
(78)   State = 0xaebd2e8daef33777c82fafda3078c602
(78)   EAP-Message = 0x024e00a31980000000991603010094010000900301574f326d65cbbca47b72f0c7de01e347d5ababcb8979ed44d92ea1c37679d91a2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(78)   Message-Authenticator = 0x4e64d995b9e9b42e3cd839bb72e04105
(78)   Acct-Session-Id = "8O2.1x81bb0d56000eecd3"
(78)   NAS-Port-Id = "ge-3/0/6.0"
(78)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(78)   Called-Station-Id = "ec-3e-f7-68-35-00"
(78)   NAS-IP-Address = 10.8.0.111
(78)   NAS-Identifier = "nyc-access-sw011"
(78)   NAS-Port-Type = Ethernet
(78) session-state: No cached attributes
(78) # Executing section authorize from file /etc/raddb/sites-enabled/default
(78)   authorize {
(78)     policy filter_username {
(78)       if (&User-Name) {
(78)       if (&User-Name)  -> TRUE
(78)       if (&User-Name)  {
(78)         if (&User-Name =~ / /) {
(78)         if (&User-Name =~ / /)  -> FALSE
(78)         if (&User-Name =~ /@[^@]*@/ ) {
(78)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(78)         if (&User-Name =~ /\.\./ ) {
(78)         if (&User-Name =~ /\.\./ )  -> FALSE
(78)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(78)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(78)         if (&User-Name =~ /\.$/)  {
(78)         if (&User-Name =~ /\.$/)   -> FALSE
(78)         if (&User-Name =~ /@\./)  {
(78)         if (&User-Name =~ /@\./)   -> FALSE
(78)       } # if (&User-Name)  = notfound
(78)     } # policy filter_username = notfound
(78)     [preprocess] = ok
(78)     [chap] = noop
(78)     [mschap] = noop
(78)     [digest] = noop
(78) suffix: Checking for suffix after "@"
(78) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(78) suffix: No such realm "NULL"
(78)     [suffix] = noop
(78) eap: Peer sent EAP Response (code 2) ID 78 length 163
(78) eap: Continuing tunnel setup
(78)     [eap] = ok
(78)   } # authorize = ok
(78) Found Auth-Type = eap
(78) # Executing group from file /etc/raddb/sites-enabled/default
(78)   authenticate {
(78) eap: Expiring EAP session with state 0xaebd2e8daef33777
(78) eap: Finished EAP session with state 0xaebd2e8daef33777
(78) eap: Previous EAP request found for state 0xaebd2e8daef33777, released from the list
(78) eap: Peer sent packet with method EAP PEAP (25)
(78) eap: Calling submodule eap_peap to process data
(78) eap_peap: Continuing EAP-TLS
(78) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(78) eap_peap: Got complete TLS record (153 bytes)
(78) eap_peap: [eaptls verify] = length included
(78) eap_peap: (other): before/accept initialization
(78) eap_peap: TLS_accept: before/accept initialization
(78) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(78) eap_peap: TLS_accept: SSLv3 read client hello A
(78) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(78) eap_peap: TLS_accept: SSLv3 write server hello A
(78) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(78) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(78) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(78) eap_peap: TLS_accept: SSLv3 write finished A
(78) eap_peap: TLS_accept: SSLv3 flush data
(78) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(78) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(78) eap_peap: In SSL Handshake Phase
(78) eap_peap: In SSL Accept mode
(78) eap_peap: [eaptls process] = handled
(78) eap: Sending EAP Request (code 1) ID 79 length 159
(78) eap: EAP session adding &reply:State = 0xaebd2e8daff23777
(78)     [eap] = handled
(78)   } # authenticate = handled
(78) Using Post-Auth-Type Challenge
(78) Post-Auth-Type sub-section not found.  Ignoring.
(78) # Executing group from file /etc/raddb/sites-enabled/default
(78) Sent Access-Challenge Id 69 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(78)   EAP-Message = 0x014f009f19001603010059020000550301574f326d36d43e1e9ec8a25bd29cb3502606900058a0a33278ef5244ed531cf82099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003016a989c8b30c1dea
(78)   Message-Authenticator = 0x00000000000000000000000000000000
(78)   State = 0xaebd2e8daff23777c82fafda3078c602
(78) Finished request
Waking up in 2.9 seconds.
(79) Received Access-Request Id 70 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(79)   User-Name = "vkratsberg"
(79)   NAS-Port = 358
(79)   State = 0xaebd2e8daff23777c82fafda3078c602
(79)   EAP-Message = 0x024f004519800000003b14030100010116030100308c067a64707f0a1e860d7c32e0af036b79e422b46dd1fccf6760aaf229a61012e25d50cc92550146fd66146d7c13a984
(79)   Message-Authenticator = 0xc8b35552c160107bae742dc0d390bac8
(79)   Acct-Session-Id = "8O2.1x81bb0d56000eecd3"
(79)   NAS-Port-Id = "ge-3/0/6.0"
(79)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(79)   Called-Station-Id = "ec-3e-f7-68-35-00"
(79)   NAS-IP-Address = 10.8.0.111
(79)   NAS-Identifier = "nyc-access-sw011"
(79)   NAS-Port-Type = Ethernet
(79) session-state: No cached attributes
(79) # Executing section authorize from file /etc/raddb/sites-enabled/default
(79)   authorize {
(79)     policy filter_username {
(79)       if (&User-Name) {
(79)       if (&User-Name)  -> TRUE
(79)       if (&User-Name)  {
(79)         if (&User-Name =~ / /) {
(79)         if (&User-Name =~ / /)  -> FALSE
(79)         if (&User-Name =~ /@[^@]*@/ ) {
(79)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(79)         if (&User-Name =~ /\.\./ ) {
(79)         if (&User-Name =~ /\.\./ )  -> FALSE
(79)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(79)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(79)         if (&User-Name =~ /\.$/)  {
(79)         if (&User-Name =~ /\.$/)   -> FALSE
(79)         if (&User-Name =~ /@\./)  {
(79)         if (&User-Name =~ /@\./)   -> FALSE
(79)       } # if (&User-Name)  = notfound
(79)     } # policy filter_username = notfound
(79)     [preprocess] = ok
(79)     [chap] = noop
(79)     [mschap] = noop
(79)     [digest] = noop
(79) suffix: Checking for suffix after "@"
(79) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(79) suffix: No such realm "NULL"
(79)     [suffix] = noop
(79) eap: Peer sent EAP Response (code 2) ID 79 length 69
(79) eap: Continuing tunnel setup
(79)     [eap] = ok
(79)   } # authorize = ok
(79) Found Auth-Type = eap
(79) # Executing group from file /etc/raddb/sites-enabled/default
(79)   authenticate {
(79) eap: Expiring EAP session with state 0xaebd2e8daff23777
(79) eap: Finished EAP session with state 0xaebd2e8daff23777
(79) eap: Previous EAP request found for state 0xaebd2e8daff23777, released from the list
(79) eap: Peer sent packet with method EAP PEAP (25)
(79) eap: Calling submodule eap_peap to process data
(79) eap_peap: Continuing EAP-TLS
(79) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(79) eap_peap: Got complete TLS record (59 bytes)
(79) eap_peap: [eaptls verify] = length included
(79) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(79) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(79) eap_peap: TLS_accept: SSLv3 read finished A
(79) eap_peap: (other): SSL negotiation finished successfully
(79) eap_peap: SSL Connection Established
(79) eap_peap: SSL Application Data
(79) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(79) eap_peap:   reply:User-Name = "vkratsberg"
(79) eap_peap: [eaptls process] = success
(79) eap_peap: Session established.  Decoding tunneled attributes
(79) eap_peap: PEAP state TUNNEL ESTABLISHED
(79) eap_peap: Skipping Phase2 because of session resumption
(79) eap_peap: SUCCESS
(79) eap: Sending EAP Request (code 1) ID 80 length 43
(79) eap: EAP session adding &reply:State = 0xaebd2e8daced3777
(79)     [eap] = handled
(79)   } # authenticate = handled
(79) Using Post-Auth-Type Challenge
(79) Post-Auth-Type sub-section not found.  Ignoring.
(79) # Executing group from file /etc/raddb/sites-enabled/default
(79) Sent Access-Challenge Id 70 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(79)   User-Name = "vkratsberg"
(79)   EAP-Message = 0x0150002b1900170301002099dbc1c60a2c0aebe44889209395d21d3be3f1348ecf6d1c30f40c0d43024167
(79)   Message-Authenticator = 0x00000000000000000000000000000000
(79)   State = 0xaebd2e8daced3777c82fafda3078c602
(79) Finished request
Waking up in 2.9 seconds.
(80) Received Access-Request Id 71 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(80)   User-Name = "vkratsberg"
(80)   NAS-Port = 358
(80)   State = 0xaebd2e8daced3777c82fafda3078c602
(80)   EAP-Message = 0x0250002b1900170301002027f86ad4dd415419dd2fa2b5d70205ff063e836bca320e9203647e21619fc81f
(80)   Message-Authenticator = 0x8f04ac87e244f54b5e0e778b50d64b5b
(80)   Acct-Session-Id = "8O2.1x81bb0d56000eecd3"
(80)   NAS-Port-Id = "ge-3/0/6.0"
(80)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(80)   Called-Station-Id = "ec-3e-f7-68-35-00"
(80)   NAS-IP-Address = 10.8.0.111
(80)   NAS-Identifier = "nyc-access-sw011"
(80)   NAS-Port-Type = Ethernet
(80) session-state: No cached attributes
(80) # Executing section authorize from file /etc/raddb/sites-enabled/default
(80)   authorize {
(80)     policy filter_username {
(80)       if (&User-Name) {
(80)       if (&User-Name)  -> TRUE
(80)       if (&User-Name)  {
(80)         if (&User-Name =~ / /) {
(80)         if (&User-Name =~ / /)  -> FALSE
(80)         if (&User-Name =~ /@[^@]*@/ ) {
(80)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(80)         if (&User-Name =~ /\.\./ ) {
(80)         if (&User-Name =~ /\.\./ )  -> FALSE
(80)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(80)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(80)         if (&User-Name =~ /\.$/)  {
(80)         if (&User-Name =~ /\.$/)   -> FALSE
(80)         if (&User-Name =~ /@\./)  {
(80)         if (&User-Name =~ /@\./)   -> FALSE
(80)       } # if (&User-Name)  = notfound
(80)     } # policy filter_username = notfound
(80)     [preprocess] = ok
(80)     [chap] = noop
(80)     [mschap] = noop
(80)     [digest] = noop
(80) suffix: Checking for suffix after "@"
(80) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(80) suffix: No such realm "NULL"
(80)     [suffix] = noop
(80) eap: Peer sent EAP Response (code 2) ID 80 length 43
(80) eap: Continuing tunnel setup
(80)     [eap] = ok
(80)   } # authorize = ok
(80) Found Auth-Type = eap
(80) # Executing group from file /etc/raddb/sites-enabled/default
(80)   authenticate {
(80) eap: Expiring EAP session with state 0xaebd2e8daced3777
(80) eap: Finished EAP session with state 0xaebd2e8daced3777
(80) eap: Previous EAP request found for state 0xaebd2e8daced3777, released from the list
(80) eap: Peer sent packet with method EAP PEAP (25)
(80) eap: Calling submodule eap_peap to process data
(80) eap_peap: Continuing EAP-TLS
(80) eap_peap: [eaptls verify] = ok
(80) eap_peap: Done initial handshake
(80) eap_peap: [eaptls process] = ok
(80) eap_peap: Session established.  Decoding tunneled attributes
(80) eap_peap: PEAP state send tlv success
(80) eap_peap: Received EAP-TLV response
(80) eap_peap: Success
(80) eap_peap: No saved attributes in the original Access-Accept
(80) eap: Sending EAP Success (code 3) ID 80 length 4
(80) eap: Freeing handler
(80)     [eap] = ok
(80)   } # authenticate = ok
(80) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(80)   post-auth {
(80)     update {
(80)       No attributes updated
(80)     } # update = noop
(80)     [exec] = noop
(80)     policy remove_reply_message_if_eap {
(80)       if (&reply:EAP-Message && &reply:Reply-Message) {
(80)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(80)       else {
(80)         [noop] = noop
(80)       } # else = noop
(80)     } # policy remove_reply_message_if_eap = noop
(80)   } # post-auth = noop
(80) Sent Access-Accept Id 71 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(80)   MS-MPPE-Recv-Key = 0x36e345f209ed0d0b9d81969dca9540331af6b48c91a0482b6e3fe9090bfc295a
(80)   MS-MPPE-Send-Key = 0xaa1cf11f4a3c219412a9747e1fb5dfa6150559372bc6386d3b727a3d7889dc12
(80)   EAP-Message = 0x03500004
(80)   Message-Authenticator = 0x00000000000000000000000000000000
(80)   User-Name = "vkratsberg"
(80) Finished request
Waking up in 2.9 seconds.
(81) Received Access-Request Id 72 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(81)   User-Name = "vkratsberg"
(81)   NAS-Port = 358
(81)   EAP-Message = 0x0251000f01766b7261747362657267
(81)   Message-Authenticator = 0x6a48641a1875f3e8c97554e620e2f36b
(81)   Acct-Session-Id = "8O2.1x81bb0d5700014886"
(81)   NAS-Port-Id = "ge-3/0/6.0"
(81)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(81)   Called-Station-Id = "ec-3e-f7-68-35-00"
(81)   NAS-IP-Address = 10.8.0.111
(81)   NAS-Identifier = "nyc-access-sw011"
(81)   NAS-Port-Type = Ethernet
(81) # Executing section authorize from file /etc/raddb/sites-enabled/default
(81)   authorize {
(81)     policy filter_username {
(81)       if (&User-Name) {
(81)       if (&User-Name)  -> TRUE
(81)       if (&User-Name)  {
(81)         if (&User-Name =~ / /) {
(81)         if (&User-Name =~ / /)  -> FALSE
(81)         if (&User-Name =~ /@[^@]*@/ ) {
(81)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(81)         if (&User-Name =~ /\.\./ ) {
(81)         if (&User-Name =~ /\.\./ )  -> FALSE
(81)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(81)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(81)         if (&User-Name =~ /\.$/)  {
(81)         if (&User-Name =~ /\.$/)   -> FALSE
(81)         if (&User-Name =~ /@\./)  {
(81)         if (&User-Name =~ /@\./)   -> FALSE
(81)       } # if (&User-Name)  = notfound
(81)     } # policy filter_username = notfound
(81)     [preprocess] = ok
(81)     [chap] = noop
(81)     [mschap] = noop
(81)     [digest] = noop
(81) suffix: Checking for suffix after "@"
(81) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(81) suffix: No such realm "NULL"
(81)     [suffix] = noop
(81) eap: Peer sent EAP Response (code 2) ID 81 length 15
(81) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(81)     [eap] = ok
(81)   } # authorize = ok
(81) Found Auth-Type = eap
(81) # Executing group from file /etc/raddb/sites-enabled/default
(81)   authenticate {
(81) eap: Peer sent packet with method EAP Identity (1)
(81) eap: Calling submodule eap_peap to process data
(81) eap_peap: Initiating new EAP-TLS session
(81) eap_peap: [eaptls start] = request
(81) eap: Sending EAP Request (code 1) ID 82 length 6
(81) eap: EAP session adding &reply:State = 0x124efabc121ce35a
(81)     [eap] = handled
(81)   } # authenticate = handled
(81) Using Post-Auth-Type Challenge
(81) Post-Auth-Type sub-section not found.  Ignoring.
(81) # Executing group from file /etc/raddb/sites-enabled/default
(81) Sent Access-Challenge Id 72 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(81)   EAP-Message = 0x015200061920
(81)   Message-Authenticator = 0x00000000000000000000000000000000
(81)   State = 0x124efabc121ce35a4b02bb1ea15ca589
(81) Finished request
Waking up in 2.8 seconds.
(82) Received Access-Request Id 73 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(82)   User-Name = "vkratsberg"
(82)   NAS-Port = 358
(82)   State = 0x124efabc121ce35a4b02bb1ea15ca589
(82)   EAP-Message = 0x025200a31980000000991603010094010000900301574f326eca09ecd960bd936e43c28961340daa426ca757911bc9acd549f29ebd2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(82)   Message-Authenticator = 0x5ec3578728b5a525bb4613cd7db52902
(82)   Acct-Session-Id = "8O2.1x81bb0d5700014886"
(82)   NAS-Port-Id = "ge-3/0/6.0"
(82)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(82)   Called-Station-Id = "ec-3e-f7-68-35-00"
(82)   NAS-IP-Address = 10.8.0.111
(82)   NAS-Identifier = "nyc-access-sw011"
(82)   NAS-Port-Type = Ethernet
(82) session-state: No cached attributes
(82) # Executing section authorize from file /etc/raddb/sites-enabled/default
(82)   authorize {
(82)     policy filter_username {
(82)       if (&User-Name) {
(82)       if (&User-Name)  -> TRUE
(82)       if (&User-Name)  {
(82)         if (&User-Name =~ / /) {
(82)         if (&User-Name =~ / /)  -> FALSE
(82)         if (&User-Name =~ /@[^@]*@/ ) {
(82)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(82)         if (&User-Name =~ /\.\./ ) {
(82)         if (&User-Name =~ /\.\./ )  -> FALSE
(82)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(82)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(82)         if (&User-Name =~ /\.$/)  {
(82)         if (&User-Name =~ /\.$/)   -> FALSE
(82)         if (&User-Name =~ /@\./)  {
(82)         if (&User-Name =~ /@\./)   -> FALSE
(82)       } # if (&User-Name)  = notfound
(82)     } # policy filter_username = notfound
(82)     [preprocess] = ok
(82)     [chap] = noop
(82)     [mschap] = noop
(82)     [digest] = noop
(82) suffix: Checking for suffix after "@"
(82) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(82) suffix: No such realm "NULL"
(82)     [suffix] = noop
(82) eap: Peer sent EAP Response (code 2) ID 82 length 163
(82) eap: Continuing tunnel setup
(82)     [eap] = ok
(82)   } # authorize = ok
(82) Found Auth-Type = eap
(82) # Executing group from file /etc/raddb/sites-enabled/default
(82)   authenticate {
(82) eap: Expiring EAP session with state 0x124efabc121ce35a
(82) eap: Finished EAP session with state 0x124efabc121ce35a
(82) eap: Previous EAP request found for state 0x124efabc121ce35a, released from the list
(82) eap: Peer sent packet with method EAP PEAP (25)
(82) eap: Calling submodule eap_peap to process data
(82) eap_peap: Continuing EAP-TLS
(82) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(82) eap_peap: Got complete TLS record (153 bytes)
(82) eap_peap: [eaptls verify] = length included
(82) eap_peap: (other): before/accept initialization
(82) eap_peap: TLS_accept: before/accept initialization
(82) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(82) eap_peap: TLS_accept: SSLv3 read client hello A
(82) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(82) eap_peap: TLS_accept: SSLv3 write server hello A
(82) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(82) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(82) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(82) eap_peap: TLS_accept: SSLv3 write finished A
(82) eap_peap: TLS_accept: SSLv3 flush data
(82) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(82) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(82) eap_peap: In SSL Handshake Phase
(82) eap_peap: In SSL Accept mode
(82) eap_peap: [eaptls process] = handled
(82) eap: Sending EAP Request (code 1) ID 83 length 159
(82) eap: EAP session adding &reply:State = 0x124efabc131de35a
(82)     [eap] = handled
(82)   } # authenticate = handled
(82) Using Post-Auth-Type Challenge
(82) Post-Auth-Type sub-section not found.  Ignoring.
