Untitled

a guest
Feb 11th, 2016
  1. Copyright (C) 1999-2015 The FreeRADIUS server project and contributors
  2. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  3. PARTICULAR PURPOSE
  4. You may redistribute copies of FreeRADIUS under the terms of the
  5. GNU General Public License
  6. For more information about these matters, see the file named COPYRIGHT
  7. Starting - reading configuration files ...
  8. including dictionary file /usr/share/freeradius/dictionary
  9. including dictionary file /usr/share/freeradius/dictionary.dhcp
  10. including dictionary file /usr/share/freeradius/dictionary.vqp
  11. including dictionary file /etc/raddb/dictionary
  12. including configuration file /etc/raddb/radiusd.conf
  13. including configuration file /etc/raddb/proxy.conf
  14. including files in directory /etc/raddb/clients.d/
  15. including configuration file /etc/raddb/clients.d/WISM12.conf
  16. including configuration file /etc/raddb/clients.d/WISM3.conf
  17. including configuration file /etc/raddb/clients.d/WISM1.conf
  18. including configuration file /etc/raddb/clients.d/monitor.conf
  19. including configuration file /etc/raddb/clients.d/WISM5-HA.conf
  20. including configuration file /etc/raddb/clients.d/WISM2.conf
  21. including configuration file /etc/raddb/clients.d/WISM4.conf
  22. including configuration file /etc/raddb/clients.d/WISM1-HA.conf
  23. including configuration file /etc/raddb/clients.d/WISM4-HA.conf
  24. including configuration file /etc/raddb/clients.d/WISM7.conf
  25. including configuration file /etc/raddb/clients.d/WISM6-HA.conf
  26. including configuration file /etc/raddb/clients.d/WISM9.conf
  27. including configuration file /etc/raddb/clients.d/WISM6.conf
  28. including configuration file /etc/raddb/clients.d/WISM5.conf
  29. including configuration file /etc/raddb/clients.d/WISM7-HA.conf
  30. including configuration file /etc/raddb/clients.d/WISM2-HA.conf
  31. including configuration file /etc/raddb/clients.d/WISM3-HA.conf
  32. including configuration file /etc/raddb/clients.d/WISM8.conf
  33. including configuration file /etc/raddb/clients.d/localhost.conf
  34. including files in directory /etc/raddb/mods-enabled/
  35. including configuration file /etc/raddb/mods-enabled/unpack
  36. including configuration file /etc/raddb/mods-enabled/utf8
  37. including configuration file /etc/raddb/mods-enabled/passwd
  38. including configuration file /etc/raddb/mods-enabled/eduroaminfo
  39. including configuration file /etc/raddb/mods-enabled/unix
  40. including configuration file /etc/raddb/mods-enabled/uobdetail
  41. including configuration file /etc/raddb/mods-enabled/uobsql-write
  42. including configuration file /etc/raddb/mods-config/uobsql-write-queries.conf
  43. including configuration file /etc/raddb/mods-enabled/dynamic_clients
  44. including configuration file /etc/raddb/mods-enabled/exec
  45. including configuration file /etc/raddb/mods-enabled/always
  46. including configuration file /etc/raddb/mods-enabled/preprocess
  47. including configuration file /etc/raddb/mods-enabled/cache_eap
  48. including configuration file /etc/raddb/mods-enabled/sradutmp
  49. including configuration file /etc/raddb/mods-enabled/radutmp
  50. including configuration file /etc/raddb/mods-enabled/logtofile
  51. including configuration file /etc/raddb/mods-enabled/eduroamlioneap
  52. including configuration file /etc/raddb/mods-enabled/mschap
  53. including configuration file /etc/raddb/mods-enabled/ntlm_auth
  54. including configuration file /etc/raddb/mods-enabled/eduroamvlan
  55. including configuration file /etc/raddb/mods-enabled/realm
  56. including configuration file /etc/raddb/mods-enabled/uobsql
  57. including configuration file /etc/raddb/mods-config/uobsql-queries.conf
  58. including configuration file /etc/raddb/mods-enabled/files
  59. including configuration file /etc/raddb/mods-enabled/dhcp
  60. including configuration file /etc/raddb/mods-enabled/digest
  61. including configuration file /etc/raddb/mods-enabled/soh
  62. including configuration file /etc/raddb/mods-enabled/echo
  63. including configuration file /etc/raddb/mods-enabled/cache-vlan
  64. including configuration file /etc/raddb/mods-enabled/detail.log
  65. including configuration file /etc/raddb/mods-enabled/files-eduroam
  66. including configuration file /etc/raddb/mods-enabled/chap
  67. including configuration file /etc/raddb/mods-enabled/replicate
  68. including configuration file /etc/raddb/mods-enabled/cache-ntlm
  69. including configuration file /etc/raddb/mods-enabled/expr
  70. including configuration file /etc/raddb/mods-enabled/eduroameap
  71. including configuration file /etc/raddb/mods-enabled/eduroamlioneap-old
  72. including configuration file /etc/raddb/mods-enabled/expiration
  73. including configuration file /etc/raddb/mods-enabled/eduroammschap
  74. including configuration file /etc/raddb/mods-enabled/attr_filter
  75. including configuration file /etc/raddb/mods-enabled/logtosyslog
  76. including configuration file /etc/raddb/mods-enabled/pap
  77. including configuration file /etc/raddb/mods-enabled/detail
  78. including configuration file /etc/raddb/mods-enabled/linelog
  79. including configuration file /etc/raddb/mods-enabled/logintime
  80. including configuration file /etc/raddb/templates.conf
  81. including files in directory /etc/raddb/policy.d/
  82. including configuration file /etc/raddb/policy.d/policies
  83. including configuration file /etc/raddb/policy.d/cui
  84. including configuration file /etc/raddb/policy.d/operator-name
  85. including configuration file /etc/raddb/policy.d/canonicalization
  86. including configuration file /etc/raddb/policy.d/get-ssid
  87. including configuration file /etc/raddb/policy.d/dhcp
  88. including configuration file /etc/raddb/policy.d/eduroam-realm-checks.conf
  89. including configuration file /etc/raddb/policy.d/filter
  90. including configuration file /etc/raddb/policy.d/debug
  91. including configuration file /etc/raddb/policy.d/accounting
  92. including configuration file /etc/raddb/policy.d/eap
  93. including configuration file /etc/raddb/policy.d/control
  94. including configuration file /etc/raddb/policy.d/logchecker
  95. including files in directory /etc/raddb/sites-enabled/
  96. including configuration file /etc/raddb/sites-enabled/eduroam-inner
  97. including configuration file /etc/raddb/sites-enabled/eduroamlocal-auth
  98. including configuration file /etc/raddb/sites-enabled/status
  99. including files in directory /etc/raddb/statusclients.d/
  100. including configuration file /etc/raddb/statusclients.d/monitor.conf
  101. including configuration file /etc/raddb/statusclients.d/monitorv6.conf
  102. including configuration file /etc/raddb/statusclients.d/localhost.conf
  103. including configuration file /etc/raddb/sites-enabled/eduroamlion-inner
  104. main {
  105. security {
  106. user = "radiusd"
  107. group = "radiusd"
  108. allow_core_dumps = no
  109. }
  110. name = "radiusd"
  111. prefix = "/usr"
  112. localstatedir = "/var"
  113. logdir = "/var/log/radius"
  114. run_dir = "/var/run/radiusd"
  115. }
  116. main {
  117. name = "radiusd"
  118. prefix = "/usr"
  119. localstatedir = "/var"
  120. sbindir = "/usr/sbin"
  121. logdir = "/var/log/radius"
  122. run_dir = "/var/run/radiusd"
  123. libdir = "/usr/lib64/freeradius"
  124. radacctdir = "/var/log/radius/radacct"
  125. hostname_lookups = no
  126. max_request_time = 30
  127. cleanup_delay = 5
  128. max_requests = 4096
  129. pidfile = "/var/run/radiusd/radiusd.pid"
  130. checkrad = "/usr/sbin/checkrad"
  131. debug_level = 0
  132. proxy_requests = yes
  133. log {
  134. stripped_names = no
  135. auth = no
  136. auth_badpass = no
  137. auth_goodpass = no
  138. colourise = yes
  139. msg_denied = "You are already logged in - access denied"
  140. }
  141. resources {
  142. }
  143. security {
  144. max_attributes = 200
  145. reject_delay = 1.000000
  146. status_server = yes
  147. }
  148. }
  149. radiusd: #### Loading Realms and Home Servers ####
  150. home_server jrs0 {
  151. ipaddr = 194.82.174.185
  152. port = 1812
  153. type = "auth+acct"
  154. proto = "udp"
  155. secret = <<< secret >>>
  156. response_window = 30.000000
  157. response_timeouts = 1
  158. max_outstanding = 65536
  159. zombie_period = 40
  160. status_check = "none"
  161. ping_interval = 30
  162. check_timeout = 4
  163. num_answers_to_alive = 3
  164. revive_interval = 300
  165. limit {
  166. max_connections = 16
  167. max_requests = 0
  168. lifetime = 0
  169. idle_timeout = 0
  170. }
  171. coa {
  172. irt = 2
  173. mrt = 16
  174. mrc = 5
  175. mrd = 30
  176. }
  177. }
  178. home_server jrs0v6 {
  179. ipv6addr = 2001:630:1:128::185
  180. port = 1812
  181. type = "auth+acct"
  182. proto = "udp"
  183. secret = <<< secret >>>
  184. response_window = 30.000000
  185. response_timeouts = 1
  186. max_outstanding = 65536
  187. zombie_period = 40
  188. status_check = "none"
  189. ping_interval = 30
  190. check_timeout = 4
  191. num_answers_to_alive = 3
  192. revive_interval = 300
  193. limit {
  194. max_connections = 16
  195. max_requests = 0
  196. lifetime = 0
  197. idle_timeout = 0
  198. }
  199. coa {
  200. irt = 2
  201. mrt = 16
  202. mrc = 5
  203. mrd = 30
  204. }
  205. }
  206. home_server jrs1 {
  207. ipaddr = 194.83.56.233
  208. port = 1812
  209. type = "auth+acct"
  210. proto = "udp"
  211. secret = <<< secret >>>
  212. response_window = 30.000000
  213. response_timeouts = 1
  214. max_outstanding = 65536
  215. zombie_period = 40
  216. status_check = "none"
  217. ping_interval = 30
  218. check_timeout = 4
  219. num_answers_to_alive = 3
  220. revive_interval = 300
  221. limit {
  222. max_connections = 16
  223. max_requests = 0
  224. lifetime = 0
  225. idle_timeout = 0
  226. }
  227. coa {
  228. irt = 2
  229. mrt = 16
  230. mrc = 5
  231. mrd = 30
  232. }
  233. }
  234. home_server jrs1v6 {
  235. ipv6addr = 2001:630:1:12a::233
  236. port = 1812
  237. type = "auth+acct"
  238. proto = "udp"
  239. secret = <<< secret >>>
  240. response_window = 30.000000
  241. response_timeouts = 1
  242. max_outstanding = 65536
  243. zombie_period = 40
  244. status_check = "none"
  245. ping_interval = 30
  246. check_timeout = 4
  247. num_answers_to_alive = 3
  248. revive_interval = 300
  249. limit {
  250. max_connections = 16
  251. max_requests = 0
  252. lifetime = 0
  253. idle_timeout = 0
  254. }
  255. coa {
  256. irt = 2
  257. mrt = 16
  258. mrc = 5
  259. mrd = 30
  260. }
  261. }
  262. home_server jrs2 {
  263. ipaddr = 194.83.56.249
  264. port = 1812
  265. type = "auth+acct"
  266. proto = "udp"
  267. secret = <<< secret >>>
  268. response_window = 30.000000
  269. response_timeouts = 1
  270. max_outstanding = 65536
  271. zombie_period = 40
  272. status_check = "none"
  273. ping_interval = 30
  274. check_timeout = 4
  275. num_answers_to_alive = 3
  276. revive_interval = 300
  277. limit {
  278. max_connections = 16
  279. max_requests = 0
  280. lifetime = 0
  281. idle_timeout = 0
  282. }
  283. coa {
  284. irt = 2
  285. mrt = 16
  286. mrc = 5
  287. mrd = 30
  288. }
  289. }
  290. home_server jrs2v6 {
  291. ipv6addr = 2001:630:1:129::249
  292. port = 1812
  293. type = "auth+acct"
  294. proto = "udp"
  295. secret = <<< secret >>>
  296. response_window = 30.000000
  297. response_timeouts = 1
  298. max_outstanding = 65536
  299. zombie_period = 40
  300. status_check = "none"
  301. ping_interval = 30
  302. check_timeout = 4
  303. num_answers_to_alive = 3
  304. revive_interval = 300
  305. limit {
  306. max_connections = 16
  307. max_requests = 0
  308. lifetime = 0
  309. idle_timeout = 0
  310. }
  311. coa {
  312. irt = 2
  313. mrt = 16
  314. mrc = 5
  315. mrd = 30
  316. }
  317. }
  318. home_server radius-dev {
  319. ipaddr = 137.222.7.119
  320. port = 16006
  321. type = "auth+acct"
  322. proto = "udp"
  323. secret = <<< secret >>>
  324. response_window = 30.000000
  325. response_timeouts = 1
  326. max_outstanding = 65536
  327. zombie_period = 40
  328. status_check = "none"
  329. ping_interval = 30
  330. check_timeout = 4
  331. num_answers_to_alive = 3
  332. revive_interval = 300
  333. limit {
  334. max_connections = 16
  335. max_requests = 0
  336. lifetime = 0
  337. idle_timeout = 0
  338. }
  339. coa {
  340. irt = 2
  341. mrt = 16
  342. mrc = 5
  343. mrd = 30
  344. }
  345. }
  346. home_server radius-dev-v6 {
  347. ipv6addr = 2001:630:e4:81:137:222:7:119
  348. port = 16006
  349. type = "auth+acct"
  350. proto = "udp"
  351. secret = <<< secret >>>
  352. response_window = 30.000000
  353. response_timeouts = 1
  354. max_outstanding = 65536
  355. zombie_period = 40
  356. status_check = "none"
  357. ping_interval = 30
  358. check_timeout = 4
  359. num_answers_to_alive = 3
  360. revive_interval = 300
  361. limit {
  362. max_connections = 16
  363. max_requests = 0
  364. lifetime = 0
  365. idle_timeout = 0
  366. }
  367. coa {
  368. irt = 2
  369. mrt = 16
  370. mrc = 5
  371. mrd = 30
  372. }
  373. }
  374. realm LOCAL {
  375. }
  376. realm bris.ac.uk {
  377. }
  378. realm bristol.ac.uk {
  379. }
  380. home_server_pool dev {
  381. type = fail-over
  382. home_server = radius-dev
  383. home_server = radius-dev-v6
  384. }
  385. realm dev {
  386. pool = dev
  387. }
  388. home_server_pool jrs {
  389. type = fail-over
  390. home_server = jrs1v6
  391. home_server = jrs2v6
  392. home_server = jrs1
  393. home_server = jrs0v6
  394. home_server = jrs2
  395. home_server = jrs0
  396. }
  397. realm jrs {
  398. pool = jrs
  399. nostrip
  400. }
  401. realm lion.bristol.ac.uk {
  402. }
  403. realm my.bristol.ac.uk {
  404. }
  405. radiusd: #### Loading Clients ####
  406. client WISM12 {
  407. ipaddr = 172.17.107.212
  408. require_message_authenticator = no
  409. secret = <<< secret >>>
  410. shortname = "WISM12"
  411. nas_type = "cisco"
  412. limit {
  413. max_connections = 16
  414. lifetime = 0
  415. idle_timeout = 30
  416. }
  417. }
  418. client WISM3 {
  419. ipaddr = 172.17.107.203
  420. require_message_authenticator = no
  421. secret = <<< secret >>>
  422. shortname = "WISM3"
  423. nas_type = "cisco"
  424. limit {
  425. max_connections = 16
  426. lifetime = 0
  427. idle_timeout = 30
  428. }
  429. }
  430. client WISM1 {
  431. ipaddr = 172.17.107.201
  432. require_message_authenticator = no
  433. secret = <<< secret >>>
  434. shortname = "WISM1"
  435. nas_type = "cisco"
  436. limit {
  437. max_connections = 16
  438. lifetime = 0
  439. idle_timeout = 30
  440. }
  441. }
  442. client monitor {
  443. ipaddr = 137.222.7.147
  444. require_message_authenticator = no
  445. secret = <<< secret >>>
  446. shortname = "monitor"
  447. nas_type = "other"
  448. limit {
  449. max_connections = 16
  450. lifetime = 0
  451. idle_timeout = 30
  452. }
  453. }
  454. client WISM5-HA {
  455. ipaddr = 172.17.107.105
  456. require_message_authenticator = no
  457. secret = <<< secret >>>
  458. shortname = "WISM5-HA"
  459. nas_type = "cisco"
  460. limit {
  461. max_connections = 16
  462. lifetime = 0
  463. idle_timeout = 30
  464. }
  465. }
  466. client WISM2 {
  467. ipaddr = 172.17.107.202
  468. require_message_authenticator = no
  469. secret = <<< secret >>>
  470. shortname = "WISM2"
  471. nas_type = "cisco"
  472. limit {
  473. max_connections = 16
  474. lifetime = 0
  475. idle_timeout = 30
  476. }
  477. }
  478. client WISM4 {
  479. ipaddr = 172.17.107.204
  480. require_message_authenticator = no
  481. secret = <<< secret >>>
  482. shortname = "WISM4"
  483. nas_type = "cisco"
  484. limit {
  485. max_connections = 16
  486. lifetime = 0
  487. idle_timeout = 30
  488. }
  489. }
  490. client WISM1-HA {
  491. ipaddr = 172.17.107.101
  492. require_message_authenticator = no
  493. secret = <<< secret >>>
  494. shortname = "WISM1-HA"
  495. nas_type = "cisco"
  496. limit {
  497. max_connections = 16
  498. lifetime = 0
  499. idle_timeout = 30
  500. }
  501. }
  502. client WISM4-HA {
  503. ipaddr = 172.17.107.104
  504. require_message_authenticator = no
  505. secret = <<< secret >>>
  506. shortname = "WISM4-HA"
  507. nas_type = "cisco"
  508. limit {
  509. max_connections = 16
  510. lifetime = 0
  511. idle_timeout = 30
  512. }
  513. }
  514. client WISM7 {
  515. ipaddr = 172.17.107.207
  516. require_message_authenticator = no
  517. secret = <<< secret >>>
  518. shortname = "WISM7"
  519. nas_type = "cisco"
  520. limit {
  521. max_connections = 16
  522. lifetime = 0
  523. idle_timeout = 30
  524. }
  525. }
  526. client WISM6-HA {
  527. ipaddr = 172.17.107.106
  528. require_message_authenticator = no
  529. secret = <<< secret >>>
  530. shortname = "WISM6-HA"
  531. nas_type = "cisco"
  532. limit {
  533. max_connections = 16
  534. lifetime = 0
  535. idle_timeout = 30
  536. }
  537. }
  538. client WISM9 {
  539. ipaddr = 172.17.107.209
  540. require_message_authenticator = no
  541. secret = <<< secret >>>
  542. shortname = "WISM9"
  543. nas_type = "cisco"
  544. limit {
  545. max_connections = 16
  546. lifetime = 0
  547. idle_timeout = 30
  548. }
  549. }
  550. client WISM6 {
  551. ipaddr = 172.17.107.206
  552. require_message_authenticator = no
  553. secret = <<< secret >>>
  554. shortname = "WISM6"
  555. nas_type = "cisco"
  556. limit {
  557. max_connections = 16
  558. lifetime = 0
  559. idle_timeout = 30
  560. }
  561. }
  562. client WISM5 {
  563. ipaddr = 172.17.107.205
  564. require_message_authenticator = no
  565. secret = <<< secret >>>
  566. shortname = "WISM5"
  567. nas_type = "cisco"
  568. limit {
  569. max_connections = 16
  570. lifetime = 0
  571. idle_timeout = 30
  572. }
  573. }
  574. client WISM7-HA {
  575. ipaddr = 172.17.107.107
  576. require_message_authenticator = no
  577. secret = <<< secret >>>
  578. shortname = "WISM7-HA"
  579. nas_type = "cisco"
  580. limit {
  581. max_connections = 16
  582. lifetime = 0
  583. idle_timeout = 30
  584. }
  585. }
  586. client WISM2-HA {
  587. ipaddr = 172.17.107.102
  588. require_message_authenticator = no
  589. secret = <<< secret >>>
  590. shortname = "WISM2-HA"
  591. nas_type = "cisco"
  592. limit {
  593. max_connections = 16
  594. lifetime = 0
  595. idle_timeout = 30
  596. }
  597. }
  598. client WISM3-HA {
  599. ipaddr = 172.17.107.103
  600. require_message_authenticator = no
  601. secret = <<< secret >>>
  602. shortname = "WISM3-HA"
  603. nas_type = "cisco"
  604. limit {
  605. max_connections = 16
  606. lifetime = 0
  607. idle_timeout = 30
  608. }
  609. }
  610. client WISM8 {
  611. ipaddr = 172.17.107.208
  612. require_message_authenticator = no
  613. secret = <<< secret >>>
  614. shortname = "WISM8"
  615. nas_type = "cisco"
  616. limit {
  617. max_connections = 16
  618. lifetime = 0
  619. idle_timeout = 30
  620. }
  621. }
  622. client localhost {
  623. ipaddr = 127.0.0.1
  624. require_message_authenticator = no
  625. secret = <<< secret >>>
  626. shortname = "localhost"
  627. nas_type = "other"
  628. limit {
  629. max_connections = 16
  630. lifetime = 0
  631. idle_timeout = 30
  632. }
  633. }
  634. Debugger not attached
  635. # Creating Auth-Type = files-eduroam
  636. # Creating Auth-Type = eduroameap
  637. # Creating Autz-Type = Status-Server
  638. # Creating Acct-Type = Status-Server
  639. # Creating Auth-Type = eduroamlioneap
  640. # Creating Auth-Type = eduroamlioneap-old
  641. radiusd: #### Instantiating modules ####
  642. # Loaded module rlm_unpack
  643. # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  644. # Loaded module rlm_utf8
  645. # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  646. # Loaded module rlm_passwd
  647. # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  648. passwd etc_passwd {
  649. filename = "/etc/passwd"
  650. format = "*User-Name:Crypt-Password:"
  651. delimiter = ":"
  652. ignore_nislike = no
  653. ignore_empty = yes
  654. allow_multiple_keys = no
  655. hash_size = 100
  656. }
  657. # Loaded module rlm_linelog
  658. # Loading module "eduroaminfo" from file /etc/raddb/mods-enabled/eduroaminfo
  659. linelog eduroaminfo {
  660. filename = "syslog"
  661. escape_filenames = no
  662. syslog_facility = "user"
  663. syslog_severity = "info"
  664. permissions = 384
  665. format = "X,%{User-Name},%{Calling-Station-Id},%{Module-Failure-Message},%{reply:MS-CHAP-Error},%{config:Auth-Type},%{Virtual-Server}[%{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN}}]"
  666. reference = "%{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN}"
  667. }
  668. # Loaded module rlm_unix
  669. # Loading module "unix" from file /etc/raddb/mods-enabled/unix
  670. unix {
  671. radwtmp = "/var/log/radius/radwtmp"
  672. }
  673. Creating attribute Unix-Group
  674. # Loaded module rlm_detail
  675. # Loading module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail
  676. detail uob_detail {
  677. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/detail.log"
  678. header = "%t"
  679. permissions = 416
  680. locking = no
  681. escape_filenames = no
  682. log_packet_header = no
  683. }
  684. # Loading module "uob_auth_log" from file /etc/raddb/mods-enabled/uobdetail
  685. detail uob_auth_log {
  686. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
  687. header = "%t"
  688. permissions = 384
  689. locking = no
  690. escape_filenames = no
  691. log_packet_header = yes
  692. }
  693. # Loading module "uob_auth_log_password" from file /etc/raddb/mods-enabled/uobdetail
  694. detail uob_auth_log_password {
  695. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log"
  696. header = "%t"
  697. permissions = 384
  698. locking = no
  699. escape_filenames = no
  700. log_packet_header = no
  701. }
  702. # Loading module "uob_reply_log" from file /etc/raddb/mods-enabled/uobdetail
  703. detail uob_reply_log {
  704. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log"
  705. header = "%t"
  706. permissions = 384
  707. locking = no
  708. escape_filenames = no
  709. log_packet_header = no
  710. }
  711. # Loading module "uob_pre_proxy_log" from file /etc/raddb/mods-enabled/uobdetail
  712. detail uob_pre_proxy_log {
  713. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log"
  714. header = "%t"
  715. permissions = 384
  716. locking = no
  717. escape_filenames = no
  718. log_packet_header = no
  719. }
  720. # Loading module "uob_post_proxy_log" from file /etc/raddb/mods-enabled/uobdetail
  721. detail uob_post_proxy_log {
  722. filename = "/var/log/radius/radacct/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log"
  723. header = "%t"
  724. permissions = 384
  725. locking = no
  726. escape_filenames = no
  727. log_packet_header = no
  728. }
  729. # Loaded module rlm_sql
  730. # Loading module "uobsql-write" from file /etc/raddb/mods-enabled/uobsql-write
  731. sql uobsql-write {
  732. driver = "rlm_sql_mysql"
  733. server = "db-write.nomadic-core.bris.ac.uk"
  734. port = 3306
  735. login = "radiusd"
  736. password = <<< secret >>>
  737. radius_db = "radius"
  738. read_groups = yes
  739. read_profiles = yes
  740. read_clients = no
  741. delete_stale_sessions = yes
  742. sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
  743. default_user_profile = ""
  744. client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
  745. authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
  746. authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
  747. authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-write-sql-Group}' ORDER BY id"
  748. authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{uobsql-write-sql-Group}' ORDER BY id"
  749. group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
  750. simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
  751. safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  752. accounting {
  753. reference = "%{tolower:type.%{Acct-Status-Type}.query}"
  754. type {
  755. accounting-on {
  756. query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
  757. }
  758. accounting-off {
  759. query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
  760. }
  761. start {
  762. query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
  763. }
  764. interim-update {
  765. query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S', acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  766. }
  767. stop {
  768. query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
  769. }
  770. }
  771. }
  772. post-auth {
  773. reference = ".query"
  774. query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
  775. }
  776. }
  777. rlm_sql (uobsql-write): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
  778. Creating attribute uobsql-write-SQL-Group
  779. # Loaded module rlm_dynamic_clients
  780. # Loading module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients
  781. # Loaded module rlm_exec
  782. # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  783. exec {
  784. wait = no
  785. input_pairs = "request"
  786. shell_escape = yes
  787. timeout = 10
  788. }
  789. # Loaded module rlm_always
  790. # Loading module "reject" from file /etc/raddb/mods-enabled/always
  791. always reject {
  792. rcode = "reject"
  793. simulcount = 0
  794. mpp = no
  795. }
  796. # Loading module "fail" from file /etc/raddb/mods-enabled/always
  797. always fail {
  798. rcode = "fail"
  799. simulcount = 0
  800. mpp = no
  801. }
  802. # Loading module "ok" from file /etc/raddb/mods-enabled/always
  803. always ok {
  804. rcode = "ok"
  805. simulcount = 0
  806. mpp = no
  807. }
  808. # Loading module "handled" from file /etc/raddb/mods-enabled/always
  809. always handled {
  810. rcode = "handled"
  811. simulcount = 0
  812. mpp = no
  813. }
  814. # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  815. always invalid {
  816. rcode = "invalid"
  817. simulcount = 0
  818. mpp = no
  819. }
  820. # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  821. always userlock {
  822. rcode = "userlock"
  823. simulcount = 0
  824. mpp = no
  825. }
  826. # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  827. always notfound {
  828. rcode = "notfound"
  829. simulcount = 0
  830. mpp = no
  831. }
  832. # Loading module "noop" from file /etc/raddb/mods-enabled/always
  833. always noop {
  834. rcode = "noop"
  835. simulcount = 0
  836. mpp = no
  837. }
  838. # Loading module "updated" from file /etc/raddb/mods-enabled/always
  839. always updated {
  840. rcode = "updated"
  841. simulcount = 0
  842. mpp = no
  843. }
  844. # Loaded module rlm_preprocess
# Loading module "preprocess" from file /etc/raddb/mods-enabled/preprocess
preprocess {
huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups"
hints = "/etc/raddb/mods-config/preprocess/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loading module "radutmp" from file /etc/raddb/mods-enabled/radutmp
radutmp {
filename = "/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 384
caller_id = yes
}
# Loading module "logtofile" from file /etc/raddb/mods-enabled/logtofile
linelog logtofile {
filename = "/var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "logtofile.%{%{reply:Packet-Type}:-format}"
}
# Loaded module rlm_eap
# Loading module "eduroamlioneap" from file /etc/raddb/mods-enabled/eduroamlioneap
eap eduroamlioneap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
shell_escape = yes
}
# Loading module "eduroamvlan" from file /etc/raddb/mods-enabled/eduroamvlan
cache eduroamvlan {
driver = "rlm_cache_rbtree"
key = "%{Calling-Station-Id}"
ttl = 600
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\"
ignore_default = no
ignore_null = no
}
# Loading module "uobsql" from file /etc/raddb/mods-enabled/uobsql
sql uobsql {
driver = "rlm_sql_mysql"
server = "db.nomadic-core.bris.ac.uk"
port = 3306
login = "radiusd"
password = <<< secret >>>
radius_db = "radius"
read_groups = yes
read_profiles = yes
read_clients = no
delete_stale_sessions = yes
sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
default_user_profile = ""
client_query = "SELECT id, nasname, shortname, type, secret, server FROM nas"
authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"
authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{uobsql-sql-Group}' ORDER BY id"
authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{uobsql-sql-Group}' ORDER BY id"
group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority"
simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL"
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
accounting {
reference = "%{tolower:type.%{Acct-Status-Type}.query}"
type {
accounting-on {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
}
accounting-off {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{integer:Event-Timestamp}' - UNIX_TIMESTAMP(acctstarttime), acctterminatecause = '%{%{Acct-Terminate-Cause}:-NAS-Reboot}' WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'"
}
start {
query = "INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctupdatetime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, virtual_server, radius_server, vlan, strippedusername) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{%{NAS-Port-ID}:-%{NAS-Port}}', '%{NAS-Port-Type}', '%S', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Virtual-Server}', '%{Packet-Dst-IP-Address}', '%{Tunnel-Private-Group-Id}', SUBSTRING_INDEX('%{SQL-User-Name}', '@', 1))"
}
interim-update {
query = "UPDATE radacct SET acctupdatetime = (@acctupdatetime_old:=acctupdatetime), acctupdatetime = '%S', acctinterval = %{integer:Event-Timestamp} - UNIX_TIMESTAMP(@acctupdatetime_old), framedipaddress = '%{Framed-IP-Address}', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
stop {
query = "UPDATE radacct SET acctstoptime = '%S', acctsessiontime = %{%{Acct-Session-Time}:-NULL}, acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', connectinfo_stop = '%{Connect-Info}' WHERE AcctUniqueId = '%{Acct-Unique-Session-Id}'"
}
}
}
post-auth {
