Untitled
a guest
Dec 6th, 2017
(0) Received Access-Request Id 20 from 172.22.33.33:65484 to 172.22.33.46:1812 length 163
(0) User-Name = "bj"
(0) NAS-IP-Address = 172.22.33.33
(0) NAS-Port = 0
(0) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(0) Calling-Station-Id = "88-1F-A1-11-43-E2"
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = "CONNECT 0Mbps 802.11"
(0) EAP-Message = 0x0295000701626a
(0) Message-Authenticator = 0x9275b1a12f92cd949f7f787c0a9a9fdc
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "bj", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 149 length 7
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Flushing SSL sessions (of #0)
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 150 length 6
(0) eap: EAP session adding &reply:State = 0x3401110c34971c71
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 20 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(0) EAP-Message = 0x019600060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x3401110c34971c7121133da265f33113
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 21 from 172.22.33.33:65484 to 172.22.33.46:1812 length 182
(1) User-Name = "bj"
(1) NAS-IP-Address = 172.22.33.33
(1) NAS-Port = 0
(1) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(1) Calling-Station-Id = "88-1F-A1-11-43-E2"
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = "CONNECT 0Mbps 802.11"
(1) EAP-Message = 0x029600080319152b
(1) State = 0x3401110c34971c7121133da265f33113
(1) Message-Authenticator = 0xf29471f6a65217f85ed6229ad038cea3
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "bj", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 150 length 8
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) files: Searching for user in group "wifi-cph"
rlm_ldap (ldap): Reserved connection (0)
(1) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) files: --> (uid=bj)
(1) files: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
(1) files: Waiting for search result...
(1) files: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(1) files: Checking for user in group objects
(1) files: EXPAND (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Na)
(1) files: --> (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2co\3)
(1) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph)(objectClas"
(1) files: Waiting for search result...
(1) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.kontrapunkt.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) files: users: Matched entry DEFAULT at line 52
(1) [files] = ok
rlm_ldap (ldap): Reserved connection (1)
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) ldap: --> (uid=bj)
(1) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(1) ldap: Processing user attributes
(1) ldap: control:Password-With-Header += '{CRYPT}***'
(1) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931
rlm_ldap (ldap): Released connection (1)
(1) [ldap] = updated
(1) [expiration] = noop
(1) [logintime] = noop
(1) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
(1) pap: Removing &control:Password-With-Header
(1) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(1) pap: WARNING: Auth-Type already set. Not setting to PAP
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0x3401110c34971c71
(1) eap: Finished EAP session with state 0x3401110c34971c71
(1) eap: Previous EAP request found for state 0x3401110c34971c71, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new EAP-TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 151 length 6
(1) eap: EAP session adding &reply:State = 0x3401110c35960871
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 21 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(1) Reply-Message = "OK, member of wifi-cph."
(1) EAP-Message = 0x019700061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x3401110c3596087121133da265f33113
(1) Finished request
Waking up in 4.8 seconds.
(2) Received Access-Request Id 22 from 172.22.33.33:65484 to 172.22.33.46:1812 length 305
(2) User-Name = "bj"
(2) NAS-IP-Address = 172.22.33.33
(2) NAS-Port = 0
(2) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(2) Calling-Station-Id = "88-1F-A1-11-43-E2"
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = "CONNECT 0Mbps 802.11"
(2) EAP-Message = 0x0297008319800000007916030100740100007003015a27e784529352b1199bc836b887737dffef96f3ae24c9a00bc6df4076a0
(2) State = 0x3401110c3596087121133da265f33113
(2) Message-Authenticator = 0xac6765812621d0a88f0d68caa9ad20a8
(2) session-state: No cached attributes
(2) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "bj", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 151 length 131
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0x3401110c35960871
(2) eap: Finished EAP session with state 0x3401110c35960871
(2) eap: Previous EAP request found for state 0x3401110c35960871, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 121 bytes
(2) eap_peap: Got complete TLS record (121 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before/accept initialization
(2) eap_peap: TLS_accept: before/accept initialization
(2) eap_peap: <<< recv TLS 1.0 Handshake [length 0074], ClientHello
(2) eap_peap: TLS_accept: SSLv3 read client hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(2) eap_peap: TLS_accept: SSLv3 write server hello A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
(2) eap_peap: TLS_accept: SSLv3 write certificate A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2) eap_peap: TLS_accept: SSLv3 write key exchange A
(2) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
(2) eap_peap: TLS_accept: SSLv3 write server done A
(2) eap_peap: TLS_accept: SSLv3 flush data
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
(2) eap_peap: In SSL Handshake Phase
(2) eap_peap: In SSL Accept mode
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 152 length 1004
(2) eap: EAP session adding &reply:State = 0x3401110c36990871
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(2) Sent Access-Challenge Id 22 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(2) EAP-Message = 0x019803ec19c000000a8f160301005902000055030120b167b1ad7daef8f07282bc88e293fe19a7b541368b295f38ec4975247e
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0x3401110c3699087121133da265f33113
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 23 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
(3) User-Name = "bj"
(3) NAS-IP-Address = 172.22.33.33
(3) NAS-Port = 0
(3) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(3) Calling-Station-Id = "88-1F-A1-11-43-E2"
(3) Framed-MTU = 1400
(3) NAS-Port-Type = Wireless-802.11
(3) Connect-Info = "CONNECT 0Mbps 802.11"
(3) EAP-Message = 0x029800061900
(3) State = 0x3401110c3699087121133da265f33113
(3) Message-Authenticator = 0x894c3fd16f2d78421341c01b56565ca1
(3) session-state: No cached attributes
(3) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "bj", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 152 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0x3401110c36990871
(3) eap: Finished EAP session with state 0x3401110c36990871
(3) eap: Previous EAP request found for state 0x3401110c36990871, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 153 length 1000
(3) eap: EAP session adding &reply:State = 0x3401110c37980871
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found. Ignoring.
(3) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(3) Sent Access-Challenge Id 23 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(3) EAP-Message = 0x019903e819400342020de654b2672fb5f02c9ae02856749a536eccc0352abc3da4c99ee4528f5d13fa97c8ba81e1c1ef856280
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0x3401110c3798087121133da265f33113
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 24 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
(4) User-Name = "bj"
(4) NAS-IP-Address = 172.22.33.33
(4) NAS-Port = 0
(4) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(4) Calling-Station-Id = "88-1F-A1-11-43-E2"
(4) Framed-MTU = 1400
(4) NAS-Port-Type = Wireless-802.11
(4) Connect-Info = "CONNECT 0Mbps 802.11"
(4) EAP-Message = 0x029900061900
(4) State = 0x3401110c3798087121133da265f33113
(4) Message-Authenticator = 0x812b5084b8806f1a9f240f21e7978125
(4) session-state: No cached attributes
(4) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "bj", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 153 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x3401110c37980871
(4) eap: Finished EAP session with state 0x3401110c37980871
(4) eap: Previous EAP request found for state 0x3401110c37980871, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer ACKed our handshake fragment
(4) eap_peap: [eaptls verify] = request
(4) eap_peap: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 154 length 721
(4) eap: EAP session adding &reply:State = 0x3401110c309b0871
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) Post-Auth-Type sub-section not found. Ignoring.
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) Sent Access-Challenge Id 24 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(4) EAP-Message = 0x019a02d1190020417574686f72697479820900c8b778d5cf225df1300f0603551d130101ff040530030101ff30360603551d11
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0x3401110c309b087121133da265f33113
(4) Finished request
Waking up in 4.8 seconds.
(5) Received Access-Request Id 25 from 172.22.33.33:65484 to 172.22.33.46:1812 length 318
(5) User-Name = "bj"
(5) NAS-IP-Address = 172.22.33.33
(5) NAS-Port = 0
(5) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(5) Calling-Station-Id = "88-1F-A1-11-43-E2"
(5) Framed-MTU = 1400
(5) NAS-Port-Type = Wireless-802.11
(5) Connect-Info = "CONNECT 0Mbps 802.11"
(5) EAP-Message = 0x029a00901980000000861603010046100000424104e550faab64dba4209c1e1e2a44b4cc057b7cc2d3b4d9d66b32c7f647ebb8
(5) State = 0x3401110c309b087121133da265f33113
(5) Message-Authenticator = 0xb9c5efe8dc2e9756e156580627ef69c6
(5) session-state: No cached attributes
(5) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "bj", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 154 length 144
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x3401110c309b0871
(5) eap: Finished EAP session with state 0x3401110c309b0871
(5) eap: Previous EAP request found for state 0x3401110c309b0871, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 134 bytes
(5) eap_peap: Got complete TLS record (134 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_peap: TLS_accept: SSLv3 read client key exchange A
(5) eap_peap: TLS_accept: SSLv3 read certificate verify A
(5) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 read finished A
(5) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_peap: TLS_accept: SSLv3 write change cipher spec A
(5) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
(5) eap_peap: TLS_accept: SSLv3 write finished A
(5) eap_peap: TLS_accept: SSLv3 flush data
(5) eap_peap: (other): SSL negotiation finished successfully
(5) eap_peap: SSL Connection Established
(5) eap_peap: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 155 length 65
(5) eap: EAP session adding &reply:State = 0x3401110c319a0871
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) Post-Auth-Type sub-section not found. Ignoring.
(5) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(5) Sent Access-Challenge Id 25 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(5) EAP-Message = 0x019b00411900140301000101160301003041bc149a519ae634b74d6118db8f31cbd6c66998d7c9d59b6d16746c5d54d578a995
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x3401110c319a087121133da265f33113
(5) Finished request
Waking up in 4.7 seconds.
(6) Received Access-Request Id 26 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
(6) User-Name = "bj"
(6) NAS-IP-Address = 172.22.33.33
(6) NAS-Port = 0
(6) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(6) Calling-Station-Id = "88-1F-A1-11-43-E2"
(6) Framed-MTU = 1400
(6) NAS-Port-Type = Wireless-802.11
(6) Connect-Info = "CONNECT 0Mbps 802.11"
(6) EAP-Message = 0x029b00061900
(6) State = 0x3401110c319a087121133da265f33113
(6) Message-Authenticator = 0xb018ef79ea50859523881b63c30ea3ed
(6) session-state: No cached attributes
(6) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "bj", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 155 length 6
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x3401110c319a0871
(6) eap: Finished EAP session with state 0x3401110c319a0871
(6) eap: Previous EAP request found for state 0x3401110c319a0871, released from the list
(6) eap: Peer sent packet with method EAP PEAP (25)
(6) eap: Calling submodule eap_peap to process data
(6) eap_peap: Continuing EAP-TLS
(6) eap_peap: Peer ACKed our handshake fragment. handshake is finished
(6) eap_peap: [eaptls verify] = success
(6) eap_peap: [eaptls process] = success
(6) eap_peap: Session established. Decoding tunneled attributes
(6) eap_peap: PEAP state TUNNEL ESTABLISHED
(6) eap: Sending EAP Request (code 1) ID 156 length 43
(6) eap: EAP session adding &reply:State = 0x3401110c329d0871
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) Post-Auth-Type sub-section not found. Ignoring.
(6) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(6) Sent Access-Challenge Id 26 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(6) EAP-Message = 0x019c002b190017030100209e8703ae3285d1979a77c92deddac005f638217fb7eca4cadd4045afae587ea5
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x3401110c329d087121133da265f33113
(6) Finished request
Waking up in 4.7 seconds.
(7) Received Access-Request Id 27 from 172.22.33.33:65484 to 172.22.33.46:1812 length 217
(7) User-Name = "bj"
(7) NAS-IP-Address = 172.22.33.33
(7) NAS-Port = 0
(7) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(7) Calling-Station-Id = "88-1F-A1-11-43-E2"
(7) Framed-MTU = 1400
(7) NAS-Port-Type = Wireless-802.11
(7) Connect-Info = "CONNECT 0Mbps 802.11"
(7) EAP-Message = 0x029c002b19001703010020f8648c08529e403a5e206cff8b41881111b587df05bd924f4f09aa776210b873
(7) State = 0x3401110c329d087121133da265f33113
(7) Message-Authenticator = 0x8a81caaa4ce2638cbde5cce52af0624b
(7) session-state: No cached attributes
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bj", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 156 length 43
(7) eap: Continuing tunnel setup
(7) [eap] = ok
(7) } # authorize = ok
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x3401110c329d0871
(7) eap: Finished EAP session with state 0x3401110c329d0871
(7) eap: Previous EAP request found for state 0x3401110c329d0871, released from the list
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap: Calling submodule eap_peap to process data
(7) eap_peap: Continuing EAP-TLS
(7) eap_peap: [eaptls verify] = ok
(7) eap_peap: Done initial handshake
(7) eap_peap: [eaptls process] = ok
(7) eap_peap: Session established. Decoding tunneled attributes
(7) eap_peap: PEAP state WAITING FOR INNER IDENTITY
(7) eap_peap: Identity - bj
(7) eap_peap: Got inner identity 'bj'
(7) eap_peap: Setting default EAP type for tunneled EAP session
(7) eap_peap: Got tunneled request
(7) eap_peap: EAP-Message = 0x029c000701626a
(7) eap_peap: Setting User-Name to bj
(7) eap_peap: Sending tunneled request to inner-tunnel
(7) eap_peap: EAP-Message = 0x029c000701626a
(7) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(7) eap_peap: User-Name = "bj"
(7) Virtual server inner-tunnel received request
(7) EAP-Message = 0x029c000701626a
(7) FreeRADIUS-Proxied-To = 127.0.0.1
(7) User-Name = "bj"
(7) WARNING: Outer and inner identities are the same. User privacy is compromised.
(7) server inner-tunnel {
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [chap] = noop
(7) [mschap] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "bj", looking up realm NULL
(7) suffix: No such realm "NULL"
(7) [suffix] = noop
(7) update control {
(7) &Proxy-To-Realm := LOCAL
(7) } # update control = noop
  664. (7) eap: Peer sent EAP Response (code 2) ID 156 length 7
  665. (7) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  666. (7) [eap] = ok
  667. (7) } # authorize = ok
  668. (7) Found Auth-Type = eap
  669. (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  670. (7) authenticate {
  671. (7) eap: Peer sent packet with method EAP Identity (1)
  672. (7) eap: Calling submodule eap_mschapv2 to process data
  673. (7) eap_mschapv2: Issuing Challenge
  674. (7) eap: Sending EAP Request (code 1) ID 157 length 43
  675. (7) eap: EAP session adding &reply:State = 0x47e8552047754f14
  676. (7) [eap] = handled
  677. (7) } # authenticate = handled
  678. (7) } # server inner-tunnel
  679. (7) Virtual server sending reply
  680. (7) EAP-Message = 0x019d002b1a019d0026101d18b1030e69587a18f609577d69742a667265657261646975732d332e302e3132
  681. (7) Message-Authenticator = 0x00000000000000000000000000000000
  682. (7) State = 0x47e8552047754f14ee644e5e18ae3e3e
  683. (7) eap_peap: Got tunneled reply code 11
  684. (7) eap_peap: EAP-Message = 0x019d002b1a019d0026101d18b1030e69587a18f609577d69742a667265657261646975732d332e302e3132
  685. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  686. (7) eap_peap: State = 0x47e8552047754f14ee644e5e18ae3e3e
  687. (7) eap_peap: Got tunneled reply RADIUS code 11
  688. (7) eap_peap: EAP-Message = 0x019d002b1a019d0026101d18b1030e69587a18f609577d69742a667265657261646975732d332e302e3132
  689. (7) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  690. (7) eap_peap: State = 0x47e8552047754f14ee644e5e18ae3e3e
  691. (7) eap_peap: Got tunneled Access-Challenge
  692. (7) eap: Sending EAP Request (code 1) ID 157 length 75
  693. (7) eap: EAP session adding &reply:State = 0x3401110c339c0871
  694. (7) [eap] = handled
  695. (7) } # authenticate = handled
  696. (7) Using Post-Auth-Type Challenge
  697. (7) Post-Auth-Type sub-section not found. Ignoring.
  698. (7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  699. (7) Sent Access-Challenge Id 27 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  700. (7) EAP-Message = 0x019d004b190017030100406b7f0cf4c4cff9137fef900bc6528cad097fb010e76e70f727f4a1f11e68347ba7f0e2c6d803bdd0
  701. (7) Message-Authenticator = 0x00000000000000000000000000000000
  702. (7) State = 0x3401110c339c087121133da265f33113
  703. (7) Finished request
  704. Waking up in 4.7 seconds.
  705. (8) Received Access-Request Id 28 from 172.22.33.33:65484 to 172.22.33.46:1812 length 265
  706. (8) User-Name = "bj"
  707. (8) NAS-IP-Address = 172.22.33.33
  708. (8) NAS-Port = 0
  709. (8) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  710. (8) Calling-Station-Id = "88-1F-A1-11-43-E2"
  711. (8) Framed-MTU = 1400
  712. (8) NAS-Port-Type = Wireless-802.11
  713. (8) Connect-Info = "CONNECT 0Mbps 802.11"
  714. (8) EAP-Message = 0x029d005b190017030100500d0b13415e54771b88e8a310b0e825947d00717a64627b11aa95cdb5cc198cff868cbb7b34454ff0
  715. (8) State = 0x3401110c339c087121133da265f33113
  716. (8) Message-Authenticator = 0xdd0d2a0ab3fdc7c30e788986d2abbcad
  717. (8) session-state: No cached attributes
  718. (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  719. (8) authorize {
  720. (8) policy filter_username {
  721. (8) if (&User-Name) {
  722. (8) if (&User-Name) -> TRUE
  723. (8) if (&User-Name) {
  724. (8) if (&User-Name =~ / /) {
  725. (8) if (&User-Name =~ / /) -> FALSE
  726. (8) if (&User-Name =~ /@[^@]*@/ ) {
  727. (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  728. (8) if (&User-Name =~ /\.\./ ) {
  729. (8) if (&User-Name =~ /\.\./ ) -> FALSE
  730. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  731. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  732. (8) if (&User-Name =~ /\.$/) {
  733. (8) if (&User-Name =~ /\.$/) -> FALSE
  734. (8) if (&User-Name =~ /@\./) {
  735. (8) if (&User-Name =~ /@\./) -> FALSE
  736. (8) } # if (&User-Name) = notfound
  737. (8) } # policy filter_username = notfound
  738. (8) [preprocess] = ok
  739. (8) [chap] = noop
  740. (8) [mschap] = noop
  741. (8) [digest] = noop
  742. (8) suffix: Checking for suffix after "@"
  743. (8) suffix: No '@' in User-Name = "bj", looking up realm NULL
  744. (8) suffix: No such realm "NULL"
  745. (8) [suffix] = noop
  746. (8) eap: Peer sent EAP Response (code 2) ID 157 length 91
  747. (8) eap: Continuing tunnel setup
  748. (8) [eap] = ok
  749. (8) } # authorize = ok
  750. (8) Found Auth-Type = eap
  751. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  752. (8) authenticate {
  753. (8) eap: Expiring EAP session with state 0x47e8552047754f14
  754. (8) eap: Finished EAP session with state 0x3401110c339c0871
  755. (8) eap: Previous EAP request found for state 0x3401110c339c0871, released from the list
  756. (8) eap: Peer sent packet with method EAP PEAP (25)
  757. (8) eap: Calling submodule eap_peap to process data
  758. (8) eap_peap: Continuing EAP-TLS
  759. (8) eap_peap: [eaptls verify] = ok
  760. (8) eap_peap: Done initial handshake
  761. (8) eap_peap: [eaptls process] = ok
  762. (8) eap_peap: Session established. Decoding tunneled attributes
  763. (8) eap_peap: PEAP state phase2
  764. (8) eap_peap: EAP method MSCHAPv2 (26)
  765. (8) eap_peap: Got tunneled request
  766. (8) eap_peap: EAP-Message = 0x029d003d1a029d003831f953b8c0502e3ae7a755c0f04339e73500000000000000007fbdd521c99351466110631a
  767. (8) eap_peap: Setting User-Name to bj
  768. (8) eap_peap: Sending tunneled request to inner-tunnel
  769. (8) eap_peap: EAP-Message = 0x029d003d1a029d003831f953b8c0502e3ae7a755c0f04339e73500000000000000007fbdd521c99351466110631a
  770. (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  771. (8) eap_peap: User-Name = "bj"
  772. (8) eap_peap: State = 0x47e8552047754f14ee644e5e18ae3e3e
  773. (8) Virtual server inner-tunnel received request
  774. (8) EAP-Message = 0x029d003d1a029d003831f953b8c0502e3ae7a755c0f04339e73500000000000000007fbdd521c99351466110631b9a16b1e27a
  775. (8) FreeRADIUS-Proxied-To = 127.0.0.1
  776. (8) User-Name = "bj"
  777. (8) State = 0x47e8552047754f14ee644e5e18ae3e3e
  778. (8) WARNING: Outer and inner identities are the same. User privacy is compromised.
  779. (8) server inner-tunnel {
  780. (8) session-state: No cached attributes
  781. (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  782. (8) authorize {
  783. (8) policy filter_username {
  784. (8) if (&User-Name) {
  785. (8) if (&User-Name) -> TRUE
  786. (8) if (&User-Name) {
  787. (8) if (&User-Name =~ / /) {
  788. (8) if (&User-Name =~ / /) -> FALSE
  789. (8) if (&User-Name =~ /@[^@]*@/ ) {
  790. (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  791. (8) if (&User-Name =~ /\.\./ ) {
  792. (8) if (&User-Name =~ /\.\./ ) -> FALSE
  793. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  794. (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  795. (8) if (&User-Name =~ /\.$/) {
  796. (8) if (&User-Name =~ /\.$/) -> FALSE
  797. (8) if (&User-Name =~ /@\./) {
  798. (8) if (&User-Name =~ /@\./) -> FALSE
  799. (8) } # if (&User-Name) = notfound
  800. (8) } # policy filter_username = notfound
  801. (8) [chap] = noop
  802. (8) [mschap] = noop
  803. (8) suffix: Checking for suffix after "@"
  804. (8) suffix: No '@' in User-Name = "bj", looking up realm NULL
  805. (8) suffix: No such realm "NULL"
  806. (8) [suffix] = noop
  807. (8) update control {
  808. (8) &Proxy-To-Realm := LOCAL
  809. (8) } # update control = noop
  810. (8) eap: Peer sent EAP Response (code 2) ID 157 length 61
  811. (8) eap: No EAP Start, assuming it's an on-going EAP conversation
  812. (8) [eap] = updated
  813. (8) files: Searching for user in group "wifi-cph"
  814. rlm_ldap (ldap): Reserved connection (2)
  815. (8) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  816. (8) files: --> (uid=bj)
  817. (8) files: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
  818. (8) files: Waiting for search result...
  819. (8) files: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  820. (8) files: Checking for user in group objects
  821. (8) files: EXPAND (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Na)
  822. (8) files: --> (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2co\3)
  823. (8) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph)(objectClas"
  824. (8) files: Waiting for search result...
  825. (8) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
  826. rlm_ldap (ldap): Released connection (2)
  827. (8) files: Searching for user in group "wifi-cph-guest"
  828. rlm_ldap (ldap): Reserved connection (3)
  829. (8) files: Using user DN from request "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  830. (8) files: Checking for user in group objects
  831. (8) files: EXPAND (&(cn=wifi-cph-guest)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-U)
  832. (8) files: --> (&(cn=wifi-cph-guest)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk)
  833. (8) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph-guest)(obje"
  834. (8) files: Waiting for search result...
  835. (8) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
  836. rlm_ldap (ldap): Released connection (3)
  837. (8) files: Searching for user in group "kp-vpn-cph"
  838. rlm_ldap (ldap): Reserved connection (4)
  839. (8) files: Using user DN from request "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  840. (8) files: Checking for user in group objects
  841. (8) files: EXPAND (&(cn=kp-vpn-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-)
  842. (8) files: --> (&(cn=kp-vpn-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2co)
  843. (8) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=kp-vpn-cph)(objectCl"
  844. (8) files: Waiting for search result...
  845. (8) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
  846. rlm_ldap (ldap): Released connection (4)
  847. (8) files: users: Matched entry DEFAULT at line 63
  848. (8) [files] = ok
  849. rlm_ldap (ldap): Reserved connection (0)
  850. (8) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  851. (8) ldap: --> (uid=bj)
  852. (8) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
  853. (8) ldap: Waiting for search result...
  854. (8) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  855. (8) ldap: Processing user attributes
  856. (8) ldap: control:Password-With-Header += '{CRYPT}*****'
  857. (8) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931
  858. rlm_ldap (ldap): Released connection (0)
  859. (8) [ldap] = updated
  860. (8) [expiration] = noop
  861. (8) [logintime] = noop
  862. (8) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
  863. (8) pap: Removing &control:Password-With-Header
  864. (8) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
  865. (8) pap: WARNING: Auth-Type already set. Not setting to PAP
  866. (8) [pap] = noop
  867. (8) } # authorize = updated
  868. (8) Found Auth-Type = Reject
  869. (8) Auth-Type = Reject, rejecting user
  870. (8) Failed to authenticate the user
  871. (8) Using Post-Auth-Type Reject
  872. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  873. (8) Post-Auth-Type REJECT {
  874. (8) attr_filter.access_reject: EXPAND %{User-Name}
  875. (8) attr_filter.access_reject: --> bj
  876. (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
  877. (8) [attr_filter.access_reject] = updated
  878. (8) update outer.session-state {
  879. (8) No attributes updated
  880. (8) } # update outer.session-state = noop
  881. (8) } # Post-Auth-Type REJECT = updated
  882. (8) } # server inner-tunnel
  883. (8) Virtual server sending reply
  884. (8) Reply-Message = "Sorry, no access for you."
  885. (8) eap_peap: Got tunneled reply code 3
  886. (8) eap_peap: Reply-Message = "Sorry, no access for you."
  887. (8) eap_peap: Got tunneled reply RADIUS code 3
  888. (8) eap_peap: Reply-Message = "Sorry, no access for you."
  889. (8) eap_peap: Tunneled authentication was rejected
  890. (8) eap_peap: FAILURE
  891. (8) eap: Sending EAP Request (code 1) ID 158 length 43
  892. (8) eap: EAP session adding &reply:State = 0x3401110c3c9f0871
  893. (8) [eap] = handled
  894. (8) } # authenticate = handled
  895. (8) Using Post-Auth-Type Challenge
  896. (8) Post-Auth-Type sub-section not found. Ignoring.
  897. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  898. (8) Sent Access-Challenge Id 28 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  899. (8) EAP-Message = 0x019e002b1900170301002090ab5701441d17c3517bae3c720d4781b0c1eb7f88b5cddcd915261b68bf1715
  900. (8) Message-Authenticator = 0x00000000000000000000000000000000
  901. (8) State = 0x3401110c3c9f087121133da265f33113
  902. (8) Finished request
  903. Waking up in 4.6 seconds.
  904. (9) Received Access-Request Id 29 from 172.22.33.33:65484 to 172.22.33.46:1812 length 217
  905. (9) User-Name = "bj"
  906. (9) NAS-IP-Address = 172.22.33.33
  907. (9) NAS-Port = 0
  908. (9) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  909. (9) Calling-Station-Id = "88-1F-A1-11-43-E2"
  910. (9) Framed-MTU = 1400
  911. (9) NAS-Port-Type = Wireless-802.11
  912. (9) Connect-Info = "CONNECT 0Mbps 802.11"
  913. (9) EAP-Message = 0x029e002b19001703010020c8b6f76fb5c3b70348e9ba9caac8125914d96bc93e7d21ae4f06ed9f4414e73e
  914. (9) State = 0x3401110c3c9f087121133da265f33113
  915. (9) Message-Authenticator = 0xfb36d3701d7b773d3890f420afe5709c
  916. (9) session-state: No cached attributes
  917. (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  918. (9) authorize {
  919. (9) policy filter_username {
  920. (9) if (&User-Name) {
  921. (9) if (&User-Name) -> TRUE
  922. (9) if (&User-Name) {
  923. (9) if (&User-Name =~ / /) {
  924. (9) if (&User-Name =~ / /) -> FALSE
  925. (9) if (&User-Name =~ /@[^@]*@/ ) {
  926. (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  927. (9) if (&User-Name =~ /\.\./ ) {
  928. (9) if (&User-Name =~ /\.\./ ) -> FALSE
  929. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  930. (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  931. (9) if (&User-Name =~ /\.$/) {
  932. (9) if (&User-Name =~ /\.$/) -> FALSE
  933. (9) if (&User-Name =~ /@\./) {
  934. (9) if (&User-Name =~ /@\./) -> FALSE
  935. (9) } # if (&User-Name) = notfound
  936. (9) } # policy filter_username = notfound
  937. (9) [preprocess] = ok
  938. (9) [chap] = noop
  939. (9) [mschap] = noop
  940. (9) [digest] = noop
  941. (9) suffix: Checking for suffix after "@"
  942. (9) suffix: No '@' in User-Name = "bj", looking up realm NULL
  943. (9) suffix: No such realm "NULL"
  944. (9) [suffix] = noop
  945. (9) eap: Peer sent EAP Response (code 2) ID 158 length 43
  946. (9) eap: Continuing tunnel setup
  947. (9) [eap] = ok
  948. (9) } # authorize = ok
  949. (9) Found Auth-Type = eap
  950. (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  951. (9) authenticate {
  952. (9) eap: Expiring EAP session with state 0x47e8552047754f14
  953. (9) eap: Finished EAP session with state 0x3401110c3c9f0871
  954. (9) eap: Previous EAP request found for state 0x3401110c3c9f0871, released from the list
  955. (9) eap: Peer sent packet with method EAP PEAP (25)
  956. (9) eap: Calling submodule eap_peap to process data
  957. (9) eap_peap: Continuing EAP-TLS
  958. (9) eap_peap: [eaptls verify] = ok
  959. (9) eap_peap: Done initial handshake
  960. (9) eap_peap: [eaptls process] = ok
  961. (9) eap_peap: Session established. Decoding tunneled attributes
  962. (9) eap_peap: PEAP state send tlv failure
  963. (9) eap_peap: Received EAP-TLV response
  964. (9) eap_peap: The users session was previously rejected: returning reject (again.)
  965. (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output
  966. (9) eap_peap: to find out the reason why the user was rejected
  967. (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
  968. (9) eap_peap: what went wrong, and how to fix the problem
  969. (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
  970. (9) eap: Sending EAP Failure (code 4) ID 158 length 4
  971. (9) eap: Failed in EAP select
  972. (9) [eap] = invalid
  973. (9) } # authenticate = invalid
  974. (9) Failed to authenticate the user
  975. (9) Using Post-Auth-Type Reject
  976. (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  977. (9) Post-Auth-Type REJECT {
  978. (9) attr_filter.access_reject: EXPAND %{User-Name}
  979. (9) attr_filter.access_reject: --> bj
  980. (9) attr_filter.access_reject: Matched entry DEFAULT at line 11
  981. (9) [attr_filter.access_reject] = updated
  982. (9) [eap] = noop
  983. (9) policy remove_reply_message_if_eap {
  984. (9) if (&reply:EAP-Message && &reply:Reply-Message) {
  985. (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
  986. (9) else {
  987. (9) [noop] = noop
  988. (9) } # else = noop
  989. (9) } # policy remove_reply_message_if_eap = noop
  990. (9) } # Post-Auth-Type REJECT = updated
  991. (9) Delaying response for 1.000000 seconds
  992. Waking up in 0.3 seconds.
  993. Waking up in 0.6 seconds.
  994. (9) Sending delayed response
  995. (9) Sent Access-Reject Id 29 from 172.22.33.46:1812 to 172.22.33.33:65484 length 44
  996. (9) EAP-Message = 0x049e0004
  997. (9) Message-Authenticator = 0x00000000000000000000000000000000
  998. Waking up in 3.6 seconds.
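Requests 8 and 9 above are the pattern that the eap_peap hint text points at. In the inner-tunnel pass of request 8 the users file matched an entry (DEFAULT at line 63) that set Auth-Type to Reject with the Reply-Message "Sorry, no access for you."; the inner virtual server answered with RADIUS code 3 (Access-Reject), eap_peap turned that into a failure TLV inside the tunnel and the outer server still sent an Access-Challenge, and only after the client acknowledged the TLV in request 9 did the outer server send the Access-Reject. The same output also prints control:NT-Password in full: that value is the user's NT hash, which on its own is enough to compute MS-CHAPv2 responses as that user, so -X output should be redacted before it is pasted anywhere. The script below is an added example, not part of this log or of FreeRADIUS. It groups -X lines by request number, records the last packet sent for each, collects the lines that explain a reject, flags the identity-privacy warning and the EAP type negotiated after a NAK, and redacts password-equivalent attributes. The sample input is excerpted from the output above with a constructed placeholder in place of the real hash.

```python
"""Triage FreeRADIUS 'radiusd -X' output: which request was rejected, and why, plus
redaction of password-equivalent attributes before the output is shared.
Added example; not part of the pasted log or of FreeRADIUS itself."""
import re

REQ_RE = re.compile(r"^\((\d+)\)\s+(.*)$")                 # "(8) eap_peap: ..."
SENT_RE = re.compile(r"^Sent (Access-(?:Accept|Reject|Challenge)) Id \d+")
NEGOTIATED_RE = re.compile(r"^eap: Found mutually acceptable type (.+)$")
REPLY_RE = re.compile(r'^Reply-Message = "(.*)"$')
# Lines that explain a rejection: the 'look for "reject" or "fail"' advice that
# eap_peap prints, applied mechanically.
REASON_RES = [
    re.compile(r"Found Auth-Type = Reject"),
    re.compile(r"users: Matched entry \S+ at line \d+"),
    REPLY_RE,
    re.compile(r"Tunneled authentication was rejected"),
    re.compile(r"previously rejected"),
    re.compile(r"ERROR: "),
]
# -X prints control:NT-Password in clear. The NT hash alone is enough to answer
# MS-CHAPv2 challenges as that user, so strip it before pasting the output anywhere.
SECRET_RE = re.compile(r"(control:(?:NT|LM|Cleartext|Crypt)-Password\s*[:+]?=\s*)(\S+)")


def redact_secrets(line: str) -> str:
    return SECRET_RE.sub(r"\1<redacted>", line)


def redact_output(debug_text: str) -> str:
    return "\n".join(redact_secrets(ln) for ln in debug_text.splitlines())


def summarize(lines) -> dict:
    """Group '(N) ...' lines by request number and keep the telling ones."""
    reqs = {}
    for line in lines:
        m = REQ_RE.match(line.strip())
        if not m:
            continue                  # "Waking up ...", rlm_ldap pool chatter, etc.
        n, text = int(m.group(1)), m.group(2)
        r = reqs.setdefault(n, {"sent": None, "inner_tunnel": False, "negotiated": None,
                                "warnings": [], "reasons": []})
        if text == "Virtual server inner-tunnel received request":
            r["inner_tunnel"] = True
        elif text.startswith("WARNING: "):
            r["warnings"].append(text[len("WARNING: "):])
        elif (s := SENT_RE.match(text)):
            r["sent"] = s.group(1)                    # last packet sent for this request
        elif (g := NEGOTIATED_RE.match(text)):
            r["negotiated"] = g.group(1)              # EAP type agreed after a NAK
        elif any(p.search(text) for p in REASON_RES):
            r["reasons"].append(redact_secrets(text))
    return reqs


def first_reject(reqs):
    """(request, users-file entry, Reply-Message) for the earliest request whose authorize
    section set Auth-Type = Reject, or None. With PEAP that is the inner-tunnel pass,
    one round trip before the outer server finally sends Access-Reject."""
    for n in sorted(reqs):
        reasons = reqs[n]["reasons"]
        if not any("Found Auth-Type = Reject" in x for x in reasons):
            continue
        entry = next((x for x in reasons if "Matched entry" in x), None)
        msg = next((REPLY_RE.match(x).group(1) for x in reasons if REPLY_RE.match(x)), None)
        return n, entry, msg
    return None


def report(debug_text: str) -> list:
    reqs = summarize(debug_text.splitlines())
    out = []
    for n in sorted(reqs):
        r = reqs[n]
        line = f"({n}) {'outer+inner-tunnel' if r['inner_tunnel'] else 'outer'}: sent {r['sent']}"
        if r["negotiated"]:
            line += f", negotiated {r['negotiated']}"
        out.append(line)
        out += [f"({n})   warning: {w}" for w in r["warnings"]]
        out += [f"({n})   reason:  {x}" for x in r["reasons"]]
    verdict = first_reject(reqs)
    if verdict:
        out.append("verdict: request %d rejected by %r, Reply-Message %r" % verdict)
    return out


# Constructed sample: lines excerpted from the debug output above, with a placeholder
# (hex-encoded ASCII "0" x 32) in place of the real NT-Password value.
SAMPLE = """\
(8) Virtual server inner-tunnel received request
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) files: users: Matched entry DEFAULT at line 63
(8) ldap: control:NT-Password := 0x3030303030303030303030303030303030303030303030303030303030303030
(8) Found Auth-Type = Reject
(8) Reply-Message = "Sorry, no access for you."
(8) eap_peap: Tunneled authentication was rejected
(8) Sent Access-Challenge Id 28 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(9) eap_peap: The users session was previously rejected: returning reject (again.)
(9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(9) Sent Access-Reject Id 29 from 172.22.33.46:1812 to 172.22.33.33:65484 length 44
(11) eap: Found mutually acceptable type PEAP (25)
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it as a script to see the per-request summary and the verdict for the sample; feed a whole -X capture to report() or redact_output() the same way. The verdict points at the inner-tunnel request rather than the one that carried the final Access-Reject, which is where the fix (the users-file entry) lives.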
  999. (0) Cleaning up request packet ID 20 with timestamp +23
  1000. Waking up in 0.1 seconds.
  1001. (1) Cleaning up request packet ID 21 with timestamp +23
  1002. (2) Cleaning up request packet ID 22 with timestamp +23
  1003. (3) Cleaning up request packet ID 23 with timestamp +23
  1004. (4) Cleaning up request packet ID 24 with timestamp +23
  1005. (5) Cleaning up request packet ID 25 with timestamp +23
  1006. (6) Cleaning up request packet ID 26 with timestamp +23
  1007. (7) Cleaning up request packet ID 27 with timestamp +23
  1008. (8) Cleaning up request packet ID 28 with timestamp +23
  1009. (9) Cleaning up request packet ID 29 with timestamp +23
  1010. Ready to process requests
  1011. (10) Received Access-Request Id 30 from 172.22.33.33:65484 to 172.22.33.46:1812 length 163
  1012. (10) User-Name = "bj"
  1013. (10) NAS-IP-Address = 172.22.33.33
  1014. (10) NAS-Port = 0
  1015. (10) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1016. (10) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1017. (10) Framed-MTU = 1400
  1018. (10) NAS-Port-Type = Wireless-802.11
  1019. (10) Connect-Info = "CONNECT 0Mbps 802.11"
  1020. (10) EAP-Message = 0x02aa000701626a
  1021. (10) Message-Authenticator = 0x8aaf965a195987ac1e87d7663d086689
  1022. (10) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1023. (10) authorize {
  1024. (10) policy filter_username {
  1025. (10) if (&User-Name) {
  1026. (10) if (&User-Name) -> TRUE
  1027. (10) if (&User-Name) {
  1028. (10) if (&User-Name =~ / /) {
  1029. (10) if (&User-Name =~ / /) -> FALSE
  1030. (10) if (&User-Name =~ /@[^@]*@/ ) {
  1031. (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1032. (10) if (&User-Name =~ /\.\./ ) {
  1033. (10) if (&User-Name =~ /\.\./ ) -> FALSE
  1034. (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1035. (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1036. (10) if (&User-Name =~ /\.$/) {
  1037. (10) if (&User-Name =~ /\.$/) -> FALSE
  1038. (10) if (&User-Name =~ /@\./) {
  1039. (10) if (&User-Name =~ /@\./) -> FALSE
  1040. (10) } # if (&User-Name) = notfound
  1041. (10) } # policy filter_username = notfound
  1042. (10) [preprocess] = ok
  1043. (10) [chap] = noop
  1044. (10) [mschap] = noop
  1045. (10) [digest] = noop
  1046. (10) suffix: Checking for suffix after "@"
  1047. (10) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1048. (10) suffix: No such realm "NULL"
  1049. (10) [suffix] = noop
  1050. (10) eap: Peer sent EAP Response (code 2) ID 170 length 7
  1051. (10) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1052. (10) [eap] = ok
  1053. (10) } # authorize = ok
  1054. (10) Found Auth-Type = eap
  1055. (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1056. (10) authenticate {
  1057. (10) eap: Peer sent packet with method EAP Identity (1)
  1058. (10) eap: Calling submodule eap_tls to process data
  1059. (10) eap_tls: Initiating new EAP-TLS session
  1060. (10) eap_tls: Setting verify mode to require certificate from client
  1061. (10) eap_tls: [eaptls start] = request
  1062. (10) eap: Sending EAP Request (code 1) ID 171 length 6
  1063. (10) eap: EAP session adding &reply:State = 0x2e588f9b2ef382e1
  1064. (10) [eap] = handled
  1065. (10) } # authenticate = handled
  1066. (10) Using Post-Auth-Type Challenge
  1067. (10) Post-Auth-Type sub-section not found. Ignoring.
  1068. (10) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1069. (10) Sent Access-Challenge Id 30 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1070. (10) EAP-Message = 0x01ab00060d20
  1071. (10) Message-Authenticator = 0x00000000000000000000000000000000
  1072. (10) State = 0x2e588f9b2ef382e1accf0533cefa4486
  1073. (10) Finished request
  1074. Waking up in 4.9 seconds.
  1075. (11) Received Access-Request Id 31 from 172.22.33.33:65484 to 172.22.33.46:1812 length 182
  1076. (11) User-Name = "bj"
  1077. (11) NAS-IP-Address = 172.22.33.33
  1078. (11) NAS-Port = 0
  1079. (11) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1080. (11) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1081. (11) Framed-MTU = 1400
  1082. (11) NAS-Port-Type = Wireless-802.11
  1083. (11) Connect-Info = "CONNECT 0Mbps 802.11"
  1084. (11) EAP-Message = 0x02ab00080319152b
  1085. (11) State = 0x2e588f9b2ef382e1accf0533cefa4486
  1086. (11) Message-Authenticator = 0x583e84ebb1043695e3f0a8e4469735d6
  1087. (11) session-state: No cached attributes
  1088. (11) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1089. (11) authorize {
  1090. (11) policy filter_username {
  1091. (11) if (&User-Name) {
  1092. (11) if (&User-Name) -> TRUE
  1093. (11) if (&User-Name) {
  1094. (11) if (&User-Name =~ / /) {
  1095. (11) if (&User-Name =~ / /) -> FALSE
  1096. (11) if (&User-Name =~ /@[^@]*@/ ) {
  1097. (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1098. (11) if (&User-Name =~ /\.\./ ) {
  1099. (11) if (&User-Name =~ /\.\./ ) -> FALSE
  1100. (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1101. (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1102. (11) if (&User-Name =~ /\.$/) {
  1103. (11) if (&User-Name =~ /\.$/) -> FALSE
  1104. (11) if (&User-Name =~ /@\./) {
  1105. (11) if (&User-Name =~ /@\./) -> FALSE
  1106. (11) } # if (&User-Name) = notfound
  1107. (11) } # policy filter_username = notfound
  1108. (11) [preprocess] = ok
  1109. (11) [chap] = noop
  1110. (11) [mschap] = noop
  1111. (11) [digest] = noop
  1112. (11) suffix: Checking for suffix after "@"
  1113. (11) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1114. (11) suffix: No such realm "NULL"
  1115. (11) [suffix] = noop
  1116. (11) eap: Peer sent EAP Response (code 2) ID 171 length 8
  1117. (11) eap: No EAP Start, assuming it's an on-going EAP conversation
  1118. (11) [eap] = updated
  1119. (11) files: Searching for user in group "wifi-cph"
  1120. rlm_ldap (ldap): Reserved connection (5)
  1121. (11) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  1122. (11) files: --> (uid=bj)
  1123. (11) files: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
  1124. (11) files: Waiting for search result...
  1125. (11) files: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  1126. (11) files: Checking for user in group objects
  1127. (11) files: EXPAND (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-N)
  1128. (11) files: --> (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2co\)
  1129. (11) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph)(objectCla"
  1130. (11) files: Waiting for search result...
  1131. (11) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
  1132. rlm_ldap (ldap): Released connection (5)
  1133. rlm_ldap (ldap): Need 4 more connections to reach 10 spares
  1134. rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots used
  1135. rlm_ldap (ldap): Connecting to ldap://ldap.kontrapunkt.com:389
  1136. rlm_ldap (ldap): Waiting for bind result...
  1137. rlm_ldap (ldap): Bind successful
  1138. (11) files: users: Matched entry DEFAULT at line 52
  1139. (11) [files] = ok
  1140. rlm_ldap (ldap): Reserved connection (1)
  1141. (11) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
  1142. (11) ldap: --> (uid=bj)
  1143. (11) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
  1144. (11) ldap: Waiting for search result...
  1145. (11) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
  1146. (11) ldap: Processing user attributes
  1147. (11) ldap: control:Password-With-Header += '{CRYPT}*****'
  1148. (11) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931
  1149. rlm_ldap (ldap): Released connection (1)
  1150. (11) [ldap] = updated
  1151. (11) [expiration] = noop
  1152. (11) [logintime] = noop
  1153. (11) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
  1154. (11) pap: Removing &control:Password-With-Header
  1155. (11) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
  1156. (11) pap: WARNING: Auth-Type already set. Not setting to PAP
  1157. (11) [pap] = noop
  1158. (11) } # authorize = updated
  1159. (11) Found Auth-Type = eap
  1160. (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1161. (11) authenticate {
  1162. (11) eap: Expiring EAP session with state 0x47e8552047754f14
  1163. (11) eap: Finished EAP session with state 0x2e588f9b2ef382e1
  1164. (11) eap: Previous EAP request found for state 0x2e588f9b2ef382e1, released from the list
  1165. (11) eap: Peer sent packet with method EAP NAK (3)
  1166. (11) eap: Found mutually acceptable type PEAP (25)
  1167. (11) eap: Calling submodule eap_peap to process data
  1168. (11) eap_peap: Initiating new EAP-TLS session
  1169. (11) eap_peap: [eaptls start] = request
  1170. (11) eap: Sending EAP Request (code 1) ID 172 length 6
  1171. (11) eap: EAP session adding &reply:State = 0x2e588f9b2ff496e1
  1172. (11) [eap] = handled
  1173. (11) } # authenticate = handled
  1174. (11) Using Post-Auth-Type Challenge
  1175. (11) Post-Auth-Type sub-section not found. Ignoring.
  1176. (11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1177. (11) Sent Access-Challenge Id 31 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1178. (11) Reply-Message = "OK, member of wifi-cph."
  1179. (11) EAP-Message = 0x01ac00061920
  1180. (11) Message-Authenticator = 0x00000000000000000000000000000000
  1181. (11) State = 0x2e588f9b2ff496e1accf0533cefa4486
  1182. (11) Finished request
  1183. Waking up in 4.8 seconds.
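The EAP-Message attributes throughout this output are raw hex. The decoder below is an added example, not part of the log or of FreeRADIUS, that parses the EAP header (Code, Identifier, Length, Type) and the payloads of the frame kinds seen here: the Identity reply "bj", the inner EAP-MSCHAPv2 Challenge with its 16-byte challenge and the server name "freeradius-3.0.12" (request 7) and the MS-CHAPv2 Response (request 8), the EAP Failure (request 9), the EAP-TLS Start the server offered first (request 10), the NAK with which the client declined it and asked for PEAP, EAP-TTLS or EAP-FAST (request 11), and PEAP fragments with the Length flag set. Type numbers are the IANA EAP method numbers; the MS-CHAPv2 field layout (OpCode, MS-CHAPv2-ID, MS-Length, Value-Size, Value, Name) is from the EAP-MSCHAPv2 specification. FreeRADIUS truncates long attribute values in -X output, occasionally mid-byte, so the decoder reports what is present and marks the frame as truncated instead of failing. Two things it makes visible: the NAK shows the client, not the server, choosing PEAP over EAP-TLS, and the inner challenge and response are readable here only because the server has already decrypted the PEAP tunnel.

```python
"""Decode the EAP-Message hex strings that FreeRADIUS prints in 'radiusd -X' output.

Added example; not part of the pasted log or of FreeRADIUS itself. Layouts:
EAP header per RFC 3748, EAP-TLS/PEAP flag byte per RFC 5216, EAP-MSCHAPv2
framing (OpCode, MS-CHAPv2-ID, MS-Length, Value-Size, Value, Name) per the
EAP-MSCHAPv2 draft and RFC 2759.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def _hex_to_bytes(hexstr: str) -> bytes:
    """-X truncates long octet strings, sometimes mid-byte: drop a dangling nibble."""
    h = hexstr[2:] if hexstr.startswith("0x") else hexstr
    return bytes.fromhex(h[:-1] if len(h) % 2 else h)


def decode_eap(hexstr: str) -> dict:
    raw = _hex_to_bytes(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: Code, Identifier, Length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(raw) < length}     # declared length vs. bytes actually shown
    if code in (3, 4) or length <= 4 or len(raw) < 5:
        return out                              # Success/Failure carry no Type byte
    etype = raw[4]
    out["type"] = EAP_TYPES.get(etype, etype)
    body = raw[5:length]                        # may be shorter than declared
    if etype == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif etype == 3:
        # NAK: the peer rejects the offered type and lists the ones it would accept
        out["desired_types"] = [EAP_TYPES.get(t, t) for t in body]
    elif etype in (13, 21, 25):
        flags = body[0] if body else 0
        out["tls_flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20),
                            "version": flags & 0x07}
        if flags & 0x80 and len(body) >= 5:
            out["tls_total_length"] = int.from_bytes(body[1:5], "big")
    elif etype == 26:
        out["mschapv2"] = _decode_mschapv2(body)
    return out


def _decode_mschapv2(body: bytes) -> dict:
    if not body:
        return {"error": "empty MS-CHAPv2 body"}
    opcode = body[0]
    out = {"opcode": MSCHAPV2_OPCODES.get(opcode, opcode)}
    if len(body) < 4:
        return out                              # peer's Success/Failure Response is the bare OpCode
    out["ms_id"] = body[1]
    ms_len = int.from_bytes(body[2:4], "big")   # covers OpCode through the end of Name
    out["ms_length"] = ms_len
    if opcode in (1, 2) and len(body) >= 5:
        vsize = body[4]
        value = body[5:5 + vsize]
        if opcode == 1:                         # Challenge: 16-byte challenge, then server name
            out["challenge"] = value.hex()
            out["name"] = body[5 + vsize:ms_len].decode("utf-8", "replace")
        else:                                   # Response: 16 peer challenge, 8 reserved, 24 NT-Response, 1 flags
            out["peer_challenge"] = value[:16].hex()
            if len(value) < vsize:
                out["error"] = f"response value truncated: {len(value)} of {vsize} bytes shown"
            else:
                out["nt_response"] = value[24:48].hex()
                out["flags"] = value[48]
                out["name"] = body[5 + vsize:ms_len].decode("utf-8", "replace")
    elif opcode in (3, 4):                      # server's Success/Failure Request carries a message
        out["message"] = body[4:ms_len].decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    # Values copied from the debug output above (requests 7, 10 and 11).
    for h in ("0x029c000701626a",                         # outer Identity reply "bj"
              "0x019d002b1a019d0026101d18b1030e69587a18f609577d69742a"
              "667265657261646975732d332e302e3132",        # inner MS-CHAPv2 Challenge
              "0x01ab00060d20",                           # EAP-TLS Start offered by the server
              "0x02ab00080319152b",                       # client NAK: wants PEAP, TTLS or FAST
              "0x049e0004"):                              # final EAP Failure
        print(decode_eap(h))
```

decode_eap() returns a dict, so the result can be checked programmatically; the "truncated" flag tells you when the Length field promises more bytes than the debug line shows, which is the case for every long TLS fragment in this output.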
  1184. (12) Received Access-Request Id 32 from 172.22.33.33:65484 to 172.22.33.46:1812 length 337
  1185. (12) User-Name = "bj"
  1186. (12) NAS-IP-Address = 172.22.33.33
  1187. (12) NAS-Port = 0
  1188. (12) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1189. (12) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1190. (12) Framed-MTU = 1400
  1191. (12) NAS-Port-Type = Wireless-802.11
  1192. (12) Connect-Info = "CONNECT 0Mbps 802.11"
  1193. (12) EAP-Message = 0x02ac00a319800000009916030100940100009003015a27e78afe4cea71b62a0bc8a33e788801a92d631ac70d59e9c1f127120
  1194. (12) State = 0x2e588f9b2ff496e1accf0533cefa4486
  1195. (12) Message-Authenticator = 0xbaeb9faeea2c755a412633322374241f
  1196. (12) session-state: No cached attributes
  1197. (12) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1198. (12) authorize {
  1199. (12) policy filter_username {
  1200. (12) if (&User-Name) {
  1201. (12) if (&User-Name) -> TRUE
  1202. (12) if (&User-Name) {
  1203. (12) if (&User-Name =~ / /) {
  1204. (12) if (&User-Name =~ / /) -> FALSE
  1205. (12) if (&User-Name =~ /@[^@]*@/ ) {
  1206. (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1207. (12) if (&User-Name =~ /\.\./ ) {
  1208. (12) if (&User-Name =~ /\.\./ ) -> FALSE
  1209. (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1210. (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1211. (12) if (&User-Name =~ /\.$/) {
  1212. (12) if (&User-Name =~ /\.$/) -> FALSE
  1213. (12) if (&User-Name =~ /@\./) {
  1214. (12) if (&User-Name =~ /@\./) -> FALSE
  1215. (12) } # if (&User-Name) = notfound
  1216. (12) } # policy filter_username = notfound
  1217. (12) [preprocess] = ok
  1218. (12) [chap] = noop
  1219. (12) [mschap] = noop
  1220. (12) [digest] = noop
  1221. (12) suffix: Checking for suffix after "@"
  1222. (12) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1223. (12) suffix: No such realm "NULL"
  1224. (12) [suffix] = noop
  1225. (12) eap: Peer sent EAP Response (code 2) ID 172 length 163
  1226. (12) eap: Continuing tunnel setup
  1227. (12) [eap] = ok
  1228. (12) } # authorize = ok
  1229. (12) Found Auth-Type = eap
  1230. (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1231. (12) authenticate {
  1232. (12) eap: Expiring EAP session with state 0x47e8552047754f14
  1233. (12) eap: Finished EAP session with state 0x2e588f9b2ff496e1
  1234. (12) eap: Previous EAP request found for state 0x2e588f9b2ff496e1, released from the list
  1235. (12) eap: Peer sent packet with method EAP PEAP (25)
  1236. (12) eap: Calling submodule eap_peap to process data
  1237. (12) eap_peap: Continuing EAP-TLS
  1238. (12) eap_peap: Peer indicated complete TLS record size will be 153 bytes
  1239. (12) eap_peap: Got complete TLS record (153 bytes)
  1240. (12) eap_peap: [eaptls verify] = length included
  1241. (12) eap_peap: (other): before/accept initialization
  1242. (12) eap_peap: TLS_accept: before/accept initialization
  1243. (12) eap_peap: <<< recv TLS 1.0 Handshake [length 0094], ClientHello
  1244. (12) eap_peap: TLS_accept: SSLv3 read client hello A
  1245. (12) eap_peap: >>> send TLS 1.0 Handshake [length 0059], ServerHello
  1246. (12) eap_peap: TLS_accept: SSLv3 write server hello A
  1247. (12) eap_peap: >>> send TLS 1.0 Handshake [length 08d3], Certificate
  1248. (12) eap_peap: TLS_accept: SSLv3 write certificate A
  1249. (12) eap_peap: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
  1250. (12) eap_peap: TLS_accept: SSLv3 write key exchange A
  1251. (12) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone
  1252. (12) eap_peap: TLS_accept: SSLv3 write server done A
  1253. (12) eap_peap: TLS_accept: SSLv3 flush data
  1254. (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  1255. (12) eap_peap: TLS_accept: Need to read more data: SSLv3 read client certificate A
  1256. (12) eap_peap: In SSL Handshake Phase
  1257. (12) eap_peap: In SSL Accept mode
  1258. (12) eap_peap: [eaptls process] = handled
  1259. (12) eap: Sending EAP Request (code 1) ID 173 length 1004
  1260. (12) eap: EAP session adding &reply:State = 0x2e588f9b2cf596e1
  1261. (12) [eap] = handled
  1262. (12) } # authenticate = handled
  1263. (12) Using Post-Auth-Type Challenge
  1264. (12) Post-Auth-Type sub-section not found. Ignoring.
  1265. (12) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1266. (12) Sent Access-Challenge Id 32 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1267. (12) EAP-Message = 0x01ad03ec19c000000a8f16030100590200005503014748a904ab989ca04ea59792243053054cf3c7e805732d5c861e6f2ca5e
  1268. (12) Message-Authenticator = 0x00000000000000000000000000000000
  1269. (12) State = 0x2e588f9b2cf596e1accf0533cefa4486
  1270. (12) Finished request
  1271. Waking up in 4.8 seconds.
  1272. (13) Received Access-Request Id 33 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
  1273. (13) User-Name = "bj"
  1274. (13) NAS-IP-Address = 172.22.33.33
  1275. (13) NAS-Port = 0
  1276. (13) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1277. (13) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1278. (13) Framed-MTU = 1400
  1279. (13) NAS-Port-Type = Wireless-802.11
  1280. (13) Connect-Info = "CONNECT 0Mbps 802.11"
  1281. (13) EAP-Message = 0x02ad00061900
  1282. (13) State = 0x2e588f9b2cf596e1accf0533cefa4486
  1283. (13) Message-Authenticator = 0xed7ba18477904e37776fa8a5f09ba6aa
  1284. (13) session-state: No cached attributes
  1285. (13) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1286. (13) authorize {
  1287. (13) policy filter_username {
  1288. (13) if (&User-Name) {
  1289. (13) if (&User-Name) -> TRUE
  1290. (13) if (&User-Name) {
  1291. (13) if (&User-Name =~ / /) {
  1292. (13) if (&User-Name =~ / /) -> FALSE
  1293. (13) if (&User-Name =~ /@[^@]*@/ ) {
  1294. (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1295. (13) if (&User-Name =~ /\.\./ ) {
  1296. (13) if (&User-Name =~ /\.\./ ) -> FALSE
  1297. (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1298. (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1299. (13) if (&User-Name =~ /\.$/) {
  1300. (13) if (&User-Name =~ /\.$/) -> FALSE
  1301. (13) if (&User-Name =~ /@\./) {
  1302. (13) if (&User-Name =~ /@\./) -> FALSE
  1303. (13) } # if (&User-Name) = notfound
  1304. (13) } # policy filter_username = notfound
  1305. (13) [preprocess] = ok
  1306. (13) [chap] = noop
  1307. (13) [mschap] = noop
  1308. (13) [digest] = noop
  1309. (13) suffix: Checking for suffix after "@"
  1310. (13) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1311. (13) suffix: No such realm "NULL"
  1312. (13) [suffix] = noop
  1313. (13) eap: Peer sent EAP Response (code 2) ID 173 length 6
  1314. (13) eap: Continuing tunnel setup
  1315. (13) [eap] = ok
  1316. (13) } # authorize = ok
  1317. (13) Found Auth-Type = eap
  1318. (13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1319. (13) authenticate {
  1320. (13) eap: Expiring EAP session with state 0x47e8552047754f14
  1321. (13) eap: Finished EAP session with state 0x2e588f9b2cf596e1
  1322. (13) eap: Previous EAP request found for state 0x2e588f9b2cf596e1, released from the list
  1323. (13) eap: Peer sent packet with method EAP PEAP (25)
  1324. (13) eap: Calling submodule eap_peap to process data
  1325. (13) eap_peap: Continuing EAP-TLS
  1326. (13) eap_peap: Peer ACKed our handshake fragment
  1327. (13) eap_peap: [eaptls verify] = request
  1328. (13) eap_peap: [eaptls process] = handled
  1329. (13) eap: Sending EAP Request (code 1) ID 174 length 1000
  1330. (13) eap: EAP session adding &reply:State = 0x2e588f9b2df696e1
  1331. (13) [eap] = handled
  1332. (13) } # authenticate = handled
  1333. (13) Using Post-Auth-Type Challenge
  1334. (13) Post-Auth-Type sub-section not found. Ignoring.
  1335. (13) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1336. (13) Sent Access-Challenge Id 33 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1337. (13) EAP-Message = 0x01ae03e819400342020de654b2672fb5f02c9ae02856749a536eccc0352abc3da4c99ee4528f5d13fa97c8ba81e1c1ef85620
  1338. (13) Message-Authenticator = 0x00000000000000000000000000000000
  1339. (13) State = 0x2e588f9b2df696e1accf0533cefa4486
  1340. (13) Finished request
  1341. Waking up in 4.8 seconds.
  1342. (14) Received Access-Request Id 34 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
  1343. (14) User-Name = "bj"
  1344. (14) NAS-IP-Address = 172.22.33.33
  1345. (14) NAS-Port = 0
  1346. (14) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1347. (14) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1348. (14) Framed-MTU = 1400
  1349. (14) NAS-Port-Type = Wireless-802.11
  1350. (14) Connect-Info = "CONNECT 0Mbps 802.11"
  1351. (14) EAP-Message = 0x02ae00061900
  1352. (14) State = 0x2e588f9b2df696e1accf0533cefa4486
  1353. (14) Message-Authenticator = 0xe0196afbc6745e3f940d3b1b6e9831ba
  1354. (14) session-state: No cached attributes
  1355. (14) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1356. (14) authorize {
  1357. (14) policy filter_username {
  1358. (14) if (&User-Name) {
  1359. (14) if (&User-Name) -> TRUE
  1360. (14) if (&User-Name) {
  1361. (14) if (&User-Name =~ / /) {
  1362. (14) if (&User-Name =~ / /) -> FALSE
  1363. (14) if (&User-Name =~ /@[^@]*@/ ) {
  1364. (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1365. (14) if (&User-Name =~ /\.\./ ) {
  1366. (14) if (&User-Name =~ /\.\./ ) -> FALSE
  1367. (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1368. (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1369. (14) if (&User-Name =~ /\.$/) {
  1370. (14) if (&User-Name =~ /\.$/) -> FALSE
  1371. (14) if (&User-Name =~ /@\./) {
  1372. (14) if (&User-Name =~ /@\./) -> FALSE
  1373. (14) } # if (&User-Name) = notfound
  1374. (14) } # policy filter_username = notfound
  1375. (14) [preprocess] = ok
  1376. (14) [chap] = noop
  1377. (14) [mschap] = noop
  1378. (14) [digest] = noop
  1379. (14) suffix: Checking for suffix after "@"
  1380. (14) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1381. (14) suffix: No such realm "NULL"
  1382. (14) [suffix] = noop
  1383. (14) eap: Peer sent EAP Response (code 2) ID 174 length 6
  1384. (14) eap: Continuing tunnel setup
  1385. (14) [eap] = ok
  1386. (14) } # authorize = ok
  1387. (14) Found Auth-Type = eap
  1388. (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1389. (14) authenticate {
  1390. (14) eap: Expiring EAP session with state 0x47e8552047754f14
  1391. (14) eap: Finished EAP session with state 0x2e588f9b2df696e1
  1392. (14) eap: Previous EAP request found for state 0x2e588f9b2df696e1, released from the list
  1393. (14) eap: Peer sent packet with method EAP PEAP (25)
  1394. (14) eap: Calling submodule eap_peap to process data
  1395. (14) eap_peap: Continuing EAP-TLS
  1396. (14) eap_peap: Peer ACKed our handshake fragment
  1397. (14) eap_peap: [eaptls verify] = request
  1398. (14) eap_peap: [eaptls process] = handled
  1399. (14) eap: Sending EAP Request (code 1) ID 175 length 721
  1400. (14) eap: EAP session adding &reply:State = 0x2e588f9b2af796e1
  1401. (14) [eap] = handled
  1402. (14) } # authenticate = handled
  1403. (14) Using Post-Auth-Type Challenge
  1404. (14) Post-Auth-Type sub-section not found. Ignoring.
  1405. (14) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1406. (14) Sent Access-Challenge Id 34 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1407. (14) EAP-Message = 0x01af02d1190020417574686f72697479820900c8b778d5cf225df1300f0603551d130101ff040530030101ff30360603551d1
  1408. (14) Message-Authenticator = 0x00000000000000000000000000000000
  1409. (14) State = 0x2e588f9b2af796e1accf0533cefa4486
  1410. (14) Finished request
  1411. Waking up in 4.8 seconds.
  1412. (15) Received Access-Request Id 35 from 172.22.33.33:65484 to 172.22.33.46:1812 length 318
  1413. (15) User-Name = "bj"
  1414. (15) NAS-IP-Address = 172.22.33.33
  1415. (15) NAS-Port = 0
  1416. (15) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1417. (15) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1418. (15) Framed-MTU = 1400
  1419. (15) NAS-Port-Type = Wireless-802.11
  1420. (15) Connect-Info = "CONNECT 0Mbps 802.11"
  1421. (15) EAP-Message = 0x02af009019800000008616030100461000004241042efd3b07344d272e9e1156e732965bb842814074601726eef26e659eb4c
  1422. (15) State = 0x2e588f9b2af796e1accf0533cefa4486
  1423. (15) Message-Authenticator = 0xdb4199eed8947d7766ed9eaf73e0f785
  1424. (15) session-state: No cached attributes
  1425. (15) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1426. (15) authorize {
  1427. (15) policy filter_username {
  1428. (15) if (&User-Name) {
  1429. (15) if (&User-Name) -> TRUE
  1430. (15) if (&User-Name) {
  1431. (15) if (&User-Name =~ / /) {
  1432. (15) if (&User-Name =~ / /) -> FALSE
  1433. (15) if (&User-Name =~ /@[^@]*@/ ) {
  1434. (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1435. (15) if (&User-Name =~ /\.\./ ) {
  1436. (15) if (&User-Name =~ /\.\./ ) -> FALSE
  1437. (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1438. (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1439. (15) if (&User-Name =~ /\.$/) {
  1440. (15) if (&User-Name =~ /\.$/) -> FALSE
  1441. (15) if (&User-Name =~ /@\./) {
  1442. (15) if (&User-Name =~ /@\./) -> FALSE
  1443. (15) } # if (&User-Name) = notfound
  1444. (15) } # policy filter_username = notfound
  1445. (15) [preprocess] = ok
  1446. (15) [chap] = noop
  1447. (15) [mschap] = noop
  1448. (15) [digest] = noop
  1449. (15) suffix: Checking for suffix after "@"
  1450. (15) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1451. (15) suffix: No such realm "NULL"
  1452. (15) [suffix] = noop
  1453. (15) eap: Peer sent EAP Response (code 2) ID 175 length 144
  1454. (15) eap: Continuing tunnel setup
  1455. (15) [eap] = ok
  1456. (15) } # authorize = ok
  1457. (15) Found Auth-Type = eap
  1458. (15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1459. (15) authenticate {
  1460. (15) eap: Expiring EAP session with state 0x47e8552047754f14
  1461. (15) eap: Finished EAP session with state 0x2e588f9b2af796e1
  1462. (15) eap: Previous EAP request found for state 0x2e588f9b2af796e1, released from the list
  1463. (15) eap: Peer sent packet with method EAP PEAP (25)
  1464. (15) eap: Calling submodule eap_peap to process data
  1465. (15) eap_peap: Continuing EAP-TLS
  1466. (15) eap_peap: Peer indicated complete TLS record size will be 134 bytes
  1467. (15) eap_peap: Got complete TLS record (134 bytes)
  1468. (15) eap_peap: [eaptls verify] = length included
  1469. (15) eap_peap: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange
  1470. (15) eap_peap: TLS_accept: SSLv3 read client key exchange A
  1471. (15) eap_peap: TLS_accept: SSLv3 read certificate verify A
  1472. (15) eap_peap: <<< recv TLS 1.0 ChangeCipherSpec [length 0001]
  1473. (15) eap_peap: <<< recv TLS 1.0 Handshake [length 0010], Finished
  1474. (15) eap_peap: TLS_accept: SSLv3 read finished A
  1475. (15) eap_peap: >>> send TLS 1.0 ChangeCipherSpec [length 0001]
  1476. (15) eap_peap: TLS_accept: SSLv3 write change cipher spec A
  1477. (15) eap_peap: >>> send TLS 1.0 Handshake [length 0010], Finished
  1478. (15) eap_peap: TLS_accept: SSLv3 write finished A
  1479. (15) eap_peap: TLS_accept: SSLv3 flush data
  1480. (15) eap_peap: (other): SSL negotiation finished successfully
  1481. (15) eap_peap: SSL Connection Established
  1482. (15) eap_peap: [eaptls process] = handled
  1483. (15) eap: Sending EAP Request (code 1) ID 176 length 65
  1484. (15) eap: EAP session adding &reply:State = 0x2e588f9b2be896e1
  1485. (15) [eap] = handled
  1486. (15) } # authenticate = handled
  1487. (15) Using Post-Auth-Type Challenge
  1488. (15) Post-Auth-Type sub-section not found. Ignoring.
  1489. (15) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1490. (15) Sent Access-Challenge Id 35 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1491. (15) EAP-Message = 0x01b000411900140301000101160301003086cb780e044d689b6f93ce76c2747f5291a55411ac4542dd9fabf4db3da20d262b6
  1492. (15) Message-Authenticator = 0x00000000000000000000000000000000
  1493. (15) State = 0x2e588f9b2be896e1accf0533cefa4486
  1494. (15) Finished request
  1495. Waking up in 4.8 seconds.
  1496. (16) Received Access-Request Id 36 from 172.22.33.33:65484 to 172.22.33.46:1812 length 180
  1497. (16) User-Name = "bj"
  1498. (16) NAS-IP-Address = 172.22.33.33
  1499. (16) NAS-Port = 0
  1500. (16) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1501. (16) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1502. (16) Framed-MTU = 1400
  1503. (16) NAS-Port-Type = Wireless-802.11
  1504. (16) Connect-Info = "CONNECT 0Mbps 802.11"
  1505. (16) EAP-Message = 0x02b000061900
  1506. (16) State = 0x2e588f9b2be896e1accf0533cefa4486
  1507. (16) Message-Authenticator = 0x79cf51699b9db2e0e8eda469afb83fee
  1508. (16) session-state: No cached attributes
  1509. (16) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1510. (16) authorize {
  1511. (16) policy filter_username {
  1512. (16) if (&User-Name) {
  1513. (16) if (&User-Name) -> TRUE
  1514. (16) if (&User-Name) {
  1515. (16) if (&User-Name =~ / /) {
  1516. (16) if (&User-Name =~ / /) -> FALSE
  1517. (16) if (&User-Name =~ /@[^@]*@/ ) {
  1518. (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1519. (16) if (&User-Name =~ /\.\./ ) {
  1520. (16) if (&User-Name =~ /\.\./ ) -> FALSE
  1521. (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1522. (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1523. (16) if (&User-Name =~ /\.$/) {
  1524. (16) if (&User-Name =~ /\.$/) -> FALSE
  1525. (16) if (&User-Name =~ /@\./) {
  1526. (16) if (&User-Name =~ /@\./) -> FALSE
  1527. (16) } # if (&User-Name) = notfound
  1528. (16) } # policy filter_username = notfound
  1529. (16) [preprocess] = ok
  1530. (16) [chap] = noop
  1531. (16) [mschap] = noop
  1532. (16) [digest] = noop
  1533. (16) suffix: Checking for suffix after "@"
  1534. (16) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1535. (16) suffix: No such realm "NULL"
  1536. (16) [suffix] = noop
  1537. (16) eap: Peer sent EAP Response (code 2) ID 176 length 6
  1538. (16) eap: Continuing tunnel setup
  1539. (16) [eap] = ok
  1540. (16) } # authorize = ok
  1541. (16) Found Auth-Type = eap
  1542. (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1543. (16) authenticate {
  1544. (16) eap: Expiring EAP session with state 0x47e8552047754f14
  1545. (16) eap: Finished EAP session with state 0x2e588f9b2be896e1
  1546. (16) eap: Previous EAP request found for state 0x2e588f9b2be896e1, released from the list
  1547. (16) eap: Peer sent packet with method EAP PEAP (25)
  1548. (16) eap: Calling submodule eap_peap to process data
  1549. (16) eap_peap: Continuing EAP-TLS
  1550. (16) eap_peap: Peer ACKed our handshake fragment. handshake is finished
  1551. (16) eap_peap: [eaptls verify] = success
  1552. (16) eap_peap: [eaptls process] = success
  1553. (16) eap_peap: Session established. Decoding tunneled attributes
  1554. (16) eap_peap: PEAP state TUNNEL ESTABLISHED
  1555. (16) eap: Sending EAP Request (code 1) ID 177 length 43
  1556. (16) eap: EAP session adding &reply:State = 0x2e588f9b28e996e1
  1557. (16) [eap] = handled
  1558. (16) } # authenticate = handled
  1559. (16) Using Post-Auth-Type Challenge
  1560. (16) Post-Auth-Type sub-section not found. Ignoring.
  1561. (16) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1562. (16) Sent Access-Challenge Id 36 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1563. (16) EAP-Message = 0x01b1002b1900170301002041820bd542b4fdc03a7dbe11e04e4e329c418f4ebee14d4fbd906f4d90e610d8
  1564. (16) Message-Authenticator = 0x00000000000000000000000000000000
  1565. (16) State = 0x2e588f9b28e996e1accf0533cefa4486
  1566. (16) Finished request
  1567. Waking up in 4.8 seconds.
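Requests 11 through 16 above are one PEAP outer handshake seen from the RADIUS side. The peer's ClientHello arrives in a single PEAP frame with the L flag and a declared TLS length of 153 bytes; the server's ServerHello/Certificate/ServerKeyExchange/ServerHelloDone flight is 2703 bytes and goes out as three fragments of 1004, 1000 and 721 bytes (EAP ids 0xad, 0xae, 0xaf), each acknowledged by a six-byte PEAP frame with no payload ("Peer ACKed our handshake fragment"); the ChangeCipherSpec/Finished exchange and the first ApplicationData record fit in one frame each. Two things a reviewer should read off this: the "SSLv3 read client hello A" strings are OpenSSL's legacy state-machine names and do not mean SSLv3 was used, but the record and Hello versions are 0x0301, so the outer tunnel really negotiated TLS 1.0, which a deployment today should refuse (the eap module's tls_min_version in later 3.0 releases). The decoder below is an added example, not FreeRADIUS code: it reads the EAP-Message hex exactly as the debug output prints it, copes with lines the logger cut short (an odd number of hex digits, or fewer bytes than the EAP Length field declares), and checks that a fragment series is well formed and adds up to the declared total. The PeapFrame fields and function names are this example's own; the frames in the usage are copied from the log.

```python
"""Decode the EAP-PEAP framing FreeRADIUS prints as EAP-Message (RFC 3748 header, EAP-TLS style
flags, first TLS record). Added example, not FreeRADIUS code."""
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
FLAG_LENGTH, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}


@dataclass
class PeapFrame:
    code: str
    identifier: int
    declared_length: int                    # EAP Length field; intact even when the line is cut short
    eap_type: int
    payload_length: int = 0                 # declared_length minus the 6- or 10-byte header
    truncated: bool = False                 # fewer bytes printed than declared_length
    length_included: bool = False           # L flag: 4-byte total TLS message length follows
    more_fragments: bool = False            # M flag: more fragments follow
    start: bool = False                     # S flag: PEAP Start, no payload
    total_tls_length: Optional[int] = None
    is_ack: bool = False                    # empty payload without S: acknowledges a fragment
    tls_content: Optional[str] = None       # first TLS record header (first fragment only)
    tls_version: Optional[str] = None
    handshake_type: Optional[str] = None
    hello_version: Optional[str] = None     # ServerHello: negotiated; ClientHello: highest offered


def decode_eap_message(hexstr: str, continuation: bool = False) -> PeapFrame:
    """continuation=True marks a non-first fragment, whose bytes do not start a TLS record."""
    h = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    truncated = len(h) % 2 == 1                       # odd nibble count: cut off mid-byte
    data = bytes.fromhex(h[: len(h) - len(h) % 2])
    if len(data) < 5:
        raise ValueError("EAP header needs code, identifier, length and type")
    length = int.from_bytes(data[2:4], "big")
    frame = PeapFrame(EAP_CODES.get(data[0], str(data[0])), data[1], length, data[4],
                      payload_length=length - 5, truncated=truncated or len(data) < length)
    if frame.eap_type != EAP_TYPE_PEAP or len(data) < 6:
        return frame                                  # e.g. the inner EAP-Identity 0x02b1000701626a
    flags = data[5]
    frame.length_included = bool(flags & FLAG_LENGTH)
    frame.more_fragments = bool(flags & FLAG_MORE)
    frame.start = bool(flags & FLAG_START)
    header_len = 6
    if frame.length_included:
        if len(data) < 10:
            raise ValueError("L flag set but the 4-byte TLS message length is missing")
        frame.total_tls_length = int.from_bytes(data[6:10], "big")
        header_len = 10
    frame.payload_length = length - header_len
    frame.is_ack = frame.payload_length == 0 and not frame.start
    payload = data[header_len:]
    if continuation or len(payload) < 5:
        return frame
    frame.tls_content = TLS_CONTENT.get(payload[0], f"unknown({payload[0]})")
    frame.tls_version = TLS_VERSIONS.get(int.from_bytes(payload[1:3], "big"), "unknown")
    if payload[0] == 22 and len(payload) >= 6:
        frame.handshake_type = HANDSHAKE_TYPES.get(payload[5], f"unknown({payload[5]})")
        # Hello body: type(1) + length(3) + version(2) directly after the 5-byte record header
        if payload[5] in (1, 2) and len(payload) >= 11:
            frame.hello_version = TLS_VERSIONS.get(int.from_bytes(payload[9:11], "big"), "unknown")
    return frame


def check_fragment_series(frames: List[PeapFrame]) -> int:
    """Validate one fragmented TLS message: only the first frame carries L, every frame but the
    last carries M, and the payloads add up to the declared total. Returns that total."""
    if not frames or not frames[0].length_included:
        raise ValueError("first fragment must carry the total TLS length (L flag)")
    for i, f in enumerate(frames):
        expect_more = i < len(frames) - 1
        if f.more_fragments != expect_more:
            raise ValueError(f"fragment {i} (EAP id {f.identifier}) has M flag "
                             f"{'set' if f.more_fragments else 'clear'}")
        if i > 0 and f.length_included:
            raise ValueError(f"fragment {i} repeats the L flag")
    total, carried = frames[0].total_tls_length, sum(f.payload_length for f in frames)
    if carried != total:
        raise ValueError(f"declared {total} TLS bytes but fragments carry {carried}")
    return carried


if __name__ == "__main__":
    # First bytes of the server's Certificate flight from the log: EAP ids 0xad, 0xae, 0xaf
    flight = [decode_eap_message("0x01ad03ec19c000000a8f16030100590200005503014748a904"),
              decode_eap_message("0x01ae03e819400342020de6", continuation=True),
              decode_eap_message("0x01af02d11900204175", continuation=True)]
    print(flight[0].handshake_type, flight[0].hello_version, check_fragment_series(flight))
```

The declared EAP Length and the 4-byte total are what make the check possible on truncated debug lines: 994 + 994 + 715 bytes of payload equal the 0x0a8f (2703) announced in the first fragment, so the flight in the log is internally consistent even though none of the three lines is complete.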
  1568. (17) Received Access-Request Id 37 from 172.22.33.33:65484 to 172.22.33.46:1812 length 217
  1569. (17) User-Name = "bj"
  1570. (17) NAS-IP-Address = 172.22.33.33
  1571. (17) NAS-Port = 0
  1572. (17) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1573. (17) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1574. (17) Framed-MTU = 1400
  1575. (17) NAS-Port-Type = Wireless-802.11
  1576. (17) Connect-Info = "CONNECT 0Mbps 802.11"
  1577. (17) EAP-Message = 0x02b1002b1900170301002091914282876324cc456d4fd9f80512ef05ce6de86c9c1ccdd04a78bddcb6c8d5
  1578. (17) State = 0x2e588f9b28e996e1accf0533cefa4486
  1579. (17) Message-Authenticator = 0x81d2c7bf28da575e3844d3d9e19aeab5
  1580. (17) session-state: No cached attributes
  1581. (17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1582. (17) authorize {
  1583. (17) policy filter_username {
  1584. (17) if (&User-Name) {
  1585. (17) if (&User-Name) -> TRUE
  1586. (17) if (&User-Name) {
  1587. (17) if (&User-Name =~ / /) {
  1588. (17) if (&User-Name =~ / /) -> FALSE
  1589. (17) if (&User-Name =~ /@[^@]*@/ ) {
  1590. (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1591. (17) if (&User-Name =~ /\.\./ ) {
  1592. (17) if (&User-Name =~ /\.\./ ) -> FALSE
  1593. (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1594. (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1595. (17) if (&User-Name =~ /\.$/) {
  1596. (17) if (&User-Name =~ /\.$/) -> FALSE
  1597. (17) if (&User-Name =~ /@\./) {
  1598. (17) if (&User-Name =~ /@\./) -> FALSE
  1599. (17) } # if (&User-Name) = notfound
  1600. (17) } # policy filter_username = notfound
  1601. (17) [preprocess] = ok
  1602. (17) [chap] = noop
  1603. (17) [mschap] = noop
  1604. (17) [digest] = noop
  1605. (17) suffix: Checking for suffix after "@"
  1606. (17) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1607. (17) suffix: No such realm "NULL"
  1608. (17) [suffix] = noop
  1609. (17) eap: Peer sent EAP Response (code 2) ID 177 length 43
  1610. (17) eap: Continuing tunnel setup
  1611. (17) [eap] = ok
  1612. (17) } # authorize = ok
  1613. (17) Found Auth-Type = eap
  1614. (17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1615. (17) authenticate {
  1616. (17) eap: Expiring EAP session with state 0x47e8552047754f14
  1617. (17) eap: Finished EAP session with state 0x2e588f9b28e996e1
  1618. (17) eap: Previous EAP request found for state 0x2e588f9b28e996e1, released from the list
  1619. (17) eap: Peer sent packet with method EAP PEAP (25)
  1620. (17) eap: Calling submodule eap_peap to process data
  1621. (17) eap_peap: Continuing EAP-TLS
  1622. (17) eap_peap: [eaptls verify] = ok
  1623. (17) eap_peap: Done initial handshake
  1624. (17) eap_peap: [eaptls process] = ok
  1625. (17) eap_peap: Session established. Decoding tunneled attributes
  1626. (17) eap_peap: PEAP state WAITING FOR INNER IDENTITY
  1627. (17) eap_peap: Identity - bj
  1628. (17) eap_peap: Got inner identity 'bj'
  1629. (17) eap_peap: Setting default EAP type for tunneled EAP session
  1630. (17) eap_peap: Got tunneled request
  1631. (17) eap_peap: EAP-Message = 0x02b1000701626a
  1632. (17) eap_peap: Setting User-Name to bj
  1633. (17) eap_peap: Sending tunneled request to inner-tunnel
  1634. (17) eap_peap: EAP-Message = 0x02b1000701626a
  1635. (17) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
  1636. (17) eap_peap: User-Name = "bj"
  1637. (17) Virtual server inner-tunnel received request
  1638. (17) EAP-Message = 0x02b1000701626a
  1639. (17) FreeRADIUS-Proxied-To = 127.0.0.1
  1640. (17) User-Name = "bj"
  1641. (17) WARNING: Outer and inner identities are the same. User privacy is compromised.
  1642. (17) server inner-tunnel {
  1643. (17) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1644. (17) authorize {
  1645. (17) policy filter_username {
  1646. (17) if (&User-Name) {
  1647. (17) if (&User-Name) -> TRUE
  1648. (17) if (&User-Name) {
  1649. (17) if (&User-Name =~ / /) {
  1650. (17) if (&User-Name =~ / /) -> FALSE
  1651. (17) if (&User-Name =~ /@[^@]*@/ ) {
  1652. (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1653. (17) if (&User-Name =~ /\.\./ ) {
  1654. (17) if (&User-Name =~ /\.\./ ) -> FALSE
  1655. (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1656. (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1657. (17) if (&User-Name =~ /\.$/) {
  1658. (17) if (&User-Name =~ /\.$/) -> FALSE
  1659. (17) if (&User-Name =~ /@\./) {
  1660. (17) if (&User-Name =~ /@\./) -> FALSE
  1661. (17) } # if (&User-Name) = notfound
  1662. (17) } # policy filter_username = notfound
  1663. (17) [chap] = noop
  1664. (17) [mschap] = noop
  1665. (17) suffix: Checking for suffix after "@"
  1666. (17) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1667. (17) suffix: No such realm "NULL"
  1668. (17) [suffix] = noop
  1669. (17) update control {
  1670. (17) &Proxy-To-Realm := LOCAL
  1671. (17) } # update control = noop
  1672. (17) eap: Peer sent EAP Response (code 2) ID 177 length 7
  1673. (17) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
  1674. (17) [eap] = ok
  1675. (17) } # authorize = ok
  1676. (17) Found Auth-Type = eap
  1677. (17) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
  1678. (17) authenticate {
  1679. (17) eap: Peer sent packet with method EAP Identity (1)
  1680. (17) eap: Calling submodule eap_mschapv2 to process data
  1681. (17) eap_mschapv2: Issuing Challenge
  1682. (17) eap: Sending EAP Request (code 1) ID 178 length 43
  1683. (17) eap: EAP session adding &reply:State = 0x0f6a1d280fd80790
  1684. (17) [eap] = handled
  1685. (17) } # authenticate = handled
  1686. (17) } # server inner-tunnel
  1687. (17) Virtual server sending reply
  1688. (17) EAP-Message = 0x01b2002b1a01b2002610c1f8ba17670f78199771c5b727004329667265657261646975732d332e302e3132
  1689. (17) Message-Authenticator = 0x00000000000000000000000000000000
  1690. (17) State = 0x0f6a1d280fd807900966e73b14246f17
  1691. (17) eap_peap: Got tunneled reply code 11
  1692. (17) eap_peap: EAP-Message = 0x01b2002b1a01b2002610c1f8ba17670f78199771c5b727004329667265657261646975732d332e302e3132
  1693. (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  1694. (17) eap_peap: State = 0x0f6a1d280fd807900966e73b14246f17
  1695. (17) eap_peap: Got tunneled reply RADIUS code 11
  1696. (17) eap_peap: EAP-Message = 0x01b2002b1a01b2002610c1f8ba17670f78199771c5b727004329667265657261646975732d332e302e3132
  1697. (17) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
  1698. (17) eap_peap: State = 0x0f6a1d280fd807900966e73b14246f17
  1699. (17) eap_peap: Got tunneled Access-Challenge
  1700. (17) eap: Sending EAP Request (code 1) ID 178 length 75
  1701. (17) eap: EAP session adding &reply:State = 0x2e588f9b29ea96e1
  1702. (17) [eap] = handled
  1703. (17) } # authenticate = handled
  1704. (17) Using Post-Auth-Type Challenge
  1705. (17) Post-Auth-Type sub-section not found. Ignoring.
  1706. (17) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1707. (17) Sent Access-Challenge Id 37 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
  1708. (17) EAP-Message = 0x01b2004b1900170301004003bb5d4e473fece9d4731ba68e1759d5e7b68a5694ba5ca2987f171d2bcec75e1c8a2657660e8b4
  1709. (17) Message-Authenticator = 0x00000000000000000000000000000000
  1710. (17) State = 0x2e588f9b29ea96e1accf0533cefa4486
  1711. (17) Finished request
  1712. Waking up in 4.8 seconds.
  1713. (18) Received Access-Request Id 38 from 172.22.33.33:65484 to 172.22.33.46:1812 length 265
  1714. (18) User-Name = "bj"
  1715. (18) NAS-IP-Address = 172.22.33.33
  1716. (18) NAS-Port = 0
  1717. (18) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
  1718. (18) Calling-Station-Id = "88-1F-A1-11-43-E2"
  1719. (18) Framed-MTU = 1400
  1720. (18) NAS-Port-Type = Wireless-802.11
  1721. (18) Connect-Info = "CONNECT 0Mbps 802.11"
  1722. (18) EAP-Message = 0x02b2005b1900170301005023a1a04f03ea0a2af2d60a57f1014e56041afc5134d8d3b1543e428caed9376131aca0e29b4fbde
  1723. (18) State = 0x2e588f9b29ea96e1accf0533cefa4486
  1724. (18) Message-Authenticator = 0xd0f7c4742c39c7ed27b191fe639bec39
  1725. (18) session-state: No cached attributes
  1726. (18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
  1727. (18) authorize {
  1728. (18) policy filter_username {
  1729. (18) if (&User-Name) {
  1730. (18) if (&User-Name) -> TRUE
  1731. (18) if (&User-Name) {
  1732. (18) if (&User-Name =~ / /) {
  1733. (18) if (&User-Name =~ / /) -> FALSE
  1734. (18) if (&User-Name =~ /@[^@]*@/ ) {
  1735. (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
  1736. (18) if (&User-Name =~ /\.\./ ) {
  1737. (18) if (&User-Name =~ /\.\./ ) -> FALSE
  1738. (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
  1739. (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
  1740. (18) if (&User-Name =~ /\.$/) {
  1741. (18) if (&User-Name =~ /\.$/) -> FALSE
  1742. (18) if (&User-Name =~ /@\./) {
  1743. (18) if (&User-Name =~ /@\./) -> FALSE
  1744. (18) } # if (&User-Name) = notfound
  1745. (18) } # policy filter_username = notfound
  1746. (18) [preprocess] = ok
  1747. (18) [chap] = noop
  1748. (18) [mschap] = noop
  1749. (18) [digest] = noop
  1750. (18) suffix: Checking for suffix after "@"
  1751. (18) suffix: No '@' in User-Name = "bj", looking up realm NULL
  1752. (18) suffix: No such realm "NULL"
  1753. (18) [suffix] = noop
  1754. (18) eap: Peer sent EAP Response (code 2) ID 178 length 91
  1755. (18) eap: Continuing tunnel setup
  1756. (18) [eap] = ok
  1757. (18) } # authorize = ok
  1758. (18) Found Auth-Type = eap
  1759. (18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
  1760. (18) authenticate {
  1761. (18) eap: Expiring EAP session with state 0x47e8552047754f14
  1762. (18) eap: Finished EAP session with state 0x2e588f9b29ea96e1
  1763. (18) eap: Previous EAP request found for state 0x2e588f9b29ea96e1, released from the list
  1764. (18) eap: Peer sent packet with method EAP PEAP (25)
  1765. (18) eap: Calling submodule eap_peap to process data
  1766. (18) eap_peap: Continuing EAP-TLS
  1767. (18) eap_peap: [eaptls verify] = ok
  1768. (18) eap_peap: Done initial handshake
  1769. (18) eap_peap: [eaptls process] = ok
  1770. (18) eap_peap: Session established. Decoding tunneled attributes
  1771. (18) eap_peap: PEAP state phase2
  1772. (18) eap_peap: EAP method MSCHAPv2 (26)
(18) eap_peap: Got tunneled request
(18) eap_peap: EAP-Message = 0x02b2003d1a02b20038316cba8e7b1f5a2edcd35569fcad68dcf100000000000000004456bed55668bb2bc5a86ca
(18) eap_peap: Setting User-Name to bj
(18) eap_peap: Sending tunneled request to inner-tunnel
(18) eap_peap: EAP-Message = 0x02b2003d1a02b20038316cba8e7b1f5a2edcd35569fcad68dcf100000000000000004456bed55668bb2bc5a86ca
(18) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(18) eap_peap: User-Name = "bj"
(18) eap_peap: State = 0x0f6a1d280fd807900966e73b14246f17
(18) Virtual server inner-tunnel received request
(18) EAP-Message = 0x02b2003d1a02b20038316cba8e7b1f5a2edcd35569fcad68dcf100000000000000004456bed55668bb2bc5a86c82e9b061daa
(18) FreeRADIUS-Proxied-To = 127.0.0.1
(18) User-Name = "bj"
(18) State = 0x0f6a1d280fd807900966e73b14246f17
(18) WARNING: Outer and inner identities are the same. User privacy is compromised.
(18) server inner-tunnel {
(18) session-state: No cached attributes
(18) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) authorize {
(18) policy filter_username {
(18) if (&User-Name) {
(18) if (&User-Name) -> TRUE
(18) if (&User-Name) {
(18) if (&User-Name =~ / /) {
(18) if (&User-Name =~ / /) -> FALSE
(18) if (&User-Name =~ /@[^@]*@/ ) {
(18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(18) if (&User-Name =~ /\.\./ ) {
(18) if (&User-Name =~ /\.\./ ) -> FALSE
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(18) if (&User-Name =~ /\.$/) {
(18) if (&User-Name =~ /\.$/) -> FALSE
(18) if (&User-Name =~ /@\./) {
(18) if (&User-Name =~ /@\./) -> FALSE
(18) } # if (&User-Name) = notfound
(18) } # policy filter_username = notfound
(18) [chap] = noop
(18) [mschap] = noop
(18) suffix: Checking for suffix after "@"
(18) suffix: No '@' in User-Name = "bj", looking up realm NULL
(18) suffix: No such realm "NULL"
(18) [suffix] = noop
(18) update control {
(18) &Proxy-To-Realm := LOCAL
(18) } # update control = noop
(18) eap: Peer sent EAP Response (code 2) ID 178 length 61
(18) eap: No EAP Start, assuming it's an on-going EAP conversation
(18) [eap] = updated
(18) files: Searching for user in group "wifi-cph"
rlm_ldap (ldap): Reserved connection (2)
(18) files: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(18) files: --> (uid=bj)
(18) files: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
(18) files: Waiting for search result...
(18) files: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(18) files: Checking for user in group objects
(18) files: EXPAND (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-N)
(18) files: --> (&(cn=wifi-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2co\)
(18) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph)(objectCla"
(18) files: Waiting for search result...
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
rlm_ldap (ldap): Released connection (2)
rlm_ldap (ldap): Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(18) files: Searching for user in group "wifi-cph-guest"
rlm_ldap (ldap): Reserved connection (3)
(18) files: Using user DN from request "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(18) files: Checking for user in group objects
(18) files: EXPAND (&(cn=wifi-cph-guest)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-)
(18) files: --> (&(cn=wifi-cph-guest)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3dd)
(18) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=wifi-cph-guest)(obj"
(18) files: Waiting for search result...
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
rlm_ldap (ldap): Released connection (3)
(18) files: Searching for user in group "kp-vpn-cph"
rlm_ldap (ldap): Reserved connection (4)
(18) files: Using user DN from request "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(18) files: Checking for user in group objects
(18) files: EXPAND (&(cn=kp-vpn-cph)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User)
(18) files: --> (&(cn=kp-vpn-cph)(objectClass=posixGroup)(|(member=uid\3dbj\2cou\3dpeople\2cl\3dcopenhagen\2cc\3ddk\2c)
(18) files: Performing search in "dc=services,o=kontrapunkt,dc=example,dc=com" with filter "(&(cn=kp-vpn-cph)(objectC"
(18) files: Waiting for search result...
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
rlm_ldap (ldap): Released connection (4)
(18) files: users: Matched entry DEFAULT at line 63
(18) [files] = ok
rlm_ldap (ldap): Reserved connection (0)
(18) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(18) ldap: --> (uid=bj)
(18) ldap: Performing search in "o=kontrapunkt,dc=example,dc=com" with filter "(uid=bj)", scope "sub"
(18) ldap: Waiting for search result...
(18) ldap: User object found at DN "uid=bj,ou=people,l=copenhagen,c=dk,o=kontrapunkt,dc=example,dc=com"
(18) ldap: Processing user attributes
(18) ldap: control:Password-With-Header += '{CRYPT}$*****'
(18) ldap: control:NT-Password := 0x3437413634423334324442384133314330313831413644453134393237413931
rlm_ldap (ldap): Released connection (0)
(18) [ldap] = updated
(18) [expiration] = noop
(18) [logintime] = noop
(18) pap: Converted: &control:Password-With-Header -> &control:Crypt-Password
(18) pap: Removing &control:Password-With-Header
(18) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(18) pap: WARNING: Auth-Type already set. Not setting to PAP
(18) [pap] = noop
(18) } # authorize = updated
(18) Found Auth-Type = Reject
(18) Auth-Type = Reject, rejecting user
(18) Failed to authenticate the user
(18) Using Post-Auth-Type Reject
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) Post-Auth-Type REJECT {
(18) attr_filter.access_reject: EXPAND %{User-Name}
(18) attr_filter.access_reject: --> bj
(18) attr_filter.access_reject: Matched entry DEFAULT at line 11
(18) [attr_filter.access_reject] = updated
(18) update outer.session-state {
(18) No attributes updated
(18) } # update outer.session-state = noop
(18) } # Post-Auth-Type REJECT = updated
(18) } # server inner-tunnel
(18) Virtual server sending reply
(18) Reply-Message = "Sorry, no access for you."
(18) eap_peap: Got tunneled reply code 3
(18) eap_peap: Reply-Message = "Sorry, no access for you."
(18) eap_peap: Got tunneled reply RADIUS code 3
(18) eap_peap: Reply-Message = "Sorry, no access for you."
(18) eap_peap: Tunneled authentication was rejected
(18) eap_peap: FAILURE
(18) eap: Sending EAP Request (code 1) ID 179 length 43
(18) eap: EAP session adding &reply:State = 0x2e588f9b26eb96e1
(18) [eap] = handled
(18) } # authenticate = handled
(18) Using Post-Auth-Type Challenge
(18) Post-Auth-Type sub-section not found. Ignoring.
(18) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(18) Sent Access-Challenge Id 38 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
(18) EAP-Message = 0x01b3002b19001703010020bb865662c8c0ade89daa01bb1223572b64a05308870cf047662598148a86dfeb
(18) Message-Authenticator = 0x00000000000000000000000000000000
(18) State = 0x2e588f9b26eb96e1accf0533cefa4486
(18) Finished request
Waking up in 4.6 seconds.
(19) Received Access-Request Id 39 from 172.22.33.33:65484 to 172.22.33.46:1812 length 217
(19) User-Name = "bj"
(19) NAS-IP-Address = 172.22.33.33
(19) NAS-Port = 0
(19) Called-Station-Id = "0C-51-01-E4-23-29:Kontrapunkt - NOT AVAILABLE"
(19) Calling-Station-Id = "88-1F-A1-11-43-E2"
(19) Framed-MTU = 1400
(19) NAS-Port-Type = Wireless-802.11
(19) Connect-Info = "CONNECT 0Mbps 802.11"
(19) EAP-Message = 0x02b3002b19001703010020f36596ba20e3b3d80188943909feb4d24b80ec7a076b02e780343c839a639a82
(19) State = 0x2e588f9b26eb96e1accf0533cefa4486
(19) Message-Authenticator = 0x0e566abe9b398831b30e8530f35885a6
(19) session-state: No cached attributes
(19) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(19) authorize {
(19) policy filter_username {
(19) if (&User-Name) {
(19) if (&User-Name) -> TRUE
(19) if (&User-Name) {
(19) if (&User-Name =~ / /) {
(19) if (&User-Name =~ / /) -> FALSE
(19) if (&User-Name =~ /@[^@]*@/ ) {
(19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(19) if (&User-Name =~ /\.\./ ) {
(19) if (&User-Name =~ /\.\./ ) -> FALSE
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(19) if (&User-Name =~ /\.$/) {
(19) if (&User-Name =~ /\.$/) -> FALSE
(19) if (&User-Name =~ /@\./) {
(19) if (&User-Name =~ /@\./) -> FALSE
(19) } # if (&User-Name) = notfound
(19) } # policy filter_username = notfound
(19) [preprocess] = ok
(19) [chap] = noop
(19) [mschap] = noop
(19) [digest] = noop
(19) suffix: Checking for suffix after "@"
(19) suffix: No '@' in User-Name = "bj", looking up realm NULL
(19) suffix: No such realm "NULL"
(19) [suffix] = noop
(19) eap: Peer sent EAP Response (code 2) ID 179 length 43
(19) eap: Continuing tunnel setup
(19) [eap] = ok
(19) } # authorize = ok
(19) Found Auth-Type = eap
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) authenticate {
(19) eap: Expiring EAP session with state 0x47e8552047754f14
(19) eap: Finished EAP session with state 0x2e588f9b26eb96e1
(19) eap: Previous EAP request found for state 0x2e588f9b26eb96e1, released from the list
(19) eap: Peer sent packet with method EAP PEAP (25)
(19) eap: Calling submodule eap_peap to process data
(19) eap_peap: Continuing EAP-TLS
(19) eap_peap: [eaptls verify] = ok
(19) eap_peap: Done initial handshake
(19) eap_peap: [eaptls process] = ok
(19) eap_peap: Session established. Decoding tunneled attributes
(19) eap_peap: PEAP state send tlv failure
(19) eap_peap: Received EAP-TLV response
(19) eap_peap: The users session was previously rejected: returning reject (again.)
(19) eap_peap: This means you need to read the PREVIOUS messages in the debug output
(19) eap_peap: to find out the reason why the user was rejected
(19) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
(19) eap_peap: what went wrong, and how to fix the problem
(19) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(19) eap: Sending EAP Failure (code 4) ID 179 length 4
(19) eap: Failed in EAP select
(19) [eap] = invalid
(19) } # authenticate = invalid
(19) Failed to authenticate the user
(19) Using Post-Auth-Type Reject
(19) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(19) Post-Auth-Type REJECT {
(19) attr_filter.access_reject: EXPAND %{User-Name}
(19) attr_filter.access_reject: --> bj
(19) attr_filter.access_reject: Matched entry DEFAULT at line 11
(19) [attr_filter.access_reject] = updated
(19) [eap] = noop
(19) policy remove_reply_message_if_eap {
(19) if (&reply:EAP-Message && &reply:Reply-Message) {
(19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(19) else {
(19) [noop] = noop
(19) } # else = noop
(19) } # policy remove_reply_message_if_eap = noop
(19) } # Post-Auth-Type REJECT = updated
(19) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(19) Sending delayed response
(19) Sent Access-Reject Id 39 from 172.22.33.46:1812 to 172.22.33.33:65484 length 44
(19) EAP-Message = 0x04b30004
(19) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
(10) Cleaning up request packet ID 30 with timestamp +28
Waking up in 0.1 seconds.
(11) Cleaning up request packet ID 31 with timestamp +28
(12) Cleaning up request packet ID 32 with timestamp +28
(13) Cleaning up request packet ID 33 with timestamp +28
(14) Cleaning up request packet ID 34 with timestamp +28
(15) Cleaning up request packet ID 35 with timestamp +29
(16) Cleaning up request packet ID 36 with timestamp +29
(17) Cleaning up request packet ID 37 with timestamp +29
Waking up in 0.1 seconds.
(18) Cleaning up request packet ID 38 with timestamp +29
(19) Cleaning up request packet ID 39 with timestamp +29
Ready to process requests
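Triage helper for the dump above, added here as an example; it is not part of the pasted log and not a FreeRADIUS tool. It does what the eap_peap messages in request (19) tell you to do by hand: group the -X output by request number and, for each request, report the users-file or module entry that matched before "Found Auth-Type = Reject", the LDAP groups the user was confirmed in, the Reply-Message, the packet type actually sent, and the outer/inner identity warning. The regexes match only the line shapes visible in this paste; the embedded sample is constructed, abbreviated from requests (18) and (19).

```python
"""Triage a FreeRADIUS 3.x debug log (radiusd -X) for the reason a request was rejected.

Added example; not part of the pasted log and not a FreeRADIUS tool. Request-scoped
lines start with "(N)"; connection-pool and timer lines do not and are ignored.
SAMPLE is constructed, abbreviated from requests (18) and (19) of the paste.
"""
import re
from collections import defaultdict

REQ_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
MATCHED_RE = re.compile(r"^(\S+): (?:users: )?Matched entry (\S+) at line (\d+)$")
GROUP_SEARCH_RE = re.compile(r'Searching for user in group "([^"]+)"$')
REPLY_MSG_RE = re.compile(r'^Reply-Message = "(.*)"$')
SENT_RE = re.compile(r"^Sent (Access-\w+) Id (\d+)")

SAMPLE = """\
(18) WARNING: Outer and inner identities are the same. User privacy is compromised.
(18) files: Searching for user in group "wifi-cph"
rlm_ldap (ldap): Reserved connection (2)
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
(18) files: Searching for user in group "wifi-cph-guest"
(18) files: User found in group object "dc=services,o=kontrapunkt,dc=example,dc=com"
(18) files: users: Matched entry DEFAULT at line 63
(18) Found Auth-Type = Reject
(18) attr_filter.access_reject: Matched entry DEFAULT at line 11
(18) Reply-Message = "Sorry, no access for you."
(18) Sent Access-Challenge Id 38 from 172.22.33.46:1812 to 172.22.33.33:65484 length 0
Waking up in 4.6 seconds.
(19) Found Auth-Type = eap
(19) eap_peap: The users session was previously rejected: returning reject (again.)
(19) Sent Access-Reject Id 39 from 172.22.33.46:1812 to 172.22.33.33:65484 length 44
"""


def parse_requests(lines):
    """Group request-scoped lines by request number; unscoped chatter is dropped."""
    reqs = defaultdict(list)
    for raw in lines:
        m = REQ_RE.match(raw.strip())
        if m:
            reqs[int(m.group(1))].append(m.group(2).strip())
    return dict(reqs)


def triage(lines):
    """Return {request_number: summary} with the fields a reject hunt needs."""
    result = {}
    for num, body in sorted(parse_requests(lines).items()):
        s = {"auth_type": None,          # value of "Found Auth-Type = ..."
             "decided_by": None,         # (module, entry, line) matched before Auth-Type was resolved
             "groups_found": [],         # groups with a following "User found in group object"
             "groups_unconfirmed": [],   # groups searched without one
             "privacy_warning": False,   # outer identity equals inner identity
             "previously_rejected": False,  # EAP Failure replaying an earlier reject
             "reply_message": None, "sent": None}
        pending = None                   # group currently being searched
        for line in body:
            if (m := AUTH_TYPE_RE.match(line)):
                s["auth_type"] = m.group(1)
            elif (m := MATCHED_RE.match(line)) and s["auth_type"] is None:
                # Only an entry matched before Auth-Type is resolved can have set it;
                # the attr_filter match in Post-Auth is a consequence, not a cause.
                s["decided_by"] = (m.group(1), m.group(2), int(m.group(3)))
            elif (m := GROUP_SEARCH_RE.search(line)):
                if pending is not None:
                    s["groups_unconfirmed"].append(pending)
                pending = m.group(1)
            elif "User found in group object" in line and pending is not None:
                s["groups_found"].append(pending)
                pending = None
            elif (m := REPLY_MSG_RE.match(line)) and s["reply_message"] is None:
                s["reply_message"] = m.group(1)
            elif (m := SENT_RE.match(line)):
                s["sent"] = m.group(1)
            else:
                s["privacy_warning"] |= "Outer and inner identities are the same" in line
                s["previously_rejected"] |= "session was previously rejected" in line
        if pending is not None:
            s["groups_unconfirmed"].append(pending)
        result[num] = s
    return result


def explain(num, s):
    """One line per request: the cause is the earlier reject in authorize, not the EAP Failure."""
    if s["auth_type"] == "Reject" and s["decided_by"]:
        cause = "Auth-Type Reject set by %s entry %s at line %d" % s["decided_by"]
    elif s["auth_type"] == "Reject":
        cause = "Auth-Type Reject, setter not visible in this request"
    elif s["previously_rejected"]:
        cause = "EAP Failure only; the real reject is in an earlier request"
    else:
        cause = "no reject seen"
    notes = []
    if s["groups_found"]:
        notes.append("member of " + ", ".join(s["groups_found"]))
    if s["groups_unconfirmed"]:
        notes.append("membership unconfirmed for " + ", ".join(s["groups_unconfirmed"]))
    if s["privacy_warning"]:
        notes.append("outer identity leaks the inner username")
    if s["reply_message"]:
        notes.append("Reply-Message %r" % s["reply_message"])
    return "(%d) sent %s: %s%s" % (num, s["sent"] or "nothing", cause,
                                   "; " + "; ".join(notes) if notes else "")


if __name__ == "__main__":
    for num, summary in triage(SAMPLE.splitlines()).items():
        print(explain(num, summary))
```

Run it on a saved -X dump with triage(open(path).read().splitlines()). The decided_by field makes the point the debug output itself makes: in request (18) the reject comes from the users file's DEFAULT entry at line 63, reached after all three Ldap-Group checks (wifi-cph, wifi-cph-guest, kp-vpn-cph) succeeded, so that entry and the conditions of the entries above it are where to look; request (19) only replays that result as an EAP Failure and tells you nothing new.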