(82) # Executing group from file /etc/raddb/sites-enabled/default
(82) Sent Access-Challenge Id 73 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(82)   EAP-Message = 0x0153009f19001603010059020000550301574f326e9251ffdf531d9e84e3b385da20583ec8cdd7c56ca39f91c6293f97a62099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003078fb5e573a2c9413
(82)   Message-Authenticator = 0x00000000000000000000000000000000
(82)   State = 0x124efabc131de35a4b02bb1ea15ca589
(82) Finished request
Waking up in 2.8 seconds.
(83) Received Access-Request Id 74 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(83)   User-Name = "vkratsberg"
(83)   NAS-Port = 358
(83)   State = 0x124efabc131de35a4b02bb1ea15ca589
(83)   EAP-Message = 0x0253004519800000003b14030100010116030100301266e300ac421ba5d9e19f00ec51a61703c20fd932962ba25b22db8c55eec694fa229c39ab030858b40bbe4f9e6e9881
(83)   Message-Authenticator = 0xb615c1b8c117553d8244549e0c2c07e6
(83)   Acct-Session-Id = "8O2.1x81bb0d5700014886"
(83)   NAS-Port-Id = "ge-3/0/6.0"
(83)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(83)   Called-Station-Id = "ec-3e-f7-68-35-00"
(83)   NAS-IP-Address = 10.8.0.111
(83)   NAS-Identifier = "nyc-access-sw011"
(83)   NAS-Port-Type = Ethernet
(83) session-state: No cached attributes
(83) # Executing section authorize from file /etc/raddb/sites-enabled/default
(83)   authorize {
(83)     policy filter_username {
(83)       if (&User-Name) {
(83)       if (&User-Name)  -> TRUE
(83)       if (&User-Name)  {
(83)         if (&User-Name =~ / /) {
(83)         if (&User-Name =~ / /)  -> FALSE
(83)         if (&User-Name =~ /@[^@]*@/ ) {
(83)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(83)         if (&User-Name =~ /\.\./ ) {
(83)         if (&User-Name =~ /\.\./ )  -> FALSE
(83)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(83)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(83)         if (&User-Name =~ /\.$/)  {
(83)         if (&User-Name =~ /\.$/)   -> FALSE
(83)         if (&User-Name =~ /@\./)  {
(83)         if (&User-Name =~ /@\./)   -> FALSE
(83)       } # if (&User-Name)  = notfound
(83)     } # policy filter_username = notfound
(83)     [preprocess] = ok
(83)     [chap] = noop
(83)     [mschap] = noop
(83)     [digest] = noop
(83) suffix: Checking for suffix after "@"
(83) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(83) suffix: No such realm "NULL"
(83)     [suffix] = noop
(83) eap: Peer sent EAP Response (code 2) ID 83 length 69
(83) eap: Continuing tunnel setup
(83)     [eap] = ok
(83)   } # authorize = ok
(83) Found Auth-Type = eap
(83) # Executing group from file /etc/raddb/sites-enabled/default
(83)   authenticate {
(83) eap: Expiring EAP session with state 0x124efabc131de35a
(83) eap: Finished EAP session with state 0x124efabc131de35a
(83) eap: Previous EAP request found for state 0x124efabc131de35a, released from the list
(83) eap: Peer sent packet with method EAP PEAP (25)
(83) eap: Calling submodule eap_peap to process data
(83) eap_peap: Continuing EAP-TLS
(83) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(83) eap_peap: Got complete TLS record (59 bytes)
(83) eap_peap: [eaptls verify] = length included
(83) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(83) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(83) eap_peap: TLS_accept: SSLv3 read finished A
(83) eap_peap: (other): SSL negotiation finished successfully
(83) eap_peap: SSL Connection Established
(83) eap_peap: SSL Application Data
(83) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(83) eap_peap:   reply:User-Name = "vkratsberg"
(83) eap_peap: [eaptls process] = success
(83) eap_peap: Session established.  Decoding tunneled attributes
(83) eap_peap: PEAP state TUNNEL ESTABLISHED
(83) eap_peap: Skipping Phase2 because of session resumption
(83) eap_peap: SUCCESS
(83) eap: Sending EAP Request (code 1) ID 84 length 43
(83) eap: EAP session adding &reply:State = 0x124efabc101ae35a
(83)     [eap] = handled
(83)   } # authenticate = handled
(83) Using Post-Auth-Type Challenge
(83) Post-Auth-Type sub-section not found.  Ignoring.
(83) # Executing group from file /etc/raddb/sites-enabled/default
(83) Sent Access-Challenge Id 74 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(83)   User-Name = "vkratsberg"
(83)   EAP-Message = 0x0154002b190017030100207b833fb5009016b0056ddd1aafdda3ea598d45ea09e646aa38054068a1d5b1a2
(83)   Message-Authenticator = 0x00000000000000000000000000000000
(83)   State = 0x124efabc101ae35a4b02bb1ea15ca589
(83) Finished request
Waking up in 2.8 seconds.
(84) Received Access-Request Id 75 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(84)   User-Name = "vkratsberg"
(84)   NAS-Port = 358
(84)   State = 0x124efabc101ae35a4b02bb1ea15ca589
(84)   EAP-Message = 0x0254002b190017030100202e05bdd2b88e459668fa905c963fa8a23afa03d182f74c67de436ef6baeb4f7c
(84)   Message-Authenticator = 0xb74eb98025e64f3a7658bf29279ac41d
(84)   Acct-Session-Id = "8O2.1x81bb0d5700014886"
(84)   NAS-Port-Id = "ge-3/0/6.0"
(84)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(84)   Called-Station-Id = "ec-3e-f7-68-35-00"
(84)   NAS-IP-Address = 10.8.0.111
(84)   NAS-Identifier = "nyc-access-sw011"
(84)   NAS-Port-Type = Ethernet
(84) session-state: No cached attributes
(84) # Executing section authorize from file /etc/raddb/sites-enabled/default
(84)   authorize {
(84)     policy filter_username {
(84)       if (&User-Name) {
(84)       if (&User-Name)  -> TRUE
(84)       if (&User-Name)  {
(84)         if (&User-Name =~ / /) {
(84)         if (&User-Name =~ / /)  -> FALSE
(84)         if (&User-Name =~ /@[^@]*@/ ) {
(84)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(84)         if (&User-Name =~ /\.\./ ) {
(84)         if (&User-Name =~ /\.\./ )  -> FALSE
(84)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(84)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(84)         if (&User-Name =~ /\.$/)  {
(84)         if (&User-Name =~ /\.$/)   -> FALSE
(84)         if (&User-Name =~ /@\./)  {
(84)         if (&User-Name =~ /@\./)   -> FALSE
(84)       } # if (&User-Name)  = notfound
(84)     } # policy filter_username = notfound
(84)     [preprocess] = ok
(84)     [chap] = noop
(84)     [mschap] = noop
(84)     [digest] = noop
(84) suffix: Checking for suffix after "@"
(84) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(84) suffix: No such realm "NULL"
(84)     [suffix] = noop
(84) eap: Peer sent EAP Response (code 2) ID 84 length 43
(84) eap: Continuing tunnel setup
(84)     [eap] = ok
(84)   } # authorize = ok
(84) Found Auth-Type = eap
(84) # Executing group from file /etc/raddb/sites-enabled/default
(84)   authenticate {
(84) eap: Expiring EAP session with state 0x124efabc101ae35a
(84) eap: Finished EAP session with state 0x124efabc101ae35a
(84) eap: Previous EAP request found for state 0x124efabc101ae35a, released from the list
(84) eap: Peer sent packet with method EAP PEAP (25)
(84) eap: Calling submodule eap_peap to process data
(84) eap_peap: Continuing EAP-TLS
(84) eap_peap: [eaptls verify] = ok
(84) eap_peap: Done initial handshake
(84) eap_peap: [eaptls process] = ok
(84) eap_peap: Session established.  Decoding tunneled attributes
(84) eap_peap: PEAP state send tlv success
(84) eap_peap: Received EAP-TLV response
(84) eap_peap: Success
(84) eap_peap: No saved attributes in the original Access-Accept
(84) eap: Sending EAP Success (code 3) ID 84 length 4
(84) eap: Freeing handler
(84)     [eap] = ok
(84)   } # authenticate = ok
(84) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(84)   post-auth {
(84)     update {
(84)       No attributes updated
(84)     } # update = noop
(84)     [exec] = noop
(84)     policy remove_reply_message_if_eap {
(84)       if (&reply:EAP-Message && &reply:Reply-Message) {
(84)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(84)       else {
(84)         [noop] = noop
(84)       } # else = noop
(84)     } # policy remove_reply_message_if_eap = noop
(84)   } # post-auth = noop
(84) Sent Access-Accept Id 75 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(84)   MS-MPPE-Recv-Key = 0x9bc1b246fb71c4fe201e17ba2ebdcd0a4734b8b6e015516f3657923999dde66d
(84)   MS-MPPE-Send-Key = 0x8d49b1716e06afc30d789984faee36f7b40fb8e8271ab87cd3ca03b0255920ae
(84)   EAP-Message = 0x03540004
(84)   Message-Authenticator = 0x00000000000000000000000000000000
(84)   User-Name = "vkratsberg"
(84) Finished request
Waking up in 2.8 seconds.
(85) Received Access-Request Id 76 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(85)   User-Name = "vkratsberg"
(85)   NAS-Port = 358
(85)   EAP-Message = 0x0255000f01766b7261747362657267
(85)   Message-Authenticator = 0x0ac312fd287d347f488511266471d76f
(85)   Acct-Session-Id = "8O2.1x81bb0d580002eae1"
(85)   NAS-Port-Id = "ge-3/0/6.0"
(85)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(85)   Called-Station-Id = "ec-3e-f7-68-35-00"
(85)   NAS-IP-Address = 10.8.0.111
(85)   NAS-Identifier = "nyc-access-sw011"
(85)   NAS-Port-Type = Ethernet
(85) # Executing section authorize from file /etc/raddb/sites-enabled/default
(85)   authorize {
(85)     policy filter_username {
(85)       if (&User-Name) {
(85)       if (&User-Name)  -> TRUE
(85)       if (&User-Name)  {
(85)         if (&User-Name =~ / /) {
(85)         if (&User-Name =~ / /)  -> FALSE
(85)         if (&User-Name =~ /@[^@]*@/ ) {
(85)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(85)         if (&User-Name =~ /\.\./ ) {
(85)         if (&User-Name =~ /\.\./ )  -> FALSE
(85)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(85)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(85)         if (&User-Name =~ /\.$/)  {
(85)         if (&User-Name =~ /\.$/)   -> FALSE
(85)         if (&User-Name =~ /@\./)  {
(85)         if (&User-Name =~ /@\./)   -> FALSE
(85)       } # if (&User-Name)  = notfound
(85)     } # policy filter_username = notfound
(85)     [preprocess] = ok
(85)     [chap] = noop
(85)     [mschap] = noop
(85)     [digest] = noop
(85) suffix: Checking for suffix after "@"
(85) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(85) suffix: No such realm "NULL"
(85)     [suffix] = noop
(85) eap: Peer sent EAP Response (code 2) ID 85 length 15
(85) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(85)     [eap] = ok
(85)   } # authorize = ok
(85) Found Auth-Type = eap
(85) # Executing group from file /etc/raddb/sites-enabled/default
(85)   authenticate {
(85) eap: Peer sent packet with method EAP Identity (1)
(85) eap: Calling submodule eap_peap to process data
(85) eap_peap: Initiating new EAP-TLS session
(85) eap_peap: [eaptls start] = request
(85) eap: Sending EAP Request (code 1) ID 86 length 6
(85) eap: EAP session adding &reply:State = 0x3b7152a53b274b41
(85)     [eap] = handled
(85)   } # authenticate = handled
(85) Using Post-Auth-Type Challenge
(85) Post-Auth-Type sub-section not found.  Ignoring.
(85) # Executing group from file /etc/raddb/sites-enabled/default
(85) Sent Access-Challenge Id 76 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(85)   EAP-Message = 0x015600061920
(85)   Message-Authenticator = 0x00000000000000000000000000000000
(85)   State = 0x3b7152a53b274b416fcd4be241112892
(85) Finished request
Waking up in 2.7 seconds.
(86) Received Access-Request Id 77 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(86)   User-Name = "vkratsberg"
(86)   NAS-Port = 358
(86)   State = 0x3b7152a53b274b416fcd4be241112892
(86)   EAP-Message = 0x025600a31980000000991603010094010000900301574f326ebb91bcf6cb8ace947cffb47307e3e9b83d2f27807b7aa1dbcd0762f62099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(86)   Message-Authenticator = 0x706d3f53ca731570a55ab25374759a48
(86)   Acct-Session-Id = "8O2.1x81bb0d580002eae1"
(86)   NAS-Port-Id = "ge-3/0/6.0"
(86)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(86)   Called-Station-Id = "ec-3e-f7-68-35-00"
(86)   NAS-IP-Address = 10.8.0.111
(86)   NAS-Identifier = "nyc-access-sw011"
(86)   NAS-Port-Type = Ethernet
(86) session-state: No cached attributes
(86) # Executing section authorize from file /etc/raddb/sites-enabled/default
(86)   authorize {
(86)     policy filter_username {
(86)       if (&User-Name) {
(86)       if (&User-Name)  -> TRUE
(86)       if (&User-Name)  {
(86)         if (&User-Name =~ / /) {
(86)         if (&User-Name =~ / /)  -> FALSE
(86)         if (&User-Name =~ /@[^@]*@/ ) {
(86)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(86)         if (&User-Name =~ /\.\./ ) {
(86)         if (&User-Name =~ /\.\./ )  -> FALSE
(86)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(86)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(86)         if (&User-Name =~ /\.$/)  {
(86)         if (&User-Name =~ /\.$/)   -> FALSE
(86)         if (&User-Name =~ /@\./)  {
(86)         if (&User-Name =~ /@\./)   -> FALSE
(86)       } # if (&User-Name)  = notfound
(86)     } # policy filter_username = notfound
(86)     [preprocess] = ok
(86)     [chap] = noop
(86)     [mschap] = noop
(86)     [digest] = noop
(86) suffix: Checking for suffix after "@"
(86) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(86) suffix: No such realm "NULL"
(86)     [suffix] = noop
(86) eap: Peer sent EAP Response (code 2) ID 86 length 163
(86) eap: Continuing tunnel setup
(86)     [eap] = ok
(86)   } # authorize = ok
(86) Found Auth-Type = eap
(86) # Executing group from file /etc/raddb/sites-enabled/default
(86)   authenticate {
(86) eap: Expiring EAP session with state 0x3b7152a53b274b41
(86) eap: Finished EAP session with state 0x3b7152a53b274b41
(86) eap: Previous EAP request found for state 0x3b7152a53b274b41, released from the list
(86) eap: Peer sent packet with method EAP PEAP (25)
(86) eap: Calling submodule eap_peap to process data
(86) eap_peap: Continuing EAP-TLS
(86) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(86) eap_peap: Got complete TLS record (153 bytes)
(86) eap_peap: [eaptls verify] = length included
(86) eap_peap: (other): before/accept initialization
(86) eap_peap: TLS_accept: before/accept initialization
(86) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(86) eap_peap: TLS_accept: SSLv3 read client hello A
(86) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(86) eap_peap: TLS_accept: SSLv3 write server hello A
(86) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(86) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(86) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(86) eap_peap: TLS_accept: SSLv3 write finished A
(86) eap_peap: TLS_accept: SSLv3 flush data
(86) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(86) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(86) eap_peap: In SSL Handshake Phase
(86) eap_peap: In SSL Accept mode
(86) eap_peap: [eaptls process] = handled
(86) eap: Sending EAP Request (code 1) ID 87 length 159
(86) eap: EAP session adding &reply:State = 0x3b7152a53a264b41
(86)     [eap] = handled
(86)   } # authenticate = handled
(86) Using Post-Auth-Type Challenge
(86) Post-Auth-Type sub-section not found.  Ignoring.
(86) # Executing group from file /etc/raddb/sites-enabled/default
(86) Sent Access-Challenge Id 77 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(86)   EAP-Message = 0x0157009f19001603010059020000550301574f326e23599f5a8f9ecc24f0407fd25fb73626febbe9feb50ecff65a0a670f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030b2a30d96e7fa6513
(86)   Message-Authenticator = 0x00000000000000000000000000000000
(86)   State = 0x3b7152a53a264b416fcd4be241112892
(86) Finished request
Waking up in 2.7 seconds.