reference = ".query"
query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')"
}
}
rlm_sql (uobsql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Creating attribute uobsql-SQL-Group
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_dhcp
# Loading module "dhcp" from file /etc/raddb/mods-enabled/dhcp
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "cache-vlan" from file /etc/raddb/mods-enabled/cache-vlan
cache cache-vlan {
driver = "rlm_cache_rbtree"
key = "%{Calling-Station-Id}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loading module "auth_log" from file /etc/raddb/mods-enabled/detail.log
detail auth_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "reply_log" from file /etc/raddb/mods-enabled/detail.log
detail reply_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail pre_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
detail post_proxy_log {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "files-eduroam" from file /etc/raddb/mods-enabled/files-eduroam
files files-eduroam {
usersfile = "/etc/raddb/users.d/users-eduroam"
}
# Loaded module rlm_chap
# Loading module "chap" from file /etc/raddb/mods-enabled/chap
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loading module "cache-ntlm" from file /etc/raddb/mods-enabled/cache-ntlm
cache cache-ntlm {
driver = "rlm_cache_rbtree"
key = "%{User-Name}"
ttl = 3600
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loading module "eduroameap" from file /etc/raddb/mods-enabled/eduroameap
eap eduroameap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
# Loading module "eduroamlioneap-old" from file /etc/raddb/mods-enabled/eduroamlioneap-old
eap eduroamlioneap-old {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loading module "eduroammschap" from file /etc/raddb/mods-enabled/eduroammschap
mschap eduroammschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} "
passchange {
}
allow_retry = no
retry_msg = "Verify username and re-enter your password"
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.attrs.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.attrs.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_accept" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_accept {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_challenge {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.eduroamlocal-a_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-a_reject {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.eduroamlocal-post_proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-post_proxy {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy"
key = "%{User-Name}"
relaxed = no
}
# Loading module "filter.eduroamlocal-pre_proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter filter.eduroamlocal-pre_proxy {
filename = "/etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy"
key = "%{User-Name}"
relaxed = no
}
# Loading module "logtosyslog" from file /etc/raddb/mods-enabled/logtosyslog
linelog logtosyslog {
filename = "syslog"
escape_filenames = no
syslog_facility = "local5"
syslog_severity = "info"
permissions = 384
format = ""
reference = "logtosyslog.%{%{reply:Packet-Type}:-format}"
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loading module "detail" from file /etc/raddb/mods-enabled/detail
detail {
filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
permissions = 384
locking = no
escape_filenames = no
log_packet_header = no
}
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
instantiate {
}
modules {
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "eduroaminfo" from file /etc/raddb/mods-enabled/eduroaminfo
# Instantiating module "uob_detail" from file /etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_detail): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "uob_auth_log" from file /etc/raddb/mods-enabled/uobdetail
rlm_detail (uob_auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "uob_auth_log_password" from file /etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_reply_log" from file /etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_pre_proxy_log" from file /etc/raddb/mods-enabled/uobdetail
# Instantiating module "uob_post_proxy_log" from file /etc/raddb/mods-enabled/uobdetail
# Instantiating module "uobsql-write" from file /etc/raddb/mods-enabled/uobsql-write
rlm_sql_mysql: libmysql version: 5.5.44-MariaDB
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (uobsql-write): Attempting to connect to database "radius"
rlm_sql (uobsql-write): Initialising connection pool
pool {
start = 1
min = 1
max = 2
spare = 1
uses = 10000
lifetime = 300
cleanup_interval = 30
idle_timeout = 60
retry_delay = 60
spread = no
}
rlm_sql (uobsql-write): Opening additional connection (0), 1 of 2 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on db-write.nomadic-core.bris.ac.uk via TCP/IP, server version 5.5.47-MariaDB-wsrep-log, protocol version 10
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess
reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups
reading pairlist file /etc/raddb/mods-config/preprocess/hints
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "logtofile" from file /etc/raddb/mods-enabled/logtofile
# Instantiating module "eduroamlioneap" from file /etc/raddb/mods-enabled/eduroamlioneap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
certificate_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
name = "elln"
max_entries = 20000
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroamlion-inner"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroamlion-inner"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
# Instantiating module "eduroamvlan" from file /etc/raddb/mods-enabled/eduroamvlan
rlm_cache (eduroamvlan): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "uobsql" from file /etc/raddb/mods-enabled/uobsql
mysql {
tls {
}
warnings = "auto"
}
rlm_sql (uobsql): Attempting to connect to database "radius"
rlm_sql (uobsql): Initialising connection pool
pool {
start = 1
min = 1
max = 8
spare = 1
uses = 10000
lifetime = 300
cleanup_interval = 30
idle_timeout = 60
retry_delay = 60
spread = no
}
rlm_sql (uobsql): Opening additional connection (0), 1 of 8 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on db.nomadic-core.bris.ac.uk via TCP/IP, server version 5.5.47-MariaDB-wsrep-log, protocol version 10
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "cache-vlan" from file /etc/raddb/mods-enabled/cache-vlan
rlm_cache (cache-vlan): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log
rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
# Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log
# Instantiating module "files-eduroam" from file /etc/raddb/mods-enabled/files-eduroam
reading pairlist file /etc/raddb/users.d/users-eduroam
# Instantiating module "cache-ntlm" from file /etc/raddb/mods-enabled/cache-ntlm
rlm_cache (cache-ntlm): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eduroameap" from file /etc/raddb/mods-enabled/eduroameap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk.key"
certificate_file = "/etc/raddb/certs/eduroam.wireless.bris.ac.uk-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT:!ADH:!SSLv2"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
name = "eduroamshaca"
max_entries = 20000
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroam-inner"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "eduroamlioneap-old" from file /etc/raddb/mods-enabled/eduroamlioneap-old
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs/eduroam.wireless.key"
certificate_file = "/etc/raddb/certs/eduroam.wireless-cert.pem"
ca_file = "/etc/raddb/certs/uob-net-ca.pem"
dh_file = "/etc/raddb/certs/dh"
fragment_size = 1024
include_length = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
name = "elln"
max_entries = 20000
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroamlion-inner"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "eduroamlion-inner"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "eduroammschap" from file /etc/raddb/mods-enabled/eduroammschap
rlm_mschap (eduroammschap): authenticating by calling 'ntlm_auth'
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "filter.attrs.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/attrs.accounting_response
# Instantiating module "filter.eduroamlocal-a_accept" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_accept
# Instantiating module "filter.eduroamlocal-a_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_challenge
# Instantiating module "filter.eduroamlocal-a_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/eduroamlocal-a_reject
# Instantiating module "filter.eduroamlocal-post_proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/eduroamlocal-post_proxy
# Instantiating module "filter.eduroamlocal-pre_proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/eduroamlocal-pre_proxy
# Instantiating module "logtosyslog" from file /etc/raddb/mods-enabled/logtosyslog
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "detail" from file /etc/raddb/mods-enabled/detail
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
} # modules
  1600. radiusd: #### Loading Virtual Servers ####
  1601. server { # from file /etc/raddb/radiusd.conf
  1602. } # server
  1603. server eduroam-inner { # from file /etc/raddb/sites-enabled/eduroam-inner
  1604. # Loading authenticate {...}
  1605. # Loading authorize {...}
  1606. # Loading preacct {...}
  1607. # Loading accounting {...}
  1608. # Loading post-proxy {...}
  1609. # Loading post-auth {...}
  1610. } # server eduroam-inner
  1611. server eduroamlocal-auth { # from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1612. # Loading authenticate {...}
  1613. # Loading authorize {...}
  1614. # Loading preacct {...}
  1615. # Loading pre-proxy {...}
  1616. # Loading post-proxy {...}
  1617. # Loading post-auth {...}
  1618. } # server eduroamlocal-auth
  1619. server status { # from file /etc/raddb/sites-enabled/status
  1620. # Loading authorize {...}
  1621. } # server status
  1622. server eduroamlion-inner { # from file /etc/raddb/sites-enabled/eduroamlion-inner
  1623. # Loading authenticate {...}
  1624. # Loading authorize {...}
  1625. # Loading post-proxy {...}
  1626. # Loading post-auth {...}
  1627. } # server eduroamlion-inner
  1628. radiusd: #### Opening IP addresses and Ports ####
  1629. listen {
  1630. type = "auth"
  1631. ipaddr = *
  1632. port = 16006
  1633. }
  1634. listen {
  1635. type = "status"
  1636. ipaddr = *
  1637. port = 18120
  1638. client monitor {
  1639. ipaddr = 137.222.7.147
  1640. require_message_authenticator = no
  1641. secret = <<< secret >>>
  1642. shortname = "monitor"
  1643. limit {
  1644. max_connections = 16
  1645. lifetime = 0
  1646. idle_timeout = 30
  1647. }
  1648. }
  1649. client monitorv6 {
  1650. ipv6addr = 2001:630:e4:81:137:222:7:147
  1651. require_message_authenticator = no
  1652. secret = <<< secret >>>
  1653. shortname = "monitorv6"
  1654. limit {
  1655. max_connections = 16
  1656. lifetime = 0
  1657. idle_timeout = 30
  1658. }
  1659. }
  1660. client localhost {
  1661. ipaddr = 127.0.0.1
  1662. require_message_authenticator = no
  1663. secret = <<< secret >>>
  1664. shortname = "localhost"
  1665. limit {
  1666. max_connections = 16
  1667. lifetime = 0
  1668. idle_timeout = 30
  1669. }
  1670. }
  1671. }
  1672. Listening on auth address * port 16006 bound to server eduroamlocal-auth
  1673. Listening on status address * port 18120 bound to server status
  1674. Listening on proxy address * port 36699
  1675. Ready to process requests
  1676. (0) Received Access-Request Id 117 from 172.17.107.208:32770 to 137.222.8.128:16006 length 298
  1677. (0) User-Name = "rh13054@my.bristol.ac.uk"
  1678. (0) Chargeable-User-Identity = 0x00
  1679. (0) Location-Capable = Civix-Location
  1680. (0) Calling-Station-Id = "cc:20:e8:94:41:5a"
  1681. (0) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  1682. (0) NAS-Port = 13
  1683. (0) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  1684. (0) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  1685. (0) NAS-IP-Address = 172.17.107.208
  1686. (0) NAS-Identifier = "wism8"
  1687. (0) Airespace-Wlan-Id = 1
  1688. (0) Service-Type = Framed-User
  1689. (0) Framed-MTU = 1300
  1690. (0) NAS-Port-Type = Wireless-802.11
  1691. (0) Tunnel-Type:0 = VLAN
  1692. (0) Tunnel-Medium-Type:0 = IEEE-802
  1693. (0) Tunnel-Private-Group-Id:0 = "448"
  1694. (0) EAP-Message = 0x0201001d0172683133303534406d792e62726973746f6c2e61632e756b
  1695. (0) Message-Authenticator = 0x8bbcfcc5458efc4cd1a6b79c564eb077
  1696. (0) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1697. (0) authorize {
  1698. (0) policy rewrite_calling_station_id {
  1699. (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1700. (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  1701. (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1702. (0) update request {
  1703. (0) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  1704. (0) --> CC-20-E8-94-41-5A
  1705. (0) &Calling-Station-Id := CC-20-E8-94-41-5A
  1706. (0) } # update request = noop
  1707. (0) [updated] = updated
  1708. (0) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  1709. (0) ... skipping else for request 0: Preceding "if" was taken
  1710. (0) } # policy rewrite_calling_station_id = updated
  1711. (0) policy wism-checks {
  1712. (0) if (Service-Type == "NAS-Prompt-User") {
  1713. (0) if (Service-Type == "NAS-Prompt-User") -> FALSE
  1714. (0) } # policy wism-checks = updated
  1715. (0) [preprocess] = ok
  1716. (0) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  1717. (0) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  1718. (0) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  1719. (0) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  1720. (0) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1721. (0) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  1722. (0) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1723. (0) suffix: Checking for suffix after "@"
  1724. (0) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  1725. (0) suffix: Found realm "my.bristol.ac.uk"
  1726. (0) suffix: Adding Stripped-User-Name = "rh13054"
  1727. (0) suffix: Adding Realm = "my.bristol.ac.uk"
  1728. (0) suffix: Authentication realm is LOCAL
  1729. (0) [suffix] = ok
  1730. (0) update request {
  1731. (0) Realm := "my.bristol.ac.uk"
  1732. (0) } # update request = noop
  1733. (0) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  1734. (0) ... skipping elsif for request 0: Preceding "if" was taken
  1735. (0) ... skipping else for request 0: Preceding "if" was taken
  1736. (0) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  1737. (0) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1738. (0) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  1739. (0) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1740. (0) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  1741. (0) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1742. (0) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  1743. (0) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  1744. (0) else {
  1745. (0) eduroameap: Peer sent EAP Response (code 2) ID 1 length 29
  1746. (0) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1747. (0) [eduroameap] = ok
  1748. (0) } # else = ok
  1749. (0) } # authorize = updated
  1750. (0) Found Auth-Type = eduroameap
  1751. (0) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1752. (0) Auth-Type eduroameap {
  1753. (0) eduroameap: Peer sent packet with method EAP Identity (1)
  1754. (0) eduroameap: Calling submodule eap_peap to process data
  1755. (0) eap_peap: Initiating new EAP-TLS session
  1756. (0) eap_peap: [eaptls start] = request
  1757. (0) eduroameap: Sending EAP Request (code 1) ID 2 length 6
  1758. (0) eduroameap: EAP session adding &reply:State = 0x981efa54981ce373
  1759. (0) [eduroameap] = handled
  1760. (0) if (handled && (Response-Packet-Type == Access-Challenge)) {
  1761. (0) EXPAND Response-Packet-Type
  1762. (0) --> Access-Challenge
  1763. (0) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  1764. (0) if (handled && (Response-Packet-Type == Access-Challenge)) {
  1765. (0) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  1766. (0) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  1767. (0) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  1768. (0) [filter.eduroamlocal-a_challenge.post-auth] = updated
  1769. (0) [handled] = handled
  1770. (0) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  1771. (0) } # Auth-Type eduroameap = handled
  1772. (0) Using Post-Auth-Type Challenge
  1773. (0) Post-Auth-Type sub-section not found. Ignoring.
  1774. (0) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1775. (0) Sent Access-Challenge Id 117 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  1776. (0) EAP-Message = 0x010200061920
  1777. (0) Message-Authenticator = 0x00000000000000000000000000000000
  1778. (0) State = 0x981efa54981ce373e1f53dd3e32d7728
  1779. (0) Finished request
  1780. Waking up in 4.9 seconds.
  1781. (1) Received Access-Request Id 118 from 172.17.107.208:32770 to 137.222.8.128:16006 length 462
  1782. (1) User-Name = "rh13054@my.bristol.ac.uk"
  1783. (1) Chargeable-User-Identity = 0x00
  1784. (1) Location-Capable = Civix-Location
  1785. (1) Calling-Station-Id = "cc:20:e8:94:41:5a"
  1786. (1) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  1787. (1) NAS-Port = 13
  1788. (1) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  1789. (1) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  1790. (1) NAS-IP-Address = 172.17.107.208
  1791. (1) NAS-Identifier = "wism8"
  1792. (1) Airespace-Wlan-Id = 1
  1793. (1) Service-Type = Framed-User
  1794. (1) Framed-MTU = 1300
  1795. (1) NAS-Port-Type = Wireless-802.11
  1796. (1) Tunnel-Type:0 = VLAN
  1797. (1) Tunnel-Medium-Type:0 = IEEE-802
  1798. (1) Tunnel-Private-Group-Id:0 = "448"
  1799. (1) EAP-Message = 0x020200af1980000000a516030100a00100009c030156bc96f86353775ba32ac8684dd6a78bf8769a0bc7baa4e732b0f1b15f630332204cce26d6a08c5a4411626708a5a75ea642868be8ed3aea79c0836e810b7a51f6003400ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c01200
  1800. (1) State = 0x981efa54981ce373e1f53dd3e32d7728
  1801. (1) Message-Authenticator = 0xeff71ac975525ab1aefc4b3bbf9f6ffd
  1802. (1) session-state: No cached attributes
  1803. (1) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1804. (1) authorize {
  1805. (1) policy rewrite_calling_station_id {
  1806. (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1807. (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  1808. (1) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1809. (1) update request {
  1810. (1) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  1811. (1) --> CC-20-E8-94-41-5A
  1812. (1) &Calling-Station-Id := CC-20-E8-94-41-5A
  1813. (1) } # update request = noop
  1814. (1) [updated] = updated
  1815. (1) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  1816. (1) ... skipping else for request 1: Preceding "if" was taken
  1817. (1) } # policy rewrite_calling_station_id = updated
  1818. (1) policy wism-checks {
  1819. (1) if (Service-Type == "NAS-Prompt-User") {
  1820. (1) if (Service-Type == "NAS-Prompt-User") -> FALSE
  1821. (1) } # policy wism-checks = updated
  1822. (1) [preprocess] = ok
  1823. (1) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  1824. (1) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  1825. (1) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  1826. (1) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  1827. (1) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1828. (1) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  1829. (1) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1830. (1) suffix: Checking for suffix after "@"
  1831. (1) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  1832. (1) suffix: Found realm "my.bristol.ac.uk"
  1833. (1) suffix: Adding Stripped-User-Name = "rh13054"
  1834. (1) suffix: Adding Realm = "my.bristol.ac.uk"
  1835. (1) suffix: Authentication realm is LOCAL
  1836. (1) [suffix] = ok
  1837. (1) update request {
  1838. (1) Realm := "my.bristol.ac.uk"
  1839. (1) } # update request = noop
  1840. (1) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  1841. (1) ... skipping elsif for request 1: Preceding "if" was taken
  1842. (1) ... skipping else for request 1: Preceding "if" was taken
  1843. (1) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  1844. (1) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1845. (1) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  1846. (1) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1847. (1) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  1848. (1) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1849. (1) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  1850. (1) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  1851. (1) else {
  1852. (1) eduroameap: Peer sent EAP Response (code 2) ID 2 length 175
  1853. (1) eduroameap: Continuing tunnel setup
  1854. (1) [eduroameap] = ok
  1855. (1) } # else = ok
  1856. (1) } # authorize = updated
  1857. (1) Found Auth-Type = eduroameap
  1858. (1) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1859. (1) Auth-Type eduroameap {
  1860. (1) eduroameap: Expiring EAP session with state 0x981efa54981ce373
  1861. (1) eduroameap: Finished EAP session with state 0x981efa54981ce373
  1862. (1) eduroameap: Previous EAP request found for state 0x981efa54981ce373, released from the list
  1863. (1) eduroameap: Peer sent packet with method EAP PEAP (25)
  1864. (1) eduroameap: Calling submodule eap_peap to process data
  1865. (1) eap_peap: Continuing EAP-TLS
  1866. (1) eap_peap: Peer indicated complete TLS record size will be 165 bytes
  1867. (1) eap_peap: Got complete TLS record (165 bytes)
  1868. (1) eap_peap: [eaptls verify] = length included
  1869. (1) eap_peap: (other): before/accept initialization
  1870. (1) eap_peap: TLS_accept: before/accept initialization
  1871. (1) eap_peap: <<< TLS 1.0 Handshake [length 00a0], ClientHello
  1872. (1) eap_peap: TLS_accept: SSLv3 read client hello A
  1873. (1) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
  1874. (1) eap_peap: TLS_accept: SSLv3 write server hello A
  1875. (1) eap_peap: >>> TLS 1.0 Handshake [length 0962], Certificate
  1876. (1) eap_peap: TLS_accept: SSLv3 write certificate A
  1877. (1) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  1878. (1) eap_peap: TLS_accept: SSLv3 write key exchange A
  1879. (1) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  1880. (1) eap_peap: TLS_accept: SSLv3 write server done A
  1881. (1) eap_peap: TLS_accept: SSLv3 flush data
  1882. (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  1883. (1) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  1884. (1) eap_peap: In SSL Handshake Phase
  1885. (1) eap_peap: In SSL Accept mode
  1886. (1) eap_peap: [eaptls process] = handled
  1887. (1) eduroameap: Sending EAP Request (code 1) ID 3 length 1004
  1888. (1) eduroameap: EAP session adding &reply:State = 0x981efa54991de373
  1889. (1) [eduroameap] = handled
  1890. (1) if (handled && (Response-Packet-Type == Access-Challenge)) {
  1891. (1) EXPAND Response-Packet-Type
  1892. (1) --> Access-Challenge
  1893. (1) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  1894. (1) if (handled && (Response-Packet-Type == Access-Challenge)) {
  1895. (1) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  1896. (1) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  1897. (1) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  1898. (1) [filter.eduroamlocal-a_challenge.post-auth] = updated
  1899. (1) [handled] = handled
  1900. (1) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  1901. (1) } # Auth-Type eduroameap = handled
  1902. (1) Using Post-Auth-Type Challenge
  1903. (1) Post-Auth-Type sub-section not found. Ignoring.
  1904. (1) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1905. (1) Sent Access-Challenge Id 118 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  1906. (1) EAP-Message = 0x010303ec19c000000afe160301003902000035030156bc96f869b38bfaa2d1a13e658b3d86aa4d87f742918f290b268daaae3af28200c01400000dff01000100000b00040300010216030109620b00095e00095b00041e3082041a30820302a0030201020203100018300d06092a864886f70d01010505
  1907. (1) Message-Authenticator = 0x00000000000000000000000000000000
  1908. (1) State = 0x981efa54991de373e1f53dd3e32d7728
  1909. (1) Finished request
  1910. Waking up in 4.9 seconds.
  1911. (2) Received Access-Request Id 119 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  1912. (2) User-Name = "rh13054@my.bristol.ac.uk"
  1913. (2) Chargeable-User-Identity = 0x00
  1914. (2) Location-Capable = Civix-Location
  1915. (2) Calling-Station-Id = "cc:20:e8:94:41:5a"
  1916. (2) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  1917. (2) NAS-Port = 13
  1918. (2) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  1919. (2) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  1920. (2) NAS-IP-Address = 172.17.107.208
  1921. (2) NAS-Identifier = "wism8"
  1922. (2) Airespace-Wlan-Id = 1
  1923. (2) Service-Type = Framed-User
  1924. (2) Framed-MTU = 1300
  1925. (2) NAS-Port-Type = Wireless-802.11
  1926. (2) Tunnel-Type:0 = VLAN
  1927. (2) Tunnel-Medium-Type:0 = IEEE-802
  1928. (2) Tunnel-Private-Group-Id:0 = "448"
  1929. (2) EAP-Message = 0x020300061900
  1930. (2) State = 0x981efa54991de373e1f53dd3e32d7728
  1931. (2) Message-Authenticator = 0x1e63c92959288648d0e1fdc5e20b953d
  1932. (2) session-state: No cached attributes
  1933. (2) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1934. (2) authorize {
  1935. (2) policy rewrite_calling_station_id {
  1936. (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1937. (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  1938. (2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  1939. (2) update request {
  1940. (2) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  1941. (2) --> CC-20-E8-94-41-5A
  1942. (2) &Calling-Station-Id := CC-20-E8-94-41-5A
  1943. (2) } # update request = noop
  1944. (2) [updated] = updated
  1945. (2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  1946. (2) ... skipping else for request 2: Preceding "if" was taken
  1947. (2) } # policy rewrite_calling_station_id = updated
  1948. (2) policy wism-checks {
  1949. (2) if (Service-Type == "NAS-Prompt-User") {
  1950. (2) if (Service-Type == "NAS-Prompt-User") -> FALSE
  1951. (2) } # policy wism-checks = updated
  1952. (2) [preprocess] = ok
  1953. (2) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  1954. (2) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  1955. (2) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  1956. (2) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  1957. (2) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1958. (2) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  1959. (2) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  1960. (2) suffix: Checking for suffix after "@"
  1961. (2) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  1962. (2) suffix: Found realm "my.bristol.ac.uk"
  1963. (2) suffix: Adding Stripped-User-Name = "rh13054"
  1964. (2) suffix: Adding Realm = "my.bristol.ac.uk"
  1965. (2) suffix: Authentication realm is LOCAL
  1966. (2) [suffix] = ok
  1967. (2) update request {
  1968. (2) Realm := "my.bristol.ac.uk"
  1969. (2) } # update request = noop
  1970. (2) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  1971. (2) ... skipping elsif for request 2: Preceding "if" was taken
  1972. (2) ... skipping else for request 2: Preceding "if" was taken
  1973. (2) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  1974. (2) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1975. (2) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  1976. (2) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1977. (2) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  1978. (2) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  1979. (2) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  1980. (2) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  1981. (2) else {
  1982. (2) eduroameap: Peer sent EAP Response (code 2) ID 3 length 6
  1983. (2) eduroameap: Continuing tunnel setup
  1984. (2) [eduroameap] = ok
  1985. (2) } # else = ok
  1986. (2) } # authorize = updated
  1987. (2) Found Auth-Type = eduroameap
  1988. (2) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  1989. (2) Auth-Type eduroameap {
  1990. (2) eduroameap: Expiring EAP session with state 0x981efa54991de373
  1991. (2) eduroameap: Finished EAP session with state 0x981efa54991de373
  1992. (2) eduroameap: Previous EAP request found for state 0x981efa54991de373, released from the list
  1993. (2) eduroameap: Peer sent packet with method EAP PEAP (25)
  1994. (2) eduroameap: Calling submodule eap_peap to process data
  1995. (2) eap_peap: Continuing EAP-TLS
  1996. (2) eap_peap: Peer ACKed our handshake fragment
  1997. (2) eap_peap: [eaptls verify] = request
  1998. (2) eap_peap: [eaptls process] = handled
  1999. (2) eduroameap: Sending EAP Request (code 1) ID 4 length 1000
  2000. (2) eduroameap: EAP session adding &reply:State = 0x981efa549a1ae373
  2001. (2) [eduroameap] = handled
  2002. (2) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2003. (2) EXPAND Response-Packet-Type
  2004. (2) --> Access-Challenge
  2005. (2) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2006. (2) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2007. (2) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2008. (2) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2009. (2) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2010. (2) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2011. (2) [handled] = handled
  2012. (2) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2013. (2) } # Auth-Type eduroameap = handled
  2014. (2) Using Post-Auth-Type Challenge
  2015. (2) Post-Auth-Type sub-section not found. Ignoring.