(87) Received Access-Request Id 78 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(87)   User-Name = "vkratsberg"
(87)   NAS-Port = 358
(87)   State = 0x3b7152a53a264b416fcd4be241112892
(87)   EAP-Message = 0x0257004519800000003b1403010001011603010030c576be4b2fc9ec7cbd9612c1b29bf931ef0bd9ee31bd2e5f474ba2b5d2e7c5403be1764d4a3f546b53eb45fad068590d
(87)   Message-Authenticator = 0x68e3cb2677fb8d8a7a46022cf5b55354
(87)   Acct-Session-Id = "8O2.1x81bb0d580002eae1"
(87)   NAS-Port-Id = "ge-3/0/6.0"
(87)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(87)   Called-Station-Id = "ec-3e-f7-68-35-00"
(87)   NAS-IP-Address = 10.8.0.111
(87)   NAS-Identifier = "nyc-access-sw011"
(87)   NAS-Port-Type = Ethernet
(87) session-state: No cached attributes
(87) # Executing section authorize from file /etc/raddb/sites-enabled/default
(87)   authorize {
(87)     policy filter_username {
(87)       if (&User-Name) {
(87)       if (&User-Name)  -> TRUE
(87)       if (&User-Name)  {
(87)         if (&User-Name =~ / /) {
(87)         if (&User-Name =~ / /)  -> FALSE
(87)         if (&User-Name =~ /@[^@]*@/ ) {
(87)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(87)         if (&User-Name =~ /\.\./ ) {
(87)         if (&User-Name =~ /\.\./ )  -> FALSE
(87)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(87)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(87)         if (&User-Name =~ /\.$/)  {
(87)         if (&User-Name =~ /\.$/)   -> FALSE
(87)         if (&User-Name =~ /@\./)  {
(87)         if (&User-Name =~ /@\./)   -> FALSE
(87)       } # if (&User-Name)  = notfound
(87)     } # policy filter_username = notfound
(87)     [preprocess] = ok
(87)     [chap] = noop
(87)     [mschap] = noop
(87)     [digest] = noop
(87) suffix: Checking for suffix after "@"
(87) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(87) suffix: No such realm "NULL"
(87)     [suffix] = noop
(87) eap: Peer sent EAP Response (code 2) ID 87 length 69
(87) eap: Continuing tunnel setup
(87)     [eap] = ok
(87)   } # authorize = ok
(87) Found Auth-Type = eap
(87) # Executing group from file /etc/raddb/sites-enabled/default
(87)   authenticate {
(87) eap: Expiring EAP session with state 0x3b7152a53a264b41
(87) eap: Finished EAP session with state 0x3b7152a53a264b41
(87) eap: Previous EAP request found for state 0x3b7152a53a264b41, released from the list
(87) eap: Peer sent packet with method EAP PEAP (25)
(87) eap: Calling submodule eap_peap to process data
(87) eap_peap: Continuing EAP-TLS
(87) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(87) eap_peap: Got complete TLS record (59 bytes)
(87) eap_peap: [eaptls verify] = length included
(87) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(87) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(87) eap_peap: TLS_accept: SSLv3 read finished A
(87) eap_peap: (other): SSL negotiation finished successfully
(87) eap_peap: SSL Connection Established
(87) eap_peap: SSL Application Data
(87) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(87) eap_peap:   reply:User-Name = "vkratsberg"
(87) eap_peap: [eaptls process] = success
(87) eap_peap: Session established.  Decoding tunneled attributes
(87) eap_peap: PEAP state TUNNEL ESTABLISHED
(87) eap_peap: Skipping Phase2 because of session resumption
(87) eap_peap: SUCCESS
(87) eap: Sending EAP Request (code 1) ID 88 length 43
(87) eap: EAP session adding &reply:State = 0x3b7152a539294b41
(87)     [eap] = handled
(87)   } # authenticate = handled
(87) Using Post-Auth-Type Challenge
(87) Post-Auth-Type sub-section not found.  Ignoring.
(87) # Executing group from file /etc/raddb/sites-enabled/default
(87) Sent Access-Challenge Id 78 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(87)   User-Name = "vkratsberg"
(87)   EAP-Message = 0x0158002b19001703010020a4a5da500e5e980a9e690dd27c048e0d36f2362c1e0110ef24494bcfe6adec53
(87)   Message-Authenticator = 0x00000000000000000000000000000000
(87)   State = 0x3b7152a539294b416fcd4be241112892
(87) Finished request
Waking up in 2.7 seconds.
(88) Received Access-Request Id 79 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(88)   User-Name = "vkratsberg"
(88)   NAS-Port = 358
(88)   State = 0x3b7152a539294b416fcd4be241112892
(88)   EAP-Message = 0x0258002b1900170301002026834beaea1c74d4d0925321c266ddc7cab8faa172c0a087aea18306bb70e34d
(88)   Message-Authenticator = 0xa1dfa2afac327a3168c21a689fce866c
(88)   Acct-Session-Id = "8O2.1x81bb0d580002eae1"
(88)   NAS-Port-Id = "ge-3/0/6.0"
(88)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(88)   Called-Station-Id = "ec-3e-f7-68-35-00"
(88)   NAS-IP-Address = 10.8.0.111
(88)   NAS-Identifier = "nyc-access-sw011"
(88)   NAS-Port-Type = Ethernet
(88) session-state: No cached attributes
(88) # Executing section authorize from file /etc/raddb/sites-enabled/default
(88)   authorize {
(88)     policy filter_username {
(88)       if (&User-Name) {
(88)       if (&User-Name)  -> TRUE
(88)       if (&User-Name)  {
(88)         if (&User-Name =~ / /) {
(88)         if (&User-Name =~ / /)  -> FALSE
(88)         if (&User-Name =~ /@[^@]*@/ ) {
(88)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(88)         if (&User-Name =~ /\.\./ ) {
(88)         if (&User-Name =~ /\.\./ )  -> FALSE
(88)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(88)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(88)         if (&User-Name =~ /\.$/)  {
(88)         if (&User-Name =~ /\.$/)   -> FALSE
(88)         if (&User-Name =~ /@\./)  {
(88)         if (&User-Name =~ /@\./)   -> FALSE
(88)       } # if (&User-Name)  = notfound
(88)     } # policy filter_username = notfound
(88)     [preprocess] = ok
(88)     [chap] = noop
(88)     [mschap] = noop
(88)     [digest] = noop
(88) suffix: Checking for suffix after "@"
(88) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(88) suffix: No such realm "NULL"
(88)     [suffix] = noop
(88) eap: Peer sent EAP Response (code 2) ID 88 length 43
(88) eap: Continuing tunnel setup
(88)     [eap] = ok
(88)   } # authorize = ok
(88) Found Auth-Type = eap
(88) # Executing group from file /etc/raddb/sites-enabled/default
(88)   authenticate {
(88) eap: Expiring EAP session with state 0x3b7152a539294b41
(88) eap: Finished EAP session with state 0x3b7152a539294b41
(88) eap: Previous EAP request found for state 0x3b7152a539294b41, released from the list
(88) eap: Peer sent packet with method EAP PEAP (25)
(88) eap: Calling submodule eap_peap to process data
(88) eap_peap: Continuing EAP-TLS
(88) eap_peap: [eaptls verify] = ok
(88) eap_peap: Done initial handshake
(88) eap_peap: [eaptls process] = ok
(88) eap_peap: Session established.  Decoding tunneled attributes
(88) eap_peap: PEAP state send tlv success
(88) eap_peap: Received EAP-TLV response
(88) eap_peap: Success
(88) eap_peap: No saved attributes in the original Access-Accept
(88) eap: Sending EAP Success (code 3) ID 88 length 4
(88) eap: Freeing handler
(88)     [eap] = ok
(88)   } # authenticate = ok
(88) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(88)   post-auth {
(88)     update {
(88)       No attributes updated
(88)     } # update = noop
(88)     [exec] = noop
(88)     policy remove_reply_message_if_eap {
(88)       if (&reply:EAP-Message && &reply:Reply-Message) {
(88)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(88)       else {
(88)         [noop] = noop
(88)       } # else = noop
(88)     } # policy remove_reply_message_if_eap = noop
(88)   } # post-auth = noop
(88) Sent Access-Accept Id 79 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(88)   MS-MPPE-Recv-Key = 0xe291261f2cc017d702e2dbdbaeabf9dd716cc62de3562da313f86c3e50e72749
(88)   MS-MPPE-Send-Key = 0x1c295f7506a85a11a19879d3ff8b6409796bbb1de7cdd94462b1ab2ebfc3766e
(88)   EAP-Message = 0x03580004
(88)   Message-Authenticator = 0x00000000000000000000000000000000
(88)   User-Name = "vkratsberg"
(88) Finished request
Waking up in 2.7 seconds.
(89) Received Access-Request Id 80 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(89)   User-Name = "vkratsberg"
(89)   NAS-Port = 358
(89)   EAP-Message = 0x0259000f01766b7261747362657267
(89)   Message-Authenticator = 0xbc0cbf1be3e746a67eb893c132ce3e79
(89)   Acct-Session-Id = "8O2.1x81bb0d5900048a0b"
(89)   NAS-Port-Id = "ge-3/0/6.0"
(89)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(89)   Called-Station-Id = "ec-3e-f7-68-35-00"
(89)   NAS-IP-Address = 10.8.0.111
(89)   NAS-Identifier = "nyc-access-sw011"
(89)   NAS-Port-Type = Ethernet
(89) # Executing section authorize from file /etc/raddb/sites-enabled/default
(89)   authorize {
(89)     policy filter_username {
(89)       if (&User-Name) {
(89)       if (&User-Name)  -> TRUE
(89)       if (&User-Name)  {
(89)         if (&User-Name =~ / /) {
(89)         if (&User-Name =~ / /)  -> FALSE
(89)         if (&User-Name =~ /@[^@]*@/ ) {
(89)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(89)         if (&User-Name =~ /\.\./ ) {
(89)         if (&User-Name =~ /\.\./ )  -> FALSE
(89)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(89)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(89)         if (&User-Name =~ /\.$/)  {
(89)         if (&User-Name =~ /\.$/)   -> FALSE
(89)         if (&User-Name =~ /@\./)  {
(89)         if (&User-Name =~ /@\./)   -> FALSE
(89)       } # if (&User-Name)  = notfound
(89)     } # policy filter_username = notfound
(89)     [preprocess] = ok
(89)     [chap] = noop
(89)     [mschap] = noop
(89)     [digest] = noop
(89) suffix: Checking for suffix after "@"
(89) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(89) suffix: No such realm "NULL"
(89)     [suffix] = noop
(89) eap: Peer sent EAP Response (code 2) ID 89 length 15
(89) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(89)     [eap] = ok
(89)   } # authorize = ok
(89) Found Auth-Type = eap
(89) # Executing group from file /etc/raddb/sites-enabled/default
(89)   authenticate {
(89) eap: Peer sent packet with method EAP Identity (1)
(89) eap: Calling submodule eap_peap to process data
(89) eap_peap: Initiating new EAP-TLS session
(89) eap_peap: [eaptls start] = request
(89) eap: Sending EAP Request (code 1) ID 90 length 6
(89) eap: EAP session adding &reply:State = 0x336ec4043334dd13
(89)     [eap] = handled
(89)   } # authenticate = handled
(89) Using Post-Auth-Type Challenge
(89) Post-Auth-Type sub-section not found.  Ignoring.
(89) # Executing group from file /etc/raddb/sites-enabled/default
(89) Sent Access-Challenge Id 80 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(89)   EAP-Message = 0x015a00061920
(89)   Message-Authenticator = 0x00000000000000000000000000000000
(89)   State = 0x336ec4043334dd13a800f7ee07e427da
(89) Finished request
Waking up in 2.6 seconds.
(90) Received Access-Request Id 81 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(90)   User-Name = "vkratsberg"
(90)   NAS-Port = 358
(90)   State = 0x336ec4043334dd13a800f7ee07e427da
(90)   EAP-Message = 0x025a00a31980000000991603010094010000900301574f326e301b7acd2ce94776019cbef3ea78f63e72a20feb2bdc424e59ff36892099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(90)   Message-Authenticator = 0xb1e174adad134e4ffd4e4c2f9e65ca7d
(90)   Acct-Session-Id = "8O2.1x81bb0d5900048a0b"
(90)   NAS-Port-Id = "ge-3/0/6.0"
(90)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(90)   Called-Station-Id = "ec-3e-f7-68-35-00"
(90)   NAS-IP-Address = 10.8.0.111
(90)   NAS-Identifier = "nyc-access-sw011"
(90)   NAS-Port-Type = Ethernet
(90) session-state: No cached attributes
(90) # Executing section authorize from file /etc/raddb/sites-enabled/default
(90)   authorize {
(90)     policy filter_username {
(90)       if (&User-Name) {
(90)       if (&User-Name)  -> TRUE
(90)       if (&User-Name)  {
(90)         if (&User-Name =~ / /) {
(90)         if (&User-Name =~ / /)  -> FALSE
(90)         if (&User-Name =~ /@[^@]*@/ ) {
(90)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(90)         if (&User-Name =~ /\.\./ ) {
(90)         if (&User-Name =~ /\.\./ )  -> FALSE
(90)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(90)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(90)         if (&User-Name =~ /\.$/)  {
(90)         if (&User-Name =~ /\.$/)   -> FALSE
(90)         if (&User-Name =~ /@\./)  {
(90)         if (&User-Name =~ /@\./)   -> FALSE
(90)       } # if (&User-Name)  = notfound
(90)     } # policy filter_username = notfound
(90)     [preprocess] = ok
(90)     [chap] = noop
(90)     [mschap] = noop
(90)     [digest] = noop
(90) suffix: Checking for suffix after "@"
(90) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(90) suffix: No such realm "NULL"
(90)     [suffix] = noop
(90) eap: Peer sent EAP Response (code 2) ID 90 length 163
(90) eap: Continuing tunnel setup
(90)     [eap] = ok
(90)   } # authorize = ok
(90) Found Auth-Type = eap
(90) # Executing group from file /etc/raddb/sites-enabled/default
(90)   authenticate {
(90) eap: Expiring EAP session with state 0x336ec4043334dd13
(90) eap: Finished EAP session with state 0x336ec4043334dd13
(90) eap: Previous EAP request found for state 0x336ec4043334dd13, released from the list
(90) eap: Peer sent packet with method EAP PEAP (25)
(90) eap: Calling submodule eap_peap to process data
(90) eap_peap: Continuing EAP-TLS
(90) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(90) eap_peap: Got complete TLS record (153 bytes)
(90) eap_peap: [eaptls verify] = length included
(90) eap_peap: (other): before/accept initialization
(90) eap_peap: TLS_accept: before/accept initialization
(90) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(90) eap_peap: TLS_accept: SSLv3 read client hello A
(90) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(90) eap_peap: TLS_accept: SSLv3 write server hello A
(90) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(90) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(90) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(90) eap_peap: TLS_accept: SSLv3 write finished A
(90) eap_peap: TLS_accept: SSLv3 flush data
(90) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(90) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(90) eap_peap: In SSL Handshake Phase
(90) eap_peap: In SSL Accept mode
(90) eap_peap: [eaptls process] = handled
(90) eap: Sending EAP Request (code 1) ID 91 length 159
(90) eap: EAP session adding &reply:State = 0x336ec4043235dd13
(90)     [eap] = handled
(90)   } # authenticate = handled
(90) Using Post-Auth-Type Challenge
(90) Post-Auth-Type sub-section not found.  Ignoring.
(90) # Executing group from file /etc/raddb/sites-enabled/default
(90) Sent Access-Challenge Id 81 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(90)   EAP-Message = 0x015b009f19001603010059020000550301574f326e5fac314cffe0bff4b2c9e50cafda3dfdc76f110b56b0adac324f7e382099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100307b70bd88c1b729d5
(90)   Message-Authenticator = 0x00000000000000000000000000000000
(90)   State = 0x336ec4043235dd13a800f7ee07e427da
(90) Finished request
Waking up in 2.6 seconds.
(91) Received Access-Request Id 82 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(91)   User-Name = "vkratsberg"
(91)   NAS-Port = 358
(91)   State = 0x336ec4043235dd13a800f7ee07e427da
(91)   EAP-Message = 0x025b004519800000003b1403010001011603010030328179d00b4bffb8809784521fffdf920abc0bb8d7648ee02efc97cc2cc201989c478644da62dc2a9a0f8eac4c335e9d
(91)   Message-Authenticator = 0x16402ff5cd57e2ad1be37d9d11149e42
(91)   Acct-Session-Id = "8O2.1x81bb0d5900048a0b"
(91)   NAS-Port-Id = "ge-3/0/6.0"
(91)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(91)   Called-Station-Id = "ec-3e-f7-68-35-00"
(91)   NAS-IP-Address = 10.8.0.111
(91)   NAS-Identifier = "nyc-access-sw011"
(91)   NAS-Port-Type = Ethernet
(91) session-state: No cached attributes
(91) # Executing section authorize from file /etc/raddb/sites-enabled/default
(91)   authorize {
(91)     policy filter_username {
(91)       if (&User-Name) {
(91)       if (&User-Name)  -> TRUE
(91)       if (&User-Name)  {
(91)         if (&User-Name =~ / /) {
(91)         if (&User-Name =~ / /)  -> FALSE
(91)         if (&User-Name =~ /@[^@]*@/ ) {
(91)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(91)         if (&User-Name =~ /\.\./ ) {
(91)         if (&User-Name =~ /\.\./ )  -> FALSE
(91)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(91)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(91)         if (&User-Name =~ /\.$/)  {
(91)         if (&User-Name =~ /\.$/)   -> FALSE
(91)         if (&User-Name =~ /@\./)  {
(91)         if (&User-Name =~ /@\./)   -> FALSE
(91)       } # if (&User-Name)  = notfound
(91)     } # policy filter_username = notfound
(91)     [preprocess] = ok
(91)     [chap] = noop
(91)     [mschap] = noop
(91)     [digest] = noop
(91) suffix: Checking for suffix after "@"
(91) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(91) suffix: No such realm "NULL"
(91)     [suffix] = noop
(91) eap: Peer sent EAP Response (code 2) ID 91 length 69
(91) eap: Continuing tunnel setup
(91)     [eap] = ok
(91)   } # authorize = ok
(91) Found Auth-Type = eap
(91) # Executing group from file /etc/raddb/sites-enabled/default
(91)   authenticate {
(91) eap: Expiring EAP session with state 0x336ec4043235dd13
(91) eap: Finished EAP session with state 0x336ec4043235dd13
(91) eap: Previous EAP request found for state 0x336ec4043235dd13, released from the list
(91) eap: Peer sent packet with method EAP PEAP (25)
(91) eap: Calling submodule eap_peap to process data
(91) eap_peap: Continuing EAP-TLS
(91) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(91) eap_peap: Got complete TLS record (59 bytes)
(91) eap_peap: [eaptls verify] = length included
(91) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(91) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(91) eap_peap: TLS_accept: SSLv3 read finished A
(91) eap_peap: (other): SSL negotiation finished successfully
(91) eap_peap: SSL Connection Established
(91) eap_peap: SSL Application Data
(91) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(91) eap_peap:   reply:User-Name = "vkratsberg"
(91) eap_peap: [eaptls process] = success
(91) eap_peap: Session established.  Decoding tunneled attributes
(91) eap_peap: PEAP state TUNNEL ESTABLISHED
(91) eap_peap: Skipping Phase2 because of session resumption
(91) eap_peap: SUCCESS
(91) eap: Sending EAP Request (code 1) ID 92 length 43
(91) eap: EAP session adding &reply:State = 0x336ec4043132dd13
(91)     [eap] = handled
(91)   } # authenticate = handled
(91) Using Post-Auth-Type Challenge
(91) Post-Auth-Type sub-section not found.  Ignoring.