  2016. (2) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2017. (2) Sent Access-Challenge Id 119 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2018. (2) EAP-Message = 0x010403e819401d2cf1d58f4dba2bd1120d6bedf8276592c881c781799b8f10ae54cb4827b40eb2cf8e47257082cc86b3a2942093f979c9fcd6717ee8896d352f6646c54e584c3a798453deeaf94dbe01ea370644beb43f63b6834155f52416c1c5262706477100b872f8c00c2c836a82b31c164acf9482
  2019. (2) Message-Authenticator = 0x00000000000000000000000000000000
  2020. (2) State = 0x981efa549a1ae373e1f53dd3e32d7728
  2021. (2) Finished request
  2022. Waking up in 4.9 seconds.
  2023. (3) Received Access-Request Id 120 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  2024. (3) User-Name = "rh13054@my.bristol.ac.uk"
  2025. (3) Chargeable-User-Identity = 0x00
  2026. (3) Location-Capable = Civix-Location
  2027. (3) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2028. (3) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2029. (3) NAS-Port = 13
  2030. (3) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2031. (3) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2032. (3) NAS-IP-Address = 172.17.107.208
  2033. (3) NAS-Identifier = "wism8"
  2034. (3) Airespace-Wlan-Id = 1
  2035. (3) Service-Type = Framed-User
  2036. (3) Framed-MTU = 1300
  2037. (3) NAS-Port-Type = Wireless-802.11
  2038. (3) Tunnel-Type:0 = VLAN
  2039. (3) Tunnel-Medium-Type:0 = IEEE-802
  2040. (3) Tunnel-Private-Group-Id:0 = "448"
  2041. (3) EAP-Message = 0x020400061900
  2042. (3) State = 0x981efa549a1ae373e1f53dd3e32d7728
  2043. (3) Message-Authenticator = 0x0de50fe04d0fed307db9b2d6849ca955
  2044. (3) session-state: No cached attributes
  2045. (3) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2046. (3) authorize {
  2047. (3) policy rewrite_calling_station_id {
  2048. (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2049. (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2050. (3) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2051. (3) update request {
  2052. (3) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2053. (3) --> CC-20-E8-94-41-5A
  2054. (3) &Calling-Station-Id := CC-20-E8-94-41-5A
  2055. (3) } # update request = noop
  2056. (3) [updated] = updated
  2057. (3) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2058. (3) ... skipping else for request 3: Preceding "if" was taken
  2059. (3) } # policy rewrite_calling_station_id = updated
  2060. (3) policy wism-checks {
  2061. (3) if (Service-Type == "NAS-Prompt-User") {
  2062. (3) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2063. (3) } # policy wism-checks = updated
  2064. (3) [preprocess] = ok
  2065. (3) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2066. (3) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2067. (3) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2068. (3) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2069. (3) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2070. (3) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2071. (3) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2072. (3) suffix: Checking for suffix after "@"
  2073. (3) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2074. (3) suffix: Found realm "my.bristol.ac.uk"
  2075. (3) suffix: Adding Stripped-User-Name = "rh13054"
  2076. (3) suffix: Adding Realm = "my.bristol.ac.uk"
  2077. (3) suffix: Authentication realm is LOCAL
  2078. (3) [suffix] = ok
  2079. (3) update request {
  2080. (3) Realm := "my.bristol.ac.uk"
  2081. (3) } # update request = noop
  2082. (3) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2083. (3) ... skipping elsif for request 3: Preceding "if" was taken
  2084. (3) ... skipping else for request 3: Preceding "if" was taken
  2085. (3) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2086. (3) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2087. (3) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2088. (3) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2089. (3) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2090. (3) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2091. (3) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2092. (3) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2093. (3) else {
  2094. (3) eduroameap: Peer sent EAP Response (code 2) ID 4 length 6
  2095. (3) eduroameap: Continuing tunnel setup
  2096. (3) [eduroameap] = ok
  2097. (3) } # else = ok
  2098. (3) } # authorize = updated
  2099. (3) Found Auth-Type = eduroameap
  2100. (3) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2101. (3) Auth-Type eduroameap {
  2102. (3) eduroameap: Expiring EAP session with state 0x981efa549a1ae373
  2103. (3) eduroameap: Finished EAP session with state 0x981efa549a1ae373
  2104. (3) eduroameap: Previous EAP request found for state 0x981efa549a1ae373, released from the list
  2105. (3) eduroameap: Peer sent packet with method EAP PEAP (25)
  2106. (3) eduroameap: Calling submodule eap_peap to process data
  2107. (3) eap_peap: Continuing EAP-TLS
  2108. (3) eap_peap: Peer ACKed our handshake fragment
  2109. (3) eap_peap: [eaptls verify] = request
  2110. (3) eap_peap: [eaptls process] = handled
  2111. (3) eduroameap: Sending EAP Request (code 1) ID 5 length 832
  2112. (3) eduroameap: EAP session adding &reply:State = 0x981efa549b1be373
  2113. (3) [eduroameap] = handled
  2114. (3) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2115. (3) EXPAND Response-Packet-Type
  2116. (3) --> Access-Challenge
  2117. (3) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2118. (3) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2119. (3) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2120. (3) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2121. (3) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2122. (3) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2123. (3) [handled] = handled
  2124. (3) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2125. (3) } # Auth-Type eduroameap = handled
  2126. (3) Using Post-Auth-Type Challenge
  2127. (3) Post-Auth-Type sub-section not found. Ignoring.
  2128. (3) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2129. (3) Sent Access-Challenge Id 120 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2130. (3) EAP-Message = 0x010503401900c1311e301c060355040a1315556e6976657273697479206f662042726973746f6c311f301d060355040b1316495420536572766963657320284e6574776f726b73293129302706092a864886f70d010901161a736572766963652d6465736b4062726973746f6c2e61632e756b3110300e
  2131. (3) Message-Authenticator = 0x00000000000000000000000000000000
  2132. (3) State = 0x981efa549b1be373e1f53dd3e32d7728
  2133. (3) Finished request
  2134. Waking up in 4.9 seconds.
  2135. (4) Received Access-Request Id 121 from 172.17.107.208:32770 to 137.222.8.128:16006 length 431
  2136. (4) User-Name = "rh13054@my.bristol.ac.uk"
  2137. (4) Chargeable-User-Identity = 0x00
  2138. (4) Location-Capable = Civix-Location
  2139. (4) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2140. (4) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2141. (4) NAS-Port = 13
  2142. (4) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2143. (4) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2144. (4) NAS-IP-Address = 172.17.107.208
  2145. (4) NAS-Identifier = "wism8"
  2146. (4) Airespace-Wlan-Id = 1
  2147. (4) Service-Type = Framed-User
  2148. (4) Framed-MTU = 1300
  2149. (4) NAS-Port-Type = Wireless-802.11
  2150. (4) Tunnel-Type:0 = VLAN
  2151. (4) Tunnel-Medium-Type:0 = IEEE-802
  2152. (4) Tunnel-Private-Group-Id:0 = "448"
  2153. (4) EAP-Message = 0x020500901980000000861603010046100000424104071ffe5365c1f3368d2a2cac0d32bb3a3110dba5129d45d1064aa9dc76e2c123a3ca7156fe2a8911580f7871a57edece0eedfdc099d135c841c0cd4ad8222df614030100010116030100300546a6f2702bb054f409567ff99a0496c6a86d4b876a26
  2154. (4) State = 0x981efa549b1be373e1f53dd3e32d7728
  2155. (4) Message-Authenticator = 0x07e74609a90f6701d8699f514c3e6546
  2156. (4) session-state: No cached attributes
  2157. (4) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2158. (4) authorize {
  2159. (4) policy rewrite_calling_station_id {
  2160. (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2161. (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2162. (4) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2163. (4) update request {
  2164. (4) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2165. (4) --> CC-20-E8-94-41-5A
  2166. (4) &Calling-Station-Id := CC-20-E8-94-41-5A
  2167. (4) } # update request = noop
  2168. (4) [updated] = updated
  2169. (4) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2170. (4) ... skipping else for request 4: Preceding "if" was taken
  2171. (4) } # policy rewrite_calling_station_id = updated
  2172. (4) policy wism-checks {
  2173. (4) if (Service-Type == "NAS-Prompt-User") {
  2174. (4) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2175. (4) } # policy wism-checks = updated
  2176. (4) [preprocess] = ok
  2177. (4) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2178. (4) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2179. (4) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2180. (4) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2181. (4) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2182. (4) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2183. (4) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2184. (4) suffix: Checking for suffix after "@"
  2185. (4) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2186. (4) suffix: Found realm "my.bristol.ac.uk"
  2187. (4) suffix: Adding Stripped-User-Name = "rh13054"
  2188. (4) suffix: Adding Realm = "my.bristol.ac.uk"
  2189. (4) suffix: Authentication realm is LOCAL
  2190. (4) [suffix] = ok
  2191. (4) update request {
  2192. (4) Realm := "my.bristol.ac.uk"
  2193. (4) } # update request = noop
  2194. (4) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2195. (4) ... skipping elsif for request 4: Preceding "if" was taken
  2196. (4) ... skipping else for request 4: Preceding "if" was taken
  2197. (4) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2198. (4) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2199. (4) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2200. (4) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2201. (4) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2202. (4) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2203. (4) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2204. (4) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2205. (4) else {
  2206. (4) eduroameap: Peer sent EAP Response (code 2) ID 5 length 144
  2207. (4) eduroameap: Continuing tunnel setup
  2208. (4) [eduroameap] = ok
  2209. (4) } # else = ok
  2210. (4) } # authorize = updated
  2211. (4) Found Auth-Type = eduroameap
  2212. (4) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2213. (4) Auth-Type eduroameap {
  2214. (4) eduroameap: Expiring EAP session with state 0x981efa549b1be373
  2215. (4) eduroameap: Finished EAP session with state 0x981efa549b1be373
  2216. (4) eduroameap: Previous EAP request found for state 0x981efa549b1be373, released from the list
  2217. (4) eduroameap: Peer sent packet with method EAP PEAP (25)
  2218. (4) eduroameap: Calling submodule eap_peap to process data
  2219. (4) eap_peap: Continuing EAP-TLS
  2220. (4) eap_peap: Peer indicated complete TLS record size will be 134 bytes
  2221. (4) eap_peap: Got complete TLS record (134 bytes)
  2222. (4) eap_peap: [eaptls verify] = length included
  2223. (4) eap_peap: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
  2224. (4) eap_peap: TLS_accept: SSLv3 read client key exchange A
  2225. (4) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  2226. (4) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
  2227. (4) eap_peap: TLS_accept: SSLv3 read finished A
  2228. (4) eap_peap: >>> TLS 1.0 ChangeCipherSpec [length 0001]
  2229. (4) eap_peap: TLS_accept: SSLv3 write change cipher spec A
  2230. (4) eap_peap: >>> TLS 1.0 Handshake [length 0010], Finished
  2231. (4) eap_peap: TLS_accept: SSLv3 write finished A
  2232. (4) eap_peap: TLS_accept: SSLv3 flush data
  2233. (4) eap_peap: (other): SSL negotiation finished successfully
  2234. (4) eap_peap: SSL Connection Established
  2235. (4) eap_peap: [eaptls process] = handled
  2236. (4) eduroameap: Sending EAP Request (code 1) ID 6 length 65
  2237. (4) eduroameap: EAP session adding &reply:State = 0x981efa549c18e373
  2238. (4) [eduroameap] = handled
  2239. (4) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2240. (4) EXPAND Response-Packet-Type
  2241. (4) --> Access-Challenge
  2242. (4) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2243. (4) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2244. (4) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2245. (4) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2246. (4) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2247. (4) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2248. (4) [handled] = handled
  2249. (4) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2250. (4) } # Auth-Type eduroameap = handled
  2251. (4) Using Post-Auth-Type Challenge
  2252. (4) Post-Auth-Type sub-section not found. Ignoring.
  2253. (4) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2254. (4) Sent Access-Challenge Id 121 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2255. (4) EAP-Message = 0x0106004119001403010001011603010030fb8c87ae43555ceef1162d1400c0885cd27b9d9ba6b6213dd22e2a864d873531a93a32c87593af7f4226e61dbe8cfd40
  2256. (4) Message-Authenticator = 0x00000000000000000000000000000000
  2257. (4) State = 0x981efa549c18e373e1f53dd3e32d7728
  2258. (4) Finished request
  2259. Waking up in 4.8 seconds.
  2260. (5) Received Access-Request Id 122 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  2261. (5) User-Name = "rh13054@my.bristol.ac.uk"
  2262. (5) Chargeable-User-Identity = 0x00
  2263. (5) Location-Capable = Civix-Location
  2264. (5) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2265. (5) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2266. (5) NAS-Port = 13
  2267. (5) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2268. (5) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2269. (5) NAS-IP-Address = 172.17.107.208
  2270. (5) NAS-Identifier = "wism8"
  2271. (5) Airespace-Wlan-Id = 1
  2272. (5) Service-Type = Framed-User
  2273. (5) Framed-MTU = 1300
  2274. (5) NAS-Port-Type = Wireless-802.11
  2275. (5) Tunnel-Type:0 = VLAN
  2276. (5) Tunnel-Medium-Type:0 = IEEE-802
  2277. (5) Tunnel-Private-Group-Id:0 = "448"
  2278. (5) EAP-Message = 0x020600061900
  2279. (5) State = 0x981efa549c18e373e1f53dd3e32d7728
  2280. (5) Message-Authenticator = 0xbe5923b1e2f0b41fb535cd11788c0709
  2281. (5) session-state: No cached attributes
  2282. (5) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2283. (5) authorize {
  2284. (5) policy rewrite_calling_station_id {
  2285. (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2286. (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2287. (5) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2288. (5) update request {
  2289. (5) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2290. (5) --> CC-20-E8-94-41-5A
  2291. (5) &Calling-Station-Id := CC-20-E8-94-41-5A
  2292. (5) } # update request = noop
  2293. (5) [updated] = updated
  2294. (5) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2295. (5) ... skipping else for request 5: Preceding "if" was taken
  2296. (5) } # policy rewrite_calling_station_id = updated
  2297. (5) policy wism-checks {
  2298. (5) if (Service-Type == "NAS-Prompt-User") {
  2299. (5) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2300. (5) } # policy wism-checks = updated
  2301. (5) [preprocess] = ok
  2302. (5) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2303. (5) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2304. (5) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2305. (5) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2306. (5) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2307. (5) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2308. (5) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2309. (5) suffix: Checking for suffix after "@"
  2310. (5) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2311. (5) suffix: Found realm "my.bristol.ac.uk"
  2312. (5) suffix: Adding Stripped-User-Name = "rh13054"
  2313. (5) suffix: Adding Realm = "my.bristol.ac.uk"
  2314. (5) suffix: Authentication realm is LOCAL
  2315. (5) [suffix] = ok
  2316. (5) update request {
  2317. (5) Realm := "my.bristol.ac.uk"
  2318. (5) } # update request = noop
  2319. (5) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2320. (5) ... skipping elsif for request 5: Preceding "if" was taken
  2321. (5) ... skipping else for request 5: Preceding "if" was taken
  2322. (5) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2323. (5) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2324. (5) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2325. (5) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2326. (5) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2327. (5) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2328. (5) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2329. (5) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2330. (5) else {
  2331. (5) eduroameap: Peer sent EAP Response (code 2) ID 6 length 6
  2332. (5) eduroameap: Continuing tunnel setup
  2333. (5) [eduroameap] = ok
  2334. (5) } # else = ok
  2335. (5) } # authorize = updated
  2336. (5) Found Auth-Type = eduroameap
  2337. (5) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2338. (5) Auth-Type eduroameap {
  2339. (5) eduroameap: Expiring EAP session with state 0x981efa549c18e373
  2340. (5) eduroameap: Finished EAP session with state 0x981efa549c18e373
  2341. (5) eduroameap: Previous EAP request found for state 0x981efa549c18e373, released from the list
  2342. (5) eduroameap: Peer sent packet with method EAP PEAP (25)
  2343. (5) eduroameap: Calling submodule eap_peap to process data
  2344. (5) eap_peap: Continuing EAP-TLS
  2345. (5) eap_peap: Peer ACKed our handshake fragment. handshake is finished
  2346. (5) eap_peap: [eaptls verify] = success
  2347. (5) eap_peap: [eaptls process] = success
  2348. (5) eap_peap: Session established. Decoding tunneled attributes
  2349. (5) eap_peap: PEAP state TUNNEL ESTABLISHED
  2350. (5) eduroameap: Sending EAP Request (code 1) ID 7 length 43
  2351. (5) eduroameap: EAP session adding &reply:State = 0x981efa549d19e373
  2352. (5) [eduroameap] = handled
  2353. (5) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2354. (5) EXPAND Response-Packet-Type
  2355. (5) --> Access-Challenge
  2356. (5) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2357. (5) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2358. (5) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2359. (5) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2360. (5) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2361. (5) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2362. (5) [handled] = handled
  2363. (5) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2364. (5) } # Auth-Type eduroameap = handled
  2365. (5) Using Post-Auth-Type Challenge
  2366. (5) Post-Auth-Type sub-section not found. Ignoring.
  2367. (5) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2368. (5) Sent Access-Challenge Id 122 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2369. (5) EAP-Message = 0x0107002b190017030100206cf97756d79cb2b86784ccbe440a0656afd972de26868be461ee174eed4d57d4
  2370. (5) Message-Authenticator = 0x00000000000000000000000000000000
  2371. (5) State = 0x981efa549d19e373e1f53dd3e32d7728
  2372. (5) Finished request
  2373. Waking up in 4.8 seconds.
  2374. (6) Received Access-Request Id 123 from 172.17.107.208:32770 to 137.222.8.128:16006 length 346
  2375. (6) User-Name = "rh13054@my.bristol.ac.uk"
  2376. (6) Chargeable-User-Identity = 0x00
  2377. (6) Location-Capable = Civix-Location
  2378. (6) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2379. (6) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2380. (6) NAS-Port = 13
  2381. (6) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2382. (6) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2383. (6) NAS-IP-Address = 172.17.107.208
  2384. (6) NAS-Identifier = "wism8"
  2385. (6) Airespace-Wlan-Id = 1
  2386. (6) Service-Type = Framed-User
  2387. (6) Framed-MTU = 1300
  2388. (6) NAS-Port-Type = Wireless-802.11
  2389. (6) Tunnel-Type:0 = VLAN
  2390. (6) Tunnel-Medium-Type:0 = IEEE-802
  2391. (6) Tunnel-Private-Group-Id:0 = "448"
  2392. (6) EAP-Message = 0x0207003b190017030100301233d05d6d8e6580fa58af09e273fdc701024a107ed1123308800faed5432384e90366259726f392fa1385e2bce77e50
  2393. (6) State = 0x981efa549d19e373e1f53dd3e32d7728
  2394. (6) Message-Authenticator = 0x7ae184660efe3838d1beadbceb1b8e52
  2395. (6) session-state: No cached attributes
  2396. (6) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2397. (6) authorize {
  2398. (6) policy rewrite_calling_station_id {
  2399. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2400. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2401. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2402. (6) update request {
  2403. (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2404. (6) --> CC-20-E8-94-41-5A
  2405. (6) &Calling-Station-Id := CC-20-E8-94-41-5A
  2406. (6) } # update request = noop
  2407. (6) [updated] = updated
  2408. (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2409. (6) ... skipping else for request 6: Preceding "if" was taken
  2410. (6) } # policy rewrite_calling_station_id = updated
  2411. (6) policy wism-checks {
  2412. (6) if (Service-Type == "NAS-Prompt-User") {
  2413. (6) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2414. (6) } # policy wism-checks = updated
  2415. (6) [preprocess] = ok
  2416. (6) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2417. (6) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2418. (6) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2419. (6) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2420. (6) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2421. (6) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2422. (6) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2423. (6) suffix: Checking for suffix after "@"
  2424. (6) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2425. (6) suffix: Found realm "my.bristol.ac.uk"
  2426. (6) suffix: Adding Stripped-User-Name = "rh13054"
  2427. (6) suffix: Adding Realm = "my.bristol.ac.uk"
  2428. (6) suffix: Authentication realm is LOCAL
  2429. (6) [suffix] = ok
  2430. (6) update request {
  2431. (6) Realm := "my.bristol.ac.uk"
  2432. (6) } # update request = noop
  2433. (6) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2434. (6) ... skipping elsif for request 6: Preceding "if" was taken
  2435. (6) ... skipping else for request 6: Preceding "if" was taken
  2436. (6) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2437. (6) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2438. (6) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2439. (6) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2440. (6) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2441. (6) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2442. (6) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2443. (6) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2444. (6) else {
  2445. (6) eduroameap: Peer sent EAP Response (code 2) ID 7 length 59
  2446. (6) eduroameap: Continuing tunnel setup
  2447. (6) [eduroameap] = ok
  2448. (6) } # else = ok
  2449. (6) } # authorize = updated
  2450. (6) Found Auth-Type = eduroameap
  2451. (6) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2452. (6) Auth-Type eduroameap {
  2453. (6) eduroameap: Expiring EAP session with state 0x981efa549d19e373
  2454. (6) eduroameap: Finished EAP session with state 0x981efa549d19e373
  2455. (6) eduroameap: Previous EAP request found for state 0x981efa549d19e373, released from the list
  2456. (6) eduroameap: Peer sent packet with method EAP PEAP (25)
  2457. (6) eduroameap: Calling submodule eap_peap to process data
  2458. (6) eap_peap: Continuing EAP-TLS
  2459. (6) eap_peap: [eaptls verify] = ok
  2460. (6) eap_peap: Done initial handshake
  2461. (6) eap_peap: [eaptls process] = ok
  2462. (6) eap_peap: Session established. Decoding tunneled attributes
  2463. (6) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  2464. (6) eap_peap: Identity - rh13054@my.bristol.ac.uk
  2465. (6) eap_peap: Got inner identity 'rh13054@my.bristol.ac.uk'
  2466. (6) eap_peap: Setting default EAP type for tunneled EAP session
  2467. (6) eap_peap: Got tunneled request
  2468. (6) eap_peap: EAP-Message = 0x0207001d0172683133303534406d792e62726973746f6c2e61632e756b
  2469. (6) eap_peap: Setting User-Name to rh13054@my.bristol.ac.uk
  2470. (6) eap_peap: Sending tunneled request to eduroam-inner
  2471. (6) eap_peap: EAP-Message = 0x0207001d0172683133303534406d792e62726973746f6c2e61632e756b
  2472. (6) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  2473. (6) eap_peap: User-Name = "rh13054@my.bristol.ac.uk"
  2474. (6) eap_peap: Chargeable-User-Identity = 0x00
  2475. (6) eap_peap: Location-Capable = Civix-Location
  2476. (6) eap_peap: Calling-Station-Id := "CC-20-E8-94-41-5A"
  2477. (6) eap_peap: Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2478. (6) eap_peap: NAS-Port = 13
  2479. (6) eap_peap: Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2480. (6) eap_peap: NAS-IP-Address = 172.17.107.208
  2481. (6) eap_peap: NAS-Identifier = "wism8"
  2482. (6) eap_peap: Service-Type = Framed-User
  2483. (6) eap_peap: Framed-MTU = 1300
  2484. (6) eap_peap: NAS-Port-Type = Wireless-802.11
  2485. (6) eap_peap: Tunnel-Type:0 = VLAN
  2486. (6) eap_peap: Tunnel-Medium-Type:0 = IEEE-802
  2487. (6) eap_peap: Tunnel-Private-Group-Id:0 = "448"
  2488. (6) eap_peap: Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2489. (6) Virtual server eduroam-inner received request
  2490. (6) EAP-Message = 0x0207001d0172683133303534406d792e62726973746f6c2e61632e756b
  2491. (6) FreeRADIUS-Proxied-To = 127.0.0.1
  2492. (6) User-Name = "rh13054@my.bristol.ac.uk"
  2493. (6) Chargeable-User-Identity = 0x00
  2494. (6) Location-Capable = Civix-Location
  2495. (6) Calling-Station-Id := "CC-20-E8-94-41-5A"
  2496. (6) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2497. (6) NAS-Port = 13
  2498. (6) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2499. (6) NAS-IP-Address = 172.17.107.208
  2500. (6) NAS-Identifier = "wism8"
  2501. (6) Service-Type = Framed-User
  2502. (6) Framed-MTU = 1300
  2503. (6) NAS-Port-Type = Wireless-802.11
  2504. (6) Tunnel-Type:0 = VLAN
  2505. (6) Tunnel-Medium-Type:0 = IEEE-802
  2506. (6) Tunnel-Private-Group-Id:0 = "448"
  2507. (6) Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2508. (6) server eduroam-inner {
  2509. (6) # Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner
  2510. (6) authorize {
  2511. (6) policy rewrite_calling_station_id {
  2512. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2513. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2514. (6) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2515. (6) update request {
  2516. (6) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2517. (6) --> CC-20-E8-94-41-5A
  2518. (6) &Calling-Station-Id := CC-20-E8-94-41-5A
  2519. (6) } # update request = noop
  2520. (6) [updated] = updated
  2521. (6) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2522. (6) ... skipping else for request 6: Preceding "if" was taken
  2523. (6) } # policy rewrite_calling_station_id = updated
  2524. (6) [preprocess] = ok
  2525. (6) uob_auth_log: EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
  2526. (6) uob_auth_log: --> /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2527. (6) uob_auth_log: /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2528. (6) uob_auth_log: EXPAND %t
  2529. (6) uob_auth_log: --> Thu Feb 11 14:13:13 2016
  2530. (6) [uob_auth_log] = ok
  2531. (6) suffix: Checking for suffix after "@"
  2532. (6) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2533. (6) suffix: Found realm "my.bristol.ac.uk"
  2534. (6) suffix: Adding Stripped-User-Name = "rh13054"
  2535. (6) suffix: Adding Realm = "my.bristol.ac.uk"
  2536. (6) suffix: Authentication realm is LOCAL
  2537. (6) [suffix] = ok
  2538. (6) [files-eduroam] = noop
  2539. (6) [eduroammschap] = noop
  2540. (6) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/){
  2541. (6) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) -> TRUE
  2542. (6) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) {
  2543. (6) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/){
  2544. (6) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/) -> FALSE
  2545. (6) } # if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) = updated
  2546. (6) eduroameap: Peer sent EAP Response (code 2) ID 7 length 29
  2547. (6) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  2548. (6) [eduroameap] = ok
  2549. (6) } # authorize = ok
  2550. (6) Found Auth-Type = eduroameap
  2551. (6) # Executing group from file /etc/raddb/sites-enabled/eduroam-inner
  2552. (6) Auth-Type eduroameap {
  2553. (6) eduroameap: Peer sent packet with method EAP Identity (1)
  2554. (6) eduroameap: Calling submodule eap_mschapv2 to process data
  2555. (6) eap_mschapv2: Issuing Challenge
  2556. (6) eduroameap: Sending EAP Request (code 1) ID 8 length 43
  2557. (6) eduroameap: EAP session adding &reply:State = 0x919d8f369195952f
  2558. (6) [eduroameap] = handled
  2559. (6) } # Auth-Type eduroameap = handled
  2560. (6) } # server eduroam-inner
  2561. (6) Virtual server sending reply
  2562. (6) EAP-Message = 0x0108002b1a01080026103ff6e5c357de7914777777ca314634f1667265657261646975732d332e302e3130
  2563. (6) Message-Authenticator = 0x00000000000000000000000000000000
  2564. (6) State = 0x919d8f369195952f63fe725e61e48555
  2565. (6) eap_peap: Got tunneled reply code 11
  2566. (6) eap_peap: EAP-Message = 0x0108002b1a01080026103ff6e5c357de7914777777ca314634f1667265657261646975732d332e302e3130
  2567. (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  2568. (6) eap_peap: State = 0x919d8f369195952f63fe725e61e48555
  2569. (6) eap_peap: Got tunneled reply RADIUS code 11
  2570. (6) eap_peap: EAP-Message = 0x0108002b1a01080026103ff6e5c357de7914777777ca314634f1667265657261646975732d332e302e3130
  2571. (6) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  2572. (6) eap_peap: State = 0x919d8f369195952f63fe725e61e48555
  2573. (6) eap_peap: Got tunneled Access-Challenge
  2574. (6) eduroameap: Sending EAP Request (code 1) ID 8 length 75
  2575. (6) eduroameap: EAP session adding &reply:State = 0x981efa549e16e373
  2576. (6) [eduroameap] = handled
  2577. (6) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2578. (6) EXPAND Response-Packet-Type
  2579. (6) --> Access-Challenge
  2580. (6) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2581. (6) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2582. (6) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2583. (6) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2584. (6) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2585. (6) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2586. (6) [handled] = handled
  2587. (6) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2588. (6) } # Auth-Type eduroameap = handled
  2589. (6) Using Post-Auth-Type Challenge
  2590. (6) Post-Auth-Type sub-section not found. Ignoring.
  2591. (6) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2592. (6) Sent Access-Challenge Id 123 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2593. (6) EAP-Message = 0x0108004b19001703010040ba882905412b3d92ccda457800ce66a2669d77c43c022e8c0b51c277caf9a7dde4e215fc2fc9d8926324ffe7978fa46a36238350a0e51ca9f919a0db781364f8
  2594. (6) Message-Authenticator = 0x00000000000000000000000000000000
  2595. (6) State = 0x981efa549e16e373e1f53dd3e32d7728
  2596. (6) Finished request
  2597. Waking up in 4.8 seconds.
  2598. (7) Received Access-Request Id 124 from 172.17.107.208:32770 to 137.222.8.128:16006 length 410
  2599. (7) User-Name = "rh13054@my.bristol.ac.uk"
  2600. (7) Chargeable-User-Identity = 0x00
  2601. (7) Location-Capable = Civix-Location
  2602. (7) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2603. (7) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2604. (7) NAS-Port = 13
  2605. (7) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2606. (7) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2607. (7) NAS-IP-Address = 172.17.107.208
  2608. (7) NAS-Identifier = "wism8"
  2609. (7) Airespace-Wlan-Id = 1
  2610. (7) Service-Type = Framed-User
  2611. (7) Framed-MTU = 1300
  2612. (7) NAS-Port-Type = Wireless-802.11
  2613. (7) Tunnel-Type:0 = VLAN
  2614. (7) Tunnel-Medium-Type:0 = IEEE-802
  2615. (7) Tunnel-Private-Group-Id:0 = "448"
  2616. (7) EAP-Message = 0x0208007b190017030100704e4be0a34824500b96c26bb60b675383c8ba8b98794f451453751318a31172dda0900a844b61e7dcfecd5c4c4751f743789902077d2ab31ea0ca9dfb693fb95e0332fdae4831729cb8d4dd63ea8000299fc654b3b10687c0ddbadab3b5e6a3af7eca094c5752ac1060dc0c0b
  2617. (7) State = 0x981efa549e16e373e1f53dd3e32d7728
  2618. (7) Message-Authenticator = 0xe98f5b5301e0c21c17162d2a96f0aaff
  2619. (7) session-state: No cached attributes
  2620. (7) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2621. (7) authorize {
  2622. (7) policy rewrite_calling_station_id {
  2623. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2624. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2625. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2626. (7) update request {
  2627. (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2628. (7) --> CC-20-E8-94-41-5A
  2629. (7) &Calling-Station-Id := CC-20-E8-94-41-5A
  2630. (7) } # update request = noop
  2631. (7) [updated] = updated
  2632. (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2633. (7) ... skipping else for request 7: Preceding "if" was taken
  2634. (7) } # policy rewrite_calling_station_id = updated
  2635. (7) policy wism-checks {
  2636. (7) if (Service-Type == "NAS-Prompt-User") {
  2637. (7) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2638. (7) } # policy wism-checks = updated
  2639. (7) [preprocess] = ok
  2640. (7) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2641. (7) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2642. (7) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2643. (7) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2644. (7) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2645. (7) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2646. (7) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2647. (7) suffix: Checking for suffix after "@"
  2648. (7) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2649. (7) suffix: Found realm "my.bristol.ac.uk"
  2650. (7) suffix: Adding Stripped-User-Name = "rh13054"
  2651. (7) suffix: Adding Realm = "my.bristol.ac.uk"
  2652. (7) suffix: Authentication realm is LOCAL
  2653. (7) [suffix] = ok
  2654. (7) update request {
  2655. (7) Realm := "my.bristol.ac.uk"
  2656. (7) } # update request = noop
  2657. (7) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2658. (7) ... skipping elsif for request 7: Preceding "if" was taken
  2659. (7) ... skipping else for request 7: Preceding "if" was taken
  2660. (7) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2661. (7) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2662. (7) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2663. (7) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2664. (7) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2665. (7) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2666. (7) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2667. (7) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2668. (7) else {
  2669. (7) eduroameap: Peer sent EAP Response (code 2) ID 8 length 123
  2670. (7) eduroameap: Continuing tunnel setup
  2671. (7) [eduroameap] = ok
  2672. (7) } # else = ok
  2673. (7) } # authorize = updated
  2674. (7) Found Auth-Type = eduroameap
  2675. (7) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2676. (7) Auth-Type eduroameap {
  2677. (7) eduroameap: Expiring EAP session with state 0x919d8f369195952f
  2678. (7) eduroameap: Finished EAP session with state 0x981efa549e16e373
  2679. (7) eduroameap: Previous EAP request found for state 0x981efa549e16e373, released from the list
  2680. (7) eduroameap: Peer sent packet with method EAP PEAP (25)
  2681. (7) eduroameap: Calling submodule eap_peap to process data
  2682. (7) eap_peap: Continuing EAP-TLS
  2683. (7) eap_peap: [eaptls verify] = ok
  2684. (7) eap_peap: Done initial handshake
  2685. (7) eap_peap: [eaptls process] = ok
  2686. (7) eap_peap: Session established. Decoding tunneled attributes
  2687. (7) eap_peap: PEAP state phase2
  2688. (7) eap_peap: EAP method MSCHAPv2 (26)
  2689. (7) eap_peap: Got tunneled request
  2690. (7) eap_peap: EAP-Message = 0x020800531a0208004e31c7cbbb991ce348f1ff1866ef40bea17e00000000000000009ea229ea1709d1b8a5d828c7555340f6d22d6a5896e282520072683133303534406d792e62726973746f6c2e61632e756b
  2691. (7) eap_peap: Setting User-Name to rh13054@my.bristol.ac.uk
  2692. (7) eap_peap: Sending tunneled request to eduroam-inner
  2693. (7) eap_peap: EAP-Message = 0x020800531a0208004e31c7cbbb991ce348f1ff1866ef40bea17e00000000000000009ea229ea1709d1b8a5d828c7555340f6d22d6a5896e282520072683133303534406d792e62726973746f6c2e61632e756b
  2694. (7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  2695. (7) eap_peap: User-Name = "rh13054@my.bristol.ac.uk"
  2696. (7) eap_peap: State = 0x919d8f369195952f63fe725e61e48555
  2697. (7) eap_peap: Chargeable-User-Identity = 0x00
  2698. (7) eap_peap: Location-Capable = Civix-Location
  2699. (7) eap_peap: Calling-Station-Id := "CC-20-E8-94-41-5A"
  2700. (7) eap_peap: Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2701. (7) eap_peap: NAS-Port = 13
  2702. (7) eap_peap: Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2703. (7) eap_peap: NAS-IP-Address = 172.17.107.208
  2704. (7) eap_peap: NAS-Identifier = "wism8"
  2705. (7) eap_peap: Service-Type = Framed-User
  2706. (7) eap_peap: Framed-MTU = 1300
  2707. (7) eap_peap: NAS-Port-Type = Wireless-802.11
  2708. (7) eap_peap: Tunnel-Type:0 = VLAN
  2709. (7) eap_peap: Tunnel-Medium-Type:0 = IEEE-802
  2710. (7) eap_peap: Tunnel-Private-Group-Id:0 = "448"
  2711. (7) eap_peap: Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2712. (7) Virtual server eduroam-inner received request
  2713. (7) EAP-Message = 0x020800531a0208004e31c7cbbb991ce348f1ff1866ef40bea17e00000000000000009ea229ea1709d1b8a5d828c7555340f6d22d6a5896e282520072683133303534406d792e62726973746f6c2e61632e756b
  2714. (7) FreeRADIUS-Proxied-To = 127.0.0.1
  2715. (7) User-Name = "rh13054@my.bristol.ac.uk"
  2716. (7) State = 0x919d8f369195952f63fe725e61e48555
  2717. (7) Chargeable-User-Identity = 0x00
  2718. (7) Location-Capable = Civix-Location
  2719. (7) Calling-Station-Id := "CC-20-E8-94-41-5A"
  2720. (7) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2721. (7) NAS-Port = 13
  2722. (7) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2723. (7) NAS-IP-Address = 172.17.107.208
  2724. (7) NAS-Identifier = "wism8"
  2725. (7) Service-Type = Framed-User
  2726. (7) Framed-MTU = 1300
  2727. (7) NAS-Port-Type = Wireless-802.11
  2728. (7) Tunnel-Type:0 = VLAN
  2729. (7) Tunnel-Medium-Type:0 = IEEE-802
  2730. (7) Tunnel-Private-Group-Id:0 = "448"
  2731. (7) Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2732. (7) server eduroam-inner {
  2733. (7) session-state: No cached attributes
  2734. (7) # Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner
  2735. (7) authorize {
  2736. (7) policy rewrite_calling_station_id {
  2737. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2738. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2739. (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2740. (7) update request {
  2741. (7) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2742. (7) --> CC-20-E8-94-41-5A
  2743. (7) &Calling-Station-Id := CC-20-E8-94-41-5A
  2744. (7) } # update request = noop
  2745. (7) [updated] = updated
  2746. (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2747. (7) ... skipping else for request 7: Preceding "if" was taken
  2748. (7) } # policy rewrite_calling_station_id = updated
  2749. (7) [preprocess] = ok
  2750. (7) uob_auth_log: EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
  2751. (7) uob_auth_log: --> /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2752. (7) uob_auth_log: /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2753. (7) uob_auth_log: EXPAND %t
  2754. (7) uob_auth_log: --> Thu Feb 11 14:13:13 2016
  2755. (7) [uob_auth_log] = ok
  2756. (7) suffix: Checking for suffix after "@"
  2757. (7) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2758. (7) suffix: Found realm "my.bristol.ac.uk"
  2759. (7) suffix: Adding Stripped-User-Name = "rh13054"
  2760. (7) suffix: Adding Realm = "my.bristol.ac.uk"
  2761. (7) suffix: Authentication realm is LOCAL
  2762. (7) [suffix] = ok
  2763. (7) [files-eduroam] = noop
  2764. (7) [eduroammschap] = noop
  2765. (7) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/){
  2766. (7) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) -> TRUE
  2767. (7) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) {
  2768. (7) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/){
  2769. (7) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/) -> FALSE
  2770. (7) } # if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) = updated
  2771. (7) eduroameap: Peer sent EAP Response (code 2) ID 8 length 83
  2772. (7) eduroameap: No EAP Start, assuming it's an on-going EAP conversation
  2773. (7) [eduroameap] = updated
  2774. (7) } # authorize = updated
  2775. (7) Found Auth-Type = eduroameap
  2776. (7) # Executing group from file /etc/raddb/sites-enabled/eduroam-inner
  2777. (7) Auth-Type eduroameap {
  2778. (7) eduroameap: Expiring EAP session with state 0x919d8f369195952f
  2779. (7) eduroameap: Finished EAP session with state 0x919d8f369195952f
  2780. (7) eduroameap: Previous EAP request found for state 0x919d8f369195952f, released from the list
  2781. (7) eduroameap: Peer sent packet with method EAP MSCHAPv2 (26)
  2782. (7) eduroameap: Calling submodule eap_mschapv2 to process data
  2783. (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/eduroam-inner
  2784. (7) eap_mschapv2: Auth-Type MS-CHAP {
  2785. (7) eduroammschap: Creating challenge hash with username: rh13054@my.bristol.ac.uk
  2786. (7) eduroammschap: Client is using MS-CHAPv2
  2787. (7) eduroammschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} :
  2788. (7) eduroammschap: EXPAND --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}}
  2789. (7) eduroammschap: --> --username=rh13054
  2790. (7) eduroammschap: Creating challenge hash with username: rh13054@my.bristol.ac.uk
  2791. (7) eduroammschap: EXPAND --challenge=%{eduroammschap:Challenge}
  2792. (7) eduroammschap: --> --challenge=14803cbc058dde66
  2793. (7) eduroammschap: EXPAND --nt-response=%{eduroammschap:NT-Response}
  2794. (7) eduroammschap: --> --nt-response=9ea229ea1709d1b8a5d828c7555340f6d22d6a5896e28252
  2795. (7) eduroammschap: Program returned code (0) and output 'NT_KEY: 252E89FC8DE92B6AE425EDECD096F0AD'
  2796. (7) eduroammschap: Adding MS-CHAPv2 MPPE keys
  2797. (7) [eduroammschap] = ok
  2798. (7) if (reject) {
  2799. (7) if (reject) -> FALSE
  2800. (7) } # Auth-Type MS-CHAP = ok
  2801. (7) MSCHAP Success
  2802. (7) eduroameap: Sending EAP Request (code 1) ID 9 length 51
  2803. (7) eduroameap: EAP session adding &reply:State = 0x919d8f369094952f
  2804. (7) [eduroameap] = handled
  2805. (7) } # Auth-Type eduroameap = handled
  2806. (7) } # server eduroam-inner
  2807. (7) Virtual server sending reply
  2808. (7) EAP-Message = 0x010900331a0308002e533d44344142343543313042303538324336433436324532444242393636353136424545344246464137
  2809. (7) Message-Authenticator = 0x00000000000000000000000000000000
  2810. (7) State = 0x919d8f369094952f63fe725e61e48555
  2811. (7) eap_peap: Got tunneled reply code 11
  2812. (7) eap_peap: EAP-Message = 0x010900331a0308002e533d44344142343543313042303538324336433436324532444242393636353136424545344246464137
  2813. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  2814. (7) eap_peap: State = 0x919d8f369094952f63fe725e61e48555
  2815. (7) eap_peap: Got tunneled reply RADIUS code 11
  2816. (7) eap_peap: EAP-Message = 0x010900331a0308002e533d44344142343543313042303538324336433436324532444242393636353136424545344246464137
  2817. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  2818. (7) eap_peap: State = 0x919d8f369094952f63fe725e61e48555
  2819. (7) eap_peap: Got tunneled Access-Challenge
  2820. (7) eduroameap: Sending EAP Request (code 1) ID 9 length 91
  2821. (7) eduroameap: EAP session adding &reply:State = 0x981efa549f17e373
  2822. (7) [eduroameap] = handled
  2823. (7) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2824. (7) EXPAND Response-Packet-Type
  2825. (7) --> Access-Challenge
  2826. (7) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  2827. (7) if (handled && (Response-Packet-Type == Access-Challenge)) {
  2828. (7) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  2829. (7) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  2830. (7) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  2831. (7) [filter.eduroamlocal-a_challenge.post-auth] = updated
  2832. (7) [handled] = handled
  2833. (7) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  2834. (7) } # Auth-Type eduroameap = handled
  2835. (7) Using Post-Auth-Type Challenge
  2836. (7) Post-Auth-Type sub-section not found. Ignoring.
  2837. (7) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2838. (7) Sent Access-Challenge Id 124 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  2839. (7) EAP-Message = 0x0109005b19001703010050144e8cce642b12a0d27a5884f1d6d58cfb21ab1c255ba9f846888593d8dcc354a20e911f3e365cf415aae07f34ff8f452f62f1749bcfdef3d9ec341fa4b8a12e8c8ee6e047e716b8ca8519ba802c4be5
  2840. (7) Message-Authenticator = 0x00000000000000000000000000000000
  2841. (7) State = 0x981efa549f17e373e1f53dd3e32d7728
  2842. (7) Finished request
  2843. Waking up in 4.7 seconds.
  2844. (8) Received Access-Request Id 125 from 172.17.107.208:32770 to 137.222.8.128:16006 length 330
  2845. (8) User-Name = "rh13054@my.bristol.ac.uk"
  2846. (8) Chargeable-User-Identity = 0x00
  2847. (8) Location-Capable = Civix-Location
  2848. (8) Calling-Station-Id = "cc:20:e8:94:41:5a"
  2849. (8) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2850. (8) NAS-Port = 13
  2851. (8) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  2852. (8) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2853. (8) NAS-IP-Address = 172.17.107.208
  2854. (8) NAS-Identifier = "wism8"
  2855. (8) Airespace-Wlan-Id = 1
  2856. (8) Service-Type = Framed-User
  2857. (8) Framed-MTU = 1300
  2858. (8) NAS-Port-Type = Wireless-802.11
  2859. (8) Tunnel-Type:0 = VLAN
  2860. (8) Tunnel-Medium-Type:0 = IEEE-802
  2861. (8) Tunnel-Private-Group-Id:0 = "448"
  2862. (8) EAP-Message = 0x0209002b19001703010020e1dbd0fd5d8179f5e1c3679ab3448cd3a755787a38727b83ef72a23a9dca761a
  2863. (8) State = 0x981efa549f17e373e1f53dd3e32d7728
  2864. (8) Message-Authenticator = 0x04ed0520a1e86e807fe67ae52136ca65
  2865. (8) session-state: No cached attributes
  2866. (8) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2867. (8) authorize {
  2868. (8) policy rewrite_calling_station_id {
  2869. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2870. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2871. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2872. (8) update request {
  2873. (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2874. (8) --> CC-20-E8-94-41-5A
  2875. (8) &Calling-Station-Id := CC-20-E8-94-41-5A
  2876. (8) } # update request = noop
  2877. (8) [updated] = updated
  2878. (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2879. (8) ... skipping else for request 8: Preceding "if" was taken
  2880. (8) } # policy rewrite_calling_station_id = updated
  2881. (8) policy wism-checks {
  2882. (8) if (Service-Type == "NAS-Prompt-User") {
  2883. (8) if (Service-Type == "NAS-Prompt-User") -> FALSE
  2884. (8) } # policy wism-checks = updated
  2885. (8) [preprocess] = ok
  2886. (8) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  2887. (8) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  2888. (8) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  2889. (8) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  2890. (8) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2891. (8) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  2892. (8) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  2893. (8) suffix: Checking for suffix after "@"
  2894. (8) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  2895. (8) suffix: Found realm "my.bristol.ac.uk"
  2896. (8) suffix: Adding Stripped-User-Name = "rh13054"
  2897. (8) suffix: Adding Realm = "my.bristol.ac.uk"
  2898. (8) suffix: Authentication realm is LOCAL
  2899. (8) [suffix] = ok
  2900. (8) update request {
  2901. (8) Realm := "my.bristol.ac.uk"
  2902. (8) } # update request = noop
  2903. (8) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  2904. (8) ... skipping elsif for request 8: Preceding "if" was taken
  2905. (8) ... skipping else for request 8: Preceding "if" was taken
  2906. (8) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  2907. (8) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2908. (8) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  2909. (8) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2910. (8) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  2911. (8) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  2912. (8) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  2913. (8) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  2914. (8) else {
  2915. (8) eduroameap: Peer sent EAP Response (code 2) ID 9 length 43
  2916. (8) eduroameap: Continuing tunnel setup
  2917. (8) [eduroameap] = ok
  2918. (8) } # else = ok
  2919. (8) } # authorize = updated
  2920. (8) Found Auth-Type = eduroameap
  2921. (8) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  2922. (8) Auth-Type eduroameap {
  2923. (8) eduroameap: Expiring EAP session with state 0x919d8f369094952f
  2924. (8) eduroameap: Finished EAP session with state 0x981efa549f17e373
  2925. (8) eduroameap: Previous EAP request found for state 0x981efa549f17e373, released from the list
  2926. (8) eduroameap: Peer sent packet with method EAP PEAP (25)
  2927. (8) eduroameap: Calling submodule eap_peap to process data
  2928. (8) eap_peap: Continuing EAP-TLS
  2929. (8) eap_peap: [eaptls verify] = ok
  2930. (8) eap_peap: Done initial handshake
  2931. (8) eap_peap: [eaptls process] = ok
  2932. (8) eap_peap: Session established. Decoding tunneled attributes
  2933. (8) eap_peap: PEAP state phase2
  2934. (8) eap_peap: EAP method MSCHAPv2 (26)
  2935. (8) eap_peap: Got tunneled request
  2936. (8) eap_peap: EAP-Message = 0x020900061a03
  2937. (8) eap_peap: Setting User-Name to rh13054@my.bristol.ac.uk
  2938. (8) eap_peap: Sending tunneled request to eduroam-inner
  2939. (8) eap_peap: EAP-Message = 0x020900061a03
  2940. (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  2941. (8) eap_peap: User-Name = "rh13054@my.bristol.ac.uk"
  2942. (8) eap_peap: State = 0x919d8f369094952f63fe725e61e48555
  2943. (8) eap_peap: Chargeable-User-Identity = 0x00
  2944. (8) eap_peap: Location-Capable = Civix-Location
  2945. (8) eap_peap: Calling-Station-Id := "CC-20-E8-94-41-5A"
  2946. (8) eap_peap: Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2947. (8) eap_peap: NAS-Port = 13
  2948. (8) eap_peap: Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2949. (8) eap_peap: NAS-IP-Address = 172.17.107.208
  2950. (8) eap_peap: NAS-Identifier = "wism8"
  2951. (8) eap_peap: Service-Type = Framed-User
  2952. (8) eap_peap: Framed-MTU = 1300
  2953. (8) eap_peap: NAS-Port-Type = Wireless-802.11
  2954. (8) eap_peap: Tunnel-Type:0 = VLAN
  2955. (8) eap_peap: Tunnel-Medium-Type:0 = IEEE-802
  2956. (8) eap_peap: Tunnel-Private-Group-Id:0 = "448"
  2957. (8) eap_peap: Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2958. (8) Virtual server eduroam-inner received request
  2959. (8) EAP-Message = 0x020900061a03
  2960. (8) FreeRADIUS-Proxied-To = 127.0.0.1
  2961. (8) User-Name = "rh13054@my.bristol.ac.uk"
  2962. (8) State = 0x919d8f369094952f63fe725e61e48555
  2963. (8) Chargeable-User-Identity = 0x00
  2964. (8) Location-Capable = Civix-Location
  2965. (8) Calling-Station-Id := "CC-20-E8-94-41-5A"
  2966. (8) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  2967. (8) NAS-Port = 13
  2968. (8) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  2969. (8) NAS-IP-Address = 172.17.107.208
  2970. (8) NAS-Identifier = "wism8"
  2971. (8) Service-Type = Framed-User
  2972. (8) Framed-MTU = 1300
  2973. (8) NAS-Port-Type = Wireless-802.11
  2974. (8) Tunnel-Type:0 = VLAN
  2975. (8) Tunnel-Medium-Type:0 = IEEE-802
  2976. (8) Tunnel-Private-Group-Id:0 = "448"
  2977. (8) Event-Timestamp = "Feb 11 2016 14:13:13 UTC"
  2978. (8) server eduroam-inner {
  2979. (8) session-state: No cached attributes
  2980. (8) # Executing section authorize from file /etc/raddb/sites-enabled/eduroam-inner
  2981. (8) authorize {
  2982. (8) policy rewrite_calling_station_id {
  2983. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2984. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  2985. (8) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  2986. (8) update request {
  2987. (8) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  2988. (8) --> CC-20-E8-94-41-5A
  2989. (8) &Calling-Station-Id := CC-20-E8-94-41-5A
  2990. (8) } # update request = noop
  2991. (8) [updated] = updated
  2992. (8) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  2993. (8) ... skipping else for request 8: Preceding "if" was taken
  2994. (8) } # policy rewrite_calling_station_id = updated
  2995. (8) [preprocess] = ok
  2996. (8) uob_auth_log: EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
  2997. (8) uob_auth_log: --> /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2998. (8) uob_auth_log: /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log expands to /var/log/radius/radacct/eduroam-inner/auth-detail.log
  2999. (8) uob_auth_log: EXPAND %t
  3000. (8) uob_auth_log: --> Thu Feb 11 14:13:13 2016
  3001. (8) [uob_auth_log] = ok
  3002. (8) suffix: Checking for suffix after "@"
  3003. (8) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  3004. (8) suffix: Found realm "my.bristol.ac.uk"
  3005. (8) suffix: Adding Stripped-User-Name = "rh13054"
  3006. (8) suffix: Adding Realm = "my.bristol.ac.uk"
  3007. (8) suffix: Authentication realm is LOCAL
  3008. (8) [suffix] = ok
  3009. (8) [files-eduroam] = noop
  3010. (8) [eduroammschap] = noop
  3011. (8) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/){
  3012. (8) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) -> TRUE
  3013. (8) if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) {
  3014. (8) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/){
  3015. (8) if (User-Name !~ /^((UOB|uob)\\\\\\\\?)?[[:lower:]]{2}[[:lower:][:digit:]-]{2,16}(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)?\\$?$/) -> FALSE
  3016. (8) } # if (User-Name !~ /^iser-linauth(@bris\\.ac\\.uk|@bristol\\.ac\\.uk)?$/) = updated
  3017. (8) eduroameap: Peer sent EAP Response (code 2) ID 9 length 6
  3018. (8) eduroameap: No EAP Start, assuming it's an on-going EAP conversation
  3019. (8) [eduroameap] = updated
  3020. (8) } # authorize = updated
  3021. (8) Found Auth-Type = eduroameap
  3022. (8) # Executing group from file /etc/raddb/sites-enabled/eduroam-inner
  3023. (8) Auth-Type eduroameap {
  3024. (8) eduroameap: Expiring EAP session with state 0x919d8f369094952f
  3025. (8) eduroameap: Finished EAP session with state 0x919d8f369094952f
  3026. (8) eduroameap: Previous EAP request found for state 0x919d8f369094952f, released from the list
  3027. (8) eduroameap: Peer sent packet with method EAP MSCHAPv2 (26)
  3028. (8) eduroameap: Calling submodule eap_mschapv2 to process data
  3029. (8) eduroameap: Sending EAP Success (code 3) ID 9 length 4
  3030. (8) eduroameap: Freeing handler
  3031. (8) [eduroameap] = ok
  3032. (8) } # Auth-Type eduroameap = ok
  3033. (8) # Executing section post-auth from file /etc/raddb/sites-enabled/eduroam-inner
  3034. (8) post-auth {
  3035. (8) uob_reply_log: EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log
  3036. (8) uob_reply_log: --> /var/log/radius/radacct/eduroam-inner/reply-detail.log
  3037. (8) uob_reply_log: /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log expands to /var/log/radius/radacct/eduroam-inner/reply-detail.log
  3038. (8) uob_reply_log: EXPAND %t
  3039. (8) uob_reply_log: --> Thu Feb 11 14:13:13 2016
  3040. (8) [uob_reply_log] = ok
  3041. (8) logtofile: EXPAND logtofile.%{%{reply:Packet-Type}:-format}
  3042. (8) logtofile: --> logtofile.Access-Accept
  3043. (8) logtofile: EXPAND /var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log
  3044. (8) logtofile: --> /var/log/radius/radiusd-eduroam-inner.log
  3045. (8) logtofile: EXPAND %t : Login OK: [%{User-Name}] (from client %{Client-Shortname} op %{%{Operator-Name}:-NULL} cli %{Calling-Station-Id} port %{Packet-Dst-Port})
  3046. (8) logtofile: --> Thu Feb 11 14:13:13 2016 : Login OK: [rh13054@my.bristol.ac.uk] (from client WISM8 op NULL cli CC-20-E8-94-41-5A port 0)
  3047. (8) [logtofile] = ok
  3048. (8) logtosyslog: EXPAND logtosyslog.%{%{reply:Packet-Type}:-format}
  3049. (8) logtosyslog: --> logtosyslog.Access-Accept
  3050. (8) logtosyslog: EXPAND %{Virtual-Server}: Login OK: [%{User-Name}] (from client %S cli %{Calling-Station-Id})
  3051. (8) logtosyslog: --> eduroam-inner: Login OK: [rh13054@my.bristol.ac.uk] (from client 2016-02-11 14:13:13 cli CC-20-E8-94-41-5A)
  3052. (8) [logtosyslog] = ok
  3053. (8) if (User-Name =~ /\\\\\\\\?([^\\\\]+)$/i) {
  3054. (8) if (User-Name =~ /\\\\\\\\?([^\\\\]+)$/i) -> FALSE
  3055. (8) else {
  3056. (8) if (User-Name =~ /^([[:alnum:]-]+)(@bris|@my\\.bris)?/){
  3057. (8) if (User-Name =~ /^([[:alnum:]-]+)(@bris|@my\\.bris)?/) -> TRUE
  3058. (8) if (User-Name =~ /^([[:alnum:]-]+)(@bris|@my\\.bris)?/) {
  3059. (8) update reply {
  3060. (8) EXPAND %{1}@bristol.ac.uk
  3061. (8) --> rh13054@bristol.ac.uk
  3062. (8) User-Name := rh13054@bristol.ac.uk
  3063. (8) } # update reply = noop
  3064. (8) } # if (User-Name =~ /^([[:alnum:]-]+)(@bris|@my\\.bris)?/) = noop
  3065. (8) } # else = noop
  3066. (8) } # post-auth = ok
  3067. (8) } # server eduroam-inner
  3068. (8) Virtual server sending reply
  3069. (8) MS-MPPE-Encryption-Policy = Encryption-Allowed
  3070. (8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  3071. (8) MS-MPPE-Send-Key = 0x2e350d2d8dc43f08fa9621b5165b85d3
  3072. (8) MS-MPPE-Recv-Key = 0xaefb4ff611584aca7f1f34810296b266
  3073. (8) EAP-Message = 0x03090004
  3074. (8) Message-Authenticator = 0x00000000000000000000000000000000
  3075. (8) Stripped-User-Name = "rh13054"
  3076. (8) User-Name := "rh13054@bristol.ac.uk"
  3077. (8) eap_peap: Got tunneled reply code 2
  3078. (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
  3079. (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  3080. (8) eap_peap: MS-MPPE-Send-Key = 0x2e350d2d8dc43f08fa9621b5165b85d3
  3081. (8) eap_peap: MS-MPPE-Recv-Key = 0xaefb4ff611584aca7f1f34810296b266
  3082. (8) eap_peap: EAP-Message = 0x03090004
  3083. (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  3084. (8) eap_peap: Stripped-User-Name = "rh13054"
  3085. (8) eap_peap: User-Name := "rh13054@bristol.ac.uk"
  3086. (8) eap_peap: Got tunneled reply RADIUS code 2
  3087. (8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
  3088. (8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
  3089. (8) eap_peap: MS-MPPE-Send-Key = 0x2e350d2d8dc43f08fa9621b5165b85d3
  3090. (8) eap_peap: MS-MPPE-Recv-Key = 0xaefb4ff611584aca7f1f34810296b266
  3091. (8) eap_peap: EAP-Message = 0x03090004
  3092. (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  3093. (8) eap_peap: Stripped-User-Name = "rh13054"
  3094. (8) eap_peap: User-Name := "rh13054@bristol.ac.uk"
  3095. (8) eap_peap: Tunneled authentication was successful
  3096. (8) eap_peap: SUCCESS
  3097. (8) eap_peap: Saving tunneled attributes for later
  3098. (8) eduroameap: Sending EAP Request (code 1) ID 10 length 43
  3099. (8) eduroameap: EAP session adding &reply:State = 0x981efa549014e373
  3100. (8) [eduroameap] = handled
  3101. (8) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3102. (8) EXPAND Response-Packet-Type
  3103. (8) --> Access-Challenge
  3104. (8) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3105. (8) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3106. (8) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3107. (8) filter.eduroamlocal-a_challenge: --> rh13054@my.bristol.ac.uk
  3108. (8) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3109. (8) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3110. (8) [handled] = handled
  3111. (8) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3112. (8) } # Auth-Type eduroameap = handled
  3113. (8) Using Post-Auth-Type Challenge
  3114. (8) Post-Auth-Type sub-section not found. Ignoring.