(91) # Executing group from file /etc/raddb/sites-enabled/default
(91) Sent Access-Challenge Id 82 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(91)   User-Name = "vkratsberg"
(91)   EAP-Message = 0x015c002b19001703010020f4b12f91d521c5412014b1d166d8d372f18d1e5ba22c985ee577732d24bf4945
(91)   Message-Authenticator = 0x00000000000000000000000000000000
(91)   State = 0x336ec4043132dd13a800f7ee07e427da
(91) Finished request
Waking up in 2.6 seconds.
(92) Received Access-Request Id 83 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(92)   User-Name = "vkratsberg"
(92)   NAS-Port = 358
(92)   State = 0x336ec4043132dd13a800f7ee07e427da
(92)   EAP-Message = 0x025c002b1900170301002085166d1d0b2d033d584aaaa25e3a332d752c4a744bfbf208973cc3d1c779be7d
(92)   Message-Authenticator = 0x8b4e507143f60fe7de2af0b3127673e7
(92)   Acct-Session-Id = "8O2.1x81bb0d5900048a0b"
(92)   NAS-Port-Id = "ge-3/0/6.0"
(92)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(92)   Called-Station-Id = "ec-3e-f7-68-35-00"
(92)   NAS-IP-Address = 10.8.0.111
(92)   NAS-Identifier = "nyc-access-sw011"
(92)   NAS-Port-Type = Ethernet
(92) session-state: No cached attributes
(92) # Executing section authorize from file /etc/raddb/sites-enabled/default
(92)   authorize {
(92)     policy filter_username {
(92)       if (&User-Name) {
(92)       if (&User-Name)  -> TRUE
(92)       if (&User-Name)  {
(92)         if (&User-Name =~ / /) {
(92)         if (&User-Name =~ / /)  -> FALSE
(92)         if (&User-Name =~ /@[^@]*@/ ) {
(92)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(92)         if (&User-Name =~ /\.\./ ) {
(92)         if (&User-Name =~ /\.\./ )  -> FALSE
(92)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(92)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(92)         if (&User-Name =~ /\.$/)  {
(92)         if (&User-Name =~ /\.$/)   -> FALSE
(92)         if (&User-Name =~ /@\./)  {
(92)         if (&User-Name =~ /@\./)   -> FALSE
(92)       } # if (&User-Name)  = notfound
(92)     } # policy filter_username = notfound
(92)     [preprocess] = ok
(92)     [chap] = noop
(92)     [mschap] = noop
(92)     [digest] = noop
(92) suffix: Checking for suffix after "@"
(92) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(92) suffix: No such realm "NULL"
(92)     [suffix] = noop
(92) eap: Peer sent EAP Response (code 2) ID 92 length 43
(92) eap: Continuing tunnel setup
(92)     [eap] = ok
(92)   } # authorize = ok
(92) Found Auth-Type = eap
(92) # Executing group from file /etc/raddb/sites-enabled/default
(92)   authenticate {
(92) eap: Expiring EAP session with state 0x336ec4043132dd13
(92) eap: Finished EAP session with state 0x336ec4043132dd13
(92) eap: Previous EAP request found for state 0x336ec4043132dd13, released from the list
(92) eap: Peer sent packet with method EAP PEAP (25)
(92) eap: Calling submodule eap_peap to process data
(92) eap_peap: Continuing EAP-TLS
(92) eap_peap: [eaptls verify] = ok
(92) eap_peap: Done initial handshake
(92) eap_peap: [eaptls process] = ok
(92) eap_peap: Session established.  Decoding tunneled attributes
(92) eap_peap: PEAP state send tlv success
(92) eap_peap: Received EAP-TLV response
(92) eap_peap: Success
(92) eap_peap: No saved attributes in the original Access-Accept
(92) eap: Sending EAP Success (code 3) ID 92 length 4
(92) eap: Freeing handler
(92)     [eap] = ok
(92)   } # authenticate = ok
(92) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(92)   post-auth {
(92)     update {
(92)       No attributes updated
(92)     } # update = noop
(92)     [exec] = noop
(92)     policy remove_reply_message_if_eap {
(92)       if (&reply:EAP-Message && &reply:Reply-Message) {
(92)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(92)       else {
(92)         [noop] = noop
(92)       } # else = noop
(92)     } # policy remove_reply_message_if_eap = noop
(92)   } # post-auth = noop
(92) Sent Access-Accept Id 83 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(92)   MS-MPPE-Recv-Key = 0xa6c546db07d18af2288bd6691d05d4a1f1798da0b652bf4e4a113e7b7c461613
(92)   MS-MPPE-Send-Key = 0xaf825fea97a6fb2b713387cc79e066a68f23b744d0979dfcac0e125383d48ce5
(92)   EAP-Message = 0x035c0004
(92)   Message-Authenticator = 0x00000000000000000000000000000000
(92)   User-Name = "vkratsberg"
(92) Finished request
Waking up in 2.6 seconds.
(93) Received Access-Request Id 84 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(93)   User-Name = "vkratsberg"
(93)   NAS-Port = 358
(93)   EAP-Message = 0x025d000f01766b7261747362657267
(93)   Message-Authenticator = 0xa447ac15cae1920618175e1b93ff058f
(93)   Acct-Session-Id = "8O2.1x81bb0d5a000623a8"
(93)   NAS-Port-Id = "ge-3/0/6.0"
(93)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(93)   Called-Station-Id = "ec-3e-f7-68-35-00"
(93)   NAS-IP-Address = 10.8.0.111
(93)   NAS-Identifier = "nyc-access-sw011"
(93)   NAS-Port-Type = Ethernet
(93) # Executing section authorize from file /etc/raddb/sites-enabled/default
(93)   authorize {
(93)     policy filter_username {
(93)       if (&User-Name) {
(93)       if (&User-Name)  -> TRUE
(93)       if (&User-Name)  {
(93)         if (&User-Name =~ / /) {
(93)         if (&User-Name =~ / /)  -> FALSE
(93)         if (&User-Name =~ /@[^@]*@/ ) {
(93)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(93)         if (&User-Name =~ /\.\./ ) {
(93)         if (&User-Name =~ /\.\./ )  -> FALSE
(93)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(93)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(93)         if (&User-Name =~ /\.$/)  {
(93)         if (&User-Name =~ /\.$/)   -> FALSE
(93)         if (&User-Name =~ /@\./)  {
(93)         if (&User-Name =~ /@\./)   -> FALSE
(93)       } # if (&User-Name)  = notfound
(93)     } # policy filter_username = notfound
(93)     [preprocess] = ok
(93)     [chap] = noop
(93)     [mschap] = noop
(93)     [digest] = noop
(93) suffix: Checking for suffix after "@"
(93) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(93) suffix: No such realm "NULL"
(93)     [suffix] = noop
(93) eap: Peer sent EAP Response (code 2) ID 93 length 15
(93) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(93)     [eap] = ok
(93)   } # authorize = ok
(93) Found Auth-Type = eap
(93) # Executing group from file /etc/raddb/sites-enabled/default
(93)   authenticate {
(93) eap: Peer sent packet with method EAP Identity (1)
(93) eap: Calling submodule eap_peap to process data
(93) eap_peap: Initiating new EAP-TLS session
(93) eap_peap: [eaptls start] = request
(93) eap: Sending EAP Request (code 1) ID 94 length 6
(93) eap: EAP session adding &reply:State = 0xbde7cbbabdb9d2df
(93)     [eap] = handled
(93)   } # authenticate = handled
(93) Using Post-Auth-Type Challenge
(93) Post-Auth-Type sub-section not found.  Ignoring.
(93) # Executing group from file /etc/raddb/sites-enabled/default
(93) Sent Access-Challenge Id 84 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(93)   EAP-Message = 0x015e00061920
(93)   Message-Authenticator = 0x00000000000000000000000000000000
(93)   State = 0xbde7cbbabdb9d2dfcbde6dec7edd0188
(93) Finished request
Waking up in 2.5 seconds.
(94) Received Access-Request Id 85 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(94)   User-Name = "vkratsberg"
(94)   NAS-Port = 358
(94)   State = 0xbde7cbbabdb9d2dfcbde6dec7edd0188
(94)   EAP-Message = 0x025e00a31980000000991603010094010000900301574f326e31adece178e9f81b036048de99aae537052b8338ca2f377a738112842099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(94)   Message-Authenticator = 0xdf7f65231a5d12e351ad18d9a59f8b54
(94)   Acct-Session-Id = "8O2.1x81bb0d5a000623a8"
(94)   NAS-Port-Id = "ge-3/0/6.0"
(94)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(94)   Called-Station-Id = "ec-3e-f7-68-35-00"
(94)   NAS-IP-Address = 10.8.0.111
(94)   NAS-Identifier = "nyc-access-sw011"
(94)   NAS-Port-Type = Ethernet
(94) session-state: No cached attributes
(94) # Executing section authorize from file /etc/raddb/sites-enabled/default
(94)   authorize {
(94)     policy filter_username {
(94)       if (&User-Name) {
(94)       if (&User-Name)  -> TRUE
(94)       if (&User-Name)  {
(94)         if (&User-Name =~ / /) {
(94)         if (&User-Name =~ / /)  -> FALSE
(94)         if (&User-Name =~ /@[^@]*@/ ) {
(94)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(94)         if (&User-Name =~ /\.\./ ) {
(94)         if (&User-Name =~ /\.\./ )  -> FALSE
(94)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(94)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(94)         if (&User-Name =~ /\.$/)  {
(94)         if (&User-Name =~ /\.$/)   -> FALSE
(94)         if (&User-Name =~ /@\./)  {
(94)         if (&User-Name =~ /@\./)   -> FALSE
(94)       } # if (&User-Name)  = notfound
(94)     } # policy filter_username = notfound
(94)     [preprocess] = ok
(94)     [chap] = noop
(94)     [mschap] = noop
(94)     [digest] = noop
(94) suffix: Checking for suffix after "@"
(94) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(94) suffix: No such realm "NULL"
(94)     [suffix] = noop
(94) eap: Peer sent EAP Response (code 2) ID 94 length 163
(94) eap: Continuing tunnel setup
(94)     [eap] = ok
(94)   } # authorize = ok
(94) Found Auth-Type = eap
(94) # Executing group from file /etc/raddb/sites-enabled/default
(94)   authenticate {
(94) eap: Expiring EAP session with state 0xbde7cbbabdb9d2df
(94) eap: Finished EAP session with state 0xbde7cbbabdb9d2df
(94) eap: Previous EAP request found for state 0xbde7cbbabdb9d2df, released from the list
(94) eap: Peer sent packet with method EAP PEAP (25)
(94) eap: Calling submodule eap_peap to process data
(94) eap_peap: Continuing EAP-TLS
(94) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(94) eap_peap: Got complete TLS record (153 bytes)
(94) eap_peap: [eaptls verify] = length included
(94) eap_peap: (other): before/accept initialization
(94) eap_peap: TLS_accept: before/accept initialization
(94) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(94) eap_peap: TLS_accept: SSLv3 read client hello A
(94) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(94) eap_peap: TLS_accept: SSLv3 write server hello A
(94) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(94) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(94) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(94) eap_peap: TLS_accept: SSLv3 write finished A
(94) eap_peap: TLS_accept: SSLv3 flush data
(94) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(94) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(94) eap_peap: In SSL Handshake Phase
(94) eap_peap: In SSL Accept mode
(94) eap_peap: [eaptls process] = handled
(94) eap: Sending EAP Request (code 1) ID 95 length 159
(94) eap: EAP session adding &reply:State = 0xbde7cbbabcb8d2df
(94)     [eap] = handled
(94)   } # authenticate = handled
(94) Using Post-Auth-Type Challenge
(94) Post-Auth-Type sub-section not found.  Ignoring.
(94) # Executing group from file /etc/raddb/sites-enabled/default
(94) Sent Access-Challenge Id 85 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(94)   EAP-Message = 0x015f009f19001603010059020000550301574f326e468c8ac247994e2e76c3cc38dbf0d90c6873b7d0e2835ddd82ea5a7f2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b00040300010214030100010116030100305adac9899fe87003
(94)   Message-Authenticator = 0x00000000000000000000000000000000
(94)   State = 0xbde7cbbabcb8d2dfcbde6dec7edd0188
(94) Finished request
Waking up in 2.5 seconds.
(95) Received Access-Request Id 86 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(95)   User-Name = "vkratsberg"
(95)   NAS-Port = 358
(95)   State = 0xbde7cbbabcb8d2dfcbde6dec7edd0188
(95)   EAP-Message = 0x025f004519800000003b14030100010116030100304fc2be6e26c19290d607cb6697e79b75d227c1652977c3c0494f9dadff32f2cc4136a62c97de18992a33c1a8df5e7b86
(95)   Message-Authenticator = 0x2bdfaebf7e7df10392ac31e52df42582
(95)   Acct-Session-Id = "8O2.1x81bb0d5a000623a8"
(95)   NAS-Port-Id = "ge-3/0/6.0"
(95)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(95)   Called-Station-Id = "ec-3e-f7-68-35-00"
(95)   NAS-IP-Address = 10.8.0.111
(95)   NAS-Identifier = "nyc-access-sw011"
(95)   NAS-Port-Type = Ethernet
(95) session-state: No cached attributes
(95) # Executing section authorize from file /etc/raddb/sites-enabled/default
(95)   authorize {
(95)     policy filter_username {
(95)       if (&User-Name) {
(95)       if (&User-Name)  -> TRUE
(95)       if (&User-Name)  {
(95)         if (&User-Name =~ / /) {
(95)         if (&User-Name =~ / /)  -> FALSE
(95)         if (&User-Name =~ /@[^@]*@/ ) {
(95)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(95)         if (&User-Name =~ /\.\./ ) {
(95)         if (&User-Name =~ /\.\./ )  -> FALSE
(95)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(95)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(95)         if (&User-Name =~ /\.$/)  {
(95)         if (&User-Name =~ /\.$/)   -> FALSE
(95)         if (&User-Name =~ /@\./)  {
(95)         if (&User-Name =~ /@\./)   -> FALSE
(95)       } # if (&User-Name)  = notfound
(95)     } # policy filter_username = notfound
(95)     [preprocess] = ok
(95)     [chap] = noop
(95)     [mschap] = noop
(95)     [digest] = noop
(95) suffix: Checking for suffix after "@"
(95) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(95) suffix: No such realm "NULL"
(95)     [suffix] = noop
(95) eap: Peer sent EAP Response (code 2) ID 95 length 69
(95) eap: Continuing tunnel setup
(95)     [eap] = ok
(95)   } # authorize = ok
(95) Found Auth-Type = eap
(95) # Executing group from file /etc/raddb/sites-enabled/default
(95)   authenticate {
(95) eap: Expiring EAP session with state 0xbde7cbbabcb8d2df
(95) eap: Finished EAP session with state 0xbde7cbbabcb8d2df
(95) eap: Previous EAP request found for state 0xbde7cbbabcb8d2df, released from the list
(95) eap: Peer sent packet with method EAP PEAP (25)
(95) eap: Calling submodule eap_peap to process data
(95) eap_peap: Continuing EAP-TLS
(95) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(95) eap_peap: Got complete TLS record (59 bytes)
(95) eap_peap: [eaptls verify] = length included
(95) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(95) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(95) eap_peap: TLS_accept: SSLv3 read finished A
(95) eap_peap: (other): SSL negotiation finished successfully
(95) eap_peap: SSL Connection Established
(95) eap_peap: SSL Application Data
(95) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(95) eap_peap:   reply:User-Name = "vkratsberg"
(95) eap_peap: [eaptls process] = success
(95) eap_peap: Session established.  Decoding tunneled attributes
(95) eap_peap: PEAP state TUNNEL ESTABLISHED
(95) eap_peap: Skipping Phase2 because of session resumption
(95) eap_peap: SUCCESS
(95) eap: Sending EAP Request (code 1) ID 96 length 43
(95) eap: EAP session adding &reply:State = 0xbde7cbbabf87d2df
(95)     [eap] = handled
(95)   } # authenticate = handled
(95) Using Post-Auth-Type Challenge
(95) Post-Auth-Type sub-section not found.  Ignoring.
(95) # Executing group from file /etc/raddb/sites-enabled/default
(95) Sent Access-Challenge Id 86 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(95)   User-Name = "vkratsberg"
(95)   EAP-Message = 0x0160002b1900170301002086aba8532d1f05c1a8d8559ed59a514f743470bff573c2b7a9696a7d10753e49
(95)   Message-Authenticator = 0x00000000000000000000000000000000
(95)   State = 0xbde7cbbabf87d2dfcbde6dec7edd0188
(95) Finished request
Waking up in 2.4 seconds.
(96) Received Access-Request Id 87 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(96)   User-Name = "vkratsberg"
(96)   NAS-Port = 358
(96)   State = 0xbde7cbbabf87d2dfcbde6dec7edd0188
(96)   EAP-Message = 0x0260002b190017030100209554142422bffaccc262c6dd19cfe3b6bc799dd79d3bd7d45ccb295234e6a71b
(96)   Message-Authenticator = 0x9276ff3b8e01eb61e56bd79b626c908e
(96)   Acct-Session-Id = "8O2.1x81bb0d5a000623a8"
(96)   NAS-Port-Id = "ge-3/0/6.0"
(96)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(96)   Called-Station-Id = "ec-3e-f7-68-35-00"
(96)   NAS-IP-Address = 10.8.0.111
(96)   NAS-Identifier = "nyc-access-sw011"
(96)   NAS-Port-Type = Ethernet
(96) session-state: No cached attributes
(96) # Executing section authorize from file /etc/raddb/sites-enabled/default
(96)   authorize {
(96)     policy filter_username {
(96)       if (&User-Name) {
(96)       if (&User-Name)  -> TRUE
(96)       if (&User-Name)  {
(96)         if (&User-Name =~ / /) {
(96)         if (&User-Name =~ / /)  -> FALSE
(96)         if (&User-Name =~ /@[^@]*@/ ) {
(96)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(96)         if (&User-Name =~ /\.\./ ) {
(96)         if (&User-Name =~ /\.\./ )  -> FALSE
(96)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(96)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(96)         if (&User-Name =~ /\.$/)  {
(96)         if (&User-Name =~ /\.$/)   -> FALSE
(96)         if (&User-Name =~ /@\./)  {
(96)         if (&User-Name =~ /@\./)   -> FALSE
(96)       } # if (&User-Name)  = notfound
(96)     } # policy filter_username = notfound
(96)     [preprocess] = ok
(96)     [chap] = noop
(96)     [mschap] = noop
(96)     [digest] = noop
(96) suffix: Checking for suffix after "@"
(96) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(96) suffix: No such realm "NULL"
(96)     [suffix] = noop
(96) eap: Peer sent EAP Response (code 2) ID 96 length 43
(96) eap: Continuing tunnel setup
(96)     [eap] = ok
(96)   } # authorize = ok
(96) Found Auth-Type = eap
(96) # Executing group from file /etc/raddb/sites-enabled/default
(96)   authenticate {
(96) eap: Expiring EAP session with state 0xbde7cbbabf87d2df
(96) eap: Finished EAP session with state 0xbde7cbbabf87d2df
(96) eap: Previous EAP request found for state 0xbde7cbbabf87d2df, released from the list
(96) eap: Peer sent packet with method EAP PEAP (25)
(96) eap: Calling submodule eap_peap to process data
(96) eap_peap: Continuing EAP-TLS
(96) eap_peap: [eaptls verify] = ok
(96) eap_peap: Done initial handshake
(96) eap_peap: [eaptls process] = ok
(96) eap_peap: Session established.  Decoding tunneled attributes
(96) eap_peap: PEAP state send tlv success
(96) eap_peap: Received EAP-TLV response
(96) eap_peap: Success
(96) eap_peap: No saved attributes in the original Access-Accept
(96) eap: Sending EAP Success (code 3) ID 96 length 4
(96) eap: Freeing handler
(96)     [eap] = ok
(96)   } # authenticate = ok
(96) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(96)   post-auth {
(96)     update {
(96)       No attributes updated
(96)     } # update = noop
(96)     [exec] = noop
(96)     policy remove_reply_message_if_eap {
(96)       if (&reply:EAP-Message && &reply:Reply-Message) {
(96)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(96)       else {
(96)         [noop] = noop
(96)       } # else = noop
(96)     } # policy remove_reply_message_if_eap = noop
(96)   } # post-auth = noop
(96) Sent Access-Accept Id 87 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(96)   MS-MPPE-Recv-Key = 0x7786c306b27af0b6a4cf9f7a3b663489f45f8e041dbac40682f4d79184b550cb
(96)   MS-MPPE-Send-Key = 0x5f9e02a9ba8aaa1dee69ee69c2e9fd0360d8ab777eff50d1b276e7409bec99ce
(96)   EAP-Message = 0x03600004
(96)   Message-Authenticator = 0x00000000000000000000000000000000
(96)   User-Name = "vkratsberg"
(96) Finished request
Waking up in 2.4 seconds.
(97) Received Access-Request Id 88 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(97)   User-Name = "vkratsberg"
(97)   NAS-Port = 358
(97)   EAP-Message = 0x0261000f01766b7261747362657267
(97)   Message-Authenticator = 0x58f388e0a9ff67b468bc5978073f1637
(97)   Acct-Session-Id = "8O2.1x81bb0d5b0007d8cd"
(97)   NAS-Port-Id = "ge-3/0/6.0"
(97)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(97)   Called-Station-Id = "ec-3e-f7-68-35-00"
(97)   NAS-IP-Address = 10.8.0.111
(97)   NAS-Identifier = "nyc-access-sw011"
(97)   NAS-Port-Type = Ethernet
(97) # Executing section authorize from file /etc/raddb/sites-enabled/default
(97)   authorize {
(97)     policy filter_username {
(97)       if (&User-Name) {
(97)       if (&User-Name)  -> TRUE
(97)       if (&User-Name)  {
(97)         if (&User-Name =~ / /) {
(97)         if (&User-Name =~ / /)  -> FALSE
(97)         if (&User-Name =~ /@[^@]*@/ ) {
(97)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(97)         if (&User-Name =~ /\.\./ ) {
(97)         if (&User-Name =~ /\.\./ )  -> FALSE
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(97)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(97)         if (&User-Name =~ /\.$/)  {
(97)         if (&User-Name =~ /\.$/)   -> FALSE
(97)         if (&User-Name =~ /@\./)  {
(97)         if (&User-Name =~ /@\./)   -> FALSE
(97)       } # if (&User-Name)  = notfound
(97)     } # policy filter_username = notfound
(97)     [preprocess] = ok
(97)     [chap] = noop
(97)     [mschap] = noop
(97)     [digest] = noop
(97) suffix: Checking for suffix after "@"
(97) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(97) suffix: No such realm "NULL"
(97)     [suffix] = noop
(97) eap: Peer sent EAP Response (code 2) ID 97 length 15
(97) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(97)     [eap] = ok
(97)   } # authorize = ok
(97) Found Auth-Type = eap
(97) # Executing group from file /etc/raddb/sites-enabled/default
(97)   authenticate {
(97) eap: Peer sent packet with method EAP Identity (1)
(97) eap: Calling submodule eap_peap to process data
(97) eap_peap: Initiating new EAP-TLS session
(97) eap_peap: [eaptls start] = request
(97) eap: Sending EAP Request (code 1) ID 98 length 6
(97) eap: EAP session adding &reply:State = 0x0ef775070e956ce1
(97)     [eap] = handled
(97)   } # authenticate = handled
(97) Using Post-Auth-Type Challenge
(97) Post-Auth-Type sub-section not found.  Ignoring.
(97) # Executing group from file /etc/raddb/sites-enabled/default
(97) Sent Access-Challenge Id 88 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(97)   EAP-Message = 0x016200061920
(97)   Message-Authenticator = 0x00000000000000000000000000000000
(97)   State = 0x0ef775070e956ce179117bd9194657b5
(97) Finished request
Waking up in 2.4 seconds.
(98) Received Access-Request Id 89 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(98)   User-Name = "vkratsberg"
(98)   NAS-Port = 358
(98)   State = 0x0ef775070e956ce179117bd9194657b5
(98)   EAP-Message = 0x026200a31980000000991603010094010000900301574f326efccec6e5ecc7accdda8722cc9baa8f4f994b7a6696dec9ccbf7648582099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(98)   Message-Authenticator = 0x176d64340a988c8d1a489ea869509897
(98)   Acct-Session-Id = "8O2.1x81bb0d5b0007d8cd"
(98)   NAS-Port-Id = "ge-3/0/6.0"
(98)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(98)   Called-Station-Id = "ec-3e-f7-68-35-00"
(98)   NAS-IP-Address = 10.8.0.111
(98)   NAS-Identifier = "nyc-access-sw011"
(98)   NAS-Port-Type = Ethernet
(98) session-state: No cached attributes
(98) # Executing section authorize from file /etc/raddb/sites-enabled/default
(98)   authorize {
(98)     policy filter_username {
(98)       if (&User-Name) {
(98)       if (&User-Name)  -> TRUE
(98)       if (&User-Name)  {
(98)         if (&User-Name =~ / /) {
(98)         if (&User-Name =~ / /)  -> FALSE
(98)         if (&User-Name =~ /@[^@]*@/ ) {
(98)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(98)         if (&User-Name =~ /\.\./ ) {
(98)         if (&User-Name =~ /\.\./ )  -> FALSE
(98)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(98)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(98)         if (&User-Name =~ /\.$/)  {
(98)         if (&User-Name =~ /\.$/)   -> FALSE
(98)         if (&User-Name =~ /@\./)  {
(98)         if (&User-Name =~ /@\./)   -> FALSE
(98)       } # if (&User-Name)  = notfound
(98)     } # policy filter_username = notfound
(98)     [preprocess] = ok
(98)     [chap] = noop
(98)     [mschap] = noop
(98)     [digest] = noop
(98) suffix: Checking for suffix after "@"
(98) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(98) suffix: No such realm "NULL"
(98)     [suffix] = noop
(98) eap: Peer sent EAP Response (code 2) ID 98 length 163
(98) eap: Continuing tunnel setup
(98)     [eap] = ok
(98)   } # authorize = ok
(98) Found Auth-Type = eap
(98) # Executing group from file /etc/raddb/sites-enabled/default
(98)   authenticate {
(98) eap: Expiring EAP session with state 0x0ef775070e956ce1
(98) eap: Finished EAP session with state 0x0ef775070e956ce1
(98) eap: Previous EAP request found for state 0x0ef775070e956ce1, released from the list
(98) eap: Peer sent packet with method EAP PEAP (25)
(98) eap: Calling submodule eap_peap to process data
(98) eap_peap: Continuing EAP-TLS
(98) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(98) eap_peap: Got complete TLS record (153 bytes)
(98) eap_peap: [eaptls verify] = length included
(98) eap_peap: (other): before/accept initialization
(98) eap_peap: TLS_accept: before/accept initialization
(98) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(98) eap_peap: TLS_accept: SSLv3 read client hello A
(98) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(98) eap_peap: TLS_accept: SSLv3 write server hello A
(98) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(98) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(98) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(98) eap_peap: TLS_accept: SSLv3 write finished A
(98) eap_peap: TLS_accept: SSLv3 flush data
(98) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(98) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(98) eap_peap: In SSL Handshake Phase
(98) eap_peap: In SSL Accept mode
(98) eap_peap: [eaptls process] = handled
(98) eap: Sending EAP Request (code 1) ID 99 length 159
(98) eap: EAP session adding &reply:State = 0x0ef775070f946ce1
(98)     [eap] = handled
(98)   } # authenticate = handled
(98) Using Post-Auth-Type Challenge
(98) Post-Auth-Type sub-section not found.  Ignoring.
(98) # Executing group from file /etc/raddb/sites-enabled/default
(98) Sent Access-Challenge Id 89 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(98)   EAP-Message = 0x0163009f19001603010059020000550301574f326ed954ca27583241712982c85cf3220ae8265ea439252e32c53b234b042099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003083ffd139b7bb092b
(98)   Message-Authenticator = 0x00000000000000000000000000000000
(98)   State = 0x0ef775070f946ce179117bd9194657b5
(98) Finished request
Waking up in 2.4 seconds.
(99) Received Access-Request Id 90 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(99)   User-Name = "vkratsberg"
(99)   NAS-Port = 358
(99)   State = 0x0ef775070f946ce179117bd9194657b5
(99)   EAP-Message = 0x0263004519800000003b1403010001011603010030ab5a05b483bb91ce2958d2ee445f19e3205d6817ae0bc60bf4fba4b2870b1794dba04b1ea01228947a3c6c8e5438464e
(99)   Message-Authenticator = 0x847833302e1716efbc3d9682c5151cc3
(99)   Acct-Session-Id = "8O2.1x81bb0d5b0007d8cd"
(99)   NAS-Port-Id = "ge-3/0/6.0"
(99)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(99)   Called-Station-Id = "ec-3e-f7-68-35-00"
(99)   NAS-IP-Address = 10.8.0.111
(99)   NAS-Identifier = "nyc-access-sw011"
(99)   NAS-Port-Type = Ethernet
(99) session-state: No cached attributes
(99) # Executing section authorize from file /etc/raddb/sites-enabled/default
(99)   authorize {
(99)     policy filter_username {
(99)       if (&User-Name) {
(99)       if (&User-Name)  -> TRUE
(99)       if (&User-Name)  {
(99)         if (&User-Name =~ / /) {
(99)         if (&User-Name =~ / /)  -> FALSE
(99)         if (&User-Name =~ /@[^@]*@/ ) {
(99)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(99)         if (&User-Name =~ /\.\./ ) {
(99)         if (&User-Name =~ /\.\./ )  -> FALSE
(99)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(99)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(99)         if (&User-Name =~ /\.$/)  {
(99)         if (&User-Name =~ /\.$/)   -> FALSE
(99)         if (&User-Name =~ /@\./)  {
(99)         if (&User-Name =~ /@\./)   -> FALSE
(99)       } # if (&User-Name)  = notfound
(99)     } # policy filter_username = notfound
(99)     [preprocess] = ok
(99)     [chap] = noop
(99)     [mschap] = noop
(99)     [digest] = noop
(99) suffix: Checking for suffix after "@"
(99) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(99) suffix: No such realm "NULL"
(99)     [suffix] = noop
(99) eap: Peer sent EAP Response (code 2) ID 99 length 69
(99) eap: Continuing tunnel setup
(99)     [eap] = ok
(99)   } # authorize = ok
(99) Found Auth-Type = eap
(99) # Executing group from file /etc/raddb/sites-enabled/default
(99)   authenticate {
(99) eap: Expiring EAP session with state 0x0ef775070f946ce1
(99) eap: Finished EAP session with state 0x0ef775070f946ce1
(99) eap: Previous EAP request found for state 0x0ef775070f946ce1, released from the list
(99) eap: Peer sent packet with method EAP PEAP (25)
(99) eap: Calling submodule eap_peap to process data
(99) eap_peap: Continuing EAP-TLS
(99) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(99) eap_peap: Got complete TLS record (59 bytes)
(99) eap_peap: [eaptls verify] = length included
(99) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(99) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(99) eap_peap: TLS_accept: SSLv3 read finished A
(99) eap_peap: (other): SSL negotiation finished successfully
(99) eap_peap: SSL Connection Established
(99) eap_peap: SSL Application Data
(99) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(99) eap_peap:   reply:User-Name = "vkratsberg"
(99) eap_peap: [eaptls process] = success
(99) eap_peap: Session established.  Decoding tunneled attributes
(99) eap_peap: PEAP state TUNNEL ESTABLISHED
(99) eap_peap: Skipping Phase2 because of session resumption
(99) eap_peap: SUCCESS
(99) eap: Sending EAP Request (code 1) ID 100 length 43
(99) eap: EAP session adding &reply:State = 0x0ef775070c936ce1
(99)     [eap] = handled
(99)   } # authenticate = handled
(99) Using Post-Auth-Type Challenge
(99) Post-Auth-Type sub-section not found.  Ignoring.
(99) # Executing group from file /etc/raddb/sites-enabled/default
(99) Sent Access-Challenge Id 90 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(99)   User-Name = "vkratsberg"
(99)   EAP-Message = 0x0164002b19001703010020fdbd2971cc86eb2ed52776050528515568931f6214381da5065d9c3cb87c3fc7
(99)   Message-Authenticator = 0x00000000000000000000000000000000
(99)   State = 0x0ef775070c936ce179117bd9194657b5
(99) Finished request
Waking up in 2.3 seconds.
(100) Received Access-Request Id 91 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(100)   User-Name = "vkratsberg"
(100)   NAS-Port = 358
(100)   State = 0x0ef775070c936ce179117bd9194657b5
(100)   EAP-Message = 0x0264002b190017030100202a1330019d7788a6ac825321045878c0faa5f26c678518d57bdcbf8e06a4ab19
(100)   Message-Authenticator = 0x7c961d21efea8831fb499ba2ad73074d
(100)   Acct-Session-Id = "8O2.1x81bb0d5b0007d8cd"
(100)   NAS-Port-Id = "ge-3/0/6.0"
(100)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(100)   Called-Station-Id = "ec-3e-f7-68-35-00"
(100)   NAS-IP-Address = 10.8.0.111
(100)   NAS-Identifier = "nyc-access-sw011"
(100)   NAS-Port-Type = Ethernet
(100) session-state: No cached attributes
(100) # Executing section authorize from file /etc/raddb/sites-enabled/default
(100)   authorize {
(100)     policy filter_username {
(100)       if (&User-Name) {
(100)       if (&User-Name)  -> TRUE
(100)       if (&User-Name)  {
(100)         if (&User-Name =~ / /) {
(100)         if (&User-Name =~ / /)  -> FALSE
(100)         if (&User-Name =~ /@[^@]*@/ ) {
(100)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(100)         if (&User-Name =~ /\.\./ ) {
(100)         if (&User-Name =~ /\.\./ )  -> FALSE
(100)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(100)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(100)         if (&User-Name =~ /\.$/)  {
(100)         if (&User-Name =~ /\.$/)   -> FALSE
(100)         if (&User-Name =~ /@\./)  {
(100)         if (&User-Name =~ /@\./)   -> FALSE
(100)       } # if (&User-Name)  = notfound
(100)     } # policy filter_username = notfound
(100)     [preprocess] = ok
(100)     [chap] = noop
(100)     [mschap] = noop
(100)     [digest] = noop
(100) suffix: Checking for suffix after "@"
(100) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(100) suffix: No such realm "NULL"
(100)     [suffix] = noop
(100) eap: Peer sent EAP Response (code 2) ID 100 length 43
(100) eap: Continuing tunnel setup
(100)     [eap] = ok
(100)   } # authorize = ok
(100) Found Auth-Type = eap
(100) # Executing group from file /etc/raddb/sites-enabled/default
(100)   authenticate {
(100) eap: Expiring EAP session with state 0x0ef775070c936ce1
(100) eap: Finished EAP session with state 0x0ef775070c936ce1
(100) eap: Previous EAP request found for state 0x0ef775070c936ce1, released from the list
(100) eap: Peer sent packet with method EAP PEAP (25)
(100) eap: Calling submodule eap_peap to process data
(100) eap_peap: Continuing EAP-TLS
(100) eap_peap: [eaptls verify] = ok
(100) eap_peap: Done initial handshake
(100) eap_peap: [eaptls process] = ok
(100) eap_peap: Session established.  Decoding tunneled attributes
(100) eap_peap: PEAP state send tlv success
(100) eap_peap: Received EAP-TLV response
(100) eap_peap: Success
(100) eap_peap: No saved attributes in the original Access-Accept
(100) eap: Sending EAP Success (code 3) ID 100 length 4
(100) eap: Freeing handler
(100)     [eap] = ok
(100)   } # authenticate = ok
(100) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(100)   post-auth {
(100)     update {
(100)       No attributes updated
(100)     } # update = noop
(100)     [exec] = noop
(100)     policy remove_reply_message_if_eap {
(100)       if (&reply:EAP-Message && &reply:Reply-Message) {
(100)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(100)       else {
(100)         [noop] = noop
(100)       } # else = noop
(100)     } # policy remove_reply_message_if_eap = noop
(100)   } # post-auth = noop
(100) Sent Access-Accept Id 91 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(100)   MS-MPPE-Recv-Key = 0xa9a2f5da55800301aa5bd198852e5710834f05b4bf7826cca0b25cdd76350a2e
(100)   MS-MPPE-Send-Key = 0x24705b05c593045b88eeea8aa8f984876f0c3d9cdcb5aec1eebebee5c460e39c
(100)   EAP-Message = 0x03640004
(100)   Message-Authenticator = 0x00000000000000000000000000000000
(100)   User-Name = "vkratsberg"
(100) Finished request
Waking up in 2.3 seconds.