  3115. (8) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3116. (8) Sent Access-Challenge Id 125 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3117. (8) EAP-Message = 0x010a002b19001703010020644bcee70a2e15c09f90c8989a2bb3c7377e7befd677f508e7af102a4c7e17cd
  3118. (8) Message-Authenticator = 0x00000000000000000000000000000000
  3119. (8) State = 0x981efa549014e373e1f53dd3e32d7728
  3120. (8) Finished request
  3121. Waking up in 4.7 seconds.
  3122. (9) Received Access-Request Id 126 from 172.17.107.208:32770 to 137.222.8.128:16006 length 330
  3123. (9) User-Name = "rh13054@my.bristol.ac.uk"
  3124. (9) Chargeable-User-Identity = 0x00
  3125. (9) Location-Capable = Civix-Location
  3126. (9) Calling-Station-Id = "cc:20:e8:94:41:5a"
  3127. (9) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3128. (9) NAS-Port = 13
  3129. (9) Cisco-AVPair = "audit-session-id=ac116bd00000245356bc96f8"
  3130. (9) Acct-Session-Id = "56bc96f8/cc:20:e8:94:41:5a/8989"
  3131. (9) NAS-IP-Address = 172.17.107.208
  3132. (9) NAS-Identifier = "wism8"
  3133. (9) Airespace-Wlan-Id = 1
  3134. (9) Service-Type = Framed-User
  3135. (9) Framed-MTU = 1300
  3136. (9) NAS-Port-Type = Wireless-802.11
  3137. (9) Tunnel-Type:0 = VLAN
  3138. (9) Tunnel-Medium-Type:0 = IEEE-802
  3139. (9) Tunnel-Private-Group-Id:0 = "448"
  3140. (9) EAP-Message = 0x020a002b190017030100206e9ba3848482639810407033735d6b25a9dd35a13bce020e7e8daf9060b68c0a
  3141. (9) State = 0x981efa549014e373e1f53dd3e32d7728
  3142. (9) Message-Authenticator = 0x60ddafc5864bc9eb197d537a200cb56a
  3143. (9) session-state: No cached attributes
  3144. (9) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3145. (9) authorize {
  3146. (9) policy rewrite_calling_station_id {
  3147. (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3148. (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3149. (9) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3150. (9) update request {
  3151. (9) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3152. (9) --> CC-20-E8-94-41-5A
  3153. (9) &Calling-Station-Id := CC-20-E8-94-41-5A
  3154. (9) } # update request = noop
  3155. (9) [updated] = updated
  3156. (9) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3157. (9) ... skipping else for request 9: Preceding "if" was taken
  3158. (9) } # policy rewrite_calling_station_id = updated
  3159. (9) policy wism-checks {
  3160. (9) if (Service-Type == "NAS-Prompt-User") {
  3161. (9) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3162. (9) } # policy wism-checks = updated
  3163. (9) [preprocess] = ok
  3164. (9) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3165. (9) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3166. (9) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3167. (9) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3168. (9) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3169. (9) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3170. (9) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3171. (9) suffix: Checking for suffix after "@"
  3172. (9) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rh13054@my.bristol.ac.uk"
  3173. (9) suffix: Found realm "my.bristol.ac.uk"
  3174. (9) suffix: Adding Stripped-User-Name = "rh13054"
  3175. (9) suffix: Adding Realm = "my.bristol.ac.uk"
  3176. (9) suffix: Authentication realm is LOCAL
  3177. (9) [suffix] = ok
  3178. (9) update request {
  3179. (9) Realm := "my.bristol.ac.uk"
  3180. (9) } # update request = noop
  3181. (9) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3182. (9) ... skipping elsif for request 9: Preceding "if" was taken
  3183. (9) ... skipping else for request 9: Preceding "if" was taken
  3184. (9) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3185. (9) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3186. (9) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3187. (9) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3188. (9) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3189. (9) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3190. (9) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3191. (9) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3192. (9) else {
  3193. (9) eduroameap: Peer sent EAP Response (code 2) ID 10 length 43
  3194. (9) eduroameap: Continuing tunnel setup
  3195. (9) [eduroameap] = ok
  3196. (9) } # else = ok
  3197. (9) } # authorize = updated
  3198. (9) Found Auth-Type = eduroameap
  3199. (9) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3200. (9) Auth-Type eduroameap {
  3201. (9) eduroameap: Expiring EAP session with state 0x981efa549014e373
  3202. (9) eduroameap: Finished EAP session with state 0x981efa549014e373
  3203. (9) eduroameap: Previous EAP request found for state 0x981efa549014e373, released from the list
  3204. (9) eduroameap: Peer sent packet with method EAP PEAP (25)
  3205. (9) eduroameap: Calling submodule eap_peap to process data
  3206. (9) eap_peap: Continuing EAP-TLS
  3207. (9) eap_peap: [eaptls verify] = ok
  3208. (9) eap_peap: Done initial handshake
  3209. (9) eap_peap: [eaptls process] = ok
  3210. (9) eap_peap: Session established. Decoding tunneled attributes
  3211. (9) eap_peap: PEAP state send tlv success
  3212. (9) eap_peap: Received EAP-TLV response
  3213. (9) eap_peap: Success
  3214. (9) eap_peap: Using saved attributes from the original Access-Accept
  3215. (9) eap_peap: Stripped-User-Name = "rh13054"
  3216. (9) eap_peap: User-Name := "rh13054@bristol.ac.uk"
  3217. (9) eduroameap: Sending EAP Success (code 3) ID 10 length 4
  3218. (9) eduroameap: Freeing handler
  3219. (9) [eduroameap] = ok
  3220. (9) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3221. (9) if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
  3222. (9) if (invalid) {
  3223. (9) if (invalid) -> FALSE
  3224. (9) if (fail) {
  3225. (9) if (fail) -> FALSE
  3226. (9) } # Auth-Type eduroameap = ok
  3227. (9) # Executing section post-auth from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3228. (9) post-auth {
  3229. (9) policy split_username_nai {
  3230. (9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+.[-[:alnum:].]+))?$/)) {
  3231. (9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+.[-[:alnum:].]+))?$/)) -> TRUE
  3232. (9) if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+.[-[:alnum:].]+))?$/)) {
  3233. (9) update request {
  3234. (9) EXPAND %{1}
  3235. (9) --> rh13054
  3236. (9) &Stripped-User-Name := rh13054
  3237. (9) EXPAND %{3}
  3238. (9) --> my.bristol.ac.uk
  3239. (9) &Stripped-User-Domain = my.bristol.ac.uk
  3240. (9) } # update request = noop
  3241. (9) [updated] = updated
  3242. (9) } # if (&User-Name && (&User-Name =~ /^([^@]*)(@([-[:alnum:]]+.[-[:alnum:].]+))?$/)) = updated
  3243. (9) ... skipping else for request 9: Preceding "if" was taken
  3244. (9) } # policy split_username_nai = updated
  3245. (9) update reply {
  3246. (9) EXPAND %{expr:(26 - %H) * 3600}
  3247. (9) --> 43200
  3248. (9) Session-Timeout := 43200
  3249. (9) Termination-Action := RADIUS-Request
  3250. (9) Tunnel-Type := VLAN
  3251. (9) Tunnel-Medium-Type := IEEE-802
  3252. (9) Tunnel-Private-Group-Id := "448"
  3253. (9) } # update reply = noop
  3254. (9) if (User-Name =~ /^host\/[a-z0-9\-]+\.[a-z]+\.bris.ac.uk$/) {
  3255. (9) if (User-Name =~ /^host\/[a-z0-9\-]+\.[a-z]+\.bris.ac.uk$/) -> FALSE
  3256. (9) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3257. (9) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3258. (9) elsif (User-Name =~ /(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)$/) {
  3259. (9) elsif (User-Name =~ /(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)$/) -> TRUE
  3260. (9) elsif (User-Name =~ /(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)$/) {
  3261. (9) if (reply:User-Name =~ /(^[[:alpha:]]+[[:digit:]]+v@|^[[:alnum:]]+-[[:alnum:]]+@)/) {
  3262. (9) if (reply:User-Name =~ /(^[[:alpha:]]+[[:digit:]]+v@|^[[:alnum:]]+-[[:alnum:]]+@)/) -> FALSE
  3263. (9) elsif (reply:User-Name =~ /(uob\\\\?)?([a-z0-9\\-\\.]+)(@bris(tol)?\\.ac\\.uk)/){
  3264. (9) elsif (reply:User-Name =~ /(uob\\\\?)?([a-z0-9\\-\\.]+)(@bris(tol)?\\.ac\\.uk)/) -> TRUE
  3265. (9) elsif (reply:User-Name =~ /(uob\\\\?)?([a-z0-9\\-\\.]+)(@bris(tol)?\\.ac\\.uk)/) {
  3266. (9) eduroamvlan: EXPAND %{Calling-Station-Id}
  3267. (9) eduroamvlan: --> CC-20-E8-94-41-5A
  3268. (9) eduroamvlan: No cache entry found for "CC-20-E8-94-41-5A"
  3269. (9) eduroamvlan: Creating new cache entry
  3270. (9) eduroamvlan: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
  3271. (9) eduroamvlan: --> rh13054
  3272. (9) eduroamvlan: SQL-User-Name set to 'rh13054'
  3273. rlm_sql (uobsql): Closing connection (0): Hit idle_timeout, was idle for 208 seconds
  3274. rlm_sql (uobsql): You probably need to lower "min"
  3275. rlm_sql_mysql: Socket destructor called, closing socket
  3276. rlm_sql (uobsql): 0 of 0 connections in use. You may need to increase "spare"
  3277. rlm_sql (uobsql): Opening additional connection (1), 1 of 8 pending slots used
  3278. rlm_sql_mysql: Starting connect to MySQL server
  3279. rlm_sql_mysql: Connected to database 'radius' on db.nomadic-core.bris.ac.uk via TCP/IP, server version 5.5.47-MariaDB-wsrep-log, protocol version 10
  3280. rlm_sql (uobsql): Reserved connection (1)
  3281. (9) eduroamvlan: Executing select query: select if(count(common_username)>0,544,1100) from localprod.current_suspension where common_username = 'rh13054'
  3282. rlm_sql (uobsql): Released connection (1)
  3283. (9) eduroamvlan: EXPAND %{%{uobsql:select if(count(common_username)>0,544,1100) from localprod.current_suspension where common_username = '%{Stripped-User-Name}'}:-1100}
  3284. (9) eduroamvlan: --> 1100
  3285. (9) eduroamvlan: Tunnel-Private-Group-Id := 1100
  3286. (9) eduroamvlan: Merging cache entry into request
  3287. (9) eduroamvlan: &request:Tunnel-Private-Group-Id := "1100"
  3288. (9) eduroamvlan: Committed entry, TTL 600 seconds
  3289. (9) [eduroamvlan] = updated
  3290. (9) update reply {
  3291. (9) EXPAND %{Tunnel-Private-Group-Id}
  3292. (9) --> 1100
  3293. (9) Tunnel-Private-Group-Id := 1100
  3294. (9) } # update reply = noop
  3295. (9) } # elsif (reply:User-Name =~ /(uob\\\\?)?([a-z0-9\\-\\.]+)(@bris(tol)?\\.ac\\.uk)/) = updated
  3296. (9) ... skipping else for request 9: Preceding "if" was taken
  3297. (9) } # elsif (User-Name =~ /(@bris\\.ac\\.uk|@(my\\.)?bristol\\.ac\\.uk)$/) = updated
  3298. (9) ... skipping else for request 9: Preceding "if" was taken
  3299. (9) if (reply:Tunnel-Private-Group-Id != "666") {
  3300. (9) if (reply:Tunnel-Private-Group-Id != "666") -> TRUE
  3301. (9) if (reply:Tunnel-Private-Group-Id != "666") {
  3302. (9) update request {
  3303. (9) UOB-Info-Type := 'ACPT'
  3304. (9) } # update request = noop
  3305. (9) policy logchecker-acpt {
  3306. (9) EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
  3307. (9) --> rh13054
  3308. (9) SQL-User-Name set to 'rh13054'
  3309. rlm_sql (uobsql): Reserved connection (1)
  3310. (9) Executing query: INSERT INTO logchecker.logs (date, error_code, calling_station_id, user_name, virtual_server, eap_session_resumed, called_station_id, vlan, inner_user_name, operator_name, nas_ip_address, nas_identifier, packet_src_ip, packet_dst_ip, eap_type, client_shortname) VALUES ('2016-02-11 14:13:13', 'ACPT', 'CC-20-E8-94-41-5A', 'rh13054@my.bristol.ac.uk', 'eduroamlocal-auth', 'no', '1c:6a:7a:bb:a4:40:eduroam', '1100', 'rh13054@bristol.ac.uk', '', '172.17.107.208', 'wism8', '137.222.8.128', '172.17.107.208', 'PEAP', 'WISM8')
  3311. rlm_sql (uobsql): Released connection (1)
  3312. (9) EXPAND %{uobsql:INSERT INTO logchecker.logs (date, error_code, calling_station_id, user_name, virtual_server, eap_session_resumed, called_station_id, vlan, inner_user_name, operator_name, nas_ip_address, nas_identifier, packet_src_ip, packet_dst_ip, eap_type, client_shortname) VALUES ('%S', 'ACPT', '%{Calling-Station-Id}', '%{User-Name}', '%{Virtual-Server}', '%{%{request:EAP-Session-Resumed}:-no}', '%{Called-Station-Id}', '%{reply:Tunnel-Private-Group-Id}', '%{reply:User-Name}', '%{Operator-Name}', '%{NAS-IP-Address}', '%{NAS-Identifier}', '%{%{reply:Packet-Src-IP-Address}:-%{reply:Packet-Src-IPv6-Address}}', '%{%{reply:Packet-Dst-IP-Address}:-%{reply:Packet-Dst-IPv6-Address}}', '%{request:EAP-Type}', '%{Client-Shortname}') }
  3313. (9) --> 1
  3314. (9) } # policy logchecker-acpt = noop
  3315. (9) } # if (reply:Tunnel-Private-Group-Id != "666") = noop
  3316. (9) ... skipping else for request 9: Preceding "if" was taken
  3317. (9) eduroaminfo: EXPAND %{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN}
  3318. (9) eduroaminfo: --> eduroamlocal-auth.ACPT
  3319. (9) eduroaminfo: EXPAND ACPT, %{Calling-Station-Id}, LOGIN SUCCESSFUL [%{User-Name}] [%{Virtual-Server}], [TECH INFO: Resumed: %{%{request:EAP-Session-Resumed}:-no}, CdID: %{Called-Station-Id}, Vin: %{%{request:Tunnel-Private-Group-Id}:-'XXX'}, Vout: %{%{reply:Tunnel-Private-Group-Id}:-XXX}, EAP: %{request:EAP-Type}, Uin: %{request:User-Name}, Uout: %{reply:User-Name}]
  3320. (9) eduroaminfo: --> ACPT, CC-20-E8-94-41-5A, LOGIN SUCCESSFUL [rh13054@my.bristol.ac.uk] [eduroamlocal-auth], [TECH INFO: Resumed: no, CdID: 1c:6a:7a:bb:a4:40:eduroam, Vin: 1100, Vout: 1100, EAP: PEAP, Uin: rh13054@my.bristol.ac.uk, Uout: rh13054@bristol.ac.uk]
  3321. (9) [eduroaminfo] = ok
  3322. (9) logtosyslog: EXPAND logtosyslog.%{%{reply:Packet-Type}:-format}
  3323. (9) logtosyslog: --> logtosyslog.Access-Accept
  3324. (9) logtosyslog: EXPAND %{Virtual-Server}: Login OK: [%{User-Name}] (from client %S cli %{Calling-Station-Id})
  3325. (9) logtosyslog: --> eduroamlocal-auth: Login OK: [rh13054@my.bristol.ac.uk] (from client 2016-02-11 14:13:13 cli CC-20-E8-94-41-5A)
  3326. (9) [logtosyslog] = ok
  3327. (9) logtofile: EXPAND logtofile.%{%{reply:Packet-Type}:-format}
  3328. (9) logtofile: --> logtofile.Access-Accept
  3329. (9) logtofile: EXPAND /var/log/radius/radiusd-%{%{Virtual-Server}:-DEFAULT}.log
  3330. (9) logtofile: --> /var/log/radius/radiusd-eduroamlocal-auth.log
  3331. (9) logtofile: EXPAND %t : Login OK: [%{User-Name}] (from client %{Client-Shortname} op %{%{Operator-Name}:-NULL} cli %{Calling-Station-Id} port %{Packet-Dst-Port})
  3332. (9) logtofile: --> Thu Feb 11 14:13:13 2016 : Login OK: [rh13054@my.bristol.ac.uk] (from client WISM8 op NULL cli CC-20-E8-94-41-5A port 16006)
  3333. (9) [logtofile] = ok
  3334. (9) uob_reply_log: EXPAND /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log
  3335. (9) uob_reply_log: --> /var/log/radius/radacct/eduroamlocal-auth/reply-detail.log
  3336. (9) uob_reply_log: /var/log/radius/radacct/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log expands to /var/log/radius/radacct/eduroamlocal-auth/reply-detail.log
  3337. (9) uob_reply_log: EXPAND %t
  3338. (9) uob_reply_log: --> Thu Feb 11 14:13:13 2016
  3339. (9) [uob_reply_log] = ok
  3340. (9) filter.eduroamlocal-a_accept: EXPAND %{User-Name}
  3341. (9) filter.eduroamlocal-a_accept: --> rh13054@my.bristol.ac.uk
  3342. (9) filter.eduroamlocal-a_accept: Matched entry DEFAULT at line 1
  3343. (9) [filter.eduroamlocal-a_accept] = updated
  3344. (9) } # post-auth = updated
  3345. (9) Sent Access-Accept Id 126 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3346. (9) User-Name := "rh13054@bristol.ac.uk"
  3347. (9) MS-MPPE-Recv-Key = 0x7dea69fe1fd6363d900a7c146ef8b1fe35e0a062c4ab1257076347e1ccff809d
  3348. (9) MS-MPPE-Send-Key = 0x07c2d6b664ebd989dae4be5a361c67fd5c4e834bf67ba621bc70fd0556e98d1f
  3349. (9) EAP-Message = 0x030a0004
  3350. (9) Message-Authenticator = 0x00000000000000000000000000000000
  3351. (9) Session-Timeout := 43200
  3352. (9) Termination-Action := RADIUS-Request
  3353. (9) Tunnel-Type := VLAN
  3354. (9) Tunnel-Medium-Type := IEEE-802
  3355. (9) Tunnel-Private-Group-Id := "1100"
  3356. (9) Finished request
  3357. Waking up in 4.7 seconds.
  3358. (0) Cleaning up request packet ID 117 with timestamp +207
  3359. (1) Cleaning up request packet ID 118 with timestamp +207
  3360. (2) Cleaning up request packet ID 119 with timestamp +207
  3361. (3) Cleaning up request packet ID 120 with timestamp +207
  3362. (4) Cleaning up request packet ID 121 with timestamp +207
  3363. (5) Cleaning up request packet ID 122 with timestamp +208
  3364. (6) Cleaning up request packet ID 123 with timestamp +208
  3365. (7) Cleaning up request packet ID 124 with timestamp +208
  3366. (8) Cleaning up request packet ID 125 with timestamp +208
  3367. (9) Cleaning up request packet ID 126 with timestamp +208
  3368. Ready to process requests
  3369. (10) Received Access-Request Id 127 from 172.17.107.208:32770 to 137.222.8.128:16006 length 298
  3370. (10) User-Name = "rp12811@my.bristol.ac.uk"
  3371. (10) Chargeable-User-Identity = 0x00
  3372. (10) Location-Capable = Civix-Location
  3373. (10) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3374. (10) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3375. (10) NAS-Port = 13
  3376. (10) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3377. (10) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3378. (10) NAS-IP-Address = 172.17.107.208
  3379. (10) NAS-Identifier = "wism8"
  3380. (10) Airespace-Wlan-Id = 1
  3381. (10) Service-Type = Framed-User
  3382. (10) Framed-MTU = 1300
  3383. (10) NAS-Port-Type = Wireless-802.11
  3384. (10) Tunnel-Type:0 = VLAN
  3385. (10) Tunnel-Medium-Type:0 = IEEE-802
  3386. (10) Tunnel-Private-Group-Id:0 = "448"
  3387. (10) EAP-Message = 0x0201001d0172703132383131406d792e62726973746f6c2e61632e756b
  3388. (10) Message-Authenticator = 0x8ef1c663237fae19e0f89e348044df81
  3389. (10) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3390. (10) authorize {
  3391. (10) policy rewrite_calling_station_id {
  3392. (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3393. (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3394. (10) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3395. (10) update request {
  3396. (10) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3397. (10) --> D8-D1-CB-C5-7D-70
  3398. (10) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3399. (10) } # update request = noop
  3400. (10) [updated] = updated
  3401. (10) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3402. (10) ... skipping else for request 10: Preceding "if" was taken
  3403. (10) } # policy rewrite_calling_station_id = updated
  3404. (10) policy wism-checks {
  3405. (10) if (Service-Type == "NAS-Prompt-User") {
  3406. (10) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3407. (10) } # policy wism-checks = updated
  3408. (10) [preprocess] = ok
  3409. (10) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3410. (10) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3411. (10) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3412. (10) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3413. (10) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3414. (10) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3415. (10) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3416. (10) suffix: Checking for suffix after "@"
  3417. (10) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3418. (10) suffix: Found realm "my.bristol.ac.uk"
  3419. (10) suffix: Adding Stripped-User-Name = "rp12811"
  3420. (10) suffix: Adding Realm = "my.bristol.ac.uk"
  3421. (10) suffix: Authentication realm is LOCAL
  3422. (10) [suffix] = ok
  3423. (10) update request {
  3424. (10) Realm := "my.bristol.ac.uk"
  3425. (10) } # update request = noop
  3426. (10) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3427. (10) ... skipping elsif for request 10: Preceding "if" was taken
  3428. (10) ... skipping else for request 10: Preceding "if" was taken
  3429. (10) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3430. (10) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3431. (10) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3432. (10) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3433. (10) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3434. (10) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3435. (10) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3436. (10) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3437. (10) else {
  3438. (10) eduroameap: Peer sent EAP Response (code 2) ID 1 length 29
  3439. (10) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  3440. (10) [eduroameap] = ok
  3441. (10) } # else = ok
  3442. (10) } # authorize = updated
  3443. (10) Found Auth-Type = eduroameap
  3444. (10) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3445. (10) Auth-Type eduroameap {
  3446. (10) eduroameap: Peer sent packet with method EAP Identity (1)
  3447. (10) eduroameap: Calling submodule eap_peap to process data
  3448. (10) eap_peap: Initiating new EAP-TLS session
  3449. (10) eap_peap: [eaptls start] = request
  3450. (10) eduroameap: Sending EAP Request (code 1) ID 2 length 6
  3451. (10) eduroameap: EAP session adding &reply:State = 0x6fc3095a6fc110be
  3452. (10) [eduroameap] = handled
  3453. (10) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3454. (10) EXPAND Response-Packet-Type
  3455. (10) --> Access-Challenge
  3456. (10) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3457. (10) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3458. (10) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3459. (10) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  3460. (10) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3461. (10) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3462. (10) [handled] = handled
  3463. (10) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3464. (10) } # Auth-Type eduroameap = handled
  3465. (10) Using Post-Auth-Type Challenge
  3466. (10) Post-Auth-Type sub-section not found. Ignoring.
  3467. (10) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3468. (10) Sent Access-Challenge Id 127 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3469. (10) EAP-Message = 0x010200061920
  3470. (10) Message-Authenticator = 0x00000000000000000000000000000000
  3471. (10) State = 0x6fc3095a6fc110bedb95671bc9796537
  3472. (10) Finished request
  3473. Waking up in 4.9 seconds.
  3474. (11) Received Access-Request Id 128 from 172.17.107.208:32770 to 137.222.8.128:16006 length 418
  3475. (11) User-Name = "rp12811@my.bristol.ac.uk"
  3476. (11) Chargeable-User-Identity = 0x00
  3477. (11) Location-Capable = Civix-Location
  3478. (11) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3479. (11) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3480. (11) NAS-Port = 13
  3481. (11) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3482. (11) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3483. (11) NAS-IP-Address = 172.17.107.208
  3484. (11) NAS-Identifier = "wism8"
  3485. (11) Airespace-Wlan-Id = 1
  3486. (11) Service-Type = Framed-User
  3487. (11) Framed-MTU = 1300
  3488. (11) NAS-Port-Type = Wireless-802.11
  3489. (11) Tunnel-Type:0 = VLAN
  3490. (11) Tunnel-Medium-Type:0 = IEEE-802
  3491. (11) Tunnel-Private-Group-Id:0 = "448"
  3492. (11) EAP-Message = 0x02020083198000000079160301007401000070030156bc978240aa554f33a897e2dc8c9d57ef6a5df2432de6256f6cb2f0f3fb001500002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
  3493. (11) State = 0x6fc3095a6fc110bedb95671bc9796537
  3494. (11) Message-Authenticator = 0xc464bc7c52c5dde3b6dadb729b24f64b
  3495. (11) session-state: No cached attributes
  3496. (11) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3497. (11) authorize {
  3498. (11) policy rewrite_calling_station_id {
  3499. (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3500. (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3501. (11) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3502. (11) update request {
  3503. (11) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3504. (11) --> D8-D1-CB-C5-7D-70
  3505. (11) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3506. (11) } # update request = noop
  3507. (11) [updated] = updated
  3508. (11) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3509. (11) ... skipping else for request 11: Preceding "if" was taken
  3510. (11) } # policy rewrite_calling_station_id = updated
  3511. (11) policy wism-checks {
  3512. (11) if (Service-Type == "NAS-Prompt-User") {
  3513. (11) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3514. (11) } # policy wism-checks = updated
  3515. (11) [preprocess] = ok
  3516. (11) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3517. (11) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3518. (11) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3519. (11) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3520. (11) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3521. (11) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3522. (11) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3523. (11) suffix: Checking for suffix after "@"
  3524. (11) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3525. (11) suffix: Found realm "my.bristol.ac.uk"
  3526. (11) suffix: Adding Stripped-User-Name = "rp12811"
  3527. (11) suffix: Adding Realm = "my.bristol.ac.uk"
  3528. (11) suffix: Authentication realm is LOCAL
  3529. (11) [suffix] = ok
  3530. (11) update request {
  3531. (11) Realm := "my.bristol.ac.uk"
  3532. (11) } # update request = noop
  3533. (11) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3534. (11) ... skipping elsif for request 11: Preceding "if" was taken
  3535. (11) ... skipping else for request 11: Preceding "if" was taken
  3536. (11) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3537. (11) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3538. (11) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3539. (11) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3540. (11) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3541. (11) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3542. (11) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3543. (11) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3544. (11) else {
  3545. (11) eduroameap: Peer sent EAP Response (code 2) ID 2 length 131
  3546. (11) eduroameap: Continuing tunnel setup
  3547. (11) [eduroameap] = ok
  3548. (11) } # else = ok
  3549. (11) } # authorize = updated
  3550. (11) Found Auth-Type = eduroameap
  3551. (11) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3552. (11) Auth-Type eduroameap {
  3553. (11) eduroameap: Expiring EAP session with state 0x6fc3095a6fc110be
  3554. (11) eduroameap: Finished EAP session with state 0x6fc3095a6fc110be
  3555. (11) eduroameap: Previous EAP request found for state 0x6fc3095a6fc110be, released from the list
  3556. (11) eduroameap: Peer sent packet with method EAP PEAP (25)
  3557. (11) eduroameap: Calling submodule eap_peap to process data
  3558. (11) eap_peap: Continuing EAP-TLS
  3559. (11) eap_peap: Peer indicated complete TLS record size will be 121 bytes
  3560. (11) eap_peap: Got complete TLS record (121 bytes)
  3561. (11) eap_peap: [eaptls verify] = length included
  3562. (11) eap_peap: (other): before/accept initialization
  3563. (11) eap_peap: TLS_accept: before/accept initialization
  3564. (11) eap_peap: <<< TLS 1.0 Handshake [length 0074], ClientHello
  3565. (11) eap_peap: TLS_accept: SSLv3 read client hello A
  3566. (11) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
  3567. (11) eap_peap: TLS_accept: SSLv3 write server hello A
  3568. (11) eap_peap: >>> TLS 1.0 Handshake [length 0962], Certificate
  3569. (11) eap_peap: TLS_accept: SSLv3 write certificate A
  3570. (11) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  3571. (11) eap_peap: TLS_accept: SSLv3 write key exchange A
  3572. (11) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  3573. (11) eap_peap: TLS_accept: SSLv3 write server done A
  3574. (11) eap_peap: TLS_accept: SSLv3 flush data
  3575. (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  3576. (11) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  3577. (11) eap_peap: In SSL Handshake Phase
  3578. (11) eap_peap: In SSL Accept mode
  3579. (11) eap_peap: [eaptls process] = handled
  3580. (11) eduroameap: Sending EAP Request (code 1) ID 3 length 1004
  3581. (11) eduroameap: EAP session adding &reply:State = 0x6fc3095a6ec010be
  3582. (11) [eduroameap] = handled
  3583. (11) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3584. (11) EXPAND Response-Packet-Type
  3585. (11) --> Access-Challenge
  3586. (11) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3587. (11) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3588. (11) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3589. (11) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  3590. (11) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3591. (11) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3592. (11) [handled] = handled
  3593. (11) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3594. (11) } # Auth-Type eduroameap = handled
  3595. (11) Using Post-Auth-Type Challenge
  3596. (11) Post-Auth-Type sub-section not found. Ignoring.
  3597. (11) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3598. (11) Sent Access-Challenge Id 128 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3599. (11) EAP-Message = 0x010303ec19c000000afe160301003902000035030156bc9783b2e925c80bf839ebc5123bd5372d5499dc8f383b0ed76bd493f7661f00c01400000dff01000100000b00040300010216030109620b00095e00095b00041e3082041a30820302a0030201020203100018300d06092a864886f70d01010505
  3600. (11) Message-Authenticator = 0x00000000000000000000000000000000
  3601. (11) State = 0x6fc3095a6ec010bedb95671bc9796537
  3602. (11) Finished request
  3603. Waking up in 4.9 seconds.
  3604. (12) Received Access-Request Id 129 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  3605. (12) User-Name = "rp12811@my.bristol.ac.uk"
  3606. (12) Chargeable-User-Identity = 0x00
  3607. (12) Location-Capable = Civix-Location
  3608. (12) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3609. (12) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3610. (12) NAS-Port = 13
  3611. (12) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3612. (12) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3613. (12) NAS-IP-Address = 172.17.107.208
  3614. (12) NAS-Identifier = "wism8"
  3615. (12) Airespace-Wlan-Id = 1
  3616. (12) Service-Type = Framed-User
  3617. (12) Framed-MTU = 1300
  3618. (12) NAS-Port-Type = Wireless-802.11
  3619. (12) Tunnel-Type:0 = VLAN
  3620. (12) Tunnel-Medium-Type:0 = IEEE-802
  3621. (12) Tunnel-Private-Group-Id:0 = "448"
  3622. (12) EAP-Message = 0x020300061900
  3623. (12) State = 0x6fc3095a6ec010bedb95671bc9796537
  3624. (12) Message-Authenticator = 0x18fe78145d5c46ceeffe01ec719a606a
  3625. (12) session-state: No cached attributes
  3626. (12) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3627. (12) authorize {
  3628. (12) policy rewrite_calling_station_id {
  3629. (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3630. (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3631. (12) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3632. (12) update request {
  3633. (12) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3634. (12) --> D8-D1-CB-C5-7D-70
  3635. (12) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3636. (12) } # update request = noop
  3637. (12) [updated] = updated
  3638. (12) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3639. (12) ... skipping else for request 12: Preceding "if" was taken
  3640. (12) } # policy rewrite_calling_station_id = updated
  3641. (12) policy wism-checks {
  3642. (12) if (Service-Type == "NAS-Prompt-User") {
  3643. (12) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3644. (12) } # policy wism-checks = updated
  3645. (12) [preprocess] = ok
  3646. (12) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3647. (12) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3648. (12) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3649. (12) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3650. (12) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3651. (12) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3652. (12) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3653. (12) suffix: Checking for suffix after "@"
  3654. (12) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3655. (12) suffix: Found realm "my.bristol.ac.uk"
  3656. (12) suffix: Adding Stripped-User-Name = "rp12811"
  3657. (12) suffix: Adding Realm = "my.bristol.ac.uk"
  3658. (12) suffix: Authentication realm is LOCAL
  3659. (12) [suffix] = ok
  3660. (12) update request {
  3661. (12) Realm := "my.bristol.ac.uk"
  3662. (12) } # update request = noop
  3663. (12) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3664. (12) ... skipping elsif for request 12: Preceding "if" was taken
  3665. (12) ... skipping else for request 12: Preceding "if" was taken
  3666. (12) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3667. (12) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3668. (12) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3669. (12) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3670. (12) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3671. (12) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3672. (12) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3673. (12) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3674. (12) else {
  3675. (12) eduroameap: Peer sent EAP Response (code 2) ID 3 length 6
  3676. (12) eduroameap: Continuing tunnel setup
  3677. (12) [eduroameap] = ok
  3678. (12) } # else = ok
  3679. (12) } # authorize = updated
  3680. (12) Found Auth-Type = eduroameap
  3681. (12) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3682. (12) Auth-Type eduroameap {
  3683. (12) eduroameap: Expiring EAP session with state 0x6fc3095a6ec010be
  3684. (12) eduroameap: Finished EAP session with state 0x6fc3095a6ec010be
  3685. (12) eduroameap: Previous EAP request found for state 0x6fc3095a6ec010be, released from the list
  3686. (12) eduroameap: Peer sent packet with method EAP PEAP (25)
  3687. (12) eduroameap: Calling submodule eap_peap to process data
  3688. (12) eap_peap: Continuing EAP-TLS
  3689. (12) eap_peap: Peer ACKed our handshake fragment
  3690. (12) eap_peap: [eaptls verify] = request
  3691. (12) eap_peap: [eaptls process] = handled
  3692. (12) eduroameap: Sending EAP Request (code 1) ID 4 length 1000
  3693. (12) eduroameap: EAP session adding &reply:State = 0x6fc3095a6dc710be
  3694. (12) [eduroameap] = handled
  3695. (12) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3696. (12) EXPAND Response-Packet-Type
  3697. (12) --> Access-Challenge
  3698. (12) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3699. (12) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3700. (12) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3701. (12) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  3702. (12) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3703. (12) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3704. (12) [handled] = handled
  3705. (12) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3706. (12) } # Auth-Type eduroameap = handled
  3707. (12) Using Post-Auth-Type Challenge
  3708. (12) Post-Auth-Type sub-section not found. Ignoring.
  3709. (12) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3710. (12) Sent Access-Challenge Id 129 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3711. (12) EAP-Message = 0x010403e819401d2cf1d58f4dba2bd1120d6bedf8276592c881c781799b8f10ae54cb4827b40eb2cf8e47257082cc86b3a2942093f979c9fcd6717ee8896d352f6646c54e584c3a798453deeaf94dbe01ea370644beb43f63b6834155f52416c1c5262706477100b872f8c00c2c836a82b31c164acf9482
  3712. (12) Message-Authenticator = 0x00000000000000000000000000000000
  3713. (12) State = 0x6fc3095a6dc710bedb95671bc9796537
  3714. (12) Finished request
  3715. Waking up in 4.9 seconds.
  3716. (13) Received Access-Request Id 130 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  3717. (13) User-Name = "rp12811@my.bristol.ac.uk"
  3718. (13) Chargeable-User-Identity = 0x00
  3719. (13) Location-Capable = Civix-Location
  3720. (13) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3721. (13) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3722. (13) NAS-Port = 13
  3723. (13) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3724. (13) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3725. (13) NAS-IP-Address = 172.17.107.208
  3726. (13) NAS-Identifier = "wism8"
  3727. (13) Airespace-Wlan-Id = 1
  3728. (13) Service-Type = Framed-User
  3729. (13) Framed-MTU = 1300
  3730. (13) NAS-Port-Type = Wireless-802.11
  3731. (13) Tunnel-Type:0 = VLAN
  3732. (13) Tunnel-Medium-Type:0 = IEEE-802
  3733. (13) Tunnel-Private-Group-Id:0 = "448"
  3734. (13) EAP-Message = 0x020400061900
  3735. (13) State = 0x6fc3095a6dc710bedb95671bc9796537
  3736. (13) Message-Authenticator = 0xf7b8f7787579256f81c04348349f4d5b
  3737. (13) session-state: No cached attributes
  3738. (13) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3739. (13) authorize {
  3740. (13) policy rewrite_calling_station_id {
  3741. (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3742. (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3743. (13) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3744. (13) update request {
  3745. (13) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3746. (13) --> D8-D1-CB-C5-7D-70
  3747. (13) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3748. (13) } # update request = noop
  3749. (13) [updated] = updated
  3750. (13) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3751. (13) ... skipping else for request 13: Preceding "if" was taken
  3752. (13) } # policy rewrite_calling_station_id = updated
  3753. (13) policy wism-checks {
  3754. (13) if (Service-Type == "NAS-Prompt-User") {
  3755. (13) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3756. (13) } # policy wism-checks = updated
  3757. (13) [preprocess] = ok
  3758. (13) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3759. (13) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3760. (13) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3761. (13) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3762. (13) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3763. (13) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3764. (13) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3765. (13) suffix: Checking for suffix after "@"
  3766. (13) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3767. (13) suffix: Found realm "my.bristol.ac.uk"
  3768. (13) suffix: Adding Stripped-User-Name = "rp12811"
  3769. (13) suffix: Adding Realm = "my.bristol.ac.uk"
  3770. (13) suffix: Authentication realm is LOCAL
  3771. (13) [suffix] = ok
  3772. (13) update request {
  3773. (13) Realm := "my.bristol.ac.uk"
  3774. (13) } # update request = noop
  3775. (13) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3776. (13) ... skipping elsif for request 13: Preceding "if" was taken
  3777. (13) ... skipping else for request 13: Preceding "if" was taken
  3778. (13) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3779. (13) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3780. (13) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3781. (13) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3782. (13) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3783. (13) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3784. (13) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3785. (13) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3786. (13) else {
  3787. (13) eduroameap: Peer sent EAP Response (code 2) ID 4 length 6
  3788. (13) eduroameap: Continuing tunnel setup
  3789. (13) [eduroameap] = ok
  3790. (13) } # else = ok
  3791. (13) } # authorize = updated
  3792. (13) Found Auth-Type = eduroameap
  3793. (13) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3794. (13) Auth-Type eduroameap {
  3795. (13) eduroameap: Expiring EAP session with state 0x6fc3095a6dc710be
  3796. (13) eduroameap: Finished EAP session with state 0x6fc3095a6dc710be
  3797. (13) eduroameap: Previous EAP request found for state 0x6fc3095a6dc710be, released from the list
  3798. (13) eduroameap: Peer sent packet with method EAP PEAP (25)
  3799. (13) eduroameap: Calling submodule eap_peap to process data
  3800. (13) eap_peap: Continuing EAP-TLS
  3801. (13) eap_peap: Peer ACKed our handshake fragment
  3802. (13) eap_peap: [eaptls verify] = request
  3803. (13) eap_peap: [eaptls process] = handled
  3804. (13) eduroameap: Sending EAP Request (code 1) ID 5 length 832
  3805. (13) eduroameap: EAP session adding &reply:State = 0x6fc3095a6cc610be
  3806. (13) [eduroameap] = handled
  3807. (13) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3808. (13) EXPAND Response-Packet-Type
  3809. (13) --> Access-Challenge
  3810. (13) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3811. (13) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3812. (13) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3813. (13) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  3814. (13) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3815. (13) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3816. (13) [handled] = handled
  3817. (13) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3818. (13) } # Auth-Type eduroameap = handled
  3819. (13) Using Post-Auth-Type Challenge
  3820. (13) Post-Auth-Type sub-section not found. Ignoring.
  3821. (13) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3822. (13) Sent Access-Challenge Id 130 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3823. (13) EAP-Message = 0x010503401900c1311e301c060355040a1315556e6976657273697479206f662042726973746f6c311f301d060355040b1316495420536572766963657320284e6574776f726b73293129302706092a864886f70d010901161a736572766963652d6465736b4062726973746f6c2e61632e756b3110300e
  3824. (13) Message-Authenticator = 0x00000000000000000000000000000000
  3825. (13) State = 0x6fc3095a6cc610bedb95671bc9796537
  3826. (13) Finished request
  3827. Waking up in 4.9 seconds.
  3828. (14) Received Access-Request Id 131 from 172.17.107.208:32770 to 137.222.8.128:16006 length 298
  3829. (14) User-Name = "rp12811@my.bristol.ac.uk"
  3830. (14) Chargeable-User-Identity = 0x00
  3831. (14) Location-Capable = Civix-Location
  3832. (14) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3833. (14) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3834. (14) NAS-Port = 13
  3835. (14) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3836. (14) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3837. (14) NAS-IP-Address = 172.17.107.208
  3838. (14) NAS-Identifier = "wism8"
  3839. (14) Airespace-Wlan-Id = 1
  3840. (14) Service-Type = Framed-User
  3841. (14) Framed-MTU = 1300
  3842. (14) NAS-Port-Type = Wireless-802.11
  3843. (14) Tunnel-Type:0 = VLAN
  3844. (14) Tunnel-Medium-Type:0 = IEEE-802
  3845. (14) Tunnel-Private-Group-Id:0 = "448"
  3846. (14) EAP-Message = 0x0201001d0172703132383131406d792e62726973746f6c2e61632e756b
  3847. (14) Message-Authenticator = 0x76c266bab5a23bab9e9878b7e226959f
  3848. (14) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3849. (14) authorize {
  3850. (14) policy rewrite_calling_station_id {
  3851. (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3852. (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3853. (14) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3854. (14) update request {
  3855. (14) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3856. (14) --> D8-D1-CB-C5-7D-70
  3857. (14) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3858. (14) } # update request = noop
  3859. (14) [updated] = updated
  3860. (14) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3861. (14) ... skipping else for request 14: Preceding "if" was taken
  3862. (14) } # policy rewrite_calling_station_id = updated
  3863. (14) policy wism-checks {
  3864. (14) if (Service-Type == "NAS-Prompt-User") {
  3865. (14) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3866. (14) } # policy wism-checks = updated
  3867. (14) [preprocess] = ok
  3868. (14) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3869. (14) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3870. (14) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3871. (14) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3872. (14) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3873. (14) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3874. (14) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3875. (14) suffix: Checking for suffix after "@"
  3876. (14) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3877. (14) suffix: Found realm "my.bristol.ac.uk"
  3878. (14) suffix: Adding Stripped-User-Name = "rp12811"
  3879. (14) suffix: Adding Realm = "my.bristol.ac.uk"
  3880. (14) suffix: Authentication realm is LOCAL
  3881. (14) [suffix] = ok
  3882. (14) update request {
  3883. (14) Realm := "my.bristol.ac.uk"
  3884. (14) } # update request = noop
  3885. (14) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3886. (14) ... skipping elsif for request 14: Preceding "if" was taken
  3887. (14) ... skipping else for request 14: Preceding "if" was taken
  3888. (14) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3889. (14) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3890. (14) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3891. (14) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3892. (14) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  3893. (14) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3894. (14) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  3895. (14) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  3896. (14) else {
  3897. (14) eduroameap: Peer sent EAP Response (code 2) ID 1 length 29
  3898. (14) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  3899. (14) [eduroameap] = ok
  3900. (14) } # else = ok
  3901. (14) } # authorize = updated
  3902. (14) Found Auth-Type = eduroameap
  3903. (14) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3904. (14) Auth-Type eduroameap {
  3905. (14) eduroameap: Peer sent packet with method EAP Identity (1)
  3906. (14) eduroameap: Calling submodule eap_peap to process data
  3907. (14) eap_peap: Initiating new EAP-TLS session
  3908. (14) eap_peap: [eaptls start] = request
  3909. (14) eduroameap: Sending EAP Request (code 1) ID 2 length 6
  3910. (14) eduroameap: EAP session adding &reply:State = 0x50612e0f50633724
  3911. (14) [eduroameap] = handled
  3912. (14) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3913. (14) EXPAND Response-Packet-Type
  3914. (14) --> Access-Challenge
  3915. (14) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  3916. (14) if (handled && (Response-Packet-Type == Access-Challenge)) {
  3917. (14) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  3918. (14) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  3919. (14) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  3920. (14) [filter.eduroamlocal-a_challenge.post-auth] = updated
  3921. (14) [handled] = handled
  3922. (14) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  3923. (14) } # Auth-Type eduroameap = handled
  3924. (14) Using Post-Auth-Type Challenge
  3925. (14) Post-Auth-Type sub-section not found. Ignoring.
  3926. (14) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3927. (14) Sent Access-Challenge Id 131 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  3928. (14) EAP-Message = 0x010200061920
  3929. (14) Message-Authenticator = 0x00000000000000000000000000000000
  3930. (14) State = 0x50612e0f50633724a214eec3e36f5ee8
  3931. (14) Finished request
  3932. Waking up in 3.9 seconds.
  3933. (15) Received Access-Request Id 132 from 172.17.107.208:32770 to 137.222.8.128:16006 length 418
  3934. (15) User-Name = "rp12811@my.bristol.ac.uk"
  3935. (15) Chargeable-User-Identity = 0x00
  3936. (15) Location-Capable = Civix-Location
  3937. (15) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  3938. (15) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  3939. (15) NAS-Port = 13
  3940. (15) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  3941. (15) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  3942. (15) NAS-IP-Address = 172.17.107.208
  3943. (15) NAS-Identifier = "wism8"
  3944. (15) Airespace-Wlan-Id = 1
  3945. (15) Service-Type = Framed-User
  3946. (15) Framed-MTU = 1300
  3947. (15) NAS-Port-Type = Wireless-802.11
  3948. (15) Tunnel-Type:0 = VLAN
  3949. (15) Tunnel-Medium-Type:0 = IEEE-802
  3950. (15) Tunnel-Private-Group-Id:0 = "448"
  3951. (15) EAP-Message = 0x02020083198000000079160301007401000070030156bc97835125e194a702cc80fc08813897923c4cedc48f45b786af7d1fd85be600002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
  3952. (15) State = 0x50612e0f50633724a214eec3e36f5ee8
  3953. (15) Message-Authenticator = 0xd8ea393995878445c9baa2148d1cd680
  3954. (15) session-state: No cached attributes
  3955. (15) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  3956. (15) authorize {
  3957. (15) policy rewrite_calling_station_id {
  3958. (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3959. (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  3960. (15) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  3961. (15) update request {
  3962. (15) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  3963. (15) --> D8-D1-CB-C5-7D-70
  3964. (15) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  3965. (15) } # update request = noop
  3966. (15) [updated] = updated
  3967. (15) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  3968. (15) ... skipping else for request 15: Preceding "if" was taken
  3969. (15) } # policy rewrite_calling_station_id = updated
  3970. (15) policy wism-checks {
  3971. (15) if (Service-Type == "NAS-Prompt-User") {
  3972. (15) if (Service-Type == "NAS-Prompt-User") -> FALSE
  3973. (15) } # policy wism-checks = updated
  3974. (15) [preprocess] = ok
  3975. (15) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  3976. (15) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  3977. (15) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  3978. (15) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  3979. (15) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3980. (15) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  3981. (15) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  3982. (15) suffix: Checking for suffix after "@"
  3983. (15) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  3984. (15) suffix: Found realm "my.bristol.ac.uk"
  3985. (15) suffix: Adding Stripped-User-Name = "rp12811"
  3986. (15) suffix: Adding Realm = "my.bristol.ac.uk"
  3987. (15) suffix: Authentication realm is LOCAL
  3988. (15) [suffix] = ok
  3989. (15) update request {
  3990. (15) Realm := "my.bristol.ac.uk"
  3991. (15) } # update request = noop
  3992. (15) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  3993. (15) ... skipping elsif for request 15: Preceding "if" was taken
  3994. (15) ... skipping else for request 15: Preceding "if" was taken
  3995. (15) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  3996. (15) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3997. (15) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  3998. (15) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  3999. (15) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4000. (15) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4001. (15) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4002. (15) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4003. (15) else {
  4004. (15) eduroameap: Peer sent EAP Response (code 2) ID 2 length 131
  4005. (15) eduroameap: Continuing tunnel setup
  4006. (15) [eduroameap] = ok
  4007. (15) } # else = ok
  4008. (15) } # authorize = updated
  4009. (15) Found Auth-Type = eduroameap
  4010. (15) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4011. (15) Auth-Type eduroameap {
  4012. (15) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4013. (15) eduroameap: Finished EAP session with state 0x50612e0f50633724
  4014. (15) eduroameap: Previous EAP request found for state 0x50612e0f50633724, released from the list
  4015. (15) eduroameap: Peer sent packet with method EAP PEAP (25)
  4016. (15) eduroameap: Calling submodule eap_peap to process data
  4017. (15) eap_peap: Continuing EAP-TLS
  4018. (15) eap_peap: Peer indicated complete TLS record size will be 121 bytes
  4019. (15) eap_peap: Got complete TLS record (121 bytes)
  4020. (15) eap_peap: [eaptls verify] = length included
  4021. (15) eap_peap: (other): before/accept initialization
  4022. (15) eap_peap: TLS_accept: before/accept initialization
  4023. (15) eap_peap: <<< TLS 1.0 Handshake [length 0074], ClientHello
  4024. (15) eap_peap: TLS_accept: SSLv3 read client hello A
  4025. (15) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
  4026. (15) eap_peap: TLS_accept: SSLv3 write server hello A
  4027. (15) eap_peap: >>> TLS 1.0 Handshake [length 0962], Certificate
  4028. (15) eap_peap: TLS_accept: SSLv3 write certificate A
  4029. (15) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  4030. (15) eap_peap: TLS_accept: SSLv3 write key exchange A
  4031. (15) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  4032. (15) eap_peap: TLS_accept: SSLv3 write server done A
  4033. (15) eap_peap: TLS_accept: SSLv3 flush data
  4034. (15) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4035. (15) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4036. (15) eap_peap: In SSL Handshake Phase
  4037. (15) eap_peap: In SSL Accept mode
  4038. (15) eap_peap: [eaptls process] = handled
  4039. (15) eduroameap: Sending EAP Request (code 1) ID 3 length 1004
  4040. (15) eduroameap: EAP session adding &reply:State = 0x50612e0f51623724
  4041. (15) [eduroameap] = handled
  4042. (15) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4043. (15) EXPAND Response-Packet-Type
  4044. (15) --> Access-Challenge
  4045. (15) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4046. (15) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4047. (15) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4048. (15) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4049. (15) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4050. (15) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4051. (15) [handled] = handled
  4052. (15) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4053. (15) } # Auth-Type eduroameap = handled
  4054. (15) Using Post-Auth-Type Challenge
  4055. (15) Post-Auth-Type sub-section not found. Ignoring.