(101) Received Access-Request Id 92 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(101)   User-Name = "vkratsberg"
(101)   NAS-Port = 358
(101)   EAP-Message = 0x0265000f01766b7261747362657267
(101)   Message-Authenticator = 0x486e33a95d8bb1f999f6d312074008bb
(101)   Acct-Session-Id = "8O2.1x81bb0d5c0009723b"
(101)   NAS-Port-Id = "ge-3/0/6.0"
(101)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(101)   Called-Station-Id = "ec-3e-f7-68-35-00"
(101)   NAS-IP-Address = 10.8.0.111
(101)   NAS-Identifier = "nyc-access-sw011"
(101)   NAS-Port-Type = Ethernet
(101) # Executing section authorize from file /etc/raddb/sites-enabled/default
(101)   authorize {
(101)     policy filter_username {
(101)       if (&User-Name) {
(101)       if (&User-Name)  -> TRUE
(101)       if (&User-Name)  {
(101)         if (&User-Name =~ / /) {
(101)         if (&User-Name =~ / /)  -> FALSE
(101)         if (&User-Name =~ /@[^@]*@/ ) {
(101)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(101)         if (&User-Name =~ /\.\./ ) {
(101)         if (&User-Name =~ /\.\./ )  -> FALSE
(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(101)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(101)         if (&User-Name =~ /\.$/)  {
(101)         if (&User-Name =~ /\.$/)   -> FALSE
(101)         if (&User-Name =~ /@\./)  {
(101)         if (&User-Name =~ /@\./)   -> FALSE
(101)       } # if (&User-Name)  = notfound
(101)     } # policy filter_username = notfound
(101)     [preprocess] = ok
(101)     [chap] = noop
(101)     [mschap] = noop
(101)     [digest] = noop
(101) suffix: Checking for suffix after "@"
(101) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(101) suffix: No such realm "NULL"
(101)     [suffix] = noop
(101) eap: Peer sent EAP Response (code 2) ID 101 length 15
(101) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(101)     [eap] = ok
(101)   } # authorize = ok
(101) Found Auth-Type = eap
(101) # Executing group from file /etc/raddb/sites-enabled/default
(101)   authenticate {
(101) eap: Peer sent packet with method EAP Identity (1)
(101) eap: Calling submodule eap_peap to process data
(101) eap_peap: Initiating new EAP-TLS session
(101) eap_peap: [eaptls start] = request
(101) eap: Sending EAP Request (code 1) ID 102 length 6
(101) eap: EAP session adding &reply:State = 0xa1e59412a1838dae
(101)     [eap] = handled
(101)   } # authenticate = handled
(101) Using Post-Auth-Type Challenge
(101) Post-Auth-Type sub-section not found.  Ignoring.
(101) # Executing group from file /etc/raddb/sites-enabled/default
(101) Sent Access-Challenge Id 92 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(101)   EAP-Message = 0x016600061920
(101)   Message-Authenticator = 0x00000000000000000000000000000000
(101)   State = 0xa1e59412a1838dae5011ab286212f0a2
(101) Finished request
Waking up in 2.3 seconds.
(102) Received Access-Request Id 93 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(102)   User-Name = "vkratsberg"
(102)   NAS-Port = 358
(102)   State = 0xa1e59412a1838dae5011ab286212f0a2
(102)   EAP-Message = 0x026600a31980000000991603010094010000900301574f326eac32b7debef89e995985814720ea4d87baa473871947c863e66a96162099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(102)   Message-Authenticator = 0x9b02fce92b23f40b7bb5261ae21d47bb
(102)   Acct-Session-Id = "8O2.1x81bb0d5c0009723b"
(102)   NAS-Port-Id = "ge-3/0/6.0"
(102)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(102)   Called-Station-Id = "ec-3e-f7-68-35-00"
(102)   NAS-IP-Address = 10.8.0.111
(102)   NAS-Identifier = "nyc-access-sw011"
(102)   NAS-Port-Type = Ethernet
(102) session-state: No cached attributes
(102) # Executing section authorize from file /etc/raddb/sites-enabled/default
(102)   authorize {
(102)     policy filter_username {
(102)       if (&User-Name) {
(102)       if (&User-Name)  -> TRUE
(102)       if (&User-Name)  {
(102)         if (&User-Name =~ / /) {
(102)         if (&User-Name =~ / /)  -> FALSE
(102)         if (&User-Name =~ /@[^@]*@/ ) {
(102)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(102)         if (&User-Name =~ /\.\./ ) {
(102)         if (&User-Name =~ /\.\./ )  -> FALSE
(102)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(102)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(102)         if (&User-Name =~ /\.$/)  {
(102)         if (&User-Name =~ /\.$/)   -> FALSE
(102)         if (&User-Name =~ /@\./)  {
(102)         if (&User-Name =~ /@\./)   -> FALSE
(102)       } # if (&User-Name)  = notfound
(102)     } # policy filter_username = notfound
(102)     [preprocess] = ok
(102)     [chap] = noop
(102)     [mschap] = noop
(102)     [digest] = noop
(102) suffix: Checking for suffix after "@"
(102) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(102) suffix: No such realm "NULL"
(102)     [suffix] = noop
(102) eap: Peer sent EAP Response (code 2) ID 102 length 163
(102) eap: Continuing tunnel setup
(102)     [eap] = ok
(102)   } # authorize = ok
(102) Found Auth-Type = eap
(102) # Executing group from file /etc/raddb/sites-enabled/default
(102)   authenticate {
(102) eap: Expiring EAP session with state 0xa1e59412a1838dae
(102) eap: Finished EAP session with state 0xa1e59412a1838dae
(102) eap: Previous EAP request found for state 0xa1e59412a1838dae, released from the list
(102) eap: Peer sent packet with method EAP PEAP (25)
(102) eap: Calling submodule eap_peap to process data
(102) eap_peap: Continuing EAP-TLS
(102) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(102) eap_peap: Got complete TLS record (153 bytes)
(102) eap_peap: [eaptls verify] = length included
(102) eap_peap: (other): before/accept initialization
(102) eap_peap: TLS_accept: before/accept initialization
(102) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(102) eap_peap: TLS_accept: SSLv3 read client hello A
(102) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(102) eap_peap: TLS_accept: SSLv3 write server hello A
(102) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(102) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(102) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(102) eap_peap: TLS_accept: SSLv3 write finished A
(102) eap_peap: TLS_accept: SSLv3 flush data
(102) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(102) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(102) eap_peap: In SSL Handshake Phase
(102) eap_peap: In SSL Accept mode
(102) eap_peap: [eaptls process] = handled
(102) eap: Sending EAP Request (code 1) ID 103 length 159
(102) eap: EAP session adding &reply:State = 0xa1e59412a0828dae
(102)     [eap] = handled
(102)   } # authenticate = handled
(102) Using Post-Auth-Type Challenge
(102) Post-Auth-Type sub-section not found.  Ignoring.
(102) # Executing group from file /etc/raddb/sites-enabled/default
(102) Sent Access-Challenge Id 93 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(102)   EAP-Message = 0x0167009f19001603010059020000550301574f326e01708a5c29913d826436e0989220e833d953b690baf34b3193622e652099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003006bd6ee9fc76ffbe
(102)   Message-Authenticator = 0x00000000000000000000000000000000
(102)   State = 0xa1e59412a0828dae5011ab286212f0a2
(102) Finished request
Waking up in 2.3 seconds.
(103) Received Access-Request Id 94 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(103)   User-Name = "vkratsberg"
(103)   NAS-Port = 358
(103)   State = 0xa1e59412a0828dae5011ab286212f0a2
(103)   EAP-Message = 0x0267004519800000003b1403010001011603010030c2245712f0d815e694e7e736f2e061e9382833358e6ac91744b71236b1e9239198614b7e410897a36df53e2d37e50770
(103)   Message-Authenticator = 0x5e01bf7d934b2cead813dcaa2438f9dc
(103)   Acct-Session-Id = "8O2.1x81bb0d5c0009723b"
(103)   NAS-Port-Id = "ge-3/0/6.0"
(103)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(103)   Called-Station-Id = "ec-3e-f7-68-35-00"
(103)   NAS-IP-Address = 10.8.0.111
(103)   NAS-Identifier = "nyc-access-sw011"
(103)   NAS-Port-Type = Ethernet
(103) session-state: No cached attributes
(103) # Executing section authorize from file /etc/raddb/sites-enabled/default
(103)   authorize {
(103)     policy filter_username {
(103)       if (&User-Name) {
(103)       if (&User-Name)  -> TRUE
(103)       if (&User-Name)  {
(103)         if (&User-Name =~ / /) {
(103)         if (&User-Name =~ / /)  -> FALSE
(103)         if (&User-Name =~ /@[^@]*@/ ) {
(103)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(103)         if (&User-Name =~ /\.\./ ) {
(103)         if (&User-Name =~ /\.\./ )  -> FALSE
(103)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(103)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(103)         if (&User-Name =~ /\.$/)  {
(103)         if (&User-Name =~ /\.$/)   -> FALSE
(103)         if (&User-Name =~ /@\./)  {
(103)         if (&User-Name =~ /@\./)   -> FALSE
(103)       } # if (&User-Name)  = notfound
(103)     } # policy filter_username = notfound
(103)     [preprocess] = ok
(103)     [chap] = noop
(103)     [mschap] = noop
(103)     [digest] = noop
(103) suffix: Checking for suffix after "@"
(103) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(103) suffix: No such realm "NULL"
(103)     [suffix] = noop
(103) eap: Peer sent EAP Response (code 2) ID 103 length 69
(103) eap: Continuing tunnel setup
(103)     [eap] = ok
(103)   } # authorize = ok
(103) Found Auth-Type = eap
(103) # Executing group from file /etc/raddb/sites-enabled/default
(103)   authenticate {
(103) eap: Expiring EAP session with state 0xa1e59412a0828dae
(103) eap: Finished EAP session with state 0xa1e59412a0828dae
(103) eap: Previous EAP request found for state 0xa1e59412a0828dae, released from the list
(103) eap: Peer sent packet with method EAP PEAP (25)
(103) eap: Calling submodule eap_peap to process data
(103) eap_peap: Continuing EAP-TLS
(103) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(103) eap_peap: Got complete TLS record (59 bytes)
(103) eap_peap: [eaptls verify] = length included
(103) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(103) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(103) eap_peap: TLS_accept: SSLv3 read finished A
(103) eap_peap: (other): SSL negotiation finished successfully
(103) eap_peap: SSL Connection Established
(103) eap_peap: SSL Application Data
(103) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(103) eap_peap:   reply:User-Name = "vkratsberg"
(103) eap_peap: [eaptls process] = success
(103) eap_peap: Session established.  Decoding tunneled attributes
(103) eap_peap: PEAP state TUNNEL ESTABLISHED
(103) eap_peap: Skipping Phase2 because of session resumption
(103) eap_peap: SUCCESS
(103) eap: Sending EAP Request (code 1) ID 104 length 43
(103) eap: EAP session adding &reply:State = 0xa1e59412a38d8dae
(103)     [eap] = handled
(103)   } # authenticate = handled
(103) Using Post-Auth-Type Challenge
(103) Post-Auth-Type sub-section not found.  Ignoring.
(103) # Executing group from file /etc/raddb/sites-enabled/default
(103) Sent Access-Challenge Id 94 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(103)   User-Name = "vkratsberg"
(103)   EAP-Message = 0x0168002b19001703010020749306659d50f1aadbc0be6e20f8d64d90d7eb203d8d95f19ca675e4c16b869b
(103)   Message-Authenticator = 0x00000000000000000000000000000000
(103)   State = 0xa1e59412a38d8dae5011ab286212f0a2
(103) Finished request
Waking up in 2.2 seconds.
(104) Received Access-Request Id 95 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(104)   User-Name = "vkratsberg"
(104)   NAS-Port = 358
(104)   State = 0xa1e59412a38d8dae5011ab286212f0a2
(104)   EAP-Message = 0x0268002b190017030100204d3fded86529396af2f51b5fd7a162f34faa3c7a2cbc76bf633e6099d950e8e2
(104)   Message-Authenticator = 0x8f877d90a1d855fe8ae15cea6f14dd4a
(104)   Acct-Session-Id = "8O2.1x81bb0d5c0009723b"
(104)   NAS-Port-Id = "ge-3/0/6.0"
(104)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(104)   Called-Station-Id = "ec-3e-f7-68-35-00"
(104)   NAS-IP-Address = 10.8.0.111
(104)   NAS-Identifier = "nyc-access-sw011"
(104)   NAS-Port-Type = Ethernet
(104) session-state: No cached attributes
(104) # Executing section authorize from file /etc/raddb/sites-enabled/default
(104)   authorize {
(104)     policy filter_username {
(104)       if (&User-Name) {
(104)       if (&User-Name)  -> TRUE
(104)       if (&User-Name)  {
(104)         if (&User-Name =~ / /) {
(104)         if (&User-Name =~ / /)  -> FALSE
(104)         if (&User-Name =~ /@[^@]*@/ ) {
(104)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(104)         if (&User-Name =~ /\.\./ ) {
(104)         if (&User-Name =~ /\.\./ )  -> FALSE
(104)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(104)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(104)         if (&User-Name =~ /\.$/)  {
(104)         if (&User-Name =~ /\.$/)   -> FALSE
(104)         if (&User-Name =~ /@\./)  {
(104)         if (&User-Name =~ /@\./)   -> FALSE
(104)       } # if (&User-Name)  = notfound
(104)     } # policy filter_username = notfound
(104)     [preprocess] = ok
(104)     [chap] = noop
(104)     [mschap] = noop
(104)     [digest] = noop
(104) suffix: Checking for suffix after "@"
(104) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(104) suffix: No such realm "NULL"
(104)     [suffix] = noop
(104) eap: Peer sent EAP Response (code 2) ID 104 length 43
(104) eap: Continuing tunnel setup
(104)     [eap] = ok
(104)   } # authorize = ok
(104) Found Auth-Type = eap
(104) # Executing group from file /etc/raddb/sites-enabled/default
(104)   authenticate {
(104) eap: Expiring EAP session with state 0xa1e59412a38d8dae
(104) eap: Finished EAP session with state 0xa1e59412a38d8dae
(104) eap: Previous EAP request found for state 0xa1e59412a38d8dae, released from the list
(104) eap: Peer sent packet with method EAP PEAP (25)
(104) eap: Calling submodule eap_peap to process data
(104) eap_peap: Continuing EAP-TLS
(104) eap_peap: [eaptls verify] = ok
(104) eap_peap: Done initial handshake
(104) eap_peap: [eaptls process] = ok
(104) eap_peap: Session established.  Decoding tunneled attributes
(104) eap_peap: PEAP state send tlv success
(104) eap_peap: Received EAP-TLV response
(104) eap_peap: Success
(104) eap_peap: No saved attributes in the original Access-Accept
(104) eap: Sending EAP Success (code 3) ID 104 length 4
(104) eap: Freeing handler
(104)     [eap] = ok
(104)   } # authenticate = ok
(104) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(104)   post-auth {
(104)     update {
(104)       No attributes updated
(104)     } # update = noop
(104)     [exec] = noop
(104)     policy remove_reply_message_if_eap {
(104)       if (&reply:EAP-Message && &reply:Reply-Message) {
(104)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(104)       else {
(104)         [noop] = noop
(104)       } # else = noop
(104)     } # policy remove_reply_message_if_eap = noop
(104)   } # post-auth = noop
(104) Sent Access-Accept Id 95 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(104)   MS-MPPE-Recv-Key = 0x2d7647d76f9bb8bc57b82f57c1b66403eccf38b4815b587108e8ce63342f99ae
(104)   MS-MPPE-Send-Key = 0x9a1e062a4cb178aba8bb4c4265eecfce402448473dd9f45a0c5a5c5eb830655f
(104)   EAP-Message = 0x03680004
(104)   Message-Authenticator = 0x00000000000000000000000000000000
(104)   User-Name = "vkratsberg"
(104) Finished request
Waking up in 2.2 seconds.
(105) Received Access-Request Id 96 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(105)   User-Name = "vkratsberg"
(105)   NAS-Port = 358
(105)   EAP-Message = 0x0269000f01766b7261747362657267
(105)   Message-Authenticator = 0xbbd349d455832827451036c0ba9fb2c3
(105)   Acct-Session-Id = "8O2.1x81bb0d5d000b119a"
(105)   NAS-Port-Id = "ge-3/0/6.0"
(105)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(105)   Called-Station-Id = "ec-3e-f7-68-35-00"
(105)   NAS-IP-Address = 10.8.0.111
(105)   NAS-Identifier = "nyc-access-sw011"
(105)   NAS-Port-Type = Ethernet
(105) # Executing section authorize from file /etc/raddb/sites-enabled/default
(105)   authorize {
(105)     policy filter_username {
(105)       if (&User-Name) {
(105)       if (&User-Name)  -> TRUE
(105)       if (&User-Name)  {
(105)         if (&User-Name =~ / /) {
(105)         if (&User-Name =~ / /)  -> FALSE
(105)         if (&User-Name =~ /@[^@]*@/ ) {
(105)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(105)         if (&User-Name =~ /\.\./ ) {
(105)         if (&User-Name =~ /\.\./ )  -> FALSE
(105)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(105)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(105)         if (&User-Name =~ /\.$/)  {
(105)         if (&User-Name =~ /\.$/)   -> FALSE
(105)         if (&User-Name =~ /@\./)  {
(105)         if (&User-Name =~ /@\./)   -> FALSE
(105)       } # if (&User-Name)  = notfound
(105)     } # policy filter_username = notfound
(105)     [preprocess] = ok
(105)     [chap] = noop
(105)     [mschap] = noop
(105)     [digest] = noop
(105) suffix: Checking for suffix after "@"
(105) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(105) suffix: No such realm "NULL"
(105)     [suffix] = noop
(105) eap: Peer sent EAP Response (code 2) ID 105 length 15
(105) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(105)     [eap] = ok
(105)   } # authorize = ok
(105) Found Auth-Type = eap
(105) # Executing group from file /etc/raddb/sites-enabled/default
(105)   authenticate {
(105) eap: Peer sent packet with method EAP Identity (1)
(105) eap: Calling submodule eap_peap to process data
(105) eap_peap: Initiating new EAP-TLS session
(105) eap_peap: [eaptls start] = request
(105) eap: Sending EAP Request (code 1) ID 106 length 6
(105) eap: EAP session adding &reply:State = 0xbe2c9d7bbe4684c3
(105)     [eap] = handled
(105)   } # authenticate = handled
(105) Using Post-Auth-Type Challenge
(105) Post-Auth-Type sub-section not found.  Ignoring.
(105) # Executing group from file /etc/raddb/sites-enabled/default
(105) Sent Access-Challenge Id 96 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(105)   EAP-Message = 0x016a00061920
(105)   Message-Authenticator = 0x00000000000000000000000000000000
(105)   State = 0xbe2c9d7bbe4684c3edab30e85aa3aae0
(105) Finished request
Waking up in 2.2 seconds.