  4056. (15) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4057. (15) Sent Access-Challenge Id 132 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4058. (15) EAP-Message = 0x010303ec19c000000afe160301003902000035030156bc9784ddfc34d777c621bfa7c09ea7dba760caae6ca5d9671a5b798bc88e2300c01400000dff01000100000b00040300010216030109620b00095e00095b00041e3082041a30820302a0030201020203100018300d06092a864886f70d01010505
  4059. (15) Message-Authenticator = 0x00000000000000000000000000000000
  4060. (15) State = 0x50612e0f51623724a214eec3e36f5ee8
  4061. (15) Finished request
  4062. Waking up in 3.8 seconds.
  4063. (16) Received Access-Request Id 133 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  4064. (16) User-Name = "rp12811@my.bristol.ac.uk"
  4065. (16) Chargeable-User-Identity = 0x00
  4066. (16) Location-Capable = Civix-Location
  4067. (16) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4068. (16) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4069. (16) NAS-Port = 13
  4070. (16) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4071. (16) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4072. (16) NAS-IP-Address = 172.17.107.208
  4073. (16) NAS-Identifier = "wism8"
  4074. (16) Airespace-Wlan-Id = 1
  4075. (16) Service-Type = Framed-User
  4076. (16) Framed-MTU = 1300
  4077. (16) NAS-Port-Type = Wireless-802.11
  4078. (16) Tunnel-Type:0 = VLAN
  4079. (16) Tunnel-Medium-Type:0 = IEEE-802
  4080. (16) Tunnel-Private-Group-Id:0 = "448"
  4081. (16) EAP-Message = 0x020300061900
  4082. (16) State = 0x50612e0f51623724a214eec3e36f5ee8
  4083. (16) Message-Authenticator = 0x08237bdbd543ad1e728b2a5507dd8740
  4084. (16) session-state: No cached attributes
  4085. (16) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4086. (16) authorize {
  4087. (16) policy rewrite_calling_station_id {
  4088. (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4089. (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4090. (16) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4091. (16) update request {
  4092. (16) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4093. (16) --> D8-D1-CB-C5-7D-70
  4094. (16) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4095. (16) } # update request = noop
  4096. (16) [updated] = updated
  4097. (16) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4098. (16) ... skipping else for request 16: Preceding "if" was taken
  4099. (16) } # policy rewrite_calling_station_id = updated
  4100. (16) policy wism-checks {
  4101. (16) if (Service-Type == "NAS-Prompt-User") {
  4102. (16) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4103. (16) } # policy wism-checks = updated
  4104. (16) [preprocess] = ok
  4105. (16) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4106. (16) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4107. (16) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4108. (16) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4109. (16) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4110. (16) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4111. (16) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4112. (16) suffix: Checking for suffix after "@"
  4113. (16) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4114. (16) suffix: Found realm "my.bristol.ac.uk"
  4115. (16) suffix: Adding Stripped-User-Name = "rp12811"
  4116. (16) suffix: Adding Realm = "my.bristol.ac.uk"
  4117. (16) suffix: Authentication realm is LOCAL
  4118. (16) [suffix] = ok
  4119. (16) update request {
  4120. (16) Realm := "my.bristol.ac.uk"
  4121. (16) } # update request = noop
  4122. (16) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4123. (16) ... skipping elsif for request 16: Preceding "if" was taken
  4124. (16) ... skipping else for request 16: Preceding "if" was taken
  4125. (16) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4126. (16) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4127. (16) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4128. (16) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4129. (16) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4130. (16) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4131. (16) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4132. (16) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4133. (16) else {
  4134. (16) eduroameap: Peer sent EAP Response (code 2) ID 3 length 6
  4135. (16) eduroameap: Continuing tunnel setup
  4136. (16) [eduroameap] = ok
  4137. (16) } # else = ok
  4138. (16) } # authorize = updated
  4139. (16) Found Auth-Type = eduroameap
  4140. (16) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4141. (16) Auth-Type eduroameap {
  4142. (16) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4143. (16) eduroameap: Finished EAP session with state 0x50612e0f51623724
  4144. (16) eduroameap: Previous EAP request found for state 0x50612e0f51623724, released from the list
  4145. (16) eduroameap: Peer sent packet with method EAP PEAP (25)
  4146. (16) eduroameap: Calling submodule eap_peap to process data
  4147. (16) eap_peap: Continuing EAP-TLS
  4148. (16) eap_peap: Peer ACKed our handshake fragment
  4149. (16) eap_peap: [eaptls verify] = request
  4150. (16) eap_peap: [eaptls process] = handled
  4151. (16) eduroameap: Sending EAP Request (code 1) ID 4 length 1000
  4152. (16) eduroameap: EAP session adding &reply:State = 0x50612e0f52653724
  4153. (16) [eduroameap] = handled
  4154. (16) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4155. (16) EXPAND Response-Packet-Type
  4156. (16) --> Access-Challenge
  4157. (16) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4158. (16) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4159. (16) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4160. (16) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4161. (16) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4162. (16) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4163. (16) [handled] = handled
  4164. (16) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4165. (16) } # Auth-Type eduroameap = handled
  4166. (16) Using Post-Auth-Type Challenge
  4167. (16) Post-Auth-Type sub-section not found. Ignoring.
  4168. (16) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4169. (16) Sent Access-Challenge Id 133 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4170. (16) EAP-Message = 0x010403e819401d2cf1d58f4dba2bd1120d6bedf8276592c881c781799b8f10ae54cb4827b40eb2cf8e47257082cc86b3a2942093f979c9fcd6717ee8896d352f6646c54e584c3a798453deeaf94dbe01ea370644beb43f63b6834155f52416c1c5262706477100b872f8c00c2c836a82b31c164acf9482
  4171. (16) Message-Authenticator = 0x00000000000000000000000000000000
  4172. (16) State = 0x50612e0f52653724a214eec3e36f5ee8
  4173. (16) Finished request
  4174. Waking up in 3.8 seconds.
  4175. (17) Received Access-Request Id 134 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  4176. (17) User-Name = "rp12811@my.bristol.ac.uk"
  4177. (17) Chargeable-User-Identity = 0x00
  4178. (17) Location-Capable = Civix-Location
  4179. (17) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4180. (17) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4181. (17) NAS-Port = 13
  4182. (17) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4183. (17) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4184. (17) NAS-IP-Address = 172.17.107.208
  4185. (17) NAS-Identifier = "wism8"
  4186. (17) Airespace-Wlan-Id = 1
  4187. (17) Service-Type = Framed-User
  4188. (17) Framed-MTU = 1300
  4189. (17) NAS-Port-Type = Wireless-802.11
  4190. (17) Tunnel-Type:0 = VLAN
  4191. (17) Tunnel-Medium-Type:0 = IEEE-802
  4192. (17) Tunnel-Private-Group-Id:0 = "448"
  4193. (17) EAP-Message = 0x020400061900
  4194. (17) State = 0x50612e0f52653724a214eec3e36f5ee8
  4195. (17) Message-Authenticator = 0xd3ee353bf8b4d26d0129fdb3473c635d
  4196. (17) session-state: No cached attributes
  4197. (17) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4198. (17) authorize {
  4199. (17) policy rewrite_calling_station_id {
  4200. (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4201. (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4202. (17) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4203. (17) update request {
  4204. (17) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4205. (17) --> D8-D1-CB-C5-7D-70
  4206. (17) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4207. (17) } # update request = noop
  4208. (17) [updated] = updated
  4209. (17) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4210. (17) ... skipping else for request 17: Preceding "if" was taken
  4211. (17) } # policy rewrite_calling_station_id = updated
  4212. (17) policy wism-checks {
  4213. (17) if (Service-Type == "NAS-Prompt-User") {
  4214. (17) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4215. (17) } # policy wism-checks = updated
  4216. (17) [preprocess] = ok
  4217. (17) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4218. (17) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4219. (17) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4220. (17) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4221. (17) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4222. (17) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4223. (17) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4224. (17) suffix: Checking for suffix after "@"
  4225. (17) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4226. (17) suffix: Found realm "my.bristol.ac.uk"
  4227. (17) suffix: Adding Stripped-User-Name = "rp12811"
  4228. (17) suffix: Adding Realm = "my.bristol.ac.uk"
  4229. (17) suffix: Authentication realm is LOCAL
  4230. (17) [suffix] = ok
  4231. (17) update request {
  4232. (17) Realm := "my.bristol.ac.uk"
  4233. (17) } # update request = noop
  4234. (17) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4235. (17) ... skipping elsif for request 17: Preceding "if" was taken
  4236. (17) ... skipping else for request 17: Preceding "if" was taken
  4237. (17) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4238. (17) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4239. (17) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4240. (17) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4241. (17) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4242. (17) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4243. (17) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4244. (17) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4245. (17) else {
  4246. (17) eduroameap: Peer sent EAP Response (code 2) ID 4 length 6
  4247. (17) eduroameap: Continuing tunnel setup
  4248. (17) [eduroameap] = ok
  4249. (17) } # else = ok
  4250. (17) } # authorize = updated
  4251. (17) Found Auth-Type = eduroameap
  4252. (17) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4253. (17) Auth-Type eduroameap {
  4254. (17) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4255. (17) eduroameap: Finished EAP session with state 0x50612e0f52653724
  4256. (17) eduroameap: Previous EAP request found for state 0x50612e0f52653724, released from the list
  4257. (17) eduroameap: Peer sent packet with method EAP PEAP (25)
  4258. (17) eduroameap: Calling submodule eap_peap to process data
  4259. (17) eap_peap: Continuing EAP-TLS
  4260. (17) eap_peap: Peer ACKed our handshake fragment
  4261. (17) eap_peap: [eaptls verify] = request
  4262. (17) eap_peap: [eaptls process] = handled
  4263. (17) eduroameap: Sending EAP Request (code 1) ID 5 length 832
  4264. (17) eduroameap: EAP session adding &reply:State = 0x50612e0f53643724
  4265. (17) [eduroameap] = handled
  4266. (17) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4267. (17) EXPAND Response-Packet-Type
  4268. (17) --> Access-Challenge
  4269. (17) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4270. (17) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4271. (17) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4272. (17) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4273. (17) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4274. (17) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4275. (17) [handled] = handled
  4276. (17) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4277. (17) } # Auth-Type eduroameap = handled
  4278. (17) Using Post-Auth-Type Challenge
  4279. (17) Post-Auth-Type sub-section not found. Ignoring.
  4280. (17) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4281. (17) Sent Access-Challenge Id 134 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4282. (17) EAP-Message = 0x010503401900c1311e301c060355040a1315556e6976657273697479206f662042726973746f6c311f301d060355040b1316495420536572766963657320284e6574776f726b73293129302706092a864886f70d010901161a736572766963652d6465736b4062726973746f6c2e61632e756b3110300e
  4283. (17) Message-Authenticator = 0x00000000000000000000000000000000
  4284. (17) State = 0x50612e0f53643724a214eec3e36f5ee8
  4285. (17) Finished request
  4286. Waking up in 3.8 seconds.
  4287. (10) Cleaning up request packet ID 127 with timestamp +346
  4288. (11) Cleaning up request packet ID 128 with timestamp +346
  4289. (12) Cleaning up request packet ID 129 with timestamp +346
  4290. (13) Cleaning up request packet ID 130 with timestamp +346
  4291. Waking up in 1.0 seconds.
  4292. (14) Cleaning up request packet ID 131 with timestamp +347
  4293. (15) Cleaning up request packet ID 132 with timestamp +347
  4294. (16) Cleaning up request packet ID 133 with timestamp +347
  4295. (17) Cleaning up request packet ID 134 with timestamp +347
  4296. Ready to process requests
  4297. (18) Received Access-Request Id 135 from 172.17.107.208:32770 to 137.222.8.128:16006 length 298
  4298. (18) User-Name = "rp12811@my.bristol.ac.uk"
  4299. (18) Chargeable-User-Identity = 0x00
  4300. (18) Location-Capable = Civix-Location
  4301. (18) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4302. (18) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4303. (18) NAS-Port = 13
  4304. (18) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4305. (18) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4306. (18) NAS-IP-Address = 172.17.107.208
  4307. (18) NAS-Identifier = "wism8"
  4308. (18) Airespace-Wlan-Id = 1
  4309. (18) Service-Type = Framed-User
  4310. (18) Framed-MTU = 1300
  4311. (18) NAS-Port-Type = Wireless-802.11
  4312. (18) Tunnel-Type:0 = VLAN
  4313. (18) Tunnel-Medium-Type:0 = IEEE-802
  4314. (18) Tunnel-Private-Group-Id:0 = "448"
  4315. (18) EAP-Message = 0x0201001d0172703132383131406d792e62726973746f6c2e61632e756b
  4316. (18) Message-Authenticator = 0xcd6af9d132de4e3ac16596e6709f9803
  4317. (18) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4318. (18) authorize {
  4319. (18) policy rewrite_calling_station_id {
  4320. (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4321. (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4322. (18) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4323. (18) update request {
  4324. (18) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4325. (18) --> D8-D1-CB-C5-7D-70
  4326. (18) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4327. (18) } # update request = noop
  4328. (18) [updated] = updated
  4329. (18) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4330. (18) ... skipping else for request 18: Preceding "if" was taken
  4331. (18) } # policy rewrite_calling_station_id = updated
  4332. (18) policy wism-checks {
  4333. (18) if (Service-Type == "NAS-Prompt-User") {
  4334. (18) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4335. (18) } # policy wism-checks = updated
  4336. (18) [preprocess] = ok
  4337. (18) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4338. (18) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4339. (18) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4340. (18) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4341. (18) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4342. (18) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4343. (18) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4344. (18) suffix: Checking for suffix after "@"
  4345. (18) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4346. (18) suffix: Found realm "my.bristol.ac.uk"
  4347. (18) suffix: Adding Stripped-User-Name = "rp12811"
  4348. (18) suffix: Adding Realm = "my.bristol.ac.uk"
  4349. (18) suffix: Authentication realm is LOCAL
  4350. (18) [suffix] = ok
  4351. (18) update request {
  4352. (18) Realm := "my.bristol.ac.uk"
  4353. (18) } # update request = noop
  4354. (18) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4355. (18) ... skipping elsif for request 18: Preceding "if" was taken
  4356. (18) ... skipping else for request 18: Preceding "if" was taken
  4357. (18) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4358. (18) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4359. (18) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4360. (18) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4361. (18) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4362. (18) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4363. (18) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4364. (18) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4365. (18) else {
  4366. (18) eduroameap: Peer sent EAP Response (code 2) ID 1 length 29
  4367. (18) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  4368. (18) [eduroameap] = ok
  4369. (18) } # else = ok
  4370. (18) } # authorize = updated
  4371. (18) Found Auth-Type = eduroameap
  4372. (18) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4373. (18) Auth-Type eduroameap {
  4374. (18) eduroameap: Peer sent packet with method EAP Identity (1)
  4375. (18) eduroameap: Calling submodule eap_peap to process data
  4376. (18) eap_peap: Initiating new EAP-TLS session
  4377. (18) eap_peap: [eaptls start] = request
  4378. (18) eduroameap: Sending EAP Request (code 1) ID 2 length 6
  4379. (18) eduroameap: EAP session adding &reply:State = 0x21f5426621f75bcd
  4380. (18) [eduroameap] = handled
  4381. (18) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4382. (18) EXPAND Response-Packet-Type
  4383. (18) --> Access-Challenge
  4384. (18) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4385. (18) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4386. (18) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4387. (18) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4388. (18) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4389. (18) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4390. (18) [handled] = handled
  4391. (18) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4392. (18) } # Auth-Type eduroameap = handled
  4393. (18) Using Post-Auth-Type Challenge
  4394. (18) Post-Auth-Type sub-section not found. Ignoring.
  4395. (18) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4396. (18) Sent Access-Challenge Id 135 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4397. (18) EAP-Message = 0x010200061920
  4398. (18) Message-Authenticator = 0x00000000000000000000000000000000
  4399. (18) State = 0x21f5426621f75bcd6b9f3462aca485d2
  4400. (18) Finished request
  4401. Waking up in 4.9 seconds.
  4402. (19) Received Access-Request Id 136 from 172.17.107.208:32770 to 137.222.8.128:16006 length 418
  4403. (19) User-Name = "rp12811@my.bristol.ac.uk"
  4404. (19) Chargeable-User-Identity = 0x00
  4405. (19) Location-Capable = Civix-Location
  4406. (19) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4407. (19) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4408. (19) NAS-Port = 13
  4409. (19) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4410. (19) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4411. (19) NAS-IP-Address = 172.17.107.208
  4412. (19) NAS-Identifier = "wism8"
  4413. (19) Airespace-Wlan-Id = 1
  4414. (19) Service-Type = Framed-User
  4415. (19) Framed-MTU = 1300
  4416. (19) NAS-Port-Type = Wireless-802.11
  4417. (19) Tunnel-Type:0 = VLAN
  4418. (19) Tunnel-Medium-Type:0 = IEEE-802
  4419. (19) Tunnel-Private-Group-Id:0 = "448"
  4420. (19) EAP-Message = 0x02020083198000000079160301007401000070030156bc978bf186a230ee80cf6ff5c1bb71824b07c187226de1df6a38a22772b10b00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
  4421. (19) State = 0x21f5426621f75bcd6b9f3462aca485d2
  4422. (19) Message-Authenticator = 0x3b125a4b2a6a7b9e97eca1725710dfc1
  4423. (19) session-state: No cached attributes
  4424. (19) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4425. (19) authorize {
  4426. (19) policy rewrite_calling_station_id {
  4427. (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4428. (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4429. (19) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4430. (19) update request {
  4431. (19) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4432. (19) --> D8-D1-CB-C5-7D-70
  4433. (19) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4434. (19) } # update request = noop
  4435. (19) [updated] = updated
  4436. (19) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4437. (19) ... skipping else for request 19: Preceding "if" was taken
  4438. (19) } # policy rewrite_calling_station_id = updated
  4439. (19) policy wism-checks {
  4440. (19) if (Service-Type == "NAS-Prompt-User") {
  4441. (19) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4442. (19) } # policy wism-checks = updated
  4443. (19) [preprocess] = ok
  4444. (19) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4445. (19) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4446. (19) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4447. (19) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4448. (19) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4449. (19) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4450. (19) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4451. (19) suffix: Checking for suffix after "@"
  4452. (19) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4453. (19) suffix: Found realm "my.bristol.ac.uk"
  4454. (19) suffix: Adding Stripped-User-Name = "rp12811"
  4455. (19) suffix: Adding Realm = "my.bristol.ac.uk"
  4456. (19) suffix: Authentication realm is LOCAL
  4457. (19) [suffix] = ok
  4458. (19) update request {
  4459. (19) Realm := "my.bristol.ac.uk"
  4460. (19) } # update request = noop
  4461. (19) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4462. (19) ... skipping elsif for request 19: Preceding "if" was taken
  4463. (19) ... skipping else for request 19: Preceding "if" was taken
  4464. (19) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4465. (19) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4466. (19) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4467. (19) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4468. (19) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4469. (19) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4470. (19) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4471. (19) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4472. (19) else {
  4473. (19) eduroameap: Peer sent EAP Response (code 2) ID 2 length 131
  4474. (19) eduroameap: Continuing tunnel setup
  4475. (19) [eduroameap] = ok
  4476. (19) } # else = ok
  4477. (19) } # authorize = updated
  4478. (19) Found Auth-Type = eduroameap
  4479. (19) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4480. (19) Auth-Type eduroameap {
  4481. (19) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4482. (19) eduroameap: Finished EAP session with state 0x21f5426621f75bcd
  4483. (19) eduroameap: Previous EAP request found for state 0x21f5426621f75bcd, released from the list
  4484. (19) eduroameap: Peer sent packet with method EAP PEAP (25)
  4485. (19) eduroameap: Calling submodule eap_peap to process data
  4486. (19) eap_peap: Continuing EAP-TLS
  4487. (19) eap_peap: Peer indicated complete TLS record size will be 121 bytes
  4488. (19) eap_peap: Got complete TLS record (121 bytes)
  4489. (19) eap_peap: [eaptls verify] = length included
  4490. (19) eap_peap: (other): before/accept initialization
  4491. (19) eap_peap: TLS_accept: before/accept initialization
  4492. (19) eap_peap: <<< TLS 1.0 Handshake [length 0074], ClientHello
  4493. (19) eap_peap: TLS_accept: SSLv3 read client hello A
  4494. (19) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
  4495. (19) eap_peap: TLS_accept: SSLv3 write server hello A
  4496. (19) eap_peap: >>> TLS 1.0 Handshake [length 0962], Certificate
  4497. (19) eap_peap: TLS_accept: SSLv3 write certificate A
  4498. (19) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  4499. (19) eap_peap: TLS_accept: SSLv3 write key exchange A
  4500. (19) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  4501. (19) eap_peap: TLS_accept: SSLv3 write server done A
  4502. (19) eap_peap: TLS_accept: SSLv3 flush data
  4503. (19) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4504. (19) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4505. (19) eap_peap: In SSL Handshake Phase
  4506. (19) eap_peap: In SSL Accept mode
  4507. (19) eap_peap: [eaptls process] = handled
  4508. (19) eduroameap: Sending EAP Request (code 1) ID 3 length 1004
  4509. (19) eduroameap: EAP session adding &reply:State = 0x21f5426620f65bcd
  4510. (19) [eduroameap] = handled
  4511. (19) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4512. (19) EXPAND Response-Packet-Type
  4513. (19) --> Access-Challenge
  4514. (19) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4515. (19) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4516. (19) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4517. (19) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4518. (19) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4519. (19) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4520. (19) [handled] = handled
  4521. (19) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4522. (19) } # Auth-Type eduroameap = handled
  4523. (19) Using Post-Auth-Type Challenge
  4524. (19) Post-Auth-Type sub-section not found. Ignoring.
  4525. (19) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4526. (19) Sent Access-Challenge Id 136 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4527. (19) EAP-Message = 0x010303ec19c000000afe160301003902000035030156bc978c24acb0f916813e20ccf627b8149e48b51ed351cd8b2161e84494441900c01400000dff01000100000b00040300010216030109620b00095e00095b00041e3082041a30820302a0030201020203100018300d06092a864886f70d01010505
  4528. (19) Message-Authenticator = 0x00000000000000000000000000000000
  4529. (19) State = 0x21f5426620f65bcd6b9f3462aca485d2
  4530. (19) Finished request
  4531. Waking up in 4.9 seconds.
  4532. (20) Received Access-Request Id 137 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  4533. (20) User-Name = "rp12811@my.bristol.ac.uk"
  4534. (20) Chargeable-User-Identity = 0x00
  4535. (20) Location-Capable = Civix-Location
  4536. (20) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4537. (20) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4538. (20) NAS-Port = 13
  4539. (20) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4540. (20) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4541. (20) NAS-IP-Address = 172.17.107.208
  4542. (20) NAS-Identifier = "wism8"
  4543. (20) Airespace-Wlan-Id = 1
  4544. (20) Service-Type = Framed-User
  4545. (20) Framed-MTU = 1300
  4546. (20) NAS-Port-Type = Wireless-802.11
  4547. (20) Tunnel-Type:0 = VLAN
  4548. (20) Tunnel-Medium-Type:0 = IEEE-802
  4549. (20) Tunnel-Private-Group-Id:0 = "448"
  4550. (20) EAP-Message = 0x020300061900
  4551. (20) State = 0x21f5426620f65bcd6b9f3462aca485d2
  4552. (20) Message-Authenticator = 0x00f086dddc165e975256eb5a64ee842c
  4553. (20) session-state: No cached attributes
  4554. (20) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4555. (20) authorize {
  4556. (20) policy rewrite_calling_station_id {
  4557. (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4558. (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4559. (20) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4560. (20) update request {
  4561. (20) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4562. (20) --> D8-D1-CB-C5-7D-70
  4563. (20) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4564. (20) } # update request = noop
  4565. (20) [updated] = updated
  4566. (20) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4567. (20) ... skipping else for request 20: Preceding "if" was taken
  4568. (20) } # policy rewrite_calling_station_id = updated
  4569. (20) policy wism-checks {
  4570. (20) if (Service-Type == "NAS-Prompt-User") {
  4571. (20) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4572. (20) } # policy wism-checks = updated
  4573. (20) [preprocess] = ok
  4574. (20) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4575. (20) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4576. (20) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4577. (20) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4578. (20) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4579. (20) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4580. (20) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4581. (20) suffix: Checking for suffix after "@"
  4582. (20) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4583. (20) suffix: Found realm "my.bristol.ac.uk"
  4584. (20) suffix: Adding Stripped-User-Name = "rp12811"
  4585. (20) suffix: Adding Realm = "my.bristol.ac.uk"
  4586. (20) suffix: Authentication realm is LOCAL
  4587. (20) [suffix] = ok
  4588. (20) update request {
  4589. (20) Realm := "my.bristol.ac.uk"
  4590. (20) } # update request = noop
  4591. (20) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4592. (20) ... skipping elsif for request 20: Preceding "if" was taken
  4593. (20) ... skipping else for request 20: Preceding "if" was taken
  4594. (20) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4595. (20) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4596. (20) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4597. (20) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4598. (20) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4599. (20) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4600. (20) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4601. (20) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4602. (20) else {
  4603. (20) eduroameap: Peer sent EAP Response (code 2) ID 3 length 6
  4604. (20) eduroameap: Continuing tunnel setup
  4605. (20) [eduroameap] = ok
  4606. (20) } # else = ok
  4607. (20) } # authorize = updated
  4608. (20) Found Auth-Type = eduroameap
  4609. (20) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4610. (20) Auth-Type eduroameap {
  4611. (20) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4612. (20) eduroameap: Finished EAP session with state 0x21f5426620f65bcd
  4613. (20) eduroameap: Previous EAP request found for state 0x21f5426620f65bcd, released from the list
  4614. (20) eduroameap: Peer sent packet with method EAP PEAP (25)
  4615. (20) eduroameap: Calling submodule eap_peap to process data
  4616. (20) eap_peap: Continuing EAP-TLS
  4617. (20) eap_peap: Peer ACKed our handshake fragment
  4618. (20) eap_peap: [eaptls verify] = request
  4619. (20) eap_peap: [eaptls process] = handled
  4620. (20) eduroameap: Sending EAP Request (code 1) ID 4 length 1000
  4621. (20) eduroameap: EAP session adding &reply:State = 0x21f5426623f15bcd
  4622. (20) [eduroameap] = handled
  4623. (20) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4624. (20) EXPAND Response-Packet-Type
  4625. (20) --> Access-Challenge
  4626. (20) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4627. (20) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4628. (20) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4629. (20) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4630. (20) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4631. (20) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4632. (20) [handled] = handled
  4633. (20) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4634. (20) } # Auth-Type eduroameap = handled
  4635. (20) Using Post-Auth-Type Challenge
  4636. (20) Post-Auth-Type sub-section not found. Ignoring.