(106) Received Access-Request Id 97 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(106)   User-Name = "vkratsberg"
(106)   NAS-Port = 358
(106)   State = 0xbe2c9d7bbe4684c3edab30e85aa3aae0
(106)   EAP-Message = 0x026a00a31980000000991603010094010000900301574f326ed57b42f061f883816ff54156ae2a4abe066a78de60fd57c2d7cae8d82099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(106)   Message-Authenticator = 0xd31acc721f0b3d821538c9b4bd3ae397
(106)   Acct-Session-Id = "8O2.1x81bb0d5d000b119a"
(106)   NAS-Port-Id = "ge-3/0/6.0"
(106)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(106)   Called-Station-Id = "ec-3e-f7-68-35-00"
(106)   NAS-IP-Address = 10.8.0.111
(106)   NAS-Identifier = "nyc-access-sw011"
(106)   NAS-Port-Type = Ethernet
(106) session-state: No cached attributes
(106) # Executing section authorize from file /etc/raddb/sites-enabled/default
(106)   authorize {
(106)     policy filter_username {
(106)       if (&User-Name) {
(106)       if (&User-Name)  -> TRUE
(106)       if (&User-Name)  {
(106)         if (&User-Name =~ / /) {
(106)         if (&User-Name =~ / /)  -> FALSE
(106)         if (&User-Name =~ /@[^@]*@/ ) {
(106)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(106)         if (&User-Name =~ /\.\./ ) {
(106)         if (&User-Name =~ /\.\./ )  -> FALSE
(106)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(106)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(106)         if (&User-Name =~ /\.$/)  {
(106)         if (&User-Name =~ /\.$/)   -> FALSE
(106)         if (&User-Name =~ /@\./)  {
(106)         if (&User-Name =~ /@\./)   -> FALSE
(106)       } # if (&User-Name)  = notfound
(106)     } # policy filter_username = notfound
(106)     [preprocess] = ok
(106)     [chap] = noop
(106)     [mschap] = noop
(106)     [digest] = noop
(106) suffix: Checking for suffix after "@"
(106) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(106) suffix: No such realm "NULL"
(106)     [suffix] = noop
(106) eap: Peer sent EAP Response (code 2) ID 106 length 163
(106) eap: Continuing tunnel setup
(106)     [eap] = ok
(106)   } # authorize = ok
(106) Found Auth-Type = eap
(106) # Executing group from file /etc/raddb/sites-enabled/default
(106)   authenticate {
(106) eap: Expiring EAP session with state 0xbe2c9d7bbe4684c3
(106) eap: Finished EAP session with state 0xbe2c9d7bbe4684c3
(106) eap: Previous EAP request found for state 0xbe2c9d7bbe4684c3, released from the list
(106) eap: Peer sent packet with method EAP PEAP (25)
(106) eap: Calling submodule eap_peap to process data
(106) eap_peap: Continuing EAP-TLS
(106) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(106) eap_peap: Got complete TLS record (153 bytes)
(106) eap_peap: [eaptls verify] = length included
(106) eap_peap: (other): before/accept initialization
(106) eap_peap: TLS_accept: before/accept initialization
(106) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(106) eap_peap: TLS_accept: SSLv3 read client hello A
(106) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(106) eap_peap: TLS_accept: SSLv3 write server hello A
(106) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(106) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(106) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(106) eap_peap: TLS_accept: SSLv3 write finished A
(106) eap_peap: TLS_accept: SSLv3 flush data
(106) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(106) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(106) eap_peap: In SSL Handshake Phase
(106) eap_peap: In SSL Accept mode
(106) eap_peap: [eaptls process] = handled
(106) eap: Sending EAP Request (code 1) ID 107 length 159
(106) eap: EAP session adding &reply:State = 0xbe2c9d7bbf4784c3
(106)     [eap] = handled
(106)   } # authenticate = handled
(106) Using Post-Auth-Type Challenge
(106) Post-Auth-Type sub-section not found.  Ignoring.
(106) # Executing group from file /etc/raddb/sites-enabled/default
(106) Sent Access-Challenge Id 97 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(106)   EAP-Message = 0x016b009f19001603010059020000550301574f326e3a70b8d14c9901bb28824121a37f8f03730bb8b96e7aa4eb7489796a2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b0004030001021403010001011603010030cb986b66a3e8c62e
(106)   Message-Authenticator = 0x00000000000000000000000000000000
(106)   State = 0xbe2c9d7bbf4784c3edab30e85aa3aae0
(106) Finished request
Waking up in 2.1 seconds.
(107) Received Access-Request Id 98 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(107)   User-Name = "vkratsberg"
(107)   NAS-Port = 358
(107)   State = 0xbe2c9d7bbf4784c3edab30e85aa3aae0
(107)   EAP-Message = 0x026b004519800000003b14030100010116030100308a2c7a63ab68270add3a163b497d3deca6fb32eac2fe6377c5beb9083666e766e507008163ddba8a97eedd8903f95e76
(107)   Message-Authenticator = 0x6add6c30cdd0c25d05756d793209dbf2
(107)   Acct-Session-Id = "8O2.1x81bb0d5d000b119a"
(107)   NAS-Port-Id = "ge-3/0/6.0"
(107)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(107)   Called-Station-Id = "ec-3e-f7-68-35-00"
(107)   NAS-IP-Address = 10.8.0.111
(107)   NAS-Identifier = "nyc-access-sw011"
(107)   NAS-Port-Type = Ethernet
(107) session-state: No cached attributes
(107) # Executing section authorize from file /etc/raddb/sites-enabled/default
(107)   authorize {
(107)     policy filter_username {
(107)       if (&User-Name) {
(107)       if (&User-Name)  -> TRUE
(107)       if (&User-Name)  {
(107)         if (&User-Name =~ / /) {
(107)         if (&User-Name =~ / /)  -> FALSE
(107)         if (&User-Name =~ /@[^@]*@/ ) {
(107)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(107)         if (&User-Name =~ /\.\./ ) {
(107)         if (&User-Name =~ /\.\./ )  -> FALSE
(107)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(107)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(107)         if (&User-Name =~ /\.$/)  {
(107)         if (&User-Name =~ /\.$/)   -> FALSE
(107)         if (&User-Name =~ /@\./)  {
(107)         if (&User-Name =~ /@\./)   -> FALSE
(107)       } # if (&User-Name)  = notfound
(107)     } # policy filter_username = notfound
(107)     [preprocess] = ok
(107)     [chap] = noop
(107)     [mschap] = noop
(107)     [digest] = noop
(107) suffix: Checking for suffix after "@"
(107) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(107) suffix: No such realm "NULL"
(107)     [suffix] = noop
(107) eap: Peer sent EAP Response (code 2) ID 107 length 69
(107) eap: Continuing tunnel setup
(107)     [eap] = ok
(107)   } # authorize = ok
(107) Found Auth-Type = eap
(107) # Executing group from file /etc/raddb/sites-enabled/default
(107)   authenticate {
(107) eap: Expiring EAP session with state 0xbe2c9d7bbf4784c3
(107) eap: Finished EAP session with state 0xbe2c9d7bbf4784c3
(107) eap: Previous EAP request found for state 0xbe2c9d7bbf4784c3, released from the list
(107) eap: Peer sent packet with method EAP PEAP (25)
(107) eap: Calling submodule eap_peap to process data
(107) eap_peap: Continuing EAP-TLS
(107) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(107) eap_peap: Got complete TLS record (59 bytes)
(107) eap_peap: [eaptls verify] = length included
(107) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(107) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(107) eap_peap: TLS_accept: SSLv3 read finished A
(107) eap_peap: (other): SSL negotiation finished successfully
(107) eap_peap: SSL Connection Established
(107) eap_peap: SSL Application Data
(107) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(107) eap_peap:   reply:User-Name = "vkratsberg"
(107) eap_peap: [eaptls process] = success
(107) eap_peap: Session established.  Decoding tunneled attributes
(107) eap_peap: PEAP state TUNNEL ESTABLISHED
(107) eap_peap: Skipping Phase2 because of session resumption
(107) eap_peap: SUCCESS
(107) eap: Sending EAP Request (code 1) ID 108 length 43
(107) eap: EAP session adding &reply:State = 0xbe2c9d7bbc4084c3
(107)     [eap] = handled
(107)   } # authenticate = handled
(107) Using Post-Auth-Type Challenge
(107) Post-Auth-Type sub-section not found.  Ignoring.
(107) # Executing group from file /etc/raddb/sites-enabled/default
(107) Sent Access-Challenge Id 98 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(107)   User-Name = "vkratsberg"
(107)   EAP-Message = 0x016c002b19001703010020292c3dc345c56d6877988b12764fe82273c760d99c0453618d4184c7b2f38019
(107)   Message-Authenticator = 0x00000000000000000000000000000000
(107)   State = 0xbe2c9d7bbc4084c3edab30e85aa3aae0
(107) Finished request
Waking up in 2.1 seconds.
(108) Received Access-Request Id 99 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(108)   User-Name = "vkratsberg"
(108)   NAS-Port = 358
(108)   State = 0xbe2c9d7bbc4084c3edab30e85aa3aae0
(108)   EAP-Message = 0x026c002b190017030100201914d6822257683c8cf3ee63fb8e9e140c805add2c15ff33e16b17f9020e13ba
(108)   Message-Authenticator = 0x0e0504e472b9a934a3d870d52b29cbd2
(108)   Acct-Session-Id = "8O2.1x81bb0d5d000b119a"
(108)   NAS-Port-Id = "ge-3/0/6.0"
(108)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(108)   Called-Station-Id = "ec-3e-f7-68-35-00"
(108)   NAS-IP-Address = 10.8.0.111
(108)   NAS-Identifier = "nyc-access-sw011"
(108)   NAS-Port-Type = Ethernet
(108) session-state: No cached attributes
(108) # Executing section authorize from file /etc/raddb/sites-enabled/default
(108)   authorize {
(108)     policy filter_username {
(108)       if (&User-Name) {
(108)       if (&User-Name)  -> TRUE
(108)       if (&User-Name)  {
(108)         if (&User-Name =~ / /) {
(108)         if (&User-Name =~ / /)  -> FALSE
(108)         if (&User-Name =~ /@[^@]*@/ ) {
(108)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(108)         if (&User-Name =~ /\.\./ ) {
(108)         if (&User-Name =~ /\.\./ )  -> FALSE
(108)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(108)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(108)         if (&User-Name =~ /\.$/)  {
(108)         if (&User-Name =~ /\.$/)   -> FALSE
(108)         if (&User-Name =~ /@\./)  {
(108)         if (&User-Name =~ /@\./)   -> FALSE
(108)       } # if (&User-Name)  = notfound
(108)     } # policy filter_username = notfound
(108)     [preprocess] = ok
(108)     [chap] = noop
(108)     [mschap] = noop
(108)     [digest] = noop
(108) suffix: Checking for suffix after "@"
(108) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(108) suffix: No such realm "NULL"
(108)     [suffix] = noop
(108) eap: Peer sent EAP Response (code 2) ID 108 length 43
(108) eap: Continuing tunnel setup
(108)     [eap] = ok
(108)   } # authorize = ok
(108) Found Auth-Type = eap
(108) # Executing group from file /etc/raddb/sites-enabled/default
(108)   authenticate {
(108) eap: Expiring EAP session with state 0xbe2c9d7bbc4084c3
(108) eap: Finished EAP session with state 0xbe2c9d7bbc4084c3
(108) eap: Previous EAP request found for state 0xbe2c9d7bbc4084c3, released from the list
(108) eap: Peer sent packet with method EAP PEAP (25)
(108) eap: Calling submodule eap_peap to process data
(108) eap_peap: Continuing EAP-TLS
(108) eap_peap: [eaptls verify] = ok
(108) eap_peap: Done initial handshake
(108) eap_peap: [eaptls process] = ok
(108) eap_peap: Session established.  Decoding tunneled attributes
(108) eap_peap: PEAP state send tlv success
(108) eap_peap: Received EAP-TLV response
(108) eap_peap: Success
(108) eap_peap: No saved attributes in the original Access-Accept
(108) eap: Sending EAP Success (code 3) ID 108 length 4
(108) eap: Freeing handler
(108)     [eap] = ok
(108)   } # authenticate = ok
(108) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(108)   post-auth {
(108)     update {
(108)       No attributes updated
(108)     } # update = noop
(108)     [exec] = noop
(108)     policy remove_reply_message_if_eap {
(108)       if (&reply:EAP-Message && &reply:Reply-Message) {
(108)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(108)       else {
(108)         [noop] = noop
(108)       } # else = noop
(108)     } # policy remove_reply_message_if_eap = noop
(108)   } # post-auth = noop
(108) Sent Access-Accept Id 99 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(108)   MS-MPPE-Recv-Key = 0x2b4fd37c9f9467d3da56115d2ef543ff3e2bf58a53dbcf85f4183f3357193bf1
(108)   MS-MPPE-Send-Key = 0xbdc8077c1f36c4075fccbd480de338e95828a16b455b62df765772729fc2db4d
(108)   EAP-Message = 0x036c0004
(108)   Message-Authenticator = 0x00000000000000000000000000000000
(108)   User-Name = "vkratsberg"
(108) Finished request
Waking up in 2.1 seconds.
(109) Received Access-Request Id 100 from 10.8.0.111:58432 to 10.8.64.155:1812 length 177
(109)   User-Name = "vkratsberg"
(109)   NAS-Port = 358
(109)   EAP-Message = 0x026d000f01766b7261747362657267
(109)   Message-Authenticator = 0x376548682ddb200c31a8e9cccfecca2d
(109)   Acct-Session-Id = "8O2.1x81bb0d5e000cc9c0"
(109)   NAS-Port-Id = "ge-3/0/6.0"
(109)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(109)   Called-Station-Id = "ec-3e-f7-68-35-00"
(109)   NAS-IP-Address = 10.8.0.111
(109)   NAS-Identifier = "nyc-access-sw011"
(109)   NAS-Port-Type = Ethernet
(109) # Executing section authorize from file /etc/raddb/sites-enabled/default
(109)   authorize {
(109)     policy filter_username {
(109)       if (&User-Name) {
(109)       if (&User-Name)  -> TRUE
(109)       if (&User-Name)  {
(109)         if (&User-Name =~ / /) {
(109)         if (&User-Name =~ / /)  -> FALSE
(109)         if (&User-Name =~ /@[^@]*@/ ) {
(109)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(109)         if (&User-Name =~ /\.\./ ) {
(109)         if (&User-Name =~ /\.\./ )  -> FALSE
(109)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(109)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(109)         if (&User-Name =~ /\.$/)  {
(109)         if (&User-Name =~ /\.$/)   -> FALSE
(109)         if (&User-Name =~ /@\./)  {
(109)         if (&User-Name =~ /@\./)   -> FALSE
(109)       } # if (&User-Name)  = notfound
(109)     } # policy filter_username = notfound
(109)     [preprocess] = ok
(109)     [chap] = noop
(109)     [mschap] = noop
(109)     [digest] = noop
(109) suffix: Checking for suffix after "@"
(109) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(109) suffix: No such realm "NULL"
(109)     [suffix] = noop
(109) eap: Peer sent EAP Response (code 2) ID 109 length 15
(109) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(109)     [eap] = ok
(109)   } # authorize = ok
(109) Found Auth-Type = eap
(109) # Executing group from file /etc/raddb/sites-enabled/default
(109)   authenticate {
(109) eap: Peer sent packet with method EAP Identity (1)
(109) eap: Calling submodule eap_peap to process data
(109) eap_peap: Initiating new EAP-TLS session
(109) eap_peap: [eaptls start] = request
(109) eap: Sending EAP Request (code 1) ID 110 length 6
(109) eap: EAP session adding &reply:State = 0xaada5d64aab4445c
(109)     [eap] = handled
(109)   } # authenticate = handled
(109) Using Post-Auth-Type Challenge
(109) Post-Auth-Type sub-section not found.  Ignoring.
(109) # Executing group from file /etc/raddb/sites-enabled/default
(109) Sent Access-Challenge Id 100 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(109)   EAP-Message = 0x016e00061920
(109)   Message-Authenticator = 0x00000000000000000000000000000000
(109)   State = 0xaada5d64aab4445c0e4dab1d815af132
(109) Finished request
Waking up in 2.1 seconds.
(110) Received Access-Request Id 101 from 10.8.0.111:58432 to 10.8.64.155:1812 length 343
(110)   User-Name = "vkratsberg"
(110)   NAS-Port = 358
(110)   State = 0xaada5d64aab4445c0e4dab1d815af132
(110)   EAP-Message = 0x026e00a31980000000991603010094010000900301574f326e0e52a97a84863cda1cc24800bdd252d34bc47ec5e9f77760a0263df92099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f00
(110)   Message-Authenticator = 0xf667ce39f57ab3c70e5626a55a18bbb3
(110)   Acct-Session-Id = "8O2.1x81bb0d5e000cc9c0"
(110)   NAS-Port-Id = "ge-3/0/6.0"
(110)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(110)   Called-Station-Id = "ec-3e-f7-68-35-00"
(110)   NAS-IP-Address = 10.8.0.111
(110)   NAS-Identifier = "nyc-access-sw011"
(110)   NAS-Port-Type = Ethernet
(110) session-state: No cached attributes
(110) # Executing section authorize from file /etc/raddb/sites-enabled/default
(110)   authorize {
(110)     policy filter_username {
(110)       if (&User-Name) {
(110)       if (&User-Name)  -> TRUE
(110)       if (&User-Name)  {
(110)         if (&User-Name =~ / /) {
(110)         if (&User-Name =~ / /)  -> FALSE
(110)         if (&User-Name =~ /@[^@]*@/ ) {
(110)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(110)         if (&User-Name =~ /\.\./ ) {
(110)         if (&User-Name =~ /\.\./ )  -> FALSE
(110)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(110)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(110)         if (&User-Name =~ /\.$/)  {
(110)         if (&User-Name =~ /\.$/)   -> FALSE
(110)         if (&User-Name =~ /@\./)  {
(110)         if (&User-Name =~ /@\./)   -> FALSE
(110)       } # if (&User-Name)  = notfound
(110)     } # policy filter_username = notfound
(110)     [preprocess] = ok
(110)     [chap] = noop
(110)     [mschap] = noop
(110)     [digest] = noop
(110) suffix: Checking for suffix after "@"
(110) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(110) suffix: No such realm "NULL"
(110)     [suffix] = noop
(110) eap: Peer sent EAP Response (code 2) ID 110 length 163
(110) eap: Continuing tunnel setup
(110)     [eap] = ok
(110)   } # authorize = ok
(110) Found Auth-Type = eap
(110) # Executing group from file /etc/raddb/sites-enabled/default
(110)   authenticate {
(110) eap: Expiring EAP session with state 0xaada5d64aab4445c
(110) eap: Finished EAP session with state 0xaada5d64aab4445c
(110) eap: Previous EAP request found for state 0xaada5d64aab4445c, released from the list
(110) eap: Peer sent packet with method EAP PEAP (25)
(110) eap: Calling submodule eap_peap to process data
(110) eap_peap: Continuing EAP-TLS
(110) eap_peap: Peer indicated complete TLS record size will be 153 bytes
(110) eap_peap: Got complete TLS record (153 bytes)
(110) eap_peap: [eaptls verify] = length included
(110) eap_peap: (other): before/accept initialization
(110) eap_peap: TLS_accept: before/accept initialization
(110) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
(110) eap_peap: TLS_accept: SSLv3 read client hello A
(110) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(110) eap_peap: TLS_accept: SSLv3 write server hello A
(110) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(110) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(110) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(110) eap_peap: TLS_accept: SSLv3 write finished A
(110) eap_peap: TLS_accept: SSLv3 flush data
(110) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(110) eap_peap: TLS_accept: Need to read more data: SSLv3 read finished A
(110) eap_peap: In SSL Handshake Phase
(110) eap_peap: In SSL Accept mode
(110) eap_peap: [eaptls process] = handled
(110) eap: Sending EAP Request (code 1) ID 111 length 159
(110) eap: EAP session adding &reply:State = 0xaada5d64abb5445c
(110)     [eap] = handled
(110)   } # authenticate = handled
(110) Using Post-Auth-Type Challenge
(110) Post-Auth-Type sub-section not found.  Ignoring.
(110) # Executing group from file /etc/raddb/sites-enabled/default
(110) Sent Access-Challenge Id 101 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(110)   EAP-Message = 0x016f009f19001603010059020000550301574f326edf3149e245e6d1de6fa8ed3d66c2f7917e8e3f7f02939dd27740488d2099fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74ac01400000dff01000100000b000403000102140301000101160301003079a924797a39a905
(110)   Message-Authenticator = 0x00000000000000000000000000000000
(110)   State = 0xaada5d64abb5445c0e4dab1d815af132
(110) Finished request
Waking up in 2.0 seconds.
(111) Received Access-Request Id 102 from 10.8.0.111:58432 to 10.8.64.155:1812 length 249
(111)   User-Name = "vkratsberg"
(111)   NAS-Port = 358
(111)   State = 0xaada5d64abb5445c0e4dab1d815af132
(111)   EAP-Message = 0x026f004519800000003b1403010001011603010030fbc592ee25968942d0f1cf73d69287b0a88cd5d9424669649ee2a9784f53bd0967b09269193b3e5179614972b5342b27
(111)   Message-Authenticator = 0x36931fedd998bf65803938596a090ff8
(111)   Acct-Session-Id = "8O2.1x81bb0d5e000cc9c0"
(111)   NAS-Port-Id = "ge-3/0/6.0"
(111)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(111)   Called-Station-Id = "ec-3e-f7-68-35-00"
(111)   NAS-IP-Address = 10.8.0.111
(111)   NAS-Identifier = "nyc-access-sw011"
(111)   NAS-Port-Type = Ethernet
(111) session-state: No cached attributes
(111) # Executing section authorize from file /etc/raddb/sites-enabled/default
(111)   authorize {
(111)     policy filter_username {
(111)       if (&User-Name) {
(111)       if (&User-Name)  -> TRUE
(111)       if (&User-Name)  {
(111)         if (&User-Name =~ / /) {
(111)         if (&User-Name =~ / /)  -> FALSE
(111)         if (&User-Name =~ /@[^@]*@/ ) {
(111)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(111)         if (&User-Name =~ /\.\./ ) {
(111)         if (&User-Name =~ /\.\./ )  -> FALSE
(111)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(111)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(111)         if (&User-Name =~ /\.$/)  {
(111)         if (&User-Name =~ /\.$/)   -> FALSE
(111)         if (&User-Name =~ /@\./)  {
(111)         if (&User-Name =~ /@\./)   -> FALSE
(111)       } # if (&User-Name)  = notfound
(111)     } # policy filter_username = notfound
(111)     [preprocess] = ok
(111)     [chap] = noop
(111)     [mschap] = noop
(111)     [digest] = noop
(111) suffix: Checking for suffix after "@"
(111) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(111) suffix: No such realm "NULL"
(111)     [suffix] = noop
(111) eap: Peer sent EAP Response (code 2) ID 111 length 69
(111) eap: Continuing tunnel setup
(111)     [eap] = ok
(111)   } # authorize = ok
(111) Found Auth-Type = eap
(111) # Executing group from file /etc/raddb/sites-enabled/default
(111)   authenticate {
(111) eap: Expiring EAP session with state 0xaada5d64abb5445c
(111) eap: Finished EAP session with state 0xaada5d64abb5445c
(111) eap: Previous EAP request found for state 0xaada5d64abb5445c, released from the list
(111) eap: Peer sent packet with method EAP PEAP (25)
(111) eap: Calling submodule eap_peap to process data
(111) eap_peap: Continuing EAP-TLS
(111) eap_peap: Peer indicated complete TLS record size will be 59 bytes
(111) eap_peap: Got complete TLS record (59 bytes)
(111) eap_peap: [eaptls verify] = length included
(111) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(111) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(111) eap_peap: TLS_accept: SSLv3 read finished A
(111) eap_peap: (other): SSL negotiation finished successfully
(111) eap_peap: SSL Connection Established
(111) eap_peap: SSL Application Data
(111) eap_peap: Adding cached attributes from session 99fa3eb5d7d108e8e1047f8c78273aadc1bd2aa26caa1810320d84ad7442e74a
(111) eap_peap:   reply:User-Name = "vkratsberg"
(111) eap_peap: [eaptls process] = success
(111) eap_peap: Session established.  Decoding tunneled attributes
(111) eap_peap: PEAP state TUNNEL ESTABLISHED
(111) eap_peap: Skipping Phase2 because of session resumption
(111) eap_peap: SUCCESS
(111) eap: Sending EAP Request (code 1) ID 112 length 43
(111) eap: EAP session adding &reply:State = 0xaada5d64a8aa445c
(111)     [eap] = handled
(111)   } # authenticate = handled
(111) Using Post-Auth-Type Challenge
(111) Post-Auth-Type sub-section not found.  Ignoring.
(111) # Executing group from file /etc/raddb/sites-enabled/default
(111) Sent Access-Challenge Id 102 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(111)   User-Name = "vkratsberg"
(111)   EAP-Message = 0x0170002b19001703010020d52e2542c8168cee9986dd8c8470ed0c45db69a757078086e817c62f37245fc8
(111)   Message-Authenticator = 0x00000000000000000000000000000000
(111)   State = 0xaada5d64a8aa445c0e4dab1d815af132
(111) Finished request
Waking up in 2.0 seconds.
(112) Received Access-Request Id 103 from 10.8.0.111:58432 to 10.8.64.155:1812 length 223
(112)   User-Name = "vkratsberg"
(112)   NAS-Port = 358
(112)   State = 0xaada5d64a8aa445c0e4dab1d815af132
(112)   EAP-Message = 0x0270002b190017030100204c0678760c0c21cbc259d8dd695f63f8f3f2fe90cdc2b720ba253f47330f774a
(112)   Message-Authenticator = 0x6dda5137a7dd1cc16b60aaed6a6eb686
(112)   Acct-Session-Id = "8O2.1x81bb0d5e000cc9c0"
(112)   NAS-Port-Id = "ge-3/0/6.0"
(112)   Calling-Station-Id = "00-e0-4c-b8-16-4d"
(112)   Called-Station-Id = "ec-3e-f7-68-35-00"
(112)   NAS-IP-Address = 10.8.0.111
(112)   NAS-Identifier = "nyc-access-sw011"
(112)   NAS-Port-Type = Ethernet
(112) session-state: No cached attributes
(112) # Executing section authorize from file /etc/raddb/sites-enabled/default
(112)   authorize {
(112)     policy filter_username {
(112)       if (&User-Name) {
(112)       if (&User-Name)  -> TRUE
(112)       if (&User-Name)  {
(112)         if (&User-Name =~ / /) {
(112)         if (&User-Name =~ / /)  -> FALSE
(112)         if (&User-Name =~ /@[^@]*@/ ) {
(112)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(112)         if (&User-Name =~ /\.\./ ) {
(112)         if (&User-Name =~ /\.\./ )  -> FALSE
(112)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(112)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(112)         if (&User-Name =~ /\.$/)  {
(112)         if (&User-Name =~ /\.$/)   -> FALSE
(112)         if (&User-Name =~ /@\./)  {
(112)         if (&User-Name =~ /@\./)   -> FALSE
(112)       } # if (&User-Name)  = notfound
(112)     } # policy filter_username = notfound
(112)     [preprocess] = ok
(112)     [chap] = noop
(112)     [mschap] = noop
(112)     [digest] = noop
(112) suffix: Checking for suffix after "@"
(112) suffix: No '@' in User-Name = "vkratsberg", looking up realm NULL
(112) suffix: No such realm "NULL"
(112)     [suffix] = noop
(112) eap: Peer sent EAP Response (code 2) ID 112 length 43
(112) eap: Continuing tunnel setup
(112)     [eap] = ok
(112)   } # authorize = ok
(112) Found Auth-Type = eap
(112) # Executing group from file /etc/raddb/sites-enabled/default
(112)   authenticate {
(112) eap: Expiring EAP session with state 0xaada5d64a8aa445c
(112) eap: Finished EAP session with state 0xaada5d64a8aa445c
(112) eap: Previous EAP request found for state 0xaada5d64a8aa445c, released from the list
(112) eap: Peer sent packet with method EAP PEAP (25)
(112) eap: Calling submodule eap_peap to process data
(112) eap_peap: Continuing EAP-TLS
(112) eap_peap: [eaptls verify] = ok
(112) eap_peap: Done initial handshake
(112) eap_peap: [eaptls process] = ok
(112) eap_peap: Session established.  Decoding tunneled attributes
(112) eap_peap: PEAP state send tlv success
(112) eap_peap: Received EAP-TLV response
(112) eap_peap: Success
(112) eap_peap: No saved attributes in the original Access-Accept
(112) eap: Sending EAP Success (code 3) ID 112 length 4
(112) eap: Freeing handler
(112)     [eap] = ok
(112)   } # authenticate = ok
(112) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(112)   post-auth {
(112)     update {
(112)       No attributes updated
(112)     } # update = noop
(112)     [exec] = noop
(112)     policy remove_reply_message_if_eap {
(112)       if (&reply:EAP-Message && &reply:Reply-Message) {
(112)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(112)       else {
(112)         [noop] = noop
(112)       } # else = noop
(112)     } # policy remove_reply_message_if_eap = noop
(112)   } # post-auth = noop
(112) Sent Access-Accept Id 103 from 10.8.64.155:1812 to 10.8.0.111:58432 length 0
(112)   MS-MPPE-Recv-Key = 0x1da126c07ca0725ca7117902c3a61b8351f1f05faec418d818bb047ee2da11e5
(112)   MS-MPPE-Send-Key = 0x51632040239711bfa36327a2c3ca94f029f409ac5f83941227f44c9224c6f99e
(112)   EAP-Message = 0x03700004
(112)   Message-Authenticator = 0x00000000000000000000000000000000
(112)   User-Name = "vkratsberg"
(112) Finished request
Waking up in 2.0 seconds.
(0) Cleaning up request packet ID 246 with timestamp +6
(1) Cleaning up request packet ID 247 with timestamp +6
(2) Cleaning up request packet ID 248 with timestamp +6
(3) Cleaning up request packet ID 249 with timestamp +6
(4) Cleaning up request packet ID 250 with timestamp +7
(5) Cleaning up request packet ID 251 with timestamp +7
(6) Cleaning up request packet ID 252 with timestamp +7
(7) Cleaning up request packet ID 253 with timestamp +7
(8) Cleaning up request packet ID 254 with timestamp +7
Waking up in 0.1 seconds.
(9) Cleaning up request packet ID 255 with timestamp +7
(10) Cleaning up request packet ID 1 with timestamp +7
(11) Cleaning up request packet ID 2 with timestamp +7
(12) Cleaning up request packet ID 3 with timestamp +7
(13) Cleaning up request packet ID 4 with timestamp +7
(14) Cleaning up request packet ID 5 with timestamp +7
(15) Cleaning up request packet ID 6 with timestamp +7
(16) Cleaning up request packet ID 7 with timestamp +7
(17) Cleaning up request packet ID 8 with timestamp +7
(18) Cleaning up request packet ID 9 with timestamp +7
(19) Cleaning up request packet ID 10 with timestamp +7
(20) Cleaning up request packet ID 11 with timestamp +7
(21) Cleaning up request packet ID 12 with timestamp +7
(22) Cleaning up request packet ID 13 with timestamp +7
(23) Cleaning up request packet ID 14 with timestamp +7
(24) Cleaning up request packet ID 15 with timestamp +7
(25) Cleaning up request packet ID 16 with timestamp +7
(26) Cleaning up request packet ID 17 with timestamp +7
(27) Cleaning up request packet ID 18 with timestamp +7
(28) Cleaning up request packet ID 19 with timestamp +7
(29) Cleaning up request packet ID 20 with timestamp +7
(30) Cleaning up request packet ID 21 with timestamp +7
(31) Cleaning up request packet ID 22 with timestamp +7
(32) Cleaning up request packet ID 23 with timestamp +7
(33) Cleaning up request packet ID 24 with timestamp +7
(34) Cleaning up request packet ID 25 with timestamp +7
(35) Cleaning up request packet ID 26 with timestamp +7
(36) Cleaning up request packet ID 27 with timestamp +7
(37) Cleaning up request packet ID 28 with timestamp +7
(38) Cleaning up request packet ID 29 with timestamp +7
(39) Cleaning up request packet ID 30 with timestamp +7
(40) Cleaning up request packet ID 31 with timestamp +7
(41) Cleaning up request packet ID 32 with timestamp +8
(42) Cleaning up request packet ID 33 with timestamp +8
(43) Cleaning up request packet ID 34 with timestamp +8
(44) Cleaning up request packet ID 35 with timestamp +8
(45) Cleaning up request packet ID 36 with timestamp +8
(46) Cleaning up request packet ID 37 with timestamp +8
(47) Cleaning up request packet ID 38 with timestamp +8
(48) Cleaning up request packet ID 39 with timestamp +8
(49) Cleaning up request packet ID 40 with timestamp +8
(50) Cleaning up request packet ID 41 with timestamp +8
(51) Cleaning up request packet ID 42 with timestamp +8
(52) Cleaning up request packet ID 43 with timestamp +8
(53) Cleaning up request packet ID 44 with timestamp +8
(54) Cleaning up request packet ID 45 with timestamp +8
(55) Cleaning up request packet ID 46 with timestamp +8
(56) Cleaning up request packet ID 47 with timestamp +8
(57) Cleaning up request packet ID 48 with timestamp +8
(58) Cleaning up request packet ID 49 with timestamp +8
(59) Cleaning up request packet ID 50 with timestamp +8
(60) Cleaning up request packet ID 51 with timestamp +8
(61) Cleaning up request packet ID 52 with timestamp +8
(62) Cleaning up request packet ID 53 with timestamp +8
(63) Cleaning up request packet ID 54 with timestamp +8
(64) Cleaning up request packet ID 55 with timestamp +8
(65) Cleaning up request packet ID 56 with timestamp +8
(66) Cleaning up request packet ID 57 with timestamp +8
(67) Cleaning up request packet ID 58 with timestamp +8
(68) Cleaning up request packet ID 59 with timestamp +8
(69) Cleaning up request packet ID 60 with timestamp +8
(70) Cleaning up request packet ID 61 with timestamp +8
(71) Cleaning up request packet ID 62 with timestamp +8
(72) Cleaning up request packet ID 63 with timestamp +8
(73) Cleaning up request packet ID 64 with timestamp +8
(74) Cleaning up request packet ID 65 with timestamp +8
(75) Cleaning up request packet ID 66 with timestamp +8
(76) Cleaning up request packet ID 67 with timestamp +8
(77) Cleaning up request packet ID 68 with timestamp +8
(78) Cleaning up request packet ID 69 with timestamp +8
(79) Cleaning up request packet ID 70 with timestamp +9
(80) Cleaning up request packet ID 71 with timestamp +9
(81) Cleaning up request packet ID 72 with timestamp +9
(82) Cleaning up request packet ID 73 with timestamp +9
(83) Cleaning up request packet ID 74 with timestamp +9
(84) Cleaning up request packet ID 75 with timestamp +9
(85) Cleaning up request packet ID 76 with timestamp +9
(86) Cleaning up request packet ID 77 with timestamp +9
(87) Cleaning up request packet ID 78 with timestamp +9
(88) Cleaning up request packet ID 79 with timestamp +9
(89) Cleaning up request packet ID 80 with timestamp +9
(90) Cleaning up request packet ID 81 with timestamp +9
(91) Cleaning up request packet ID 82 with timestamp +9
(92) Cleaning up request packet ID 83 with timestamp +9
(93) Cleaning up request packet ID 84 with timestamp +9
(94) Cleaning up request packet ID 85 with timestamp +9
(95) Cleaning up request packet ID 86 with timestamp +9
(96) Cleaning up request packet ID 87 with timestamp +9
(97) Cleaning up request packet ID 88 with timestamp +9
(98) Cleaning up request packet ID 89 with timestamp +9
(99) Cleaning up request packet ID 90 with timestamp +9
(100) Cleaning up request packet ID 91 with timestamp +9
(101) Cleaning up request packet ID 92 with timestamp +9
(102) Cleaning up request packet ID 93 with timestamp +9
(103) Cleaning up request packet ID 94 with timestamp +9
(104) Cleaning up request packet ID 95 with timestamp +9
(105) Cleaning up request packet ID 96 with timestamp +9
(106) Cleaning up request packet ID 97 with timestamp +9
(107) Cleaning up request packet ID 98 with timestamp +9
(108) Cleaning up request packet ID 99 with timestamp +9
(109) Cleaning up request packet ID 100 with timestamp +9
(110) Cleaning up request packet ID 101 with timestamp +9
(111) Cleaning up request packet ID 102 with timestamp +9
(112) Cleaning up request packet ID 103 with timestamp +9
Ready to process requests