  4637. (20) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4638. (20) Sent Access-Challenge Id 137 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4639. (20) EAP-Message = 0x010403e819401d2cf1d58f4dba2bd1120d6bedf8276592c881c781799b8f10ae54cb4827b40eb2cf8e47257082cc86b3a2942093f979c9fcd6717ee8896d352f6646c54e584c3a798453deeaf94dbe01ea370644beb43f63b6834155f52416c1c5262706477100b872f8c00c2c836a82b31c164acf9482
  4640. (20) Message-Authenticator = 0x00000000000000000000000000000000
  4641. (20) State = 0x21f5426623f15bcd6b9f3462aca485d2
  4642. (20) Finished request
  4643. Waking up in 4.9 seconds.
  4644. (21) Received Access-Request Id 138 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  4645. (21) User-Name = "rp12811@my.bristol.ac.uk"
  4646. (21) Chargeable-User-Identity = 0x00
  4647. (21) Location-Capable = Civix-Location
  4648. (21) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4649. (21) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4650. (21) NAS-Port = 13
  4651. (21) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4652. (21) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4653. (21) NAS-IP-Address = 172.17.107.208
  4654. (21) NAS-Identifier = "wism8"
  4655. (21) Airespace-Wlan-Id = 1
  4656. (21) Service-Type = Framed-User
  4657. (21) Framed-MTU = 1300
  4658. (21) NAS-Port-Type = Wireless-802.11
  4659. (21) Tunnel-Type:0 = VLAN
  4660. (21) Tunnel-Medium-Type:0 = IEEE-802
  4661. (21) Tunnel-Private-Group-Id:0 = "448"
  4662. (21) EAP-Message = 0x020400061900
  4663. (21) State = 0x21f5426623f15bcd6b9f3462aca485d2
  4664. (21) Message-Authenticator = 0x6b0b5f1a253cdc1b8697daa05f26d432
  4665. (21) session-state: No cached attributes
  4666. (21) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4667. (21) authorize {
  4668. (21) policy rewrite_calling_station_id {
  4669. (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4670. (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4671. (21) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4672. (21) update request {
  4673. (21) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4674. (21) --> D8-D1-CB-C5-7D-70
  4675. (21) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4676. (21) } # update request = noop
  4677. (21) [updated] = updated
  4678. (21) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4679. (21) ... skipping else for request 21: Preceding "if" was taken
  4680. (21) } # policy rewrite_calling_station_id = updated
  4681. (21) policy wism-checks {
  4682. (21) if (Service-Type == "NAS-Prompt-User") {
  4683. (21) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4684. (21) } # policy wism-checks = updated
  4685. (21) [preprocess] = ok
  4686. (21) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4687. (21) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4688. (21) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4689. (21) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4690. (21) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4691. (21) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4692. (21) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4693. (21) suffix: Checking for suffix after "@"
  4694. (21) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4695. (21) suffix: Found realm "my.bristol.ac.uk"
  4696. (21) suffix: Adding Stripped-User-Name = "rp12811"
  4697. (21) suffix: Adding Realm = "my.bristol.ac.uk"
  4698. (21) suffix: Authentication realm is LOCAL
  4699. (21) [suffix] = ok
  4700. (21) update request {
  4701. (21) Realm := "my.bristol.ac.uk"
  4702. (21) } # update request = noop
  4703. (21) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4704. (21) ... skipping elsif for request 21: Preceding "if" was taken
  4705. (21) ... skipping else for request 21: Preceding "if" was taken
  4706. (21) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4707. (21) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4708. (21) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4709. (21) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4710. (21) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4711. (21) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4712. (21) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4713. (21) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4714. (21) else {
  4715. (21) eduroameap: Peer sent EAP Response (code 2) ID 4 length 6
  4716. (21) eduroameap: Continuing tunnel setup
  4717. (21) [eduroameap] = ok
  4718. (21) } # else = ok
  4719. (21) } # authorize = updated
  4720. (21) Found Auth-Type = eduroameap
  4721. (21) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4722. (21) Auth-Type eduroameap {
  4723. (21) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4724. (21) eduroameap: Finished EAP session with state 0x21f5426623f15bcd
  4725. (21) eduroameap: Previous EAP request found for state 0x21f5426623f15bcd, released from the list
  4726. (21) eduroameap: Peer sent packet with method EAP PEAP (25)
  4727. (21) eduroameap: Calling submodule eap_peap to process data
  4728. (21) eap_peap: Continuing EAP-TLS
  4729. (21) eap_peap: Peer ACKed our handshake fragment
  4730. (21) eap_peap: [eaptls verify] = request
  4731. (21) eap_peap: [eaptls process] = handled
  4732. (21) eduroameap: Sending EAP Request (code 1) ID 5 length 832
  4733. (21) eduroameap: EAP session adding &reply:State = 0x21f5426622f05bcd
  4734. (21) [eduroameap] = handled
  4735. (21) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4736. (21) EXPAND Response-Packet-Type
  4737. (21) --> Access-Challenge
  4738. (21) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4739. (21) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4740. (21) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4741. (21) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4742. (21) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4743. (21) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4744. (21) [handled] = handled
  4745. (21) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4746. (21) } # Auth-Type eduroameap = handled
  4747. (21) Using Post-Auth-Type Challenge
  4748. (21) Post-Auth-Type sub-section not found. Ignoring.
  4749. (21) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4750. (21) Sent Access-Challenge Id 138 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4751. (21) EAP-Message = 0x010503401900c1311e301c060355040a1315556e6976657273697479206f662042726973746f6c311f301d060355040b1316495420536572766963657320284e6574776f726b73293129302706092a864886f70d010901161a736572766963652d6465736b4062726973746f6c2e61632e756b3110300e
  4752. (21) Message-Authenticator = 0x00000000000000000000000000000000
  4753. (21) State = 0x21f5426622f05bcd6b9f3462aca485d2
  4754. (21) Finished request
  4755. Waking up in 4.9 seconds.
  4756. (22) Received Access-Request Id 139 from 172.17.107.208:32770 to 137.222.8.128:16006 length 298
  4757. (22) User-Name = "rp12811@my.bristol.ac.uk"
  4758. (22) Chargeable-User-Identity = 0x00
  4759. (22) Location-Capable = Civix-Location
  4760. (22) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4761. (22) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4762. (22) NAS-Port = 13
  4763. (22) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4764. (22) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4765. (22) NAS-IP-Address = 172.17.107.208
  4766. (22) NAS-Identifier = "wism8"
  4767. (22) Airespace-Wlan-Id = 1
  4768. (22) Service-Type = Framed-User
  4769. (22) Framed-MTU = 1300
  4770. (22) NAS-Port-Type = Wireless-802.11
  4771. (22) Tunnel-Type:0 = VLAN
  4772. (22) Tunnel-Medium-Type:0 = IEEE-802
  4773. (22) Tunnel-Private-Group-Id:0 = "448"
  4774. (22) EAP-Message = 0x0201001d0172703132383131406d792e62726973746f6c2e61632e756b
  4775. (22) Message-Authenticator = 0x04afa7aec2b3079088f2a76f8e0a08e4
  4776. (22) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4777. (22) authorize {
  4778. (22) policy rewrite_calling_station_id {
  4779. (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4780. (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4781. (22) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4782. (22) update request {
  4783. (22) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4784. (22) --> D8-D1-CB-C5-7D-70
  4785. (22) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4786. (22) } # update request = noop
  4787. (22) [updated] = updated
  4788. (22) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4789. (22) ... skipping else for request 22: Preceding "if" was taken
  4790. (22) } # policy rewrite_calling_station_id = updated
  4791. (22) policy wism-checks {
  4792. (22) if (Service-Type == "NAS-Prompt-User") {
  4793. (22) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4794. (22) } # policy wism-checks = updated
  4795. (22) [preprocess] = ok
  4796. (22) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4797. (22) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4798. (22) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4799. (22) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4800. (22) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4801. (22) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4802. (22) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4803. (22) suffix: Checking for suffix after "@"
  4804. (22) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4805. (22) suffix: Found realm "my.bristol.ac.uk"
  4806. (22) suffix: Adding Stripped-User-Name = "rp12811"
  4807. (22) suffix: Adding Realm = "my.bristol.ac.uk"
  4808. (22) suffix: Authentication realm is LOCAL
  4809. (22) [suffix] = ok
  4810. (22) update request {
  4811. (22) Realm := "my.bristol.ac.uk"
  4812. (22) } # update request = noop
  4813. (22) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4814. (22) ... skipping elsif for request 22: Preceding "if" was taken
  4815. (22) ... skipping else for request 22: Preceding "if" was taken
  4816. (22) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4817. (22) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4818. (22) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4819. (22) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4820. (22) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4821. (22) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4822. (22) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4823. (22) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4824. (22) else {
  4825. (22) eduroameap: Peer sent EAP Response (code 2) ID 1 length 29
  4826. (22) eduroameap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  4827. (22) [eduroameap] = ok
  4828. (22) } # else = ok
  4829. (22) } # authorize = updated
  4830. (22) Found Auth-Type = eduroameap
  4831. (22) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4832. (22) Auth-Type eduroameap {
  4833. (22) eduroameap: Peer sent packet with method EAP Identity (1)
  4834. (22) eduroameap: Calling submodule eap_peap to process data
  4835. (22) eap_peap: Initiating new EAP-TLS session
  4836. (22) eap_peap: [eaptls start] = request
  4837. (22) eduroameap: Sending EAP Request (code 1) ID 2 length 6
  4838. (22) eduroameap: EAP session adding &reply:State = 0xc126606ec1247937
  4839. (22) [eduroameap] = handled
  4840. (22) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4841. (22) EXPAND Response-Packet-Type
  4842. (22) --> Access-Challenge
  4843. (22) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4844. (22) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4845. (22) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4846. (22) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4847. (22) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4848. (22) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4849. (22) [handled] = handled
  4850. (22) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4851. (22) } # Auth-Type eduroameap = handled
  4852. (22) Using Post-Auth-Type Challenge
  4853. (22) Post-Auth-Type sub-section not found. Ignoring.
  4854. (22) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4855. (22) Sent Access-Challenge Id 139 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4856. (22) EAP-Message = 0x010200061920
  4857. (22) Message-Authenticator = 0x00000000000000000000000000000000
  4858. (22) State = 0xc126606ec12479374752ac9f596ed690
  4859. (22) Finished request
  4860. Waking up in 4.3 seconds.
  4861. (23) Received Access-Request Id 140 from 172.17.107.208:32770 to 137.222.8.128:16006 length 418
  4862. (23) User-Name = "rp12811@my.bristol.ac.uk"
  4863. (23) Chargeable-User-Identity = 0x00
  4864. (23) Location-Capable = Civix-Location
  4865. (23) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4866. (23) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4867. (23) NAS-Port = 13
  4868. (23) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4869. (23) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  4870. (23) NAS-IP-Address = 172.17.107.208
  4871. (23) NAS-Identifier = "wism8"
  4872. (23) Airespace-Wlan-Id = 1
  4873. (23) Service-Type = Framed-User
  4874. (23) Framed-MTU = 1300
  4875. (23) NAS-Port-Type = Wireless-802.11
  4876. (23) Tunnel-Type:0 = VLAN
  4877. (23) Tunnel-Medium-Type:0 = IEEE-802
  4878. (23) Tunnel-Private-Group-Id:0 = "448"
  4879. (23) EAP-Message = 0x02020083198000000079160301007401000070030156bc978cdca20b8db314bc7fcb2dd8bbee06ac883b03e88ff6ba2f031d63b21d00002800ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000ac007c011000500040100001f000a00080006001700180019000b0002010000
  4880. (23) State = 0xc126606ec12479374752ac9f596ed690
  4881. (23) Message-Authenticator = 0xb6c8c0221a5c92b9518880b8f0b7149e
  4882. (23) session-state: No cached attributes
  4883. (23) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4884. (23) authorize {
  4885. (23) policy rewrite_calling_station_id {
  4886. (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4887. (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  4888. (23) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  4889. (23) update request {
  4890. (23) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  4891. (23) --> D8-D1-CB-C5-7D-70
  4892. (23) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  4893. (23) } # update request = noop
  4894. (23) [updated] = updated
  4895. (23) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  4896. (23) ... skipping else for request 23: Preceding "if" was taken
  4897. (23) } # policy rewrite_calling_station_id = updated
  4898. (23) policy wism-checks {
  4899. (23) if (Service-Type == "NAS-Prompt-User") {
  4900. (23) if (Service-Type == "NAS-Prompt-User") -> FALSE
  4901. (23) } # policy wism-checks = updated
  4902. (23) [preprocess] = ok
  4903. (23) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  4904. (23) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  4905. (23) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  4906. (23) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  4907. (23) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4908. (23) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  4909. (23) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  4910. (23) suffix: Checking for suffix after "@"
  4911. (23) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  4912. (23) suffix: Found realm "my.bristol.ac.uk"
  4913. (23) suffix: Adding Stripped-User-Name = "rp12811"
  4914. (23) suffix: Adding Realm = "my.bristol.ac.uk"
  4915. (23) suffix: Authentication realm is LOCAL
  4916. (23) [suffix] = ok
  4917. (23) update request {
  4918. (23) Realm := "my.bristol.ac.uk"
  4919. (23) } # update request = noop
  4920. (23) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  4921. (23) ... skipping elsif for request 23: Preceding "if" was taken
  4922. (23) ... skipping else for request 23: Preceding "if" was taken
  4923. (23) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  4924. (23) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4925. (23) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  4926. (23) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4927. (23) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  4928. (23) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  4929. (23) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  4930. (23) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  4931. (23) else {
  4932. (23) eduroameap: Peer sent EAP Response (code 2) ID 2 length 131
  4933. (23) eduroameap: Continuing tunnel setup
  4934. (23) [eduroameap] = ok
  4935. (23) } # else = ok
  4936. (23) } # authorize = updated
  4937. (23) Found Auth-Type = eduroameap
  4938. (23) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4939. (23) Auth-Type eduroameap {
  4940. (23) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  4941. (23) eduroameap: Finished EAP session with state 0xc126606ec1247937
  4942. (23) eduroameap: Previous EAP request found for state 0xc126606ec1247937, released from the list
  4943. (23) eduroameap: Peer sent packet with method EAP PEAP (25)
  4944. (23) eduroameap: Calling submodule eap_peap to process data
  4945. (23) eap_peap: Continuing EAP-TLS
  4946. (23) eap_peap: Peer indicated complete TLS record size will be 121 bytes
  4947. (23) eap_peap: Got complete TLS record (121 bytes)
  4948. (23) eap_peap: [eaptls verify] = length included
  4949. (23) eap_peap: (other): before/accept initialization
  4950. (23) eap_peap: TLS_accept: before/accept initialization
  4951. (23) eap_peap: <<< TLS 1.0 Handshake [length 0074], ClientHello
  4952. (23) eap_peap: TLS_accept: SSLv3 read client hello A
  4953. (23) eap_peap: >>> TLS 1.0 Handshake [length 0039], ServerHello
  4954. (23) eap_peap: TLS_accept: SSLv3 write server hello A
  4955. (23) eap_peap: >>> TLS 1.0 Handshake [length 0962], Certificate
  4956. (23) eap_peap: TLS_accept: SSLv3 write certificate A
  4957. (23) eap_peap: >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
  4958. (23) eap_peap: TLS_accept: SSLv3 write key exchange A
  4959. (23) eap_peap: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
  4960. (23) eap_peap: TLS_accept: SSLv3 write server done A
  4961. (23) eap_peap: TLS_accept: SSLv3 flush data
  4962. (23) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4963. (23) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  4964. (23) eap_peap: In SSL Handshake Phase
  4965. (23) eap_peap: In SSL Accept mode
  4966. (23) eap_peap: [eaptls process] = handled
  4967. (23) eduroameap: Sending EAP Request (code 1) ID 3 length 1004
  4968. (23) eduroameap: EAP session adding &reply:State = 0xc126606ec0257937
  4969. (23) [eduroameap] = handled
  4970. (23) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4971. (23) EXPAND Response-Packet-Type
  4972. (23) --> Access-Challenge
  4973. (23) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  4974. (23) if (handled && (Response-Packet-Type == Access-Challenge)) {
  4975. (23) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  4976. (23) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  4977. (23) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  4978. (23) [filter.eduroamlocal-a_challenge.post-auth] = updated
  4979. (23) [handled] = handled
  4980. (23) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  4981. (23) } # Auth-Type eduroameap = handled
  4982. (23) Using Post-Auth-Type Challenge
  4983. (23) Post-Auth-Type sub-section not found. Ignoring.
  4984. (23) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  4985. (23) Sent Access-Challenge Id 140 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  4986. (23) EAP-Message = 0x010303ec19c000000afe160301003902000035030156bc978c339b0c3dea73b84e0d18c4af9343a383bd199a7208920babcbd6dcd800c01400000dff01000100000b00040300010216030109620b00095e00095b00041e3082041a30820302a0030201020203100018300d06092a864886f70d01010505
  4987. (23) Message-Authenticator = 0x00000000000000000000000000000000
  4988. (23) State = 0xc126606ec02579374752ac9f596ed690
  4989. (23) Finished request
  4990. Waking up in 4.3 seconds.
  4991. (24) Received Access-Request Id 141 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  4992. (24) User-Name = "rp12811@my.bristol.ac.uk"
  4993. (24) Chargeable-User-Identity = 0x00
  4994. (24) Location-Capable = Civix-Location
  4995. (24) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  4996. (24) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  4997. (24) NAS-Port = 13
  4998. (24) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  4999. (24) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  5000. (24) NAS-IP-Address = 172.17.107.208
  5001. (24) NAS-Identifier = "wism8"
  5002. (24) Airespace-Wlan-Id = 1
  5003. (24) Service-Type = Framed-User
  5004. (24) Framed-MTU = 1300
  5005. (24) NAS-Port-Type = Wireless-802.11
  5006. (24) Tunnel-Type:0 = VLAN
  5007. (24) Tunnel-Medium-Type:0 = IEEE-802
  5008. (24) Tunnel-Private-Group-Id:0 = "448"
  5009. (24) EAP-Message = 0x020300061900
  5010. (24) State = 0xc126606ec02579374752ac9f596ed690
  5011. (24) Message-Authenticator = 0xd8d67171f368272e9ed3cb33b838548f
  5012. (24) session-state: No cached attributes
  5013. (24) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5014. (24) authorize {
  5015. (24) policy rewrite_calling_station_id {
  5016. (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  5017. (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  5018. (24) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  5019. (24) update request {
  5020. (24) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  5021. (24) --> D8-D1-CB-C5-7D-70
  5022. (24) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  5023. (24) } # update request = noop
  5024. (24) [updated] = updated
  5025. (24) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  5026. (24) ... skipping else for request 24: Preceding "if" was taken
  5027. (24) } # policy rewrite_calling_station_id = updated
  5028. (24) policy wism-checks {
  5029. (24) if (Service-Type == "NAS-Prompt-User") {
  5030. (24) if (Service-Type == "NAS-Prompt-User") -> FALSE
  5031. (24) } # policy wism-checks = updated
  5032. (24) [preprocess] = ok
  5033. (24) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  5034. (24) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  5035. (24) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  5036. (24) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  5037. (24) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  5038. (24) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  5039. (24) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  5040. (24) suffix: Checking for suffix after "@"
  5041. (24) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  5042. (24) suffix: Found realm "my.bristol.ac.uk"
  5043. (24) suffix: Adding Stripped-User-Name = "rp12811"
  5044. (24) suffix: Adding Realm = "my.bristol.ac.uk"
  5045. (24) suffix: Authentication realm is LOCAL
  5046. (24) [suffix] = ok
  5047. (24) update request {
  5048. (24) Realm := "my.bristol.ac.uk"
  5049. (24) } # update request = noop
  5050. (24) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  5051. (24) ... skipping elsif for request 24: Preceding "if" was taken
  5052. (24) ... skipping else for request 24: Preceding "if" was taken
  5053. (24) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  5054. (24) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5055. (24) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  5056. (24) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5057. (24) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  5058. (24) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5059. (24) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  5060. (24) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  5061. (24) else {
  5062. (24) eduroameap: Peer sent EAP Response (code 2) ID 3 length 6
  5063. (24) eduroameap: Continuing tunnel setup
  5064. (24) [eduroameap] = ok
  5065. (24) } # else = ok
  5066. (24) } # authorize = updated
  5067. (24) Found Auth-Type = eduroameap
  5068. (24) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5069. (24) Auth-Type eduroameap {
  5070. (24) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  5071. (24) eduroameap: Finished EAP session with state 0xc126606ec0257937
  5072. (24) eduroameap: Previous EAP request found for state 0xc126606ec0257937, released from the list
  5073. (24) eduroameap: Peer sent packet with method EAP PEAP (25)
  5074. (24) eduroameap: Calling submodule eap_peap to process data
  5075. (24) eap_peap: Continuing EAP-TLS
  5076. (24) eap_peap: Peer ACKed our handshake fragment
  5077. (24) eap_peap: [eaptls verify] = request
  5078. (24) eap_peap: [eaptls process] = handled
  5079. (24) eduroameap: Sending EAP Request (code 1) ID 4 length 1000
  5080. (24) eduroameap: EAP session adding &reply:State = 0xc126606ec3227937
  5081. (24) [eduroameap] = handled
  5082. (24) if (handled && (Response-Packet-Type == Access-Challenge)) {
  5083. (24) EXPAND Response-Packet-Type
  5084. (24) --> Access-Challenge
  5085. (24) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  5086. (24) if (handled && (Response-Packet-Type == Access-Challenge)) {
  5087. (24) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  5088. (24) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  5089. (24) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  5090. (24) [filter.eduroamlocal-a_challenge.post-auth] = updated
  5091. (24) [handled] = handled
  5092. (24) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  5093. (24) } # Auth-Type eduroameap = handled
  5094. (24) Using Post-Auth-Type Challenge
  5095. (24) Post-Auth-Type sub-section not found. Ignoring.
  5096. (24) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5097. (24) Sent Access-Challenge Id 141 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  5098. (24) EAP-Message = 0x010403e819401d2cf1d58f4dba2bd1120d6bedf8276592c881c781799b8f10ae54cb4827b40eb2cf8e47257082cc86b3a2942093f979c9fcd6717ee8896d352f6646c54e584c3a798453deeaf94dbe01ea370644beb43f63b6834155f52416c1c5262706477100b872f8c00c2c836a82b31c164acf9482
  5099. (24) Message-Authenticator = 0x00000000000000000000000000000000
  5100. (24) State = 0xc126606ec32279374752ac9f596ed690
  5101. (24) Finished request
  5102. Waking up in 4.3 seconds.
  5103. (25) Received Access-Request Id 142 from 172.17.107.208:32770 to 137.222.8.128:16006 length 293
  5104. (25) User-Name = "rp12811@my.bristol.ac.uk"
  5105. (25) Chargeable-User-Identity = 0x00
  5106. (25) Location-Capable = Civix-Location
  5107. (25) Calling-Station-Id = "d8:d1:cb:c5:7d:70"
  5108. (25) Called-Station-Id = "1c:6a:7a:bb:a4:40:eduroam"
  5109. (25) NAS-Port = 13
  5110. (25) Cisco-AVPair = "audit-session-id=ac116bd00000245456bc9783"
  5111. (25) Acct-Session-Id = "56bc9783/d8:d1:cb:c5:7d:70/8990"
  5112. (25) NAS-IP-Address = 172.17.107.208
  5113. (25) NAS-Identifier = "wism8"
  5114. (25) Airespace-Wlan-Id = 1
  5115. (25) Service-Type = Framed-User
  5116. (25) Framed-MTU = 1300
  5117. (25) NAS-Port-Type = Wireless-802.11
  5118. (25) Tunnel-Type:0 = VLAN
  5119. (25) Tunnel-Medium-Type:0 = IEEE-802
  5120. (25) Tunnel-Private-Group-Id:0 = "448"
  5121. (25) EAP-Message = 0x020400061900
  5122. (25) State = 0xc126606ec32279374752ac9f596ed690
  5123. (25) Message-Authenticator = 0xe36bdc6e49aaea47cc5cc142178338f4
  5124. (25) session-state: No cached attributes
  5125. (25) # Executing section authorize from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5126. (25) authorize {
  5127. (25) policy rewrite_calling_station_id {
  5128. (25) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  5129. (25) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
  5130. (25) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
  5131. (25) update request {
  5132. (25) EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
  5133. (25) --> D8-D1-CB-C5-7D-70
  5134. (25) &Calling-Station-Id := D8-D1-CB-C5-7D-70
  5135. (25) } # update request = noop
  5136. (25) [updated] = updated
  5137. (25) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
  5138. (25) ... skipping else for request 25: Preceding "if" was taken
  5139. (25) } # policy rewrite_calling_station_id = updated
  5140. (25) policy wism-checks {
  5141. (25) if (Service-Type == "NAS-Prompt-User") {
  5142. (25) if (Service-Type == "NAS-Prompt-User") -> FALSE
  5143. (25) } # policy wism-checks = updated
  5144. (25) [preprocess] = ok
  5145. (25) if (User-Name =~ /@bris\\.ac\\.uk$/) {
  5146. (25) if (User-Name =~ /@bris\\.ac\\.uk$/) -> FALSE
  5147. (25) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) {
  5148. (25) elsif (User-Name =~ /@bristol\\.ac\\.uk$/) -> FALSE
  5149. (25) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  5150. (25) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) -> TRUE
  5151. (25) elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) {
  5152. (25) suffix: Checking for suffix after "@"
  5153. (25) suffix: Looking up realm "my.bristol.ac.uk" for User-Name = "rp12811@my.bristol.ac.uk"
  5154. (25) suffix: Found realm "my.bristol.ac.uk"
  5155. (25) suffix: Adding Stripped-User-Name = "rp12811"
  5156. (25) suffix: Adding Realm = "my.bristol.ac.uk"
  5157. (25) suffix: Authentication realm is LOCAL
  5158. (25) [suffix] = ok
  5159. (25) update request {
  5160. (25) Realm := "my.bristol.ac.uk"
  5161. (25) } # update request = noop
  5162. (25) } # elsif (User-Name =~ /@my.bristol\\.ac\\.uk$/) = ok
  5163. (25) ... skipping elsif for request 25: Preceding "if" was taken
  5164. (25) ... skipping else for request 25: Preceding "if" was taken
  5165. (25) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) {
  5166. (25) if (User-Name =~ /AppleOSXMachineAuth2011a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5167. (25) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) {
  5168. (25) elsif (User-Name =~ /AppleOSXMachineAuth2012a@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5169. (25) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) {
  5170. (25) elsif (User-Name =~ /@lion\\.bristol\\.ac\\.uk$/) -> FALSE
  5171. (25) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) {
  5172. (25) elsif (User-Name =~ /^host\\\/.+\\.bris(tol)?\\.ac\\.uk$/i) -> FALSE
  5173. (25) else {
  5174. (25) eduroameap: Peer sent EAP Response (code 2) ID 4 length 6
  5175. (25) eduroameap: Continuing tunnel setup
  5176. (25) [eduroameap] = ok
  5177. (25) } # else = ok
  5178. (25) } # authorize = updated
  5179. (25) Found Auth-Type = eduroameap
  5180. (25) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5181. (25) Auth-Type eduroameap {
  5182. (25) eduroameap: Expiring EAP session with state 0x6fc3095a6cc610be
  5183. (25) eduroameap: Finished EAP session with state 0xc126606ec3227937
  5184. (25) eduroameap: Previous EAP request found for state 0xc126606ec3227937, released from the list
  5185. (25) eduroameap: Peer sent packet with method EAP PEAP (25)
  5186. (25) eduroameap: Calling submodule eap_peap to process data
  5187. (25) eap_peap: Continuing EAP-TLS
  5188. (25) eap_peap: Peer ACKed our handshake fragment
  5189. (25) eap_peap: [eaptls verify] = request
  5190. (25) eap_peap: [eaptls process] = handled
  5191. (25) eduroameap: Sending EAP Request (code 1) ID 5 length 832
  5192. (25) eduroameap: EAP session adding &reply:State = 0xc126606ec2237937
  5193. (25) [eduroameap] = handled
  5194. (25) if (handled && (Response-Packet-Type == Access-Challenge)) {
  5195. (25) EXPAND Response-Packet-Type
  5196. (25) --> Access-Challenge
  5197. (25) if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
  5198. (25) if (handled && (Response-Packet-Type == Access-Challenge)) {
  5199. (25) filter.eduroamlocal-a_challenge: EXPAND %{User-Name}
  5200. (25) filter.eduroamlocal-a_challenge: --> rp12811@my.bristol.ac.uk
  5201. (25) filter.eduroamlocal-a_challenge: Matched entry DEFAULT at line 1
  5202. (25) [filter.eduroamlocal-a_challenge.post-auth] = updated
  5203. (25) [handled] = handled
  5204. (25) } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
  5205. (25) } # Auth-Type eduroameap = handled
  5206. (25) Using Post-Auth-Type Challenge
  5207. (25) Post-Auth-Type sub-section not found. Ignoring.
  5208. (25) # Executing group from file /etc/raddb/sites-enabled/eduroamlocal-auth
  5209. (25) Sent Access-Challenge Id 142 from 137.222.8.128:16006 to 172.17.107.208:32770 length 0
  5210. (25) EAP-Message = 0x010503401900c1311e301c060355040a1315556e6976657273697479206f662042726973746f6c311f301d060355040b1316495420536572766963657320284e6574776f726b73293129302706092a864886f70d010901161a736572766963652d6465736b4062726973746f6c2e61632e756b3110300e
  5211. (25) Message-Authenticator = 0x00000000000000000000000000000000
  5212. (25) State = 0xc126606ec22379374752ac9f596ed690
  5213. (25) Finished request
  5214. Waking up in 4.3 seconds.